Don't Panic! A Web-surfer's Guide to Online Security
In a world where new security breaches are reported every day, it's important to know how to keep safe and secure online.
Until fairly recently, most people didn’t spend a lot of time worrying about their online security. That’s changed over the last few years, as identity theft, fraudulent charges, and ransomware attacks have disrupted the lives of millions.
While IT departments play a key role in helping companies and organizations keep their data secure, attacks that target individuals can also cause problems for the company or organization for which they work. In some cases, companies have even lost tens of millions of dollars when attackers spoofed emails from executives authorizing fraudulent wire transfers.
In a world where personal information increasingly lives online and new security breaches are reported every day, it’s more important than ever to know how to keep safe and secure online, but it can often feel overwhelming.
The good news is that there are some fairly simple and straightforward things that a person can do to dramatically reduce the risk of being hacked and exposing themselves or their employers. Here are some of the best practices we recommend at Palantir to help us and our clients improve their security online:
Manage Your Passwords
If you’ve ever had an account with LinkedIn, Adobe, Yahoo, Dropbox, Tumblr, MySpace, or any one of the dozens of high-profile sites that have had security breaches over the last few years, your email address, username and password for those sites are probably for sale on the dark web. If you want to find out if you’ve been potentially compromised in one of these breaches, you can enter your email address or username at haveibeenpwned.com.
Once they obtain information about you, hackers can then run scripts that test your credentials to see if they work on other sites. In other words, if you’ve ever used the same password on multiple sites, and one of those sites is compromised, it’s highly likely that hackers will be able to use that information to log in as you on other sites as well.
The first step is to make sure you’re using a unique and difficult-to-crack password (ideally, a set of completely random characters or words) on every site where you have an account. Password management programs like LastPass, 1Password, and Dashlane make this easy by securely storing all of your login credentials and integrating with your browser so that you only need to remember one password to log into any site. Password managers also make it easy to generate strong, random passwords so that you don’t end up using the same credentials on multiple sites.
At Palantir, we use 1Password for Teams, which integrates well with Apple operating systems and provides user management options to control who has access to internal and/or client logins and credentials. 1Password even has a “Travel Mode” that enables users to temporarily remove potentially sensitive information from their devices while traveling.
Use Two-Factor Authentication
Some of the biggest and most highly publicized data breaches of the last few years were caused by people simply clicking on malicious links or attachments that showed up in their email inboxes. These types of “phishing” attacks were behind highly publicized incidents like the 2014 leak of celebrities’ personal photos stored in Apple’s iCloud and the 2016 leak of personal emails belonging to Hillary Clinton campaign chair John Podesta.
But it’s not just the rich and famous who are at risk. Phishing attacks can allow attackers to gain access to the accounts of everyday users on sites like PayPal, Amazon, and Uber, where they can make fraudulent charges that might go unnoticed for days or weeks, especially if they also have access to the victim’s email account and can cover their tracks. Even when discovered, it’s usually impossible to catch the perpetrators.
The easiest way to avoid a phishing attack is simply not to login into any websites from a link in an email, or click on unknown attachments, even if that email purports to be “from” someone you know. With the increasing sophistication of these attacks, however, being able to judge whether or not an email is legitimate or not is increasingly difficult, even for sophisticated users.
That’s where two-factor authentication comes in. The idea is that there are multiple ways to authenticate yourself online: via something you know (a password), something you have (a phone, security key, or other device), or something you are (biometric data like a fingerprint or eye scan). Being able to authenticate someone against two or more of those factors is much more secure than using just a password.
Many of the most widely used sites on the web support two-factor authentication, which may also referred to as two-step verification, login verification, or 2FA. When enabled, you will occasionally be asked to confirm logins from an app on your smartphone or other device like Google Authenticator or Authy. Some password managers, like 1Password, can also function as second-factor authenticators, providing extra flexibility for teams.
At the very least, two-factor authentication should enabled for sites and services that are common attack vectors such as email, social media, and file hosting. Enabling two-factor authentication varies from site-to-site, but you can find online tutorials for some of the widely used sites.
While some sites offer SMS text messages as a form of two-factor authentication, this is less secure than most other methods. In 2016, Black Lives Matter activist DeRay McKesson’s Twitter account was compromised when hackers were able to convince Verizon to change the SIM card for his phone to one that they controlled, enabling them to intercept his text messages and authorize access to his account.
For added security that doesn’t require a phone, another good option is to use a USB security key for two-factor authentication. Google, Facebook, GitHub, Docker, Dropbox, and Salesforce all support the FIDO U2F standard, which means that you can validate logins by simply plugging a security key like the Yubikey into your computer’s USB port. Because they’re inexpensive, easy-to-use, and secure, U2F security keys are an increasingly attractive option, especially as they are supported by more sites and software applications.
Secure Your Hardware
If your computer, smartphone, or device is lost or stolen, you don’t want someone else to be able to access the information on it. In addition to making sure your device is locked with a secure password or passcode that’s at least six characters, you also need to have encryption enabled in order to ensure data security.
Disk encryption does not change the way you use your computer or device; it simply makes it incredibly difficult for someone who doesn’t have your password to retrieve data from it. To enable disk encryption on recent versions of Windows, you just turn on BitLocker, and on macOS you need to set up FileVault. If you have an Apple iPhone or iPad running iOS 8 or better, encryption is enabled by default, as it is on most recent Android devices.
It’s also important to keep your software up-to-date and install operating system security updates as soon as they become available. The series of ransomware attacks that incapacitated dozens of companies and organizations around the world in 2017 exploited Windows security vulnerabilities that primarily impacted users running older and unpatched versions of Microsoft’s flagship operating system. Some hardware vulnerabilities, like Meltdown, can only be mitigated through operating system updates.
Even if you’re using a secure password and two-factor authentication, it’s still possible for attackers to intercept your login credentials on insecure websites. As a rule of thumb, you should never enter any information on a website that doesn’t use the HTTPS protocol to secure the connection between your browser and the site. Sites that don’t use HTTPS transmit data “in the clear”, making it much easier for a malicious third party to intercept.
Browsers usually indicate that a site is using HTTPS by showing a small lock icon somewhere in the address bar. The HTTPS Everywhere browser plugin forces sites to use the SSL connection if available.
Any time you’re on someone else’s wifi network, it’s possible for others to monitor and and intercept your web traffic, even if it’s password-protected. The easiest way to ensure your privacy and security while on someone else’s network is to use a Virtual Private Network (VPN), which routes all of your internet traffic through a private, encrypted server. While some companies and organizations run their own VPN servers, there are also a wide array of commercial VPN services. Most of these services offer servers in multiple countries, and the one that we use at Palantir also provides static IP addresses, which is useful when working with clients who restrict access to their networks by location.
Over the last few years, online ad networks have increasingly become a vector for distributing malicious software that can be used to scrape personal information, including passwords from user's systems. Because of the way that today's ad networks work, publishers often have no control over what ads appear on their site or whether they contain malicious scripts that can exploit hardware vulnerabilities like Spectre to capture personal information.
Ad blocking software is controversial because it undermines the financial model of many websites that provide free content to users; however, it is also the best way to mitigate against advertising malware as well as other third-party tracking software. Privacy Badger provides you with a greater level of control and security than running your browser in “incognito” or “anonymous” mode. Firefox and other privacy-focused browsers also have built-in tools that enable you to block trackers and make sure that sensitive data like passwords, cookies, and your browsing history isn’t stored on your computer or device.
While there’s no way to completely protect yourself from all possible threats online, following the recommendations in this article will greatly reduce the risk of having your information or identity compromised.
While they may seem intimidating at first, password managers, two-factor authenticators, and other online security tools are getting easier to use all the time, and once you’ve started using them, they quickly become second nature. What added inconvenience they do cause is more than offset by the time and expense of dealing with even a single incident of identity theft or fraud caused by someone compromising one of your accounts.
While we’ve focused here primarily on the issues that most people in the United States are likely to encounter while using the internet for everyday tasks, it is important to keep in mind that political activists, journalists, and others more likely to be targets of online abuse may need to take additional steps to protect themselves online. The key is being conscious of what information you’re putting online and who has access to it.
Cybersecurity is a rapidly changing field, and it’s often hard to keep track of current best practices. We’ll review and update this article periodically to reflect new threats and mitigation tactics as they emerge. If you have any questions in the meantime, just drop us a line or reach out to us on Twitter @palantir.
Updated January 12, 2018 to include additional information about advertising malware, as well as mitigation against hardware vulnerabilities like Meltdown and Spectre.
Stay connected with the latest news on web strategy, design, and development.