I am sure that everyone will be excited to see what happens to their computers when they return to work after this weekend’s excitement. Will my computer work? Will I be locked out? Am I safe?

The good news for most of you running any operating system (Microsoft, Mac or Linux) is probably nothing. That’s because most of you will be running the latest version with all the updates, which often contain security fixes. You can rest assured you are safe. Or are you?

Actually no. And that’s thanks to the Americans, or more specifically the NSA (National Security Agency). They have been using security holes in all kinds of devices, including phones, routers, and webcams, for years. That’s right, security holes. Irrespective of whether you use an iPhone, an Android phone, Windows or MacOS, you will have a security hole that has not been fixed.

Why are there security holes? Security holes need to be discovered and most importantly, disclosed to the manufacturer. If no one has disclosed information about the security hole, it cannot be fixed. Why would the NSA inform Apple, Facebook or Microsoft or anyone about a security hole that they are exploiting to spy on the citizens of the world? Exactly, they would not, so these security holes are maintained year after year with no fixes because no one knows about them. They are often known as Zero Day Exploits.

In addition, there is an Israeli company that is employed by various agencies around the world, to hack into, or monitor all kinds of devices. In this world of mass surveillance, everyone is assumed to be valid prey for monitoring. You are monitored with every step you take. CCTV, Internet browsing, emails and so much more. Although you may not think this is a problem, you really do need to think: how do you feel that someone is looking at all those pictures you take? Reading all those private messages that you thought were private? They could so easily be leaked, accidentally or on purpose. Oh, wait! They did get hacked and the information and tools they use have been leaked! Now the hackers can spy on you!

 

In order to understand how you can protect yourself, you need to know a little more about privacy:

The Universal Declaration of Human Rights, which is not followed by most countries, states that no one shall be subject to arbitrary interference with his privacy, family home, or correspondence. You may have the preconception that state monitoring only occurs in China, Russia or dictator-led countries. But in reality, the UK is the most surveilled society in the world. And that puts your safety and security at risk.

The idea that only those who have “something to hide” need to worry about privacy is very dangerous. The same goes for “I’m a normal person and no one is interested enough in me to harm me”. Every “interesting” person throughout history was once a boring, normal person too.

Here is an extract from Financial Highway that nicely describes the risks:

One of the biggest reasons you need to be wary about sharing online is due to the way that others can use the information against you. There are scammers out there who will use the information you share in an effort to defraud you. From investment fraud to bad credit loan scams, to stealing your identity, there are various scams that can be used with the information online:

  • Your email address can be used to send you phishing emails, meant to get information from you, including passwords and other information.
  • What you share online can be used to let others know where some of your weak points may lie, and what you might be more likely to believe and agree to.
  • Social media information is often used in affinity scams. Using the information that might be publicly available, scammers can get just enough information to pose as someone you might know, or someone you might be acquainted with.
  • Personal information shared can be used in identity theft. When you share your birth date online, and your name, it is possible for others to pose as you. Information about your family, where you went to high school, and more can all be used to steal your identity.

Everyone has private information that could be used to harm themselves or others they know. You shouldn’t blindly trust a large corporation not to use that information against you and you shouldn’t trust that the information won’t end up in the hands of others who can use it against you.

This is an extract from Quora that puts the argument for privacy:

Everyone has something to hide. Or rather, everyone has things they’d rather keep private. I started to make a list but if you cannot identify things in your life you would rather others not know, then you’re not giving this argument real consideration. Examples:

  • how much money I have in the bank
  • how much money I make
  • the things that I’m afraid of
  • the way I feel about specific people, good or bad
  • my sexual kinks or perversions
  • my credit history
  • things from my past of which I’m ashamed (a list in itself!)
  • the prejudices I hold (even though I try not to)
  • religious or political affiliations
  • beliefs that are not mainstream and for which I might be ostracized
  • the times I’ve broken the law and not been caught (minor infractions)
  • etc., etc.

What if your phone records (your phone can leak its position to within a few meters) put you in the location of a serious crime? What if your phone showed that you had been exceeding the speed limit? In the future, you could automatically be issued with a speeding ticket. All of this information isn’t just available to the authorities, it’s available to multinationals like Google, Facebook, Apple. However, Apple has a different privacy policy that protects you against intrusion and they never sell or give away data about you.

So Google and others know your location, what emails you have sent and received, who you have chatted with, who your friends are, what you watch, love, hate. They can see all your images and know where those images were taken. It seems that nothing is private. Think about that for a moment, and then think: what if the information on you was released to the wider world, i.e. they got hacked? Or your information was accidentally released to the public? It happens frequently. More worrying is that these companies sell the information they have on you. And now, in the USA, internet companies can sell your browsing history to third parties.

Who cares? Well, criminals, hackers and authorities, to begin with. The information can be used to build a profile of you, gain access to your personal life and yes, even empty your bank account. Even just the inconvenience of being investigated when you are an innocent party, or the disruption of having unauthorised transactions coming out of your bank account, costs you time, money and hassle.

 

Why are people blaming the NSA for the latest worldwide cyber attack?

What happens when the NSA itself is hacked? What happens is that the tools the NSA use, with all their knowledge of security holes, are also leaked to the world. This allows new and very effective malware to be built on the back of these tools. It’s now very simple to purchase these tools, currently available for around $16.00, and build your own malware.

This is what has happened not just to the NHS but thousands of systems around the world. And it’s not new. If you have been following my Hacking & Malware Facebook page, you will see that there is a constant stream of information about people being released to the world, all helping to build a profile of you. Thinking a little darker, how hard would it be to incriminate you with something serious? To prevent you from accessing your own data? Or to fake logs that you had visited illegal websites, sent illegal images? Not hard at all.

This is why we should defend our privacy and stop the Government from forcing companies to make ‘backdoors’. If the Government can spy on us via a backdoor, so can hackers and our security will be compromised.

 

What about terrorist activities?

Let’s not fool ourselves here. If you are a terrorist, you will already be using strong encryption in your communications and you will be hiding your web browsing activity by using free tools such as Tor. Governments are using the threat of terrorism to spy on their citizens, which ultimately, as we have shown above, makes your identity and privacy much less secure.

 

How can we protect ourselves?

We could dump our smartphones and never connect to the internet or insert a USB memory device. Ever. But that’s unreasonable.

 

Here are some tips that you should consider following:

Make sure you are running the latest operating system. If your computer or device cannot run a modern operating system, securely erase it and invest in something new. You MUST securely erase any newly purchased Windows-based computer before use, as it has been shown, multiple times, that new computers can come ready loaded with malware. Second-hand computers must also be securely wiped before use; this includes Apple devices!

Next, unless you use software that relies on it, do not install Java or Adobe Flash. OK. Some of you will see this as an inconvenience, but it’s not without good reason that Apple’s Safari web browser, and now other cross-platform browsers including Opera and Firefox, block Flash content by default. That’s because almost every month a new zero-day exploit comes out that works with Adobe Flash. It’s one of the best ways for malicious software to enter your computer. Many compromised websites will even suggest that your ‘Flash player’ is out of date and that you need to download a new version. It isn’t out of date – and that ‘new version’? It’s just malware that can infect Mac and Windows operating systems. So if you have Flash, dump it. If you use Chrome, which has Flash built in, I would personally dump it. Not just because it has Flash built in, but because everything you do is tracked by Google and to be honest I don’t want Google to profile me any more than they already do.

Make sure you turn on auto software updates (on by default in Windows 10) and make sure you always install them! Run a quality anti-virus, and if you have Windows, make sure that Windows firewall and security are all turned on. Mac users have their firewall turned off by default, and that’s how it should be left in most circumstances. If you want more information on this, scour the web, it’s way beyond this article to explain why.

Next, emails. You will not ‘catch’ anything by just viewing an email, in any application these days, so long as the points above have been taken into account! However, downloading attachments to ‘view’ a document is a different matter. In general, you should not download or view email attachments. That’s how the NSA, hacker groups, and criminals get into your system. With MacOS and Windows 10, downloads and email attachments are run in a sandbox. It’s a fairly safe environment where any malicious code is prevented from interacting with your system. However, as soon as you are asked ‘Do you want this application to…’ and you say ‘yes’… you are fucked. I need to say that again because it’s the only way to get your attention. You are fucked! You may think it’s just a PDF or a Word file, even an image. But its contents may be very different. Only open attachments that you believe to be from a secure source and even then, such an attachment should never ever ask for permission to do anything and you should never give it permission! Only grant permission for something to happen on your computer if you are completely sure that what it is doing is legit. For example, installing known, clean software, OS updates etc. Finally, at least run the attachments through an anti-virus application or a third-party sandbox app, even on a Mac. It’s very unlikely you will ever see a MacOS virus or malware, but I have seen clients with both.
I have not even mentioned links in emails yet! For the most part, I do click every link in an email. I know that such a link could be leading me to a fake site, but I enjoy clicking on fake PayPal, Apple, whatever links and filling in their fake forms with fake, unusable data! However, I would not recommend that you do this!
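
The point above, that an attachment named like a PDF, Word file or image may contain something very different, can be checked by comparing the file name against the first bytes of the content. This is an added example, not part of the original article; the function names are hypothetical and the sample message is constructed.

```python
from email.message import EmailMessage
from pathlib import PurePath

# Well-known leading "magic" bytes for a few common formats.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",        # also the container used by .docx/.xlsx
    "ole": b"\xd0\xcf\x11\xe0",  # legacy .doc/.xls
    "windows-exe": b"MZ",
    "elf": b"\x7fELF",
}
# What each claimed extension should contain.
EXPECTED = {".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
            ".docx": "zip", ".xlsx": "zip", ".doc": "ole", ".xls": "ole",
            ".zip": "zip", ".exe": "windows-exe"}
EXECUTABLE = {"windows-exe", "elf"}

def sniff(data: bytes) -> str:
    """Identify content by its first bytes, ignoring the file name."""
    for kind, signature in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to distrust an attachment (empty list = none found)."""
    findings = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    kind = sniff(data)
    if kind in EXECUTABLE:
        findings.append(f"content is an executable ({kind})")
    expected = EXPECTED.get(suffixes[-1]) if suffixes else None
    if expected and kind != expected:
        findings.append(f"named {suffixes[-1]} but content looks like {kind}")
    if len(suffixes) > 1 and any(s in EXPECTED for s in suffixes[:-1]):
        findings.append("double extension: " + "".join(suffixes))
    return findings

def scan_message(msg: EmailMessage) -> dict[str, list[str]]:
    """Map each suspicious attachment's file name to its findings."""
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings = check_attachment(name, part.get_payload(decode=True) or b"")
        if findings:
            report[name] = findings
    return report

def build_sample() -> EmailMessage:
    """Constructed message; the 'MZ' payloads are header stubs, not programs."""
    msg = EmailMessage()
    msg.set_content("Please see the attached invoice.")
    samples = {"invoice.pdf": b"MZ\x90\x00" + bytes(16),
               "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
               "statement.pdf.exe": b"MZ\x90\x00" + bytes(16)}
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name, "->", "; ".join(findings))
```

An empty result only means the name and the content type agree; a genuine PDF or Word file can still carry malicious content, so the anti-virus or sandbox check described above still applies.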

You should as a matter of course digitally sign your emails and you should strongly consider automatically encrypting your emails while in transit. All modern email clients support this functionality but none of you actually do it!
There is much more to tell you about this, but you will need to arrange a consultation with me to discuss it.

Next. Never insert a USB stick. Just inserting a USB stick can infect a MacOS, Windows or Linux computer. If a USB stick is one you have owned from new, has never been used in some other person’s computer, and comes from a legit source (many ‘cheap’ Far East USB sticks, of any brand, can come with malware loaded and often do not have the advertised capacity), you should be OK to use it. But nothing should be taken for granted. You should consider having a secure computer, not connected to the internet or a network, for vetting the contents of USB sticks from ‘outside’ sources. This is especially true in environments that use older operating systems. This would involve copying the USB stick files to the computer’s hard drive, checking the files with a good antivirus app and then moving them to a portable hard drive before using them on a computer of your choice. Yes, it’s a royal pain, and yes the risks are reduced on the MacOS platform, but in the real world, infected USB drives are out in the wild and it has been shown that no standard software can detect or block the malware from running.

It should go without saying that you should keep away from illegal download sites and video streaming sites (yes, all of you that download videos, or stream football illegally, should be worried). It’s a nice and easy way to spread malware on your computer. It’s very cheap these days to watch movies on Netflix, iTunes etc. and such content is, so far, completely safe. The same can be said for Deezer, Spotify, Apple Beats. No malware, so long as you are downloading the app directly from the company’s web server and not via a link in an email or third-party website.

On another note, many respected publications have reviewed anti-virus software and they have found that not a single anti-virus program can keep you safe from all the nasties in the world, but they can help. Whatever your operating system, install anti-virus software.

So you thought owning and using a computer was easy? You thought your privacy didn’t matter? You thought you were safe?!

I hope that this short document, inspired by the recent worldwide malware attack, has helped you understand why privacy, security, and vigilance are important when using your computer.

 

Phil Coates
IT Consultant 12th May 2017

 

Addendum:
Below I have listed some useful tools to help protect you, and for those of you who are still not convinced that privacy is important to you, here is a short article from Quora:

1. Yes, criminals are the most concerned with privacy, but sometimes it’s OK to be a criminal. Homosexuality, interracial relationships, recreational marijuana use, etc. These are all things people had to hide and in many cases, the penalty for being found out was as severe as death. In a world where no privacy exists, all illegal actions are immediately known and punishment delivered. Positive social change stagnates. What is “wrong” today may not be in the future. Maybe you’re not a criminal, but maybe, one day, you will need to be, and it will be the right thing to do.

2. Google has the potential to harm you with the information you’ve given. I can’t point to any specific examples involving Google (I’m sure they exist) but it’s not hard to believe that a profit-driven corporation will harm its customers if there is a financial incentive to do so. It might not be likely that Google will retaliate against customers it discovers have participated in some campaign which is hostile to the company or at least not in line with its own opinions. The point is, however, that you make this scenario possible by forfeiting your information.

Update on point three, from Phil Coates: Actually Google already penalises you with regard to search engines. If they deem you have broken their rules, however inadvertently, they will reduce the ranking of your site. If they don’t like an advert you have made, they will block it. They can block you as a person or organisation (I have clients where this has happened) and even ban you from Google, without ever having to disclose why. Again, I have clients where this has happened. You have no recourse, nor will they disclose why they have banned you.

3. Google can give your information to people who might harm you. Government agencies are first on the list. Examples already exist whereby government agencies (I’m looking at you IRS) have targeted individuals for their beliefs. And, Google retains the right to share (but not necessarily sell) your information to its so-called strategic business partners. By sharing your information with Google, you are potentially sharing it with anyone else with whom Google does business, and that’s a lot of people.

4. People can steal your information from Google. Probably more dangerous, are persons who might come by your data unlawfully, by hacking a data center for instance. Think Google’s security is impenetrable? Really? The NSA probably has good security, too, but that didn’t stop Edward Snowden from stealing and revealing many of its secrets. If you think you don’t need to worry about Google because the real threat is from identity theft and other criminal activities, then why would you store all of the information said criminals need in a giant database with the same information from millions of other people? When large companies pool together huge stores of valuable information, they create “honey pots” for criminals. The effect is ironic. Your information is probably more secure on your own laptop that you don’t even have password protected.

5. People can steal your information before it even gets to Google. Before your information is sent off to Google’s mythical data centers, it’s usually stored on your phone for some time. This presents another target for criminals. A well-made virus has the ability to extract that information from millions of devices. Another honeypot scenario, really. In addition, all of that information you send to Google has to travel across communication lines neither you nor Google control. This gives potential access to third parties along the route. Search for “ISP packet injection” if you don’t believe me.

Useful stuff you can use on your computer to help protect you.

Use a search engine that does not track you: for example DuckDuckGo.com – it’s available on all devices and is an optional search engine for iOS and MacOS.

Web of trust: is a website reputation and review service that provides information about whether it considers a website to be trustworthy, based on a combination of crowdsourced reviews and data from other sources. https://www.mywot.com/

Comodo – free certificate to digitally sign your emails

https://www.comodo.com/home/email-security/free-email-certificate.php

Antivirus: Windows and MacOS:
http://uk.pcmag.com/bitdefender-antivirus-plus-2015/34128/review/bitdefender-antivirus-plus-2017
read more reviews here:
http://uk.pcmag.com/antivirus-reviews/8141/guide/the-best-antivirus-protection-of-2017

Password manager: Highly recommended!! If you have a computer, you should use this: 1Password. It’s a fully featured, password management and secure note system. Works on MacOS, Windows, iOS and Android.
Remember to use a strong password, but one that’s easy to remember. For example, the phrase “Mary Had A Little Lamb” could be turned into a password like this: 1961mhaLL2017]. Try to have a password that’s 14 characters long and uses numbers, letters, and symbols. At the very least use 1Password for all your sites and perhaps your own strong passwords for banks, PayPal etc.

https://1password.com

 

Sources of information and resources:

Zero day exploit affecting Adobe Flash in all web browsers with flash installed, including Google Chrome:

https://nakedsecurity.sophos.com/2016/06/15/critical-flash-vulnerability-is-being-exploited-in-the-wild/

 

Kill flash now:

https://www.theregister.co.uk/2016/06/16/adobe_36_flash_flaws/

 

May 2017, Adobe security vulnerabilities:

https://helpx.adobe.com/security/products/flash-player/apsb17-10.html

 

Secure your emails

https://support.office.com/en-gb/article/Secure-messages-by-using-a-digital-signature-549ca2f1-a68f-4366-85fa-b3f4b5856fc6

https://kb.iu.edu/d/bcsn

http://www.techrepublic.com/article/how-to-configure-digitally-signed-email-in-apple-mail/

 

Groundbreaking iOS malware

https://www.technologyreview.com/s/602252/israeli-hacking-firm-said-to-be-behind-groundbreaking-ios-malware/

https://www.forbes.com/sites/thomasbrewster/2016/08/25/everything-we-know-about-nso-group-the-professional-spies-who-hacked-iphones-with-a-single-text/

 

Hacking and malware news:

https://www.facebook.com/HackingMalwareNews/

 

HP Computers found with pre-installed malware:

http://thehackernews.com/2017/05/hp-audio-driver-laptop-keylogger.html

 

Change your password!

https://www.theguardian.com/barclays-lets-go-forward/2017/may/08/are-you-a-procrastinator-heres-how-youre-helping-online-scammers

 

Privacy International

https://www.privacyinternational.org

 

Implicating the NSA with the cyber-attack

http://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-edward-snowden-accuses-nsa-not-preventing-ransomware-a7733941.html

 

Check to see if your email address has already been hacked

https://haveibeenpwned.com/