I recently had another candid conversation about hacking, what's possible, how to prevent it and close the door after someone gets in. I thought it was important to publish this where others could find it and get some straight answers from a tech who is out there troubleshooting cases monthly.
Q: How can we keep them out?
That depends on who, how, what, why, etc. There are so many variations to that answer that it needs more depth than one sentence or one paragraph, but I will try to summarize. The first real answer you will get is "you can't." You can put up roadblocks, speed bumps, fences to go around, but a truly dedicated team or skilled individual will not be denied entry. You can make yourself a difficult target. You can compartmentalize. If you've been the victim of a high-level hack, you need to get used to living with cleanroom protocols. Don't keep email, passwords, pictures of serial numbers, or anything else you don't want to hand to someone on a silver platter on your phone. It can take a skilled hacker only minutes to own your phone. Today's phones are like the computers of old: lots of speed and no protection. There currently isn't an architecture that is web-enabled and safe from hackers.
Q: How do I handle my banking and credit cards?
If you suspect your internet connection or computer is compromised, do your banking at the bank. On that note, never use your debit card as such; use it as a credit card. Never enter your PIN at a vendor. With credit cards, the card issuer is liable. With debit cards, you are liable. From a clean computer, you may want to store your Quicken or QuickBooks data on a removable drive and disconnect it when it's not in use. As always, keep one or more copies on different devices, always up to date. If your bank offers an RSA ID device, use it when connecting to the bank over the web, from a clean computer.
Q: When it comes to phones, what do we do about them?
It's sad that it's come full circle back to copper phone lines. An old, analog phone may be the best bet for some of you. Digital phones are too easy to hack to be considered safe. There are companies that offer encrypted calls through a service, and these can be good, but when you are in the range of a device that captures your actual phone information, your ability to secure that phone is gone. You can't use a compromised iCloud or Google account again. You can't create new ones from compromised devices or connections. And you definitely can't trust any known compromised device.
Q: What behaviors do we need to change?
You need to clean up your accessible footprint. Turn off the services you do not use, on every device. If you are not using Bluetooth, wireless, etc., disable them. Done with your phone for the night? Airplane mode. Done with the computer? Turn it off. This includes your router. It is very hard to hack a device when it is not on the internet or, better yet, powered off. Don't open attachments from anyone you are not expecting them from. This applies to texts and email. In your email, turn off the preview. If you get something sent to you that you are not expecting, verify it by a voice call. Texts or emails cannot be considered safe.
Q: Are other web-enabled devices safe?
Factory cords are safe. Third-party cords — or ones that were switched while you were in the bathroom — are not safe. Any web-enabled device can likely be hacked. This includes cars, cable boxes, camera security systems, televisions, and phones. TVs today have multiple AI engines in them — lots of software leaves lots of vulnerabilities. If you get a clever individual on the other end who has been browsing your network for the last two hours (or weeks), they know what devices are present and what they can do with them.
Q: Is there a way to get files from old computers without infecting new ones?
If the files are clean, you should be able to transfer them from one device to another, but you cannot do it by means of a connected drive. This would have to be a transfer through a safe middleman, never letting hardware touch any compromised device along the way.
Q: What about passwords?
I advise people to have 3 or 4 password categories. First: Banking — complex, long, never used when a high-level attack is underway, changed every 6 months, protected with MFA whenever possible. Second: Email — the same applies, only use a different password. If they get your email, they get your banking. Third: Social media — use MFA whenever possible. LinkedIn and Facebook offer it. Fourth: Everything else — for most sites, a generic password not found in a dictionary should be fine.
Q: Should I use antivirus?
Yes, they really asked me that. Macs and PCs need antivirus software. Pay for it. Make sure it is a product that is used in corporate environments. If it was built for homeowners only, run from it. What worked last year is no longer good enough.
Q: Is my home router a good enough firewall?
For the average homeowner, yes. For the average business with things to protect, definitely no. I've seen hack attempts inside the vendor-provided routers. Let's look at a common business: 50 cell phones, 15 laptops, 5 printers, 45 computers, camera security, 5 WiFi access points. That's over 120 devices, each with several possible entry points for a hacker. For the average business — it's time to do a review of your security.
I wish I could tell you there was a magic bullet for hacking or a firewall that would solve all your problems. That platform hasn't yet been built and released to the public. Tight security, cleanroom practices in your digital life, secure backups, good antivirus, better firewalls, and identity monitoring: these are the only tools you have at your disposal at this time.
If anyone has a change they would like to point out, send me an email. I'll be happy to incorporate it.
— Robert
