I recently had another candid conversation about hacking, what’s possible, how to prevent it and close the door after someone gets in. I thought it was important to publish this where others could find it and get some straight answers from a tech who is out there troubleshooting cases monthly.
Q: The first question I usually get is: how can we keep them out? A: That depends on who, how, what, why, etc. There are so many variations to that answer it needs a little more depth than one sentence or one paragraph, but I will try to summarize. The first real answer you will get is “you can’t.” You can put up roadblocks, speed bumps, fences to go around, but a truly dedicated team or skilled individual will not be denied entry. You can make yourself a difficult target. You can compartmentalize. If you’ve been the victim of a high-level hack, you need to get used to living with cleanroom protocols. Don’t keep email on your phone, passwords, pictures of serial numbers, or anything you don’t want to hand to someone on a silver platter. It can take a skilled hacker only minutes to own your lettered Phone, the currently more secure option. Today’s phones are like the computers of old, lots of speed and no protection. They can have 6 or 8 core processors, a combined capacity of up to one trillion 8-bit operations per second. In English, they are fast. There currently isn’t an architecture that is web-enabled and safe from hackers.
Q: How do I handle my banking and credit cards? A: If you suspect your internet connection or computer is compromised, do your banking at the bank. On that note, never use your debit card as such; use it as a credit card. Never put in your PIN at a vendor. With credit cards, the card issuer is liable. With debit cards, you are liable. From a clean computer, you may want to store your Quicken or QuickBooks data on a removable drive and disconnect it when it’s not in use. As always, keep one or more copies on different devices – always up to date. To be honest, if you are living with high-level hackers, you shouldn’t be using these anyway. If your bank offers an RSA ID device, use it when connecting to the bank over the web – from a clean computer.
Q: When it comes to phones, what do we do about them? A: It’s sad that it’s come full circle back to copper phone lines. An old, analog phone may be the best bet for some of you. Digital phones are too easy to hack to be considered safe. There are companies that offer encrypted calls through a service, and these can be good, but when you are in the range of a device that captures your actual phone information, not the one offered by that service, your ability to secure that phone is gone. Anytime someone has been watching you or your devices for a while, they have a starting point of data already collected on you. Waiting for a new phone to come online, a new number or both is all part of the game. You can’t use a compromised iCloud or Google account again. You can’t create new ones from compromised devices or connections. And you definitely can’t trust any known compromised device.
Q: Are phone conversations safe? A: From governments with 3 and 4 letter security divisions, no. From everyone else, they should be. Calls can be recorded, especially if someone “owns” your phone, but really, who has the time to review all calls for a low profile target? A high profile target may be another story.
Q: What behaviors do we need to change? A: You need to clean up your accessible footprint. Turn off those services you do not use – on every device. If you are not using Bluetooth, wireless, etc., disable them! Done with your phone for the night? Airplane mode. Done with the computer? Turn it off. This includes your router. It is very hard to hack a device when it is not on the internet or, better yet, powered off. Don’t open attachments from someone you are not expecting them from. This includes text and email. In your email, turn off the preview. If you get something sent to you that you are not expecting, verify it by a voice call. Texts or emails cannot be considered safe.
Q: Are other web-enabled devices safe and what about cords or other connections? A: Factory cords are safe. 3rd party cords – or ones that were switched while you were in the bathroom – are not safe. Leave a security mark if you are concerned. See my earlier blog post about cables on the market that hack your devices. Any web-enabled device can likely be hacked. This includes cars, cable boxes, camera security systems, televisions, phones, etc. What they can do with them may or may not be limited. For example, TVs today have 2, 3 or more AI engines in them. Lots of software leaves lots of vulnerabilities. They are web-enabled and have little to no security. If you get a clever individual on the other end, who has been browsing your network for the last two hours (or weeks), they know what devices are present and what they can do with them.
Q: Is there a way to get files from our old computers without infecting our new ones? A: IF the files are clean, you should be able to transfer them from one device to another but you cannot do it by means of a connected drive. This would have to be a transfer through a safe middleman, never letting hardware touch any device along the way.
Q: What about passwords? A: I advise people to have 3, 4 or more password categories.
1. Banking. This can be used for the majority of your banking needs. Complex, long, and never, ever used when a high-level attack is underway. Change every 6 months. Protect yourself with MFA or RSA whenever possible.
2. Email. The same applies as 1, only use a different password. If they get your email, they get your banking.
3. Social media. Use MFA whenever possible. LinkedIn and Facebook offer it.
4. Everything else. For most sites, a generic password, not found in a dictionary or super commonly guessed, should be fine.
Q: Should I use antivirus? A: Yes, they really asked me that. Macs and PCs need antivirus software. Pay for it. Make sure it is used in corporate environments. If it was built for homeowners only, run from it. What worked last year is not good enough any longer.
Q: How can I get control over my email again? A: It depends on who is hacking you. Some unskilled kid is easy to lock out. High-level hackers are not so easy. Control over your environment helps. If you have a good firewall, a clean or segmented network, limited access to that email account from only a clean computer, strong MFA and passwords, you might be able to stop the kids. Even on the best-configured systems, I haven’t seen one that can’t be hacked by a pro. Whether they get in from your devices or directly from the server over the web, it is a tough job keeping out unwanted guests. Always treat email as insecure. If you commonly do wire transfers, review the routing information. Confirm everything by voice. Keep in mind, even if your server is secure, the person you are emailing is likely not to be as secure as you. Things can still be changed before they get to you or before they are read by your recipient.
Q: Is my home router a good enough firewall? A: Great question. For the average homeowner, yes. For the average business, with things to protect, definitely NO. I’ve seen hack attempts inside the vendor-provided routers. Whether people get through the device or attack another machine inside the network and bounce off that machine, people find a way in. Let’s look at a home setup as an example: 3 cell phones, 3 computers, 2 TVs and a few connected devices. Not much to steal when they have everything backed up. Looking at a common business… 50 cell phones, 15 laptops, 5 printers, 45 computers, camera security – web-enabled (read that as web-hackable), 5 WiFi access points covering their office and an outside range of 7,000 feet in any direction. I know I left off a few devices here. This example has over 120 devices, each with several possible entry points for a hacker. And this model assumes a business class firewall with a mythical rock-solid configuration. The average homeowner has much less to worry about. For the average business – it’s time to do a review of your security.
I wish I could tell you there was a magic bullet for hacking or a firewall that would solve all your problems. The platform hasn’t been built yet and released to the public. Tight security, clean room practices in your digital life, secure backups, good antivirus, better firewalls, and identity monitoring. These are the only tools you have at your disposal at this time to be able to take parts of your life back and try to live normally when someone makes you a target.
If anyone has a change they would like to point out, send me an email. I’ll be happy to incorporate it.