Archives

gainbacktest

How you have to protect yourself

How can I protect myself online?

Simply observing a number of ground rules increases your safety when you are online.

1. Computer software should be updated regularly. Software manufacturers release updates that close known security holes, making it more difficult for attackers to find a way into the system.

2. Installing an anti-virus program helps the computer protect itself against malware and keep it free of viruses. But the same applies here: the software must be kept up to date, because cyber criminals are always refining their methods of attack.

3. You can reduce the amount of spam you receive by using software that blocks or filters unwanted emails. And if a spam email contains a link that you can click to unsubscribe from the mailings, never, ever click on it! If you do so, you are only confirming that your email address is valid, which will lead to even more spam in your inbox. It is also a good idea to ensure that you don’t give out your email address to all and sundry. You can read how to secure your emails here.

4. Never open an email if its sender appears suspect. And do not click on links or open attachments in emails from senders you do not know or whose trustworthiness cannot be guaranteed.

5. Never send account or credit card details over an insecure connection. The URL should always begin with ‘https://’. This shows that it uses a secure protocol.

6. You should remember user names and passwords and not store them on the computer, especially not all contained in one document. You can find some tips on choosing secure passwords here.

7. Be careful when using public computers. You never know whether malware is installed on them, for example a keylogger that records all of the keys that you press. It is also best if you avoid inserting USB sticks into public computers. Remember: it was a USB stick that transferred the Stuxnet worm from an Iranian nuclear plant onto the wider internet.

8. After performing data-sensitive tasks such as online banking or shopping, ensure that you are properly logged out of the website before closing and then restarting the browser.

OK, I should ensure that my computer is properly protected. But how can I be certain that malware isn’t already installed on it?

You should ensure that a good virus scanner is installed. It recognises malicious programs and new modifications to known malicious software. Virus scanners can even find malware that is hidden in file attachments. But in this instance, the motto ‘two are better than one’ doesn’t apply. If you have two virus scanners running, they will more than likely hinder each other in their searches. Just one regularly updated program should be enough.

Are there any first aid measures that can help if my computer is infected with malware?

If your computer starts to exhibit a life of its own, you should become suspicious. Here are some typical indications that a computer is infected with malware: windows open randomly, the cursor moves all by itself, the computer suddenly seems to run much slower than usual or unauthorised payments have been taken from bank accounts.

Your first action: pull the plug! The computer should be isolated from all network connections. Therefore, the router should also be turned off. Because malware programs transmit their data over the internet (for example, snooping software such as keyloggers) or receive their instructions from the internet (such as a botnet being used in a DDOS attack), disconnecting the internet connection is the first stage in regaining control.

If you suspect that you have malware on your computer, you should run the latest version of your virus scanner. It detects trojans and other malicious software and is able to remove them reliably.  If you are suspicious of any particular program, you should uninstall it immediately. In some cases, you may only eliminate the malware’s carrier and not the malware itself.

Before the virus scanner moves from scanning the hard drive to removing malicious software, you should ensure that your most important data is backed up. The experts from netzwelt.de recommend that you also scan the backup media for malicious software, otherwise you could simply reintroduce the virus.

When you have done this, you can then begin removing the malware. If this doesn’t have the desired effect, you should then engage the services of an expert. Or you could do your own research on the internet: try and find out which malware it could be and what further steps are necessary to deal with it. In the worst case scenario, the entire operating system should be reinstalled. Although that is indeed time-consuming, it’s not the end of the world. And when you’ve done, you are free of your uninvited guests!

 

gainbacktest

How others have to protect themselves

I do my best to protect my computer and my files. But what happens when organisations or individuals online are attacked?

In the worst case scenario, even the best digital self-defence cannot help. If an organisation with a web presence is attacked, individual users of that site or service are also affected. If a bank’s server crashes, its services are unavailable for all of its customers. An attack on critical infrastructure is especially dangerous. In the worst case scenario, the consequences are not only felt in the digital world, but in the offline world too. For example, if electricity or water supplies are interrupted by a hack at a power station or processing station.

Are the authorities aware of the dangers?

You can assume so. Electricity and water supplies, transport, health, financial systems and telecommunications: today’s world is based on the same electronic control modules. They represent the connection between cyberspace and the real world. This ever-increasing interconnectedness has made us more vulnerable.

For years now, the German Federal Office for Information Security has been pointing out that critical infrastructures are still insufficiently protected. SCADA (supervisory control and data acquisition) systems can be detected by digital hackers without any great effort. They tend not to be as secure as they should be; often, the data that they contain isn’t even encrypted. SCADA systems are easy prey for hackers. This is shown by this excellent example: in 2011, the hacker pr0f gained access to the controls of the water works in South Houston. He was able to crack the three-character password in an extremely short time. This was intended as a protest against lax security precautions.

And what precautions do they take?

Ever since Estonia came under the fire of hackers for several weeks in 2007, Europe and the USA carry out exercises in order to prepare countries for digital emergencies. In 2008 and 2010, the USA’s Cyber Storm training programme tested their ability to resist an attack on critical infrastructure. The Department of Homeland Security simulated breakdowns of the communications, transport and energy networks. The exercises revealed that the USA’s digital defence walls were in no real position to withstand an attack.

Cyber Europe 2010 was a programme that simulated an incremental breakdown of the internet connections in European countries, affecting essential online services and making communication between countries increasingly difficult. The training was organised by the European Network and Information Security Agency (ENISA). Two years later followed Cyber Europe 2012, which simulated a botnet attack on government servers, the private sector and individual users. Several hundred security experts had to deal with over 1,000 incidents that not only paralysed banks’ payment systems and telecommunications systems, but also brought the worlds of politics and the media to a standstill. The aim of the exercises is to detect weaknesses, both in the systems themselves and in crisis management procedures, so as to learn lessons for the future.

In Europe, there is also the European Defence Agency (EDA), which was founded in 2004. It is responsible for defence planning, procurement and research, including in the realm of cybersecurity. In this respect, the EDA is carrying out research in the field of cybersecurity, and aims to establish an early warning system that can detect any weak points so that any security holes can be patched as quickly as possible.

However, these exercises are not always enough. Many businesses are simply not well-enough prepared for any possible online attack. Recent incidents like malware infecting a Japanese nuclear plant control room demonstrate that many operators of industrial facilities still underestimate the dangers facing them from the internet. There are even some system operators who are aware of the security holes in current control systems, such as SCADA, and yet who ignore these dangers. This is what made it possible for the USA and Israel to implant their Stuxnet worm in the Natanz nuclear plant in Iran. Unfortunately, it cannot be ruled out that the west will come into the sights of hackers. Security researcher Kyle Wilhoit’s experiment proves this: he created a simulation of a virtual system for a hydroelectric plant, and within a month, had recorded 39 attacks on the control system.

 

gainbacktest

Useful Technology

I don’t want to install countless programmes on my computer. Is there an all-in-one solution?

Yes, there is. Some providers tie mail, browse and chat applications into bundles. Which basically means that you’re giving all your data into the hands of a single provider. In the end you’re always putting your data into the hands of an unknown third party.

One of these applications is Ipredia OS. It is a Linux operating system for anonymous web browsing, email, chat and file sharing. Ipredia uses the I2P anonymous network to ensure a safe connection.

The software Tails also ensures a good protection against any digital attacks. It is an alternative to the TOR Browser Bundle, which enables anonymous browsing as well as secure emailing and chatting

The Amnesic Incognito Live System (short: Tails) aims for the users protection and anonymity. The software is for free and has to be booted via DVD, USB flash drive or SD card. Tails directs all outgoing traffic via the TOR network. It disguises the user’s IP address by transferring all requests to several servers. In addition to that, Tails includes the add-on HTTPS Everywhere. This browser extension establishes a secure HTTPS connection to any accessed website as long as the site supports HTTPS. This way sensitive data can be transmitted safely via the internet. Furthermore, Tails sends encrypted emails by using PGP.

I can secure my computer – but what about my smartphone?

No worries! There are multiple solutions for this matter as well – however, they come with restrictions. In the case of smart phones, there are good programmes to encrypt emails and ensure safe browsing and chatting. Someone who cannot do without cool apps will always have to accept certain security gaps on his phone. Apps like Snapchat or Instagram hardly conduct a safe data transmission.

The App CilentPhone ciphers phone and video conversations and uses a peer-to-peer connection. The service is not for free though. The service comes to a montly fee of almost $10. A package that comes with encrypted text messaging comes with a higher fee.

Still not enough? In that case, just installing software won’t do – the hardware has to be prepared against attacks as well. iPhones or Android phones can be upgraded with, for example, a headset that encrypts each conversation separately. However, it’s not completely safe if you still use apps. And again, both parties have to use this upgrade to ensure a secure call. If you want to play safe, you need an alternative to the common smart phones – but those are pretty expensive. The high security devices by GMSK (Germany) or Bull (France) are used by secret services and cost about four to five times as much as current smartphones.

gainbacktest

Safe Browsing

What’s important?

What applies to precautions for mailing or chatting is also valid for surfing the internet: do not disclose sensitive data via open channels. If you want to shop online and use online banking, do so by establishing a HTTPS-connection which uses a secure SSL-protocol. The protocol ensures that both the sender and recipient are not posing for somebody else. This security measure protects you against phishing and other frauds. Of course you should never offhand download files if you want to prevent Trojans or worms from infiltrating your system.

What can I do to prevent other people tapping into my web activities?

When it comes to securely transmitting sensitive data browser extensions like HTTPS Everywhere are entirely sufficient. The add-on tries to establish an encrypted connection with every website you visit. Usually the browser connects to the server via HTTP, but a lot of websites additionally support HTTPS requests. These ensure encrypted data transmissions and the authentication of your communication partners. HTTPS Everywhere always establishes a HTTPS-connections, if the website supports it. By now, there are several apps with which users can prevent the recording and analysis of their browsing habits. A lot of websites collect user data in order to use those for commercial purposes. Free browser extensions like Ghostery or Do Not Track Plus might help keeping your data private. If you want to surf the internet completely anonymous, you will have to go one step further: the TOR software functions as a cloak of invisibility on the internet.

How does it work?

TOR encrypts your IP address and therefore enables complete online anonymity. This way neither your provider nor the target page can retrace your network activity. If you navigate your browser to a website, it always runs via several servers (usually three or more), which only recognise their direct precursor and successor. With each intermediate stop, the IP-address changes. This method ensures the maximum possible anonymity for the sender and the recipient. If an unauthorised third party intercepts the connection, they are not able to trace back to either one of them. As soon as you navigate to another website the connection is established via whole different servers – this way the conversation cannot be logged. You can find a manual on how to install TOR on the provider’s website (for operating systems Windows, OS X and Linux).

How do I protect my data when I am using someone else’s computer?

TOR does not exclusively come in the home edition but, so to speak, is also available to-go: The TOR Browser Bundle features a browser, the TOR-client and a user interface. The bundle fits on almost any USB flash drive and is thus easily used on another person’s computer. In addition, you can run the The Amnesic Incognito Live System (Tails) from your USB flash drive as well. This software is for free and forces all connections to the Internet to go through the TOR network. You can also encrypt your emails and all instant messaging conversations via Tails (more about that in “Useful Technology”)

Are there any limitations if I use TOR?

Anonymity has its price. The browsing speed is throttled albeit bearable. TOR uses entirely different fonts and deactivates Flash content – this includes YouTube and Vimeo videos.

,,,,,,,,,,,,

What’s important? What applies to precautions for mailing or chatting is also valid for surfing the internet: do not disclose sensitive data via open channels. If you want to shop online and use online banking, do so by establishing a HTTPS-connection which uses a secure SSL-protocol. The protocol ensures that both the sender and recipient […]

gainbacktest

Safe Chats

Are there any risks and threats using instant messaging clients?

Mostly chat programmes do not enable encryption. Messages sent via instant messaging could easily be read by unauthorised third parties. Scammers could intercept personal data and potentially use it for social engineering later on. The transfer of data is rather unsafe as well. The computer can easily get infected by a virus or a Trojan, not least since chat rooms barely encrypt user data. For scammers it is an easy matter to gain access to passwords and to assume a fake identity.

So what can I do?

For starters, it is important not to disclose any sensitive data in chat rooms. Login- , bank- or credit card data should not be given to anyone via instant messaging. It is advised not to send or transmit files. It is safest to ensure that all messages are encrypted and communicating parties are not to be found out by unauthorised third parties.

How does it work?

The magic word is Off-the-Record Messaging or – abbreviated – OTR. It is a protocol that encrypts chat messages. Moreover, it ensures forward secrecy (the session key cannot be compromised): just like a personal conversation, the online conversation is between the conversation partners, thus no one is able to reconstruct the messages sent. You will find an instruction on how to use OTR to initiate secure messaging sessions in Pidgin on the following website.

Does it work with smartphones, too?

Sure it does. However, you will have to do without applications such as Whatsapp & Co. An alternative app is myEnigma Secure Messaging which you can download for Android based systems and iOS for free. Using a valid mobile number and email address allows you to register and login. Once the app has been successfully installed, myEnigma scans your contacts for users who use the service as well. The principle of email encryption also applies to instant messaging: only if both parties use the same service, a secure instant messaging can be provided. MyEnigma provides the same functions as Whatsapp & Co.: texting and sending multimedia attachments is no problem. The only downside to this app: you will have to do without smileys.

,,,,

Are there any risks and threats using instant messaging clients? Mostly chat programmes do not enable encryption. Messages sent via instant messaging could easily be read by unauthorised third parties. Scammers could intercept personal data and potentially use it for social engineering later on. The transfer of data is rather unsafe as well. The computer […]

gainbacktest

Set a Serious Password

How to crack a password?

Usually passwords are cracked via online theft. A tremendous amount of user data is continuously “disappearing” into the internet, and unfortunately this also includes passwords. Adobe and Snapchat have been the most recent cases of such security breaches. Normally, passwords are encrypted and can only be cracked by a method of trial-and-error (brute-force-attack) – the feasibility of an attack is only a matter of time. If you want to check how long it would take someone to decode your password, please visit this website. Creating a long and rather unpredictable password obviously might give you an advantage. However, as soon as the password has been stolen, it’s for your own protection to close any security gaps, especially if the password has been repeatedly used on other websites as well. The second most common method for cracking passwords is spying, for example – keylogging or phishing. Nevertheless, in this case the password’s complexity and unpredictability hardly matters – see last paragraph.

How to create a strong password?

For a password to be considered “strong”, it has to be long (more than eight characters, if possible more than twelve), new (should not be used longer than a year), globally unique and last but not least, hard to guess. Names, birthplaces, numerical codes (birthdays, phone numbers, 123456), as well as words listed in a dictionary are considered to be weak passwords, as combinations like this can easily be guessed. Passwords used on multiple websites are also not safe. Here’s an example of a good password: „!Lya_mm3$#ObAsAck:Vay“. If you’re going to use this exact password from now on, please know that it’s at your own risk. It  has been made public and is therefore considered weak.

How to create a password to remember?

You might have to use a mnemonic device. The creators of the Mozilla browser wrote an article on this particular matter. The trick is to choose a phrase or a favorite quote, shall we say “Adversity is the first path to truth.” (Lord Byron)? Pick the first two letters of each word and alternate between upper and lower case, in this case it would be “AdIsThFiPaToTr”. According to http://www.howsecureismypassword.net/ it would take a desktop PC eight million years to hack this combination. Add some special characters (“?AdIsThFiPaToTr*”, approximately 70 million years to hack) and with this the first part of your new password is now complete. To generate the second part, set your own rules and couple the name of the website in question with the year you registered, for example – one digit, one letter (Facebook would turn into „2f0a1c4“). Combine it with the first part of the password (“?AdIsThFiPaToTr*2F0a1c3″) and it would take approximately 30 octillion years for someone to hack this password combination.

Can I at least write it down?

The idea doesn’t seem to be unreasonable and some experts agree that it might be the lesser evil (this article gives a recap of the discussion). At any rate, writing down your password is better than using a weak one or the same password for several websites. Of course there is an apparent downside: you could loose the note or it might fall into the wrong hands. Still, to secure a copy of the note in a sealed envelope in a safe location might prevent the chance of losing it.

Isn’t there an app for that?

Sure, there are a whole range of useful apps and little tools. You only have to remember one password in order to access a list which features a number of your highly complex passwords. Most applications have the option to generate a random but secure password. Usually the app automatically stores the created password in the clipboard, all you have to do is paste it into the password field. Roboform is a highly recommended and easy-to-use tool. You can find a comparative overview on tools with similar features on PCmag and Information Week. Security expert Bruce Schneier created a tool for his own passwords: download the open source software Password Safe here. Most tools enable you to save encrypted passwords and even transfer those from your computer to your smartphone. Of course it is still possible for someone to intercept your data during the process. Nevertheless, you’d be safer this way than repeatedly using the same password on various websites.

I’ve created a strong password – am I good now?

Absolutely not! A password which can not be intercepted or snooped on by an unauthorised third party has yet to be created. Maybe your computer is bugged. Maybe some malware sends your every keystroke to a hijacked computer on another continent. Or maybe the website, which required you to enter a password, could’ve already been hacked a long time ago. In order to prevent such a scenario, you’d need much more than a strong password, for example -  a fingerprint or an authentication via text message (two-factor-authentication).

,,,,,,

How to crack a password? Usually passwords are cracked via online theft. A tremendous amount of user data is continuously “disappearing” into the internet, and unfortunately this also includes passwords. Adobe and Snapchat have been the most recent cases of such security breaches. Normally, passwords are encrypted and can only be cracked by a method […]