There’s no shortage of panic-inducing security news, such as flaws in web encryption that could allow attackers to slurp up your banking information. Then there are the proof-of-concept attacks. Security researchers seem to find hacks for every new Apple product within days, such as making a cast of someone’s fingerprint with glue to fool the iPhone’s Touch ID sensor.
But sensational attacks require a lot of work, and luck. Hackers save them for giant corporations and governments, not individuals or small companies. “It’s interesting to read the stories, but you don’t really need to worry about an elite squad of cyber soldiers going after your machine,” says Patrick Nielsen, senior security researcher at antivirus company Kaspersky, and one of four security experts I spoke with to sort the media hype from the real dangers out there.
All four had similar answers when I asked them to name the main security threats. The biggest dangers I culled from their input are data breaches, unsafe Wi-Fi networks, and mass-distributed malware that takes over a computer.
In December 2013, hackers stole credit and debit card numbers of about 40 million customers from Target. In February 2015, health insurer Anthem revealed that attackers had gained personal information for about 80 million customers. This month, hackers stole records from up to 37 million members of AshleyMadison, an online dating site for cheating spouses.
There’s no point breaking into someone’s personal computer when the data of millions of people are stored on servers owned by a mega-corporation like Home Depot or a government agency like the Office of Personnel Management.
Individuals and businesses can’t do anything to keep a big target with their data from getting hacked, but they can limit how much information is in there. Volunteering information about turn-ons and affairs to an online database is not a good idea. And don’t pay by debit card, says Robert Hansen, VP of White Hat Security. “When you lose your credit card, you lose the ability to transact with that credit card, nothing else,” he says. “When you lose your debit card, you lose control of your banking assets.”
Even a breach at a minor site can be dangerous, because it provides access to usernames and passwords that people re-use for more important sites, like their bank. A 2014 study by the University of Illinois, Princeton University, and Indiana University called “The Tangled Web Of Password Reuse,” estimates that about half of people recycle passwords. That seems conservative. “Nearly everyone uses the same passwords on different services,” says Nielsen.
It’s not an easy problem to solve, according to a study called “Password Portfolios And The Finite-Effort User” by Microsoft Research and Canada’s Carleton University. “Mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows,” said the report. More realistic, it said, is to develop strong, unique passwords for important sites, and weaker, reused ones for the others.
One of the meanest things someone can get on their own computer is ransomware that locks the machine until the owner pays up. “That’s where the cybercriminal community get the most of their money,” says Chase Cunningham, threat intelligence lead at security firm FireHost (now Armor Defense). Ransomware has also evolved into blackmailware. Cybercrooks can find juicy material on the computer, like incriminating photos, then demand payment or favors to keep it secret.
“Ransomware combined with blackmail is . . . a great way to get access to corporate environments,” says Cunningham. “I’ve seen a case in the past in which [crooks] say, If you don’t want your wife to know what you were doing in Vegas, you’d better give us access to your VPN.”
Ransomware or other malware often gets on to computers the old-fashioned way: Fifteen years after the ILoveYou worm, people are still clicking on infected attachments in emails. And bogus links in emails go to sites riddled with malware that automatically infects a system in what’s called a drive-by download. Even legit sites host malware that slips in through the automatically placed ads that are becoming the lifeblood of online revenue. A massive infection in late 2014 hit about two dozen sites, including Yahoo, AOL, and The Atlantic. “It’s very easy to sneak stuff into ads. The advertising industry is not very good about filtering that stuff out,” Cunningham says.
Ad-blocking software can fix the “malvertising” problem, but that’s an uncomfortable topic for any company that makes its money through advertising—from news sites to mighty Google and Facebook.
Banking trojans infect people’s web browsers as drive-by downloads and take over their bank accounts, performing transactions without the user knowing, Jerome Segura, senior researcher at security software maker Malwarebytes, told me in an email. Mass infections from email attachments and drive-by downloads are also turning computers into nodes in botnets—tens of thousands of machines commandeered for jobs like churning out spam email or launching distributed denial of service attacks on websites. “If you did a pretty in-depth analysis [of any computer], chances are good you’d see some kind of botnet that’s been there in the past,” says Cunningham.
Antivirus or anti-malware has a good chance of stopping trojans from infecting computers, or eventually removing them once anti-virus companies learn how to recognize a new threat, said Nielsen.
Public Wi-Fi networks are the public toilets of the Internet—conveniently located, but likely to cause infections. One danger is that you don’t know who else is on the network. “A lot of hackers visit coffee shops,” says Hansen. They might just find it fun to poke around.
A bigger danger is that the network is not what you think it is. “For $50, I can grab a system that mimics any Wi-Fi network around,” says Cunningham. Instead of expending effort to snare one person sharing the real café network, hackers can trick the whole café into logging onto the bogus network.
And it’s not just free Wi-Fi. Many hotel networks can be managed remotely from a cloud interface, a vulnerability which hackers can leverage, even if they are miles away. A common trick is to push out alerts for bogus software updates, like the constant Adobe Flash player notifications. “We actually recommend updating [all your software] at home and then not updating when you’re away from home or on any public network,” says Nielsen.
If you have to use public Wi-Fi, connect through a virtual private network (VPN), says Cunningham. Many companies provide a VPN connection and even require employees to use it, and VPN services for individuals cost less than $10 a month. There’s also the option of using a smartphone as a personal Wi-Fi hotspot, though that may require upping your monthly data plan.
Internet security, for most of us, is pretty dull—centered on routine attacks that utilize infected attachments, dubious links, lousy passwords or compromised Wi-Fi. But those boring threats fund a multibillion-dollar industry that can ruin individual lives, and even companies, through theft, extortion and espionage.
Even as sensational hacking stories grab the headlines, keeping safe is about sweating the small stuff. “The drama is on this new advanced tech,” says Nielsen. “But where you should be putting attention is all the boring stuff . . . making sure your software is up to date, running security software, trusting your instincts when you get an email.”
This article has been updated to reflect the renaming of security firm FireHost.