Protecting Yourself

Here we collect together what we feel are some of the key pieces of advice for personal cyber safety. This isn't an exhaustive list and should be used as one source only; pay attention to changes and trends that might invalidate the points made here.

We hope that the whole course has given you the knowledge you need to be safer on-line, and the points below are merely reminders!

General advice on staying safe on-line can be found on the National Cyber Security Centre's website at https://www.ncsc.gov.uk/section/information-for/individuals-families

Passwords

This first piece of advice is a slightly contentious one. Use a password manager.

It is true that the most secure passwords are those that are never recorded anywhere in plain text, but it is also true that using the same password for multiple services lowers security and, with the number of services we all use daily, it is almost impossible to keep a unique password for each service in our minds.

Most security professionals today seem to recommend the use of a password manager. This piece of software is often integrated into your devices and stores your passwords for each service, so that logging in is simple as long as you know the master password. Of course, this makes it a juicy target for hackers, and a forgotten password can be daunting if it is the master password. But it stops password reuse and encourages stronger passwords to be used.

On the Web

The web is a hostile place. It looks friendly enough, but even the most benignly-intentioned website can have security flaws that cause your data or credentials to become exposed. So, the first piece of advice in this section is:

Share the smallest amount of personal information you can. Every extra piece of info is something that could be used to forge your identity, guess credentials or find some other value in your data.

Adverts on the web come from multiple sources. Quite often, the website owner has no idea what will be displayed in the advertising portion, and there have been many cases discovered of malware inside those adverts. When you click, you might find yourself taken to sites where, at best, little effort has been spent on security.

Finally, wherever possible use multi-factor authentication. This simple idea adds a second layer of security by requiring you to log in with your password as usual as well as another factor. This second factor can be one of a number of things. It could be as simple as clicking a box on your mobile to confirm you are the correct person (because only you have your mobile...) or as complex as having a special device that will tell you which letters and numbers to press before you can continue. If someone sees your password, this second layer of authentication should make it very difficult for them to compromise your account.

Man-in-the-Middle and Eavesdroppers

Our final section on advice is to be aware of the dangers of unencrypted traffic and public WiFi.

Public WiFi is fantastically useful but also potentially hazardous. Most public WiFi access points don't prevent other users from claiming to be the website you want to log in to. In fact, they are likely to direct your traffic to the hostile machine, which will then process your data before sending it on to the real recipient. This last step is useful for maintaining the illusion: without it, you would most certainly be greeted with some sort of error and be alerted to possible issues.

What this means is that on public WiFi networks, you should always be suspicious of websites even if they look "normal". The lock icon indicates secure communication, but your browser might not be able to guarantee to whom you are talking securely.

The best advice is to avoid logging in to anything critical from public WiFi access points and make sure you use different passwords for all accounts. If one account does get compromised, you don't want it to lead to all of your others being compromised too. If you know how to do it, you can also use a virtual private network (VPN), which is getting easier and easier to do with a number of companies selling simple VPN services.

Unencrypted traffic refers to any communication that is not secured and made private by encryption. In the public WiFi scenario above, any traffic you send unencrypted will be potentially visible to all other patrons. Even worse, your data is visible to the owners of all of the devices your data travels through to get to its destination. This could be twenty different people in different parts of the world! So, even if you're not in a coffee shop, if your data is insecure, it can be read by someone else.

This is why we use HTTPS. The S on the end tells us that the communication is secure in the sense that it is encrypted by your browser and decrypted by the server. Nobody in between can read it.

When using websites, look for "https" at the start of the URL, or the lock icon to the left of your address bar, to check if the website is secure. If not, you have to decide if you want to keep using it. If it's a website about hamsters and you don't have to log in to use it, you might not care very much. If it is something you have to log in to, or you are reading something that you would rather people not be able to eavesdrop on, then you might want to see if HTTPS is an option or find another site.

Some sites let you choose to use plain HTTP or HTTPS. Try changing "http://" to "https://" in the bar. Many browsers will do this automatically these days for any site that can use encryption, but it doesn't hurt to check.