In the tech realm, a new year brings new gadgets — and new worries about cybersecurity as more and more security breaches are revealed.
The most recent scare, called Spectre or Meltdown, involves vulnerabilities to processing chips that date back to 1995, resulting in billions of devices that are susceptible to intrusion, says Jason Koebler, editor-in-chief of the online publication Motherboard.
“What it does is it allows hackers to gain access to the kernel of the device, which is the system memory that usually a user wouldn't interact with and it allows the hacker to basically knock down the wall between the system memory and the user's memory, so they can access pretty much anything on your device,” Koebler says.
From a holistic perspective, the chip issue is more of an infrastructure issue for large companies as well as ATMs and other devices that regularly updated, Koebler says. Still, private citizens should be diligent about updating their software whenever they are prompted to do so.
“The best thing you can do to protect yourself is to make sure you're updating your software and hardware as often as possible,” he says. “So, if there are new firmware updates or something pops up on your computer or says ‘update this,’ you should probably do it even if it seems pretty annoying.”
Micah Lee serves as a security engineer and open source software developer for The Intercept online news publication. When it comes to cybersecurity, Lee says that people should visualize what he refers to as “threat modeling,” and then act accordingly.
“The simple fact is that it's impossible to predict everything,” Lee says. “It's really just how much effort you want to put into protecting stuff, so it really makes sense to figure out exactly who you think might be after you or your information and what's important to you to protect and then focusing your energy on that.”
Here are some other tips and bits of insight from Koebler and Lee regarding cybersecurity:
Use a password manager: Although one of the best practices for the longest time was to come up with an extremely complicated password for each account with special symbols and a balance of lowercase and uppercase letters, Koebler and Lee both recommend installing a password manager such as LastPass or 1Password, both of which use one master password to unlock their capabilities. “It’s impossible to remember 300 different passwords, but the password manager remembers it for you,” Koebler says.
The key is to create a master password that is easy for the user to remember but that is secure and not easy for an outsider to guess, Koebler says, and commit it to memory.
“It could be a sentence from your favorite novel or poem … something that you'll remember, is long, not easily hacked, but it doesn't need to be a lot of symbols,” he says.
“This is one of the most important things that I think everyone should do regardless of your threat model because the rationale behind it is that the worst thing you can do with passwords is reuse them,” Lee adds.
Use two-factor authentication: Instead of needing to just have a password, a user must have a second way to verify his or her identity. In most cases, this is a code that is texted to the user’s cell phone.
“Two-factor authentication makes your life slightly more annoying but it makes your accounts way more secure,” Lee says. “It's the best way to protect yourself against spear phishing,” which is an email attack targeted at a particular individual or business, “or if your password is somehow stolen.”
Use a VPN when using public Wi-Fi: Koebler recently tested a series of VPNs (virtual private networks) to see if they would slow down his internet speed. He found out that in most cases, they did exactly that. Given his findings, he does not recommend using one when inside one’s home or using another secure connection.
When using public Wi-Fi, such as at a coffee shop or restaurant, Koebler says that a VPN is a must, but be wary of choosing one of the free ones. “The reason for using a VPN would be to protect your privacy,” he says, “and many of the free options sell your data. So they are changing your connection, but they are selling your data to a third party on the other side.”
Two services that Koebler recommends are Freedome and Private Internet Access. Lee adds that he recommends the service provided by Mullvad.
Realize that Alexa, Siri and Google Home may always be listening: Although personal service assistant devices such as Amazon’s Echo and Google Home have become very trendy living room additions, Lee says that consumers have a right to be “fearful” that the devices could be sending whatever is being recorded right back to the mothership.
“I don't know if they're necessarily that much of a security risk, but they're definitely a privacy risk,” Lee says. “You should consider, do you want recordings of what you're saying in your living room to be stored on a computer somewhere else that you don't own?”
Koebler says that it’s important to consider the business models of the companies involved. For instance, Google is primarily centered around advertising. Amazon’s big focus is selling products. A company like Apple, by contrast, has made security and privacy core to its business model in a way the other two have not, he says.
“I think the difference between security and privacy is ‘Are you going to get hacked?’ versus ‘Are you going to get advertised to?,’ which I don't know if that's fair or not but that's the way that I personally look at it. And I think you know Google is always trying to sell you something. But … it takes itself very seriously when it comes to protecting that data.”
This article is based on an interview that aired on PRI’s Science Friday with Ira Flatow.