Today, December 25th, Cloudflare offices around the world are taking a break. From San Francisco to London and Singapore; engineers have retreated home for the holidays (albeit with those engineers on-call closely monitoring their mobile phones).
Software engineering pro-tip:— Chris Albon (@chrisalbon) December 20, 2017
Do not, I repeat, do not deploy this week. That is how you end up debugging a critical issue from your parent's wifi in your old bedroom while your spouse hates you for abandoning them with your racist uncle.
Whilst our Support and SRE teams operated on a schedule to ensure fingers were on keyboards; on Saturday, I headed out of the London bound for the Warwickshire countryside. Away from the barracks of the London tech scene, it didn't take long for the following conversation to happen:
- Family member: "So what do you do nowadays?"
- Me: "I work in Cyber Security."
- Family member: "There seems to be a new cyber attack every day on the news! What can I possibly do to keep myself safe?"
If you work in the tech industry, you may find a family member asking you for advice on cybersecurity. This blog post will hopefully save you from stuttering whilst trying to formulate advice (like I did).
The WannaCry Ransomware Attack was one of the most high-profile cyberattacks of 2017. In essence, ransomware works by infecting a computer, then encrypting files - preventing users from being able to access them. Users then see a window on their screen demanding payment with the promise of decrypting files. Multiple copycat viruses also sprung up, using the same exploit as WannaCry.
It is worth noting that even after paying, you're unlikely to see your files back (don't expect an honest transaction from criminals).
WannaCry was estimated to have infected over 300 000 computers around the world; this included high-profile government agencies and corporations, the UK's National Health Service was one notable instance of this.
Despite the wide-ranging impact of this attack, a lot of victims could have protected themselves fairly easily. Security patches had already been available to fix the bug that allowed this attack to happen and installing anti-virus software could have contained the spread of this ransomware.
For consumers; it is generally a good idea to install updates, particularly security updates. Platforms like Windows XP no longer receive security updates, and therefore shouldn't be used - regardless of how up-to-date they are on security patches.
Of course, it is also essential to back-up your most indispensable files, not just because of the damage security vulnerabilities.
Don't put your eggs in one Basket
It may not be Easter, but you certainly should not be putting all your eggs in one basket. For this reason; it is often not a good idea to use the same password across multiple sites.
Passwords have been around since 1961, however, no alternative has been found which keeps all their benefits; users continue to set passwords weakly, and website developers continue to store them insecurely.
When developers store computer passwords, they should do so in a way that they can check a computer password is correct but they can never know what the original password is. Unfortunately many websites (including some popular ones) implement internet security poorly. When they get hacked, a password dump can be leaked with everyone's emails/usernames alongside their passwords.
If the same email/username and password combination are used on multiple sites, hackers can automatically use the breached user data from one site to attempt logins against other websites you use online.
For this reason, it's absolutely critical to use a unique password across multiple sites. Password manager apps like LastPass or 1Password allow you to use unique randomly-generated passwords for each site but manage them from one encrypted wallet using a master password.
Simple passwords, based on personal information or using individual words in the dictionary, are far from safe too. Computers can repeatedly go through common passwords in order to crack them. Similarly, adding numbers and symbols (i.e. changing password to p4$$w0rd) will do little to help also.
When you have to choose a password you need to remember, you can create strong passwords from sentences. For example: "At Christmas my dog stole 2 pairs of Doc Martens shoes!" can become ACmds2poDMs! Passwords based on simple sentences can be long, but still easy to remember.
Another approach is to simply select four random dictionary words, for example: WindySoapLongBoulevard. (For obvious reasons, don't actually use that as your password.) Although this password uses solely letters, it is more secure than a shorter password that would also use numbers and symbols.
Authentication is how computers confirm you are who you say you are. Fundamentally, is done using either:
- Something you know
- Something you have
- Something you are
A password is an example of how you can log-in using "something you know"; if someone is able to gain access to that password, it's game-over for that online account.
Instead, it is possible to use "something you have" as well. This means, should your password be intercepted or disclosed, you still have another safeguard to protect your account.
In practice, this means that after entering your password onto a website, you may also be prompted for another code that you need to read off an app on your phone. This is known as Two-Factor Authentication.
Two-Factor Authentication is supported on many of the worlds most popular social media, banking and shopping sites.
Know who you talk to
When you browse to a website online, you may notice a lock symbol light up in your address bar. This indicates encryption is enabled when talking to the website, this is important in order to prevent interception.
When inputting personal information into websites, it is important you check this green lock appears and that the website address starts with "https://".
It is, however, important to double check the address bar you're putting your personal information into. Is it cloudflare.com or have you been redirected away to a dodgy website at cloudflair.com or cloudflare.net?
Despite how common encrypted web traffic has become, on many sites, it still remains relatively easy to strip away this encryption - by pointing internet traffic to a different address. I describe how this can be done in:
Performing & Preventing SSL Stripping: A Plain-English Primer
It is also often good guidance to be careful about the links you see in emails; they legitimate emails from your bank, or just someone trying to capture your personal information from their fake "phishing" website that looks just like your bank? Just because someone has a little bit of information about you, doesn't mean they are who they say they are. When in doubt; void following links directly in emails, and check the validity of the email independently (such as by directly going to your banking website). A correct looking "to" address isn't enough to prove an email is coming from who it says it's from.
We always hear of new and innovative security vulnerabilities, but for most users, remembering a handful of simple security tips is enough to protect against the majority of security threats.
- As a rule-of-thumb, install the latest security patches
- Don't use obsolete software which doesn't provide security patches
- Use well-trusted anti-virus
- Back-up the files and folders you can't expect to lose
- Use a Password Manager to set random, unique passwords for every site
- Don't use common keywords or personal information as passwords
- Adding numbers and symbols to passwords often doesn't add security but impacts how easy they are to remember
- Enable Two-Factor Authentication on sites which support it
- Check the address bar when inputting personal information, make sure the connection is encrypted and the site address is correct
- Don't believe everything you see in your email inbox or trust every link sent through email; even if the sender has some information about you.
Finally, from everyone at Cloudflare, we wish you a wonderful and safe holiday season. For further reading, check out the Internet Mince Pie Database.