A while back near the end of a Zoom call with old friends, the conversation briefly drifted to a thing called Log4J, because it was a trending news topic at the time. If you don't know what Log4J is, don't Google it; You'll only get depressed. Tl;dr: It's a recently-discovered, widespread computer vulnerability that will flush all of your data down the toilet. It's really bad. Now you're depressed anyway. Sorry about that.
One friend asked what we can do to protect ourselves from crap like Log4J. Another friend's husband, who's an IT geek like I used to be but far more talented I'm sure, responded with "nothing". I agreed with him then, and I still kinda do, but that "nothing" answer has bugged me ever since. On one level it's true; Your data is like your car; If the bad guys want it bad enough, they're gonna steal it. (I'm safe in the knowledge that no one wants to steal our 2003 Subaru.)
Anyway, there are things that we can do to slow down the bad guys, and that's what this post is about. There are tons of "best practices" security articles out there, and I've read too many of them, and they're mostly bewildering and depressing. From all of the ponderous crap that I've ever read, I've compiled a short list of stuff that I've decided to try in order to save my digital life. If my list can be of benefit to you, you're welcome to it. Here's the tl;dr version:
1. Get a YubiKey.
2. Install Google Authenticator for Android or IOS on your phone.
3. Get 1Password.
4. Protect yourself from a SIM swap attack.
5. Get Bitdefender.
6. Get two external backup drives.
7. Never use removeable media to share files with someone else. Use one of these methods instead.
Have I done all of these things myself? Hell no. I'm way too lazy for that - but I'm trying. Maybe not everything on this list applies to you; I feel a special camaraderie with folks who are small biz people like I used to be; If you earn your living with the stuff that's on your laptop, you may wanna seriously consider doing all of these things. There are quite obviously a lot of threats besides Log4J out there, and they've proliferated exponentially during the pandemic, since so many people are working from home where computer security is especially lousy.
This list is by no means complete, but it's my idea of what is doable by the common human, even if some of these steps are a pain in the ass. Keep reading in the following section in case you have absolutely nothing better to do and you want to know more.
tl; but read this anyway:
Keys, Authenticators, and Sim Card Protection
"But what if I lose it?" you're gonna ask. Well, there's always a backup plan, and that's a part of the problem. Most places use SMS text messages to your phone as a primary or backup 2FA method. That sucks, because plain text messaging can be vulnerable. Sometimes the bad guys can convince your mobile carrier to switch your number to use a SIM card that they control. If that happens, your life can become quite miserable for all of the obvious reasons. Fortunately, mobile carriers are getting a little better at stopping such things. T-Mobile added an extra layer of SIM card security after they had two (yes, two) data breaches last year. And of course we have T-Mobile phones, and of course we were notified that all of our personal info had been compromised, and so of course we signed up for the extra T-Mobile protections. I'm reasonably happy with those safeguards so far, but I do my best to avoid the use of SMS for any kind of 2FA. IMHO, a Yubikey with an authenticator app as a backup is what everybody should be using. Some of our financial institutions allow that; Some are maddeningly resistant to change. I keep pestering those hidebound businesses who refuse to change to find a better way; Wish me luck. Maybe join me by pestering them yourselves?
When we can't use a Yubikey, we use Google Authenticator for primary or backup 2FA, and it's just fine. I've used Microsoft Authenticator in the past, and it's just fine, too. You probably don't need a paid authenticator app like Duo or LastPass, but hey, that's up to you. Check them out here if you wish:
Here's the T-Mobile link about account takeover protection. If you use a different carrier, please do seek out similar info from them. It's kinda important.
Password Managers
Picking a password manager was a tough decision, because there are a lot of very good ones out there, and the "best of" lists keep shifting. After reading countless articles I've finally settled on 1Password because it's consistently on everyone's top 5 list and hey, it's a Canadian company. (My wife is Canadian, eh?) If you want to shop around yourself, here are some recent reviews from sites that I trust:
https://www.tomsguide.com/us/best-password-managers,review-3785.html
https://www.wired.com/story/best-password-managers/
https://www.pcmag.com/picks/the-best-password-managers
https://www.cnet.com/tech/services-and-software/best-password-manager/
What finally convinced me to go with 1Password was this article from the Wirecutter section of the NYT, which may be paywalled. BTW, some of the Wired links may be paywalled too; I highly recommend that you spring for a subscription, 'cuz Wired is great:.
The Wireutter article mentioned all of the same sites that I've listed here, and that made me feel good. Wirecutter likes Wired, PCMag, TomsGuide, and C|net, and so do I. Of those Wired and TomsGuide are my favorites for all things tech; Jimbob sez check 'em out.
Antivirus Software
I hate talking about antivirus software. You hate reading about it. Just go install BitDefender and be done with it.
Still here? Then you're probably one of those people who has a PC and thinks like me that Windows Defender is plenty good enough, and that you shouldn't bother with anything else. And you'd be right. But, it's complicated. If you don't mind a bit of geekiness, read on.
If you do use Windows Defender, please make sure that you do a regular *full* scan. Yes, it takes a lot of resources. Yes, Microsoft will tell you that you don't need to do a full scan. Yes, you should ignore them. Just run a full scan when you know that you'll be away from your computer for a while, or schedule it to run at night. Windows runs a regular scan as a scheduled process, but it often fails. From my days as a geek I have several laptops running different versions of Windows, and the scheduled process fails on most of them most of the time. If you want to read about the problem, just Google this phrase: "Defender (0x2)".
One solution is to regularly run a manual full scan. Here's how.
Another solution (which appeals to me because I'm lazy) is to schedule your own full scan. This article tells you how, but it's a bit geeky. Scroll down until you see the header, "Schedule a Windows Defender Antivirus custom scan."
Just make sure that you add the arguments "-Scan -ScanType 2" as described in step 15.
Why do you need to run a full scan? Mostly because the bad guys are getting a lot better at hiding malware inside of MS Office documents (Word and Excel, mostly). These threats are no longer just of the old-fashioned macro type; You probably know enough to not enable macros when opening Office docs from an untrusted source, but some newer threats are embedded into the docs in a different way. I won't bother to talk about how just now; This topic is depressing enough as it is. Just know that you need to scan everything, and often, and that you should trust no one.
How often should you schedule a scan? Every night, why not? You never turn your computer off anyway, right? At least do it once/week. NB: There is a probability that Windows Defender will return a false positive once in a while; When it does, you're gonna freak out like I have because the error message that Defender returns will be very scary. What do you do then? Call everyone you know and scream that maybe they gave you or you gave them a virus? Sure! Then go stand up in a crowded theatre and scream that there may be a fire! Just delete or quarantine the file in question and scan again. If you haven't already opened it, nothing bad can happen. That's why it's also a good idea to right click on any file that you receive and select "Scan..." before you open it. All antivirus systems allow you to do that. If you've deleted a suspect file, scanned again, and your software still detects a problem, then you can start screaming. And at that point you should seek the help of a good geek. I'm serious.
BitDefender
If you don't wanna bother with all of this geeky stuff, or if you have a Mac, consider getting BitDefender. It works well on PCs and Macs. The chatter on the internets is that Apple's intrinsic antivirus software is archaic, and it doesn't provide adequate protection against the ever-rising threat level. As with everything else there are an infinite variety of third-party options out there; I decided on BitDefender for my wife's Mac because it's very good, and it imposes the smallest burden on resources of any major AV package. You can read about it here.
Update 1/28/2022: When I first wrote this article, I added a very cavalier paragraph. Here it is:
"If you use a Chromebook or a Linux machine well then, good for you. You don't really need to worry about antivirus software. Go worry about something else. You probably should still get BitDefender for your phone though; It's lightweight and works well on Android or IOS devices."
Well then, guess what happened. A long-dormant, very serious flaw was discovered lurking in most major Linux distributions. If you're a Linux user then you don't need any advice from me about antivirus software, but you do have my sympathies. Like the rest of us, you're learning that you can run, but you can't hide. Sigh.
Air-gapped external hard drives and ransomware
For maximum protection against ransomware, get two external hard drives and back up everything on a regular basis using a father-grandfather backup scheme. Keep the drives disconnected when you're not backing up your files. An air-gapped backup is your best protection against ransomware.
What about the new anti-ransomware features that are now baked into Windows? They're a pain in the ass. Use them if you wanna, but I think that you'll discover, like I did, that regularly backing up all of your stuff onto two external drives is less of a pain in the ass, even though it requires a bit of discipline.
Why two drives? And why can't you just use Windows OneDrive, Google Drive, or some other automated cloud storage? Well, the horrible possibility is that, if you get infected by ransomware, it may encrypt all of the files in your cloud storage too. There is also the unfortunate chance that if ransomware sees an external backup drive connected to your system, it may clobber that as well. It may even wait to pounce until it sees that you're trying to back up your stuff. Yes, the bad guys are getting that good. The really scary and depressing thing about ransomware is that it's usually designed to "lurk" on your system before it acts. It will probably upload all of your stuff to some server somewhere in a distant time zone, and then encrypt your whole drive, and then demand that you pay some bitcoins to some shadowy someone. That's one of many reasons why I hate cryptocurrencies. But that's a different topic for a different rant.
Most likely you'll be able to find very affordable, very large capacity solid state hard drives (SSDs) with USB3. That's what I recommend that you get; SSDs with USB3 make for very fast backups of very large data sets. But if you're like me, the amount of data that's really critical to you isn't very large anyway.
If you're lucky, the backup drives that you buy will come with some backup software; Windows backup really sucks. If you need something for a PC, try the free version of fbackup - It works just fine:
https://download.cnet.com/FBackup/3000-2242_4-10907579.html
or
https://www.fbackup.com/download.html
Fortunately for Mac users, Time Machine works just fine:
https://www.switchingtomac.com/tutorials/osx/backup-your-mac-using-time-machine/
If you're using Linux you're probably a far better geek than I ever was, and you don't need any advice from me about how to do backups.
Really, though - If your laptop is your life, please consider using air-gapped backup drives to safeguard your stuff. Please.
Swapping external media with other humans
This is something that I've been too guilty of too many times. My New Year's resolution for 2022 is to never do it again. Why? Well, be it a memory stick or an external hard drive, when you stick the male USB thingy of a device that's been with another computer into the female USB thingy of your computer, it's like your computer is having sex with the other computer, and with every other computer that the other computer has ever had sex with. Unless you put a condom over the male USB thingy before you insert it into your female USB thingy, you're running the risk of infection.
Of course you can help to prevent problems by disabling autorun for removable drives on a PC - Here's how:
https://www.techrepublic.com/article/how-to-disable-autoplay-and-autorun-in-windows-10
So, do that, but just don't swap removable media with anyone ever again anyway - No matter how much you trust them. Example: My long-suffering accountant, bless his heart, is a great guy but not the most tech-savvy person I know. He's done our company taxes for years; Long ago before the advent of real cloud storage I tried to set up a way to transfer our company QuickBooks file to him securely over the net. After he gave me enough deer-in-the-headlights looks I just gave up and handed the books file to him on a USB stick. Once I fell into that bad habit with him, I just kept on doing it. For years. Because I'm lazy. I did it again last year, and ever since I've started to feel guilty about it. Finally. The threat goes both ways of course; I don't know who's been with his computer and he doesn't know anything about mine. That's as it should be, but we simply shouldn't exchange files that way anymore. USB sticks are banned by a lot of big companies now, for all of the obvious reasons. It's just not good practice to use them for data exchange, and I'm just not gonna do it anymore, no matter how difficult it is for me to get our files to him. It should actually be a lot easier now; OneDrive, Google Drive, and third party systems like Drop Box all work pretty well. I should have set that up with him long ago, but better late than never.
One more lament before I go. Sometimes I'm glad that I'm old. I'm glad that I'm retired, and I'm especially glad that I'm out of the IT world, because it's getting really, really bad out there. Maybe I sound a bit melodramatic, but unfortunately it's true. Ja, modern technology is great, but for me, the fun factor of working with it disappeared a long time ago. I spent most days during the pandemic fighting off hack attacks against a bunch of virtual servers that we hosted for clients - Servers that had all kinds of sensitive data on them. I did a lot of work in Ukraine - Yes, poor old about-to-be-invaded Ukraine, just after the whole country got nailed by the most terrible virus of all time (so far) called NotPetya. And last year I started having nightmares about Solar Winds, and what the consequences of that will be, which no one wants to talk about because it's so bad. Maybe that's another topic for another time. See the links below if you want to be fascinated and terrified.
NotPetya:
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Solar Winds:
https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12
And OK, Log4J. Sigh.
https://www.wired.com/story/log4j-log4shell/
What's particularly frightening about the NotPetya and Solar Winds stories is that the bad guys managed to hack the systems of legitimate software companies, and then they inserted their malicious grossness into the software of those companies. Anybody who uses that "legitimate" software is then infected, and guess what? Anybody is just about everybody.
Sometimes I really just wanna grab a survival kit and a portable generator and crawl off to a cabin in the woods. If I decide to do that, I'll post the Google Maps coordinates here before I go so that you can come and visit me if you wish, dear reader. If you do, please bring me some canned beans and bottled water?
Comments
Post a Comment