Scott’s Cyber Safety Primer

Lately the topic of cyber safety has come up a few times for me. I’m the point person for CyberChip for my son’s Scout troop. I help the Scouts earn the award which is required for the Scout and Star ranks; I’ve overseen a few Scouts complete the requirements. In addition to this, I’ve seen how something innocuous that has been posted years ago can come back and be devastating. Lastly, have seen how someone could easily get scammed.

While I don’t claim to be an expert on cyber security, I did have lunch with Phil Zimmerman to discuss working on he Mac port of PGP and had Phil Karn as a mentor teaching me about Linux! I’ve been using the Internet for over a quarter of a century and have learned a few things about “being safe”.

Using two of the points of CyberChip Internet Safety Pledge as a starting point, I’m going to elaborate on what I think is important.

I will think before I post.

This is a pretty important point as everything on the Internet exists forever. If you do a search on my name, you’ll find posts I made years ago. Luckily, most of it is innocent. Recently I learned of someone that was terminated from a position because of a post they made many years ago. Even if you post something that you think is private, send a picture to someone or send a text, there could be a data breach or the recipient could take the message and post it, blackmail you, or in other way cause you irreparable harm.

While your messages to others could be encrypted (like using iMessage), the other end can easily take a screenshot of whatever you wrote and use it against you.

Unless you want something to come back on you at some point in the future, don’t post it or send it electronically.

Also, remember that when you take photos, the location of the photo is stamped (in the metadata) on the photo. If you are on vacation or traveling and post pictures with the location data on the photo, people can know that you aren’t home. If you are home, people can know where you live. While there are a number of ways to find out where people live, you don’t want to make it easy on them. When sharing photos, remove the location data (in iOS when you share, there is an option to remove the data) and don’t post photos when you are traveling; wait until you return home.

I will protect myself online.

This point requires a little more effort than “thinking before you post” and relates to password security, fake websites and scammers.

Passwords

The common thinking on passwords is to create complex passwords that you can remember such as substituting numbers for letters and symbols for other letters. This thinking is nearly impossible to combine with the thinking that you should create a separate password for every website. The only way to reconcile this is to use a password manager such as 1Password, LastPass, or Dashlane to name a few. Each site must have a separate password and each password must be complex. Of course, you have to remember your “master” password to get into the password manager.

You cannot write down any of your passwords with the exception that some of the password managers setup a “recovery” sheet where you write down your master key and then the sheet should be placed in a safe or a safe deposit box. It is quite unlikely that someone will go through the trouble of getting your recovery sheet.

Websites

When I first registered a domain many years ago through Network Solutions, it wasn’t easy to do. This became a slight hurdle in people setting up scammy websites. Since then, getting a domain name and setting up a website can be done in minutes. There are tons of sites that rely on typos to major websites to redirect users to their sites. Luckily many browsers pick up on this and make it easy to get to the right site. People are taught that seeing the lock icon in a browser means that a site is secure. While that is true, you have to look at what that means. Obtaining an SSL certificate up until recently took a little extra effort and wasn’t particularly cheap. With the advent of Let’s Encrypt, getting an SSL certificate is now free and easy to setup. I use Let’s Encrypt and securing traffic from my browser to servers is great.

Securing traffic is only part of a secure website. You have no idea what happens behind the scenes. Years ago I worked for a company that stored credit cards in clear text in an unencrypted database along with the CVV codes. In my tenure at the company I worked to bring it into compliance with PCI DSS, but credit card numbers were still accessible to employees and they still had roundabout access to CVV codes.

So even if a site has a lock icon, it doesn’t mean that it is safe to visit the website. Securing the traffic is very different from a site being safe to visit. Even the federal government has given given bad advice on this.

One of the safest ways to visit a website is to use a trusted search engine such as Google or DuckDuckGo and click the links from there; most popular websites should be at the top of the search results. However, before clicking a link check that it is indeed the site you want to visit.

Scammers

The other day I got a phone call that purported to be from Apple security saying that my Apple ID had been compromised. The call came from a Michigan number and was a recording. I pressed one and was connected to an agent. I asked for his employee ID and he responded with FUC…

Companies will not proactively call you about security issues. If you suspect there is an issue, hang up and call the company to verify the information. Also asking for an employee ID is a good way to weed out some scammers.

Never give out information to anyone that calls you; always call the company back if you have questions. Also never give anyone access to your computer remotely.

AppStores/Installing Software/Malware

If possible, always install software from an AppStore. While this doesn’t guarantee that you won’t get malware, it does reduce the possibility. Verify that software comes from a known source if you can’t install it from an App Store.

If you see messages that your computer is running slow or “click here” to get support, you may have malware on your computer. If this happens, immediately turn off WiFi and either contact your most tech savvy friend or family member for advice or take the computer to BestBuy’s GeekSquad to remove the malware.

Credit Cards

Whenever you pay for something online, always use a credit card. Never use a debit card. Credit cards have better consumer protections than debit cards. Never give a credit card number to anyone that calls you! If you make a purchase over the phone, verify that the phone number you are calling belongs to the proper company. Don’t just call any random number you find doing a Google search.

Conclusion

  • Anything you post on the Internet even in private could come back to haunt you.
  • Remove location data from photos before sharing.
  • Always use a different password for every website.
  • Use a password manager.
  • The lock icon on a website doesn’t mean the site is safe.
  • If you have to call a company, verify the number that you are calling is actually for the right company and not just some random number you found.
  • Install software from an App Store or a known source.
  • Never give your credit card number to someone that calls you. Always call a company back.
  • Never use a debit card on the Internet; only use credit cards.

8 Replies to “Scott’s Cyber Safety Primer”

  1. 9 points seems like a lot to remember, but not really. Each one is a stand alone point and can be learned or PRINTED ON A 3 x 5 card.

    Thanks.

    1. It’s really hard to distill the points down further. If you want to make flashcards with the points on them and have a quiz to see if you remember them, have at it!

  2. One minor point about debit cards and credit cards: If you are sending money, you will incur a cash advance fee if you use a credit card. Not so on a debit card.

    And I agree that your posting was worth the read.

  3. I think writing down passwords is safer than using software to store them. Software can be hacked and password managers are prime targets, especially those that sync over the internet.

    Who wrote your password manager? Has the NSA or KGB infiltrated those companies? What about disgruntled employees? Do they outsource work to shady contractors?

    There are six billion people who can attempt to hack your passwords on the internet or your computer compared to a small handful that could attempt to steal a physical password cheat-sheet hidden at home. Your attack surface area for paper is orders of magnitude less.

    1. I guess you could question who wrote any of the software or systems you use. Are there backdoors in the software? Good question. Is it one I’m going to lose sleep over? Nope. Make sure that you keep your little book of passwords with you wherever you go in case you need a password!

  4. Thanks for the tips. I’m not on social media and never send photos and only use credit cards with companies that I do business with regularly, so I’m not in much danger of being scammed.
    By the way I’m glad that you are back from Istanbul where you ran out of money and needed it urgently.
    I assume that you got the $1,500 I sent.
    Cousin Allen

Leave a Reply to Scott Gruby Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.