Insights For Success

Strategy, Innovation, Leadership and Security


How to make yourself an easier target for hackers

General | Edward Kiledjian

I've talked about different technologies to provide additional protection when working online (Chromebooks1, Chromebooks2, VPN1, VPN2, VPN3, etc.). The truth is that anything that is posted, shared, stored or connected online risks being hacked and leaked.

Instead of telling you how to protect yourself, I want to share tips on how to make yourself a flashier and easier target for hackers. After all, why make their lives more difficult than they need to be?

Reuse the same passwords everywhere

Reusing the same passwords everywhere is convenient for you and for hackers. If they manage to crack or steal your password from one site, they can then reuse that same one on your other accounts. Don't make their lives difficult: reuse the same password for all your online accounts. While you're at it, use simple, short passwords using only letters to make them easier to crack.

Don't use 2-factor authentication

2-factor authentication is usually a secret code generated on your phone using a free tool like the Google Authenticator or Authy. The purpose of 2-factor authentication is to provide additional account protection that would prevent someone from accessing your account if they somehow manage to get your password.

2-factor authentication goes against our goal of making you easier to hack. Doesn't 2-factor authentication sound like a lot of trouble for nothing? Why would you want to make it difficult for hackers to access your account if they have gone through all the effort of finding and cracking your password? 

Whatever you do, do not enable 2-factor authentication, so your account can be stolen more easily.

Trust everyone and click on those links

Security advocates always caution users not to click on "strange" links from known or unknown sources. Sure, these types of links are often used to install malware on your machine or to steal your login credentials (phishing), but you may miss that funny joke a friend sent.

Hackers go to great lengths to make their emails look legitimate so why not reward all their hard work by clicking on them? If you don't click on those links, you will force the hackers to work harder to steal your information, and who wants to work harder? 

So I say click on those links quickly. If you see a link, click on it regardless of any doubts you may have.

Don't update your software and operating system

All software is written by humans and is therefore imperfect. Reputable software vendors (that hate hackers) release regular updates to their products to patch vulnerabilities that may be exploited. 

Our goal is to make you an easy target, so why install updates? Updates take time. It is easy to forget to check for them (on smartphones, tablets and PCs). The easiest thing to do (the most hacker-friendly) is just to leave your machine as it is, and not install any updates. After all, what if the update changes a function?

The moral of this story is to just leave well enough alone. Don't make a hacker's life more difficult than it has to be; don't update your software or operating system.

Don't ever turn off Bluetooth

You work hard, and anything that makes your life easier should be encouraged and used. Bluetooth is a modern convenience for anyone that uses wireless headphones. You turn it on and pair it with your favourite headphones when you first set up your device and forget about it. 

Convenience is king. When you want to listen to a podcast or some music, you shouldn't be bothered to fiddle with small switches in some control menu to turn on Bluetooth. 

There are well-known attacks against Bluetooth that could allow a remote attacker to connect to your device and steal data stored on it. Who cares? Convenience is king and outranks security. We want to make your devices as vulnerable as possible, so whatever you do, leave Bluetooth on. While you are at it, leave other data transfer features on (like AirDrop on Apple and Wi-Fi).

Don't use a VPN

I have written about VPNs for years, and about how they can be used to protect your data when using unknown or untrusted Wi-Fi networks. This article is about making your life and the hacker's life easier, not making you more secure.

VPNs are a hassle. You have to buy a subscription, install the app on your devices and remember to turn it on every time you connect to an untrusted Wi-Fi network. When using a VPN you are paying to make your Wi-Fi experience more complicated. Does this seem logical to you?

Hackers love using unprotected or poorly protected Wi-Fi networks to perform reconnaissance and even break into your devices. Hackers have a wide variety of easy-to-use tools that work on devices connected to these open Wi-Fi networks where users aren't using a VPN. So the moral of the story is convenience. After all, if you can't trust your local coffee shop with your data security, who can you trust?

Remember that your goal is to make your life and the hacker's life easier, so trust easily and trust often. Don't use a VPN to encrypt your traffic and make it impossible for a local hacker to steal your data or compromise your device.

Share a lot and often

The purpose of social media is to share information with friends and other strangers that are connected to you. So the hacker rule is to share as much data as possible and share it often.

Piecing data together is a fantastic way for a hacker to build a profile about you so they can reset passwords, use your credit or craft believable phishing emails. Make sure that all your social media profiles are public. Then, once your profile is visible to everyone on the internet, make sure you post a ton of "useful" information such as:

  • Habits: when you go to the gym, restaurant, stores, etc., so hackers can figure out where you live.
  • Vacations: everyone wants to know that you have left the country for a week of sun and relaxation. Especially those hackers and thieves. It is so much easier when the target (oops... I mean friend) lets you know it is a good time to steal from them.
  • Date of birth: Make sure you use your real date of birth on social media sites so friends (that can't be bothered to remember your birthday) can wish you a happy birthday. Hackers can then use this information to apply for credit in your name. It's a win-win for everyone.

The moral of the story is to post lots of personal data, regularly and as quickly as possible. 

Conclusion

I hope you have found these tips useful. I know many hackers will thank you for being such a friendly and trusting person. Remember that good security is inconvenient and convenience is the most important factor to a busy person like you. You are too busy to worry about securing each and every service you use, so don't. 

After all, people are generally nice and trustworthy. So open that attachment. Click on that link. Share that vacation departure notice. Life is short, live a little.

Google's new Pixelbook ad is a hard jab at Windows

General | Edward Kiledjian

Windows is the most popular operating system in the world and Google will naturally target it, in an attempt to win new customers for its upmarket Pixelbook offering.

[Figure: Global market share held by operating systems for desktop PCs, from January 2013 to January 2019 (Statista)]

January 2019, according to Statista:

  • Windows market share 75.47%

  • MacOS market share 12.33%

  • Linux market share 1.61%

  • ChromeOS market share 1.17%

Google released a one-minute promo video entitled “If you want a laptop you can count on. You Chromebook.”

Truth be told, the latest version of Windows 10 has been incredibly stable, but this ad will be fun to watch for any Windows user annoyed with constant forced patches, badly designed progress bars and the infamous Blue Screen of Death.

This is an exaggeration of issues users experience but does highlight the main reason why many security professionals have moved to Chromebooks. Patching is almost seamless, the device is normally very stable (except v 72.x has introduced some bugs Google does need to fix) and security is on by default.

Current belief is that on a Chromebook, you have no regular maintenance, no need for an antivirus, no big bang updates that take 30-45 minutes to complete, etc.

Let’s just say Google got even with Microsoft for running the Scroogled campaign years ago.

Google One finally available to all US customers

General | Edward Kiledjian

I first wrote about Google One in May 2018, when it was still shrouded in secrecy. The new storage program with improved storage capacities was an invitation-only program until today (for US residents anyway).

Per the original (Google Drive) model, storage is shared across all of the Google properties you use (Gmail, Photos stored in full resolution, Drive, etc.).

  • 100 GB for $1.99
  • 200 GB for $2.99 (New)
  • 2 TB for $9.99 (2TB for the price of 1TB on the old plan)
  • 10 TB for $99.99
  • 20 TB for $199.99
  • 30 TB for $299.99

If you use the Google Family sharing program (not available to Google Apps accounts, unfortunately), you can share your Google One storage with up to 5 family members. In addition to storage, Google is offering Google Play credit to Google One subscribers and promises to add even more benefits (24x7 support is now also included).

Many still see the Google One page as invitation only but expect this to change shortly. Rolling this new program out to its millions of customers is likely being undertaken in stages.

As a Canadian, I anxiously await any indication about when it will open for us.

US bans use of Huawei technology through Defense Authorization Act

General | Edward Kiledjian

US President Donald Trump has signed the Defense Authorization Act into law. Section 889 (PROHIBITION ON CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT) bans use by government agencies and contractors of Huawei or ZTE technologies.

The language of the act is ambiguous and doesn't clearly list what technology is or isn't covered by the prohibition. 

"procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system"

ZTE and Huawei should not be used to access government systems that display personal data, therefore it is safe to assume that most agencies and contractors will purge their networks of systems designed or that use these technologies.

I have not yet seen an official response from either of the tech companies.

Stay tuned. 

OPSEC: What should I include in my bug-out bag?

General | Edward Kiledjian

Search Google for "Bug-out bag," and you will get 137M results. YouTube has 144K videos discussing it. A bug-out bag (also called Go Bag, BOB, 72-hour kit, grab bag, battle box, or personal emergency relocation kit) is a small personal maintenance kit that would allow you to survive 72 hours when faced with an emergency.

Most emergency agencies recommend you prepare some kind of emergency kit. Emergency Preparedness Canada has a website dedicated to building basic bug-out kits. The US Department of Homeland Security offers similar suggestions on their website.

Without going overboard, the purpose of this article is to provide general guidelines for the average Joe interested in being better prepared (not for a survivalist or extreme prepper).

Where should I keep it?

Location, location, location... Your bug-out bag is useless if you cannot quickly grab it during an emergency and quickly leave the risk region.

Your bug-out bag should be kept close to the main exit for your dwelling so you can grab it and go. 

An operational security expert will typically run several scenarios to evaluate possible calamities and what the best exits would be (it isn't always your front door). Spend some time thinking about this and place your bug-out bag close to the exit you are most likely to use (garage, front door, back door, bedroom windows, etc.).

Basic bug-out bag items

In security, you can spend a little or a lot; it really depends on your level of paranoia. Most people don't need a 200lb bug-out bag that contains $500 of survival items. So here are the basics everyone should have in their kit:

Documents

  1. National identification documents (originals or copies). These can include driver's licenses, passports, medical identification cards, etc.
  2. Keep a couple hundred dollars of cash money in different denominations (assume the electronic payment networks may be unavailable)
  3. A printed list of emergency contacts (local hospitals, police stations, family members, friends, etc) 

Personal Items

  1. A basic $20 first aid kit (from the pharmacy or Costco)
  2. A couple of litres of drinking water in sealed containers
  3. High-calorie, easy-to-eat snacks (that do not require preparation)
  4. Head covering (in case you have to walk in the sun, rain or snow). I keep a Buff multiuse scarf
  5. Bug repellent
  6. Sunblock
  7. Prescription medication, glasses and contact lenses

Communication Gear

  1. A mobile phone (if possible an extra pre-paid SIM on a different network)
  2. Hand crank powered emergency radio 
  3. Small notebook, pen and pencil
  4. Printed local maps (street and topographic)
  5. A large (at least 20,000 mAh) external battery to charge your electronic gear. My battery of choice right now is the OmniCharge Pro

General Gear

  1. A multipurpose knife (my choice is the Victorinox SwissChamp)
  2. Flashlight (ideally something that can be charged with your external battery via USB).
  3. "Normal" candle and weather resistant matches
  4. 550-lb paracord
  5. Handheld mirror
  6. Phrasebook if travelling abroad

The Pack

Talking about bug-out bags is like discussing religion. Everyone has strong opinions about what the "best" bag is. My recommendation is to choose a backpack (since these balance the weight better and are easier to carry over long distances).

My only recommendation is to choose something that is as light as possible while being resistant.