‘Cover my webcam?’ Security myths debunked

Posted on 15 December 2017 by Ruskin Constant

 Our first meetup – Cybersecurity with Countercept – was held on December 6, 2017 and was a roaring success. Aside from mince pies, beer, and pizza, the evening featured three presentations from the Countercept team. The first – Cover My Webcam?! – was presented by software engineer Ruskin Constant.

 

In my time at Countercept, I have learned that total security is a myth. However, I have also discovered – somewhat more reassuringly – that there exists a far more achievable goal:

“Try not to have the most vulnerable data in the [cyber] room”.

 

This is my collection of hardline security advice, where I counter some prevailing cybersecurity myths with better informed, practical guidance. Integrating the tips below into your everyday life will go a long way towards making you a less likely target or an unwitting participant in dodgy digital activity.

 

Myth Number One: Unsecured Public Wifi is dangerous

This myth is legit. There are a number of reasons why you should stick to your phone’s mobile data or an alternative secured network if possible.

 

If you are going to use a public hotspot anyway, there are a few easy red flags that indicate your data may be falling into the wrong hands.

 

Firstly, is the wifi network being offered by who you think it is?

 

Just because you’re in a pub called The King’s Arms doesn’t mean that they are broadcasting the wifi network of the same name. Check if it’s authentic.

 

Once you’re on the network the main risk is that your data can be intercepted en route to the web service you’re connecting to. This can either be because someone is impersonating a site that you know and trust or some nosy hacker could be ‘sniffing’ your data as it travels from your device to the wifi router.

 

Both scenarios are thwarted by using an encrypted connection, denoted by an ‘https’ in the URL of your browser when you’re online. If the URL doesn’t start with ‘https’ and you’re sending sensitive information, then everything you send may be intercepted.

 

You know those ‘Your connection is not private’ popups that you typically ignore? Heed these warnings, especially on unsecured public wifi.

 

Quick win: Check for a secure connection (https) or enforce it with an add-on/VPN.

 

Myth Number Two: ‘P@ssw0rd’ is fine for multiple logins

No, it isn’t. It isn’t long enough, it isn’t unique enough, and it certainly should not be shared across services.

The National Cyber Security Centre in the UK (NCSC) recently published stats that show most people share most passwords across a minimum of four accounts. The problem? If one gets compromised, they all get compromised...and they are very likely to be compromised at some point.

 

Even if your password is not guessed, or brute forced, or you’re savvy enough to never fall for a phishing scam, you might still be the involuntary victim of a data breach at a company database somewhere.

 

If you haven’t already, replace your passwords with passphrases of at least 16 characters - remember that you can often include spaces. At the very least, definitely use unique and random passphrases for your most important logins. Password managers are your friend here.

 

Quick win: Use long and unique phrases - length will trump complexity.

 

Myth Number Three: Use multi-step verification everywhere

Yes! This is good advice wherever you can conveniently apply it. It may not always be available, but definitely use it for your most important and precious services (for example, email, banking, and your most used retail site).

Multi-step verification combines what you have with something you know. For example, if you combine your password (obviously a 16 character random passphrase) with an additional layer of security via authentication apps – such as Duo or Google Authenticator – you have an extra layer of harder-to-crack security.

Quick win: Better two-factor authentication than none.

 

Myth Number Four: Cover your webcam

Who remembers the Mark Zuckerberg Instagram photo that showed that he covers laptop’s webcam and microphone? The media had a field day. If Mark Zuckerberg does it, shouldn’t we all?

 

Uh, no. The truth is, if someone has managed to compromise your laptop to use these tools, they can already do all the things you can do and some things you possibly didn’t know you could.

 

Takeaway: You’ve got bigger things to worry about.

Check back here over the new few weeks for more presentation write-ups, including ‘Memory Injection like a Boss’ and ‘Have I Got Cyber News for You – 2017 in Review’. Want an overview of the whole fabulous evening? You can find it here. Want to come to our next meetup? Sign-up here for updates.