Confinement measures adopted all over the world to fight the spread of the SARS-CoV-2 virus have practically forced us to increase our online activity as a way to stay informed, reachable and productive.
Even though we cannot foresee the changes our society will go through as a consequence of the COVID-19 pandemic, it would not be wild to anticipate a significant increase in our online activities for the foreseeable future. To some, the current situation has simply provided momentum to a tendency already present in our society. This emergency has forced individuals and organizations reluctant to develop an online presence to reconsider their stance in order to alleviate the severe reduction of in-person economic and social activities.
In light of this significantly expanded digital life, there are three important subjects that require our attention:
- Cybersecurity
- Data privacy
- Fake news
As online security and data privacy have become urgent issues and the topic of fake news has been addressed in our article How to Immunize Yourself against Fake News in a Crisis, I want to provide you with some context about the first of these points and offer some guidance and links to resources on these matters.
Viruses Are Not the Only Threat
As COVID-19 started to spread, some newspapers published articles about criminal organizations that reportedly announced a truce, declaring they would not attack hospitals in those areas affected by the epidemic. However, hopes of a “truce” were short-lived; in the last week of March, Spain's National Police reported a sustained attack on hospital IT systems via a wave of emails addressed to personnel at these centers. It was a ransomware attack named Netwalker which used an executable file (CORONAVIRUS_COVID-19.vbs) attached to the email messages. Only a week earlier, the University Hospital in Brno, Czech Republic, had to turn away patients and shut down all its computers as it fell victim to a similar cyber attack.
While it is scary, my intention is not to instill more unease in these strange times. I just want to underscore the point that crime is relentless, so much so that security professionals now speak of CaaS or “crime as a service.” Moreover, history has taught us that times of disarray allow those experienced in using the cracks in our systems to up the ante. For instance, Spain's Data Protection Agency has issued a notice to raise awareness about the cropping up of websites and apps for COVID-19 self-diagnosis that ask for health, location and other personal data, which poses a different kind of risk. We must stay alert, even if we are watching the world from the safety of our homes.
What would it mean for you to have your devices compromised at this moment, if you are self-employed and working from home? And, if you telework, what would happen if your computer became the gateway through which your company's IT infrastructure and your coworkers’ devices are put in jeopardy? Or, the other way around: what if a careless coworker is disseminating malware? What if your kid’s always-connected laptop behaves as a zombie computer and inadvertently sends messages that end up crippling your hospital’s computers?
On a personal level, I can't think of a more ill-suited moment to fall victim to ransomware. Just imagine: just when you thought you finally had everything under control, suddenly your photos, songs and the kids’ homework are locked. In one fell swoop you are not only unable to access your files, you are disconnected from your work, your relatives (your Netflix!) and all other social connections. You would have to report the incident to the police and find IT services to help you solve the problem… You get the picture.
Cyber-Flu Shots
You've stockpiled toilet paper and you have taken the time to prepare the background and lighting for your video meetings. It is time to take some measures to help you cope with cyberthreats.
Many of the techniques cyber criminals use might surprise you. They simply translate their MO to the digital realm, relying on what they already know about human nature. They know we are sloppy, careless and busy. Consequently, they base their attacks on our behavior and the trail of digital breadcrumbs we leave behind in our online life. Some of our behaviors are so predictable and frequent that most attacks are automated.
The most basic measures to improve your digital defenses are:
- Keep the operating system and internet software of your devices updated with the most recent security updates and patches. This applies to ALL of your connected devices (cameras and smart devices too). The weakest of your barriers will make your line of defense fail.
- Keep a schedule to regularly back up your data. This won't prevent you from suffering a cyber attack but it will significantly reduce the scope of digital losses if your systems are shut down, kidnapped, hijacked or somehow compromised.
- Use strong passwords whenever possible and install a password manager. In a system protected by encrypted passwords, we are the weakest link. If you use the same password everywhere, intruders only have to crack one password to gain access to all your accounts. Keeping track of all the websites, apps and services we are subscribed to can be a daunting task. Here is where a password manager can ease your life. For their business model, features and integration, I'd recommend LastPass and Bitwarden.
- In social networks, treat everything as public. This is info that will be used by friends and foes alike.
- Don't let anxiety, boredom or the mirage of being at home relax your awareness and practices preventing cybercrime.
If the terms used here are new to you, you can find a small dictionary of terms on Europol's website.
Reduce Your Risk
Digital security is a very wide topic. Next, I’ll address subjects that are key, within our reach and don’t require great effort from us to take action. In each case I’ve indicated a tool or a source of advice in the matter (please kindly spare me the nuisance of addressing the issue of anti-viruses).
To find out if one of your email accounts has been exposed, use have i been pwned?, a web service that checks accounts included in known breached datasets. If you find one of your accounts there, chances are your credentials have been made public. Consequently, get rid of them: immediately change your password in the breached account; substitute the exposed account with a different one (new if possible) wherever you have used it; notify all your acquaintances about the breach and indicate you'll not use it anymore; and delete or abandon it.
A recent PC Magazine article cites a Google report indicating that phishing attacks have increased 350% amid the COVID-19 quarantine. But can you tell your phishing from your smishing? And what about vishing? Security Tip ST04-014, published by the US National Cyber Awareness Team (US-CERT), explains the differences and guides you on how to identify and avoid these attacks.
Secure Your Network
Digital networks are where all exchanges happen. Keep your home network as guarded as possible by following US-CERT Security Tip ST15-002 on home network security. Europol's infographic Make your home a cyber safe stronghold is also a handy resource.
In terms of network security, your phone is the new USB pen drive that would bring your home network down. You carry your mobile wherever you go and connect it willingly or inadvertently to multiple networks. This converts your phone into not only a device to track you but a vector of vulnerability to every network it attaches to. A very complete guide about this issue is US-CERT Cyber Threats to Mobile Devices. Also, an article in CSO, a publication specialized in digital security, tells us about the main security threats for mobiles this year.
If we do not pay attention, in the Internet of Things world, we will become the Things of the Internet. The British National Cyber Security Centre has published a guide to setting up smart cameras securely. The advice in the document can be applied to all smart devices. Also, the Mozilla Foundation has set up an information service called Privacy not included to help us with advice when shopping for smart devices.
Safe Teleworking Practices
Working from home poses different data-security challenges to employers and employees. Two infographics from Europol summarize basic tips for safe teleworking for both. Ideally, you should connect to your company using a computer other than the one you use at home regularly. If your company or you cannot afford that, then, in order to isolate work from personal data, it would be advisable to create a new user account on your computer used exclusively for work-related activity. Another tool to consider while connecting to the office remotely is a Virtual Private Network (VPN) service. Here are a couple of articles with advice from the Spanish National Cybersecurity Institute INCIBE-CERT and PC Magazine.
If you are a victim of cyber crime in Spain, INCIBE-CERT offers a service to report the incident. See the details on its Incident Response web page.
The more we rely on digital systems, the more important digital security becomes. If you think you are not skilled enough to tackle these tasks, a trusted, tech-savvy friend could be all you need. Also, consider calling a technician; after all, you would not hesitate to call a locksmith to secure your home.
Remember, in the same way that our doctors are not ultimately responsible for our health, our devices, digital tools and IT technicians are not responsible for our digital wellbeing. In these days of confinement do not get bored or anxious: get smart. Take charge. Stay safe.
Resources
Europol: Infographic. Make your home a cyber safe stronghold
US-CERT: Avoiding Social Engineering and Phishing Attacks
US-CERT: Home Network Security
US-CERT: Cyber Threats to Mobile Devices
CSO: 8 mobile security threats you should take seriously in 2020
British National Cyber Security Centre: 'Smart' security cameras: Using them safely in your home
Mozilla Foundation: Privacy not included
Europol: Infographic. Safe Teleworking tips and advice
INCIBE: Teleworking: VPN and other recommendations
Héctor Cols is an occasional contributor to the Barcelona Metropolitan, covering human or geographical landscapes and helping with data related issues. Héctor is a curious software developer that finds no joy in conversation with Siri or Alexa and prefers to mingle with other kinds of outsiders. A fan of all things Barcelona, Héctor was in charge of the culture section of Resident Aliens, a podcast of the American Society of Barcelona.