SecureMac, Inc.

Checklist 151: Too Close for Security Comfort

August 22, 2019

This week on the Checklist podcast, we’ll talk about how to deal with security risks that come from those closest to you (literally). We’ll take you through some bad iOS news from the past week, and also discuss how it relates to a larger issue related to mobile security. And finally, we revisit a familiar topic—passwords—and tell you about some newly released Google research that probably means we’ll have to keep talking about passwords for the foreseeable future. Here’s our weekly Checklist:

  • Protecting your data from the people – literally – closest to you
  • Jailbreaks: New for 2019!
  • People who KNOW they’re using hacked passwords

When cybersecurity hits close to home

When we think about cybersecurity threats, most of us immediately default to Hollywood imagery: shadowy hacker collectives banging out lines of code in an abandoned warehouse, or military intelligence agencies half a world away.

But what about the person sitting across the breakfast table from you?

Here’s the hard truth. If someone shares the same living space, office, or even coffee shop with you, then even a few minutes away from your computer or mobile device could give them access to your entire digital world.

While this is something that comes up a lot in the context of relationships (think jealous spouses and snooping partners), it really applies to anyone who could potentially have physical access to your computer. In other words, coworkers and bosses, classmates and roommates, kids and parents, or just that harmless-looking dad sitting next to you at Starbucks.

So without being paranoid (or at least, too paranoid), here are some ways you can harden your security against these somewhat mundane but often overlooked threats.

1. Clear that browser

We’re not suggesting that you hide things from your partners or loved ones, but the fact is that there will be times when you don’t really want or need anyone else to know what you’ve been doing online.

Whether you’ve been planning a surprise party, doing some birthday shopping, or maybe something a little more serious like researching a medical issue, you may just need your online privacy, even in your own home.

In addition, it’s probably good to get into the habit of keeping your browser history clear of potentially sensitive data anyway, so that you don’t lapse into complacency when you’re using a work machine or have guests in the house.

If you need to keep something private, make sure to use your web browser’s privacy mode. Every browser has one, though they may call it something different (Chrome calls it “Incognito Mode” whereas the other major browsers go with “Private Browsing”).

This will keep your browsing history private. But perhaps even more importantly, it will make sure that the kind of sensitive data you may have entered on web forms (things like search terms, phone numbers and credit card details) isn’t kept around as part of an autocomplete feature for someone else to see.

You might also consider using a dedicated privacy tool that you can run periodically to purge your system of any trace of cached data and potentially sensitive files. Bear in mind that there are more and less secure ways of deleting such files from your computer. A strong privacy tool can ensure that deleted data is unrecoverable. 

And just one final caveat: Be aware that while these privacy modes prevent your activity and data from being recorded and stored locally in the browser, they don’t hide your activity from the people who control your network (your employers, for example) or from your ISP. Anyone who handles that network traffic can still see what you’re doing, even if you’re using a browser’s privacy features. 

2. Don’t leave computers unattended

Another very simple thing you can do to protect yourself at home, work, or in public places is to get into the habit of securing your computer when you walk away from it, even if it’s just to grab a cup of coffee or hit the restroom.

It goes without saying that your computer or laptop should always have some kind of password protection. You should also configure your system to require a password when it “wakes up” from sleep mode.

You can set a very short time limit on desktops or laptops to make sure they go into a sleep or screensaver mode if they’re idle for more than a few moments. Another option for macOS users is to set up a Hot Corners shortcut. This will allow you to put your display to sleep by just moving your mouse pointer to a designated corner of your desktop. 

If you’re using a laptop, close the lid if you have to be away from it for a minute. That way, if someone in the vicinity gets curious (or, worst case, walks off with your laptop), they can’t access your machine. 

And if you’re going to be away for a longer stretch, say if you’re leaving the office for lunch or heading out of the house, just shut your computer down completely.

3. Passwords should be strong, unique, and private

Passwords are powerful. If someone knows your password, then they have access to absolutely everything in that account—and maybe more, if you’ve made the mistake of reusing passwords on multiple sites.

Make sure you’ve created a strong, unique password for each and every service you use. If you’re not sure what that entails, check out one of our very first Checklists for a complete guide to password best practices.

Obviously, if you use more than a handful of accounts, that’s going to be an awful lot of passwords to remember. So make sure you use a password manager like iCloud Keychain, 1Password, or Dashlane to keep track of them all.

Whenever possible, use two-factor authentication to add an extra layer of security to your password-protected accounts.

And lastly, we recommend that you never share your password with anyone else—even your best friend from college who really, really wants to use your Netflix account. 

4. Secure your mobile devices

Mobile phones and tablets—especially when used for work or linked to important cloud service accounts—need to be secured every bit as rigorously as laptops or desktops.

Make sure you use a strong passcode. Choose something that isn’t going to be easy to guess or figure out with a casual glance (e.g. don’t use “123456”, “000000”, or your birthday). Use Touch ID if that option is available to you.

If you have a newer phone with Face ID, be sure that “Require Attention” is enabled. Some people have taken to disabling this feature as a way to make their phones unlock more quickly, but there’s a serious security risk here: If Require Attention is not turned on, someone could use your face to unlock your phone while you’re sleeping…or unconscious. Double check those settings by going to Settings > General > Accessibility and make sure Require Attention is enabled.

5. Watch out for keyloggers and monitoring software

Keyloggers, or keystroke loggers, are little programs that record every single key press you make on your computer. 

If you have a suspicious partner, relative, or employer, these programs can be used to spy on you.

Keyloggers are designed to be very hard to find. Unless you know exactly what to look for, chances are you won’t be able to detect a keystroke logger on your system manually.

Your best bet is to use an up-to-date file scanner to check your system for keylogger software and then safely remove it.

Monitoring software, similar to keyloggers, is designed to run silently in the background and report back to its owner—sending everything from activity reports to location data back to a snooping third party. It’s often used by parents in an attempt to keep tabs on their children, but can obviously be used by anyone who wants to spy on another person.

The existence of this kind of software is exactly why you should make sure that you’re the only one with access to your devices—and why you should avoid letting other people download software or install apps for you. 

If you’re using a macOS system, you can use third-party detection tools to ferret out and get rid of spyware and monitoring software.

Jailbreak! (and why you should update iOS now)

Moving on to some worrying iOS news, a Vice article last week reported a public jailbreak for up-to-date iPhones—the first in years—which meant a potentially serious security issue for iOS users. 

Fortunately, Apple moved quickly to resolve the issue, and has already released iOS 12.4.1, which contains a patch for the jailbreak. If you haven’t updated already, please do so right away! 

But even though the immediate danger has passed, this incident offers a good opportunity to discuss a serious mobile security issue, and underscore the importance of using your iOS devices as intended by the manufacturer. 

Some readers might be wondering what a “jailbreak” is, or what it has to do with iOS security. If that’s you, you’re not alone—the term is often used somewhat loosely, and contains a bit of ambiguity as well.

Generally speaking, to “jailbreak” an iPhone means to exploit some iOS code vulnerability to gain “root” or administrative privileges (the kind normal users aren’t supposed to have) in order to perform actions that ordinarily aren’t allowed by Apple.

What kind of actions? Typically it has to do with removing content or customization restrictions imposed by Apple, or with installing unapproved software on the device. Someone might, for example, jailbreak an iPhone in order to install an app which is banned in the App Store, to download third-party software, or to allow customization of an iOS app in a way which is not officially approved by Apple.

So why do people do this? Some have ideological reasons for jailbreaking their phones. They may find the app review process unfair, or consider it a form of censorship. Others simply love to tinker, and jailbreak their phone for the fun of it, just “because they can”. 

But malicious actors can also jailbreak phones—and the bad guys use their newly acquired administrative permissions to execute code or install malicious software on the iOS devices they control.

This is why Apple goes to great lengths to make sure that no one can jailbreak an iPhone in the first place—and why they move quickly to release patches and updates as soon as they find a vulnerability that makes iOS “jailbreakable”. 

This is also why public jailbreaks typically only affect people running older iOS versions, since the most up-to-date OS has already been patched. It’s one reason why you’re encouraged to always update your OS whenever possible.

So what happened last week, and why was it such big news?

Because for the first time in years, a jailbreak was made public which affected the most up-to-date version of iOS—in this case, iOS 12.4. Apparently, in updating the code for the release of iOS 12.4, Apple accidentally “un-patched” a vulnerability they’d previously fixed in iOS 12.3, exposing millions of iPhone users to risk.

Before Apple released the 12.4.1 update, there wasn’t much that iOS users could do to protect themselves, other than watch, wait, and be extra careful about downloading new apps from the App Store.

So are there any larger lessons we can take away from this? 

At the very least, we hope it serves as a good reminder that Apple’s restrictions on administrative privileges are there for a reason—and that removing these restrictions can also mean removing protections. This is why you should never, never jailbreak a phone: because you’re opening yourself up to a host of security issues. Although the lure of playing the original Flappy Bird is understandable, it’s just not worth the risk.

“Please hack me!” (another word about passwords)

Turning back to the topic of passwords and security, a recent Google study has brought to light some disturbing data about just how many people are reusing passwords—even when they know those passwords have been hacked! 

Google realized that many people were reusing passwords on multiple sites and sometimes using passwords which had been exposed in a data breach or hack. In an attempt to help people mitigate their risk online, Google developed the Password Checkup extension for their Chrome browser. The extension would warn users when they were attempting to use credentials which were known to be hacked and publicly available, and prompt them to change their password.

As part of their study, Google kept track of how many people heeded their warnings…and how many ignored them. Shockingly, around 25% of users, when informed that they were using hacked credentials, opted to keep on using them. 

The researchers surmised that some of those ignored warnings could be explained by the fact that people weren’t completely in control of the accounts they were using—which points to something else we’ve warned about: password sharing. 

But they also say that some users may not have considered a password reset worthwhile, as the hacked password wasn’t being used for an important account. Again, this comes back to something we’ve said before—when it comes to cybersecurity, there are no “unimportant accounts” where you can reuse credentials or use weak passwords. Every site can be hacked, and that stolen password can be made public for criminals to exploit. If you’re using the same password on multiple sites, one of your “minor” accounts could lead to major problems.

So at the risk of sounding repetitive: Don’t share passwords. Don’t reuse passwords. Make sure every single service you use has a strong password. And keep track of it all with a password manager. 

In cybersecurity, danger sometimes comes from the places you’d least expect—whether it’s reused passwords or the new intern at work. There’s a lot to consider, but that’s why we’re here for you every week, and why we make the archives and notes of past shows available on this website. 
