April 17, 2019

Stop thinking like a good, law-abiding citizen. Whatever you know about technology, forget it. If you want to stay safe online, you need to start thinking like a hacker. And hackers are more paranoid about digital technology than anyone else in the world. Because they know, better than the rest of us, about all the dangers out there.

There’s no point sugar-coating it: a computer is a portal to a very dangerous world. You can’t see cyber-crime. It happens on screens behind closed doors. Most victims don’t report it to the police. Many are embarrassed to even tell relatives.

But crime has completely transformed over the last decade. A touch under half of the crimes that people in the UK fall victim to are committed over the internet. Online fraud is now the most common crime in the country. Your social media accounts are as likely to be burgled as your house. You are more likely to be hit by a computer virus than all forms of violent crime put together.

Crime on the internet – like anything on the internet – traverses borders effortlessly. But law enforcement doesn’t. You’re more likely to be victimised by someone on the other side of the world than across the street, and your local police force will struggle to get that person into a courtroom – assuming they can find the perp in the first place.

Any hacker worth their salt knows all this. And they know that there is only one person responsible for their online safety. Not the tech giants, not police forces, not their banks. They can rely only on themselves – and there’s a phrase they use when they think about keeping safe. The phrase is ‘OPSEC’ – or operations security.

OPSEC isn’t rocket science. You don’t need to be a computer genius; you don’t need to know how to code. It’s a mentality that acknowledges there are bad actors out there. It sees every action that you take online as having implications for your security, it urges you to think systematically about them, and tells you to use countermeasures.

OPSEC is your online footprint – it reaches from the furthest corners of the internet to the devices that you use and takes into account the things that you do every day. This is your ‘attack surface’; this is where you are vulnerable. You must do hostile reconnaissance on it to discover what you have left for others to exploit.

So step one is to see if any information has already been leaked, hacked or dumped about you over the years that you’ve been online. Visit the website www.haveibeenpwned.com, which allows you to type in your email or account information to check if you’ve been caught up in any of the umpteen data breaches that have happened over the last few decades, often without companies either telling you about them or even knowing about it themselves.

Then, try to put all the open source information that exists about you into a single picture. Visit pipl.com and type your own name in. There you will find all the information about you that’s freely available in the public records. Carry out targeted Google searches for your bank account number, telephone number, specific address, national insurance number. All of these can be put together to begin to take your identity away from you. Check your social media to see if there are any password unlock clues there – your eye colour, a pet’s name, your mother’s maiden name. Compile a dossier. If you didn’t find a lot – great. If you did, visit each source to see what you can remove.

Then visit Clearscore by Equifax and check who’s looking at your credit history. Someone you don’t recognise? It might be that they’re scanning identities to see who’s alive. It’s not proof you’re being targeted, but they are like small calling cards, indications that a threat might exist.

Check your devices and networks. Anything connected to your home network can be compromised. What in your house is connected to the internet? Do these devices (Alexa; telly; heating system and so on) have default passwords? If so, change them.

Do you use a router? Update its firmware. If you don’t use a firewall on your computer, get one or enable it. If you don’t use a VPN to connect to the Internet, look it up and buy one today.

If you don’t use two-factor authentication for your accounts, then you are asking for trouble. Check and install it. New flaws are found all the time in all the software that you use. Keeping them all updated and patched is absolutely vital.

The most important part of OPSEC, however, is behaviour – what you actually do with your computer. And your riskiest behaviour will be how you handle your passwords. If it’s a recognisable word, why are you even bothering? If you use the same password across a number of different platforms, change it. If you have passwords stored in browsers, they can be got at. If you are trying to remember all your passwords, you won’t be able to.

This brings me to a general rule of OPSEC: the most convenient option is never going to be the safest. So you, like many hackers, need to take the most private parts of your life out of the digital realm. The most important piece of technology to keep your passwords secure? The humble notebook. Write each of your passwords in the notebook, and use a cypher so if it is stolen, it is useless.

Meanwhile, stay vigilant. A lot of hacking is what is known as ‘social engineering’. This isn’t about fooling your device, it’s about fooling you. An email from your ‘boss’ that gets you to click a link. A mailed USB stick that you plug into your computer. A telephone call from your ‘bank’ that causes you to reveal account information.

OPSEC begins with a simple ABC: Assume Nothing. Believe No-one. Check everything. It’s a way of turning the deep, lurking, unknown dangers of the digital world into ones which are understood, measured and mitigated against. There is, remember, no such thing as being completely safe. Nothing and no one is completely un-hackable. But you really can make yourself a more difficult target.

With all the debate now erupting about government regulation, about the role of the tech giants, fines for harmful content and likely new laws to criminalise certain activity, don’t rely on the big institutions that surround you to keep you safe. Remember that you, yourself, remain the best layer of defence against the threats of the digital world. All it takes is a bit of healthy paranoia.