Date aired: August 20th, 2019
In this webinar, we’ll describe action items that can improve the security state of the internet-connected devices we all use every day. These devices include common household staples such as WiFi routers, iOS/Android devices, and personal computers. We’ll also cover improvements such as 2FA, browser add-ons, and other related considerations.
Victor Santoyo
Account Executive
Victor is an Account Executive for Sucuri and a technology enthusiast focused on expanding his knowledge of online security. When away from the keyboard, he goes out for long runs or watches sports with his family.
Question #1 – Where do I get to those detailed stats you showed about your password accounts?
Answer – LastPass’s Security Challenge is where I grabbed that information. It will grade you on a number of factors (even deducting points for not enabling 2FA with LastPass itself!).
You can learn more about it here: https://helpdesk.lastpass.com/lastpass-security-challenge/
Some websites allow for auto-changing your passwords after revealing the results of the challenge so it makes it easy to bulk change passwords while you’re working on something else.
Question #2 – Are there any programs you would suggest removing right away? I’m not familiar with what should stay on my laptop.
Answer – If you go through your program list and you see something you don’t recognize or remember using, then you’re likely not going to use it if you haven’t already.
Beyond security, a lot of these programs consume a lot of disk space, so removing those unused programs will also give you a good performance boost.
Question #3 – I hear about browser plugins that block ads on my browser and can install malware; are there reliable ones out there?
Answer – There are good ones, especially those that block JavaScript by default. We have a blog post that speaks on browser add-ons and good practices. You can read more about that here: https://blog.sucuri.net/2017/05/personal-security-guide-web-browsers.html
I’ll also provide a list of other tools you can use in response to another question below!
Question #4 – How do I change my username in my router (is it on a router-to-router basis?)
Answer – Most routers should allow you to change the username/login name, but it’s router to router. For example, EnGenius allows you to modify the username. My Motorola router/modem allows it, as well. It just depends. Here is an example of how to modify it on an EnGenius device: https://helpcenter.engeniustech.com/hc/en-us/articles/234701727-Can-I-change-the-router-login-username-to-something-other-than-admin-
Question #5 – Is hidden SSID recommended?
Answer – Yes, because what that means is that your network remains hidden from public view and you’re only allowing certain devices to connect to your WiFi if you allow it. For example, allowlisting laptops and phones in an office setting. If you know you’re working with 20 employees, you should be allowing 20 phones and 20 desktops at most.
It’s also a good way to maintain visibility over how many active devices are connected. It may not be as practical at home since you may have family who won’t understand the depth of the security efforts, but definitely would recommend in an office environment.
Question #6 – Is there an auto-firewall configuration for Windows and Mac?
Answer – No, you will likely need to review your default configuration to ensure that the Firewall is active. There’s no further action beyond confirming your administrative password. Default settings are not always the best settings.
Question #7 – Any brand you can recommend for webcam cover? (mobile and tablet appreciated)
Answer – Well, tablets are easier to protect since most webcam covers fit on those devices. Phones are trickier because not every cover will fit properly on top (or back) of your phone’s camera(s). There are some specialty covers that will work that are part of a larger protective piece (see: https://eyepatchcase.com/).
If you’re a social media user, then it’s likely not practical because you’re always going to need instant access to your camera.
Question #8 – Should you specify certain MAC addresses as acceptable and block all others?
Answer – You don’t need to block MAC addresses, unless you’re concerned about a disgruntled user. Accepting them is a good practice in combination with hiding your SSID. Some routers will also allow you to add a note to those MAC addresses for employee reference, for example.
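The inventory idea behind Questions #5 and #8 (a hidden SSID plus a MAC allowlist, with a note per device, so you can see whether more devices are connected than you expect) can be checked mechanically. The script below is an added example and not part of the original webinar or any router’s own software: it parses dnsmasq-style DHCP lease lines (the sample lines, the MAC addresses and the allowlist are constructed), reports which connected devices are not on the allowlist, and flags when the active device count exceeds the number you expect.

```python
"""Audit which devices currently hold DHCP leases against a MAC allowlist.

Added example (not from the webinar). The lease text is constructed in the
format dnsmasq writes: <expiry> <MAC> <IP> <hostname> <client-id>.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample leases; one line per device currently on the network.
SAMPLE_LEASES = """\
1566345600 aa:bb:cc:dd:ee:01 192.168.1.10 victors-laptop 01:aa:bb:cc:dd:ee:01
1566345660 AA:BB:CC:DD:EE:02 192.168.1.11 victors-phone *
1566345720 aa:bb:cc:dd:ee:03 192.168.1.12 office-printer *
1566345780 de:ad:be:ef:00:99 192.168.1.57 android-3f2a *
"""

# Constructed allowlist: MAC -> the "note" field the answer mentions.
ALLOWLIST: Dict[str, str] = {
    "aa:bb:cc:dd:ee:01": "Victor - laptop",
    "aa:bb:cc:dd:ee:02": "Victor - phone",
    "aa:bb:cc:dd:ee:03": "Shared office printer",
}


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq-style lease lines; MACs are normalised to lowercase."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, hostname = fields[:4]
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def audit_devices(leases: List[Lease], allowlist: Dict[str, str],
                  max_devices: int) -> dict:
    """Compare active leases with the allowlist and the expected headcount."""
    known = {}
    unknown = []
    for lease in leases:
        if lease.mac in allowlist:
            known[lease.mac] = allowlist[lease.mac]
        else:
            unknown.append(lease.mac)
    return {
        "known": known,                       # MAC -> admin note
        "unknown": unknown,                   # MACs to investigate
        "active": len(leases),
        "over_limit": len(leases) > max_devices,
    }


if __name__ == "__main__":
    report = audit_devices(parse_leases(SAMPLE_LEASES), ALLOWLIST, max_devices=3)
    for mac, note in report["known"].items():
        print(f"known   {mac}  {note}")
    for mac in report["unknown"]:
        print(f"UNKNOWN {mac}  <- not on the allowlist")
    if report["over_limit"]:
        print(f"{report['active']} active devices exceeds the expected maximum")
```

The report is an inventory aid, which is what the answer recommends it for: a device that shows up outside the allowlist is something to look into, and a count above the expected headcount means the list or the expectation needs updating. Because a MAC address identifies a network interface rather than a person, treat the allowlist as visibility over who is connected, not as the control that keeps anyone out; the WPA2 passphrase and a strong admin password remain the actual access controls.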
Question #9 – Can hidden SSID be found by hackers tools?
Answer – It’s definitely possible. However, you’re never going to eliminate the risk of being exposed or targeted, but the main driving point is that you’re putting yourself in the best position possible.
Hiding your SSID will discourage a lot of novice/less experienced attackers from making any kind of a negative impact. At the end of the day, those may end up being the only types that bother you so worrying about advanced hacker tools disclosing your SSID shouldn’t necessarily keep you up at night.
Question #10 – Are there any programs I can run on a PC to find out if I have been hacked or compromised?
Answer – Antivirus software, in general, will be effective for that. I would say that if you have an existing Antivirus software installed, by default, then leverage that.
CCleaner is also a good piece of software which allows for a more effective way of going through your existing programs to ensure that you can manage that inventory of software.
Question #11 – Should I use JavaScript blockers?
Answer – Yes, I do. And while I don’t utilize every security blocker/add-on for my browser, here is a list of others you can evaluate based on your own preferences:
Question #12 – Other resources other than haveibeenpwned.com?
Answer – Yes, I would also recommend https://www.deseat.me/ for checking out what sites have established an online account with you that’s still active. You allow it to scan and then go through a list to verify all accounts tied to the email you searched with.
https://howsecureismypassword.net/ is also a great resource for grading the strength of your password by providing how long it would take a hacker to crack your password.
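The two checks described in the answers to Question #1 (a vault grade that deducts for reuse, short passwords and missing 2FA) and Question #12 (an estimate of how long a password would take to crack) can both be reproduced offline over your own exported vault, so nothing sensitive has to be pasted into a website. The script below is an added example and is not the LastPass Security Challenge or howsecureismypassword.net’s own code: the vault entries and passwords are constructed, the scoring weights are my own, and the guess rate of ten billion guesses per second is an assumption standing in for an offline attack against a leaked hash.

```python
"""Offline password-vault audit: reuse, length, 2FA coverage and a crack-time
estimate. Added example; the vault, the weights and the guess rate are assumptions."""
import math
import string
from collections import defaultdict
from typing import Dict, List

# Constructed vault export: site, username, password, whether 2FA is enabled.
VAULT: List[Dict[str, object]] = [
    {"site": "github", "user": "vs", "password": "Tr0ub4dor&3", "twofa": False},
    {"site": "email", "user": "vs", "password": "correct horse battery staple", "twofa": True},
    {"site": "bank", "user": "vs", "password": "Summer2019!", "twofa": False},
    {"site": "shop", "user": "vs", "password": "Summer2019!", "twofa": False},
    {"site": "forum", "user": "vs", "password": "qwerty", "twofa": False},
]

SYMBOL_POOL = len(string.punctuation)  # 32 printable symbols (space counted here too)
ASSUMED_GUESSES_PER_SECOND = 1e10      # assumption: offline attack on a leaked hash


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOL_POOL
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet). Dictionary
    words and patterns make a real password weaker than this upper bound."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_time_seconds(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: half the search space at the given rate."""
    return (2 ** entropy_bits(password)) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds as the largest sensible unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def audit_vault(entries: List[Dict[str, object]], min_length: int = 12) -> dict:
    """Grade a vault the way the answers describe: reuse, length and 2FA coverage."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    short = [e["site"] for e in entries if len(e["password"]) < min_length]
    no_2fa = [e["site"] for e in entries if not e["twofa"]]
    # Assumed weights: -10 per short password, -10 per reused account, -5 per missing 2FA.
    reused_accounts = sum(len(sites) for sites in reused.values())
    score = max(0, 100 - 10 * len(short) - 10 * reused_accounts - 5 * len(no_2fa))
    return {"reused": reused, "short": short, "no_2fa": no_2fa, "score": score}


if __name__ == "__main__":
    report = audit_vault(VAULT)
    print(f"vault score: {report['score']}/100")
    for pw, sites in report["reused"].items():
        print(f"reused across {sites}")
    print(f"shorter than 12: {report['short']}")
    print(f"no 2FA: {report['no_2fa']}")
    for e in VAULT:
        print(f"{e['site']:>7}: ~{human_time(crack_time_seconds(e['password']))} to brute-force")
```

The crack-time figure is an upper bound for a pure brute-force search; a password built from dictionary words or a predictable pattern falls much faster than its length suggests, which is why the audit treats reuse and missing 2FA as the findings to fix first rather than relying on the estimate alone.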
Victor Santoyo: My name is Victor, I’m officially an account executive here at Sucuri. They’ll kind of dabble all trades here. If you ever have a question or concern about anything and if you have my contact, feel free to reach out to me.
A bit more about me, if you’ve attended all the webinars in the past last year and whatnot. I’ve noticed I’ve done quite a few. So I try to introduce new details about myself. So keeping up with what’s going on in my household. I’m a father of now two tightly bonded sons. The little one there born in January. I’m now training for a half marathon with my awesome wife who is taking this out from couch to half marathon, which is awesome ambition and goal. So hopefully I can get her trained up for that in February and do not let anyone that knows me personally tell you that I turned to anything but 25 this month. August is my birth month.
Having said that, what are we here to learn? So in this webinar, Nikki described it best right, we’re trying to talk about things outside of website security, which is what Sucuri does so some of the topics we’re going to be touching on will be security as it pertains to everyday devices you connect through at your house, on the road, just things that you are always connecting to but never really thinking through or security wise.
We’ll also touch on multifactor authentication. Most people commonly know that as 2FA but there are of course ways you can add on additional layers. So with authentication or in security and online account management. Right now, we’ll cross that bridge when we get there. So who would this pertain to? Well it’s 2019 so everybody. You know, everybody’s got some laptops, some tablets, some mobile device, you know, something that connects them online. Right? So whether it’s you, your mom, your grandmother, you know, somebody is always carrying some kind of device to stay online. Whether it’s for social media purposes, whether it’s for business, you’re all connecting online somehow. So we’re all connecting online though, primarily to do what? To access a website. Which, you know, we’ve kind of gone through a bit over the year about how best to secure it and whatnot, but what’s the road to the website, right?
How do we get there? How do we connect online? A lot of people often don’t think about that path or what it takes to connect online. So hopefully I can shed some light on what that entails and what you can do along the way to help you know, further secure yourself if not for yourself but for your family. So what are we connecting to? We’re connecting through WiFi routers, right? We’re all setting that up. Whether it’s something we purchased ourselves, whether we’re leasing through our internet provider, right? You know, Xfinity does something similar. Then we connect from the WiFi router to our desktop or our phones or our tablets or our laptops. And is it just things we take for granted, right? We’re just, okay, wake up, get on my phone, go to work, connect to my desktop, get online through my WiFi. So what happens within each of these components though, security wise that we’re not factoring in, right?
Some things that we just sort of spin up, install and then forget about for years and years and years. So we’ll focus first on WiFi routers, right? How we connect online to begin with. When we connect, when we first get a WiFi router, right? We’re typically looking at something like this to get connected, right? What’s the password I need to get in? What’s the password I need to use to, you know, create either my new password or whatnot. But people often don’t realize is that these default passwords are terrible, right? You look at this end router here on the right and they’re using admin admin as their username and pass. They’ll get you into their configuration for the WiFi by, that’s pretty awful. Most people don’t think to change it. They just leave it, right? I mean they leave it as admin and admin.
If you know anything about security you know it’s just terrible, terrible security posture. So one of the things we always want to make sure and we’re being conscious is, you know, how we’re logging in. And more importantly, once we do have the WiFi set up, and you know this information, you should do your best to either block, scratch it out, tape it over so that if somebody breaks into your house or somebody you don’t want to having access in the office to look at it after hours doesn’t take advantage of, it’s already blocked off and you should make notes somewhere of that login IP or the host name, the admin password you’re using and the admin username as well. But once we log into the interface, there’s a couple of things we should also be conscious about doing, right?
So most people who do this regularly will recognize a panel like this. One of the first things you should do of course is change your password from either admin or password. My in-laws as an example, use password for their WiFi router. It’s password password and it drives me crazy. But you know, you can’t convince everybody to make technical changes that way. So make sure it follows the same methodology that we practice here, right? That it’s complex, that it’s too long and unique from other passwords you’re using. You know, it’s not being shared amongst different platforms or whatnot. So very critical and if possible, change it every now and again. And of course, basic principles can be hidden. It’s not out on the coffee table for everyone to see, only distribute to people who you know should have access to the WiFi. So what are other best Practices when it comes to your WiFi?
Well, changing your network name or otherwise known as your SSID. Essentially what this is, is when you log on, let’s say your phone and you go to Starbucks and you’re trying to connect to their WiFi, Macy’s, Starbucks WiFi, that is the SSID designated to their WiFi router. Of course, that makes it very easy to pinpoint that it belongs to Starbucks, which is fine for them, for your home, maybe not so much. You might want to keep it something a slightly more encrypted or otherwise just doesn’t give away exactly who you are. Last thing you’d want is if, bit of an extreme, but if someone’s targeting you specifically, they’re not driving around the general neighborhood and then looking for your last name, you know like looking for a Santoyo WiFi, you will find here, right. We have a very random generation of a name for our WiFi.
Next thing is of course updating it. The WiFi firmware as it’s known, does require updates from time to time and much like anything else requires probably includes some security related updates as well, so you don’t have to log into this every day, you know, at least once a month or every couple of months. But as long as you’re checking in to make sure that your WiFi firmware is up to date to prevent exploits of attacks through internet connected devices. If you’re in the industry or aware, you know WiFi routers can be used for distributing attacks. We want to make sure you’re up to date on that. Using WPA2 encryption. This is the encryption method utilized when you’re using pass keys and passwords and whatnot. This is important. You want to use this by default if it’s not already there, because this is the latest in the encryption standard.
If you’re using anything else, you know it’s not as [inaudible 00:12:22] and or you know, dependable. So if you can, make sure that you’re utilizing this method instead, and of course, limit access when you’re away. And this is interesting, people don’t think about this, like if you’re going to go on vacation for three weeks, people just sort of leave their WiFi running 24/7. Well no one’s going to be at the house for two or three weeks. Or if you’re going to take off the office for a week, you know, you might as well either just unplug the router altogether, right? So people aren’t consuming your bandwidth in the event that a, you don’t want to see spikes and bandwidth usage and whatnot, especially you got home stream video or otherwise you have off hours.
Say I’m off from nine to five every day at home, I can schedule my router to just sort of disable during that timeframe. Some routers are capable of doing that. So consider that. You know, how often are you away from this device? So if you’re not there, there’s no real reason that it should be on. Good practice on that. Now we’ve put our WiFi router in the best position to succeed. So let’s connect online. So what are we using to connect online, right? Let’s, what vessels are we choosing? So let’s first think about traditional desktops, right? We have our windows and our Mac operating systems, right? So as we go through this, I will touch on topics in general and I’ll include guidance on the left and right for each platform. Of course they may vary based on what device you’re using, but just the general idea is something kind of want to harp on and at least general guidance on where you can find it within your system settings.
So first things first, your timeouts logging in after that time out, right? So it seems like a dumb thing to go over and over, but strong passwords should always be encouraged when you’re logging onto your desktop, right? Make sure you’re changing it at minimum every six months or at the very least, you know, every three to four months to make sure that you’re properly secured there. You know if you are off, you’re one to always walk away from the machine cause you have things to do or meetings to attend, a screensaver with a short inactivity time out period is definitely encouraged, especially if you’re handling sensitive data, right? Like you don’t know how often it may take to grab a coffee, you get distracted into a conversation with a coworker and then someone might walk by your desk and you’ve got all kinds of credit card data information in front of you.
You don’t have an inactivity period where your screen goes blank. That’s kind of a big no-no. So one thing I recommend is two minutes or less if possible and of course logging back in. Should require use of that strong password that you should have ideally set up. Secondly, of course as well as removing unwanted programs. If you’ve heard me speak at events of what the previous webinars, you’ve heard me for a use a phrase, if you don’t use it, lose it. Same should go for the software on your machines. So there’s a lot of stuff that comes pre-installed, especially on tablets and phones. Some people call it bloatware, whatever you call it. There’s just certain applications or software that you may not actually use.
So I would say if you have the time, go through what you have, research online to see whether it’s actually necessary to what you’re doing or what you need it for, or if it’s something you can safely remove and if you can, do so. As I mentioned on the left and right, Mac and Windows have different ways of uninstalling these programs. Of course, we’ll be sharing these slides after, I won’t go through the specific steps, but do take the time. If you really don’t need to use a program, lose it therefore, if you’re connecting online, it’s less likelihood that something like that could get exploited if particular malware viruses get on your computer.
Third is enabling what are already built-in security measures. Really straightforward guys. You’ve got your Windows firewall, your Mac firewalls. Mac, in particular, it’s really easy. We just go right into that panel you see there is Security & Privacy and you just Turn On Firewall. That’s it, takes you 10 seconds. You could probably even do it while I’m describing this to you. So, do that. It helps any… The more layers of security you have through your browsing experience online, the better it’ll be for you.
And of course, cover up your webcam if possible. More applicable if you’re using your tablets or your laptops. So, of course, there is malware that is known to record, take pictures without you ever knowing. The light will not turn on. It just records anyway and you would never be the wiser if your webcam was running. If you found this at an event and have seen it, you know that we distribute these malware webcam covers. Plug. We’re actually going to be at Inbound this year in Boston in a couple of weeks at the first week of September. If you’re going to be in the area or are attending Inbound 2019, we’ll be at booth S20 for those who want to stop by and say hello or pick up one of these webcam covers. So, just something you want to make sure you’re doing if you’re not already. I’ve heard other means, electrical tape, Band-aids or whatever for the interim. But if you can get your hands on one of these which are available in stores, I would definitely recommend doing so.
So, of course, the desktops and laptops aren’t the only way we connect online. I imagine everybody on this webinar is connected through their phone to some way or even watching this on their phone. That’s just 2019, it’s where we are. And as important as it is to secure our Wi-Fi router and our desktop, our mobile devices are also something you need to be very conscious of.
So, what are the things we worry about with our Androids or iPhone? Unlocking it, of course. Some people just do a swipe up. That’s it. Don’t recommend. If you can at least do a pin or even better, using what we call biometric unlocking. So whether it’s your fingerprints, on some more recent phones can do ocular scanning or face recognition, whatever it is that can personally identify you as a person unlocking your phone is what you should be doing. So, in your iOS and Android settings, you have it there. I use my thumb as a fingerprint to authorize stuff, to unlock my phone. So definitely would encourage using what’s known as biometric unlocking as often as possible.
In addition, the lock screen timeout, we’ve talked about this on your desktops. Same thing goes for your phones. I might set my phone down to go pick up what’s going to be my food order at Panera or whatever. And if I didn’t think to, let’s say close off my phone and go dark, I might have sensitive information or sensitive emails that are passing through. If a bystander walks past and reads something really critical or important. And I didn’t do a good job of making sure I had a proper screen timeout, that’s on me. So, anything within a minute I think is spare on this. Depending on your industry and what you’re working with, even less so. If you’re using something like a fingerprint unlock, it’s not that inconvenient to just have to use your thumbprint every time to unlock your phone. We’re talking security versus convenience. And if you’re constantly working with sensitive data or information, definitely consider how limited your phone remains on when you’re either stepping away inadvertently. I have kids, I forget to leave my phone everywhere all the time. It’s just human nature.
Hiding notifications. So, not so much the notification itself but what’s the information in the notification. We all get flooded with notifications ad nauseam at times. What’s important is if we are handling sensitive information or just things we don’t want people to know about that we don’t show what’s the content of that. So, Gmail can tell me I have a number of notifications but it won’t actually show me the preview of what that content is. You have certain ways you can do that. Left on Android is a bit more explicit there. You can hide the contents while the notifications remain on. Good security practice. Because you just never know who’s looking or who’s trying to steal your phone in the middle of the subway or whatnot. So, just another good security suggestion for your phone.
Software updates, go through this briefly. We talk about this all the time. Same with your website. The same with your computer. Keep up with updates and for your apps as well. You never know what security-specific updates are included to maybe further help or prevent data breaches and whatnot. So the more up-to-date you are on software, the better positioned you will be.
Network housekeeping, this applies to your desktops and your laptops as well. I just kept it here because it’s easier to sort of go through in one section. We all connect remotely and travel a lot. And because of that, we have to connect through a lot of different hotspots. So, I might be going through the Denver airport to connect to their Wi-Fi, coffee shop Wi-Fi, Barnes & Noble, you name it. It can be some kind of indication of where we travel and how often we are in a certain place. So, one thing I would recommend is if you go somewhere even temporarily, let’s say you make no more use of the hotel Wi-Fi you connected to, I would delete that from your history. Primarily because if someone were to get their hands on your phone, as an example, and they were to go through how many different hotels you’ve stayed at. It can just be another crumb to unlocking sensitive information about yourself.
So, anything that just provides less of an indication of where you’ve been is just always in your best interest. It’s really easy. Especially like here on your MacBook, you can literally just click a Wi-Fi, hit the minus, just delete it. So kind of a similar approach on your phone. If you have a time just waiting in line somewhere, go through your networks, see where you’ve been. You’d be surprised that, “Hey, I connected to that hotel Wi-Fi four years ago.” Probably don’t anticipate doing that again so you could delete that off your phone.
So, we’ve made it to the browser. We’ve secured the Wi-Fi router or we’ve chosen our vessel, whether it’s our desktop, whether it’s our phone, and we’re going to cut that line to our website. So we’re going to, in this example, go fivebyfive.com.au. While we’re going to this website though, we still have to consider some of the things we’re connecting through on our browser to ensure that we’re safe there as well. So what are some of the things that we can do in terms of, let’s say logging into our website or some information or whatever the case is? Well, first things first is making sure that we’re always instilling this principle of strong passwords. And whether it’s connecting to Facebook or going to Amazon to buy something or getting on Salesforce for work purposes or whatever it is that we’re doing. We got to make sure that we’re using strong, long, complex, and unique passwords for each and every one of these access points.
I’m going to use LastPass as an example here, primarily because I use it. It’s not to speak ill of any other ones. I know that KeePass is a prominently well-used one. I’m just very familiar with LastPass, so this is the little example I’ll be using. Now, password managers are really awesome because they help in just making the generation of the passwords easier. You’ll notice on the right-hand side, you can even dictate what the length is, how many factors you’re using to generate these passwords. I use 16-character passwords for my own purposes. And from there, you can just log into your main LastPass account, create your own master password that unlocks them all.
What does this do for you? It means you only need to remember your master password. So it’s one password you need to remember. And you can have access to several dozen others that you don’t have to. It makes it really easy. It’s also available on mobile and that way you can also take that same security experience from your browser to your phone. And it’s just something really easy, I think, for everybody to use and I think if you’re using something like this already, great. I’ll also touch on some password management cleanup we can do later on in this presentation.
Next thing is, of course, two-factor authentication. For those that don’t know, and if you don’t, please take this seriously. If you do, great. Try to enable 2FA when you can. A strong password won’t always be sufficient. Sometimes a second layer, whether it’s receiving some temporary one-time code on your phone via text, whether it’s using some type of tool like Google Authenticator to log online. Something that’ll tie to something, another device of yours. To ensure that it is you accessing these sites will further sort of spotlight the potential of people trying to compromise your accounts. My wife and I often enough get emails, say from Dropbox or Amazon or Instagram saying, “Hey, here is your tokens to reset your password.” We never did that. And so we know that someone’s trying to get in. Of course, they won’t be able to because we’re getting some type of verification on our phones to validate those requests. If we didn’t, someone might’ve already compromised those accounts for us. So, try to use it.
Google Authenticator is really cool and it’s really easy to use if you’re not already. In addition, actually, two-factor is also used to keep up with your LastPass. So when you, let’s say, log onto a new browser or set up a new computer, you can set up 2FA and LastPass as well to further authenticate that it is you trying to access this master library of passwords.
Last thing I’ll touch on is our online account inventory management. This sounds complicated but the principle is actually really straightforward. So, biggest thing is just ensuring that you’re deleting information where it is possible. And oftentimes, that comes in the form of old accounts we forget we ever created. I can still vaguely remember that I used LiveJournal, maybe even DeadJournal for people who are old enough. And so what that means though is I may not have remembered those. Either delete that account or otherwise update my password in a very long time.
So, one of the things you want to make sure you’re doing is that if you don’t use it, lose it. Or you can use that same philosophy for online accounts. And so, one of the things that you want to make sure to do if you can is either go online and search for your username. If it’s unique enough, you might end up seeing it pop up in search results. Look through your old emails so just to see where you’ve logged into or gotten updates from. If you’re getting updates from somewhere, you’ve probably logged in somewhere. If you’re using LastPass or KeePass, go through your entire inventory to see what you have there.
As an example, actually, a recent cleanup I did for myself was making sure that I went through all of my existing stuff. So I had 53 passwords, I needed some major updating over 103 accounts, and as I was doing my cleanup, I realized I did not need nearly 20 of those accounts. So I just killed it or went online and deleted those accounts outright. And I’m in a much better position now than I was before I did this, the summer purge. So, just something to keep in mind.
One thing I’ll highlight, actually going back to the previous slide, is using something like haveibeenpwned.com as an online resource. It’s actually really good because it will also give you an indication if your email may have been potentially compromised in a data breach, which we read about pretty often in the news. So, if you see that pop up on your results, you know to hit those accounts first, whether it’s delete them or just creating your password, enable 2FA. You have your action items here, so whatever you can do to further ensure that your online presence is secure away from the website will always be important. A quote from Apple’s CEO, Tim Cook, was: “If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.”
Data is a major commodity these days. You see it all the time with all types of manner of breaches, whether it’s through Capital One, through Target. Why? Because that’s access to your financial information, to funds or means to exploits or whatever the malicious intent is. So your data’s out there everywhere and it’s ultimately really your responsibility as well to ensure that either, hey, if you no longer have an account with Capital One or no longer using anything at Old Navy and you have a store credit card on there, you should probably delete the account. Because someone who can hack in to, say, your Old Navy account could just start buying all kinds of stuff and putting all kinds of charges on your pre-saved card. Consider that. If you know you’re no longer using some type of online account, lose it.
Having said that, I definitely encourage going to our blog to stay ahead of all security threats. I know we focus on websites and web application security but we do dabble on other things as well, as evidenced in this webinar. So hopefully, you can follow the blog and keep up with the latest news. But otherwise, thank you for the time. And I’m sure there’s some questions in the chats that have come through. Otherwise, tweet us, use the hashtag. Let me know what’s going on.
Nikki Gerren: Oh yeah, we have some questions. So, let’s see here. I think this was from the beginning earlier when you were talking about passwords. Warren was actually asking us a few questions. But is it so important to change the username as well or not so much?
Victor Santoyo: It can be. In particular, because I think a lot of attackers may identify patterns. So, if you’re… I don’t use this password, so I feel better about using this. But if you were to use vsantoyo@gmail.com, it can be an indicator that vsantoyo is what I’m typically using for my user IDs. So that I may start testing that username against other online accounts to see if that will produce some type of result. I would definitely say if it’s somewhere where, especially personal devices or whatnot or secure accounts, try to keep your usernames also unique. I’m not saying something completely different than who you are. You could use vsantoyo with a different string or use special characters, periods, things like that. But definitely try to think through about what is something that will least identify you or at least also offer less of an indication of a trend of what you’re using.
Nikki Gerren: Okay. So, I have to change that up now. Mine always has my email, so I’m like, okay. Let’s see. Also, is hidden SSID… be recommended. Do you know about that?
Victor Santoyo: Yes, it can be, because what that means, for those that don’t know, is that basically your network remains hidden from public view, and you’re only inviting specific devices if you allow it. Right? So, you basically allowlist, let’s say, somebody’s phone or somebody’s laptop. In an office setting, I definitely recommend it. Because, that way, if you know you’re going to be working with 20 employees, you should only be allowing 20 desktops and 20 phones at max. Right?
It’s also a good way to keep management through your router settings, because you can then check how many active devices are connected. For those that are paranoid, it’s a good tactic to use, definitely. At home, maybe not so much, because you’re going to have family over who may not understand the depths of this stuff, so you can just keep it public. But if you’re in a work environment, I would recommend doing something like that.
Nikki Gerren: Okay. Good to know. I actually get this question too. I think a lot of people, I guess, just aren’t sure about firewalls. So, do Windows and Mac do it automatically? Is it like the firewall you have to set up for websites? We always say that, but you know-
Victor Santoyo: Yeah, there’s definitely differences. The topic about firewalls and what it covers that’s a big topic, right? So, for the purposes of that question, we’re talking about the firewall that protects your laptop. Right?
Nikki Gerren: Yes.
Victor Santoyo: So, let’s say your MacBook Pro. It does not come enabled by default. You need to go in there. You need to actually enable it. If you have the chance now, check it through your security settings and enable it. There’s nothing further needed besides, I think, verifying your password or your fingerprint, if you use a fingerprint to log onto your MacBook. But yeah, it does not come enabled by default. Or you can always check to see what default settings are set up. That’s another principle as well when it comes to websites, for those that have heard me talk: default settings are not always the best settings. So, if you have a chance, review your computer, your tablets, and make sure that you have something set up in there already.
Nikki Gerren: Okay. Gotcha. Are we okay on time? Are you good? Because we have several questions.
Victor Santoyo: Go for it. I’ve got enough time. Okay. I [crosstalk 00:34:17] today.
Nikki Gerren: Okay. Let’s see. Oh, well you talked about the webcam and when we’re going to be at INBOUND. We have our little webcams, but does it matter? Like is there anything we should recommend for mobile and tablet?
Victor Santoyo: Well, tablets are easier to use with the type of a webcam covers we have. It’s just like a sticky back, and you place it there, and then the piece basically slides left to right to cover the webcam.
As for phones, it’s a little trickier. There are some protectors for the phone itself, for drop purposes, that also include a cover piece that helps protect your camera as well. Right?
Nikki Gerren: Mm-hmm (affirmative).
Victor Santoyo: They’re a little more expensive, of course. Don’t… I’m not saying you guys need to break the bank to do something like this. But, I mean, if you’re a social media person, maybe it’s not the most practical thing, because you’re always going to need, let’s say, instant access to your camera and whatnot. But for those that are concerned, there are some additional add-on pieces that hold onto your phone for more protective purposes, but that can also cover your camera.
Nikki Gerren: Okay. Good to know. You also mentioned… Oh, Have I Been Pwned. Is there any other website you can think of that does that?
Victor Santoyo: I’m sure there’s a list. I think, probably without spending too much time racking my mind about it, I can include that in the Q&A of the transcripts. I’ll include a couple of examples of good ones. I will also include, for those who are going to download the presentation, there’s actually a good online tool. I wish I remembered it. What it’ll do is grade your password use, or rather your password choice.
So, what it’ll do is, you could just submit the password. If you’re not using a random generator like LastPass or whatever, if you’re trying to think of a password you’ll remember, you can use this site to basically type it in. It’ll tell you an estimate of how long they suspect hackers will take to crack that password. So, for example, my master password on LastPass, I remember, would take four billion years for any automated tool to crack, which is really ideal. Right? Then the color will change on the screen. So, the safer it is, the more it’ll change from red to green. It’s really cool. I’ll share that in the Q&A as well.
Nikki Gerren: Yeah, I want to know that one.
Victor Santoyo: I’m sure.
Nikki Gerren: Should you specify certain MAC addresses as acceptable and block others? Like all others?
Victor Santoyo: You don’t need to block others, unless you know you have a disgruntled-employee type of situation, where you’re concerned about a specific, let’s say, phone doing damage to your home, or office, or whatever. That’s probably a little extreme. Allowlisting, though, is good practice. Mainly because, especially if you’re in an office setting, it can also prevent issues like not being able to connect online. You know, heaven forbid somebody messes around with the configuration of your Wi-Fi, or your modem, or router. But that’s a good tactic to use. Some may allow you to name those MAC address devices, which is also a good reference. For example, tracking employees who sign on and off, and whatnot. So, it could work. It just depends on your needs, realistically.
Nikki Gerren: Okay. Let’s see. Are there any programs that this… It’s an anonymous person… can run on a PC to find out if I have been hacked or compromised?
Victor Santoyo: Antivirus software will typically be good for that, and there are a number that are out there. People know them. Like Norton, you have [inaudible 00:38:11] and some of their stuff. I would say that if you have existing antivirus software, run it. There are some that do require a subscription fee, that may go more in depth, which can be worth it if you’re really concerned.
I think another tool I would recommend for the purposes of going through your software inventory, if you’re not too comfortable, let’s say on Mac, going through those screens and trying to track everything, is CCleaner. CCleaner is free. There’s a premium model, but the free version does let you sort of go through your inventory when you go through a clean, and you also flush your cache and a number of other things. So, you know, it gives you good visibility there. But in terms of actually addressing potential malware or viruses on your computer, traditional antivirus should do a good job with that.
Nikki Gerren: Oh, okay. All right. A few more. People are interested in the password accounts. Is there anywhere to get those detailed stats you showed?
Victor Santoyo: Oh, so get LastPass. It’s called their security assessments. They grade you. They give you what percentile you fit in, based on all these parameters you hit. You get deducted if you don’t enable 2FA at some point, or even 2FA for LastPass.
So, I think what I’ll do is share the LastPass knowledge base article for exactly how to do that. But the cool thing about that assessment is that, first, it’ll tell you how long ago you changed the password. Some sites allow for auto-changing, so that you can literally just run the assessment, click some sites to auto-change the password, and you can just work on something else while it’s changing a bunch of passwords, which is really cool. Some don’t, but at least it gives you sort of an understanding of, like, “Okay, you have this many passwords out of date. You have certain passwords that are duplicated, right? Which can be an indication of an issue.” So, that’s a really interesting way of judging your password inventory.
Nikki Gerren: Okay, we can do that after this. That’s good. Are there any programs you would suggest to remove right away? They don’t know which ones should stay on the laptop, and which ones have to stay.
Victor Santoyo: Sure. That’s a tougher one. I mean, I think this goes to the everyday mindset, right? If you go through your program list, let’s say you go to Windows, your Start menu, and go through all your software. I mean, if there’s something you don’t even recognize, you probably don’t need it. It could be benign. It could just be an art or web-related thing, or whatever. But ultimately, if you don’t even recognize it, and you’ve had your computer for five years, you’re likely not going to use it in the next five either.
I mean, look, also beyond security, there’s the whole performance aspect, because a lot of these programs are really heavy and take up a lot of space, disk space specifically. So, not only could it help your security posture, but also, you might be surprised to see how much of a performance boost you may get from your computer just by removing 10 or 20 programs you never use.
Nikki Gerren: Oh, wow. That’s true.
Victor Santoyo: Yeah.
Nikki Gerren: Gosh, I’ve got so much to do.
Victor Santoyo: That happens on my phone. I have all this social media stuff I thought I was going to use, and I never do. So, just deleting 10 apps, all of a sudden it’s like, “Oh, yeah, Twitter’s connecting twice as fast today.” Yeah, so.
Nikki Gerren: Yeah, we can all be better, that’s for sure.
Victor Santoyo: Sure.
Nikki Gerren: Let’s see. They’re hearing about browser plugins that block ads on their browser but that can install malware. Are there reliable ones out there?
Victor Santoyo: There are good ones, especially ones that, let’s say, block JavaScript by default, for those that are security conscious. So, those are really good ones, anything that does that. There’s a lot I can… We have a post, actually, I think we did one that talks about a few that are really good, so I think that’ll be better for follow-up. I can just list them for you guys, and you can link to those particular plugins, or add-ons, anyway. There are some good ones, but if you can block Flash or JavaScript by default, it’s a good starting point. And then allow it wherever you need it.
Nikki Gerren: Okay. Okay. So, I see you’re going to have to add a lot of stuff after this. A lot of links, a lot of information. We’re relying on you, Victor. Oh, I forgot about this last one. It was when we were talking about the SSID, I mean SSIDs. They’re asking, with a hidden SSID, can they find it with hacker tools, something hackers use?
Victor Santoyo: There may be, and there are certainly ways that can happen. I won’t go down the rabbit hole too far about other things that can happen, just like using your own home Wi-Fi. I would say, though, that you’re never going to completely eliminate the risk that you may get exposed or targeted anyway. The main driving thing here is that you’re putting yourself in the best position possible. Right?
You disguising, or rather hiding, your SSID may not eliminate the most advanced attackers out there, but at the very least you’re going to eliminate a lot of novices, or people that are just trying to bother you on the day-to-day. If they can’t find you, that’s fine. Because at the end of the day, maybe those are the only types of people that come to bug you, and if you can hide yourselves from them, great.
Advanced attackers, if they’re really that proficient in this kind of stuff, I mean, there’s oftentimes little you can do. I mean, let’s face it, when you have banks, and Capital One, and Target also susceptible to these things themselves, don’t feel too burdened to try and keep up with those standards. Right? Just do what you can. If disguising your SSID is something that’s easy for you to do, and you know how to do it, [inaudible 00:12:18]. Good. It doesn’t take too much effort.
Nikki Gerren: I like that. That’s a good ending. We do what we can, right?
Victor Santoyo: [crosstalk 00:44:26] We’re not perfect, nor are we God. You know?
Nikki Gerren: No, we’re just human.
Victor Santoyo: I’m sure I’m going to forget about 10 accounts in six months, and I’m going to have to go back and clean those up. But as long as we try to remember as best as possible, instead of letting it sit there for five years, you know, that’s the best we can do.
Nikki Gerren: Well, thank you so much, Victor. You’ve really, I think, educated myself and others here today. As we mentioned, this is recorded. I believe I got to almost everybody’s questions, but if I missed any, I’ll definitely go through this and shoot them to Victor, and he’ll answer them.
The webinar itself will be with all our webinars, which are at sucuri.net/webinars. Thank you again. Oh, we have our next webinar, which has a guest presenter. It’s about understanding logs and how to use them to better manage your WordPress site. That will be on September 10th, so just a few weeks away. We have Robert Abela from WP White Security.
Victor Santoyo: Oh, yes.
Nikki Gerren: You’re going to be at INBOUND? No?
Victor Santoyo: Yes. Yes, I will be.
Nikki Gerren: Okay. Okay. So, that’s in early September, I believe.
Victor Santoyo: Yup.
Nikki Gerren: Right?
Victor Santoyo: September 2nd through the 6th, if I recall correctly. Boston, Massachusetts, for those that are in the area, and we’d love to see you out there.
Nikki Gerren: Great. Well thanks for joining us, everybody. Have a good day.