Free chapter of Firewalls Don’t Stop Dragons- A Step by Step Guide to Computer Security For Non-Techies

Firewalls Don't Stop Dragons

Below is the preface and first chapter of Parker's book, which he has kindly agreed to share with vpnMentor readers. The full edition of the book is available for purchase via Amazon.

Preface

Let’s take a little quiz. If I asked you right now to rate your personal computer security on a scale from one to ten - with ten being Fort Knox and one being a wet paper bag - what rating would you give yourself? Seriously, give that some thought right now. Unless you’re a techie person, I’m going to guess that you don’t really know how to come up with that number… and that almost surely means that your ranking is closer to the wet paper bag end of the scale. Do you really need to be as secure as Fort Knox? No, of course, not, and that’s not what this book is about. However, there are many things you can do (or avoid doing) that will significantly increase your security and privacy, and this book is chock full of them. You don’t have to do them all - even I don’t do them all - but I firmly believe that everyone should at least consider the specific tips and techniques described in this book. I’m guessing that a few questions are popping into your mind right now. Do I really need this book? Do I need to be a “computer person” to understand it? How much effort is this going to take? All good questions! Let’s answer them right up front.

The answer to the first question is easy: yes! Okay, why do you need this book? Because so many important parts of our lives are moving to the Internet now - banking, shopping, paying bills, socializing, gaming, you name it. And it’s not just our desktop computers that are connecting to the Internet, it’s our laptops, smart phones, tablets, and even our appliances. Unlike the days of dial-up modems, our devices are now connected almost 100% of the time. These facts have not gone unnoticed by the bad guys. As the famous saying goes: why do criminals rob banks? Because that’s where the money is ! You need this book because it will make you safer - significantly safer, if you follow most of the advice. In fact, it will not only make you safer, it will make those around you safer, even if they don’t do any of the things I recommend in this book. (I’ll explain that bit of magic later in the book.)

This book is for my mother, my friends, my neighbors, and all the other totally normal, everyday people like them: people who use computers and mobile devices, but don’t really know (or frankly care) how they work. This book is for people who just want to know what they need to do to protect themselves - step by step, without judgment, and with as little jargon as possible. I’ve structured this book to give you the maximum benefit with the least amount of effort (and cost). The purpose of this book is to cut to the chase and clearly explain the things you need to do to protect yourself in this increasingly connected world of ours. Along the way, if you want to learn a little of the ‘why’ and ‘how’, in language you can understand, I’ve included a good bit of that, too. In this book I use a lot of analogies to help explain these technical topics in ways that everyone can understand, and I also include some fascinating stories that help to drive the points home. I’ve made this book not only easy to read, but hopefully even fun to read!

But can’t I find all of this information on the web, you ask? Sure you can! The problem is not lack of information - the problem is that there is too much. How do you find what you need and weed out the stuff you don’t? Most people wouldn’t even know what to search for. Even if you knew some of the technical terms, you’d still have to collect all the info and figure out what parts are relevant to you. To make matters worse, the common news sources that most people turn to have done a horrible job covering these topics (when they cover them at all). They tend to focus on the wrong things, crank the hype to ridiculous levels, and generally give poor advice. There are lots of good web sites that get it right, but you’ve probably never heard of them and they tend to be very technical. If only someone could find all the most important stuff, break it down into manageable pieces, and explain it so anyone can get it…

That’s the main reason I’m writing this book. I firmly believe that in this day and age everyone needs a fundamental understanding of computer safety - not only for each individual’s sake, but also for everyone’s sake because we’re all connected now. It’s not just about protecting ourselves from criminals that want our money, but also from corporations and governments that want to track what we do, what we say, who we associate with, what we buy, what we read… well, basically everything. It’s important that we understand all of these threats. My goal is to not only give you the tools you need to protect your data and your privacy, but to arm you with the knowledge you need to be an informed citizen when it comes time to vote, either at the ballot box or at the cash register. So… let’s get to it!

A Note to my Fellow Geeks

If you’re a techie person, then you’re probably the go-to “IT guy” (or gal) in the family. Your friends constantly ask you for advice when buying a computer. Your relatives email you whenever their Mac is “acting funny”. And your college-aged niece who downloads tons of “free” music and movies can’t understand why her PC is riddled with viruses. If you’re a real softie, you probably forward them emails about scams to watch out for, web sites to avoid, and suggestions on how to protect their privacy. Most of the time, your advice is never followed, unless you give them detailed, step-by-step instructions or just do it for them. Remote desktop sharing has saved you much time and effort, but it’s still frustrating trying to keep your friends and loved ones safe and up to date.

This book isn’t for you - it’s for them. You already know most of this stuff, or at least know where to find it. But your loved ones are still struggling, despite your best efforts. This book is going to be the stocking stuffer you give to everyone in your family. It’s the book you issue to each friend who buys a new computer. It’s the book that’s going to save you countless hours explaining to Aunt May why she needs to have more than one password, or answering your neighbor’s constant questions about which anti-virus software he should be using, or helping your mom remove ten different Internet Explorer toolbars so that she can actually see more web page than buttons.

The purpose of this book is to walk the average, non-techie person through the basic things that everyone should do to protect their computers and their data. It also takes the time to explain why these things are important and how they work, at a high level. This is the stuff you wish you had time to explain to all your friends and family. Note that I’m going to have to simplify a lot of things in this book, including making some key decisions on which tools to use. This just can’t be helped. Entire books could be written on any chapter of this book. My goal here is to give everyone a valid path to computer safety, not every possible path. That said, I’m always open to suggestions for future revisions of the book. Please feel free to reach out to me if you would like to provide feedback. (See the Feedback section in the next chapter.)

Before we Begin

HOW WORRIED SHOULD I BE? I’d say people fall into three camps when it comes to computer security. There’s a large camp of people who are blissfully ignorant. They like their computers and gadgets, but don’t really worry about security. Let’s call this Camp Pollyanna. Why would anyone target me? Surely the computer and gadget companies have built in lots of safeguards, right? The people in this camp have probably not had anything bad happen to them and they feel safe enough. (They’re almost surely not.)

There’s another camp of people who are scared to death of computers and online life in general. They refuse to shop or bank online, but maybe they send some emails, surf the web to look something up, and dabble in Facebook. This would be more like Camp Luddite. In my experience, the folks in this camp tend to be older - they didn’t grow up with computers and can live just fine without them, thank you very much. (You can live without “horseless carriages”, too – but why would you?)

And there’s a small camp of folks that understand the likely risks, take proper precautions, and proceed confidently with a wary respect for the dangers. That’s my camp. Sorta like Camp Goldilocks - not too scared, not too indifferent - just cautiously confident. (I considered going with “Camp Super Amazing Awesome Cool”, but figured that probably sounded a little biased.) The goal of this book is to bring everyone into my camp!

Computers and the Internet have already changed the world, and there’s no looking back. Like any powerful tool, it can be used for good and for ill. We shouldn’t shun the tool because we don’t understand it, but we also need to learn to use it properly so that we don’t endanger others or ourselves. Automobiles can be lethally dangerous, but the benefits of mobility are undeniably worth the risks. However, unlike with cars, where we are carefully trained before being allowed onto the highway with others, there is no “Internet surfing license”. Also, the dangers of piloting a 3500-pound metal box at 70 miles per hour are readily apparent to the driver: if I crash, I’m going to seriously injure myself and probably others, as well. But the dangers of surfing the net are not intuitively obvious and people just don’t have an instinctual feel for the dangers. Before computers were connected to the Internet, this lack of understanding didn’t matter much. If you had computer problems, they were probably caused by you and only affected you. Today, with everything connected 24/7, our computers are much more vulnerable - and a security lapse by one person can have serious effects on many others.

What are the actual risks involved? How severe is the situation? These questions will be addressed in greater detail in the upcoming chapter. However, let's provide a brief overview. Security professionals refer to this process as threat analysis.

Threat Analysis

At the end of the day, you have two things you really need to protect: your money and your privacy. While it’s obvious why you would want to protect your money, for some reason people seem to be extremely cavalier these days about their privacy. However, private information can also be used to get your hard-earned cash (more on that in a minute). Most bad guys are motivated by good old-fashioned money. While it’s certainly possible that someone might want to personally do you harm, unless you’re a politician or a celebrity, it’s not the most common threat. There are lots of ways to get money from people, however, and hackers are extremely creative. Let’s look at the most common direct threats to your money and privacy.

Credit Card Fraud

People worry a lot about their credit card information being stolen online, but in reality this is probably one of the least scary scenarios. Why? Well, as long as you report the fraudulent charges in a timely manner, you won’t be liable for them. Sure, you might have to get a new credit card, which is annoying, but you haven’t actually lost any money. It shouldn’t even affect your credit score. The credit card companies have insurance and they charge all sorts of fees to cover losses like these. They’re also getting very good at spotting suspicious activity - they will probably catch the bad charges before you do. So, while credit card fraud is a very real problem for the credit card companies, it’s really not a major problem for the cardholders.

Spam and scams

The Internet is a con artist’s dream come true. You no longer have to find and meet your marks one at time, you can reach millions of gullible people for almost zero cost (and almost zero risk) via email. It’s estimated that about 70% of emails are junk or “spam”. That’s a staggering figure. Junk mail filters now catch most of these emails, and most of the rest are rightly ignored and deleted. But if I can send 100 million emails for almost no cost, and only 0.1% of these emails are read, I’ve still reached 100,000 people! If I can convince just 1% of those people to bite on our scam, I’ve landed 1000 “clients”. And that’s just today.

Using email as a delivery mechanism, bad guys will try to trick you into sending them money, signing up for expensive services, buying phony products, or divulging online account credentials (a scam known as “phishing” – see the next section). The list of scams is long and is only limited by the perpetrator’s imagination. They will use “social engineering” techniques to capture your interest and play on your emotions: guilt, shame, fear, even generosity. It’s a classic tale, just told via a new medium.

Phishing

Unfortunately, this has nothing to do with a rod and a reel and whistling the theme to The Andy Griffith Show. Phishing is a technique used by scammers to get sensitive information from people by pretending to be someone else – usually via email or a web page (or both). Basically, they trick you into thinking you’re dealing with your bank, a popular web site (PayPal, eBay, Amazon, etc.), or even the government. Sometimes they entice you with good stuff (winning a prize, free stuff, special opportunity) and sometimes scare you with bad stuff (freezing your account, reporting you to some authority, or telling you that your account has been hacked). But in all cases, they try to compel you to give up information like passwords or credit card numbers.

Unfortunately, it’s extremely easy to create exact duplicates of web pages. There’s just no real way to identify a fake by looking at it. Sometimes you can tell by looking at the web site’s address, but scammers are very good at finding plausible web site names that look very much like the real one they’re impersonating.

Viruses and Other Malware

Emails are often used to lure unsuspecting people to fake and/or malicious web sites. These web sites use bugs in computer software to surreptitiously download software to your computer. Sometimes the emails have infected files or applications directly attached, as well. This “malware” may be used to steal information from you, cause senseless harm to your computer or data, or make your computer a slave in their army in order to wage war on some third party. That sounds like a science fiction story, but it’s very real. We’ll talk more about this in the next chapter.

Identity Theft

When someone uses your private information to impersonate you for the purpose of gaining access to your money or your credit, this is called identity theft or identity fraud. This is probably the most serious threat for the average computer user. If someone can successfully pretend to be you to your bank or a credit card company, they can do anything you can do, including draining your bank accounts and opening credit cards and/or loans in your name. If someone can gain access to your bank accounts, they can simply withdraw all your money. If they can open and max out a new loan or credit card in your name, you will be stuck holding the bill. Now you have to convince the bank and the credit agencies that it wasn’t really you, and that you weren’t somehow negligent in allowing it to happen. If you’re lucky enough to get your money back and get the debt waived, you may still have a big black mark on your credit history. This is where privacy really comes into play - it’s not just about someone reading your emails or knowing what you did last weekend, it’s about someone using that information to convince someone else that they are you.

Email Hacking

While it’s obvious why criminals would want to target your bank and investment accounts, it might surprise you how lucrative it can be to hack into someone’s email account. When you forget your password, how do you recover it? The most common method today, by far, is via email. If a crook can gain access to your email account, they can use the automated password reset service on your bank’s web page to change your password - locking you out and giving them full access all in one fell swoop.

Furthermore, they can use your email to get money from your friends and family. One of the more popular scams is to email everyone in your contact list and tell them you’re stranded somewhere - your wallet, passport and cell phone have been stolen, and you need emergency money wired right away. If you got this email from someone you didn’t know, you would surely ignore it. But if you got it directly from your daughter, your best friend, or your brother - maybe even a reply to an earlier email from them - you could very well be duped into believing it was real.

For these reasons (and others), it’s very important to lock down your email accounts and take action if you believe they’ve been compromised.

Tracking and Surveillance

I personally cannot fathom why people aren’t more upset about the massive invasion of our privacy by corporations and governments. We freely give away all sorts of significantly important bits of information left and right in return for “free” services. And we collectively shrug when whistleblowers reveal astonishing levels of surveillance on the entire population by our governments. But I won’t get on this soapbox just yet; we’ll save that for a later chapter.

I will say, however, that our online activities are being tracked at unbelievable levels today. Personal information is gold to advertisers and they are building massive profiles on each one of us and selling it to whoever is willing to pay (including the government). This includes your sex, income range, spending habits, political leanings, religious affiliation, sexual orientation, personal associations and connections, search history, web sites visited, and even medical and health information. I will cover this in detail later in the book.

Indirect Threats

So far we’ve only discussed direct threats - bad guys targeting individuals (even if they sometimes do it on a massive scale, as with spam). While some crooks prefer to mug a series of people in dark alleys, more ambitious thieves might prefer to just rob one bank vault and be done with it. It’s the classic risk versus reward tradeoff. While we’ve had centuries to figure out how to properly protect physical assets like jewels, gold, and cash, we’re still trying to figure out how best to protect our digital assets.

That “we” doesn’t just refer to you and I - it also refers to large corporations. It seems like nary a month goes by now without hearing about another massive security breach at a brand name company… the stealing of credit card info from Target and Home Depot, the “hacking” of Apple’s iCloud service to download risqué celebrity photos, or the colossal breach at Sony Entertainment that divulged astounding amounts of personal and financial information. And while those were high-profile breaches that made the headlines, there are many others that didn’t make the nightly news - either because they were smaller and escaped notice by the mainstream press, or because the companies just kept the breaches quiet.

As regular consumers, we can’t do anything to improve the security of these corporate server farms. However, we can do a lot to mitigate the impacts of these now-inevitable breaches.

Summary

How scared should you be? How likely is it that you will be hacked or swindled or robbed? The bad news is that I can’t really give you a solid answer to that - it’s like asking me to predict whether you will get mugged on the street or have your home robbed. It’s a risk we all face, and that risk depends not just on where we live but also on our behaviors. But even those risk factors can’t predict whether a particular person will be the victim of a crime. The good news is that there are many relatively simple and affordable things you can do to significantly reduce your risks, and that’s the point of this book.

As an added bonus, taking steps to protect yourself will also increase the security of those around you, even if they don’t read this book. It’s very much like getting your child vaccinated. (Let’s leave aside the hot-button topic of inoculations causing autism, and just focus squarely on the preventative aspects.) You’re not just helping to protect your child, you’re actually helping to protect everyone else, including those that have not been vaccinated. It’s the same with computer security: if your computer or online accounts are compromised, they can be used to compromise others - particularly those with whom you are connected to directly. When you leave yourself vulnerable, you’re not just risking your own safety - you’re risking the safety of others, as well. Therefore, protecting yourself will actually help to protect your friends and family, too.