
The Secret of Digital Security Is That It's No Secret

Imagine showing up at your bank only to find out that not only is all your money gone, but the entire bank might be going out of business because a system administrator opened a poisoned webpage and her servers were cracked.

Or imagine learning that anonymous strangers are posting details of your most sensitive medical conditions because the hospital that treated you didn’t secure its records properly.

Or imagine arriving for your job as a movie studio executive and learning that your lineup of summer blockbusters has been posted online for free, and all your rude emails gossiping about colleagues have been published for all the world to read and enjoy.

A few years ago, those scenarios were hypothetical movie plots. Now they are headlines.

And so, as we close out this year of infamous hacking and cracking, we have moved from imagining hypotheticals to wondering how anyone can be safe online against an invisible army of hackers—the imagery always includes someone in his mother’s basement, or deep in a military bunker—that conspires to steal your sensitive information. If the Government's own Office of Personnel Management cannot protect its (or your) information, what hope does an ordinary person have to secure their own information online?

But there’s a secret, and it’s one we needn’t imagine or wonder about. It is this: The overwhelming majority of successful digital security breaches today are entirely preventable.

We often describe human error as the root issue, but many common technologies make it far too easy for people to do the wrong thing: to use a weak password, or open an innocuous-looking image, or think a fake login page is the real deal. When technology makes it easy for so many things to go wrong, it’s just a matter of time until one of them does—but technologies exist today that make it much harder for things to go wrong. If we move from bemoaning human fallibility to thinking of it as something against which we need to protect ourselves in the course of everyday life, we can make ourselves much more cybersecure.

Digital security has only three areas of technical risk: server vulnerabilities, tampering or spying on the connection, and popular attacks on personal devices. There could be a server vulnerability, as with the Heartbleed bug; these are hard for hackers to find, but also hard for the good guys to protect against. There could be tampering or spying on the connection, using systems like Narus to listen in on the wire; this is common in repressive regimes, but can be mitigated with proxies or free tools like the Electronic Frontier Foundation’s “HTTPS Everywhere.” Or, finally, there could be a variety of popular attacks on your devices, which are often the weakest link, and where it is worth spending the most time discussing available protections.

That’s it. Three risks. And we can mitigate each of them.

The third risk—attacks on devices—is taken advantage of most, and is relevant to all of us in our daily lives. But we all already have tools at our disposal to make our devices vastly more secure, none of which require a complex behavioral training regime or an advanced degree. There’s a finite list of weak points through which digital security can be compromised—and simple technologies, correctly deployed, can help protect these weak points.

The first main risk to device security comes through stolen passwords, or phishing. One out of every fifty emails sent to Gmail is a phishing attempt (though Google filters most of them out). One easy first step to take to protect yourself against phishing is a free “Authenticator” app for your smartphone, which functions as a second layer of your password: To log into your account, you’ll need both your written password and physical access to your smartphone app. If someone steals your password, they are still out of luck without getting your device too. Other apps, including RSA SecurID and Duo Security, follow the same logic. You can use these second factors to log into an ever-growing list of services. Free Chrome extensions like Password Alert can also help reduce your password reuse and provide a simple layer of defense against phishing.

If you are determined to doggedly defeat phishing, you can go a step further. A device no bigger than a stick of gum, costing less than $20 (a pretty cheap holiday gift), provides world-class protection against password theft. The device, made by Yubico, is called a “security key,” and it sits in your computer’s USB slot, requiring a gentle tap every time you want to log into your account. Its built-in cryptographic protocol makes it extremely resilient against even very sophisticated attackers, and using the key is simpler, faster, and far safer than adopting long, hard-to-remember passwords.

We are also fully capable of protecting ourselves against the other ubiquitous risk: malware, or software that can be used to remotely take over a device. Roughly one out of every three computers around the world is infected with malware. Any antivirus software, such as Avira, is a good start. But a sophisticated attacker might use custom attacks that won’t be caught by common antivirus software — and most common operating systems were not designed with a security focus, so they have to play whack-a-mole with malware designers.

And so, to be sure you won’t be maligned by malicious malware, get a device with better security properties. For example, Chromebooks — simple laptops that only run Google’s Chrome web browser — are extremely hard to infect with malware (in the interest of full disclosure, I am the lead product manager of Google Ideas, and Google funds New America's Open Technology Institute, where I am an adjunct fellow). After all, they can’t run anything that’s not Chrome, so the only exploits that can infect them are security holes in the Chrome browser itself — which is a much, much smaller risk profile. Chromebooks are not for everybody, but, over time, streamlined systems like them will become viable malware-resistant options for more and more of us.

Though these newer tools are diverse, they all have one thing in common: They take the guesswork—the imagination, the wonder—out of staying safe online. Digital security is not black magic — just sound, human-centric engineering that quietly reduces the number of things that can go wrong. In fact, the best security tools are practically invisible. When you buy a car, you don’t have to turn on the anti-lock brakes or manually inflate the airbags—the car’s security tools automatically stay out of your way and protect you in a pinch. We should start seriously deploying existing digital security technologies that do the same. Imagine that.


Justin Kosslyn was an Adjunct Fellow at New America’s Open Technology Institute.