A message to RVtravel.com readers about safe internet use

Some of our readers received this message when trying to access our website or newsletters.

By Kim Christiansen
Today, January 5, 2018, more than 1.4 billion usernames and passwords were posted to the Dark Web, a part of the internet that is not publicly available but frequented by hackers and criminals. These hackers then used thousands of computers to target hundreds of thousands WordPress servers, which is the most popular publishing platform, and the one used by RVtravel.com. This leak is combined of names and passwords from known breaches and new leaks. More than 196 million of the usernames/password combinations have never been seen before.

The security software RVtravel.com uses to block the attacks ended up further blocking some of the worst offending networks. This resulted in us inadvertently blocking some RVtravel.com readers from our websites and newsletters: they just so happened to be on the same network as computers attacking our site. We have since unblocked those readers and are monitoring the situation closely.

New Vulnerability in Hardware of Computers, Phones and Tablets

Where our hackers attacked us from during the last week.

On January 3, Google’s Project Zero, or GPZ, released details of new vulnerabilities that exist in almost every single computer currently in use. There are actually two vulnerabilities, one called Meltdown and another called Spectre.

Meltdown allows a hacker to read information in a computer’s memory chips, the computer’s work space if you will. Normally, this area is off limits but with this new vulnerability hackers could access the memory of a computer directly and read the information. 

Spectre is a new flaw found in the speculative speed enhancements in modern computer processors. Processors have programs that try to guess what you’re going to do next and then they hold that information close by to speed up any requests that need it. With this flaw, hackers could use code to read that data.

These are fairly serious problems in the underlying hardware that makes our modern world possible. There will have to be significant updates to both software and hardware in the coming weeks to plug these holes.

Watch for your computer or phone to warn you about available updates and apply those updates as soon as they arrive. As a general rule you should always keep your computer and mobile devices up to date. Security is an ever-moving target and the people who make these devices and software are working hard to make sure your device is safe to use.

Because the two above-mentioned vulnerabilities deal with speed enhancements in hardware, you may notice an impact in the performance of your computer or mobile device after it has been patched. For most users, the impact will be minimal, if even felt at all. For more high-end users, though, the impact could be as much as a 30% reduction in speed. We’ll just have to wait and see how the patches affect performance in day-to-day computer use.

Safe computing is a term for how I recommend people use the internet on their smart phones and PCs (Mac or Windows). This can be summed up in these easy steps:

1. Never use the same username and password combination.
Even though we all have done this and many of us still do, it’s the most insecure thing you can do. If hackers break into someone you have done business with and get that username and password, they get instant access to your entire digital life where you used that password.

2. Never use passwords that are easy to guess or very common.
Passwords like “password” or “1234” or your home address or phone number are easy to find or guess. Try to use a pass phrase or, better yet, obtain a password locker program such as 1password or LastPass (there are several more available). And yes, the most common password is still “password.”

3. Avoid online quiz or tests that ask for personal information.
Don’t answer any quizzes or tests on social media like Facebook that ask for personal info like what month you were born in, what your favorite color is, etc. While many of these are harmless, they have been used to compile data by hackers. Know who you are giving such information to. Online polls aren’t bad things, but they can be and are abused by hackers.

4. Always use an anti-virus program for your computer, tablet or phone.
It doesn’t matter if you have Mac or Windows, you need to run an anti-virus program and you need to pay for the yearly updates. Hackers aren’t sitting still – they are actively trying to steal your information and infect your computer in new ways. While the current Mac and Windows operating systems are way more secure than they used to be, they aren’t perfect, and this is an important part of owning a computer. If you have an Android phone, this is important for you as well, since the Android marketplace has had several instances of infected apps. iOS is more secure because Apple limits access to developers, but having another layer of protection is recommended.

5. Never, ever, ever use public Wi-Fi.
All of those coffee shops that offer free Wi-Fi are fertile ground for hackers. They don’t even need to be IN the coffee shop – they could be sitting nearby.  Everything you send over public, shared Wi-Fi is readable to any hacker over the age of 8 with readily available tools they can download online. Think of it like this: Would you share a cup of coffee with someone you didn’t know? Imagine if a coffee shop had one big mug that everyone took a sip from. That’s disgusting, isn’t it? That’s the real-world equivalent of everyone in the shop using the same Wi-Fi password. Just don’t do it. Check with your mobile phone provider for tethering options, and if you must use your computer in a public space, connect to the internet through your phone or tablet’s Wi-Fi connection. If you’re on your phone or tablet, use your mobile provider’s data connection at all times unless you are on a Wi-Fi network that you know is secure, like your home network, a friend or family member’s network, or at work.

6. If you are on the road and need a reliable/secure internet connection.
Consider purchasing a virtual private network connection or VPN. A VPN is a service that you subscribe to that encrypts all of the information you send over the internet so even though a hacker might be able to intercept your data, it will be unintelligible to them. This keeps you and your data safe. Another method of remote access is to obtain a Wi-Fi Hot-Spot from your mobile provider. You connect your computer to the Hot-Spot over Wi-Fi and then it connects to the internet via your mobile provider’s network. They are secure and easy to use. Many RVers may already have these, as internet connections on the road can be spotty at best.

7. Don’t underestimate the value of your online information.
The damage identity thieves can do to you with even a minimal amount of information is daunting. They can use a few bits of information to get access to more. The holy grail is your mother’s maiden name, the last four digits of your social security number, or your entire social security number, and your date of birth. From the Equifax data breach alone they have access to all of that information readily available to them. Once an identity thief gets their hooks into you, the amount of time and money you will spend trying to clear your good name will far outstrip the time and money spent upfront practicing Safe Computing.

Related

11 Thoughts to “A message to RVtravel.com readers about safe internet use”

  1. JB

    Another way to help alleviate hackers,although not a sure fire one,is to use a form of Linux,such as Ubuntu.I stopped using Microsoft long ago because of their bloated software which is full of bugs when shipped. Linux just does a better job of updating and runs way smoother on older PC’s than anything MS puts out. Try it,you might just like it.

    1. WhiteHat

      I used to recommend Ubuntu; Now I’ve been won over to Mint. Ubuntu lost my love with all their interface mangling when everyone loved gnome, and Mint is a bit easier “out of box” for most Linux newbies to configure IMHO.

      For any readers who want to try Mint, it is free to download and free to use in perpetuity, and can even be run from CD as a demo or installed in parallel if you have reason to still keep Windows for certain legacy programs. And it’s FAST.

      Personally I don’t recommend W10 as much more secure than W7/8… It has different, but still serious security issues, including its tendency to spy for Microsoft itself.

      1. Booneyrat

        Never heard of Mint,but will check it out.Almost anything is better than any form of winblows.

  2. Gord

    Question about ‘public wifi networks’. Is using HTTPS (SSL/SSH) not a secure way to use these public networks?

    1. Jim

      I would like an answer to Gord’s question as well.

    2. Kim Christiansen

      The short answer is no.
      HTTPS over public Wi-Fi is still not secure enough for any financial transactions, file transfers or anything you might want to keep confidential.

      The long answer is a little more complex:
      1) There remains the possibility of a ‘man in the middle’ attack where a hacker puts a pitstop in between you and your destination. Anything you enter on your device, username, password, bank account info etc, is captured by them. If someone was to set up ‘shop’ outside of a coffee shop this is a good way to siphon off info.
      2) SSL itself has been shown to have certain vulnerabilities that can be exploited if someone has access to your data stream from the start. There is a secret handshake that your browser does over HTTPS with a web server to set up a secure connection. Right at that moment you’re vulnerable to a hacker. It’s not a commonly used tactic just yet, but it will be further exploited as hackers get more sophisticated with their attacks.
      3) Hackers have been able to obtain legitimate SSL certificates that allows them to set up a secure SSL connection to your browser. So you’ll see the little green lock at the top of the screen and think you’re safe. Up until the past 18 months, HTTPS using SSL was considered to be safe in a public Wi-Fi situation. Security experts now agree this is no longer the case.

      So, HTTPS connections using SSL are better than regular HTTP connections, but they are not a panacea.

      My hope is that we’ll see some new technology from Wi-Fi vendors in the near future that ties into a point of sale system to generate unique one time Wi-Fi passwords that expire after a period of time. This would give you essentially a short term private Wi-Fi network that hackers would have to break into first before they could try to gain access to your computer’s internet connections. While this sounds like a great idea, the implementation would take time and money and since it’s shops, parks and restaurants offering this as a free service, it likely won’t happen anytime soon.

      As WhiteHat has mentioned, setting up a VPN over a public Wi-Fi hot spot is more secure and many higher-end home routers have this capability built in. If you have a modicum of technical knowledge using one of these might be a good way to avoid paying a fee for one. But do be aware, VPNs slow down your internet speed a little to a lot, depending on how busy the VPN is, how much data you’re moving around and how fast your computer or mobile device is. So they are fine for simple web browsing, buying parts off of Amazon or eBay or checking email. I wouldn’t play an online game over one but I have streamed the Olympics over one before when the sports I wanted to watch were not available in the US. As we say so often in the tech and automotive worlds, your mileage may vary.

      Finally, JB mentions getting a Linux based computer and that’s not bad advice. Linux is free and as they said it can make an older laptop zip along for another couple of years. One could say get a Mac as well, since they tend to last longer than Windows PCs and are very user friendly. They both have fewer viruses to their name than Windows.
      But hear me out, this is really important…
      Operating systems won’t save you from the hacks and vulnerabilities listed in this article. It doesn’t matter what phone, tablet, desktop or laptop you are using, ALL of the things mentioned above apply to you. And for the record, Windows is actually a little more secure than Mac OS or Linux right now. Microsoft has been getting pretty serious about security in the past few years. They may still be the biggest target, but at least they are doing things to make that target harder to hit for hackers. Oh, and if you’re not on Windows 10 yet, make that a priority in the next few months. Older versions of Windows are way more vulnerable.

      Stay informed, pay attention to your connections, add in a little ‘making sure your wallet is safe in a crowd’ paranoia, and you should be fine.

      Also, I watched the video about bad Wi-Fi in parks listed in the related links above. It’s a great overview on the issues facing parks and Wi-Fi, worth watching for sure.

  3. George

    Was the start of the article “Today, December 5, 2018” as test to see who reads the details? Did I pass?

    1. You not only passed the test, you win the gold star for the day, George! Thanks! It’s been corrected. 😀 –Diane at RVtravel.com

  4. WhiteHat

    Kim: Great writeup of a complex technical issue! Ironically I am both a security expert and one of the ones blocked last weekend while traveling north, so I appreciate the challenge of an ever moving target.

    I haven’t read through all the technicalities of how predictive caching is being exploited *this* time, but I wonder if Linux (my usual OS) suffers quite the same software vulnerabilities — already generally much faster than winDOZE, I expect it’s more atomic patching method to lessen the performance hit of any software remedy, but we’ll see.

    Another “mobile secure network” option is operating your OWN free VPN if you have a stable home base. Traveling RV folks here would tunnel from a more public ISP through their own private VPN back to their home internet connection, which is presumably (maybe?) more secure. Slightly more techie, but not much harder to do than a paid VPN.

    By the way, you failed to mention the most secure way to protect your data — I have two airgapped networks (and who doesn’t have multiple computers?). Put simply, the machine(s) that have sensitive data don’t have external internet most of the time, and AT ALL other than through a heavily encrypted channel. They don’t run “social” or data-promiscuous software or visit questionable sites. To access that network, you’d have to physically plug into my lab’s router. Conversely, I have a “frozen” virtual machine for exploring those suspect sites when needed (which of course “forgets” any infection every shutdown).

    Because I’m evil, I also operate a dead-end honeypot virtual machine to caution me when someone is even trying to attack my networks, but that’s an extra layer of paranoia. 🙂 It is horrifying to watch all the incoming port scans et al… Most users have no idea how often someone “rattles their doorknob”…

    Stay safe!

    1. Kim Christiansen

      Hi WhiteHat,

      You indeed are an expert and have taken the same measures I have seen other security experts take, a physical barrier between that which want to make sure stays private and everything else. It’s necessary when you’re exploring potentially infected sites or trying to isolate a virus or hacking attempt. But it is a little outside what the average user can do themselves.

      Unfortunately, the vulnerabilities I listed above are OS independent, platform independent and device independent. They use vulnerabilities within the infrastructure of the 802.11 standard and SSL itself to gain access to your data. So using Android, Linux, MacOS or Windows makes no difference.

      Also, these new memory and processor vulnerabilities discovered by Google affect >>>every single computing device in use today<<<<. From laptops to workstations to phones and tablets. They even affect streaming devices such as smart TVs and streaming sticks you plug into your TV. They could even affect your security system, internet connected cars/trucks/RVs and Wi-Fi cameras. It's going to be a monumental task to update and secure all of these systems. Some just won't be updated due to the age of the device or the disappearance of the company that made them. The reverberations of these two vulnerabilities will be felt for a long while yet. All we can do is pay attention for updates and apply them religiously.

  5. Mike

    Thanks for the reminders. I’ve been hit by hackers involving ransom bitcoin payment about a year ago and that was a eye opener for taking things for granted. Keep up the good work.

Comments are closed.