Five Computer Security Myths, Debunked by Experts
We're no strangers to helping you secure your computer, but there are some computer
A few weeks ago, Wired shared their five biggest cybersecurity myths and the truth behind them. Their list is good, but we thought there had to be some computer security stories that everyday users still believe, even though they've either been long debunked, or because they keep getting spread around.
We sat down with computer security and forensics experts Frederick Lane and Peter Theobald to get to the truth behind some security
Myth #1: No One Would Want To Hack Me, I Don't Have Anything Worth Taking
This one comes in many forms, but it's often referred to as "security through obscurity." The idea is that because the internet is vast and the odds are in your favor, you'll never be targeted, and even if you were, you don't have any personal data of value on your computer worth taking. This one is pretty common, and both of our experts noted that they've heard this before.
The problem with playing the odds is that, of course, it only takes one bad roll to ruin your day. While it's true that most of us don't have to worry about being specifically targeted, the most common threats aren't the ones that target you specifically; they're internet-wide fishing expeditions by automated bots looking for vulnerable computers and networks. Similarly, it may not be your data someone wants; it's your vulnerable, broadband-connected PC. Your computer is the valuable asset, Frederick Lane explains:
The device itself (or the storage space on it) is potentially useful to a hacker as a remote storage unit for contraband materials (i.e., child pornography), or as a zombie/slave in coordinated denial-of-service (DOS) attacks on Web sites.
don't think your data is valuable, keep in mind that
personal or financial information is valuable to a potential identity thief. Bits and pieces can be assembled with other information from other sources to make a complete picture. In this case,
a little prevention
Myth #2: Services Like Tor and VPNs Make Me Completely Anonymous
service that disguises your web browsing so you stay anonymous
[I've heard that] If I use Tor, no one can figure out what I'm doing. Tell that to the Harvard kid who logged into TOR on a campus computer to post a bomb threat last December, only to be stunned when law enforcement and Harvard IT employees were able to identify the computers that were used to access the network within a given time frame. They narrowed the suspects down to one who actually had a final, and when they showed up at his door, he confessed (no doubt out of shock). It is REALLY hard to be completely anonymous online.
Lane is right. Eldo Kim used Tor to post bomb threats in December of 2013 in an attempt to delay final exams at Harvard. He would have gotten away with it too, had he not left a trail of other evidence that led the FBI to his door, including the fact that he used Tor from the Harvard wireless network. Had he used a
Bottom line: Remember that services like Tor and your favorite VPN are great for protecting your identity and security on the internet, but they're not foolproof. Tor offers incredible anonymity from companies that harvest your data, your ISP, and even the government to a degree. A VPN encrypts all of your traffic so you can be sure your communications are secure from prying eyes or snoops. However, in both cases what you do can give you away, you're still riding someone else's network, and someone skilled and determined enough to decrypt or log your activity can do so. We still believe Tor and a good VPN should be tools in your security arsenal, but if you think they're all it takes to be completely secure and anonymous, think again.
Myth #3: MAC Filtering and Disabling SSID Broadcast Is Enough Protection For My
Most of us know better than to leave our Wi-Fi networks open to the world, but wireless security isn't something you should trust to obscurity. We still see people who leave Wi-Fi networks unencrypted, and instead hide their SSID or use MAC filtering to "secure" them. Unfortunately, while these methods may deter non-technical passers-by, they won't stop anyone with technical know-how. Theobald explains:
Hiding your wireless network's SSID is a mostly useless attempt at security. It may keep your nosy neighbor from seeing the name of your network, but as soon as you use your wireless network, you send your SSID name over the air anyway. In addition, hiding your SSID makes it more painful for your own computers and devices to connect to it. Hiding your SSID will make it difficult for legitimate users and won't stop any hackers. So go ahead and display your SSID, and while you're at it have some fun and scare the neighbors by naming your network "NSA_MobileTappingStation".
Don't run your wireless network unencrypted and don't use the obsolete WEP encryption standard. It can now be cracked in seconds with simple, free-to-download tools. The best encryption standard to use is WPA2. While not perfect, it is the best available. Use a good long password that isn't in the dictionary for better security.
Some wireless routers have an option to let you list all of the MAC addresses, which are similar to a serial number for your devices, that will be allowed to connect to your router. If you don't mind the additional housekeeping of keeping track of your devices' MAC addresses and your visiting friends' and relatives' devices' MAC addresses, there is no harm in using this setting to add another obstacle to hackers. It won't stop a persistent hacker though, as they can watch your wireless traffic and see what MAC addresses you are using, then spoof one of those to gain access.
Lane agreed, and noted that easily available Wi-Fi scanning tools like
can pull hidden SSIDs and MAC addresses out of the air. He also reiterated that WPA2 was the way to go.
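Why a hidden SSID is not a secret, shown as an added example (not part of the original article): the access point's beacon carries an empty SSID element, but a client's probe and association requests carry the name in cleartext. The frames, MAC addresses and the network name "HomeNet" are constructed for illustration.

```python
# Added illustration: every frame here is constructed, not captured traffic.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}  # fixed-field bytes before tagged elements
KIND = {0: "assoc-request", 4: "probe-request", 5: "probe-response", 8: "beacon"}
AP = bytes.fromhex("020000000001")   # constructed, locally administered MACs
STA = bytes.fromhex("020000000002")

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a minimal management frame (no radiotap, no FCS; addresses are placeholders)."""
    header = bytes([subtype << 4, 0, 0, 0]) + AP + STA + AP + b"\x00\x00"
    ssid_elem = bytes([0, len(ssid)]) + ssid        # element ID 0 = SSID
    rates_elem = bytes([1, 1, 0x82])                # element ID 1 = supported rates
    return header + bytes(FIXED_LEN[subtype]) + ssid_elem + rates_elem

def parse_ssid(frame: bytes):
    """Return (frame kind, SSID), with SSID None when absent or hidden."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a supported management frame")
    pos = 24 + FIXED_LEN[subtype]                   # skip header and fixed fields
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated element")
        if elem_id == 0:
            hidden = length == 0 or not any(data)   # empty or all-NUL means hidden
            return KIND[subtype], None if hidden else data.decode("utf-8", "replace")
        pos += 2 + length
    return KIND[subtype], None

def ssids_on_air(frames):
    """Map each frame kind to the SSID it exposes."""
    return dict(parse_ssid(f) for f in frames)

SAMPLE = [
    build_frame(8, b""),          # beacon from an AP with SSID broadcast disabled
    build_frame(4, b"HomeNet"),   # client probing for the hidden network
    build_frame(0, b"HomeNet"),   # client associating with it
]

if __name__ == "__main__":
    for kind, ssid in ssids_on_air(SAMPLE).items():
        print(f"{kind:14} SSID={ssid!r}")
```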
We've shown you how easy it is to hack WEP and WPA
Myth #4: Incognito Mode Protects My Privacy
Actually, Incognito mode
protect your privacy, but only from other people using your computer. It's not actually a privacy tool that protects you from the rest of the internet. Even though you're warned each time you open an Incognito window, many people still think that
Google explains in their FAQ (linked on every Incognito tab) that the sites you visit may still have records of your visit, and anything downloaded from those sites (including cookies, in some cases) will remain. Firefox has a similar FAQ on each Private Browsing tab. So, for example, if you log in to your Google account while browsing in Incognito mode, your Google Searches will still be saved in your web history. If you allow extensions to run in Incognito, any information they record or transmit will persist as well.
Perhaps most importantly, Lane explained that the sites or webapps you visit downstream still know who you are, have your IP address (and can match it to previous or future sessions) and can keep track of what you do while there. On mobile devices, Incognito mode may offer even less protection than on the desktop. Superuser has a great thread on this topic as well.
Myth #5: I Don't Need Anti-Malware Tools, I Don't Do Anything Risky
Perhaps the biggest and most persistent computer security myth we see is the idea that one person's definition of "common sense" is all that's required for everyone to stay secure, to the point where as long as you have it, you don't need anti-malware or
Secure computing, just like safe driving, doesn't just depend on your habits. It depends on the habits of everyone else as well. Recently it was found that hackers had managed to put the 'Styx exploit' into advertisements that were shown on YouTube. Anyone who viewed a YouTube page with those ads had their computer attacked and possibly infected with the Styx virus. So you could have been only visiting "safe" websites, but even YouTube got hacked! The only defenses to these "drive-by" viruses are to update your operating system and software frequently to get the latest security patches and run anti-virus software. If you want to be more proactive, you can be even safer with software like NoScript and Privoxy, which give you great security at the cost of more hassle.
Both of our experts agreed on this point, and added that while
That aside, it's fair to say that all of us likely do a few things off-color with our computers, and even if you're sure that you don't visit anything "risky" or have tools in place to protect yourself, it's important to have the right tools at your disposal just in case.
To be sure, none of these myths are perfectly false, but in the vast majority of cases putting faith in them only puts you and your data at risk. Instead, take the initiative to secure yourself or learn a little more about computer security, and you'll be in a far better position than someone who's playing the odds or relying on their own confidence to get them by.
Frederick Lane is an author, attorney, educational consultant, expert witness, and lecturer who has appeared on The Daily Show, CNN, NBC, ABC, CBS, the BBC, and MSNBC. He has written seven books, including most recently "Cybertraps for the Young." All of his books are available on Amazon or through his Web site. You can follow him on Twitter at @fsl3, or at Computer Forensics Digest.
Peter Theobald is a Computer Forensics expert and president of TCForensics.com. He spends most of his time finding things that were supposed to have been deleted.
Both gentlemen offered their expertise for this piece, and we thank them.