What’s Your Hacker’s Motivation? Dashboard Dashboard

WGAW member and cybersecurity expert David Chasteen shares his tips for staying safe online.

As the COVID-19 pandemic forces us to distance and live more of our lives online, many of us are concerned about being hacked.

When not writing, I’m an executive cybersecurity consultant, so a lot of my friends and fellow writers ask me what they can do to keep themselves safe. As storytellers, we know that a character's motivation helps you understand what they are doing and why. When it comes to stopping hackers, the same method applies.

While there are high-profile hacks by state-sponsored hackers, most hacking is organized crime. Hacking has become a very profitable and established part of the global economy, estimated to cost $6 trillion annually by 2021. Some writers working on politically sensitive projects might find themselves targeted by state-sponsored hackers (call me), yet, for the vast majority, if they get hacked, it was probably someone's job. Their motivation is money. To make that money they need access.

In the same way that there are locks on the house and bank where you store your valuables, there are locks on the computers that store your valuable information. Hackers want to bypass those locks. How do they do it?

1. They ask you to let them in.

If a stranger showed up at your house, knocked on your door, and asked to come in, would you let them? Probably not. What if they were wearing a uniform?

Our intuition about risk works relatively well in the real world, but falls apart as soon as that interaction moves online. A number of hacking techniques rely on impersonation to fool a target into granting them access to a sensitive system.

2. They make a copy of the key.

Imagine someone making a fake house that looks exactly like your *real* house just to trick you into sticking your key into a "lock" that actually scans and makes a copy of your key. That's not practical in the physical world, but easy online. The most common "phishing" attacks work like this. They send an email that looks almost identical to a real email from a friend, your bank, or a colleague. They include a link that sends you to a perfect copy of a website you trust. When you put your "key" (your username and password, aka “credentials”) into the lock, they make a copy.

Worse, when large web services are breached, hackers steal their master database of credentials. They take these credentials around to other services and see if you used the same keys there. If you did, they’re in.

3. They find an unlocked door.

While the locks on your house probably won’t ever need to be changed, the locks that secure computers are constantly being probed for vulnerabilities by hackers. What’s more, lists of vulnerable locks and how to hack them are collected and automated. Hackers’ scanners constantly walk around the “neighborhood” of the Internet jiggling every lock to see if it’s been left unlocked or whether it’s one of the hacked locks.

What can you do to stop them? You can think like a hacker.

1. Trust no one.

On the Internet or on the phone, it’s easy to pretend to be anyone you want. Never give sensitive information to someone who calls or emails you. This is any information that can serve as a “key” to unlock your accounts: credit card or account numbers, passwords, PINs, codes texted or emailed to you. If you’re being contacted by your “bank” or other service provider, look up their information independently and contact them. It’s the only way to know you’re talking to the right person.

2. Use a password manager and MFA.

Passwords don’t work. If they’re complex enough to be strong, they’re too easy to forget. So we reuse them or reuse variations of them. If you only use a couple “keys,” anyone who gets ahold of them can make a copy and run amok. Use a password manager instead.

Modern web browsers like Firefox, Chrome, Safari, and Edge will suggest, fill, save, and sync randomized passwords across devices if you use the same browser on mobile and desktop. I strongly recommend using the browser that’s made for your device, which means Safari on Mac, Chrome on Android and Chromebook, and Edge on Windows devices. This will let you unlock your passwords using biometrics like fingerprint or face recognition so you don’t have to type in a complex password on a tiny keyboard. It’s the rare case where doing the more secure thing is also more convenient. With a password manager, a random password is generated for every service you use. When it’s inevitably hacked, those keys won’t work anywhere else and the damage will be limited.

Also, turn on Multi-Factor (or two-factor) Authentication where it’s possible. Apple and your bank have already turned this on for you—it’s the text message that comes to your phone or the code in the app you have to use when you log in to a new device. Never share this code with anyone. The key metaphor breaks down here, a bit, but multi-factor information makes sure that someone can’t access your stuff with only a password. It’s a very minor inconvenience for you and a massive headache for hackers. 99% of credential theft can be prevented with this feature turned on.

3. Let your devices update themselves.

While hackers are constantly figuring out how to break the “locks” that secure the Internet, technology companies are constantly figuring out how to fix or replace them. This is why modern devices are always updating themselves. Let them. If you have a device old enough that you can turn off automatic updates, turn them back on. They’re absolutely necessary.

Do you need anti-virus software? Not really. If you haven’t jailbroken (if you don’t know what this means, don’t worry about it) your iPhone or Google device, they don’t need antivirus. Neither does your Mac. If you have a PC, Windows Defender, which is free and built into Windows 10, is as good or better than anything consumers can buy. Leave it alone and follow its recommendations.

What about Zoom?

Zoom got in trouble for making misleading claims about the security of its software and for erring on the side of “easy.” They said that their software had end-to-end encryption, which meant they were incapable of reading the traffic that passed through their servers. That wasn’t quite true. But that’s the kind of thing that you only tend to worry about if you’re a Chinese dissident or breaking the law. Less serious and more entertaining, they enabled the phenomenon known as “Zoom-bombing” by making it a little too easy for guests to join and disrupt a Zoom meeting, regardless of whether they were invited. How do you avoid this? The same principles apply. If you don’t want uninvited people showing up to your meeting, don’t hang the keys and the address in public where everyone can find them. Ideally, use some kind of authentication to make sure your guests are who they say they are, using whatever video conferencing service you and your guests have in common, whether that’s FaceTime for Mac users, Google Meet for Google accounts, or Microsoft Teams for Microsoft-based organizations.

The good news is that this stuff is getting easier, not harder. Modern devices and services do a lot of these things for you without you having to know about it. They patch themselves, they manage passwords, they have MFA turned on by default. If you understand what hackers want, you can understand why your devices want to do these things, and why you should let them. Think like your hacker and you should be able to stay one step ahead of them.

David Chasteen is a former Army and CIA officer and served as the Chief Information Security Officer for the San Francisco Police Department. He’s a WGAW writer and consulting producer on Amazon Prime’s El Candidato.