Recent revelations in the ongoing Edward Snowden scandal are shining a new light on the far-reaching cyber capabilities of the National Security Agency -- including the agency's ability to bypass the online encryption standards used by the majority of the web.
It's hard to overstate the significance of this revelation -- online encryption is what has allowed online banking, online purchasing, email, even mobile apps to flourish over the past few years. While the security industry has known for years that encryption was vulnerable to hackers, this raises the stakes considerably.
And it raises the question: Is it any longer possible to be private online?
The honest answer is, "No." Until recently, we were under a collective delusion about online privacy -- the reality is, there's never been any such thing, and today the threats are far more widespread, sophisticated and high-level. There is no such thing as a 100 percent safe computer network, internet browser, email provider, encryption service, data backup service, cloud provider or mobile operating system. Even The Onion Router (TOR), the often-cited private web browsing framework, can be and has been hacked, allegedly by government agents.
While I wouldn't recommend overreacting to this news, it is a great opportunity to raise awareness among consumers about the relative frailty of the online world. Just because the website you're on has a lock symbol in the address bar, doesn't mean it's 100 percent safe. Just because it's an Apple product, doesn't mean it can't get a virus. Just because your WiFi is WEP/WPA/WPA2 protected, doesn't mean someone can't eavesdrop on you.
The U.S. government isn't the only one with the capability to break into online services that many consumers have long assumed to be "unhackable." Cyber criminals, hacktivists and others can also do it.
Here are four ways you didn't know you could get hacked:
- Forget About the Padlock Symbol: That padlock symbol that appears in your internet address bar whenever you visit a "secure" website like a bank, retail checkout page, etc. isn't as ironclad as it may seem. Obviously, the NSA may have a backdoor. But in the past few years, other hackers have been figuring out new ways to bypass HTTPS to steal a person's login credentials. In fact, the Department of Homeland Security issued a formal alert about one of these attacks (called BREACH) on August 6th. There are several others, too, that go by such names as SSLStrip, CRIME, BEAST and Lucky13. In the case of SSL stripping, an attacker can create a fake padlock symbol ("favicon") that shows up in your address bar, even while you're getting hacked. Now, that isn't to say it's easy to get hacked over an HTTPS connection -- but it is possible, and in a few years, we could see these attacks really take off. Best advice: don't rely solely on HTTPS to protect you. That means you shouldn't be fooled into thinking it's OK to visit a sensitive website (like a bank or shopping cart page) over an open WiFi network because you believe you are "already protected" by HTTPS. Use a virtual private network (VPN) and use one credit card to make online purchases.
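
An added example, not part of the original article: SSL stripping depends on keeping the browser on plain HTTP, and the usual server-side countermeasure is HTTP Strict Transport Security (HSTS), which the article does not mention. This sketch audits one response's headers for that downgrade exposure; the 180-day threshold, the finding names and the sample headers are assumptions constructed for the example.

```python
MIN_MAX_AGE = 15552000  # 180 days: threshold assumed for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def stripping_findings(scheme, headers):
    """List downgrade weaknesses in one response; headers is [(name, value)]."""
    get = lambda wanted: [v for n, v in headers if n.lower() == wanted]
    findings = []
    if scheme == "http":
        # Browsers ignore HSTS sent over plain HTTP, so only the redirect counts here.
        if not any(v.lower().startswith("https://") for v in get("location")):
            findings.append("http-no-redirect-to-https")
        return findings
    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("hsts-missing")
    else:
        policy = parse_hsts(hsts[0])  # browsers honour only the first HSTS header
        if not policy["max_age"]:
            findings.append("hsts-disabled-or-malformed")
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append("hsts-max-age-short")
        if not policy["include_subdomains"]:
            findings.append("hsts-no-includesubdomains")
    for cookie in get("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie-without-secure:" + cookie.split("=", 1)[0].strip())
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
STRONG = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
          ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")]

if __name__ == "__main__":
    for label, scheme, hdrs in [("weak", "https", WEAK), ("strong", "https", STRONG)]:
        print(label, stripping_findings(scheme, hdrs))
```

A site with no findings still leaves the very first visit unprotected unless the browser already knows the policy, which is why the article's advice about open WiFi continues to apply.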