How to not get hacked by China


So you might not be a newspaper who plans to run an expose on the finances of the Chinese central committee. But if you’re a journalist, an academic, or a national security professional, there’s a startlingly decent chance that the Chinese intelligence apparatus wants to get inside your brain.
There’s an information asymmetry, though. Regular folks know only as much as our government tells us about the tactics, techniques, and procedures used by foreign governments to spy on us. Investigative journalism helps fill in part of the picture, but huge gaps remain. Our spies don’t want THEIR spies to know how much WE know about them. And yet those who might have access to that information still live most of their lives in an unclassified world. How do they protect themselves?
What follows are tips from the pros. All of it is unclassified, but it’s straight up knowledge from those whose job it is to protect servers and domains from sophisticated cyber criminals and spies.
* Use a VPN service as an intermediary (eg: In terms of remote exploitation, this can make things harder (sometimes impossible) for a state actor unless they’ve got a lot of data on your online presence already. At the very minimum, you’re removing the easy options from the table and making them decided if they really want to work for it.
* Use Chrome. It’s not perfect, but it’s less likely to get you successfully remotely exploited by orders of magnitude. You also benefit from a smaller and typically personal (in other words, non-corporate) and more savvy user base.
In aggregate, these make it hard to justify development resources against Internet Explorer/Firefox, which are likely being used in the corporate networks that states want access to, and 50-year-old or older users who financial scammers and spammers are hoping for.
Or — use Linux (Ubuntu, for day-to-day desktop use). Again, it’s not perfect, but much of the same logic behind Chrome applies (especially for web-based remote exploitation). The small installed base of desktop users really helps here. This is still true for Macs, but not to the same degree due to increasing market share (the sole driver of increased development interest). Perhaps you could say, then, ‘don’t use Windows.’
* Seriously, don’t jailbreak your smartphone. If you do, you’re pretty much asking for any random drive-by remote exploit if you do it, and this is quadruply true for Android platforms. If you don’t jailbreak phones, stick with an iPhone. Unless you’re logging into a service and providing personal data, it’s nearly impossible to tell one iPhone user from another over cellular or common-use WiFi networks.
* When a smartphone or tablet app equivalent exists for a website, particularly a common one (eg, gmail), use it instead. Remote exploits that get people in trouble are all targeting PC web browsers because of their ubiquity in day-to-day use and the limited target set to develop to (IE, Firefox, Safari, Chrome). It is extremely resource intensive to target apps one-by-one, and they’re improved so frequently that the return on interest doesn’t exist to keep up. If you’re surfing the web, use your smartphone or tablet then too. These systems are substantially more locked down than PCs, so any access that a remote exploit may attain is likely to be more limited. Also, these devices are rarely given full access to valuable network services or data the same way PCs are in Windows domains. So it’s not that there aren’t actual risks here, but the value proposition typically results in efforts being focused on lower hanging fruit that can bear out more access growth opportunities.
* Change the default password on your ISP’s cable/fibre box and turn off the remote access features. They’re all still there for the ISP, but at least you’ve made it harder. At the minimum, put a firewall (another access point like an Airport Extreme, for example) between you and that box and do not use any of its services (eg, DHCP). You will *never* be able to secure it.
* Things that protect you only from newbies and script kiddies but, for this reason, you should still do: anti-virus, long passwords, firewalls.
Finally, NEVER check your email or Facebook or something from a public computer — it is worth waiting. Assume that computer is compromised.