Many thanks to Albert Wong and Alex Gaynor for their guidance and comments.
Last time, we explained what a password manager is and how to use one. This week, we are going to talk about software updates and go over a couple of tasks you can do once that, when completed, will improve your security going forward without further action on your part. These small actions will help protect you against malware and hacking, threats that secure passwords alone cannot defend against. We’ll describe some of these threats and then tell you how to protect yourself from them by enabling auto-updates whenever possible and being consistent in manually installing updates when it’s not.
Hackers want control of your computer for a variety of reasons. The most straightforward is to steal your information, your money, or your identity. Another is to conscript your computer into an army of bots that they can use to attack bigger targets. Recently, yet another method has gotten a lot of traction: ransomware. When your computer is infected with ransomware, all your personal data is locked so that you can’t read it, and the software then demands that you pay a ransom to gain access to it again. All of these attacks require the hacker to gain access to your computer without your permission, something that your computer is designed to stop, so they use flaws in the operating system or in other software you’re running to break in.
Computer security is an arms race. Hackers amass vulnerabilities, searching for weak points in popular software that can let them take control of your computer, and software companies plug the holes as fast as they can discover them. This is the unsung portion of many of the software updates that come across your screen, and installing them makes your computer, tablet, or phone immune to the latest set of known threats. For example, the ransomware disaster that hit the NHS in May exploited a vulnerability that had been fixed months before. A simple software update would have shored up their defenses and prevented the ransomware from doing any damage. If you are running vulnerable software, your computer can be taken over by a hacker if you visit a webpage that is running their code, download an attachment that they have crafted, or open a Word document they managed to get to you. These actions are normally safe, but if someone has found a bug to exploit, they become unsafe until you’ve updated with a fix. When visiting a site that is serving malware, a recent software update can be the difference between someone extorting you to regain access to all of your most important data and you breezing by, blissfully unaware that someone was even trying to do you harm.
Accept Software Updates. Period.
It’s easy to ignore those little pleas to install updates, isn’t it? Ask again in an hour. Ask me tonight. Tomorrow. Enough delays, and “Ask me later” becomes “Ignore it forever.” Even if you have your system set to automatically install updates (which you should), there are often updates that require a restart or some other interruption, and your operating system’s relative politeness about this can mean that some updates are put off indefinitely.
There’s no simple hack to achieve this one. The key is: accept them when they are available.
Really, that’s it. Maybe you’re busy; maybe this isn’t the right time. Is it ever? It won’t be just the right time tonight or tomorrow either, so take your computer or phone’s pleas to update as a gift from the heavens: click or tap “Accept” or “Install” - and go make a nice cup of tea. Tea tastes better when you’re practicing good infosec, anyway. It can be easy to only update when some vulnerability gets a lot of press, but this is like waiting to get a vaccine until after an outbreak has occurred. It’s likely too late for the vaccine to be effective, and the herd immunity of everyone having applied updates as soon as they come out helps prevent an outbreak from happening in the first place.
An aside: people sometimes take advantage of the importance of software updates and create alerts made to look like software update notifications. Watch out for apps or websites attempting to offer you an update for your operating system, enticing you to click on a link that you shouldn't. If something ever seems phishy, you can always follow the update instructions below to make sure you are getting them straight from the source.
Wherever possible, enable auto-updates for your software so that you don’t have to think about when and where to update and can just rely on it happening in the background when there is time. Here are some links that will tell you how to enable auto-updates for lots of popular software, and how to check for updates now where that’s not possible.
- iOS Apps
- For iOS system updates, auto updates are not an option, so install the first time it offers them to you. You can select that they be installed overnight. In case you miss it and want to install it before the next reminder, here's how to install the latest iOS update.
- macOS/OS X
- Android Apps
- Like iOS updates, Android system auto updates are not an option, so install the first time it offers them to you. Here's how to install the latest Android update:
  - Samsung: Go to http://www.samsung.com/us/support/search/ and type in as a search term “What is the software version on my <name of your phone goes here>”. This will find a page that tells you how to update.
  - Google: https://support.google.com/nexus/answer/4457705?hl=en
As for browsers, Chrome and Firefox automatically apply updates to themselves regularly, but those updates don’t take effect until the browser has been restarted. If you run your computer for weeks at a time without quitting your browser, look out for a little notification saying that an update is available, and restart if you see it.
Set It and Forget It
With software updates on full auto and with a switch in your habits to accept all updates that can’t be automated, you can rest easy knowing that your computer is as secure as can be. As the war of attrition rages on, keeping your computer safe not only prevents your private information from being exposed or your identity from being stolen but also prevents your computer from being assimilated into the hacker’s network and becoming a part of their future attacks.
Not practicing this basic hygiene exposes you to serious risks. The nature of the internet means that danger is not mitigated by where you live or who you know but is instead always just a click away. As such, these methods are intended for anyone and everyone to adopt. The risks are not particular to power users or techies or journalists—they apply to everyone online.