Preventing Unauthorized Access
Modern cybercrime…the perfect storm.
[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years. Combine that with the global shortage of experienced security professionals and the forecast calls for very rough weather ahead. — Trustwave
From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating. — Eric Schmidt
To fight this trend, businesses need to train their employees and increase their security budget. Home users need to educate their families about the risks.
How Cyber Safe Are You In The Digital Age? See the full infographic to learn more.
Stop and Think Before Acting
Most of today's devices (computers, phones, tablets, etc.) are continuously connected to the Internet. Many services and applications record private information and report on your activities.
Be sure to read the privacy policies and terms of service for everything you subscribe to before signing up for that service or installing that app.
You can avoid a lot of problems if you follow the advice on StaySafeOnline.org:
STOP. THINK. CONNECT.™
Protect yourself and help keep the web a safer place for everyone.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
Resources on their site include:
- How to stay safe online.
- Online safety basics.
- Responding to identity theft, fraud and cybercrime.
- Securing key accounts and devices.
- Managing your privacy.
Verify Legitimacy of Emails
Don't assume emails are safe or that they came from where they say they did. Remember that "assume" breaks down as ass - u - me.
Don't Be Hasty to Click
Take the time to determine if the message is legitimate, even if it appears to come from someone you know.
- It is easy to copy images and use them to commit fraud or identity theft.
- No one legitimate will EVER ask you to reveal your password in an email.
- Don't trust the linked text in an email or on a website. Links can be faked.
- Be wary of phone calls or emails that ask for personal information or insist that you go to a website to fix a problem — these calls are scams, no matter who they say they are.
If you're unsure about the legitimacy of an email (including unexpected attachments), website or security warning, call the sender before opening attachments or clicking on any links.
Verify Phone Numbers
Never rely on the contact information in an email or dialogue box displaying a warning. Look it up in a recent invoice or statement you received from that company.
Take Care in What You Share
Think before posting on social media. Many people post information commonly used to recover lost passwords or to verify accounts including family names and relationships, schools attended, marriage dates, etc.
If you wouldn't share it with everyone everywhere, don't share it online!
Only share online what you'd like others to share about you. Once posted, that information is public forever. In an instant you could ruin someone's reputation — even yours.
Security Isn't Just a Technical Issue
We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure. — Bruce Schneier's Crypto-Gram
Microsoft Products More Vulnerable
Microsoft has placed the emphasis on ease-of-use rather than on making their software secure. Not only Windows, but Office and other software is designed to easily exchange information. That ease allows any vulnerability in one component to affect ALL the others.
If Microsoft bore the cost of security failures in their Windows and Office software, as Ralph Nader forced the auto industry to accept responsibility for their failures, fewer vulnerabilities would exist or be allowed to continue unchecked. Instead, we are spending large amounts of money annually on security programs.
Hacking Windows: Easier Than You'd Think
The following are instructive videos on YouTube or Wonder How To that demonstrate a hacker gaining access to a computer without the user being aware they've been hacked. Some of the examples below use older (even obsolete) versions of Windows, but these were once considered secure.
- Hacking Vista: Easier than you'd think.
- Hack Windows 7 (become Admin).
- How to hack Windows 7 password without any software.
- Hacking Windows 10: How to break into somebody's computer without a password (setting up the payload).
What is particularly interesting is how the user can misinterpret the “infection” incident so that the hacker gained total access in a very short time.
Windows Updates Critical
One example of a vulnerability that could be avoided by installing updates is the WannaCry ransomware variation:
Your first line of defense is to diligently install every security update as soon as it becomes available, and to migrate to systems that vendors still support. Microsoft issued a security patch that protects against WannaCry months before the ransomware started infecting systems; it only works against computers that haven't been patched. And many of the systems it infects are older computers, no longer normally supported by Microsoft -- though it did belatedly release a patch for those older systems. — Bruce Schneier
Unfortunately, Microsoft chose to trick people into updating to Windows 10 via Windows Update, and as a result many of those users turned off Windows Update (and some never restored it).
Other Systems Vulnerable
Mac Security Threats Increasing Rapidly
While Macs have a reputation for security, in 2019 the number of threats to Apple devices and computers outpaced those to Windows computers two-to-one.
Linux Systems Suffer Threats
While more secure than other systems, Linux is often involved in cross-platform threats because Linux systems play a critical role as web servers and internal servers.
This 2019 security report lists Linux distributions including Debian, SUSE, Ubuntu and Red Hat within the top ten affected vendors:
Just five vendors accounted for nearly one quarter of vulnerabilities in the first half of 2019.
— Risk Based Security
- Web-related vulnerabilities accounted for 54.5% of those vulnerabilities.
- 34% have public exploits.
- 34% do not have a documented solution.
- 53% can be exploited remotely.
And it's not just operating systems. Hardware is also vulnerable since so many of our devices are now connected via Wi-Fi.
Every Brother printer with an embedded web server is vulnerable to denial-of-service attacks that could allow attackers to remotely disable the machines, rendering them unusable. — Trustwave
Don't Run Obsolete Software
Running obsolete (unsupported or unpatched) software makes you vulnerable and puts everyone at risk by allowing the spread of malware, viruses, ransomware and security holes that can be exploited by hackers, governments and other parties that threaten our privacy.
Beware of Software Utilities
Many folks search the Web looking for a quick fix for an issue they're having. Many download and install utilities that promise to repair the issue or to provide them with updated drivers with one click.
These utilities may do as they say, but it is far more likely that they'll also add vulnerabilities — particularly if they're free. There is good software out there, but you need to be sure to vet it first. Try searching for the software name to see what others say about it.
Legacy Windows Particularly Vulnerable
- Windows 7 support ended January 14, 2020. It is the last version of Windows designed to run and store data primarily on your computer and configured for keyboard & mouse users.
- Windows 8 was Microsoft's first attempt to address the mobile market. Because it sacrificed the needs of legacy users, it was problematic for Microsoft and users alike.
- Windows 8 users need to upgrade to Windows 8.1 to remain supported, but should upgrade to Windows 10.
- Windows 10 has improved support for newer protocols and hardware and is rated as the safest version by Microsoft (partially because it updates you whether asked to or not). However, Microsoft also collects much more about you and monetizes your Windows system.
Upgrades from Windows 7 are best done on newer hardware since the system requirements (the speed, storage and memory needed to run them) are more demanding. Windows 10 seems to be less demanding of hardware but many of the newer technologies require modern hardware that supports them.
- Be sure the latest Service Pack is installed as well as all critical updates. Windows 10 does this automatically.
- Learn about Microsoft's End of Support Guidelines
- While there has been much improvement, I still have some concerns about Windows 10 privacy, particularly because it took them so long to be transparent about the use as well as their move towards monetizing software that used to be provided free with Windows.
If your computer is not capable of running Windows 10, you might want to consider using an alternative like the free Linux Mint or its variations.
- Linux is free to download, install and use (you can also purchase support if needed).
- The system requirements are lighter than the newest Windows versions so you can continue to use your current hardware.
- Many current distributions (Linux Mint recommended) automatically install most of the software the average person uses including LibreOffice, an excellent alternative to Microsoft Office.
- Linux is more secure than Windows by design (it allows you to run your system while keeping out unauthorized users yet you can perform administrator tasks by providing the Administrator password).
- Many Windows programs can be run under Linux using WINE. Be sure to read the FAQ before installing WINE.
Linux updates itself in a similar manner to Microsoft Update (you need to download and install newer versions but not updates to the installed version). If you are a typical user not requiring specialized software, it will work better on your existing hardware than the currently installed Windows.
Close Security Loopholes
Windows is full of security loopholes and we're exposed to many others if we give precedence to convenience over security.
- Secunia Research shows how long known vulnerabilities can remain unpatched.
- Symantec notified users in 2012 that their pcAnywhere remote connection software had been compromised.
- Windows Remote Access is enabled by default — an unnecessary security hole because few users ever need it (and the “I'm calling from Microsoft” scammers use it to hack into your computer).
Scammers usually try to get you to search for and download an older (insecure) version of TeamViewer. Newer versions have been patched for a number of vulnerabilities. These older versions were once the most secure available. Think about that the next time someone urges you to install TeamViewer.
Create a security policy for the computers in your home or office. This will provide guidelines in making security decisions and help your family or employees understand the need for security.
Free Wi-Fi Presents a Risk
We're constantly on the go and want to remain connected but choosing an unsecured Wi-Fi network could undo all that we've done to secure our computers and devices.
Others on the same network could intercept information like passwords and confidential information using easily-available hacking software. Watch this YouTube video.
Captive Portals No Safer
Don't be fooled by a log-in screen requiring you to agree to the Wi-Fi network's terms in coffee shops and elsewhere. These are called captive portals and are no safer than an open Wi-Fi network, but give you the illusion of safety.
Captive portals can interfere with secure (HTTPS) sites, calling them “untrusted connections” which leads people to ignore such warnings in the future.
ZoneAlarm's infographic, The risks of public hotspots: How Free Wi-Fi can harm you, provides some excellent advice on precautions when connecting to free Wi-Fi.
KRACK Wi-Fi Security Flaw
ZoneAlarm recommends you consider the following BEFORE you connect:
- A secured home or office network is always preferable to an unsecured network.
- Ensure that your security software (antivirus, firewall) is turned on.
- Using a VPN (Virtual Private Network) is recommended.*
- Confirm the Wi-Fi network name with the business owner.
- Be sure to use secure sites, those starting with HTTPS, especially where you need to login to an account.
- Turn on two-factor authentication for your accounts.
- Disable file sharing.
*NEVER access financial sites like banks, PayPal or shopping sites while on a network you don't control without using a trusted VPN.
Check Your Settings
Several settings in devices capable of Wi-Fi (laptops, smart phones, tablets, etc.) are convenient but can become a security issue when in public.
- Cellular is more secure than public Wi-Fi.
- Turn off automatic Wi-Fi connectivity on your devices to avoid being connected to unknown networks. Leaving Wi-Fi enabled negates the better security provided by a cellular connection.
- Turn off Bluetooth when you're in public. An unscrupulous person can gain access to your device via an open Bluetooth connection.
- VPN encrypts all your wireless traffic to protect you and the person or service you're connected with.
I'd recommend a password manager.
The vast number of sites and services that require you to log into them today makes it virtually impossible to generate and remember unique, secure passwords for every site without a password manager. LastPass is recommended.
Since 91% of all cyber attacks begin with a phishing email, taking steps to defend against phishing attack might be the single most important aspect of an overall threat defense plan. — DuoCircle
Restrict access to business computers:
- Only employees with significant understanding of the risks should have administrative rights.
- Your company policies should indicate what software each level of user can or can't add or remove without express permission.
- Software, security and Windows updates are best done by you (or a single trusted employee reporting directly to you) so that you know your computers are protected.
- Access to personal social media sites like Facebook or personal software on business computers can lead to security risks for your business.
- Business social media accounts should be managed by experienced employees that understand the medium as used by a business. It is easy for followers to un-Like you if something goes wrong.
- The use of unsafe media like USB thumb drives can infect computers, including those on your network.
When your employees fall victim to a phishing attack, your entire corporate network and brand is at risk. The cost can be stunning. — Vade Secure
One creative alternative is Menlo Security's Secure Web Gateway:
For companies that don't want to isolate all web traffic, we are providing greater ability to specify which users or categories of websites to isolate. For example, we can now automatically isolate any web service that was created with software known to be vulnerable to hacking, such as unpatched versions of WordPress and Drupal. End users don't even realize their web sessions are actually occurring on our platform rather than on their PCs. With our new "Isolate and Read-Only" capability, administrators can allow employees to access — but not interact on — webmail and social media sites. That way, they can't be tricked into providing credentials to clever phishing scams. — Menlo Security Blog
Protecting Home Computers
While this section primarily discusses computers, people are increasingly accessing the Internet over tablets and smartphones as well as smart devices like Google Home and Alexa.
Protect the Integrity of Your Devices
Protect the integrity of your computers and devices by restricting access.
- Use secure and unique passwords, and treat your answers to security questions the same way (anything based upon information posted on social media sites like Facebook or common knowledge about you can be easily guessed by others).
- Don't put your business data at risk. Business computers in your home or business should be used ONLY for business and should be secured with a decent password.
- Provide your family with a separate computer (they are relatively inexpensive these days).
Restrict Children's Access
Your children should not have full access to devices they use, including the ability to install or remove software. This includes:
- administrator privileges, even on their own computers and devices.
- denying the ability for their friends to make changes of any kind to the family's computers.
You are legally liable for any computers and devices as well as the Internet access you provide no matter who uses them. Accessing illegal or unauthorized copyrighted material could result in very large fines.
Protect Your Children
It's important to know what threats kids are facing so that you can have the right conversations and implement the precautionary measures. It's also hugely important to set some fair and effective ground rules for how your kids use the internet. — 17 Rules to Protect My Child Online
Children are curious and often more comfortable with technology than their parents. It is important that you monitor their activities for their own protection.
- Children are vulnerable because of their ignorance and curiosity. They often want to hide their activities from their parents in their eagerness to be “grown up.”
- While it is important that children's privacy is protected on corporate and public sites and social media, it is important that parents understand what their children are doing online and who they are interacting with.
- Ensure that your children don't share personal information online. Information like age (birth dates), home address, full name, etc. can be used for identity theft.
- Predators want to sexually exploit your children or entice them to meet secretly outside of your home.
- Place computers in common areas of your house and don't allow Internet-accessing devices in their rooms, particularly when the door is closed or at night.
- There is more on 17 Rules to Protect My Child Online.
It is important that anyone servicing your computers is knowledgeable and trustworthy.
- Get professional help from a reliable source. Ask friends or colleagues for recommendations.
- While an employee or the kid across the street might know more than you, they might not know enough.
- Your policies should indicate how servicing is to be carried out and by whom.
- Be aware of potential industrial or political spying. The FBI has been accused of using Best Buy Geek Squad employees to conduct warrantless searches of customers' computers.
Educate About Evaluating Risks
Ensure that everyone using your computers understands how to evaluate risks.
Warnings by phone or email indicating your computer is “infected” are common. ALL are scams. Watch for these signs:
- Simply opening an infected image or other attached file can be enough to endanger the data on your computer.
- Any warnings that appear on your screen, particularly if they indicate that you have hundreds of infections, are scams. Know how the security software you installed reacts to an infection.
- Do NOT follow instructions given by an unsolicited email or phone call. These are scams, no matter who they say they are. Just hang up.
- There are logs on Windows computers that show errors even when they are operating normally. Scammers may try to use these logs to convince you that your computer is infected.
- If you provide a caller with access to your computer so they can “fix a problem” you'll end up with an infected computer, an expensive credit card bill, or both.
Family members and employees should be instructed NOT to respond to such ploys. If you're concerned, call the person that maintains your computers.
Increase Your Security Budget
Corporate and business information technology (IT) departments are seriously underfunded and a significant number of employees aren't concerned about the effect their lax security habits could have on the company.
The Equifax data breach, which exposed the sensitive personal information of nearly 146 million Americans, happened because of a mistake by a single employee… — The New York Times (emphasis mine)
Saving money on IT security may benefit you in the short term, but could cost you a great deal in the long term. You could lose your company's credibility if you're hacked and lose critical business information or suffer a data breach revealing your customer database.
- Security awareness training is crucial for your business.
- 9 steps to slowing and stopping your next data breach.
- Q&A: How to think smarter about database security.
- Potential security threats to your computer systems.
Key Elements of Security
To enhance the security of your computer(s) and computer networks, you need to include the following components in your protection plan:
- Wise choice of programs
- Effective security software
- Firewall protection (a router & software backup)
- Strong Passwords
- Protect Your Email Address(es)
There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.
Choose Your Programs Wisely
The choice of software you install on your computer affects how vulnerable you are to security-related attacks. This is particularly true for Windows users, specifically in regards to your choice of web browser and email client.
Free Software May Be “Expensive”
There is some excellent free software available to you (LibreOffice, Firefox, CCleaner and several others come to mind) but not all are truly free.
Many of the free utilities, screen savers and similar programs available on the Web contain either malware or collect information about you or install potentially unwanted third-party software (PUPs).
Search for what others have said about a program using the program name or executable file as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.
Krebs's 3 basic rules for online safety:
- If you didn't go looking for it, don't install it.
- If you installed it, update it.
- If you no longer need it, get rid of it!
Scroll through the options and de-select the extra software like toolbars (rarer today), Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.
Microsoft Products Share Vulnerabilities
Microsoft pursued a policy of making Windows “friendly.” Sharing between programs is seamless and greatly reduced the technical experience necessary to operate a Windows computer.
However, this practice has made us more vulnerable to inappropriate uses of that technology such as viruses, hacking, phishing, and more. The widespread use of Microsoft Office exacerbated the spread of the GDI+ Windows vulnerability for JPEG images which was a direct result of this seamless sharing.
I strongly recommend using Firefox as your primary browser. It focuses on the needs of the user rather than the corporation that sponsors it.
As the developer of the only major browser that isn't owned by a tech giant, the company is free from ulterior motives. — VentureBeat
Internet Explorer is not recommended. Released in 2013, IE11 will receive only critical updates for the life of Windows 7 (now expired) and 8.1. No new features will be added, including improved security. Even Microsoft indicates that it is only included for viewing obsolete websites.
While Chrome is very popular, it got that way by surreptitiously installing itself as the default browser as a paid add-on to other free software such as CCleaner, Java and Adobe Flash. While it was an “optional” addon, it was pre-selected and folks simply clicked through the options without checking for extra software.
When uninstalling Chrome, it automatically made Internet Explorer the default browser for Windows rather than asking which browser should be default (this has now changed).
Google Chrome collects a great deal about your surfing habits, particularly if you sign in. This data is used to create a profile on you to sell targeted advertising. Advertising is Google's business and Google NEVER forgets.
Java, Reader and Flash Most-exploited Windows Programs
Adobe Reader, Flash and Java are responsible for the majority of vulnerabilities in Windows systems exploited by malware:
A long-term examination carried out by AV-TEST has proven that Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware. Such weaknesses enable Trojans and other forms of malware to invade PC systems, in some cases in an unstoppable manner. — AV-TEST
These programs are so widely installed that they make an attractive target for malware.
- Regularly check to see if your Firefox plugins are up to date: click on the menu, choose Addons, select Extensions on the left if not already displayed, then click the cog by the search bar and select Check for Updates (Update Add-ons Automatically should be checked).
- Adobe Flash is frequently updated because of a massive number of security flaws. Fortunately it is rapidly losing ground to HTML5's native rendering and will soon no longer be supported.
- Adobe Reader has tried to include everything and as a result is bloated and more vulnerable. Modern browsers will read PDFs natively, but try alternatives which are safer and provide more features.
- Java should be removed if unnecessary, but if installed should be checked frequently for updates. Older versions should be removed (manually, if they aren't removed by the Java updater). Browsers no longer support Java except Internet Explorer (which is generally unsafe to use).
Use Peer Sharing Carefully
Peer-to-peer (P2P) sharing can be useful, but that depends upon what is being shared and what service is being used.
The attraction of downloading free music, movies and more using peer-to-peer software has created problems for many users.
- You're exposing your computer to any viruses and malware on the peer computers you're connecting to.
- If you download (or, worse, upload) copyrighted content you could be liable for thousands of dollars in fines.
- Most file-sharing programs automatically create an upload of files from your computer. This costs you bandwidth and an increased risk of being tagged with copyright violations.
- The owner of the Internet connection (you, not your children or their friends) is liable for any illegal activity on your Internet account.
What you need to know about peer-to-peer file sharing includes the following suggestions (see the article for explanation):
- Before you start, make sure your computer's security software is up-to-date.
- Stick to legal file-sharing services.
- Use your computer's security software to scan downloads.
- Don't upload (or download) copyrighted material.
- Pay attention when you install P2P programs.
- Close the P2P connection when you're finished (default settings start it with Windows and leave it running continually).
- Using P2P file sharing at work could put your business at risk.
- Make sure your kids understand the risks and ensure they have your permission before using these services.
If you have any doubts, just don't do it.
Effective Security Software
Traditional security products, firewalls, security suites, antivirus, and antispyware products, are made to fight PC-based threats, but you also need to deal with web-based threats which can develop very quickly.
Threats are no longer simple viruses (or “worms”) but multifaceted attacks on several fronts at once. You need a security suite that protects you simultaneously from all possibilities and is constantly updated to deal with the threats you face when surfing the Web.
Have You Been Hacked?
More and more we're saving our private information in cloud-based servers elsewhere. Unfortunately, these companies spend far less on securing your data from attack than their own.
Find out if your email address has been in a known breach. If so, change passwords for those accounts (and any others using the same user names and/or password).
In most cases these companies didn't bother to encrypt the information they kept about your account. This is unlikely to change as long as they suffer no major financial loss when breaches of public data occur.
Beware of the Impact on Computer Performance
Be sure that your security suite can do the job without degrading your computer's performance too much. I strongly recommend ZoneAlarm's Extreme Security for the most extensive protection including protection from keylogging (the capturing of data entered via the keyboard) but you can review alternatives here.
Malware or Spyware Protection
Your privacy has never been under attack as intensely as it is today. You need to protect yourself using legitimate privacy tools. All current security suites and most antivirus software contains some form of antispyware/antimalware protection.
Router & Firewall Protection
Today's computers and devices are continuously connected to the Internet. Without firewall security it is like leaving your front door open for anyone to walk into your home uninvited.
Effective Protection is Multifaceted
An effective hardware and software firewall combination is an essential part of your protection.
You need two kinds of firewall protection:
- Routers are a hardware firewall that provides the first line of defense but many don't regulate outgoing activity.
- Software firewalls are a security program on your computer that catches anything that comes through the router.
Your router not only secures your high-speed access to the Internet, but it allows you to share it between both hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, and TVs.
Besides the issues that have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero day exploits) that both governments and hackers take advantage of to steal information from your devices.
More than half the routers currently in use are easily hacked and the recommendation is to replace your router if it is more than a few years old, especially if it is listed here.
Your Software Firewall
Your software firewall protects you from outgoing as well as incoming attacks and should be part of your security suite. Microsoft's built-in firewall is insufficient.
Portable Devices Need Protection Too
More and more we connect our devices to third-party wireless services in coffee shops, the mall and elsewhere. Since we don't control the hardware portion of the firewall (the router) it is essential that your security suite be up to the task of protecting you (a VPN is recommended).
Passwords are an essential part of Internet life today. They are used for everything from access to your email to the millions of websites and forums that require you to identify yourself using a username/password combination.
Long and Strong
Make your passwords long and strong using random upper and lower case letters, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.
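As an added example (not from the original page), this Python generates random passwords from upper and lower case letters, numbers and symbols, leaves out symbols a site refuses, and works out how much longer a password must be when the symbol set is restricted. The function names and the 128-bit target are assumptions chosen for illustration.

```python
import math
import secrets
import string


def character_classes(forbidden=""):
    """Lower case, upper case, digits and symbols, minus anything a site rejects."""
    symbols = "".join(c for c in string.punctuation if c not in forbidden)
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, symbols]
    return [c for c in classes if c]  # drop the symbol class if every symbol is banned


def alphabet_size(forbidden=""):
    """Number of distinct characters available for each password position."""
    return sum(len(c) for c in character_classes(forbidden))


def generate_password(length=20, forbidden=""):
    """Return a random password that contains every available character class."""
    classes = character_classes(forbidden)
    if length < len(classes):
        raise ValueError("length is too short to include every character class")
    pool = "".join(classes)
    while True:
        # secrets draws from the operating system's cryptographic random source.
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        # Retry until each class appears, since many sites insist on that.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, size):
    """Upper bound on the strength of a uniformly random password, in bits."""
    return length * math.log2(size)


def min_length_for(target_bits, size):
    """Shortest length that reaches target_bits with an alphabet of this size."""
    return math.ceil(target_bits / math.log2(size))


if __name__ == "__main__":
    # Constructed scenario: a site that rejects the symbols % + ; :
    banned = "%+;:"
    print(generate_password(24, forbidden=banned))
    for label, size in (
        ("letters, digits, all symbols", alphabet_size()),
        ("letters, digits, restricted symbols", alphabet_size(banned)),
        ("letters and digits only", alphabet_size(string.punctuation)),
    ):
        print(f"{label}: {size} characters, "
              f"{min_length_for(128, size)} needed for 128 bits, "
              f"12 characters give {entropy_bits(12, size):.0f} bits")
```

Each extra character adds the same number of bits, so adding length compensates for a site that forbids symbols.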
Everyone has far too many passwords today to manage strong and unique passwords for every site and account we hold on the Internet without using a password manager. Humans simply have too much difficulty creating and remembering effective passwords.
I strongly recommend LastPass to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.
We don't generally think of wireless connections in this category, but you need to secure your wireless connections. WEP and newer variants like WPA & WPA2 use a similar format to how we access email from our ISP.
The wireless key provides security like an email account password:
| Account Type | User Name | Security |
|---|---|---|
| Wireless (WEP or WPA) | SSID | Security Key |
| The Smith's WLAN | Smith | 5D969892AF |
| Email Account | User name | Password |
In both wireless networks and email accounts, at least part of the information is public:
- The SSID is the public name of a wireless network which is broadcast unless the router is configured not to (making it harder for new computers to connect to it).
- The email user name is public because it is placed before the @ symbol (e.g. the jsmith in [email protected]) and some use the entire email address for the user name.
- Only the WEP or WPA2 key provides security, just as your email account's password does.
Protect Your Email Address(es)
Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same combinations on multiple sites.
Hackers use social engineering to gain access. People naturally want to trust people that they know and businesses they use. Hackers exploit this tendency, along with social media “friends”, to gain their victims' trust (essentially usurping that trust for malicious purposes).
Because of this tendency, you need to be particularly careful to examine any message, including its attachments, before opening it (JPG images can be infected, as can ZIP files, PDFs and others).
Not only can attached images be used to infect your computer and network, but proprietary images can be used in the body of a message for fraudulent purposes.
The following comes from a sample phishing attempt requesting that you log in to your email account from the linked images below in order to obtain a shared document:
If you click on the images, you're taken to a fake site duplicating the actual login page on each of these email services. You then provide your login credentials to the thieves who sent the email, allowing them to gain access to your actual email account.
Once they have that access, they can use your email account to gain further access to other accounts where the security protocol requires you to respond to a confirmation sent to the registered email address.
I've seen messages using Google Docs or Dropbox images with similar requests and consequences.
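One way to check a message like this before anyone clicks, shown as an added example that is not part of the original page: it lists every linked image in an HTML message body whose branding does not match the site the link actually opens. The brand allowlist, the use of the image's `alt` text to identify the brand, and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for this example: brand keyword -> domains that brand uses.
KNOWN_BRANDS = {"google": ("google.com",), "dropbox": ("dropbox.com",)}

# Constructed sample body; the .example/.test hosts are reserved, not real IoCs.
SAMPLE_BODY = """
<a href="https://accounts.google.com.login-verify.example/doc"><img src="cid:1" alt="Google Docs"></a>
<a href="http://dropbox-share.test/login"><img src="cid:2" alt="Dropbox"></a>
<a href="https://www.dropbox.com/help"><img src="cid:3" alt="Dropbox help"></a>
"""

class LinkedImageParser(HTMLParser):
    """Collect (href, alt) for every <img> nested inside an <a href=...>."""
    def __init__(self):
        super().__init__()
        self._href = None
        self.linked_images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
        elif tag == "img" and self._href:
            self.linked_images.append((self._href, attrs.get("alt") or ""))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def host_matches(host, domain):
    """True only for the domain itself or a subdomain on a label boundary."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def suspicious_links(html_body):
    """Return (brand, host) for branded images that link outside the brand's domains."""
    parser = LinkedImageParser()
    parser.feed(html_body)
    findings = []
    for href, alt in parser.linked_images:
        parts = urlsplit(href)
        host = parts.hostname or ""  # hostname ignores any "user@" prefix in the URL
        for brand, domains in KNOWN_BRANDS.items():
            trusted = parts.scheme == "https" and any(host_matches(host, d) for d in domains)
            if brand in alt.lower() and not trusted:
                findings.append((brand, host))
    return findings
```

The label-boundary comparison in `host_matches` is what rejects a lookalike host that merely begins with or contains the real domain name, which a plain substring check would accept.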
Rather than hacking your password, an attacker may find that the “Forgot password?” recovery option on a site provides a much easier way to obtain access to your email account.
People post a great deal of personal information about themselves in public places, including social media sites like Facebook, that can be harvested for the answers to typical security questions. The nature of these questions is such that many of the answers are easily known by friends and family, such as:
- your favourite sports team(s);
- your favourite authors or movies;
- your best man or maid of honour at your wedding; and
- your first address or car.
“How your email account could be the weakest link to your online accounts” provides more detail about this vulnerability.
So how do you protect yourself?
You can add a second method of authenticating your email passwords, preferably something that is always with you and inaccessible to potential hackers.
Two-factor authentication provides additional security that isn't available with even a strong password. As implied by the name, two-factor authentication has two components:
The second device could be
- a cell phone number (recommended); or
- a specially designed hardware authentication device like the YubiKey (shown above) in combination with LastPass; or
- a second email address (less secure as it too could be hacked).
Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, after which the attackers have access to the very two-factor security that is supposed to protect you.
There is more about two-factor security on passwords.
Good Security Practices
Ensuring a secure computing experience involves all of the following:
- Choose your software with care, particularly your web browser and email client.
- Purchase and frequently update a current security suite that includes a minimum of reliable antivirus, antimalware and firewall protection. Some products are free for personal use.
- Both a hardware and software firewall are an essential part of your protection.
- Check regularly for malware on your system.
- Passwords and encryption can be effective tools only if you use them correctly.
- Only shop on secure websites (https:// and/or a padlock symbol in a web address means a safer website than http:// because it is encrypted).
Ease of use is contrary to good security, although there are some tools that can help you manage passwords and other settings while retaining security.
Keep Everything Updated Frequently
Because things change so fast on the Internet, it is important that you keep your antivirus, firewall and anti-spyware security software current (install all updates).
- If you have to download the update (i.e. save it to your Downloads), you need to install that download.
One study indicated that the time from the discovery of a vulnerability to when it is exploited is now four days or less. More recently that window of discovery has narrowed to less than a day. Zero-day exploits are usable immediately (0 days until useful because they are generally undiscovered except by hackers and government spy agencies).
- Check for updates at least daily.
- Weekly scans are a bare minimum.
- Real-time scanning is critical for today's threats.
You should also ensure that you're regularly clearing unnecessary programs and data from your computer.
- Utilities like CCleaner effectively remove obsolete or unnecessary files and logs.
- Uninstall unnecessary software (including browser add-ons and plugins).
- Prepare for recovery by backing up key files like email, browser settings, etc. to a recovery folder (e.g. “Backups”) then save the data and files on your computer to an external (unconnected) device or service.
- Store your backups where they will be safe but accessible if there is a disaster like fire or flood.
- Alternative on-site backups allow you to recover from human error or malware infections. These are your only realistic recovery from ransomware.
While these precautions may take time and cost money, they are invaluable (and irreplaceable) when disaster strikes.
Updated information about security issues can be found here:
- Crypto-Gram is a free monthly email newsletter from security expert Bruce Schneier. Each issue is filled with interesting commentary, pointed critique, and serious debate about security.
- DarkReading is InformationWeek's security news.
- OpenMedia works to keep the Internet open, affordable, and surveillance-free.