The One and the Many

Safety online

Someone asked me recently about how they can stay safe and secure online. I didn't really have a good short answer beyond "don't go online". Partly because there is no one thing you can do, and also because there is no way to be completely secure online (without, indeed, not going online at all). It is more a set of habits to follow that can improve your security.

I will give some suggestions here about what you can do to be safer.

A caveat about what I will say: I will try to focus on protecting yourself from hackers and viruses and threats of that nature, rather than other related areas such as trying to be private or anonymous online, or whether you can trust the software you have in general.

I mention this to try to put what I say in perspective as there is a lot more to say under the general topic of computer security.

I'm also going to write this without going too deeply into technical details, with a fairly non-technical audience in mind.

Use a different password for every site

The reason this helps is that if one of the sites you are on gets hacked, and your password gets compromised, then the hackers do not automatically gain access to all of your other accounts.

Often you will register for a site with your email address. If that site gets compromised and the password you used there is the same as the password for your email account, or for other sites, then the hackers can get into much more than the one site they broke into. Your email account is the worst one to lose this way, because most sites will send a password reset link to it, so whoever controls your email can take over the rest.

Note that websites typically store your password in a scrambled form (a "hash") that is not easily turned back into the password even if a hacker gets hold of the site's database, but there is no guarantee of this: some sites store passwords in plain text, and hashes of short or common passwords can be cracked by guessing.

This can be a bit of a nuisance on your side though as you then have to enter or remember many different passwords. I have hundreds of passwords for example. The method I use to work around this is to use a program called KeepassX which keeps an encrypted database of passwords on my computer. Then for each site I keep one entry in this program's database, and to access the database, I have one master password. This is not the most convenient as I have to go to the program every time I want to log into a site, and I have to have the program everywhere I want to log in from (e.g., tablet), but it's a lot more convenient than being hacked. Using this program also lets me use strong passwords as it can randomly generate them and I never even need to know what my password is because I can simply copy and paste from it.

There are other similar programs or websites that help you do this - I've heard about one called Lastpass for example. Alternatively you could stick with a handwritten list, but that has downsides too!
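To make the two points above concrete, here is an added example (my own illustration, not code from this post or from KeepassX): how a site can store a password as a salted hash so that a stolen database does not hand the password over directly, and what happens when a site that did not bother is breached and the leaked list is tried against another site. The forum and bank accounts, passwords and the PBKDF2 round count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post: how a site can store
# passwords so that a stolen database does not hand them over directly,
# and why reusing one password across sites is dangerous regardless.

PBKDF2_ROUNDS = 100_000  # assumption: a modest cost setting for this demo


def store_password(password: str) -> dict:
    """Hash a password with a fresh random salt using PBKDF2-HMAC-SHA256.

    The salt means two users with the same password get different hashes,
    and the round count makes each guess slow for an attacker.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def credential_stuffing(leaked: dict, target_login) -> list:
    """What hackers do with a leaked password list: try every (email, password)
    pair against another site. Returns the emails that also opened the target."""
    return sorted(email for email, pw in leaked.items() if target_login(email, pw))


def demo() -> list:
    # Constructed sample data. The forum stores passwords in plain text (bad);
    # the bank stores salted hashes (good). Bob reuses his password, Alice does not.
    forum_db = {
        "alice@example.com": "Gx7!qd#Lw2zRv9",        # unique to the forum
        "bob@example.com": "correct-horse-42",        # also his bank password
    }
    bank_db = {
        "alice@example.com": store_password("QkL9!vR#3pWzT0xe"),
        "bob@example.com": store_password("correct-horse-42"),
    }

    def bank_login(email: str, password: str) -> bool:
        record = bank_db.get(email)
        return record is not None and verify_password(record, password)

    # The forum is hacked and its whole database leaks, readable as-is.
    return credential_stuffing(forum_db, bank_login)


if __name__ == "__main__":
    print(demo())  # the bank accounts opened with forum passwords
```

Only Bob's bank account falls, and it falls without the bank doing anything wrong: its salted hashes were never cracked, the password simply arrived from somewhere else. That is the whole argument for a different password per site.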

Set strong passwords

On top of having a different password for each site, you also need to have strong passwords that are hard to figure out. For example you don't want to have your password be based on an easy to remember pattern, something like "1986-youtube" for YouTube, and "1986-gmail" for Gmail because if a hacker figures out your pattern, then they gain access to all of your accounts.

You ideally will want a password that really has no relation to something personally identifying (no birthdays) because if a hacker targets you (or if someone you know wants to hack you) then they can't rely on information about you to get into your account.

The best passwords are long (I usually use the longest password a site will allow) and random characters, numbers, and symbols. For example:

!$\efXB5]*GjolUt[)f!

Such passwords can be generated using programs if you don't feel like smashing your face on your keyboard to come up with them.

The reason it is important to have strong passwords like this is that it stops hackers from guessing your password. Normally sites will lock out or slow down repeated failed log in attempts, but there's no guarantee, and if a site's password database is stolen the hackers can try guesses against the stolen hashes on their own computers, billions per second, with no lockout at all. A long random password is what makes that guessing hopeless.
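As an added example (mine, not the post's), this is how a program generates a password like the one above, and what the difference between it and a pattern like "1986-youtube" comes to in numbers. The guessing rate and the assumption that the attacker has already learned the pattern from one leaked password are constructed for the illustration.

```python
import math
import secrets
import string

# Added example, not from the original post: generate a long random password
# the way a password manager does, and put a number on how much guessing
# it forces compared with a pattern like "1986-youtube".

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly at random from `alphabet`.

    Uses `secrets` (a cryptographic random source), never `random`, whose
    output can be predicted. Re-draws until every character class present
    in the alphabet appears at least once, so the result passes the usual
    site rules; this barely reduces the randomness for lengths like 20.
    """
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = [
        {c for c in alphabet if c.islower()},
        {c for c in alphabet if c.isupper()},
        {c for c in alphabet if c.isdigit()},
        {c for c in alphabet if c in string.punctuation},
    ]
    required = [cls for cls in classes if cls]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a secret with `bits` of entropy: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Random 20-character password versus a guessable pattern.

    Assumption for the pattern: the attacker has already seen "1986-gmail"
    leak from one site, so for YouTube only the year is unknown (about 100
    plausible values); the rest follows from the site name.
    """
    random_bits = entropy_bits(20, len(ALPHABET))
    pattern_bits = entropy_bits(1, 100)
    return {
        "random_bits": random_bits,
        "random_years_to_crack": expected_crack_seconds(random_bits, guesses_per_second) / 3.15e7,
        "pattern_bits": pattern_bits,
        "pattern_seconds_to_crack": expected_crack_seconds(pattern_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_password())
    print(compare())
```

Twenty characters from 94 symbols is about 131 bits; at ten billion guesses a second that is astronomically many years. A pattern with one unknown year is under 7 bits and falls in a fraction of a second, which is why "hard to guess" has to mean random rather than clever.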

Be careful with password hints

Websites will often ask you to provide hints so that if you forget your password then you can still get into your account. This comes in the form of things about you, such as your mother's maiden name, or the street you grew up on, or the name of your first pet, and so on. Of course anyone who knows you then has the ability to break into your account by taking this route.

What I recommend with these is that you treat them as another password and enter a big string of random characters. For example the street I grew up on may be hmMJ1.!%O~i+Joec)jUi.

Obviously this assumes you will never forget or lose your password or the hint answers. If you do, then you'll be in trouble and likely lose your account for good. It's a trade off to be more secure.

Use two factor authentication

Many websites now offer a way to authenticate you through more than just a password. For example they might allow you to enter your cell phone number and then they will text you with a code to enter to allow access (on top of your password).

You should always take advantage of these if they are offered, though they are not available for every site yet. A code generated by an authenticator app on your phone is better than one sent by text message (text messages can be intercepted or redirected to someone else's phone), but either is a big improvement over a password alone.
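For the curious, here is an added example (my illustration, not anything from this post or any particular site) of the server side of the "text you a code" scheme: the code is random, short-lived, single-use and limited to a few attempts, and the login only succeeds when both the password and the code check out. The lifetime, attempt limit, and the injectable clock are assumptions for the demo; sending the text message itself is outside the snippet.

```python
import hmac
import secrets
import time

# Added example, not code from the original post: the server side of a
# "text you a code" second factor. The code is random, short-lived,
# single-use and limited to a few attempts. Delivery by SMS is outside
# this snippet; `now` is injectable so the expiry can be tested.

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: 5 minutes
MAX_ATTEMPTS = 5              # assumption: lock the code after 5 wrong tries


class OneTimeCodes:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user -> {"code": str, "expires": float, "attempts": int}

    def issue(self, user: str) -> str:
        """Generate a fresh code for `user`; the caller texts it to their phone."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "code": code,
            "expires": self._now() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept only the current, unexpired code; consume it on success."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: start over
            return False
        # constant-time compare so response timing does not leak digits
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[user]          # single use
            return True
        return False


def login(password_ok: bool, codes: OneTimeCodes, user: str, submitted_code: str) -> bool:
    """Both factors must pass: the password and the code sent to the phone."""
    return password_ok and codes.verify(user, submitted_code)
```

The attempt limit matters: a six-digit code has only a million possibilities, so without it a hacker who already has your password could simply try them all.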

Keep software up to date

Software running on your computer is continually being updated. This is because there is no such thing as non-trivial software without bugs. Often these are security updates that will prevent hackers from getting into your computer, so it's important to always run the latest updates.

Web browsers are probably the most important program to keep up to date. Otherwise simply visiting the wrong website (or the right website that happens to show malicious advertisements) could end up allowing hackers into your computer.

Something that has come up recently is Microsoft has stopped providing updates for its Windows XP operating system. If you're running Windows XP then you should update to a supported operating system immediately (which might mean buying a new computer).

You should try to keep up to date on the status of support for the software (and hardware) you use regularly. This is most important for your web browser, but some other things to keep up to date on are:

Only download software from trusted sources

Hackers will try to masquerade as software you trust in order to get you to install it and give them access to your computer. So it is important that you are sure of the source where you get your software and not download it from any random website.

As to how to do this, the best is to always find the official source of software rather than searching online for where to download it or clicking ads, and then go directly to where you know it should come from.

For example I know that Mozilla creates Firefox, so I will go to Mozilla's website if I want to download Firefox.

This is less important if you run something like Android or Apple's iOS because you will get software from their central software "stores" and they take care of worrying about the source of the software for you (well, for big name software, anyway).

Be suspicious of links in emails (and email in general)

It is easy to pretend to be someone else in emails. Hackers can say they are the FBI if they like, and you will be hard pressed to know whether it is true or not.

You should always be suspicious of emails unless you are sure (and how to be sure?) of who they are from. If you get an email from your bank telling you to do something, then don't click any link in the email, but instead go to your bank's website in your browser on your own. Hackers will send you emails that appear to be sending you to your bank, but are really luring you to imposter sites.

For example they might say:

"Click here to update your account: www.rbc.com"

But the visible text of a link is just text; the address it actually takes you to can be anything, for example "www.rbc.com.hackers.com". Read a web address from right to left: that one belongs to hackers.com, and "www.rbc.com" is merely a name the hackers put in front of their own site to make it look like the bank's.

Unfortunately there are a lot of people online who live off tricking people into doing things, so you need to always think about whether an email is legitimate or not. If in doubt then ask someone you trust or call up who allegedly sent you the email (and don't use the phone number they might have emailed you!).
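The check a careful reader does by eye can be written down, and I've added an example of it here (my own code, not from the post): take the address a link really points to, work out which site it belongs to, and compare that with what the link text claims. It assumes "rbc.com" is the real domain for the bank in the example above, and the sample links are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Added example, not part of the original post: checking whether a link really
# leads to the site its text claims. `expected_domain` is the domain you know
# belongs to the real site (assumption: "rbc.com" for the bank in the example).


def link_host(href: str) -> Optional[str]:
    """Return the host the browser would actually connect to, or None."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    return parts.hostname  # drops any "user@" prefix, port, and upper case


def host_belongs_to(host: Optional[str], expected_domain: str) -> bool:
    """True only if host is the expected domain itself or a subdomain of it.

    Read right to left: "www.rbc.com.hackers.com" is a subdomain of hackers.com,
    not of rbc.com, so it fails. "online.rbc.com" passes.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_link(text: str, href: str, expected_domain: str) -> dict:
    """Compare the visible link text with the real destination."""
    host = link_host(href)
    claimed = link_host(text) if "." in text and " " not in text else None
    return {
        "real_host": host,
        "goes_to_expected_site": host_belongs_to(host, expected_domain),
        "text_and_target_disagree": claimed is not None and claimed != host,
        "uses_https": urlsplit(href).scheme == "https",
    }


if __name__ == "__main__":
    # Constructed phishing link: looks like the bank, goes to hackers.com
    print(check_link("www.rbc.com", "http://www.rbc.com.hackers.com/login", "rbc.com"))
    print(check_link("www.rbc.com", "https://www.rbc.com/", "rbc.com"))
```

The "user@host" form is worth knowing about too: "https://www.rbc.com@evil.com/" connects to evil.com, with "www.rbc.com" treated as a username, which is why the code takes the host from a real URL parser rather than by eye.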

Use an adblocker (and a good browser)

A vector of infection from viruses and hackers is advertisements. This is a problem in that you can receive advertisements from shady sources even when visiting a site that you trust, such as a newspaper's site. The newspaper may not worry about vetting each and every ad they show you.

This means that a hacker can deliver advertisements that might hack your computer even if you only stay on "safe" sites.

The best means of defense here is to install adblocker software, and then you should never be exposed to this risk, because your computer will no longer even load the ads.

A good adblocker add-on for Firefox is Adblock Plus.

People who run sites that rely on revenue from ads will say that you are stealing from them. Unfortunately for them, security takes precedence over their ads (which I personally will never click anyway, so they aren't losing anything from me). If they feel strongly and would rather not have my attention, then they can try to block me of course. There are plenty of sites on the internet!

As well, while it's not as important these days, it's a good idea to use a well respected browser, such as my preference, Firefox, especially instead of something like Internet Explorer. Internet Explorer has had a lot of security problems historically, and has no effective adblocking add-ons (Chrome supports adblockers too, though its add-ons are given less power than Firefox's).

Avoid web browser plugins

Likely the most common browser plugin right now is Adobe Flash. This is what has historically allowed internet video to work (on sites like YouTube). Unfortunately it is also a plugin that has had a lot of security problems and could allow hackers into your computer (especially if you let it get out of date).

I suggest seeing if you can survive without such plugins. I have not had Flash installed in years myself. In fact many sites will now work without Flash, even for video, though you are sure to run into some that ask you to install it.

If you find that you really need to use Flash, then I suggest also installing a plugin such as Flashblock for Firefox. Flashblock makes it so that Flash will not run on a website unless you explicitly tell it to, so you might allow videos on YouTube, but you won't automatically run Flash programs on every random website you might visit.

Be careful about the sites you visit

The surest way to not get hacked is to not go online and not visit any websites. Clearly this is not feasible. The alternative is to try to be as safe as possible by being aware of the risks.

You can be aware that not all sites are trustworthy and only visit those you know and trust, for example your bank's website (once you are sure that it is actually your bank's website, and not a hacker forging it).

Avoid the temptation to click on any random website when you go searching for something online. Of course you must at some point visit a site for the first time, and not every site is out to get you, but my suggestion is to be cautious.

If you find that you need to visit sites that you are not sure about, then it's best to use a browser that is locked down (by, for example, running an adblocker, and without any risky plugins such as Flash), or even a different computer that will not have anything sensitive on it. You might have one computer for doing things that you want to be safe about, such as banking, and one for general web browsing and looking at cat pictures!

Don't ignore warnings from your computer

Software will tell you a lot of things, and you may not understand a lot of them and so simply choose to ignore them. Unfortunately poor software will often be too noisy and tell you about things that you don't need to know or are not truly important.

However you should try to be aware of what your software is telling you because some of it is genuinely helpful in protecting yourself.

An example of this is a certificate warning when visiting a website. You may have seen these before: a page saying that the site's "certificate is not valid" or similar. A certificate is how your browser checks that the site you are visiting really is who it claims to be. If such a warning shows up you should almost never continue, because it means the site is failing its identity check. Hackers cannot normally get a valid certificate in your bank's name, so if they put an imposter at your bank's address (by tampering with the network you are on, say), your browser shows you this warning, and they are hoping you will click through anyway.

Though not seeing a security warning is no guarantee that a site is genuine either: a phishing site at its own address, like the "www.rbc.com.hackers.com" example above, can have a perfectly valid certificate for that address.

If you don't know what a warning means, then try looking it up online, or asking someone.

Use good software

Software is written by people like me, and a lot still assumes that you know a lot of technical details so that you can use it safely.

An example of this is desktop Windows or Linux. These operating systems allow you a lot of control over your computer, and trust a great deal that you know what you are doing.

An alternative is to use something like Apple's iOS or Google's Android on devices such as tablets, or Google's Chromebooks (a type of laptop). These operating systems do a lot more for you (and restrict you a lot more), but by restricting you they help protect you. With a good tablet you will not have to worry so much about keeping your software up to date; it will just do it for you. Nor do you have to worry so much about "is this a trustworthy place to download this program?", because you get apps from Google's software store, and you have at least some safety in that Google will not allow some random hacker to put up an app called "Firefox" to trick you.

You should be aware that not all such devices are created equal, and that all of them will end up becoming unsupported by their vendors sooner or later.

For example, with Android, you should always look at tablets that are created by trustworthy brands, or those endorsed by Google, such as the Nexus line. Otherwise you might end up running Android on a tablet that will never receive the updates you need. Many vendors will put out a cheap tablet and then abandon it and you will end up running outdated software. And remember what I said about outdated software!

As well, since devices are always improving, the software running on them will eventually not be updated. Apple, for example, no longer provides the latest versions of their software for the first version of the iPad they released, and so you can end up, if you use the same tablet for many years, running software that is unsafe.

The best approach is to keep up to date on how supported your tablet is, and to do good research before buying a tablet. If you find that your tablet is unsupported, then it's time to get a new one, unfortunately, or be at risk.

Use antivirus

Antivirus is not really great protection. It only protects you from viruses that it knows about. So good hackers that hide well, or viruses that are not particularly widely used, or are just plain brand new, are not going to be caught by antivirus.

That is not to say it's useless, as I think it is better than nothing, but you should not consider it an impenetrable suit of armor.

This is really only applicable if you are running Windows on a desktop, or maybe Mac OS X on a desktop these days (so don't go looking for it for your tablet, for example). And you almost certainly don't need to pay for it, at least on Windows: Microsoft offers a free antivirus program called Microsoft Security Essentials that you can install (on Windows 8 and later it is already built in, as Windows Defender).
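To show what "only protects you from viruses it knows about" means in practice, here is an added example (mine, not from the post or any antivirus product) of the two simplest kinds of antivirus signature, an exact hash of a known bad file and a byte pattern shared by a malware family, against a constructed "malware" byte string, a lightly modified copy of it, and a copy that has been scrambled the way real malware packers do.

```python
import hashlib

# Added example, not from the original post: the simplest antivirus signatures
# and why a brand-new or lightly modified sample slips past them. The "malware"
# here is a constructed byte string, not a real program.

KNOWN_MALWARE = b"MZ\x90\x00EVIL-DOWNLOADER-v1\x00connect-home\x00"  # constructed
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

# A somewhat smarter signature: a byte pattern shared by a whole family.
FAMILY_PATTERNS = [b"EVIL-DOWNLOADER"]


def detected_by_hash(sample: bytes) -> bool:
    """Exact match: catches only the precise files already seen."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def detected_by_pattern(sample: bytes) -> bool:
    """Substring match: survives small edits, not a re-encoding."""
    return any(pattern in sample for pattern in FAMILY_PATTERNS)


def xor_encode(data: bytes, key: int) -> bytes:
    """What a 'packer' does: the same program, stored unreadably until it runs."""
    return bytes(b ^ key for b in data)


def scan(sample: bytes) -> dict:
    return {"hash": detected_by_hash(sample), "pattern": detected_by_pattern(sample)}


if __name__ == "__main__":
    print(scan(KNOWN_MALWARE))                      # the known sample
    print(scan(KNOWN_MALWARE + b"\x00"))            # one extra byte
    print(scan(xor_encode(KNOWN_MALWARE, 0x5A)))    # same thing, scrambled
```

Adding a single byte defeats the hash signature; scrambling the whole file defeats the pattern signature too, even though the program that runs is identical. Real antivirus is more elaborate than this (it unpacks files and watches behaviour), but the underlying limitation is the same: it needs to have seen something like the attack before.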

Summary

As you can see, there's a lot to be aware of and to keep up to date on. Doing all of this can, at least initially, be a bit of a burden and make using your computer a nuisance. Security comes at a cost. I might find it irritating to have to carry around keys to my house and my bike, but unfortunately I find it necessary.
