November 8, 2011

8. Online security - preventing your digital catastrophe

I have just read an article about a woman's great misfortune, where her Gmail account was not only hacked but all her online data erased. It is a chilling reminder of how vulnerable we are with our lives stored in the cloud: years of correspondence, documents and personal photos. An event like this would leave me stunned for weeks, as most if not everything I have created is now online. The article is a must-read for everyone; it is not only a wake-up call but a lesson in how to defend yourself from a modern crime - being hacked online.

Being both paranoid and proactive, I have never in my years of computing had an intrusion, neither at home nor online. As IT-engaged doctors, defending our online fort is one of our most important tasks. Unlike physical things that we insure because they can be replaced, the day that you are hacked is the day you can lose it all. Thus I would like to share with you my experience and techniques.

Please remember to also read the article; it is 10 minutes well spent!

Protect your email address

A login is a combination of password and email address. Keeping your primary email address away from the Internet is therefore a strong defensive tactic, since a hacker who does not know the address has no login to try passwords against.

I have two Gmail addresses. The primary one I give out only to those I fully trust, mainly family and friends. I would even hesitate to give it out to people I am not sure about, since if their email accounts are hacked, my address will most probably go into some hacker's database and thus online. The other address I use as my "shield": I use it for registrations, mailing lists etc., where anything can happen.
Then I use the primary Gmail account to import from the secondary one. Gmail's spam filter has then automatically removed 99% of suspicious emails and even though a few "genuine" emails get caught in the spam filter I don't care since they're not personal anyway.

In the end your email address will eventually leak (in my case, my mother's email account got hacked; I never had spam emails until then), but this technique minimizes the visibility of your address. This is why I also use my secondary address for mailing lists and online orders: even though I trust the companies, they just might get hacked one day, and the hackers will most surely be looking for Gmail addresses to hack!

Secure your password

Hackers today are not guessing your password by hand, trying a few entries until they give up. They have robots which make "brute-force" attacks on your accounts with thousands of words per second, using combinations of words picked up by spying on your online social life (e.g. birthdays and children's names) and a pool of "most common passwords". Not only do you have to choose your password carefully, but you should also renew it at least every 6 months. The IT-friendly site MakeUseOf has a nice article on creating a password that is a little harder to break; if you really want to delve into this subject (highly recommended!), I can also recommend Lifehacker's articles.
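To see what such a robot's word list catches, here is a small screening function, added as an example and not part of the original post or of any site mentioned in it. It flags a password that matches a "most common passwords" pool or that contains personal facts such as a child's name or a birthday; the pool, the character swaps and the sample facts are constructed for illustration.

```python
import re

# Constructed sample of a "most common passwords" pool (a real pool is far larger).
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Undo the usual character swaps so "P@ssw0rd" is read as "password".
SWAPS = str.maketrans("0134579@$!", "oleastgasi")

def letters_only(text):
    """Lower-case, undo character swaps and drop everything but letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SWAPS))

def personal_tokens(facts):
    """Turn names and YYYY-MM-DD dates into the fragments a robot would try."""
    words, numbers = set(), set()
    for fact in facts:
        words.update(re.findall(r"[a-z]{3,}", fact.lower()))
        match = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", fact.strip())
        if match:
            year, month, day = match.groups()
            numbers.update({year, month + day, day + month,
                            year[2:] + month + day, day + month + year[2:]})
    return words, numbers

def screen_password(password, facts):
    """Return the sorted reasons a password is easy to guess ([] if none found)."""
    reasons = set()
    stem = re.sub(r"[\d\W_]+$", "", password)   # drop a trailing "1!" or "2011"
    if password.lower() in COMMON or letters_only(stem) in COMMON:
        reasons.add("common")
    words, numbers = personal_tokens(facts)
    flattened = letters_only(password)
    if any(word in flattened for word in words):
        reasons.add("personal-word")
    if any(number in password for number in numbers):
        reasons.add("personal-date")
    return sorted(reasons)

# Constructed facts of the kind visible on a public social profile.
FACTS = ["Emma", "2004-05-17"]

if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "emm@170504", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate, FACTS) or "no match")
```

An empty result only means that neither of these two sources would produce the password; it says nothing about its length or randomness.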

A very common mistake is that of reusing passwords. You might, for example, have the same password on your Gmail account as on some general news site, say your subscription to the Wall Street Journal. Hackers know this and therefore put effort into breaking into the databases of these seemingly unimportant sites to catch logins. Someone breaking into my WSJ account is utterly unimportant to me - at most the hacker will be able to read some locked WSJ articles, but they will not be threatening my online world in any way. My online bank login, on the other hand, is obviously a very vulnerable one. With so many online logins to keep track of, you need to define which ones are truly vulnerable and take special care of these. For the rest, you can ease your paranoia and reuse your password. This will also make it much easier to keep track of the tens of logins that modern IT life requires of us.

By special care I mean choosing your password wisely, renewing it on a regular basis and storing it carefully. There are many nice software solutions for this. I prefer phone-based ones, since I always have my phone with me and it is thus easily used for looking up not only website passwords but also PINs and door codes. For this I use the highly recommended Android app Pocket - there are iPhone apps for this too.

Beware of unsecured wireless networks

Modern hackers will not only try to pick the lock on your passwords - another, less known method is that of sniffing network traffic to eventually find your password amongst millions of data packets. It may sound difficult, but this can be done in just seconds with software easily found on the Internet. Free networks ("hotspots") are available all over, especially in cafeterias, where you are welcome to sit down with a nice cappuccino to browse the Internet and do your work. To save you the hassle of logins, the hotspots commonly offer open WiFi, meaning that every single data packet going to or from your computer is open to the public. If you are like me, you have most probably accessed these WiFi networks with your smartphone; I have to admit I hadn't realised the danger of this until I read the article above.

Your only protection is to be truly paranoid and avoid unsecured WiFi networks. If you insist on using them, minimise access to your personal sites that require a login.

This is impossible, I know. Fortunately there are less dramatic alternatives - securing browser traffic with https, for example (see below), and using a VPN (virtual private network). Until you feel totally sure about your hotspot vulnerabilities, I recommend that you use your laptop lightly unless you have access to a secured WiFi; some cafeterias actually do provide their customers with a password for this purpose.

And remember to check your WiFi setup at home - the once trusted WPA protocol is now easily hacked and you should only be using WPA2.

Now this is not something for the average computer user to understand from just one blog post. Because of how truly important this is, I highly recommend that you give yourself some time and read more about WiFi security. Here is a great website which covers the basics in an easily read text:
 http://www.nowiressecurity.com/about_wi-fi_security.htm

Be very afraid of malware

In the early days of PCs, installing software required a physical action such as inserting a CD. Today the mere click of a link is enough to wreak havoc, unless your computer is well protected (Windows is especially vulnerable). Malware is a tiny piece of malicious software - a computer virus is one kind - built with the purpose of taking over your computer, or parts of it, for various purposes. The least scary ones just want to use some of your CPU power for a bigger project, while the true beasts will record every single keystroke, waiting to catch your passwords or credit card numbers. What is most frightening about malware is that it will commonly install itself without you noticing anything, sitting in the background waiting for you to fall for its mischief, like a spider in its web.

Unfortunately there is no one solution to fight off malware, but having decent anti-virus software will take care of most of it - while at the same time clogging your computer's resources (some will take up to 20% of your CPU). This is one of the reasons I am totally converted to Linux - something I will be blogging about in just a few days.

Pick your browser

Internet Explorer used to dominate the world of browsing, thus becoming a popular target for hackers. A depressing fact, considering so much of your work goes through this wonderful technology. But then, IE simply is awful when it comes to security and has caused many days of embarrassment at the offices of Microsoft. Yet another reason to switch to other browsers that are not only more secure but in every aspect better than IE.
You might have noticed from previous posts my love for Chrome; the fact that Google has offered $20,000 to anyone who claims it can be hacked says all that needs to be said.

Special tips for your Google cloud data

The article told of an unfortunate Gmail user, and being a very active Google user myself I want to emphasize a few points which, in addition to those above, will dramatically reduce the risk of you being hacked.
  • Set Gmail to use https (a secure connection). This is your last fort if you insist on using unsafe hotspots (see above).
  • Activate Gmail's 2-step verification; this will disarm anyone who is even making an attempt to hack your account with the little cost of occasional verification codes.
  • Activate the recovery options in case you lose your password; it will give you more confidence when picking a truly uncrackable password.
  • Beware of suspicious links in emails! Although Gmail's spam filter is doing a hell of a good job, an occasional email will slip through, and commonly it will seduce you into clicking a link, which could be the beginning of the worst day of your life. Be informed and you won't fall into this trap.
  • The spam filter works so well because it's crowdsourced - Gmail users report fraudulent email and the servers will automatically act when a particular email is being repeatedly reported. So it is important that you too flag mail that you consider fraudulent; this is easily done with the "report spam" button.
  • A backup of your cloud data on Google's servers will give you the ultimate feeling of comfort and a good night's sleep. Here is a great article on this subject, and FYI there are rumours about a Google "Gdrive" coming with functions similar to Dropbox, which would mean automatic backup of everything in Google Docs - and maybe more.
