Never thought I’d be writing a “Top 10” list, but I get asked this question often enough that I figured I’d list a few ways people can better protect themselves from hackers, identity theft, and the random mayhem that takes place on the internet. I’m going to try to order it according to what I believe is priority.

So, without further ado…

10) Make sure your social sites aren’t leaking information

As I’ve shown here many times now, social networking provides a wealth of information to someone interested. Whether it’s your location, family, friends, etc., it’s all available there for someone looking. You want to share this information with your friends, but not with people who just stumble across your Facebook page. Right now, go spend 5 minutes checking and double-checking your privacy settings. It’s under “Account” at the top right of your Facebook page. Also, as a sub-point of #10: don’t divulge your address or phone number when posting on someone’s wall or responding to someone posting on your wall. Bad. Idea. Email it to them, if necessary. Or pick up the phone!

9) Don’t randomly accept friend requests on social sites

I understand the idea is to be social and meet new people on these sites. However. If I can’t get information from your page anonymously, I will simply set up a fake Facebook account and send you a friend request. 9 times out of 10 it will get accepted and I will have all of the information that you spent the last 5 minutes trying to secure.

8) Keep your computer up to date

Don’t put off updates. When a pop-up says that updates are available, it actually means something. Most of the exploits out there today would be obsolete if people followed a strict update policy. This includes anti-spyware, anti-malware, and antivirus software as well.

7) Secure your wireless network

Most people don’t really realize the risk of leaving their wireless network open. I think they understand that it means that anyone can use their internet connection, but I don’t think they understand the issues beyond that. Honestly, here’s what an open wireless network allows me to do:

  • I can sniff all of your information going out to the internet. Credit card numbers, social security numbers, pictures, chats, everything.
  • I can browse through your files, email, etc. Let’s hope you don’t have any risqué pictures of yourself on your computer, because if you do, I’ll have them, too.
  • I can take over your computer, your web cam, your mic. So, not only will I see all of your communications, I’ll be able to listen to you and watch you when you’re not even ON the computer.
  • I can commit crimes online and have you take the heat for them because I’ll be using your internet connection.

Are you taking wireless security seriously yet? Visit the website of the vendor of your wireless equipment and learn how to enable WPA level security. No, it’s not perfect, but if I’m faced with a house that has WEP-secured wireless and one that’s using WPA, I’ll choose the WEP network every time. Also, look into how to turn off SSID broadcasting. If I’m war driving and your SSID doesn’t pop up, I won’t be targeting it. These are simple steps that you can take to mitigate your exposure.

7.1) Windows now ships with firewall software built into it. Spend some time configuring it and making sure that it’s set up properly. You can go through the document here to help guide you through the process of configuring it. If you’re using Linux, there are plenty of scripts out there to help with iptables, though if you’re running Linux, you really should know how to use iptables from the command line… *cough*.

6) Do NOT use Internet Explorer

Internet Explorer is constantly being exploited using new vulnerabilities. These vulnerabilities lead to spyware, malware, and virus infections. Not to mention that someone could specifically target you, take over your computer, read your email, turn on your webcam, etc. Do. Not. Use. It. Period. For someone looking simply to replace IE without any issues, use Firefox. For those who prefer an even faster, more secure experience and are willing to put up with some minor quirks, check out Google Chrome. I use Chrome and I love it, but there are some minor quirks that Google is still working out. I prefer Chrome to Firefox, to be honest.

5) Use caution when clicking!

This one is huge, but it’s a little less of a threat if you followed #6. When you’re on the web (or in your email), the links that you click on can do things that you’re not expecting. There are rogue antivirus websites floating around that pop up and look almost identical to what you see when you go into “My Computer”. The page shows an apparent virus scan and then displays the results, indicating that you’re loaded with viruses. It then asks you to download something. If you know what you’re actually looking at, however, you can tell that this is fake. Also, NEVER download a .exe, .com, .bat, .vbs, .what, .ever unless you’ve specifically set out in search of that file and you’re downloading it from a trusted source. You can add .pdf to this list now, too, as PDFs are riddled with exploitable bugs.

4) Choose a strong password!

Everyone in the IT industry keeps hounding you to use a complex password, yet I still see people using passwords like “meow01”, “woof02”, or “meowoof03”. Look at it this way: if you’re using a password that you can pronounce, it can be guessed easily. That said, if you were to use “Me0w0oF58”, that would be quite a bit better than any of the previous three. It’s really hard for any of us involved in computer security to feel too sympathetic for people who get their identity stolen, their accounts hacked, or whatever, if they’re using simple passwords to protect themselves. Use this rule: two capital letters, two numbers, 8 characters long, not a word from the dictionary. Using that policy, your passwords should wind up looking something like this: Hg89yZ46. Say that a few times and you’ll start to hear a rhythm to it, which will make it easier to remember.
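To make the rule above concrete, here is an added example (my own code, not from the original post) that turns the post’s policy into a checker and a local generator: it rejects the “meow01”-style passwords and accepts “Hg89yZ46”, and it builds new passwords on your own machine with the operating system’s random source rather than asking a website for one. The tiny wordlist is a constructed stand-in for a real dictionary; swap in a proper wordlist for real use.

```python
import math
import secrets
import string
from typing import List, Set

# The post's rule: at least two capital letters, at least two digits,
# at least 8 characters, and not a dictionary word.
MIN_LENGTH = 8
MIN_UPPER = 2
MIN_DIGITS = 2

# Constructed, deliberately tiny stand-in for a real dictionary (assumption, not from the post).
SAMPLE_WORDLIST: Set[str] = {"meow", "woof", "password", "welcome", "letmein", "dragon"}


def policy_violations(password: str, wordlist: Set[str] = SAMPLE_WORDLIST) -> List[str]:
    """Return the reasons a password fails the rule; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} capital letters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    # Drop the digits and lower-case the rest so "meow01" is still recognised as the word "meow".
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in wordlist:
        problems.append("dictionary word")
    return problems


def generate_password(length: int = MIN_LENGTH) -> str:
    """Generate a password locally with the OS CSPRNG, retrying until it satisfies the rule."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Rough search-space size of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("meow01", "woof02", "meowoof03", "Me0w0oF58", "Hg89yZ46"):
        verdict = policy_violations(pw)
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
    print("fresh password:", generate_password())
    print(f"8 random letters/digits ~ {entropy_bits(8, 62):.1f} bits")
```

The entropy figure is there to keep the rhythm trick in perspective: saying the password aloud makes it easier to remember but does not make it harder to guess, so the real protection comes from the characters being chosen at random, not from the pattern you hear in them.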

3) Question everything

Hackers regularly exploit human nature… and we do a pretty good job at it. We know that 9 times out of 10, when a human is faced with a certain scenario, they’ll respond in a certain way. We know that humans feel good about themselves when they help someone else, so we can set up elaborate schemes where we, the hackers, act in distress in some way in order to trigger this human response. Women are especially susceptible to this. The easiest way to secure this vulnerability is by simply questioning and relying upon your instincts. Everyone who has faced a social engineering exploit says the same thing: “It didn’t feel right…” or “My gut told me not to, but I did it anyway” or “It seemed fishy”. Yet even though their entire being was telling them NOT to do something, the social pressure and desire to help someone overran their internal instinct to protect themselves. By simply asking questions and going with your gut reaction, most social engineering attacks would fail.

2) Guard your information as if your life depended on it

This ties in with #10. So often I come across information on the internet that I simply cannot believe people intentionally put out there for other people to find: addresses, personal information, where you went to school and for how long, names of your children, name of your spouse, full names, etc. If you read my “Invasion of Privacy” post, you’ll see how little information is needed in order to steal someone’s identity. Because Ralph and his wife had no problem posting all of their information across the web, all I needed was his email address in order to get his social security number. Websites like Myspace, Facebook, LinkedIn, Twitter, and so on are all gold mines for hackers, only because you like giving out information. A real simple way to keep yourself in check: would you like everyone in the world to know the information that you’re posting? Do you want someone in North Korea to have your cell phone number and home address? “*shrug* I don’t care…” OK, do you want ME to have your cell phone number and home address? If not, don’t post it on the web! Google will find the information and index it. Once indexed, it’s indexed for life. It won’t go away. Ever.

One other way to guard your information is to enlist the help of professionals to monitor your credit and protect your personal details. The most recent Reputation Defender review was very positive, and they are one of the more established companies that provide this type of service.

1) Use common sense

These last two have basically focused on common sense. If you use common sense, you will greatly reduce the risk of infection and exploitation. If you get an email from one of your contacts that seems out of character and has a link or attachment, don’t click on it. If a web site opens a window asking you to download something, don’t download it. If someone contacts you asking for information that you normally wouldn’t give out, but this person is in need of some kind of help, don’t go against your better judgment. When posting stuff on the internet, don’t divulge personal information. When shopping online, verify that the site is secured before submitting your credit card number. The use of common sense would greatly reduce the issues that we face online. Don’t send your passwords through email.

If I asked you… if some person in Nigeria emailed you, saying that they had $14.2 million in an offshore account and just needed help getting it to a US account, and were willing to give you half of it if you helped them… would you give them your account information? No? Why not? Don’t laugh… hundreds of people have fallen victim to this scam. It exploits two human vulnerabilities: kindness and greed. Again, common sense and intuition could prevent this from ever working.

Also, there are plenty of cloud security solutions on the market that can keep your online data safe, so before registering a new account somewhere, make sure they’re offering some form of protection.

I hope you found these helpful and I’d like to hear back from you. I realize that I can’t cover everything in 10 tips, but I feel that these are huge ones that really would help reduce some of the risk. If you have anything to add to this list, please do!

1. josh says:

  While not practical for everyday surfing for most users, what do you think of Krebs’ suggestion to use a boot CD (Ubuntu, Mint, etc.) to do online banking? Not necessarily a way to prevent identity theft, but worth the trouble in your opinion?

2. Carol says:

  A strong password can definitely protect your online privacy. Either create a strong password on your own or make use of aafter.com. Visit the site and ask for a stronger password by typing “password:” in the search box and pressing enter.

3. Matt says:

  @Carol: I was going to put a password generator on my website for people to use, however… this is a major security issue. By creating a password for someone, you’d know their password… and if you knew the websites that they used, you would be able to access their accounts.

  It’s a bad, bad idea to have someone else create passwords for you. Plain and simple. Generate it yourself, or use the ‘mkpasswd’ script that I posted on my blog.

4. Matt says:

  @josh: Actually, I think he’s got it backwards. I run Linux full time and use a VMware image of Windows when I need to do Windows type stuff… ;-)

  Linux has grown leaps and bounds over the past few years and as a result, it’s become easier to use and more adaptive to new technologies, so there’s not as big of a gap as there once was between Windows and Linux. Rarely do I ever need to boot my image of Windows. I would recommend running Ubuntu, as it’s the easiest of the distros out there for first timers.

  But, if for some reason this isn’t practical, I’m not totally against his idea of using an image of Linux when you need to make sure that you’re safe. Though, if you’re following my tips, you probably could avoid having to go through the hassle of this by just running a solid web browser (Chrome/Firefox) and making sure you’re running some kind of AV, anti-spyware, anti-malware, anti… anti… anti… and updates. :-)

  That said, Windows will never be as solid and secure as *nix.

5. Sie says:

  That said, Matt, what AV do you use on your *nix system, out of interest?

  (BTW, running Linux and using a Windoze VM is exactly the way I work at home; work-wise I have to stick with their corporate image.)

6. Matt says:

  @Sie: Actually, none… nor have I ever. lol. Mostly because I know of no real viruses that target *nix… plus, there’d be pretty limited damage due to my security policies.

  HOWEVER… I do use Clam to scan for viruses on my mail gateway that delivers to a server that gets accessed by Windows clients.

7. Linda says:

  Great tips and advice… I think that picking a good/strong password is one of the most important things one can do to protect their information. It just seems that everywhere you look online, someone is there to take advantage of you… It sucks.

8. Rita says:

  Hi Matt. Great article. I dug it after I read “Invasion of Privacy” (with Rapportive, Etacts or Gist we are now offered some of that info without effort). One question: LastPass is pretty convenient; do you know if it’s sufficiently safe?

9. MikeK says:

  I use the browser plugin LastPass (works with Firefox, Chrome and Safari). It randomly generates passwords locally, not online.
  http://lastpass.com/help.php?topic=genpw&nw=1&fromwebsite=1

  For Facebook, I made a fake account but I decided to close the account since I really didn’t need it.

  I don’t upload any pics.
  I avoid wireless as much as I can. At home I don’t use wireless at all.
