Thursday, February 2, 2017

Keeping Safe Online - Avoid Scammers, Spammers, and other Scallywags

You've heard the horrifying tales, ranging from annoying ads to ransomware and cyper-peeping toms. You want to know how to minimize your risk. You've come to the right blog post.

First let me say this: I don't do Macs. Some of this advice is applicable to macs, but not all of it. I don't like to give lengthy, witty intros, so I'll just jump right in to the tips.

1. Keep Your Operating System Updated
The vast majority of security risks come from not updating your operating system. If you update your operating system every few days, you'll be protected against most known security issues. I have my computer check for updates and install them every day. In most recent versions of Windows, you can check for updates and install them by going to Start > Settings > Control Panel > Windows Update. Click on "check for updates". When it is done "thinking", it will tell you which updates are available. Select all the "important" ones, and click "install". You'll want to save all your work because you may be required to restart your computer. After all the updates are installed, run windows update again to make sure there aren't any nested updates waiting.

2. Keep Your Browser and Plugins Updated
The second group of security risks come directly from your browser and plugins. First off, DO NOT USE MICROSOFT EXPLORER. I cannot stress this enough. Explorer is absolute garbage from a security standpoint. I recommend installing Firefox and Chrome. The vast majority of sites will run perfectly fine in either browser. Once you have Firefox installed, fire it up and navigate to:
Run the plugin updater, update the out of date plugins, and come back to run it again. Lather, rinse, repeat until everything is updated. Run this at least once per week. This won't update any of your Chrome plugins, but it will ensure your basics are covered: flash, java, silverlight, and adobe reader. That should patch most security issues.

3. Antivirus and Anti-Malware
You should always have good antivirus and anti-malware software running on your computer. Set them to update the virus and malware databases every night, and set them to scan after the update (again, every night). AVG is a decent free antivirus, but ESET is far superior. MalwareBytes is by far the best anti-malware software on the market.

4. No Script
I recommend that everyone download and run No Script (linked here) for Firefox. This plugin allows you to selectively allow or deny certain website's permission to run javascript. This will block another huge gateway to being infected. No Script takes some getting used to. For example: when I load CNN's website, none of the news content shows up (because it's all loaded via javascript). I have to "temporarily allow" cnn.com to execute javascript, then the content appears. One really nice benefit is, none of the ads show up because they are loaded by sites other than cnn.com. One slight pain is, none of the videos will play unless I also temporarily allow the "turner.com" domain. I recommend using "temporarily allow" because you don't want cnn to be able to execute javascript on another site. When I load CNN, 17 other domains try to execute javascript. Because you're blocking javascript, flash is usually not allowed to run unless you specifically allow a certain domain to execute the javascript. The only site I cannot use with No Script is Forbes. You can also take a look at Flashblock, Ghostery, and Lightbeam. You'll be surprised just how many websites are tracking you via cookies and cross-domain javascript.

5. Don't Click on Ads or Links in Emails
Tip 3 will save you from most website-based problems. Still, it's a good idea to not click on ads or links in emails / text messages unless you know the domain it is sending you to. Google does a pretty good job of stripping out websites that have harmful content. It's still a good idea to load a Google-referred website without javascript first. If you get an email out of the blue, even from someone you know, don't click on the link unless you're certain the sender intended to send you an email. Some malware and viruses will send emails to all contacts trying to spread itself. When it doubt, contact the person directly to make sure they intended to send the email / link.

6. Use a Firewall
A firewall is basically a thing that filters out traffic to and from your network. There are two types of firewalls: software and hardware. A software firewall is a program that filters out requests from the outside world, and can provide some protection if a virus or worm does happen to get through. A hardware firewall is basically a computer that sits between your network and the outside world to play gatekeeper. A good hardware firewall can block a virus from being spread outside your network, and a software firewall can block the spread of a virus inside the network. I recommend using both types of firewall. Most newer versions of Windows come with a software firewall, and it's a pretty good one (provided you keep your OS updated). You can get a wireless router that also has a firewall built in. To find the best router firewalls, use Google to find keywords like "best wireless routers firewall" (sans quotes). You can usually trust websites like cnet and pcmag to give unbiased reviews. I won't provide any links because they will be outdated. Using Google you will find the most updated information when you do your searching. Just make sure you check the dateline to ensure you aren't looking at an old article.

7. Use a Password Vault
It's virtually impossible to remember every password these days. Using the same password on multiple sites is a like putting a big red target on your life. Instead, use a password vault (Keepass, Keeper, LassPass, etc.). Generate a unique password for each site. I also recommend setting different (and random) security questions for each site. For example: instead of answering "spot" for your first pet, enter a random string of numbers and letters. Keep that information stored in your password vault (questions and answers) for each site. That way, if one site is hacked, the answers to the common security questions won't be compromised. After all, you don't have 5 different "first pets" withe 5 different names comprised of random strings of letters and numbers. If you use an offline password manager, make sure you keep a backup of the file just in case the original becomes corrupted (rare but it does happen). I'd keep the backup on a thumb drive and keep the thumb drive in a very secure place. If you use a browser plugin-based password vault, make sure you constantly update the plugin to the latest version.

8. Use Common Sense
  1. Don't open emails from unknown people. Don't click links you receive, even from friends, if the email is unexpected or unusual. Watch out for a missing salutation line. If your friend usually says "Hey Bob", but the email doesn't, it might not be from your friend. When in doubt, contact the person directly.
  2. Don't give your password, security questions / answers, or verification codes to anyone over the phone, via email, or text.
  3. Make sure the website you are looking at is actually the website you intend. Keep in mind, a lower case L and a 1 look very similar, and the letter O looks very much like a 0. When in doubt, copy the address in the address bar and paste it into notepad and look for the proper spelling and easily confused characters. Keep in mind, the scammers could have cleverly hidden the real name inside a fake domain or sub-domain. For example: microsoftinfo.com and microsoft.info.com are not microsoft. When in doubt, put the real / known domain name in the address bar, or call the real company to find out if they sent the email. If it looks suspicious, it probably is.
  4. Always use SSL (secure socket layer) whenever you are sending or receiving something private over the internet. The way to do this is to look at the address bar and see if it says "https://". If the "s" is missing, that is a non-encrypted connection, and what you're doing could be watched by anybody with simple (and freely available) hacking software. If your email provider doesn't use SSL, ditch them immediately.
9. Don't Change Passwords Often
The traditional wisdom was to change passwords frequently. But knowing exactly how hacks work, changing your password probably won't protect you. Most hackers immediately use the data they steal. They don't wait for 3 months to use it. Unless you just happen to change your password immediately after the hack, you're going to get no benefit. It is still a good idea to change your password every few months just in case a hacker publishes a huge list of usernames and passwords. They usually do this well after they're done with the data, so the damage is already done. Because they often publish username and password lists on the dark web, it's VITAL to never use the same password on more than one site. This is why it is so important to use a password manager.

10. Secure Your Wifi
Your wifi router can encrypt everything between the router and your computer. If you run a wifi that doesn't require a password to connect, everything you do can be seen by someone sitting outside your house with some basic equipment. To secure your router, read this article. Make sure you set a really good password. Your password vault can generate a good one. I recommend writing it down and keeping it somewhere secure.

11. Encrypt Your Hard Drive
If your laptop gets stolen, or you forget to properly wipe a discarded hard drive, your files will be vulnerable. The best defense is to encrypt your hard drive with an encryption system like BitLocker. An encrypted drive is useless unless the thief cracks the encryption algorithm or has your password.

12. Securely Delete Files
When you want to delete a file, make sure it is fully erased. There are tools out there that will overwrite the deleted file with random junk, then deletes the junk. A few good ones are: Eraser, Freeraser, and CCleaner.

13. Delete Cookies Often
Cookies are used for good and nefarious purposes. Good purposes mean you bank recognizes your computer and doesn't require you to go through the two-step verification process each time. Nefarious purposes mean advertisers, spammers, hackers, and government agencies can track your online browsing. Regularly deleting cookies is a great idea. I use a Firefox plugin called Cookie Culler. It clears my cookies every time I close the browser, but it allows me to set certain cookies to be "protected" against the cookie culling.

14. Don't Undress in Front of Your Webcam
Seriously. It is a well-known fact that government actors can turn on webcams (without the warning light). Now that this ability is well known, it's only a matter of time before hackers figure it out (probably already have). Since a laptop has a battery, it's entirely possible the webcam or microphone could be turned on even if the computer is off or in standby mode. Seriously. Don't do anything in front of a camera unless you're comfortable with that being watched by strangers. A piece of electrical tape can fix the camera problem. There probably isn't a way to fix the microphone thing.

I'm sure I'll think of other tips, and I'll update this post at a later date. Good luck to you.

No comments:

Post a Comment