Off Topic: Sensible Online Security
Security is on my mind right now. I am not the most careful person when it comes to online security, but I’m better at it than most people. Not because I give in to paranoia and stop browsing the internet altogether (which is probably the best thing to do if you are paranoid), but because I make use of a few tools which look out for me, so I can afford to be a little less vigilant, and because I keep track of genuine alerts (not the ones forwarded to you via email) via normal news channels like BBC and CNN.
I’ve noticed most people who aren’t as comfortable with tech-related issues tend to fall into two camps when it comes to online security: either complete paranoia resulting in minimal use (sometimes missing the best bits of the internet), or shocking laxity, giving out personal information to anyone who asks nicely and assuming that because they have an anti-virus they will be protected from everything (this is not the case).
If you aren’t interested in reading my lengthy exposition, there is a list of handy and quick clickable links at the end of this post. Feel free to skip to the bottom.
I’d like to add one proviso first: this is by no means a complete list of all that can go wrong and the respective solutions. It’s just a primer, so be smart.
Let me give you a short answer right now: If you apply the same principles to online security that you do in your everyday life, you are already halfway there. If you don’t go out and post photocopied chain mail (the ones where you have to buy stamps) then don’t do it with email; if you don’t hand out your name and address and personal details to any stranger on the street who asks, then don’t do it online; if in real life you avoid anything that sounds too good to be true (particularly when coming from strangers you just met) then don’t get taken in by online scams in identical circumstances.
Of course, it isn’t always that simple but the critical thing to remember always is to analogize any online issue with real life, bearing in mind that written communication does not represent emotional context as easily as verbal and visual communication. You can’t tell easily from an email if a person is being honest, you can’t tell from a comment on a website if a person is angry or sarcastic.
And as far as giving out payment details goes, sometimes “bargains” aren’t what they seem. If, in real life, you saw two shops side by side selling the same products, one unknown and the other a well-known chain, would you give your private payment details to the unknown one with suspiciously low prices? Not likely, so don’t do it online. The internet makes some things harder (visual cues) but makes other things easier (research).
Do a little ground work first. Once you find reputable online merchants you don’t have to search again. Or simply ask friends who have experiences (you can add this as a rule, asking friends is the easiest way to find anything trustworthy).
Trust me on this: Neither Colonel Gaddafi, his wife, his son, his main body guard, the widow of his driver nor anyone connected with him is seeking your help in getting the forgotten jewels/money out of Libya (it’s only a matter of time before this one shows up).
Let me add in this minor rant: Do not forward emails to me which have been forwarded to you and a hundred of your other friends. These are always junk! I swear to you the drug companies are not conspiring to hide the fact that lemon juice cures cancer (unless they are, in which case, sorry). Bill Gates will not give you and everyone you know $2,000, bunnies will not be trampled to death if you don’t forward an email out (and even if they are, the saying “multiplying like rabbits” didn’t come about by accident; there are lots of them, let them be trampled).
If you do feel compelled for whatever reason then please, please use the BCC feature in your email. If you do not use BCC you are creating the possibility that spammers and other unfriendly people can get your friends’ email addresses, plus the possibility of embarrassing mistakes. I used BCC when I sent this post out to my friends.
As I am on email at the moment, there is another sensible precaution you should take when it comes to email – Don’t Click On Unsolicited Links or Attachments (memorize this one by heart and keep it in mind every time you see a new email notification). If a friend or colleague sends you a link or an attachment that you didn’t specifically ask them to send, don’t click on it.
No matter how enticing that link may be, don’t click on it. Copy and paste the words into Google or Snopes (which debunks online scams, urban legends and email “alerts”) and that should give you an idea of whether the link is safe or not. It’s not hard; I do it all the time. Most email clients now scan attachments for viruses. But still, if you didn’t ask for it, odds are you didn’t want it. If you must see it, google it first.
Many of your friends may use the word “password” as their password. Or 12345, or their names, or their children’s names (I know you aren’t that silly). This means that crackers can easily take over their online accounts. In an attempt to ensnare as many people as possible, those crackers will then send their bad stuff to all of that person’s contacts so: Don’t Click On Unsolicited Links or Attachments.
Finally, read up about 419 scams; it won’t take long and it will open your eyes. Advance fee frauds are the most popular via email, but that doesn’t mean there aren’t others. The rules of thumb to avoid these things are the same as in real life (a.k.a. meatspace). If it sounds too good to be true, it is. No matter what anyone tells you, ask a friend’s advice before you pay anyone anything. Never, never act on impulse no matter how hard it is to resist; wait a week and ask for advice from a friend. Oh, and those spam emails advertising cheap herbal Viagra? Well, if anyone has to tell you to avoid any such email with a ten foot pole (well, the size of the pole doesn’t really matter, I’ve been told) . . .
So I’m a curmudgeon, that doesn’t mean you shouldn’t take my advice.
Okay, now that you are being sensible about your general habits you need some tools that will assist in keeping you safe. Depending on your level of paranoia there are a number of sensible tools you can make use of (this is for people like me, not security professionals or the ultra-paranoid).
First, and most important: if you are using Internet Explorer (a lot of you still do) go and download Mozilla Firefox, Google Chrome or Opera and immediately stop using Internet Explorer (all of the alternatives I’ve suggested will import your bookmarks and history). For a variety of reasons the conventional wisdom is that Internet Explorer is not as secure as Chrome, Firefox or Opera. I use Firefox but can recommend either of the other two. [Edit: A reader took umbrage at my suggestion that IE may be less secure than the others, and it does appear that the versions of IE from 8 onwards are on par with the others. An ad-blocker is available, as is LastPass, for a fee, but I haven't been able to find any of the other add-ons which are available for Firefox. In other words, ensure you are upgraded to the latest version of IE if this is your preference.]
The second required tool is an ad-blocker. There is a lot of debate on the internet as to whether it is morally right to use ad-blockers. The theory is that you are getting a lot of the available content on the internet for free, with the only obligation being that you view the ads and click on those that interest you. I think if you want to make money from your stuff, charge for it. Don’t try to get your charges through a back door, then cry about it when people avoid your back door.
The bottom line though, is that quite a lot of bad stuff can be delivered from the internet via cleverly crafted malicious ads (many of the security issues you hear about are delivered this way). Enable an ad-blocker and this is no longer a consideration.
Next up (number three) is protecting your actual browsing session. When you are browsing the internet, data to and from your computer travels a long route via many intermediaries. If you are using a wireless network, data moves from your computer through your wireless network to the phone lines (or cable line, or fibre optic lines etc.) to the ISP. From the ISP it takes a number of routes to the computer providing the website you are browsing. Along this way there are many points at which a malicious person can intercept your data to see or steal your information.
There is a secure protocol, secure HTTP, to protect your data along the way. Some websites automatically require it but many don’t. If you log into your Amazon or PayPal account (or quite likely your bank account) you will notice that the “http” in the address bar of your browser changes to “https”; this means that the website is requiring your browser to use the secure protocol, and your browsing session is then encrypted.
Many, or most, sites make this optional. Google allows you to choose whether checking your email is secure or not, and Facebook is only now allowing you to choose to force all of your facebooking to be protected by secure HTTP. This, to me, is unacceptable. While there are many websites (mine, for example) where you won’t care if anyone trying to crack your connection sees what you are reading, as a matter of course you should opt for security, especially when it is easy to accomplish.
It is trivially easy to force secure HTTP if you are using Firefox by installing this add-on. There is no similar add-on for any of the other browsers (that I know of) for now. Beware of any website offering such a plugin; ensure it has been tested by the maker of the browser (the one for Firefox was created by a trusted organisation and has been tested by Mozilla).
Okay, now for the doozy: passwords (or number four on our little list). Even the most anal retentive, obsessive and compulsive people (like me) hate passwords. You know the rules probably as well as I do. Come up with something unique . . . for each and every online account you have. And then remember each one of them. Oh, and don’t use your own name or the names of anyone you know, and don’t use important dates (or even names and dates in combination). Don’t use your phone number, licence number or any combination of birth dates. If you don’t follow these rules and have something someone wants badly enough, they will figure out your password (especially if you write it down on paper and stick it to your monitor, the bottom of your desk or keyboard or one of your desk drawers, or if you file it under “P” in your filing cabinet).
One other thing: you need to change your master password regularly. It is a pain, but it keeps you safe (particularly considering that it is the key to the vault containing everything you need to keep safe). I find that if I write even the most complicated alphanumeric password down and type it in regularly for a week, I remember it without any other problems. Afterwards, I make sure I destroy the paper on which I wrote the password. [Edit: since posting this I've learned that changing passwords regularly is not necessarily best practice. People who change their passwords regularly tend to write them down, thus reducing security. If you have a strong password which you can easily remember it may be best to stick with that password.]
Alternatively, you can use any of many methods to create a password which you can easily recover: anything from taking letters and punctuation characters from specific, different locations in a favourite book, to choosing a word familiar to you and then alternating between the characters on the keyboard above and below each letter of the word you’ve chosen.
If you want to check the relative strength of your password, have a look here. They will tell you whether yours is easy or difficult to crack. Just to be on the safe side, change the password once you’ve checked it. [Edit: This password checker is not a reliable tool; use LastPass to generate a password, or follow the guidance of the links in the paragraph above.]
So what are we to do? Unfortunately, there is no kind of certainty; there is no uncrackable password (it’s only a matter of motivation and time). There are, however, things you can do to make sure that when the bear starts chasing you, you are running faster than someone else. I use LastPass (the person who doesn’t use something similar is the one who’s running slower than me). LastPass is a web application with add-ons for Firefox, Chrome, Opera and many others. LastPass is proprietary software that is free for most ordinary uses, but which offers additional features for an annual fee.
LastPass gets its own section because passwords are arguably the most critical part of online security and, as befits that, it is a fairly complicated bit of software. This is one area where I can’t really give you an easy one-click solution. You see, even after you install LastPass, you have to go and change the passwords for all your critical websites and services and, most importantly, you have to generate (and remember) the master password which unlocks LastPass’ vault. Any time you click on a box to change a password, LastPass will offer to generate a random secure password (which it will also remember automatically if you accept). You can invoke the password generator tool by holding the <ALT> key and pressing <G>.
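As an added example (my own code, not LastPass’ and not from this post), here is a small Python script that encodes the password rules from the paragraphs above, shows why a simple strength checker of the kind linked above over-rates a word like “password”, and generates a random password the way a manager’s generator does. The common-password and name lists are constructed samples, not real wordlists.

```python
import math
import re
import secrets
import string

# Constructed sample lists standing in for the weak choices the post warns
# against; a real checker would use a large breached-password list.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}
KNOWN_NAMES = {"alice", "bob", "carol"}
# Four-digit years (1900-2099) or day/month fragments such as 31/12 or 3-4.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}")


def weak_reasons(pw: str) -> list:
    """Return the rules from the post that a candidate password breaks.
    An empty list means only that the obvious mistakes were avoided."""
    low = pw.lower()
    reasons = []
    if any(word in low for word in COMMON_PASSWORDS):
        reasons.append("contains a common password")
    if any(name in low for name in KNOWN_NAMES):
        reasons.append("contains a name")
    if DATE_RE.search(pw):
        reasons.append("contains a date")
    if pw.isdigit():
        reasons.append("is all digits (phone or licence number style)")
    if len(pw) < 12:
        reasons.append("is shorter than 12 characters")
    return reasons


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing effort: length * log2(size of the character pool used).
    This is what simple online checkers compute, which is why they mislead:
    'password' scores about 37 bits here but is guessed on the first try."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def generate(length: int = 16) -> str:
    """Random password from the OS CSPRNG, as a password manager's generator does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weak_reasons(pw):  # re-roll the rare draw that happens to contain a name or year
            return pw
```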
The alternative to LastPass is a free, open source bit of software called KeePass. The reason I use LastPass instead of this is convenience. All LastPass passwords are stored online and synchronized among all the computers you use. You can achieve similar convenience with KeePass, but it is not quite as easy. The major benefit to KeePass (in my view) is that, being open source, any qualified person can examine the code and ensure it is not doing anything suspicious or leaving security holes. And many programmers do keep a close eye.
Facebook is one of the (if not the) premier social networking sites on the internet. And like its creator, it has a questionable philosophy when it comes to your right to privacy. You see, the more of your personal information they know, the more they know about your browsing habits, the more they know about your offline habits and your likes, the more valuable they are as a company, because they can sell very specific data to any purchaser in an effort to allow those purchasers (mainly advertisers) to determine what to sell you.
For most people, particularly younger people who aren’t appalled at the thought of someone else knowing everything about them, this may not seem a big problem (until you are first bitten anyway). For the rest of us, there is Facebook Blocker.
Facebook Blocker doesn’t stop you from browsing Facebook at all. It also doesn’t stop you from logging into any site using your Facebook credentials. What it does is stop Facebook from tracking you across the internet using various methods (mainly cookies). Have you ever noticed that there are some sites encouraging you to “Like” them and showing you the pictures of some of your friends who have already “Liked” them? Ever wonder how that site knows who your friends are? Isn’t it a little freaky that they do? Want to stop that from happening with little or no loss of convenience?
Use Facebook Blocker!
As usual, I was prompted by something to post this (and no, it wasn’t yet another forwarded message from someone); it was this post from Cracked (a humour site, but often the writers of interesting articles which have to be taken with large spoonfuls of salt). It occurs to me that many of my friends and relatives (and this is really the group I am writing this for) aren’t overly familiar with the things to watch out for and need a bit of a primer (or some links to click on quickly and be done).
This writer explains the 25 most common email security mistakes. I think it’s a good read, but it’s a little beyond what the audience of this post requires.
Last Wordy Bit
Unfortunately, although I’ve outlined a number of steps you can take, there is no add-on that will beat being vigilant and smart. It is shocking the number of personal things someone can find out about you online. And it may not even be your fault. If one of your friends uploads a photo of you and tags it with your name, anyone around the world can easily find out what you look like. The same goes for your children and other family.
You can’t be sure anymore that anyone approaching you who might be familiar with your history and family is actually a “friend”. This means we have to be a lot more suspicious about everything. But here’s the silver lining; as easily as a stranger can google you, you can google them (and anything they are selling or promising). And if something makes you suspicious, even if you google it and aren’t successful, ask someone else you trust, in person. It’s tedious, but it ain’t rocket science.
- Get a couple of free email accounts which you will use when any website you don’t trust implicitly asks you to sign up for something that isn’t really important. Or use bugmenot.
- Never forward an email to more than 2 people without using BCC. This is why.
- Don’t Click On Unsolicited Links or Attachments. It’s not smart.
- Very smart people have been taken in by fraudulent schemes sent via email. If it sounds too good to be true, it is.
- Read up on email etiquette. It never, ever hurts to know how to do things the right way.
The List – Browsing Sensibly
- Get Mozilla Firefox (my personal preference), Google Chrome or Opera. See why here.
- Ad Blocker: For Firefox, For Chrome, For Opera. Here’s why you need one of these.
- Secure Browsing: Only for Firefox at this point unfortunately. I think it’s important.
- For passwords use LastPass. You really should read why.
- Do yourself a favour and stop Facebook from tracking you. This is sensible, not paranoia, and I promise, it won’t inconvenience you.
I know it’s all a lot to take in. But run through this post and you won’t need to worry as much about some idle or malicious person successfully attacking you. Governments now, that is another story. But if you need to worry about someone with government resources attacking you, then I’m afraid this blog post isn’t for you.
Hope I’ve been of a little assistance. If not, all reasonable requests for refunds will be entertained.