Thursday, May 3, 2012

The 15 Commandments of Computer Safety

The Computer Gods hath spake unto us these divine commandments, saying:


1) Thou shalt have complex passwords

Your passwords should look truly random. It should be a minimum of 10-15 characters long, contain upper case letters, lower case letters, digits, and (if possible) special characters. There should be no dictionary words in it.

There are two password managers I can recommend that will automatically do this for you and you will be oblivious to what your actual password is. They are LastPass and 1Pass4All. This will make life easy for you. You still need to make your master password very strong using these services. There is a wonderful password checker at howsecureismypassword.net.

2) Thou shalt not have the same password on more than one website

Never, ever, ever, ever, not ever have the same password for more than one website. There are no exceptions to this rule. There are numerous SAFE ways of not having to remember the actual password for each website. LastPass, mentioned above, is a watertight password manager that uses servers to store your keys in the cloud. However, your passwords are encrypted and decrypted locally. 1Pass4All allows you to have one password for all your websites. It simply runs your password through a complex hashing algorithm that's specific to each website.

Finally, you can come up with your own algorithm. For instance, you could assign each letter of the alphabet a specific three-character alphanumeric string, and use the first three letters of the URL address as your password. Or the last three. Or whatever. Come up with your own solution that takes into account the website URL as part of the password. Make it hard to figure out in case someone hacks one of your accounts.

3) Thou shalt not type your password

You should never type your password for your bank account. This is because there could be a software-based or hardware-based keylogger on your machine. LastPass and 1Pass4all can both fill out the password field automatically, so it is a non-issue with these. But if you must type your password, simply type the characters out of order, using the mouse to move the cursor at some point while you're typing. Or you can use an on-screen keyboard. On a windows computer go to Start → All Programs → Accessories → Accessibility → On Screen Keyboard. Linux also has an on-screen keyboard under Preferences -> Universal Access.

A copy+paste of your password from a file on a USB isn't 100% secure. It's possible that a piece of malware could have access to your clipboard data or the file. Also, storing your passwords without encryption would be a bad idea.

4) Thou shalt change your password often

Many times websites' databases will get hacked and will contain improperly hashed passwords. When passwords are stored on a webserver as hashes, they can be cracked in time with high power computers. If you change your passwords every 1-6 months you will be much less vulnerable to these breaches. You create a moving target for a would-be account thief. If your passwords are strong enough, it will take someone more time to crack it than a weak password, but it can still be cracked. By changing passwords often you make it virtually impossible for someone to keep up within the timeframe. Conversely, by never changing your passwords you allot them more time to crack your password from a password hash.

5) Thou shalt secure thy operating system

Run a supported version of Linux or BSD, if at all possible. If you need to use Windows applications you can still run them inside a virtual machine. If you must run Windows or Mac as a full time environment, keep it patched (security updates), do regular virus scans, and keep abreast of security news for that OS (operating system). If you don't know what an operating system is, you probably shouldn't be using the Internet.

6) Thou shalt keep thy browser and plugins patched and up to date

What browser are you running? Is it the latest version available? It better be. Do you know what plugins you have enabled for that browser? Are those up to date as well?

To check the browser version go to "Help → About" (Firefox and IE) or just "About" (Chrome). To see what plugins are enabled in Firefox, open up a new tab and type “about:plugins” (without the quotes). To check if those plugins are up to date go to mozilla.org/en-US/plugincheck/. To see what plugins are enabled in Chrome type “chrome://plugins/” (without the quotes). It should automatically list which plugins need to be updated. Internet Explorer does not have a sufficient built-in plugin checker (correct me if I'm wrong), but Mozilla's plugin checker should work, although it is very limited with IE.

7) Thou shalt know thy browser settings

For instance, when I close out my Firefox session, it automatically clears out all browsing history, download history, active logins, cache, saved passwords, and offline website data. I keep cookies and form history enabled. I set it to automatically block reported attack sites, web forgeries (phishing sites), and automatic add-on installs.

There’s a Firefox add-on called “HTTPS Everywhere” that forces Facebook, Twitter and popular websites to use secure log-in pages. Another great add-on is NoScript. It keeps website scripting under control. It is very annoying the first week of use, but after you whitelist all of your most commonly used sites it's well worth the trouble.

If using a public computer, always use private browsing mode. In Firefox go to "Tools → Start Private Browsing". In Chrome go to "New Incognito Window".

Again, know how to use your browser.

8) Thou shalt guard their email account with their life

This means don't let friends or family have access to your email account that's associated with your bank accounts. Change your email password 1-6 months or any time you have suspicion it might have been compromised.

If someone has unrestricted access to your email account, they are more than halfway there if they want to ruin your life. Most banks even offer to reset passwords through your email account and some other rudimentary personal information. Yikes!

9) Thou shalt not follow links provided in emails

We've all heard this one before. Just enter the address using bookmarks or your keyboard (making sure not to mis-spell the URL).

10) Thou shalt know how to identify an institution

Phishing continues to be one of the primary ways people get hacked. There are several ways to identify a website. Google, Facebook, and banks with online access all offer https access. Keep in mind this is not always by default. Sometimes you have to type in the “s” part of https manually. When their secure page is displayed, you can click on the left side of the URL address bar (right side for Internet Explorer) and it will display identity information for that website including third party SSL validation, encryption specifications, and the date of last visit. Also, most banks invoke a SiteKey for mutual authentication.

11) Know thy public WiFi dangers

Check your WiFi connection before connecting. If it's WEP or open access, it's totally insecure. If it's WPA2, it might be secure. To make a WPA2 connection completely secure you must (a) not broadcast its existence publicly (to keep a low profile), (b) use a unique SSID (to protect against rainbow table attacks), and (c) use a long, complex and unique password (the most important step).

Any information that you don't want in a stranger's hands should be encrypted when using a public WiFi connection. This means that all URLs should be https and not http. Also, if a clandestine hacker is lucky enough to have access to a forged SSL certificate, know that you could be the victim of a man-in-the-middle attack. In this case your banking session or whatever would be encrypted, but it would be going through that person's laptop and he/she would be accessing your bank on your behalf. That's a very bad situation. The only way to protect against a MITM attack is to stay on top of the news regarding forged SSL certificates, not something the average person is willing to do.
Another consideration when using a public WiFi connection is to use a VPN (virtual private network). This allows for anonymous, secure web browsing in public locations.

12) Thou shalt monitor their logged on locations

Many websites supply this information at the bottom of the page or on the log-in page. If you suspect foul play, check your settings and then reset your password immediately.

13) Thou shalt not download illegal content

Anytime you download illegal content, you're asking to get hacked. If you absolutely can't live without pirating something, do it in a virtual machine and don't ever use the file on the same OS (operating system) you do your banking with.

14) Thou shalt secure all sensitive computer data

If someone gave me a computer to I hack, I could clone the drive in an hour and read the files without having that person's administrator or user password and return it without them knowing. What about if a trojan/virus had access to your file system? What data could they plunder?

The only acceptable way to store sensitive data on a machine is 256-bit symmetric AES encryption (minimum). Personally I use 4096-bit asymmetric PGP encryption. Some people prefer to encrypt the entire file system rather than just the files that need it. You can also encrypt emails before sending them and use encrypted chat rooms to communicate. If you keep your backup data in “the cloud,” encrypt your data before sending it out. If you live in a country where encryption is legal, use your rights! If you don't, well there's always TrueCrypt.

If you delete a sensitive file, make sure you use a program like Eraser (Windows) or the “shred -fuz” command (Linux). Otherwise it can still be recovered. 

15) Thou shalt add extra security layers

Two-factor authentication (AKA two-step verification) is the new security layer in town and it's here to stay. Google offers it. Facebook offers it. My Chase credit card offers it. It essentially does not allow someone to get to the page where a would-be hacker can guess your password unless they also have unrestricted access to your cell phone and/or email account. Once you log in from a computer, the website will remember that computer for 30 days (if you want it to). The process repeats every 30 days. This process automatically phases out computers that you don't use anymore.

Also, make sure your security questions are next to impossible for anyone to guess, including law enforcement, who might have access to your mother's maiden name, previous addresses, etc. FYI Sarah Palin's email account got hacked this way. If Sarah Palin had multi-factor authentication and strong security questions, she would have been safe. Google is one of the few websites that lets you type in your own security questions and answers. This can be a great thing or a terrible thing if used improperly.


1 comment:

  1. Most people are into computer use because of the advantages that come with it. Definitely the tips you shared in this post will make it possible for a worry-free user experience to be guaranteed.

    ReplyDelete