Friday, October 23, 2015

15 Must-Dos to Stay Safe Online


I’ve worked in Information Technology since 1995 - when email was new and exciting, 3.5" floppy disks were tiny, essential commodities, and iPhones were only a tiny spark in Steve Jobs's brain.  The last 20 years have seen a tremendous and inspiring explosion of innovation, connectivity, and advances.  I love technology.  Unfortunately, along with this brilliance come increasingly dark pitfalls and dangers, and too many people are not paying attention.

I've held various IT positions in my career, but working in IT Security has given me a healthy dose of technological paranoia after seeing firsthand how easy it is to be compromised.  Frankly, you should be paranoid too.  Also, as demonstrated by all of the large-scale company hacks lately (Target, Sony, eBay, and so on, ad infinitum), we clearly cannot rely on companies to manage security on our behalf.  We must take ownership and do our part to prevent the loss of our identity, safety, and personal data.

I can't emphasize enough how easy it is to get hacked.  A barely competent teenager can run a simple program from their basement allowing them (in 5 easy steps!) to create a malicious PDF that, when opened, lets them turn on your webcam and watch you.  I’m not exaggerating - take for example what happened to this couple who were spied on as they watched TV.  Super creepy.  More sophisticated cyber criminals write malware that infects your computer, gathers your personal data, and sometimes networks itself to other infected computers, making it part of a botnet.  The criminals sell your data on the darknet and use the botnet to do all kinds of malicious things - like sending millions of spam emails with malicious links, or sending so much traffic to a website that it’s overloaded and shuts down (called a distributed denial of service attack, or DDoS).  To put the size in perspective, in February European law enforcement took down a botnet called Ramnit that had 3.2 million Windows computers in it.  That's just one of hundreds of botnets in the wild.

All that, and all you did was open an email, click a link, or open a PDF.  That's it. You're owned (or pwned as the nerds say).

That’s a bit of hyperbole as there are of course other ways to get compromised, but it’s a big one.  There is only so much technology can do to prevent compromises because good cyber criminals are as proficient at hacking humans as they are at hacking computers.  They do this by preying on our gullibility and taking advantage of our trust, greed or altruistic impulses.  Human error is still the biggest reason we get hacked.

So to address the areas where we are most at risk (and in honor of Cyber Security Awareness month), here is my list of 15 essential things every user of technology must do to keep as safe as possible online.  There are certainly more, but if you are not at least doing these 15 things, you are at significantly higher risk.  I will go into a little bit of detail on each one, so while this will be a long post I feel it’s important to have it all in one place.  Alternatively, you can just read the list below and call it good.

The odds are never in our favor, so let's improve them where we can.  Here they are:

1.   Stop clicking on links and opening attachments without thinking.  Seriously.  Stop it.
2.   Update, update, update.  Keep all operating systems and applications updated regularly – especially internet browsers, Java, and all things Adobe (Flash, Reader, Acrobat, etc.).
3.   Run antivirus (yes, even on Macs).
4.   Run anti-malware (yes, even on Macs!).
5.   Be smart about passwords, and use two factor authentication where possible.
6.   Never email sensitive personal information (and don’t divulge it over the phone).
7.   Always check for http"S" when shopping or entering in sensitive data online.
8.   Malvertising is a thing.  Block popups and use an Adblocker.
9.   Keep your firewall on.
10.  Social Networks – lock them down and be smart about what you post.
11.  Be wise about Wifi (and your own personal home networks).
12.  Secure your phones and tablets.
13.  Review default device, OS and application settings - turn off ones that affect security and privacy.
14.  Physically secure your devices, back your data up, and use disk encryption.
15.  Be generally privacy aware.



1.  Stop clicking on links and opening attachments without thinking.  Seriously.  Stop it.
This is #1 because no matter what else we do to try to protect ourselves, we are our own worst enemy.  This is a wide attack vector for hackers and we need to be WAY more cautious than we are.  This goes for email, Facebook links, weird-looking website links in Google, and so on.  Many websites exist for the sole purpose of infecting your computer with malware, often using "drive-by downloads", so all you have to do is visit the page once and it’s over.   Sneaky hackers will also craft malicious links that pretend to be legitimate, so that you go to their website without knowing it.  What to do:
  • Be patient.  Before opening any email, see if you recognize who it is from. If you don’t recognize it, or it is from someone you know and it has a strange subject, DON’T OPEN IT.  Just delete it.
  • Never open an attachment of any kind unless you are expecting it.  Be especially wary of PDFs.
  • Always hover over links to see where they are really going.  For example, I can easily craft a link whose text looks like it is going to RealStrongSmart.com, but if you hover over it, you can see it is really going to badwebsite.com.
  • Turn off automatic downloading of pictures.  Pictures can be just as unsafe and should not be downloaded from people or companies you don’t know.
  • Beware of urgent language – I saw a spam email recently that said, “Why did you sue me?  Here is the subpoena!”  Tricksy, tricksy.
  • You can check a website’s reputation using a site like URLvoid.com.  Enter the website you want to visit, and it will tell you whether it has been reported as malicious.
  • If they are using a URL shortener like tinyurl, bit.ly or goo.gl, you can (and should) copy and paste the link into http://untiny.me and see where it is really going (bookmark it!).  It’s a couple of extra hops, but it’s worth it.
  • Remember, free stuff is never really free.  (This goes for free or found USB drives/CDs as well – don’t put just anything in your computer.)
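As an added example (not code from the original post): a small Node.js script that mechanises the "hover and compare" habit from the list above. It takes pairs of visible link text and real href (a constructed sample is embedded), flags links whose text names one site while the href goes to another, and flags links routed through the shorteners the post mentions. The sample links and the badwebsite.com / evil-example.net hosts are made up for illustration.

```javascript
// Added example, not code from the original post: mechanise the "hover over the
// link and compare" habit. Given link text and href pairs (constructed sample
// data below), flag links whose visible text names one site while the href
// points at another, and links that pass through a URL shortener.
// Assumes Node.js, where the URL class is a global.

// Constructed sample: what a user would see vs where the link actually goes.
const SAMPLE_LINKS = [
  { text: "RealStrongSmart.com", href: "http://badwebsite.com/login" },
  { text: "https://www.example.com/account", href: "https://example.com/account" },
  { text: "click here", href: "https://www.example.com/" },
  { text: "paypal.com", href: "https://paypal.com.evil-example.net/verify" },
  { text: "bit.ly/abc", href: "https://bit.ly/abc" },
  { text: "broken link", href: "not a url" },
];

// Shorteners named in the post; the destination is hidden until you expand it.
const SHORTENERS = new Set(["tinyurl.com", "bit.ly", "goo.gl"]);

// Something that looks like a hostname: one or more labels, then a TLD.
const DOMAIN_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i;

// Pull the first hostname-looking token out of visible link text, if any.
function hostInText(text) {
  const m = text.match(DOMAIN_RE);
  return m ? m[1].toLowerCase() : null;
}

// Lower-case and drop a leading "www." so example.com equals www.example.com.
function normalizeHost(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// True when the href host is the named site or a subdomain of it.
// paypal.com.evil-example.net is NOT a subdomain of paypal.com, so it fails.
function sameSite(textHost, hrefHost) {
  const a = normalizeHost(textHost);
  const b = normalizeHost(hrefHost);
  return a === b || b.endsWith("." + a);
}

// Classify one link: "ok", "mismatch", "shortener" or "unparseable".
function checkLink(link) {
  let url;
  try {
    url = new URL(link.href); // throws on malformed hrefs
  } catch (e) {
    return { ...link, verdict: "unparseable", reason: "href is not an absolute URL" };
  }
  const hrefHost = normalizeHost(url.hostname);
  if (SHORTENERS.has(hrefHost)) {
    return { ...link, verdict: "shortener", reason: `destination hidden behind ${hrefHost}` };
  }
  const textHost = hostInText(link.text);
  if (textHost && !sameSite(textHost, hrefHost)) {
    return { ...link, verdict: "mismatch", reason: `text names ${textHost} but href goes to ${url.hostname}` };
  }
  return { ...link, verdict: "ok", reason: "" };
}

// Everything worth a second look before clicking.
function suspiciousLinks(links) {
  return links.map(checkLink).filter((r) => r.verdict !== "ok");
}

for (const r of suspiciousLinks(SAMPLE_LINKS)) {
  console.log(`${r.verdict.padEnd(11)} ${r.href}  (${r.reason})`);
}
```

A link whose text is a plain phrase ("click here") cannot be checked this way; you still have to hover and read the destination yourself.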

2.  Update, update, update.  Keep all operating systems and applications updated regularly - especially internet browsers, Java, and all things Adobe (Flash, Reader, Acrobat, etc.).
Most viruses and malware are built to exploit specific vulnerabilities in software that already resides on your computer.  According to the CSIS, 75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching/updating.  Internet browsers top the list of most vulnerable applications (per GFI), which makes sense as they are a primary gateway for information flowing between your computer and the digital world.  Internet Explorer was by far the worst, followed by Chrome, then Firefox.  After browsers, Adobe Flash and Oracle’s Java are by far the most commonly exploited applications.  What to do:
  • Update as soon as possible whenever there is an update.  This goes for operating system updates and application updates.  If you are not good at remembering, turn on automatic updates.
  • Uninstall software you do not need.  I personally uninstalled both Flash and Java from my system and use Chrome (which has Flash built in) if I ever absolutely must use it to see content on a website.

3.  Run antivirus software (yes, even on Macs).
Antivirus is a must-have.  It is good at what it does – catching the low-hanging fruit and protecting you from the stuff that has been in the wild for a little while.  It doesn't catch new stuff very quickly, but if you are not running it, consider yourself unvaccinated: you could catch an easily preventable virus.  There is also an idea out there that Apple computers are not vulnerable to viruses and malware.  This is simply untrue.  Yes, they have a smaller market share so they aren’t targeted quite as much, but there are definitely viruses and malware out in the wild just for OS X.  What to do:
  • Install and run antivirus.  Most Internet Service Providers (ISPs) provide free antivirus for their customers – it is in their best interest to have clean computers on their networks – check their website for the download, and if you can’t find it, call them and have them walk you through it.


4.  Run anti-malware software (yes, even on Macs!).
This is just as important as antivirus and is often overlooked.  It is meant to catch malware that is too sophisticated for antivirus, like worms, Trojans, rootkits, spyware, etc.  In December 2014, Kaspersky Labs reported that it is finding 325,000 new malicious files EVERY DAY.  So you are on the losing end of the statistics and need all the help you can get.  What to do:
  • One of the more popular apps (and my recommendation) is Malwarebytes, though Spybot is good too.  It is free, so download it and set it up to scan often.
  • You can also buy even better protection with Malwarebytes Anti-Malware Premium, and get an instant real-time scanner that automatically prevents malware and websites from infecting your PC.  This is worth more than the $25/year they are asking.


5.  Be smart about passwords, and use two factor authentication where possible.
Passwords are the keys to your private online kingdom and should be safeguarded as such.  The problem is that most people are lazy, often using one password for everything, or short, easy to guess passwords. Short, uncomplicated passwords are easy for hackers to “brute force” in a matter of seconds.  This is the one area we control 100% and we must start taking better responsibility for them.  What to do:
  • Use more complex passwords with a minimum of 12 characters, and include three of the four basic character groups: upper-case, lower-case, numbers and special characters.  Passphrases are even better.
  • Don’t use personal information, usernames, and easy dictionary words.
  • Do NOT use one password for everything.  Using a unique password for every website minimizes your risk as we see company after company get hacked and lose your usernames and passwords.
  • Use a password safe like KeePass, which will do your remembering for you. It uses keyboard shortcuts for ease of copying and pasting, and its database is encrypted.
  • Don’t store passwords in your browser: the browser's password store is not encrypted, and if your browser is ever compromised (which is likely, see #2), then so are your passwords.
  • Don’t use your passwords on a public computer; such machines are not typically monitored and often have malware with keyloggers.
  • Use two-factor authentication where possible.  This means if a site can send you a text message or email to confirm that it is you, do it.  It is MUCH harder for hackers to defeat this method as they rarely have access to both forms of identification (your password AND phone, for example).


6.  Never email sensitive personal information.
Consider email the same as sending a postcard.  Would you write your SSN on a postcard, drop it in the mail and hope it doesn’t get seen?  No.  Well, you shouldn’t email it either.  It is ridiculously easy to “sniff” network traffic and see unencrypted data being sent.  Who on earth would bother sniffing your little network, you wonder?  Maybe no one (at the moment).  But who might be sniffing the network at the bank or title company you are sending your personal data to?   Potentially quite a few more people.  What to do:
  • NEVER email W2s, tax statements, bank statements, credit card numbers, passwords, or mother’s maiden names (or other security question type data).
  • If it is necessary to share sensitive information with a third party, always call the recipient yourself and give it over the phone.
  • If you absolutely must email a sensitive document, then please zip it up with a lengthy passphrase (choosing the AES option rather than the legacy ZIP encryption if your tool offers it) and call them with the passphrase.  This is not ideal either, but it is better than sending it plain.
  • Also be wary of anyone that calls and asks for your sensitive information, most legitimate institutions will NOT do that.


7.  Always check for http"S" when shopping or entering in sensitive data online.
You would be surprised how many familiar, “credible” websites don’t use https when checking out.  It is absolutely essential to take ownership of this and check every time – you will usually see a lock to indicate it as well.  If they don’t have it, don’t use it!  That pair of shoes is so not worth it.  What to do:
  • Don’t ever submit your credit card unless you see the “https” at the beginning of the URL.  Make it a habit to check every time!
  • Don't store your card details on websites.   It is inconvenient to have to enter them every time, but if your card is never stored in their database, then it can’t be stolen from there.  Instead, try memorizing it if you shop online a lot.
  • Use credit cards instead of debit cards (but only if you will and can pay them off every month).  This way if you are ever compromised then they don’t have access to your checking and savings accounts. It’s much easier to dispute charges with the credit card company than try to get money back that was already taken out of your account.
  • Check your credit report at a minimum annually and check for irregularities.

8.  Malvertising is a thing.  Block popups and use an Adblocker.
Unfortunately, ad networks are rife with malware, and it is so tricky because ads change all the time.  The worst part is you can visit a legitimate website and as the ads load it suddenly becomes malicious and your computer is owned.  For example, in 2014, malicious ads on websites like Disney, Facebook, and The Guardian were the leading way people got one of the worst kinds of malware you can get, ransomware (where your files are encrypted and you have to pay a ransom to have them decrypted).  It’s problematic because ad revenue is also what supports so many free sites, and there aren’t any easy answers.  What to do:
  • Install ad blockers in your browser.  Ad Block is among the most popular.  Ad blockers are now on your mobile devices as well and should absolutely be used there too.
  • Set your browser to block popups.
  • Some sites are asking you to whitelist them in the Adblocker, and if you decide to support them you can and should do that, but only if you are running antivirus and malware protection like I mentioned in #4.


9.  Keep your firewall on.
This is another basic must have. Firewalls help prevent unauthorized communications from coming in or leaving your machine.  If you ever run into issues with it, it is worth the time to troubleshoot so you can leave it on.


10.   Social Networks – lock them down and be cautious about what you post.
Social Networks are a hacker’s dream and should be used cautiously.  You should absolutely set your profile to friends only and check all of the settings, and check them often (because they change them often).  If there is no privacy setting (like on a forum), then just be very careful what you post.  Why does it matter, you ask?  Check out this story about a mom fighting with a website that downloads pictures of other people’s kids to use them in an adoption role-playing game on Instagram.  Or even creepier:  Scammers posing as expectant mothers steal pregnancy photos for porn sites.  What to do:
  • Unless you are a public persona or company, ensure your privacy settings are set to only share with friends.  It also helps prevent people from stalking you to learn as much as possible, making it easier to steal your identity.
  • Even once you are locked down, still be wary of what you post.  For example, mentioning that your entire family is out of town on a great vacation (and thus your home is nice and empty) is still a risk even if you trust all of your friends.  You may trust all of your friends, but what about your friends’ friends?  Once a friend likes it, everyone in their friends list will see it too.
  • Be wary of how much personal information is displayed – do not provide phone numbers, addresses, or full birth dates on your profile.  Identity thieves use birth dates as cornerstones of their craft.
  • If you are on a social site that is public, do not post pictures or information you wouldn’t want out in the wild.
  • Think carefully about whom you accept as friends.
  • Don’t allow search engines to find you (typically a setting in your profile).
  • Do not be lured into sharing your information (and thus your friends’ and company’s information) with any application or person that asks for it, even if they are a “friend”.
  • Many Facebook apps share your data, so delete any that you don’t remember installing or just stop using them.
  • If you have a public site, watermark your photos.  There are many examples of personal photos that are taken and used for cruel memes,  or to promote products you have never used.


11.   Be “Wise about Wifi” (and your own personal home networks).
There are so many wifi networks now, and people are always trying to find ways not to use their data plans, to do work when traveling, and so on.  But it is important to be smart about it – it is often better to just update your data plan than to join every wifi you see.  What to do:
  • Be very careful on any public Wi-Fi networks, and never connect to anything called “Free Public Wi-Fi”.  That is almost always someone unsavory that has created a hotspot just to spy on people once they are on their network. If you DO connect to a public WiFi at a coffee shop or something, be sure to set your system to forget it when you leave.
  • Keep WiFi turned off except when you need to use it, and don’t set it to automatically connect to networks.
  • Enable WPA2 on your home WiFi network, and use a strong password.
  • Hide the SSID (your network name) on your home network, i.e. create a hidden network. Joining it will be a slightly different process then because people will have to know the name of the network in order to find it.  It is still possible to detect WiFi signals with a device, but the folks driving around looking for unsecured networks will go for the ones that are visible, easy targets first.  Yes, there are people that do that.
  • You can also do MAC filtering, and only allow specific machines onto your network (by entering their unique network adapter identifier, called a MAC address).  Note that a MAC address can be copied by anyone who can observe your traffic, so treat this as an extra hurdle rather than a lock.


12.   Secure your phones and tablets.
Our mobile devices are ubiquitous and we spend lots of our time online using them…and hackers know it.  More and more malware is being written specifically for iOS and Android, so the same caution you use browsing at home should be used browsing on your phone.  There are other things you should secure as well.  What to do:
  • Set a passcode (preferably a password) and change it often.
  • As mentioned earlier, use an adblocker.
  • Be cautious of the applications you install. This is particularly true in the Android app market, but Apple’s isn’t perfect either.
  • Turn off Bluetooth when you are out of your home until it's needed.  It is annoying to turn it on and off, but it is easy to compromise if you are in reach.  For iOS, set AirDrop (which uses Bluetooth) to Contacts Only.  If you need a reason to change these settings, see how not to be cyber-flashed on your iPhone.
  • Turn off Siri or Cortana on your lock screen.  This has been a significant attack vector ever since it was created, and if anyone ever gets their hands on your phone there are lots of ways to get into it if that is enabled.
  • Turn on “Remote Wipe” for mobile devices. This lets you erase all the data off of a device if it is lost or stolen.


13.   Review default device, OS and application settings - turn off ones that affect security and privacy.
Never take an application or device right at face value.  Always, always, always go through the settings.  Operating system settings, device settings, application settings.  It is worth the time to learn what your options are and what the apps are trying to do.  Most of the time the “defaults” are set to provide as much information as possible to the companies providing you with the system/device/app.  Turn off anything that seems like it might affect your data and privacy if used the wrong way, and err on the side of caution.  I’ll mention some of the bigger ones I watch out for.  What to do:
  • Allow location services to only be on for apps that really need it (like Maps).  Otherwise you are providing information about where you are all the time and you don’t always know who’s checking.
  • Turn off ad tracking, so your every site and purchase isn’t tracked.
  • Review what applications have access to your contacts, and only allow the ones that absolutely need it.
  • Turn off geo-location tagging for photos.  This tag allows anyone to see where you were when you took the picture, and it is embedded forever.  For an insane example of why this is important, check out I Know Where Your Cat Lives which, as Sophos puts it, could as easily have been called “I know where your kid sleeps.”  Eeek.
  • Cloud sharing – be very careful what you put out in the cloud and be aware of what apps are sharing what, and where; always check for encryption and privacy policies.
  • Windows 10 – a privacy nightmare.  If you have it, go through all the Privacy settings and turn off as much as possible.  Here’s an article that goes through some of the issues, including horrible features like Wi-Fi Sense.


14.   Physically secure your devices, back your data up, and use disk encryption.
This seems obvious, but it is important to physically protect our mobile devices.  Don’t leave your phones or laptops where they can be stolen.  That said, sh*t happens: lost phones or stolen laptops can happen to anyone.  When or if it does happen, you will feel much better about losing your data if you have protected your device with disk encryption and if you have backups.  What to do:
  • Turn on disk encryption - both Windows and Mac OS X have encryption built into the operating system.  Be sure to set a long passphrase, and write it down somewhere safe.  When you can, set the encryption to erase all data after 10 failed attempts at entering the passphrase.
  • Back up your data.  Most operating systems have built-in backups to a drive, but nowadays it is so easy to back your data up to the cloud, and services like Backblaze let you store unlimited data in the cloud for just $5/month.  So even if your house (and backup drive) burns down, you’ll be protected.  I personally back up to both a local hard drive and an encrypted online cloud provider.  Whatever you choose (Google Drive, iCloud, etc.), make sure the upload process is encrypted also (https).
  • As far as physically securing your devices: don’t leave your devices visible in cars (the #1 way they are stolen), unsecured even in hotel rooms, or even sitting on the library desk while you run to the restroom.  Try to think like a thief.


15.   Be generally privacy aware.
It is important to be aware of privacy matters and to know what is out there about you.  There are always arguments about being too paranoid - what could really happen?  Ask the 12,157,400 US identity fraud victims/year.  You need to make sure you are not publicly sharing anything that someone trying to steal your identity could use, or that could be used against you if the data were stolen from the company.  We’ve talked about locking down social media and turning off location settings, but if someone got your name and address from a hack (like the millions in the Target breach), what else could they find out about you?  What to do:
  • Google your name, email addresses, and common usernames periodically.  If they show up anywhere you do not expect, take some time and have them taken down. Eventually Google will stop showing the results (but it takes several days sometimes for their cache to clear).
  • Opt out of “people search sites”.  A couple of examples of big ones: go to www.peoplefinders.com/manage/, and on superpages.com you can find your name and then opt to remove your listing.  Yes, most of the data on those sites is public record, but we need to make it harder than a mouse click for people to find.
  • Follow security and privacy news sites to keep up on the assortment of security issues that constantly arise.  You may have noticed I particularly like Sophos's Naked Security, but there are others, or even just check in on any major news network's tech columns.  Just try to check in every once in a while.



Begonia means Caution

In the language of flowers, Begonia means Caution.
Photo credit: Janine, Wikimedia Commons
