Online Security

Online security threats seem to be in the news almost every single day, with this company or that company having its data hacked. But how safe is your personal data, and what should you do to ensure your personal online security?

With recent scares such as the Heartbleed vulnerability and the increasing threat of ransomware, it is important to ensure your online presence is safe.

Recently Symantec (the people behind such programs as Norton Internet Security) said that in 2011 there were 403 new types of malware created – that is an increase of 41% on the previous year. Additionally, they said that there are an estimated 4500 web-based attacks each day. [Symantec 2011, http://www.symantec.com/threatreport/]

Online security has never been more important.  But what are the threats and what can you do about them?  How can you ensure your own personal online security?

Online Security Threats

This isn’t meant to be an exhaustive list; there are many other threats, but these are the ones I have chosen to highlight.

VIRUSES

Viruses are perhaps the best known of all online security threats.  A computer virus is a computer program that can replicate itself and spread from one computer to another.[http://en.wikipedia.org/wiki/Computer_virus].

Don’t mix up viruses with malware, spyware etc – these aren’t self-replicating as a virus is.

At the very least, a virus is designed to make changes to your computer settings; at the other end of the spectrum, viruses can cause serious damage to your computer, including, but not restricted to, deleting an entire hard drive of all data.

MALWARE

Malware, short for malicious software, is software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. [http://en.wikipedia.org/wiki/Malware].

SPYWARE

Spyware is a type of malware (malicious software) installed on computers that collects information about users without their knowledge. [http://en.wikipedia.org/wiki/Spyware].

Spyware can seriously affect your online security.  It attempts to steal your personal information.  Spyware can include keyloggers to record your username and passwords.  These keyloggers then send the information to their creator.

RANSOMWARE

This type of threat is growing in popularity. Ransomware is malicious software that locks your computer and won’t allow you to access it until you have paid an amount of money, or that behaves in a similar way. Another variant of this type of malware displays a message pretending to be from your local police authority stating that extreme types of pornography have been found on your computer; you will be asked to pay a fine immediately via a button on the pop-up. Rest assured, the police don’t send this type of message; unless you know you have pornography on your computer, it is very unlikely you will have any!

SCAREWARE

Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. [http://en.wikipedia.org/wiki/Scareware].

Typical examples of scareware are popups that inform you that your computer has so many thousand viruses. They offer to clean your computer for a fee – by purchasing their software. They are a real threat to your online security as they are a scam: they offer programs to fix your problem that don’t work. The only thing they do is take your money. In the worst case scenario, by purchasing them you are also giving your credit/debit card information to scammers. Most times scareware contains a payload of malware, spyware, viruses etc.

Another scam that is seen often, and that falls under the scareware heading, is the phone call from Microsoft, Windows etc. I personally have seen several people who have fallen for a phone call from “Microsoft” or other companies, including the user’s ISP. The caller informs the would-be victim that their computer is full of viruses. They then offer to take control of the computer to clean it up. Please don’t fall for this! Microsoft, or whichever company these callers claim to be from, simply doesn’t have the time or resources to check your computer for viruses – they don’t make these calls, scammers do!

Recently, I was asked for advice about one such call.  The victim had received such a call, but being a little bit wary asked the company to call back. (In this case, it was Microsoft).  I advised when the call-back was made that the person making the call should be told that the victim had contacted Microsoft and Microsoft had informed them that no such call had been placed.  To confirm what I have said here, Microsoft also said they never make such calls.

The victim did indeed receive the call-back.  In due course, they informed the caller what Microsoft had said.  The caller went mad, totally losing their temper with the victim asking how dare they contact Microsoft, how dare they call them a liar etc.

These are bad people who want to access your computer – don’t let them! Refuse to allow them any access to your computer.

PHISHING

Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. [http://en.wikipedia.org/wiki/Phishing].

Great examples of how phishing is used to compromise your online security are emails you receive claiming to be from your bank.  A careful check of the links in the emails often shows a different domain name to that of your bank.  Also, checking the email headers (file > properties on most email programs) shows that the email didn’t come from your bank.

They will contain requests to confirm your online security credentials etc and include a convenient link to your “bank”.

However, following these links takes you to sites that, whilst they look like your bank, are set up to harvest your bank login details.

Again, be sure to check the sources of these emails and all the links they contain. Most, if not all, banks will not ask you to confirm your security details in this way; if you receive an email asking you to do just that, it won’t be from your bank.

ADWARE

Adware, or advertising-supported software, is any software package which automatically renders advertisements. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during the installation process. The object of the adware is to generate revenue for its author. Adware, by itself, is harmless; however, some adware may come with integrated spyware such as keyloggers and other privacy-invasive software. [http://en.wikipedia.org/wiki/Adware].

So what can you do about these and other threats to your online security?

Internet Security Suites

The first thing to do is to ensure that your computer is protected using a full Internet Security Suite.  Using just an anti-virus program often isn’t enough.  Many of the free anti-virus programs are just intended to search for viruses and often don’t protect against other threats indicated here.

Remember the old adage: there is no such thing as a free lunch. Often security firms will give you a free anti-virus package to advertise their full security suite and for no other reason.

But which one?  What is the best anti-virus suite?  I have my personal preference but a look through the following report will help you to decide:

This report at http://internet-security-suite-review.toptenreviews.com/ is quite an in-depth look at the different Internet Security Suites available.  There are lots of different reviews available on the web to help you choose.  My only advice would be to ensure that you aren’t looking at a site created by one of the companies selling an Internet Security Suite.  It is easy for them to claim to be the best.  Also, try to avoid the “expert” friend in this instance.  We all have friends who will recommend X brand as that is the one they use.  Often, however, their choice has been determined by price, not sound technical understanding.  Often they will opt for the free software.

Check out our earlier blog on virus removal if you want more advice on the subject.

My final advice on the subject of Internet Security Suites is that they are only as good as you are.  Ensuring that they update daily and run a check once a week with a full check being carried out at least once a month is the best way to ensure your online security.

Further, don’t rely on them entirely. Internet Security Suites can be compromised. This will happen if you allow it. Don’t click dodgy pop-up windows that contain buttons – use the Alt-F4 combination on your keyboard to close the dodgy pop-up. Try to avoid the internet underground – porn sites, free music and software sites are great examples of this. By free I mean the sites that offer music & software free that you know shouldn’t be free, or the old five finger discount. You wouldn’t do it in real life, so please don’t do it online either. Visiting these types of sites opens your computer to risks. No Internet Security Suite can protect you from viruses etc that you have allowed to bypass the protection provided.

Passwords

Having a safe password is essential when going online.  Now, just a short word here.  Don’t be paranoid about certain passwords.  If your computer never leaves the house and only you use it, you don’t need to be overly fussy about the Windows password.  However, if you regularly take your computer to a public place or others may use your computer please ensure it is protected by a very strong password.

Any website (or software on your computer) that requires you to enter your personal data should be secured by a strong password.

What is a strong password?  When it comes to your online security the first way to answer what a strong password is would be to look at what isn’t a strong password.  We are all tempted to use a password that is easy to remember – don’t!

A password made up of dictionary words or proper nouns can be hacked within minutes. Most hackers use password crackers that bombard login screens with dictionary words and proper names. Even character replacement terms are easily cracked by these types of software. Character replacement terms are words in which you replace key letters with numbers or symbols; for example, Online Security would become 0n1in3 53curiTy. Password crackers can be set to search for these combinations too.

So what is a secure password?  A strong password will contain 8 to 12 characters, be mixed upper and lower case and include numbers and symbols and importantly be random characters.
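As an added illustration (not part of the original article), the code below undoes common character replacements before a dictionary lookup, which is why 0n1in3 53curiTy is weak, and draws a random password that meets the rules above. The wordlist, the replacement table and the symbol set are small assumed samples.

```python
import secrets
import string

# Tiny constructed wordlist; real checks use lists with millions of entries.
WORDLIST = {"online", "security", "password", "admin", "letmein"}
# Assumed replacement table, mapped back to letters (1 can stand for i or l).
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
SYMBOLS = "!$%&*+-=?@#"

def variants(password):
    """Every lower-case reading of the password with replacements undone."""
    out = [""]
    for ch in password.lower():
        out = [prefix + c for prefix in out for c in UNLEET.get(ch, ch)]
    return out

def dictionary_hits(password):
    """Wordlist entries found inside any reading of the password."""
    readings = variants(password)
    return sorted(w for w in WORDLIST if any(w in r for r in readings))

def weaknesses(password):
    """Reasons the password fails the rules above; an empty list means it passes."""
    problems = [f"contains dictionary word '{w}'" for w in dictionary_hits(password)]
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    if not all(any(c in cls for c in password) for cls in classes):
        problems.append("missing upper case, lower case, number or symbol")
    return problems

def random_password(length=12):
    """Draw characters from the OS random source until the result passes."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate
```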

A good example of a strong password would be sA2fHe8.  Please don’t use this!

You would be surprised how many people have the wireless signal on their router with no password set, or set to something like abc123 or, even worse, password. Leaving your router set with the passwords that came from the factory is a bad mistake; every computer user knows the standard passwords used by router manufacturers. For example, the Netgear username is admin and the password is password.

A great method of choosing a memorable password is to use a pass-phrase.  Recently the BBC’s Chris Jackson for the Inside Out programme investigated online security and suggested the pass-phrase method.  See the short video here.

Basically, the pass-phrase method works like this. You choose a simple phrase that is personal to you. For example (from the video above), my son is 11 years old would be your phrase; taking the first letters from each word you would arrive at msi11yo, then add two letters at the end for the site you are storing a password for, such as Facebook. The above password would become msi11yofb. Add some capitals and a symbol (random) and you may arrive at mSi11yoFb$. That is a great 10 character password that won’t be easily broken as it is personal to you. You don’t need to write down the passwords as you would only need to write a pass-phrase down – this could be easily hidden in a paragraph as a personal note. If you use the same symbol, the only thing you need to remember is the two letter code for each website.

Finally, I would strongly recommend you use a completely new password every six weeks.   If you use the pass-phrase method simply choose a new phrase every six weeks and change each password accordingly.  Whatever you do though, don’t use a password more than once – each site or program should have its own password.

Password Keeper Programs

Some people use a password keeper program to store their passwords.  These are fairly secure and offer you a good means of online security.  They work by storing your passwords in the Cloud and are accessed by a program on your computer or mobile phone.  This program is protected by a password that is only stored locally.  All the passwords contained in the program are encrypted before being placed in the Cloud for you.

The programs mean that you can access your passwords from anywhere as long as you enter your master password – this again isn’t stored in the cloud, only the local computer or phone.

There is no risk of hackers breaking the encryption unless they have access to the device and the master password.

One word of caution, don’t lose your mobile phone if you use a password protection manager especially if you have stored your master password in the phone book as many do!

For a good review of the best password keeper type programs visit PCWorld.  They explain the technology well and offer advice about each of their reviewed programs.

In conclusion, your personal online security is up to you. How secure you are is down to you putting in a good regime, making sure your computer is protected, that you don’t fall for dodgy pop-ups and other scams and making sure you have a good password policy. Change your passwords every six weeks.

This guide isn’t meant to be exhaustive; there are many great guides online if you want more details.

Conclusion

At the end of the day, you can have the best antivirus system and regularly check your computer for an array of malware but sometimes it comes down to plain common sense. Make sure that you don’t open emails with attachments unless you are expecting them (even from your closest friends or family – they may have a virus that is sending itself to everyone on the contact list). Don’t visit sites that may be dodgy – those streaming sites that allow you to watch TV shows or football etc. (apart from the mainstream sites such as Netflix or Sky).

If you have children in the house, it is a very good idea to spend time with them looking at the internet and discussing how important it is to not chat with people they don’t know in the real world. Outside of their friends, it is a good idea to have them ask your permission to add someone – you can easily check who they have been chatting to. If your children are under 16 you have every right to inspect their computer and you should exercise that right. Look at who their friends are in chat rooms or chat programs – it may even be worth finding the folder of this program on your computer and seeing if there is a chat log. No matter the browser, there is always a history of every website visited; check these also – if they have been deleted, be suspicious! Children’s safety online is the parents’ responsibility. Don’t rely on the school to have a chat with your children – you must do it and you must discuss things that you may feel uncomfortable about, otherwise someone else will!

One final thought, the internet is a great place to learn and discuss ideas, you shouldn’t stop your family using it, but you should have very firm rules that the whole family need to stick to.