Security on the Internets
Posted: December 13, 2008 Filed under: Uncategorized | Tags: security
Limit your trust and keep good backups…
Backups
The place to start is good backups. You can’t be sure the bad guys won’t get through your defences, but you can take steps to make recovery easy. Good backups also protect you against a hard drive crash – the failure rate for hard drives is 100%!
External hard drives and backup software are cheap.
- get several USB external hard drives (at least 3) and rotate your backups between them
- do a full backup once in a while (weekly/bi-weekly/monthly) and do differential backups frequently. Ideally do backups daily, but it really comes back to how much you are prepared to lose.
- keep one of your backup disks off-site to cover against theft or fire
- keep backups going back several months. If you get infected with badware and don’t notice for a while, recent backups may contain badware too.
Acronis True Image backup software has saved my bacon on a number of occasions. It can do “bare-metal” restores. All you need to get going again is the True Image CD and your backup disk to do a complete restore.
Your Computer
- Use the latest operating system software for your PC. Windows Vista or Windows 7 for a PC, or the latest versions of Mac OS X or Linux.
- Keep your patches up to date. Turn on automatic updates. Don’t forget to update other software like Microsoft Office, Adobe Flash and Adobe PDF Reader etc.
- Use anti-virus software. AV software is far from perfect, but it’s a lot better than nothing.
- Use a better browser. Don’t use Internet Explorer. Firefox, Google Chrome, Opera and Apple Safari are alternatives.
- If you’re using Firefox, use the NoScript add-on. NoScript maintains a ‘whitelist’ of websites that are allowed to use Javascript. Using NoScript greatly reduces your exposure to web-delivered badware. You have to add the sites you use and trust to run Javascript. But the effort is well worth it.
- If you use Firefox, use ad-blocking software like AdBlock Plus. Many websites that you visit display third-party ads. These ads have been known to deliver badware to users via well-known and trusted websites. AdBlock Plus also makes the Internet much nicer by removing all the flashing, pulsing ads.
- Remove Administrator rights from your Windows login. Keep a separate admin login and use it only when needed. If your account doesn’t have admin rights it’s a tougher target for badware.
- Don’t recycle passwords across web sites – see the password section below.
- Use a personal firewall that controls outgoing as well as incoming connections.
- Only install software on your PC when you trust its source. Never use cracked software. It’s often infected with badware.
- Put your computer in standby mode or turn it off when you’re not using it.
- Laptops, cellphones and PDAs all contain private information. Treat them like a wallet or purse.
- When you do business on a website, check it’s a reputable company. Don’t give out unnecessary personal information.
- Your email software probably will have options to allow Javascript and HTML in emails. Turn both off. Javascript and HTML make it easier for scammers to deceive you or exploit flaws in your software.
- Use anti-virus software that automatically scans your incoming email and attachments.
- Don’t open attachments from untrusted sources. Doubly so for spam.
- Don’t open attachments from trusted sources unless you know the person who sent it was also the author, i.e. the “ha-ha, look at this” type of stuff can spread badware.
- Protect your email account – access to your email account gives access to many other areas of your life. If you use web-based email, like GMail, treat it like your online-banking.
- Banks etc shouldn’t send you email relating to your accounts. Ignore anything from them that isn’t just general advertising. Ignore any email that asks you to click on a link and login to one of your accounts.
- Never click on links in emails.
- You can’t trust the “From” address in any email. Emails are easily forged.
- Delete spam, don’t read it. Never open attachments.
- If you use GMail, there is an option called “Browser connection”. Set it to “Always use https”. Other web-based email services probably have a similar encryption option.
- Delete any emails that contain passwords. Move passwords, account information, domain registration details, etc. into secure storage – see PasswordSafe, below. If your computer is lost or cracked, doing this will greatly reduce your exposure.
Banking
- Always type the url into your browser. Never click on a link in an email or on another website. Don’t use your browser’s bookmarks – malware can rewrite these.
- Logout as soon as you are finished.
- Use a separate web browser for banking. I use Google Chrome for internet banking and a few other secure sites and Firefox for all other browsing. Safari and Opera are other choices.
- Don’t use internet banking unless you need to. Set up long term savings or trust accounts that have large deposits in separate accounts without internet or phone banking access.
- If your bank offers two-factor authentication, like a code sent via SMS, or a code card, use it. It won’t protect you if your PC is infected with malware, or from phishing, but it will stop password sniffing software giving access to your bank account.
- Never do Internet banking from a computer you don’t trust, e.g. from an Internet cafe.
Credit & EFTPOS Cards
- Read the terms and conditions for your credit card. If you follow the rules, you’re probably well protected from fraud. My experience is that if there’s a problem with an internet transaction it is pretty easy to get your money back.
- Stick to reputable e-commerce websites. Check out other customers’ experiences by using Google.
- Only use EFTPOS cards in places you can trust, e.g. banks and ATMs. Hotwired EFTPOS terminals are not unheard of and it’s probably going to be a lot harder to get your money back compared to using a credit card.
Wireless
- Your wireless access-point has built-in security. Turn it on.
- Use a long password – at least 15 characters and not a dictionary word.
- Use the WPA or WPA2 Personal (aka PSK) security option. Select the AES encryption option. Do not use WEP or TKIP options.
- When using a public access-point (e.g. at a cafe), it may be possible for other users of the access-point to snoop on what you are doing. If you use public access-points, it’s vital you have a firewall installed on your laptop.
Passwords
- Make them long – 6 letters is inadequate for anything you care about.
- Don’t use cat’s names, birth dates or anything someone could guess if they know something about you. Same goes for the security questions websites use to let you recover your password – remember Sarah Palin.
- Don’t use dictionary words. Substituting numbers for letters (e.g. l3tt3rs) or miXiNg up the case on dictionary words doesn’t help much, as password crackers will do the substitutions as well.
- Use random letters or a long passphrase.
- Don’t re-use passwords or security questions on different websites.
- Bruce Schneier’s PasswordSafe software is a great way to create and manage passwords securely. Use 1Password on a Mac.
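
The substitution point in the list above, as an added example (not part of the original post): a check that undoes case changes, common number-for-letter swaps and a trailing digit before a dictionary lookup, alongside generators for the random-letters and passphrase alternatives. The word list, swap table and function names are constructed for illustration; a real check or passphrase generator would load a word list with thousands of entries.

```python
import math
import secrets
import string

# Constructed sample word list; stands in for a full dictionary.
WORDS = ["letters", "password", "dragon", "monkey", "sunshine", "mixing",
         "correct", "horse", "battery", "staple", "garden", "window"]

# Common digit/symbol-for-letter swaps, mapped back to the letter.
UNLEET = str.maketrans("0134578@$!", "oleastbasi")


def is_dictionary_derived(password, words=WORDS):
    """True if the password is a dictionary word once case changes, common
    swaps and a trailing run of digits/punctuation are undone."""
    lowered = password.lower()
    trimmed = lowered.rstrip(string.digits + string.punctuation)
    candidates = {lowered.translate(UNLEET), trimmed.translate(UNLEET)}
    return any(c in words for c in candidates)


def random_password(length=16):
    """Random letters and digits from the OS cryptographic RNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=6, words=WORDS):
    """Long passphrase: words picked independently and uniformly."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` uniform, independent choices among `choices`."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    for pw in ["l3tt3rs", "miXiNg", "P@ssw0rd1", random_password()]:
        print(f"{pw!r:22} dictionary-derived: {is_dictionary_derived(pw)}")
    print("example passphrase:", passphrase())
    print(f"6 random lowercase letters: {entropy_bits(26, 6):.1f} bits")
    print(f"16 random letters/digits:   {entropy_bits(62, 16):.1f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
```

The entropy figures only hold when every character or word is chosen at random; a password a person picks and then decorates is covered by the dictionary check instead.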



