Tips for NOT getting Hacked on the Web

Following my TEDxMaui presentation, a great many everyday people have been emailing, Facebook’ing, and Tweet’ing me asking for tips on how to keep themselves safe online. Safe from malicious software attacks, safe from their online accounts getting taken over, and safe from their PC getting hacked. This post is for them.

No one wants to end up like the guy on Flickr who had five years’ worth of photos deleted, like the woman whose personal email box was hacked and held for ransom, or like the thousands on Facebook whose accounts have been taken over and whose friends were scammed for cash, thinking they were helping you out of a jam when really some miscreant was assuming your identity. Perhaps worst of all, like the people whose computers were hacked into and an intruder quietly flipped on their video camera to record their most intimate moments and proceeded to toy with their lives.

Poor economic conditions being what they are, perhaps having your online bank account liquidated by organized criminals may not be all that bad relative to these poor people — even with no guarantee you’ll get your hard earned money back. The reality is all these things and more are painfully common and go largely undetected.

Don’t be fooled for a second into thinking antivirus companies are going to save you, nor a corporation’s generic we-take-security-very-seriously-we-promise-policy, and certainly not law enforcement. These guys get hacked just like everyone else and are completely overwhelmed by billions of dollars lost every year due to online fraud already. They are very unlikely to understand, help, or even investigate your particular situation.

The indisputable fact is that you, and you alone, are the best defense against getting hacked and getting taken advantage of. Keep in mind that getting hacked is not an act of nature like a flood, earthquake, or tsunami. Getting hacked can be avoided. The steps to do exactly that, which I’m going to share with you, are simple, won’t cost you a dime, are sometimes a little unconventional, but they are most definitely effective. These are the same things security pros do to protect themselves. There is no reason why you can’t use them too!


Must-Have Software


1) Upgrade Microsoft Windows or Mac OS X

Outdated software is the enemy of online safety and security. Fortunately this process is easy and you should do this right now, even before reading the rest of this article.

If you use Microsoft Windows…

Fire up your Internet Explorer web browser and visit Microsoft Update. Just follow the instructions on the screen to update your system with the latest software. Next download and install Microsoft Security Essentials, which is their free antivirus software package.

If you use Mac OS X…

All you have to do is click the Apple logo in the top left of your screen, select “Software Update…”, and then follow along.


2) Install a modern Web browser. Better yet, pick two!

You do know what a Web browser is right? Not everyone does. A Web browser is the software you use to surf the Web and visit websites like Facebook, Gmail, and Amazon. Chrome, Firefox, and Internet Explorer are all solid and speedy Web browsers. The choice between them is largely personal preference.

If you already use one of these browsers, great, just make sure you are running the very latest version. Nothing brings a smile to a malicious hacker’s face like a victim with an ancient browser, such as Internet Explorer 6. It’s like a professional car thief walking up to a car without any anti-theft devices installed: gone in sixty seconds.

If you are a Windows and Internet Explorer user, and you performed step 1, you are all set. If you use Chrome, click the wrench in one of the browser windows and select “About Google Chrome.” If you need to update, an “Update Now” button will appear for you to click. For Firefox, it’s the same process as Chrome. Go to the “About Firefox” window, and if you need to update, a button to press will be there.

Next, install a different browser from the recommended list, because you’ll need two for the safest browsing experience.


3) Install ad blocking extensions

If you’ve chosen Chrome or Firefox as one of your Web browsers, you are going to absolutely love ad blocking extensions like Adblock and Adblock Plus. These extensions allow you to surf the Web without ads, which also has the powerful benefit of automatically increasing your security and privacy.

Malicious software often infects computers through the viewing or clicking of online advertisements. When you actually want to see ads, don’t worry, the blocker is really easy to turn on and off whenever you want.

For extra privacy, consider installing either Disconnect or Ghostery extensions. Essentially all online advertisements are “trackers,” which stalk you around the Web profiling your online habits, but not all “trackers” are advertisements. Disconnect and Ghostery block these invisible trackers and aid in protecting your online privacy.


Online Street Smarts

Think of the Web like an inner city. There are some really great places to visit, enjoy nice meals, and hang out with friends. However, as in any inner city with over one billion people, there will be some shady characters lurking around trying to scam and rob you. You have to keep your guard up. The problem is the digital world makes it tough to see and therefore avoid dangerous street corners. I’ll show you how.


4) Your weekend browser and your commuter browser

Many people drive one car every day to work and keep a nicer one in the garage ready for the weekends or a night on the town. Your two browsers should be used the same way. Choose one, your commuter browser, for everyday surfing. Read news, play games, watch YouTube, whatever. Just don’t log in to anything you consider really important! That is what the other browser is for.

When you bank, upload photos, check your WebMail, trade stock, or buy anything — fire up your weekend browser. This is the browser you protect by going directly to a website, typing the address into the location bar or using a bookmark, and nowhere else. Close it down when you are done.

Then if anything, or anyone, attacks your commuter browser when you are exploring the Web, it is no problem because you’ve never done anything important with it. You don’t take your weekend car down to a bad part of town right?


5) Be careful of what you download and paranoid of what you install

After going through all the trouble of making sure you have the latest software, and compartmentalizing your risk with two browsers, don’t go and install something evil that will ruin everything. Downloads are like narcotics peddled by a drug dealer. Just say no! They might make you feel good temporarily, but long term the effects are deadly.

The bad guys are extremely clever too. They actually disguise their “product” as antivirus software to help protect your computer. HAH! They also might say you need to install a special codec or something to watch the latest celebrity sex tape. Don’t fall for that. Go to YouTube, Break, or some other major video sharing site instead. Email attachments also need to be treated with paranoia, especially from people you know, because they might not have been as cautious as you.


6) Make your passwords hard to guess

You wouldn’t have the same key for your home, car, office, safe, etc. For the same reason you shouldn’t use the same password for all your online accounts. Pick passwords that are hard to guess, not found in the dictionary, six characters or more in length, and sprinkle in a number or special character for good measure. Something like: y77Vj6t or JX0r21b

Anything more than two or three passwords like this gets too hard to remember, so you have a choice to make.

a) Write down your password on a piece of paper

Use a small sheet of paper that fits in your wallet or maybe index cards locked in a desk drawer. It is much easier and safer for people to protect physical paper than data on a computer. Keep two copies around just in case one is lost. Unfortunately storing passwords on paper is not terribly convenient, so you might consider a password manager instead…

b) Use a password manager

Password managers, like LastPass or 1Password, are software that stores all your passwords in one place and encrypts the data. Not as secure as writing them down, but that’s the trade-off you make. The password managers that are built into Web browsers are not terribly safe or secure, at least not nearly as much as their desktop cousins.
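The password rules in this section (six or more characters, not a dictionary word, with a number or special character mixed in, and never reused across accounts) can be checked mechanically. The following is an added example, not code from the original post; the small word list and the site-to-password map are constructed for illustration.

```python
import secrets
import string

# Constructed stand-in for "the dictionary" the post warns against.
# A real check would load a full word list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}


def meets_post_rules(password: str) -> list[str]:
    """Return the rules from the post that `password` fails (empty list = passes)."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than six characters")
    if password.lower() in COMMON_WORDS:
        failures.append("found in the dictionary")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        failures.append("no number or special character")
    return failures


def find_reused(site_passwords: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the sorted list of those sites.

    This is the "same key for your home, car and office" problem from the post.
    """
    by_password: dict[str, list[str]] = {}
    for site, pw in site_passwords.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length: int = 8) -> str:
    """Generate a random password shaped like the post's examples (mixed-case letters
    and digits) using the OS CSPRNG, retrying until it satisfies meets_post_rules."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not meets_post_rules(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample: one password reused on two sites.
    sample = {"bank": "y77Vj6t", "mail": "y77Vj6t", "shop": "JX0r21b"}
    for site, pw in sample.items():
        print(site, meets_post_rules(pw) or "ok")
    print("reused:", find_reused(sample))
    print("fresh:", generate_password())
```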


7) BACKUP! Your computer, blog, email, photos — everything

Sh*t happens. Technology is imperfect, we all make mistakes, computers crash, and bad guys sometimes get lucky. Hope for the best, but prepare for the worst. Keep copies of your photos, email, blog posts and other treasured digital possessions on a CD/DVD, thumb drive, or even a local hard drive. Disk space is way cheap these days so there is no reason not to make the investment.

If you are an Apple fan like me, the Time Capsule (DSL Router / Backup device) and MobileMe are excellent choices. There are also several other solid and inexpensive online backup providers including Mozy, Backblaze, and Dropbox. One cannot stress enough the importance of backups. Should disaster strike, you’ll be really glad that you took the time.


Summary

That’s it! You have your survival kit of everything you need to keep your information safe. The cyber criminals out there on the Internet mean business. They are in it for the money, your money. They pride themselves on being well informed and ahead of the curve, which is exactly what is needed to NOT become a victim of online fraud and other nastiness. Being just a little bit safer and more secure than the masses who do little to nothing to protect themselves makes all the difference.

This entry was posted in Technical Insight.

About Jeremiah Grossman

Jeremiah Grossman is the Founder and interim CEO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Jeremiah has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Jeremiah has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Jeremiah is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, he was an information security officer at Yahoo! Jeremiah can be found on Twitter @jeremiahg.