Following my TEDxMaui presentation, a great many everyday people have been emailing, Facebook’ing, and Tweet’ing me asking for tips on how to keep themselves safe online. Safe from malicious software attacks, safe from their online accounts getting taken over, and safe from their PC getting hacked. This post is for them.
No one wants to end up like the guy on Flickr who had five years worth of photos deleted, like the woman whose personal email box was hacked and held for ransom, like the thousands on Facebook whose accounts have been taken over and friends scammed for cash thinking they are helping you out of a jam when really some miscreant is assuming your identity. Perhaps worst of all like the people whose computers were hacked into and an intruder quietly flipped on their video camera to record their most intimate moments and proceeded to toy with their lives.
Poor economic conditions being what they are, perhaps having your online bank account liquidated by organized criminals may not be all that bad relative to these poor people — even with no guarantee you’ll get your hard earned money back. The reality is all these things and more are painfully common and go largely undetected.
Don’t be fooled for a second into thinking antivirus companies are going to save you, nor a corporation’s generic we-take-security-very-seriously-we-promise-policy, and certainly not law enforcement. These guys get hacked just like everyone else and are completely overwhelmed by billions of dollars lost every year due to online fraud already. They are very unlikely to understand, help, or even investigate your particular situation.
The indisputable fact is you, and you alone, are the best defense against getting hacked and getting taken advantage of. Keep in mind that getting hacked is not an act of nature like a flood, earthquake, or tsunami. Getting hacked can be avoided. The steps to do exactly that, which I’m going to share with you, are simple, won’t cost you a dime, are sometimes a little unconventional, but they are most definitely effective. These are the same things security pros do to protect themselves. There is no reason why you can’t use them too!
Must-Have Software
1) Upgrade Microsoft Windows or Mac OS X
Outdated software is the enemy of online safety and security. Fortunately this process is easy and you should do this right now, even before reading the rest of this article.
If you use Microsoft Windows…
Fire up your Internet Explorer web browser and visit Microsoft Update. Just follow the instructions on the screen to update your system with the latest software. Next download and install Microsoft Security Essentials, which is their free antivirus software package.
If you use Mac OS X…
All you have to do is click the Apple logo in the top left of your screen, select “Software Update…”, and then follow along.
2) Install a modern Web browser. Better yet, pick two!
You do know what a Web browser is right? Not everyone does. A Web browser is the software you use to surf the Web and visit websites like Facebook, Gmail, and Amazon. Chrome, Firefox, and Internet Explorer are all solid and speedy Web browsers. The choice between them is largely personal preference.
If you already use one of these browsers, great, just make sure you are running the very latest version. Nothing brings a smile to a malicious hacker’s face like a victim with an ancient browser, such as Internet Explorer 6. It’s like a professional car thief walking up to a car without any anti-theft devices installed: gone in sixty seconds.
If you are a Windows and Internet Explorer user, and you performed step 1, you are all set. If you use Chrome, click the wrench icon in the browser window and select “About Google Chrome.” If an update is needed, an “Update Now” button will appear for you to click. For Firefox, it’s the same process as Chrome: go to the “About Firefox” window, and if you need to update, a button to press will be there.
Next, install a different browser from the recommended list, because you’ll need two for the safest browsing experience.
3) Install ad blocking extensions
If you’ve chosen Chrome or Firefox as one of your Web browsers, you are going to absolutely love ad blocking extensions like Adblock and Adblock Plus. These extensions allow you to surf the Web without ads, which also has the powerful benefit of automatically increasing your security and privacy.
Malicious software often infects computers through the viewing or clicking of online advertisements. When you actually want to see ads, don’t worry, ad blocking is really easy to turn on and off whenever you want.
For extra privacy, consider installing either Disconnect or Ghostery extensions. Essentially all online advertisements are “trackers,” which stalk you around the Web profiling your online habits, but not all “trackers” are advertisements. Disconnect and Ghostery block these invisible trackers and aid in protecting your online privacy.
Online Street Smarts
Think of the Web like an inner city. There are some really great places to visit, enjoy nice meals, and hang out with friends. However, as in any inner city with over one billion people, there will be some shady characters lurking around trying to scam and rob you. You have to keep your guard up. The problem is the digital world makes it tough to see and therefore avoid dangerous street corners. I’ll show you how.
4) Your weekend browser and your commuter browser
Many people drive one car every day to work and keep a nicer one in the garage ready for the weekends or a night on the town. Your two browsers should be used the same way. Choose one, your commuter browser, for every day surfing. Read news, play games, watch YouTube, whatever. Just don’t login to anything you consider really important! That is what the other browser is for.
When you bank, upload photos, check your WebMail, trade stock, or buy anything — fire up your weekend browser. This is the browser you protect by going directly to a website, typing the address into the location bar or using a bookmark, and nowhere else. Close it down when you are done.
Then if anything, or anyone, attacks your commuter browser when you are exploring the Web, it is no problem because you’ve never done anything important with it. You don’t take your weekend car down to a bad part of town right?
5) Be careful of what you download and paranoid of what you install
After going through all the trouble of making sure you have the latest software and compartmentalizing your risk with two browsers, don’t go and install something evil that will ruin everything. Downloads are like narcotics peddled by a drug dealer. Just say no! They might make you feel good temporarily, but long term the effects are deadly.
The bad guys are extremely clever too. They actually disguise their “product” as antivirus software to help protect your computer. HAH! They also might say you need to install a special codec or something to watch the latest celebrity sex tape. Don’t fall for that. Go to YouTube, Break, or some other major video sharing site instead. Email attachments also need to be treated with paranoia, especially from people you know, because they might not have been as cautious as you.
6) Make your passwords hard to guess
You wouldn’t have the same key for your home, car, office, safe, etc. For the same reason you shouldn’t use the same password for all your online accounts. Pick passwords that are hard to guess, not found in the dictionary, six characters or more in length, and sprinkle in a number or special character for good measure. Something like: y77Vj6t or JX0r21b
Having more than two or three passwords like this gets too hard to remember, so you have a choice to make.
a) Write down your password on a piece of paper
Use a small sheet of paper that fits in your wallet or maybe index cards locked in a desk drawer. It is much easier and safer for people to protect physical paper than data on a computer. Keep two copies around just in case one is lost. Unfortunately storing passwords on paper is not terribly convenient, so you might consider a password manager instead…
b) Use a password manager
Password managers, like LastPass or 1Password, are software that stores your passwords in one place and encrypts the data. Not as secure as writing them down, but that’s the trade-off you make. The password managers that are built into Web browsers are not terribly safe or secure, at least not nearly as much as their desktop cousins.
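As an added example (not from the original post), here is a small Python check that applies the password rules from this section: six or more characters, not a dictionary word, and at least one number or special character. It goes a little beyond the text by also undoing common symbol-for-letter substitutions before the dictionary lookup, since a disguised word like "p4ssw0rd" is just as guessable; the word list is a constructed stand-in for a real dictionary or common-password list.

```python
# Added example, not code from the original post. Checks a candidate
# password against the rules given in the post and also catches dictionary
# words "disguised" with common letter-for-symbol substitutions.
import string

# Constructed, tiny stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}

# Substitutions people commonly use to disguise a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

STRIP_CHARS = string.digits + string.punctuation


def normalize(word):
    """Undo common symbol-for-letter substitutions (e.g. p4ssw0rd -> password)."""
    return word.translate(LEET_MAP)


def check_password(pw, words=COMMON_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than six characters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no number or special character")
    # Drop leading/trailing digits and symbols ("Monkey1!" -> "monkey"), then
    # test both the raw core and its de-substituted form against the word list.
    core = pw.lower().strip(STRIP_CHARS)
    if core in words or normalize(core) in words:
        problems.append("dictionary word (possibly with substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ["y77Vj6t", "JX0r21b", "p4ssw0rd", "Monkey1!", "Welcome"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate}: {', '.join(verdict)}")
```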
7) BACKUP! Your computer, blog, email, photos — everything
Sh*t happens. Technology is imperfect, we all make mistakes, computers crash, and bad guys sometimes get lucky. Hope for the best, but prepare for the worst. Keep copies of your photos, email, blog posts and other treasured digital possessions on a CD/DVD, thumb drive, or even local hard drive. Disk space is way cheap these days so there is no reason not to make the investment.
If you are an Apple fan like me, the Time Capsule (DSL Router / Backup device) and MobileMe are excellent choices. There are also several other solid and inexpensive online backup providers including Mozy, Backblaze, and Dropbox. One cannot stress enough the importance of backups. Should disaster strike, you’ll be really glad that you took the time.
Summary
That’s it! You have your survival kit of everything you need to keep your information safe. The cyber criminals out there on the Internet mean business. They are in it for the money, your money. They pride themselves on being well informed and ahead of the curve, which is exactly what is needed to NOT become a victim of online fraud and other nastiness. Being just a little bit safer and more secure than the rest of the masses, who do little to nothing to protect themselves, makes all the difference.

[...] He offered a few tips, via a blog post on how not to get hacked on the Web. [...]
You forgot one thing that site operators should heed: DON’T REQUIRE YOUR USERS’ IDs TO BE E-MAIL ADDRESSES.
The idiotic practice of using E-mail addresses as user IDs, implemented by LinkedIn, Facebook, and Apple, represents not only a lack of common sense, but a disturbing disregard for security. Most people’s E-mail addresses are on spammers’ lists. When you cross-reference those lists with lists of common passwords, you get a shitload of cracked accounts.
And when faced with the requirement to log in with an E-mail address, what percentage of the public thinks they have to use the same password for these sites as they use for their E-mail account? I’m guessing at least a quarter. So now these sites have made themselves responsible not only for their own system, but every user’s personal E-mail account, regardless of where it is. That’s why this policy is a monumental security blunder.
You don’t see banks forcing you to use an E-mail address, do you? E-Trade? Credit-card companies? NO. Hell, even the most obscure comment forums let you set up a legitimate user ID. But not LinkedIn. And now Apple. Calling this amateur hour is generous.
http://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html
[...] “We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation,” LinkedIn’s Vicente Silveira said in the blog post. [...]
Yeah! Very useful advice. Thank you!
Just a couple of additional points:
For all PCs, stop using an administrative account for everyday work. Add a new account (call it “Bob-admin” or the like). Log on with the new account, and “demote” your existing account to a Standard account. If a drive-by download tries to infect your computer, the prompt for an administrator’s username and password gives you the chance to say NO.
For Windows Vista and 7 users: Click Start, type update, and click on “Windows Update.” If you haven’t already done so, switch to Microsoft Update. Also, click on “Check for Updates” no matter what the prompt says. Make the durn thing take some time looking for new updates. It’s surprising how often Windows Update claims there are no new updates when there really are some. Also, install Secunia PSI from secunia.com. It’s not perfect, but it will attempt to update your non-Microsoft software products when they have security patches.
For Mac OS X, there is no Secunia PSI as of this writing (the corporate version supports Macs, but not the personal or online versions). Log on to your administrator account, then open each of the non-Apple apps on your computer (Firefox, Opera, Chrome, Microsoft Office, Adobe Reader, which is required for some online forms), and ask it to check for updates.
Both Mac and Windows computers have many other steps to take. I know of no one source that is both complete and up-to-date on this information.
[...] Sources: WhiteHat Security, Yahoo! [...]
[...] Jeremiah Grossman of WhiteHat Security offers plenty of tips about how you can make sure you don’t get hacked on the Web. – Salon gives advice as to what you should do when your Twitter account is hacked. – When LinkedIn [...]
Really useful collection of tips thanks for posting. I’m going to share this with some people I know as you’ve explained it far more eloquently than I could ever hope to!
People are only too happy to accept the ever growing portion of their lives which is moving online, yet still resistant to being responsible and matching that new level of dependence with a heightened level of necessary security.
Hi,
These are great tips; however, they are missing the number one most important item. Do not leave your computer logged on when you are not in front of it.
[...] Source: WhiteHat Security, Yahoo!, Folha de S.Paulo. [...]
Hey Jeremiah
Great post, I’m going to link it on mine. I actually just wrote a post, not as eloquent as this, but the idea being the same. It was written to help my friends and family improve their online security posture.
The post I actually just wrote a few days ago: http://tonyonsecurity.com/2013/03/06/web-threats-are-real-be-proactive/
Cheers.
Whoah, this weblog is fantastic, I really like studying your posts. Stay up the great work! You know, many persons are hunting round for this information, you can aid them greatly.
[...] I just came across another good post by Jeremiah Grossman, Founder and CTO over at WhiteHat Security. If you’re not familiar with them you should be. In his post he provides some more very awesome guidance that we should all be adhering to, and the kicker is it’s simple to apply. Take a minute and read it here: http://blog.whitehatsec.com/tips-for-not-getting-hacked-on-the-web/ [...]