RTE recently ran a program called Hacked that explored how easy it can be for bad guys to hack into company computers, personal computers, and cloud-based accounts (e.g. email, facebook, etc). What they were trying to demonstrate is that we often make it easy for hackers to attack us, albeit unwittingly.
After watching the program I realised that most people probably assumed their operating system, wifi provider, email provider, etc were doing all they could to keep them safe. This is true to a point but ultimately they can only do so much. It’s up to each of us to protect ourselves. Luckily it’s not too difficult. If you follow the steps described below you can protect yourself from 90% of the methods used by scammers.
Contrary to common opinion attackers usually gain unauthorized access to computer systems using social engineering techniques. This means tricking people into doing or saying something that gives the attacker a means to access their target’s computer. For example, they might trick someone into installing a piece of malicious software or handing over their password.
During the Hacked program they ran a few experiments to see if they could fool people into doing something that compromised their computers. In one experiment they used a free wifi point to snoop on what the individuals using that wifi point were doing. By monitoring one particular user’s activity they identified their email address and sent them a phishing email. These are emails that look legitimate but are really just trying to get the recipient to hand over secret information. In this case they managed to get the victim to unwittingly hand over their gmail password.
Use a different password for every service you subscribe to.
This means a different password for your email, facebook, amazon, etc. If you use the same password everywhere and an attacker learns this password then they’ll have access to all your accounts.
To help remember (and generate) passwords use a password manager, for example KeePass, LastPass. These applications store your passwords in an encrypted database. To open that database you use a master password. This is the only password you need to remember. Needless to say you should never divulge your master password.
The site Has my email been hacked? tracks major security breaches and publishes the email addresses that were compromised. If you find your email address is included in one of these breaches I’d recommend changing your password.
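To make the “different password for every service” rule concrete, here is an added example (not code from the original post, and not KeePass or LastPass code) of the two things a password manager does for you: it draws each password from a cryptographically secure random source instead of your memory, and it can tell you which services are still sharing a password. The vault contents are a constructed sample; a real manager keeps them in an encrypted database behind your master password.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet for generated passwords: letters, digits and a handful of symbols (76 characters).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length: int = 20) -> str:
    """Return a random password drawn with the OS CSPRNG (the secrets module),
    the way a password manager generates one, rather than a memorable word."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict) -> dict:
    """Map each password that appears under more than one service to the list of
    services sharing it. vault is {service: password}."""
    by_password = defaultdict(list)
    for service, password in vault.items():
        by_password[password].append(service)
    return {pw: services for pw, services in by_password.items() if len(services) > 1}


# Constructed sample vault: three services, two of them sharing one password.
SAMPLE_VAULT = {
    "email": "Summer2016!",
    "facebook": "Summer2016!",
    "amazon": "hunter2hunter2",
}

if __name__ == "__main__":
    print("reused:", find_reused(SAMPLE_VAULT))
    fresh = {service: generate_password() for service in SAMPLE_VAULT}
    print("after regenerating each one:", find_reused(fresh))
    print(f"each new password carries about {entropy_bits(20):.0f} bits of entropy")
```

The reuse check is the useful part: if a breach exposes one of the shared passwords, every service listed against it needs changing, not just the one that was breached.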
Use two factor authentication on your email account and whenever else you can.
Two factor authentication provides an extra layer of security for those accounts where it’s enabled. When logging in to these accounts you’ll need your usual password and a special one time password. This one time password is generated by an app on your mobile device (usually). It changes every thirty seconds or so and is known only to you and the website you’re logging in to. If an attacker were to discover your password they wouldn’t be able to log on to your account as they wouldn’t have the one time password.
Your email account is very likely your most important account from a security perspective. As well as having lots of sensitive information it’s used to handle password reset emails. If an attacker managed to compromise your email account they could click the “forgot password” link on other sites you use to have an email sent to your address. They would pick up this email, reset the password, and take over that account.
If you only enable two factor authentication on one account make it your email account.
Links for enabling two factor authentication,
The EFF ran a campaign in 2016 called “The 12 Days of 2FA: How to Enable Two-Factor Authentication For Your Online Accounts”. It has lots of great information describing how to enable two factor authentication on many popular websites.
Never click on links or open attachments in suspicious emails.
This is the number one way attackers install viruses and malware.
A suspicious email may be,
- From someone you don’t know
- From someone you know but out of character, e.g. your mother sending you an invoice for something (assuming your mother doesn’t usually invoice you)
- From a bank, paypal, the revenue (tax authority in your country) asking you to click a link to logon to your account
It might seem harmless opening these documents or clicking links but it’s far from it. Very often it might appear that nothing has happened but behind the scenes a program could be running on your computer waiting for an opportunity to encrypt all your files and demand payment to decrypt them (ransomware), or participate in a botnet, or wreak havoc some other way.
Clicking on a link in an email may bring up what looks like your bank’s website but is in fact a dummy page made to look like the real thing. When you enter your details the attackers capture this information and then use it to access your real bank account.
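The warning signs listed above can be checked mechanically before anyone clicks. Here is an added example (not code from the original post) that parses a raw email with Python’s standard email module and reports the tell-tales: a Reply-To that goes somewhere other than the sender, a display name that is itself an email address at a different domain, an attachment type that runs code when opened, and a link whose visible text names one site while its href points at another (the “dummy page made to look like the real thing” case). Both emails, the domain names and the list of risky extensions are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types that execute when opened; a constructed, non-exhaustive list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm", ".xlsm"}
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(raw: str) -> list:
    """Return human-readable reasons an email looks suspicious (empty list if none)."""
    msg = message_from_string(raw)
    reasons = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain differs from From domain ({reply_to})")
    shown_address = ADDRESS_RE.search(from_name)
    if shown_address and domain_of(shown_address.group(0)) != from_domain:
        reasons.append(f"display name looks like a different address ({shown_address.group(0)})")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"attachment can run code: {filename}")
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, text in HREF_RE.findall(html):
                shown = URL_IN_TEXT_RE.search(text)
                if shown and host_of(shown.group(0)) != host_of(href):
                    reasons.append(f"link text says {host_of(shown.group(0))} but goes to {host_of(href)}")
                if urlparse(href).scheme.lower() == "http":
                    reasons.append(f"link uses plain HTTP: {href}")
    return reasons


# Constructed phishing sample: lookalike sender, mismatched link, executable disguised as a PDF.
SAMPLE_EMAIL = """\
From: "security@examplebank.test" <alerts@mail-notice.test>
Reply-To: collect@other-mailbox.test
To: victim@example.test
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://examplebank.test.login-verify.test/">https://examplebank.test/login</a> now.</p>
--B
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

AAAA
--B--
"""

# Constructed ordinary email that should raise no flags.
CLEAN_EMAIL = """\
From: Alice <alice@example.test>
To: victim@example.test
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Are you free at one?
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE_EMAIL):
        print("-", reason)
    print("clean email:", triage(CLEAN_EMAIL))
```

None of these checks proves an email is malicious, and an email that passes all of them can still be a phish; they are the same questions the post tells you to ask, written down so a mail filter or a cautious reader can apply them consistently.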
Ensure your operating system’s firewall is running.
A firewall is an application that blocks attackers on the internet from making connections to your computer. If your firewall isn’t running there’s a very good chance your PC will be infected with some sort of malware without you even knowing - until it’s too late.
To check if your firewall is running,
- Open the Control Panel
- Click Windows Firewall
- If your firewall isn’t running you’ll see a red warning message and a button to enable it.
Ensure your firewall is always running.
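The Control Panel steps above can be scripted for a machine you look after remotely or want to check regularly. Here is an added example (not code from the original post) that reads the state of each Windows Firewall profile from the output of `netsh advfirewall show allprofiles`, a command that exists on every supported Windows version; the sample output embedded below is a constructed, abbreviated copy of what that command prints, so the parser can be exercised on any platform. The `check_local_firewall` function runs the real command and only works on Windows.

```python
import platform
import re
import subprocess

# Constructed sample of `netsh advfirewall show allprofiles` output, trimmed to the
# lines this example uses. The Public profile is deliberately shown as OFF.
SAMPLE_NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:", re.M)
STATE_RE = re.compile(r"^State\s+(ON|OFF)\b", re.M)


def parse_profile_states(text: str) -> dict:
    """Map each profile name (Domain, Private, Public) to True when its firewall is ON."""
    states = {}
    # re.split with a capture group yields [preamble, name1, body1, name2, body2, ...].
    chunks = PROFILE_RE.split(text)
    for name, body in zip(chunks[1::2], chunks[2::2]):
        match = STATE_RE.search(body)
        if match:
            states[name] = match.group(1) == "ON"
    return states


def disabled_profiles(text: str) -> list:
    """Names of profiles whose firewall is off, sorted for stable output."""
    return sorted(name for name, on in parse_profile_states(text).items() if not on)


def check_local_firewall() -> list:
    """On Windows, run netsh and return the profiles with the firewall turned off."""
    if platform.system() != "Windows":
        raise RuntimeError("netsh advfirewall is only available on Windows")
    result = subprocess.run(
        ["netsh", "advfirewall", "show", "allprofiles"],
        capture_output=True, text=True, check=True,
    )
    return disabled_profiles(result.stdout)


if __name__ == "__main__":
    print("profiles with the firewall off (sample):", disabled_profiles(SAMPLE_NETSH_OUTPUT))
    if platform.system() == "Windows":
        print("profiles with the firewall off (this PC):", check_local_firewall())
```

The Public profile is the one that applies on coffee-shop and airport wifi, so it is the one you least want to see reported as off.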
Don’t visit malware ridden websites
Some (or maybe even most) of what some might consider “shady” websites are littered with aggressive advertising that will do its absolute best to trick you into installing malware. Popup windows will appear with what look like legitimate Windows dialogs telling you your PC has some problem or other and if you just click this button all will be fixed. Sometimes popups will appear asking you a question and try to trick you into clicking a button that again installs malware.
If you know what you’re doing it is possible to safely navigate these websites but my advice is to stay well away from them.
Hang up on calls from “Microsoft Tech Support”
If you ever get a call from someone saying they’re from Microsoft tech support simply hang up. They’re not from Microsoft. They’re scammers trying to get you to hand over money to fix supposed security problems with your PC.
No matter what they say don’t hand over any personal information. It might seem impolite to hang up but these guys are so persistent they simply won’t let you go any other way.
Use HTTPS rather than HTTP
The “S” in HTTPS stands for secure. When you’re visiting a website and the URL starts with HTTPS any data sent between your browser and that website is encrypted. With regular HTTP any data you send (your name, address, credit card details, etc) is unencrypted and very easy for attackers to capture.
Using HTTPS is an absolute necessity if the website you’re visiting is asking you to submit any personal details. In this day and age every website should be using HTTPS but many don’t just because they couldn’t be bothered setting it up.
HTTPS is even more important if you’re using public wifi (in a shopping center, coffee shop, airport, library, etc). In these situations you should just assume there’s someone listening to and watching everything you’re doing on the internet.
Some websites support HTTP and HTTPS but won’t always tell you. It’s left up to you to enter “https” in the address bar. To automate this I recommend installing the HTTPS Everywhere browser plugin. It will automatically send you to the HTTPS version of a website if it’s supported.
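What HTTPS Everywhere does is a URL rewrite driven by a list of sites known to serve the same content over HTTPS. The following is an added example (not code from the original post and not HTTPS Everywhere’s own code or rule format) that applies that idea: an http:// link to a listed host, or to a subdomain of one, is rewritten to https://, anything else is left alone, and a second check refuses to submit personal details to a form that is not served over HTTPS. The list of known hosts is a constructed placeholder for the thousands of rules the real extension ships with.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed list standing in for a real ruleset: hosts known to serve
# the same pages over HTTPS. Matching is by exact host or any parent domain.
KNOWN_HTTPS_HOSTS = {"examplebank.test", "shop.example.test"}


def is_known_https_host(host: str) -> bool:
    """True if host or one of its parent domains is on the list. Matching on the
    domain suffix (not prefix) means examplebank.test.evil.test does not qualify."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in KNOWN_HTTPS_HOSTS for i in range(len(labels)))


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https:// when the host is known to support it;
    return every other URL unchanged."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme.lower() != "http" or not host or not is_known_https_host(host):
        return url
    # An explicit :80 is meaningless for https, so drop it; keep any other port.
    # Any user:password@ prefix is dropped as well rather than carried into the new URL.
    netloc = host.lower() if parts.port in (None, 80) else f"{host.lower()}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def safe_for_personal_details(url: str) -> bool:
    """A page that asks for name, address or card details must be served over HTTPS."""
    return urlsplit(url).scheme.lower() == "https"


if __name__ == "__main__":
    for link in ("http://examplebank.test/login", "http://www.shop.example.test:80/cart",
                 "http://unknown.test/", "http://examplebank.test.evil.test/"):
        print(f"{link} -> {upgrade_to_https(link)}")
    print("submit details to http://examplebank.test/?", safe_for_personal_details("http://examplebank.test/"))
```

The suffix matching is the part worth getting right: a rule for examplebank.test must upgrade www.examplebank.test but must not be fooled by a lookalike host that merely begins with those words.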