Security 101

Here's a one-stop shop that offers an overview of many things that'll help keep you safe online, your computer and data safe, and privacy maintained.

I've also written a number of separate, more-detailed articles that discuss various aspects of security, privacy and safety. They are linked in this article.

But this particular article is mostly a punch list of what you should do and perhaps a little bit of why thrown in.

Password Hygiene

Passwords... The bane of online life and a big topic for security.


We as an online society have long passed the point of actually remembering passwords. To do passwords correctly, you aren't going to remember them, period. So let's just dispose of that notion right now.

Passwords must be long! Today's best passwords are better called passphrases -- several random words strung together. Aim for at least 20 characters with mixed uppercase, lowercase, and numbers. At 20+ length you can do without special characters, which some websites don't allow anyway. Length beats complexity: every character (or word) you add multiplies the number of guesses an attacker has to make, while swapping an "a" for an "@" barely moves the needle. My passwords are all 25 to 50 characters long, depending on the account and what is permitted. I never type them in or even remember them, so what do I care how long they are?
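To put numbers on "length beats complexity", here is an added example (not part of the original article) that computes the entropy of a few password styles and generates a passphrase the way a password manager or a Diceware roll would. It assumes 95 printable ASCII characters for "complex" passwords and a 7,776-word list (the size of the EFF/Diceware lists); the tiny word list embedded below is constructed for the demo only and is far too small for real use.

```python
import math
import secrets

# Constructed miniature word list, for demonstration only. A real generator
# draws from a published list of thousands of words (e.g. the 7,776-word EFF list).
DEMO_WORDS = ["anchor", "basket", "copper", "dolphin", "ember", "falcon",
              "garden", "harbor", "island", "jigsaw", "kettle", "lantern",
              "meadow", "nickel", "orchid", "pepper"]

PRINTABLE_ASCII = 95   # assumption: upper + lower + digits + symbols
DICEWARE_LIST = 7776   # assumption: size of the standard Diceware/EFF word list


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent, uniformly random choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_password_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random character password (what a manager generates)."""
    return entropy_bits(charset_size, length)


def passphrase_bits(word_count: int, list_size: int = DICEWARE_LIST) -> float:
    """Entropy of a random word passphrase. Only the list size and word count matter,
    not whether the words 'look' complex."""
    return entropy_bits(list_size, word_count)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST) -> int:
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG. `random.choice` is NOT acceptable for secrets."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(f"8-char full-complexity random password: {random_password_bits(8):.1f} bits")
    print(f"20-char lowercase-only random password: {random_password_bits(20, 26):.1f} bits")
    print(f"6-word Diceware passphrase:             {passphrase_bits(6):.1f} bits")
    print(f"Words needed for 80 bits:               {words_needed(80)}")
    print("Sample (from the toy list):", generate_passphrase(6))
```

The comparison is the whole point: an 8-character password with every symbol type comes in around 52 bits, while a six-word passphrase of plain lowercase words is around 77 bits, and 20 random lowercase letters beat both. The only time length does not help is when the "long" password is a predictable sentence or lyric rather than random choices, which is why the words must come from a generator and not from your head.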

Passwords must be unique! You don't want a cyber-criminal effortlessly logging into your bank account because you reused the password from your favorite website for cute throw pillows -- that got hacked. Yet this happens all the time. By using a unique password for every account and website, then any password breach will be limited to just that one account.

Use a Password Manager! We are long past when people should even try to remember their passwords. So you should be using a password manager. These programs help you choose random, complex passwords and safely store them for you.


Another benefit to a password manager is phishing resistance. The manager ties each saved password to the website's real address, so when a bogus, look-alike site asks for your password, the manager simply doesn't offer it because the address doesn't match. You might easily be tricked by a sophisticated and convincing copy of your bank's login page, but your password manager won't be fooled. (The flip side: if your manager suddenly refuses to fill a password on a page you think you recognize, treat that as a warning, not an annoyance.)

There are lots of password managers. Here's a recent PC Magazine Article outlining several. Some are free or have a free tier; the paid ones cost a few dollars a month, which is well worth the added protection you'll receive since you'll now be using strong and unique passwords. Whichever you pick, make the master password a long passphrase and turn on two-factor authentication for the manager itself (see below).

Fib when setting up your security questions! Lots of websites want to automate the "I forgot my password" recovery system. When you first create an account, your bank for example, they'll often ask you to provide answers to a menu of questions like mother's maiden name, name of first pet, name of your high school, stuff like that. Problem is, all that info about you is readily discoverable online, either through social media or from big data (discussed more below). But if you provide fake answers to these questions, then no one else can use the "real" answers to reset your password and gain access. The fake answer doesn't even need to be a word; a random string from your password manager's generator works fine.

Needless to say, you must record those questions and fake answers somewhere safe. The notes field of the account's entry in your password manager is the natural place, or the dedicated notebook if you keep one. A recovery answer you can't find is just a different way to get locked out.

Use Two Factor Authentication (2FA) whenever it's available! 2FA is when, in addition to your password, you type in a numeric code that's texted to your phone or, better, displayed by a code-generating app like Google Authenticator, when you log into an account that's 2FA protected. The idea is that even if a hacker figures out your password, s/he will then hit the second-factor roadblock. No phone, no code, no access! Rather than waste time, they'll move on to the next victim. It goes a looooong way to securing your account. One caveat: codes sent by text message are the weakest form, because a criminal who talks your carrier into moving your number to their SIM (a "SIM swap") receives your codes. Use an authenticator app or a hardware security key where the site offers one, and keep SMS as the fallback only.


Some services, like Gmail, let you trust your commonly-used computers and devices so you aren't pestered for a 2FA code each time you login. But a login attempt from an untrusted computer will prompt for the code -- and that's the protection. You can think of the 2FA code as a second, randomly generated password that changes every 30 seconds, so a code a phisher captures today is useless in a minute.


Interesting info: We've long hit "peak password" -- the flaws are that obvious and glaring. Best security practices are (albeit very slowly) moving away from passwords. One approach is to make the second factor the primary, and only, credential: a hardware security key or phone-based "passkey" that proves possession of the device, with various options for what to do if you lose it. Another approach is biometric, as is common on smartphone screen locks, usually as the way you unlock that device-bound credential rather than as a secret sent to the website. Eventually, online accounts and websites will deprecate password authentication in favor of these methods. But, alas, that's moving very slowly.

More on passwords here.

Multiple Identities

Use a burner email account for less important things. That'll also cut down on spam sent to your main account.

Gmail has a little-known yet incredibly useful "email alias" feature (often called plus-addressing) that lets you create special-use email addresses for all your (important) accounts. By using a unique Gmail alias for each of your sensitive accounts, then if another website is breached (usernames and passwords stolen), the bad guys don't get the exact username you use at the bank, and they can't easily cross-reference the breached list against your other accounts.

e.g.  Consider this Gmail account: superman+mybank@gmail.com  The portion after the plus sign, +mybank, is the alias. Email sent to that address resolves to the root address superman@gmail.com and will land in the same inbox. If you use that alias for your bank login only, then no other web site will know that. So if that other site got hacked, like the one with the cute throw pillows, the bad guys won't find your bank alias in the stolen data, even if they know your root email address superman@gmail.com.

The alias feature is already available and works automatically; there's nothing to turn on. Just log into whatever account you want to protect with an alias, like your bank, think up an alias such as +arizona or +mybank or whatever (add the alias just before the @-sign as shown in the examples above), and change the email address on file for that account. It doesn't matter if someone else uses the same +arizona alias or not because the rest of your email address makes it unique.


All your important accounts should have their own alias. For less important accounts, you can use your root email only. Or use a catchall alias for those, like +misc. Note that some web sites won't let you use a + sign in your email address, so that trick won't work for them. But most will allow it. I make extensive use of this feature. Be clear about what it buys you, though: the plus trick is widely known and trivially stripped, so anyone who sees superman+pillows@gmail.com can guess superman@gmail.com and try that at your bank. The alias is a speed bump and an early-warning system, not a secret. The real protection for the bank account is still a unique password and 2FA.
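The caveat above is easy to see in code. Here is an added example (not from the article) that does what a credential-stuffing crew does with a breach dump: normalize each leaked address to the underlying mailbox by stripping the +tag and, for Gmail, the dots that Gmail ignores. The same routine, run the other way, gives you the early-warning check: mail arriving on a dedicated alias from a sender you never gave it to means that alias leaked. The addresses and the tag-to-sender mapping are constructed sample data; the "@gmail.com / @googlemail.com ignore dots" rule is Gmail-specific, and applying plus-stripping to every domain is an assumption an attacker would make, not a guarantee every mail provider behaves that way.

```python
# Constructed sample of usernames as they might appear in a breach dump.
LEAKED_USERNAMES = [
    "superman+pillows@gmail.com",
    "Super.Man+misc@googlemail.com",
    "superman@gmail.com",
    "clark.kent+mybank@dailyplanet.example",
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # domains where dots in the local part are ignored

# Constructed mapping: alias tag -> the one sender domain that alias was given to.
EXPECTED_SENDERS = {"mybank": "mybank.example", "arizona": "utility.example"}


def split_plus_tag(address: str):
    """Return (root local part, plus tag or '', domain), lower-cased."""
    local, _, domain = address.strip().lower().rpartition("@")
    root, _, tag = local.partition("+")
    return root, tag, domain


def normalize(address: str) -> str:
    """Canonical mailbox behind an address: drop the +tag everywhere (assumption: attacker's view),
    and for Gmail also drop dots and fold googlemail.com into gmail.com."""
    root, _, domain = split_plus_tag(address)
    if domain in GMAIL_DOMAINS:
        root = root.replace(".", "")
        domain = "gmail.com"
    return f"{root}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return normalize(a) == normalize(b)


def group_by_mailbox(addresses):
    """Attacker's step: collapse a dump so every alias variant maps to one target mailbox."""
    groups = {}
    for addr in addresses:
        groups.setdefault(normalize(addr), []).append(addr)
    return groups


def alias_misused(to_addr: str, from_addr: str, expected=EXPECTED_SENDERS) -> bool:
    """Defender's step: True when mail lands on a dedicated alias from a domain that isn't
    the one the alias was handed to (the alias has leaked or been sold)."""
    _, tag, _ = split_plus_tag(to_addr)
    sender_domain = from_addr.strip().lower().rpartition("@")[2]
    return tag in expected and sender_domain != expected[tag]


if __name__ == "__main__":
    for mailbox, variants in group_by_mailbox(LEAKED_USERNAMES).items():
        print(mailbox, "<-", variants)
    print("alias leaked?", alias_misused("superman+mybank@gmail.com", "deals@promo.example"))
```

Three of the four constructed usernames collapse to superman@gmail.com, which is exactly why the alias alone can't protect the bank login. The alias_misused check is the useful half for you: a Gmail filter can't express "sender isn't my bank", but you can eyeball the From line on anything that arrives addressed to +mybank.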

Another cool use for aliases is that you can filter incoming email sent to a given alias for special processing, e.g. bypass the inbox, or mark it bright red to get your attention. And because each alias was given to exactly one company, mail arriving on that alias from anyone else tells you who leaked or sold your address, and that a message "from your bank" on the wrong alias is phishing.

Just another of the many reasons to use Gmail.

Disable Phone Notifications on the Lock Screen

Most of us like seeing our text messages and other notifications while our phone is locked. Problem is, that's good for thieves as well. If your phone is stolen, especially if it was a targeted theft, a thief who knows or susses out your email address could be inside your online accounts in minutes, including possibly your bank accounts. How?

When you or a bad guy uses the "forgot password" feature of most websites, the first thing the site wants to do is send a one-time security code text message to your phone. We've all done this, you know how that works. That code is how you prove your identity. But if your phone is set to display text messages while locked, then that code is visible to anyone holding your phone. They can easily use the security code to reset your passwords and gain entrance to whatever accounts they want. (This is one more reason to prefer an authenticator app over text codes: the app only shows its codes after the phone is unlocked.)

Imagine this: If I found (or stole!) your phone, chances are pretty good I could suss out who you are and be inside your Amazon.com account in less than five minutes and having lots of nice expensive laptops shipped to a mail drop or to your home and ready to be intercepted by me when the UPS guy drives up in two days. Or, better yet, gift card instant delivery (ka-ching!) And you'll never know this happened because once I'm in your Amazon account, I'll be resetting your password, changing the email address, and changing all your account recovery options to make it that much harder for you to regain rightful access. All without ever unlocking your phone. Wow.

Disable that feature immediately. Both iPhone and Android default to showing message previews while locked, so you'll want to turn that off now (on iPhone look under Notifications for "Show Previews"; on Android, under the lock screen or notification settings for "sensitive content"). In fact, you'd be wise to disable all lock screen notifications, but especially text messages. The only thing my phone shows when locked is the time of day, period. Allowing personal content to show on the lock screen undermines the entire point of having a lock screen in the first place.

Freeze Your Credit

Forget LifeLock and other credit monitoring services. They are expensive and unnecessary. You can easily freeze your credit yourself with all three major credit bureaus at no charge. Yep, for free, no catch. Why is this important? When your credit file is frozen, then potential lenders cannot examine your credit worthiness. So if a bad guy tries to get credit in your name, the credit grantor being applied-to cannot access your file. Application denied.

When you need to open a new line of credit, such as getting a car loan, applying for a mortgage, or a credit card, then you can temporarily lift the freeze for, say, 30 days. Then you can apply for the needed credit. The freeze is then automatically reapplied after the temporary lift.

Credit freezes have been around since 2007 yet as of 2018 only 12 percent of Americans have frozen, or locked, their credit file. It's disappointing that 88% of us aren't taking advantage of this free and useful service -- don't be one of them.

Here's the links to freeze your credit file with the three major credit bureaus:

     Equifax, Experian, TransUnion

Stop Using Social Media. Yeah, Right.

We all know that Facebook cannot be trusted. Zuck and other FB executives should be in prison for the data crimes they've committed. But FB isn't unique. All social media companies make their money largely the same way -- monetizing your data. Remember this: On social media, you aren't the customer. You are the product being sold.

We all got along just fine before Facebook came along.

More on social media privacy here.

And while we're on the topic of Big Data, let us not omit the huge data mining companies that you've probably never heard of. You know, household names like Acxiom, DataLogix, Epsilon Data Management, and Intelius. Many of these Big Data companies have free, opt-out features you can use.

For more on opting out of Big Data, click here.

Examine Statements

How often do you examine your credit card statements? Probably never? I'm guilty of that, too. But you should. A lot of fraudulent charges are purposely small dollar amounts that aren't likely to be noticed if all you look at is the outstanding balance. Worse, your credit card company is unlikely to catch or flag small dollar fraud. Although the likelihood is still small, you could be losing a couple of hundred dollars per year in small dollar fraud.


Checking your statements is also a good way to make sure you aren't being overcharged for subscription services or that a subscription service that you cancelled is, indeed, cancelled.

You should also check the statements for any investment and brokerage accounts as well. It takes just a few minutes each month to check over your statements.

Lock Down Accounts

If you don't regularly perform wire transfers or other large money transfers, call your bank and ask them to place a notice on your account to disallow any telephone-originated money transfer orders. Ask that such transfers must be made in person at a branch office. Same thing with any investment and brokerage accounts, especially if there's a local office that you can visit if need be.

This is also important for the elders in your life. More on Elder Abuse here.

Install Anti-Virus Software

You should have anti-virus software on your computer. Today's fastest growing malware threat is "ransomware" that silently encrypts all your data, then demands a large payment in Bitcoin. But there's plenty of other malware that can do all kinds of bad things. AV software on your computer is one of the first layers of defense (keeping the operating system and browser patched is the other). And don't think that using a Mac will necessarily keep you safe -- Macs see less malware, but they are not immune, and Mac-specific adware and ransomware exist. You just don't hear about them as often because Mac market share is so low.

Good products that can identify modern malware and dangerous websites aren't free. And don't reflexively buy Norton or McAfee just because you've heard the name. There's lots of good products out there. As an I.T. professional, I've used Malwarebytes Premium for years and find to be among the best so that's what I recommend. 

Buy Malwarebytes Premium through my link here and receive 25% off a two-year subscription. Full disclosure: I earn a few bucks when you purchase through my link.

More on malware here and here.

Backup Your Data

Malwarebytes Premium may help protect your data from encrypting ransomware, but it won't protect you from data loss due to fire, theft, flood, or equipment failure. For that, you need a data backup system. There are local solutions and cloud-based solutions, each with their own pros and cons. One caveat that applies to both: ransomware encrypts every drive it can reach, including an external drive that's always plugged in and a cloud folder that syncs instantly. Keep at least one copy disconnected, or use a backup service that keeps older versions of your files, and test a restore now and then. The time to backup is now, before data loss occurs.

Local solutions (external hard drives) are far cheaper over the long run, are much faster, and with the right software, will backup everything including the operating system, data, applications, all your settings -- everything.

Cloud-solutions cost a lot more over the long run (they are subscription-based), take longer especially for the first backup, and may not save every file. But depending on your use-case, there may be reasons to consider a cloud-based backup.

More on data backup.

Minimize IoT Gadgets

IoT stands for "Internet of Things". This is when an everyday appliance or gadget becomes cloud-enabled, like a thermostat, security cameras, the refrigerator, coffee maker, door locks, garage door opener, kids toys, and countless other things that never were before. It also applies to new things made possible because of the internet such as Amazon Alexa.

These gadgets are often poorly designed, have crappy security, rarely receive updates, and, unbeknownst to you, may be recruited into a "bot net", attacking other users and websites on the internet. If you must have them, change the default password, keep them updated, and put them on your router's guest network so a compromised light bulb can't reach your laptop.

Amazon's two-day prime delivery of post-it notes and flashlight batteries is one thing, but how much do you trust Amazon to not abuse your privacy with what is essentially a hot (live), internet-connected microphone in your home? I sure don't.

More on the security hazards of IoT gadgets.

Secure Your Laptop

Laptop theft is rampant and easy. A Kensington survey found that as many as 1 out of 10 laptops will be stolen during its lifetime. Gartner, a well-respected tech research firm, found that a laptop is stolen every 53 seconds. Whatever numbers you read, the takeaway is the same: Millions of laptops are stolen every year from airports, cars, offices, and in public places.

Laptop data security is an absolute must. Just having a login password won't cut it, either, because any half competent criminal or an I.T. guy (like me) can bypass that in minutes by pulling the drive or booting from a USB stick. Full Disk Encryption (BitLocker on Windows, FileVault on a Mac) combined with a strong password and an aggressive lockout policy is the solution. Two details matter: encryption only protects a machine that is powered off or hibernated, because a laptop that's merely asleep still holds the key in memory, so shut it down before it goes in a bag; and keep the recovery key somewhere other than the laptop, or you'll lock yourself out along with the thief. But I'll bet my retirement that you aren't doing any of that.

And don't think that having no data on your laptop protects you. All your website bookmarks and stored passwords are on the laptop as well. And that's okay, stored passwords relieve you from having to remember passwords so they can be long and complex, which is a good thing. But those stored passwords also let a criminal access your online accounts with ease.

It's bad enough if a laptop with your personal info is stolen. But what if the laptop had sensitive client information on it? Or access to sensitive accounts that contained such information? That could be a ruinously expensive, extinction level event for your company. Upward of 60% of companies, usually smaller ones, that experience a data breach are bankrupt within six months.


Laptop theft is just one way that data is breached. By properly securing your laptop, you eliminate that particular way as a possibility. 

In Closing

Some of the above advice may seem rather extreme to those who aren't security geeks -- especially the IoT warnings. Feel free to use whatever advice you think best for you. But understand this: Everything I've mentioned above is borne from actual events. It's all happened, many times. Some more than others.

The threats I've discussed above are all fairly easy to prevent but are often impossible to mitigate once they occur. The time to safeguard is before something happens.

I can assist with pretty much everything you've read above. Or contact your favorite I.T. or security pro to help you.