Not everyone afford their own data security specialist. We are here to help! There are common sense security protocols that everyone should implement, or at least be aware of to be reasonably secure. Generally speaking, you should operate as if someone is potential watching or trying to gain access to your information. Here’s a list of things to keep in mind to be secure, in order of importance:
- Password Strength
- Password Reuse
- Physical Access
- Trojan Horse
- Email History
- Two-Factor Authentication
- Man in the Middle
- Cross Site Scripting
- Hardware and Software
The most common (and easiest) way for a hacker to gain access to your information is through a “brute force attack”. In this attack, the hacker has a huge list of passwords and tries them all at several hundred/thousand per second. Here is a 15 gigabyte dictionary of passwords that contains hundreds of millions of the most common passwords. If you’re interested, you can download the list and see if any of your passwords are on it.
All your passwords should be—at an absolute minimum—10 characters. Computationally guessing passwords is exponentially more difficult as length increases. Length of your password is much more important than randomly substituting 0s for Os and 1s for Ls. For an example of how that works, check out this comic.
Don’t reuse your passwords. This is the second easiest way to hack someone. Every website with which you’ve created an account has your password. If they’re nice, they aren’t storing your password in plain text. If they are nefarious, they can use that password for ill.
For example, let’s say you created an account with “www.site.com” with the email “firstname.lastname@example.org” and the password SecretPaSSw0rd#1 but, while Site.com provides an actual product, their real revenue comes hacking the accounts of their users. What they will do is try that same email-password combination on wellsfargo.com, bankofamerica.com, and every other website from which they can extract value and, if you reused your password, take your stuff.
You might be asking yourself, “But how am I to remember all those unique passwords?” Simple. Use a pattern. An example pattern would be to take two random objects around you. For example, consider the book Breakthrough and the board game called Power Grid. Then pick a random number and a special character to satisfy the requirements of some sites. So your base password will be “1#BreakthroughPowerGrid”.
Then “salt” your password. This is a way of making it unique. An easy way to do this is to take the first and last letter of the domain for which you’re making the password and use the military alphabet equivalent. For example, most people use google.com for online search. The first letter is “g” (golf) and the last letter is “e” (echo). So my new password is golf1#BreakthroughPowerGridecho, which is nearly impossible for a hacker to guess and easy to remember. All you have to do is remember is the base password.
Don’t give physical access of your computer to anyone. It is shockingly easy to take control of someone’s life with just a few seconds of physical access. With 30 seconds of physical access, an intermediate-level programmer can do just about anything with your computer and your data. Check out this article to see just how easy it is.
Not to mention the fact that Snowden, Chelsea/Bradley Manning, the Sony hack (no, it was not North Korea), and almost every other leak you’ve heard of was due to physical access.
Don’t install random applications onto your computer. A trojan horse is a virus that you knowingly install onto your computer, but you didn’t realize that it did more than you had bargained for.
For example, say you installed a free piece of software that converts a video into a different format. This is all well and good, except the person who made the software also included a tracker that sends all of your keystrokes to their server in Russia. Obviously, not ideal, and unless you knew what to look for, you would probably never know this is happening.
Also, be aware that files that end in .exe (windows) and .dmg (mac) are executables. This means they will install themselves on your computer. Don’t run these unless you are confident that the source is legitimate.
These are those random emails you receive from Nigerian princes and hackers in Russia and China. Email is a technology made by people who were too trusting of the motives of others. Most people don’t know this, but it’s trivially easy to spoof an email.
However, while you can send emails promiscuously, only the legitimate owner can receive them. So if a hacker sends a spoofed email pretending to be someone else and you respond, it will go to the proper person. He will likely be very confused since he never sent the original email.
It is for this reason that you should be extremely careful when downloading attachments from emails. Emails are incapable of including executable code in their body, so it isn’t particularly risky to open them.
That said, there are certain trackers that can be added to emails. It is possible for someone to find out whether or not you opened the email, and the location from which you opened it. This doesn’t bother most people, but be aware that these things exist.
First, just accept the fact that the U.S. government and quite possibly the Chinese and Russian governments have all of your emails and there is nothing you can do about it. Email is an inherently insecure form of communication by design. If you need to transfer sensitive information, do not use email.
On another front, since storage space is effectively unlimited, most people keep an archive of their email history that effectively spans their entire digital life. If your email account is compromised, this trove of personal information is a hacker’s dream.
Up until surprisingly recently, it was common practice for websites to send a user’s password via email in plain text. Try searching for the word “password” or search for some of your current passwords in your email history and go back a few years. You’ll probably find a few emails that contain your password in plain text. This is common and obviously problematic.
There are also legal considerations upon which any lawyer can probably elucidate. If you are subpoenaed, you must turn over all of your emails. Technically, these emails cannot be made public by your legal adversary, but with the ubiquity of anonymous drops (wikileaks, et al) they can easily do this with no fear of repercussions.
Personally, we delete all emails >2 years old. We don’t keep old emails offline on a flash drive and we have never once needed an email from any deleted time period. If you’re a security nut, the emails are not technically deleted and overwritten on the server but the keys relating to them are deleted after a two-week waiting period. But for all practical purposes, you can consider them deleted since they’d only be recoverable by an entity like the FBI.
If you are nostalgic and want to keep your emails, most services (gmail, etc) give you the ability to download an archive of your email history. You can then transfer this archive to a flash drive and keep it offline and safely delete all of your existing emails from your mail server. Just be aware that in the event of a subpoena or other legal action, you are still obligated to turn over this flash drive (even if they don’t know about it) and you would be violating the law if you don’t turn it over. It’s probably best to just not have them.
Utilize two-factor authentication for anything important. This is when you receive a text or use a service like Google Authenticator (which is way better than a text for a number of reasons) that you then need to enter before you are granted access to an account. It is much more difficult for a hacker to attain your mobile phone number and online password. This is another barrier to protect your information
Man in the Middle
Be careful when using public wifi networks. A man in the middle attack is when you and someone else are on the same wifi network and they intercept your connection before passing it along. Utilize your smartphone hotspot or use a VPN. I would suggest privateinternetaccess.com, which has a fast VPN and it’s not expensive.
The way browsers are supposed to work is that each domain (i.e. google.com, twitter.com) only has access to its own information. If you access a compromised website, they will inject malicious code into your browser that leaks information across domains. This is probably the most pervasive technical security vulnerability at the moment.
The way around this is to use something like Chrome’s incognito mode when browsing anything sensitive, such as your online banking. If you aren’t using Chrome yet, get with the program and start using a modern browser that protects you against most of this stuff.
This is when a hacker uses an advertising network to inject malicious code into an advertising block of a website. This is one of the most commonly used tactics of governments.
The best solution for this is to use an ad blocker that blocks third-party connections (which they all do). Companies that deal with secure information (banks, et al) generally require their employees to use an ad blocker.
Hardware and Software
Some hardware/software is just better than others at security. As a general rule, be aware that Windows products are more vulnerable to hackers. And nobody should use Internet Explorer under any circumstances.