The importance of computer and online security has been growing steadily as people do more and more things on the Internet. Online shopping and banking are just two examples where you might lose your money to cyber-crooks.
But companies also lose their databases with sensitive information to cyber-criminals. There is really nothing much you can do to prevent this. Breach Level Index has a database of security incidents and their severities. Most companies send information about such break-ins via e-mail; please do not ignore these notices, and change your password and other security information immediately.
To quickly check if you've fallen victim to a data breach, visit https://pwnedlist.com/ and enter the e-mail address(es) you use for your accounts. If any of your accounts appears to have been compromised, change the password and security question (if available) immediately! If you re-use that password on other online accounts, change those as well.
I'll list some of the most common misunderstandings about security and privacy, followed by steps that help you stay safe online.
Misunderstanding no. 1 - I have nothing interesting on my computer, therefore I do not need protection
Why would you think that the bad guys want your pictures or documents? They don't; it is so much easier to steal your (nude) photos from your smartphone and tablet, so please delete all compromising material from your "smart" devices ASAP.
You are probably not a celebrity, so they couldn't care less about your vacation or bathroom photos and videos (but nude selfies can ruin your career or life). Unless you work for government or security agencies or in sensitive industries, they do not care about your CV or the documents in your Documents folder either.
But cybercriminals do want your computer (plus tablet, smartphone, WiFi router, etc) and your money!
Your PC is a valuable asset for cyber-crooks around the world. They (ab)use hacked, Internet-connected devices to send spam e-mails, route malicious traffic through the Internet connection you are paying for, attack and infect other devices, and steal valuable information from really important servers that you might log in to (including your bank's). And often you do not even notice anything weird: malicious programs are good at hiding themselves and they usually do not disrupt your everyday work. Staying hidden is their second most important purpose. How would you like the police knocking on your door and accusing you of bank robbery or international espionage? Can you prove that you did not do it?
And what about your money? You do have online bank and shopping accounts, and credit cards? Malware is capable of stealing your login credentials (including smartcard details) or hijacking your secure (HTTPS) sessions with banks, and this gives cyber-criminals full access to your bank account. Are you really sure you want to share your paycheck with them?
Misunderstanding no. 2 - cybercrooks are just kids, let them have fun
Yes, a few of them are kiddies looking for fame. But what should worry you is that the yearly revenue of cybercrime is more than 100 billion U.S. dollars. Some security researchers even state that it is surpassing the illegal drug trade by now. In 2011, several cyber gangs were arrested; one of these had over 72 million U.S. dollars in its accounts, and another person had over 12 million dollars in his account. This was money stolen from victims of fake anti-virus attacks.
Cybercrime is very profitable and that is why they want your computer!
Criminals create botnets that often consist of hundreds of thousands, and sometimes more than a million, computers just by exploiting security holes that lazy or unknowing users do not care to patch. For example, the Conficker botnet (created by the guys behind the computer virus of the same name) contained about 4.6 million computers around the world. Think about it: that's bigger than Amazon, bigger than Microsoft, bigger than Google!
Those botnets are used to spread spam and malware, conduct denial-of-service and other attacks, and carry out illegal break-ins to sites containing sensitive information, banks, etc. This is not for fun. Crooks get paid for doing this.
If your computer is infected, do not ignore it!
Turning a blind eye is not a solution: your infected computer can make the lives of hundreds or thousands of other people a misery by spamming, attacking or breaking down their computers. Check for viruses and other malware at least once a month; this can be automated easily, and links are provided later in this guide.
Misunderstanding no. 3 - I have a patched machine, therefore I do not need anti-virus; I have anti-virus, therefore I do not need patches
Oh yes you do! A fully patched machine can still be infected with malware: security patches do not make your PC safe from viruses that spread via USB sticks and e-mails. Any decent virus protection program now protects your computer from spyware and rootkits, too. But anti-virus alone cannot protect your computer at all times; you still need to patch security holes. Sometimes all it takes is a five-second visit to a seemingly good website that carries a small hidden script exploiting unpatched security holes on your computer. This script downloads a small nasty program to your computer without you ever noticing it. And there you have it again: your computer has been hijacked by criminals.
Cybercriminals use many different ways to hijack a computer, because it pays off.
Protection is an all-round attitude. You need security patches and anti-virus and anti-malware programs to stay protected. All this can be automated for free, so ask yourself: "Do I want to face the consequences of my laziness, or spend less than one day setting up security and be safe from now on?"
See this fantastic TED presentation by Mikko Hyppönen, head of the Finnish anti-virus company F-Secure, about how viruses have evolved and how they threaten important parts of our lives. It's 17 minutes long, but well worth your time.
Then extend your knowledge about online attacks and privacy with another TED presentation from the same guy. He knows what he's talking about.
1. Keep your software up-to-date. This applies to Windows, Internet browsers, productivity programs (Microsoft Office, OpenOffice.org, LibreOffice) and especially to "black sheep" such as Java, Adobe Flash Player and Adobe Reader.
Most programs have automatic update checks built in, please turn these features on.
- Configure Automatic Updates in Windows
- Use free Secunia PSI (applies to all Windows versions)
- Configure your Internet browser properly to stay safer online (Google Chrome, Internet Explorer, Mozilla Firefox and Opera)
Use different browsers for different tasks. For example, use Internet Explorer for everyday tasks such as social networking and casual web browsing, and an alternative browser (Chrome, Firefox or Opera) for online banking and shopping only. This will minimize the possible damage.
Consider a privacy-enhanced web browser, such as Epic Privacy Browser.
If you must access very sensitive data frequently, use a bootable Linux CD. This way, nothing from the session is stored on your hard drive (and therefore cannot be accessed later), and even if Linux does get infected with malware (highly improbable!), it is fixed with a simple reboot.
Puppy Linux is a perfect example of such a bootable medium. Please note that your Internet Service Provider (ISP) still logs all your Internet-related activity, so this is not a good way of doing something illegal.
2. Use different passwords for different computer accounts and online accounts, and make those passwords strong. Keep your passwords safe: do not write passwords on paper, do not save them to an unencrypted file on a computer or store them on your mobile devices, and do not even think about writing security codes on bank cards. Use the free software linked below for storing and auto-filling user names and passwords securely.
If possible, enable two-factor/two-step authentication: this can easily be done for your Google, Microsoft, Twitter, LinkedIn and Facebook accounts. Receiving a confirmation SMS with a unique access code is a huge step towards better security: even if cybercrooks steal your password, they cannot misuse your account without having physical access to your mobile phone. 2-step authentication also means that you will know immediately if someone else tries to access your account.
Remember, if you use the same password for Facebook, Gmail, your bank and online stores, it only takes getting hold of one of these accounts and the rest will be taken over in minutes by automated attack scripts! I repeat: do not reuse passwords!
Do not forget to change the default passwords of administrative accounts in network-related hardware and software: (wireless) routers, switches, Wi-Fi access points, security devices, etc. Botnets and attacks that spread by misusing default passwords are not rare anymore.
Never leave your Wi-Fi network open (without a password), and do not use WEP or WPA encryption because these are easy to crack. Use nothing less than WPA2-PSK (Pre-Shared Key) encryption for Wi-Fi.
Here's a story that you would never want to happen to you.
- GRC ShieldsUP! tests your computer/firewall/router for open ports. After clicking Proceed, use the large yellow button to run the UPnP (Universal Plug and Play) test. The smaller grey buttons below it allow you to detect open File Sharing ports, Common ports, or all ports.
Normally, all ports should be closed: typical home users do not share anything with the world.
- check-and-secure also checks for open ports, and the Check IP address for anomalies button verifies that your external IP address has not been active in any botnets.
- F-Secure Router Checker verifies that your router has not been hijacked by some DNS-changing worm. DNS (Domain Name System) resolves website names (such as www.startpage.com) to IP addresses (such as 184.108.40.206), and a malicious DNS server can send you to some infected website instead of the real one.
Please do not use any open (that is, unencrypted) Wi-Fi networks for accessing sites that require logging in: all your account data can be visible to the network owner! Many open access points have been set up just to steal sensitive data. Use either VPN connections or Trusteer Rapport to protect your sensitive data.
Do not reveal your passwords to anyone else, ever! No bank, social network, IT support or any other institution requests passwords and user account names via e-mails or web pages.
If you see a login page after clicking a link, always verify you are on the correct web page by examining the browser's Address Bar carefully. No, crooks.co.cc/facebook-login.php is not the same as facebook.com; itwiter.com is not the same as twitter.com, etc. Many phishing pages mimic the looks of important web pages to make sure careless victims enter their user names and passwords. Identity theft works this way.
Change your most important passwords at least once a year. Use a program to keep your passwords safe; never write down full passwords or user names.
Do not use easy questions for recovering your password (what is your pet's name, what is your kid's name, in which town were you born, etc) for online services such as banks or Gmail, because the answers are easy to find by visiting your Facebook or Twitter profile or doing a simple search on Google. If possible, create your own security question.
Also secure your Facebook profile so that all personal information is visible to you only.
3. Use effective anti-virus and anti-malware programs and keep them up-to-date. Yes, you can grab such software for free! Perform a monthly full anti-virus and anti-malware check with free scanners such as Malwarebytes Anti-Malware.
4. Use other free security software that keeps you away from malicious web sites and protects your information.
Test and extend your knowledge with the Beware of Spyware Game by OnGuard Online.
5. Do not trust attachments and links in e-mails coming from people or organizations unknown to you. Be especially careful with .zip (compressed) and .exe (executable) files!
Do not blindly click those Yes and Next buttons everywhere; always consider what you are doing, installing or launching. Stop and think before clicking.
Hover your mouse pointer over a link before clicking and see whether it points to the promised site or to some phony one.
Always verify that you are on the promised web page by taking a careful look at the browser's Address Bar.
6. Do not believe everything: web sites, social networks (Facebook, Google+, LinkedIn, Twitter, etc), web advertisements, online conversations (Skype, Yahoo and AOL Messenger, etc) and e-mails that promise you tons of cash, lotto winnings and expensive goods for free or at a low price are not safe. Even when those e-mails or messages seem to come from your friend or acquaintance! E-mail sender addresses can be easily forged. Never respond to such e-mails; never click on such advertisements or links.
Any web ad that displays scanning progress and then says that you have viruses or malware or anything else bad on your computer is fake! Web advertisements cannot scan your computer and these are cybercriminals' tricks to take over your computer by enticing you to buy a fake antivirus program (aka scareware, rogue software). Do not click on such ads!
Read step 3 to select a free and effective anti-virus program and a free and effective anti-malware program.
Special note for you, boys: e-mail and online conversation links that promise to show the hottest female celebrities naked are fake; those web sites try to install malware on your computer and will ultimately empty your bank account.
See if you can spot spam by playing the Spam Scam Slam Game by OnGuard Online.
7. Do not send your personal or financial information (name, birthday, address, phone numbers, user names and passwords for online [bank] accounts, social security number, passport id, credit or debit card numbers, etc) to people, organizations and web sites you do not know. When someone sends you an e-mail claiming that you can earn thousands or millions of dollars just by letting someone use your bank account for a money transfer, it is a lie. They will steal your money or identity. If you do not know a person or organization, do not trust them.
8. Take control of the information you reveal about yourself on social networks (Facebook, Pinterest, Google+, Twitter, etc). Do not share your personal information with everyone; it can be used for identity theft. Do not accept people you do not know as friends. Where possible, put new online friends in restricted groups and show them only your first name.
9. If you think you can't live without P2P (peer-to-peer) programs such as BitTorrent, Soulseek, LimeWire, eMule, etc, make absolutely sure you are not sharing your whole hard drive or your entire Documents folder. Create a dedicated download folder for each P2P program and share only that folder! If possible, limit shared file types to MP3 or similar, but never share documents with extensions such as .doc, .txt, .rtf, .xls, etc.
It is quite shocking what one can find using P2P programs: unprotected files with passwords, credit card, passport and driver's license details, PIN codes, etc. Do not give cybercriminals a chance for identity theft!
10. Do not even dream that you are anonymous online. Watch your language and actions; you can be tracked by both criminals and law enforcement. Besides, the advertising industry tries to track all your online behavior anyway.
To reduce possible tracking by major search providers, use private search engines: Start Page and Duck Duck Go are good examples.
Use a privacy-aware web browser for sensitive tasks: Epic Privacy Browser is a good one.
11. Learn to distinguish between phishing sites and real sites. Real financial sites always use secure transactions, so their addresses must start with https://, not http://. Furthermore, any modern Internet browser (such as Internet Explorer 9 and later, Mozilla Firefox, Google Chrome) displays a light green address bar for sites that use encryption for security purposes.
The easiest way to tell phishing and non-phishing sites apart is to look for misspellings in the site address and contents: if you're trying to buy something from eBay, its address is http://www.ebay.com, not http://www.eebay.com or http://www.ebay.com.fakers.cn. Furthermore, phony sites often contain a myriad of typos in their contents and headings.
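The address-bar checks above (steps 5 and 11: hover over the link, look at the host, expect https://) are easy to get wrong by eye, because the real owner of a web address is the part just before the public suffix, not the first word after "http://". The following is an added example written for this guide; it is not a tool from the page or from any vendor named here. The function names, the tiny public-suffix list and the sample addresses are assumptions for illustration only. Given an address and the domain you expect, it reports whether the connection is HTTPS and whether the host really belongs to that domain, so "www.ebay.com.fakers.cn" comes out as fakers.cn and "crooks.co.cc" is not facebook.com.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny list of "public suffixes": names under which
# anybody can register a domain. A real checker uses the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "cc", "co.cc", "com.cn"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that somebody actually registered.

    'www.ebay.com'          -> 'ebay.com'
    'www.ebay.com.fakers.cn'-> 'fakers.cn'
    'crooks.co.cc'          -> 'crooks.co.cc'
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longer suffix first so that 'co.cc' wins over 'cc'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def check_login_url(url: str, expected_domain: str) -> dict:
    """Check an address the way the guide tells you to read the Address Bar.

    Returns a dict with the real host, its registrable domain, whether the
    page is served over HTTPS, whether the host belongs to expected_domain,
    and 'ok' only when both conditions hold.
    """
    # Address bars often show the host without a scheme; treat that as plain
    # http so the HTTPS check fails rather than the host being lost.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # .hostname drops any 'user@' prefix and port, so a disguised address such
    # as 'https://facebook.com@crooks.co.cc/' resolves to the real host.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    same_site = bool(host) and domain == expected_domain.lower()
    is_https = parts.scheme == "https"
    return {
        "host": host,
        "registrable_domain": domain,
        "https": is_https,
        "same_site": same_site,
        "ok": is_https and same_site,
    }


if __name__ == "__main__":
    # Constructed sample addresses, including the look-alikes from the guide.
    samples = [
        ("https://www.facebook.com/login", "facebook.com"),
        ("http://crooks.co.cc/facebook-login.php", "facebook.com"),
        ("https://itwiter.com/login", "twitter.com"),
        ("http://www.ebay.com", "ebay.com"),
        ("http://www.ebay.com.fakers.cn", "ebay.com"),
        ("https://facebook.com@crooks.co.cc/", "facebook.com"),
    ]
    for url, expected in samples:
        r = check_login_url(url, expected)
        verdict = "OK" if r["ok"] else "SUSPICIOUS"
        print(f"{verdict:10} {url:45} host={r['host']} domain={r['registrable_domain']} https={r['https']}")
```

Run it as a script to see the verdict for each constructed address; only the genuine HTTPS addresses under the expected domain come out as OK. The important design point is that the comparison is made on the registrable domain extracted from the parsed host, never on a substring match of the raw address: "facebook.com" appears inside several of the suspicious samples, and a substring test would pass them all.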
Both WOT Safe Surfing Tool and Trusteer Rapport keep you away from phishing and malicious sites for free.
And believe me, your bank will never ask you to enter your credit or debit card details on its web page! If you get an e-mail saying that your bank account will be suspended unless you enter your card details or login name and password on some web page, just ignore the e-mail and do not click any links in that mail. No trusted organization will ever ask for your personal information (PIN, user name or password, bank card details) in an e-mail! Never ever!
But go ahead and take the test at a VeriSign-sponsored site (they do promote VeriSign a lot there, but the first part of the test is really good anyway) and see for yourself whether you can spot phishing sites: Symantec Race to Stay Safe
Final things to summarize it all
You are not safe online unless you take preventive actions now. Full stop.
You can also read how people get scammed (this might look a bit boring in the beginning, but read the seven main principles; these are really good!) at Help Net Security.