Sunday, March 20, 2011

Online Security

Recently, a family member of one of our geeks had his Yahoo! account hacked. It was not your everyday “I hacked your account, ha ha!” scenario. It was a systematic, possibly automated attack that was designed to steal his password, forward all e-mails to a different account, and send out e-mails to a few people in his contact list asking for money by dishing out a tale of woe. Full details and examples of such cases are available in our “More info” links at the end of this post. Another friend we know had a virus attack when she clicked on a pop-up message (while browsing the Internet) that said “Your computer is infected with XXX number of viruses. Click Scan now to clean your computer.” And we’re sure almost all of you have received one of those Skoost boxes, which, when you try to open it, does nothing perceptible but then sends out e-mails to a bunch of your contacts with supposed Skoost boxes, thereby harvesting a good number of e-mail account login details. These are just a few examples of threats to our online lives. And at times, such threats could be quite dangerous, leading to loss of money, time and data, and even harming your reputation (if your account is hacked, and an NSFW link is forwarded from your e-mail ID to all your business contacts, that would definitely harm your reputation).

Many security measures for online accounts and web browsing are being implemented by various websites and by software vendors such as Microsoft (for Windows), Mozilla (for Firefox), etc., but there are certain things that a user such as yourself could do to prevent (or at least reduce) the possibility of becoming a victim of account hacking or phishing. We believe in the old adage, “Prevention is better than cure.” So we’re trying to provide you with some tips and simple thoughts that could help prevent such risks. We’ll kick off, though, with a few basic facts.

  • No password or account is completely “unhackable”
  • A few simple precautions (which require extra effort) could go a long way in increasing online safety
  • DO NOT click anything and everything you see onscreen. Read any pop-up window or message completely and analyse it (read: think) before you click anything

1. You need a secure password

While many may shrug this off by saying “I’ve used a simple password for years; my account has never been hacked”, this is the basic rule of thumb of online security. If your name is TheIndianGeek, having a password such as TheIndianGeek or TheIndianGeek123 is really quite asking for trouble. Many websites nowadays require you to have a complex password. What we recommend is using a good mix of letters, numbers and symbols. Try to keep it as something that you’d find easy to remember, so that you won’t have to write it down somewhere. And please, don’t keep telling the password to your bestest friend, your best friend from another town, your cousins, your family or whoever else you want to tell it to. As long as you are the only one who knows it, the secure nature of your password increases a lot. If possible, we would also highly recommend that you use different passwords for your main accounts; don’t try to use a different password for every single online account you possess – that would be madness unless you’re a genius who could remember so many different passwords. Have a combination of a few passwords and distribute them across your accounts. We understand that it could get difficult to keep remembering different passwords for different websites, but for the sake of securing your online accounts, it’s worth the extra effort.
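To make the TheIndianGeek123 point concrete, here is a small checker, added as an illustration and not part of the original post. The function names, the minimum length of 10 and the substitution table are assumptions of this example, and the sample passwords are constructed.

```python
import re

# Common character substitutions undone before comparing with the username
# (assumption of this example, not a rule from the post).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text):
    """Lower-case, undo simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def password_problems(username, password, min_length=10):
    """Return the reasons a password is weak; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:  # min_length is an assumed threshold
        problems.append("too short")
    # The post asks for a mix of letters, numbers and symbols.
    classes = {
        "letter": any(c.isalpha() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Compare normalised forms so appended digits, changed case or simple
    # substitutions do not hide the account name inside the password.
    user = normalise(username.split("@")[0])
    candidate = normalise(password)
    if len(user) >= 3 and (user in candidate or user[::-1] in candidate):
        problems.append("based on the username")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for the account name used in the post.
    for pw in ("TheIndianGeek", "TheIndianGeek123", "Th3Ind1anG33k!",
               "kettle-Orbit-47-lamp"):
        print(pw, "->", password_problems("TheIndianGeek", pw) or "ok")
```

The third sample shows why the comparison is done on the normalised form: it has letters, numbers and a symbol, yet it is still just the account name in disguise.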

2. You need a secure computer

Again, a point that is sorely overlooked by most people accessing the Internet. The first step in possessing a secure computer is to not use a pirated Operating System. We’re not saying a genuine version of Windows would enable you to thwart all possible hacker attacks; we’re just saying that it decreases the chances greatly. In the end, it would be well worth the money spent on the Operating System.

Also, assume that any PC that you don’t personally own and maintain is not a secure PC. The PC at an Internet Café, a new shared PC at the office – many of them have viruses and malware running amok. Try not to log in to any of your personal accounts on such machines.

3. You need a good antivirus

With the Operating System being genuine, you need a decent Antivirus/Malware-sniffing software. We’ve found Microsoft’s Security Essentials to work really well (it’s caught some trojans and viruses by the neck and choked them to death at lightning speed, after connecting an infected pen drive, or downloading an infected file) and it’s free – so we highly recommend it. Then again, you’re going to need a genuine licensed version of Windows to be able to download and use Microsoft Security Essentials.

4. Do not transmit sensitive data using e-mail, SMS or chat

We’ve seen loads of people happily sending their complete bank account or credit card details via a simple e-mail, or via chat. If you do happen to have extra money lying around in your bank account that you really don’t need, The Indian Geek would be more than happy to relieve you of such a burden. Please don’t just hand it to the hacker who has no regard for privacy or decency or the law.

If you must send details – such as account login details or bank/credit card details – then use the split-send method to make them harder to hack and use. For example, if your Dad needs certain login details from you, send the username/e-mail ID via an e-mail or chat, and send the required password via an SMS. And please don’t mention this anywhere. Simply send him the ID via e-mail and the password using an SMS; you can always explain things to him over a phone call. This simple step would ensure that your accounts and other details are not compromised even if your primary e-mail/chat account is compromised.

5. Do not click on pop-ups, banners and messages

How simple is this? When you are browsing the Internet, and a banner pops up with a slight animation and a warning/error symbol asking you to “Click here” with a legitimate-looking button – don’t. It’s as simple as that. You know your computer, so you know what Antivirus/Malware-protection software you have installed on that computer. If a virus or malware is detected, then you know the kind of pop-up your Antivirus software would actually display – in most cases, the name of the software would be listed in the title bar of the pop-up or somewhere within the dialog box. So, it’s quite easy to detect these unknown boxes that pop up with no name/identification on them. A simple way to differentiate messages thrown by malicious software from the Internet from dialog boxes shown by software present on the computer itself is to look for the mouse cursor changing from the pointer to a hand. The hand symbol generally appears when you move the mouse cursor over a link; so if the mouse pointer changes when you move it over the “Click here” or the “OK” button in such a dialog box, then you can rest assured that it’s not your antivirus prompting you, but some ill-meaning website.

6. Secure web browser

Yeah, get yourself a decent, modern web browser which has many security features built in to thwart the attempts of hackers and other users of malicious code. Basically, any modern web browser would do – such as Internet Explorer 9, Firefox 4, Google Chrome 10 or Safari 5. Some of us prefer to browse unknown websites in Google Chrome, since Google keeps a blacklist of websites that contain malicious code, and when you try opening such a website in Chrome, it instantly warns you of the possible threat and also tells you the nature of the threat and when it was last detected on the website by Google. That’s really nice, because it means you don’t inadvertently download malicious code/software from some random site just because you visited it.

7. Always use HTTPS only, where available

This is an option being offered by many online website accounts now – Gmail has offered the option for quite some time, and Twitter recently started offering it. Basically, HTTPS is a slightly more secure connection than HTTP and should keep away all except the most industrious and dedicated hackers. Whatever online account service you use, check if such an option is available and how you could enable it. It could save your online account.

8. Look out for phishing

In our opening lines to this article, we talked about Skoost boxes. If you are wary enough to notice when a website doesn’t look like what it’s supposed to look like, then you can’t and won’t get affected by phishing. Skoost is mostly just a nuisance, but many websites try to mimic online banking services; you really need to be wary of e-mails which are “supposedly” from your bank, asking you to log in and do something. As far as we know, banks in India never send out e-mails asking you to log in for anything – you have an option to log in, but they don’t send out e-mails requesting you to do so. Even if you do get such an e-mail, don’t click the link in the mail. Access your bank account the way you would normally access it – by typing in the address in the URL bar of the web browser that you are using.


Finally, we would like to say that most of online security comes from the user end. If you are wise and act cautiously, then you could be safer – not immune, though. Just keep this in mind – with the billions of dollars that companies like Google, Microsoft and Apple invest in security-related expenses, for their own servers and for our personal accounts, software, etc., it would be a sheer crime if we didn’t expend even a little of our energy to ensure that those billions of dollars don’t go to waste. Let’s ensure that our online lives are as secure as they can be. If you readers have more ideas on increasing security for online living, please go ahead and point them out in the Comments below.

More info: Yahoo! Answers, Gmail forum, Hotscams

