The Internet is a wide, wonderful place filled with fun and knowledge. A place for global communications and instant access to more information than humans have ever had before. It’s also not without a dark side, a dangerous side filled with people out to steal, defraud and harm. The tools we use to access the Internet have been built for speed and accessibility but the security around those computers, mobile devices, IoT gadgets have been lagging. That leaves the regular users at risk for being compromised and their private data being stolen and used against them. Fear not, there are very simple things you can do that will help you stay safe and avoid 99% of the pitfalls.
Everyone can fall for these tricks and stumble into problems. The John Podesta email hack was nothing more than clicking on a malicious link in an email he thought to be ‘safe’. The criminals recorded his username and password and use that to download all his emails. It’s that simple to do and easier to avoid.
Here are the core practices you should use to avoid being hacked, getting your computer infected and/or your identity and financial information stolen.
Don’t Click On Links In Emails
Email is the primary method of communication for most people now but with the heavy use comes a false sense of security. Instead of assuming every email you get is legitimate assume they aren’t. Even emails from family, friends or your co-workers never assume they are safe. Slow down and check the email first. Make sure the email address, not just the name, is correct. Check the time it was sent, emails sent in the middle of the night tend to not be from them unless they are night owls. Especially be suspicious of every single link in an email you get, trusted sender or not.
Look at this link -> http://binaryblogger.com/Safe-Email-Checker.
Did you blindly click on it? If you did, shame. If not, good for you.
Go back to the link, but don’t click on it. The text looks legit. It’s formatted like a webpage. It’s named professional looking. If you look deeper and understand how HTML links work the text you see is not the actual link. Hover your mouse over the link and you will see the target webpage in your browser show up before you click it. That’s the real webpage and that’s how phish emails work.
They have links with text to fool the un-educated that makes them assume that the link is for the real Wells Fargo or Bank of America. When they click the link the webpage there looks like the real Well Fargo login (anyone can make any page look how they want). When you enter your username and password you just gave it to the hacker. Too late at that point.
The best practice is to use you own bookmarks or manually type in the web address yourself. Don’t trust the email link on unsolicited messages. Make sure the target is going to the legitimate site. Slow down, measure twice and click once… or better don’t click at all.
Don’t Open Attachments
The next big mistake people make is blindly open attached files in emails. We are the point now in the Internet with cloud services, online drives, shared folders to not have to send files in emails. Like emails with links, email with attachments should be deleted unless you are expecting exactly what you are sent. Hackers have brought back an old malware infection method of using MS Office files (Word and Excel primarily) with malicious macros. An attached file is significantly more dangerous than clicking on a link. Once you open a file you have no idea what it is loading or even if the file you think you are opening is what it says it is.
Use Dropbox, Box or OneDrive to share files back and forth between people. Use email services with anti-virus message scanning enabled. If you are not expecting a file from a sender delete the email and contact the sender.
Keep Your Computer, Devices and Software Up-To-Date
Patch your stuff. Apply every update that is released for your computers, phones and browsers as they are released. Turn on auto updates to make sure you don’t forget to patch. Most patches released fix security holes. Hackers use those patches to attack those they lag behind. When a patch is released everyone knows what security gaps exist. Hackers attack those.
Don’t wait to update. If you get a notice to update, do it.
Don’t Download Every Browser Extension Or Software You Come Across
Games, browser plugins, desktop themes, cool shareware apps… most are crap. Stop downloading them, you can live without them. If you insist on downloading something do some research first. The first step is to find and goto the maker’s website and download it from the source. Try to stay away from downloading websites. Most of those sties repackage software and throw in bloatware, malware packages and other stuff that gets you into trouble. When you install anything don’t hit Next, Next, Next to get through it. Read each screen because another trick is to slide in additional software that you may not want installed. The common ones are to install the Chrome Browser, Flash, Yahoo toolbars and other extensions that will fill your computer with bloat.
Don’t Trust Web Based Update Alerts
Eventually you will be browsing normally and suddenly an alert box will pop up that your Flash, Anti-Virus, Windows or some other software is out of date. There is a link or button to hit that will supposedly take you to an update page. 99% of the time these are malicious and will infect you with malware if you go through it. They are website pop ups delivered through malicious ads or web pages you hit. Ignore them. Like emails, if you are concerned about the legitimacy of the message you can do these steps to ensure your safety. Close all the browser windows and open a fresh browser. Then goto the websites of the alert directly yourself through a bookmark or manually typing in the address. If the alert was a generic ‘security software’ update without naming it. Fake.
Once on the vendor’s webpage check for the latest versions to make sure. That’s the safe way to go about it, never, ever trust of follow a pop up window that tell you otherwise. There are more fake messages like that than real ones from your system.
Have Good Account And Password Practices
I cant stress this one enough and have written about it many times before – here, here and here. Follow the main rules. Never use the same password on two different websites. Create complex passwords not based on words. Change them often. Better yet, use a password management tool like LastPass to do it for you.
Be Smart By Being Skeptical
If it seems to be too good to be true, it is. Especially on the Internet.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.