The Internet is a marvelous, but scary and dangerous, place. And there's a good chance that most of what you think you know about staying safe is out of date.
Here's a summary of the major risks I've seen for individual users recently, and some tips on how to protect yourself against them. (A business or government will of course face more, and more sophisticated, threats- this article is about individual users, with mobile gadgets or home PCs.)
Not everyone faces the same risks, or has the same technical skills to counteract them, so where it's applicable, I suggest three levels of prevention.
Level 1 is the most basic stuff that everyone can, and should, do to protect themselves. If you can't follow these rules, then no offence, but you really should not be on the Internet unsupervised.
Level 2 is a reasonable, not-too-onerous level of caution. If computing is a significant part of your day to day life, you owe it to yourself to learn about, and follow, these techniques.
Level 3 is additional steps I recommend for anyone who deals with sensitive information, software or tasks beyond the standard consumer fare, and anything involving the... sketchier parts of the Internet. Patience and a willingness to learn new things are required.
Email & Phishing Scams
We've all seen more than our share of traditional junk email. Drug ads, 419 scams (the "Can you help me smuggle $19M out of Nigeria" memo), and just plain incoherent nonsense.
The modern stuff is more clever and more insidious. Targeted spam often includes logos and templates stolen from the websites of real banks, carefully obfuscated links, and legitimate-sounding lawyer or banker language designed to scare you into immediate action.
- Delete as "junk" any email that includes a login link for a financial institution of any kind. No legitimate bank or payment service ever sends, or requests, account information over email.
- Never send a password or username in response to an email.
- Never send sensitive information (credit card numbers, tax IDs, etc.) over email.
- When logging in to PayPal, VISA, your bank, etc., always enter the address directly (e.g. by typing www.paypal.com in your browser), never by clicking a link in an email.
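The "hover before you click" habit can be automated for a mail body: an added example (not from the original post) that flags links whose visible text names one domain while the href goes to another, links to a bare IP address, and plain-http links. The sample HTML is constructed, and the "last two labels" domain rule is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample of a phishing-style email body (not a real message).
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://paypal.com.login-verify.example/x">
https://www.paypal.com/signin</a> to restore access.</p>
<p>Or visit <a href="https://www.paypal.com/help">our help centre</a>.</p>
<p>Secure login: <a href="https://192.0.2.10/paypal/">paypal.com</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(host):
    """Crude 'last two labels' approximation (paypal.com); real code would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    """Return [(href, [reasons])] for links that deserve the hover-and-check treatment."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("bare IP address instead of a hostname")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(0)} but href goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```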
I have accounts on at least 95 different services: forums, stores, banks, email accounts, server control panels, the office network, and more. I am not atypical in this.
If I use the same password everywhere, then a successful hack on only one of those 95 services will compromise my accounts on all of them.
What often happens is a list of hashed passwords gets stolen from some backwater site, and- after a few days of poking at it- the bad guys manage to extract the plaintext login credentials as email/username/password groups. They then try these credentials on more popular sites, like Hotmail and Paypal. When they find some that work, they use them to wreak mayhem under your name, or sell them to spammers.
- Have several passwords for different security levels- perhaps it's OK to use the same password on all your discussion forums, but don't use your bank password or your email password for anything else.
- Passwords should be as long as you can remember, and the most important ones (email and bank) should be changed periodically.
- Passwords must not be real words, or anything that resembles real words. (There are exhaustive dictionaries of the most popular passwords and what patterns work for breaking them; writing in L337speak, for example, is very easy for a computer to break.)
- Change the default admin passwords on your router, computer and other gadgets. The bad guys have lists of the default passwords to every gadget ever sold.
- Use a unique password for each service, and use a cryptographically secure tool like KeePass or LastPass to store them so you don't have to remember 95 different random strings.
- Protect the master database with a really long, impossible-to-guess passphrase. A string of four or five random words chosen from three different languages is a good bet.
- Use public key authentication (e.g. SSH) whenever possible, and use two-factor authentication for any services that offer it.
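To put numbers on the passphrase advice and the L337speak warning above, here is an added example (not from the original post) that draws a multi-language word passphrase with a CSPRNG and compares its entropy against the other password styles; the word lists and the dictionary sizes are constructed assumptions.

```python
import math
import secrets

# Constructed mini word lists for the demo; a real list (e.g. Diceware) has thousands of entries.
WORDLISTS = {
    "en": ["anchor", "bridge", "candle", "dragon", "ember", "falcon", "glacier", "harbor"],
    "fr": ["avion", "bateau", "cheval", "dentelle", "etoile", "fromage", "girafe", "hiver"],
    "de": ["apfel", "baum", "kirsche", "drache", "eule", "fenster", "garten", "himmel"],
}

def entropy_bits(choices, positions):
    """Bits of entropy for `positions` independent uniform draws from `choices` options."""
    return positions * math.log2(choices)

def make_passphrase(n_words, lists=WORDLISTS):
    """Draw n_words uniformly from the union of all lists using secrets (never random.choice)."""
    pool = sorted({w for lst in lists.values() for w in lst})
    phrase = " ".join(secrets.choice(pool) for _ in range(n_words))
    return phrase, entropy_bits(len(pool), n_words)

def compare_strategies():
    """Entropy of the password styles the article contrasts (assumed dictionary sizes)."""
    return {
        # one word from a ~100k-word dictionary plus ~8 bits for L337/case substitutions
        "leet_dictionary_word": entropy_bits(100_000, 1) + 8,
        "8_random_printable_ascii": entropy_bits(95, 8),
        "5_words_one_7776_list": entropy_bits(7776, 5),
        "5_words_three_7776_lists": entropy_bits(3 * 7776, 5),
    }
```

The comparison only holds if the words are chosen at random from the whole pool; a phrase you pick by hand is a dictionary attack target, not a random draw.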
A lot of popular software comes bundled with advertising toolbars, spyware and other undesirable junk. Many cases of "my computer is slow and there are ads everywhere" have their roots in a piece of "free" software that had a bunch of crap hidden alongside it.
- Never accept a prompt saying "You need to install ___ to view this content". Instead, write down the name of the program, then get it directly from its manufacturer.
- Never click through an elevation prompt (a "This operation requires administrator privileges" box) without first confirming that the program requesting access is, in fact, the one you are trying to run and that it makes sense for it to need that access.
- When installing software, always choose the "custom" install mode and turn off any toolbars or other unnecessary tag-along junk.
- Before installing any piece of software, Google for terms like "program x malware", "program x spyware" and "program x removal". If the results look fishy, don't install it.
- If it comes from a company, they have to make money somehow. Be suspicious of "free" commercial software from companies whose business model is not obvious- you just might be the product they're selling to their real customers. (This does not apply to genuinely free software, such as software written for the GNU project.)
Websites loaded with nasty software are nothing new. We've all known for a long time that there are certain parts of the Internet that you should just stay away from.
Malware is a profitable business now, though, so you can bet that every possible way of distributing it will be exploited. Some popular tactics include:
- Buying ad space from a legitimate ad placement service, and including malicious code in the ads.
- Hijacking author or administrator accounts on popular websites, and using them to publish malicious code to that site.
- Exploiting vulnerabilities in server-side programs to hide malicious code in a legitimate website.
All of these attacks rely on a flaw present in all Web browsers: they will trust, and run, any code that is part of a Web page. While that code may be run in a restricted environment where it can't get to the rest of your computer, it will- by default- always be run. There is no way to change this behaviour without breaking many legitimate websites, which rely on your browser executing their own code in order to function properly.
In other words, you can never assume that any given website is safe, even a legitimate one that you visit regularly.
- Keep your Web browser, and all its plugins, up to date. As of April 2013, that means Firefox 19+, Chrome 25+, Safari 6+, Opera 12.1+ or Internet Explorer 9+. Anything older is not safe to use on the open Web.
- Before clicking any link or ad, hover the cursor over it; the destination will appear at the bottom of your browser window. If the destination looks sketchy, don't click it.
- If a website should be secure- a banking site, for instance- look for your browser's confirmation of a secure connection (usually a green bar or lock icon near the site address or at the bottom of the screen). If there's no confirmation, assume that the site is compromised.
- Use NoScript (in Firefox) or ScriptNo (in Chrome). These tools prevent a web page from running anything unless you explicitly white-list every domain that's trying to get your computer to run its code. This is a nuisance for a month or two while you tell NoScript which parts of which sites you trust, but it's the only reasonably easy way to reliably prevent entire classes of online attacks.
- Use HTTPS-Everywhere to force the use of a secure connection for all sites that are capable of providing one.
- When browsing less trustworthy parts of the Internet, use a locked-down browser inside a Linux virtual machine.
If you are not paying for your email, who is paying for it? Odds are it's advertisers, and advertising is more profitable if it's targeted. That means Google, Yahoo and other free email providers have software that reads your email, picks out keywords and themes, and selects ads according to what it thinks you're talking about. This runs server-side, even if you block ads in your browser or use a traditional email client, and they're building a pretty detailed profile of you from it.
Many governments think that they can copy and read your email without a search or wiretap warrant. In some countries, like the USA, China and most of the Middle East, this is a major concern; it is perhaps less of an issue in Canada or western Europe.
- Treat email like a postcard (which anyone can read), not like a sealed letter. Don't put any passwords, credit card numbers, health information or other sensitive data in an email.
- Consider switching to an email service such as Fastmail that, for a small annual fee, removes the advertisers from the picture. If you are the paying customer, the provider's business model must necessarily treat your privacy and security as high priorities; a free email provider must necessarily violate your privacy to search for keywords to sell ads against. (You must still be extra cautious, though, when sending things to folks with "free" accounts at the big providers.)
- Digitally sign all your outgoing communications, and encrypt sensitive ones, using PGP/GnuPG or S/MIME. (Unless you are part of a corporate infrastructure with an established X.509 CA, I would recommend GnuPG.)
Building detailed digital profiles of millions of people is a rapidly growing, and very profitable, business. The business model relies on the ignorance of the general public, and the assumption that we'll turn a blind eye to 1984-style pervasive surveillance if we get free shiny stuff in return.
- If this worries you, complain to your government, and insist that your representatives put forward meaningful and strong enhancements to privacy laws.
- Set your Web browser to reject all third-party cookies and discard first-party cookies on shutdown.
- Don't put anything on a social network that you wouldn't put on a poster board outside your office.
- Be consciously aware that your online activities- and, with some smartphones, your real life activities- are being tracked.
- Mix up your digital identities, using different email accounts for friends, work and online stores. You're a much easier and more valuable target if all your service accounts are routed through one place- this is why Google and Facebook are trying so hard to be the "hub" to which you tie all your digital activities.
- Use tracker-blocking software such as NoScript and Adblock+. Some custom rules are often necessary to keep Facebook from following you around after you leave their site.
- When on an untrusted network, use a VPN to prevent the network owner from eavesdropping.
- Route anything you don't want profiled and logged through Tor, which bounces traffic around the world in a nearly untraceable way. If the ads say "Meet local girls in Anonymous Proxy", you're doing it right.
Why is __ missing?
Viruses aren't really a big thing anymore. Modern operating systems (Mac OSX, all Linux/Unix, all Windows since 6.0/Vista) are pretty well hardened against malicious programs that try to hide and do their own thing, so modern malware tries to trick the user into intentionally giving it full administrative access- see "malicious websites" and "phishing scams" above. Windows users still need a virus scanner, but certainly don't need to pay annual fees for one (Microsoft's own free MSSE is quite sufficient unless you're on a complex corporate network).
Botnets are the scourge of the modern Internet, and fighting them is a full-time job for thousands of people far more talented than I. Your role, as an individual, is to not let your computer become part of one- so watch out for those email scams and malicious websites, because that's where this crap comes from.
APTs, or advanced persistent threats, are carefully targeted attacks intended for a specific company or government agency. As an individual, you probably don't have any of the high-value data these guys are looking for; infecting a single machine isn't worth the effort for them.
RATs, or remote access tools, can be used for many things- some of them malicious, like stealing bank logins or watching your webcam. They're a possible consequence of falling victim to a phishing attack or a malicious website, and taking precautions against those should protect you from the scumbags who run these. (And turn your webcam off- with a lens cap- when you're not using it.)
Wi-Fi security is omitted because my site surveys for the last two years say that just about everyone is already securing their Wi-Fi.
Hackers, in the Hollywood sense, are a myth. Most information security failures are due to someone doing something stupid, like copying 10,000 medical files onto an unencrypted USB key, or using "12345" as the password to an email account that has password reset authority on their Paypal account. Targeted hacking takes skill, and that skill tends to be focused on high-value targets- not on individual home computers. Your home PC is, to the bad guys, just another machine that their automated botnet tools could make use of, and if you're careful enough to not install their programs, they'll probably leave you alone.
Anything else? Chime in below....