6 tips for staying safe online

Two things are true of modern computing:

  1. A motivated attacker can break into almost any system with enough time and resources.
  2. Following a handful of best practices gives you greater protection than the vast hordes of exposed and vulnerable internet users and servers in the online wilderness.

2 Factor Authentication

It sounds scary, but 2 factor authentication (2FA) is actually really simple and is one of the most effective security practices you can implement.

2FA is available in many web applications as an added layer of security when you log in.

In a nutshell, 2FA is a way of authenticating yourself with something you know (your password), and something you have (your phone).

After entering your regular password, you will be prompted to open up an app on your phone – virtually all sites utilise either Google Authenticator or Authy – and type in the short numeric code it generates for the site in question. You can generally also ask the site to remember your computer for 30 days to spare the effort of typing a 2FA code every time.

Some services may alternatively send you a code via SMS, although this has proven shortcomings, for example if someone steals your mobile number.

2FA means that even if your password falls into the wrong hands, your account is still safe from unauthorised access, because the attacker does not have physical possession of your phone to access the 2FA app. If they do have physical possession of your phone, they don’t know the passcode for your phone that you definitely set up, right?

As a rule of thumb, when websites offer 2FA you should take it, especially when sensitive information is involved.

If nothing else, at least set up 2FA on your email account; your email account provides the keys to the palace and should be the most closely guarded online service you use.

Password Management

Everyone knows not to use dictionary word passwords, and some services are so good as to enforce the use of strong passwords.

What websites can’t protect you from is human nature, and our fundamental inability to retain long combinations of letters and numbers in our memories.

Even when we think we have the game beat with a strong, virtually uncrackable password, we then go and use it on every service, making it only as strong as the weakest link.

Personal computers get hacked, servers get hacked. You are not safe.

The solution is really simple: use a password manager which generates and encrypts strong random passwords for you, and then autofills your login details on your favourite websites.

There is absolutely no reason why you can’t have extremely strong password protection on every website you use, each using a completely unique password that is not used on any other of your services.

You then only have to remember one password – and don’t forget to set up 2FA for your password manager!

SSL

SSL encryption in practical terms means that the website address you are visiting starts with https, and a green colour indicates that the security certificate is valid and all material on the page is being served to you securely.

What you may not realise is that without that extra “s” in the address, everything you send to the server is sent in plain text and visible to anyone who is interested in looking at it. Motivated attackers can intercept this information. That can include passwords, credit card numbers and the cookies that identify you to the site, all of which can be stolen and used for bad things.

Aside from some widely publicised exploits in recent times, SSL is still regarded as highly secure, and you can be pretty confident that your communication with the server is indecipherable to any third party.

Gone are the days when SSL was expensive and difficult to implement; nowadays it can be free for the web developer to implement.

What this means for the 95% of the population who have no idea how cryptography actually works is this: don’t use websites that don’t have SSL encryption.

This may sound a little drastic – once upon a time SSL was considered essential only on login and payment pages – but nowadays, with cheap computing and cheap or free SSL encryption available, there is literally no excuse.

Encrypted Storage

Use encryption tools on your workstation so that all of your internal and external hard drives are securely encrypted. Encryption tools are now built in and freely available in modern operating systems, and computers are so powerful that the extra processing power required is negligible.

Encryption protects you in the event of someone physically stealing your computer. Unless they know your master password (that you absolutely should require to log in to your computer), the data is mumbo-jumbo to them.

Sure, they can bin your hard drive and install a new one, but at least they can’t steal your identity and secrets while they are at it.

Software Updates

Take it from a software developer: no code is perfect, bugs happen, and we have good reasons for asking you to apply updates. Sometimes updates are fixing little (or big) irritations, but in other cases they are patching security holes in software.

Once exploits are known, unpatched users should expect to be targeted en masse by attackers.

Stay on top of software updates across all your devices, and discontinue use of any software that has reached end-of-life, where the creators are no longer supporting or patching it.

Backup

Always prepare for the worst case, like if a meteorite lands on your house and wipes out both your computer and attached backup drive.

For all the files that you can’t live without, use a service like Google Drive or Dropbox. It means that at least you have two geographically diverse backups – and in the worst case you can restore to a new / repaired computer.

Take a couple of hours to implement these 6 recommendations and you can pretty well sit back and rest assured that you are doing more than most to protect yourself.

Stay informed and stay safe online!

Steve Thomas

Steve Thomas is Director of Coding Labs - web application development, Live Platforms - online marketplace platforms & Burleigh Space - Coworking space Burleigh Heads

3 thoughts on “6 tips for staying safe online”

  1. Thanks Steve. What are your thoughts on fingerprint unlocking on phones, tablets and computers?
    Also I am really worried about a meteor so I just set up a OneDrive account. Thanks