For any webmasters out there who are interested in giving their site some added protection, look into getting a website security audit. Remember, online security works both ways.
The recent publication of confidential Twitter documents by TechCrunch has been drawing a lot of attention. The documents were leaked by a hacker who managed to break into the personal accounts of several Twitter employees, including Evan Williams (CEO, Twitter).
Earlier this week TechCrunch explored the inherent security flaws in the current ecosystem and analysed how the hacker exploited them. Most hackers aren’t super nerds who possess out-of-this-world programming skills. Instead they are simply curious and patient people who use tools available to all of us (like Google Search) to systematically discover and exploit weaknesses in the security chain.
Hacker Croll (as the Twitter hacker likes to call himself) wouldn’t have been able to penetrate Twitter without the carelessness of Twitter employees. Unfortunately, most of us are extremely casual about online security and don’t follow even the most basic security practices. Here are six essential security tips that will help you avert potential disasters:
i) Be wise about passwords: Don’t use dictionary words as passwords, and don’t use obvious choices like your own name, your partner’s name or your parents’ names.
I don’t use completely random characters, as they are impossible to remember. Instead, I often use phrases, which are easier to remember while not being vulnerable to a plain dictionary attack. For example ‘singingcat’ (the first phrase that came to my mind). It is always better to mix letters, numbers and symbols in a password. One easy technique is leet (133t) spelling, which turns ‘singing cat’ into s1ng1ng(47. Be aware, though, that password-cracking tools apply exactly these substitution rules to their wordlists and also try pairs of dictionary words, so a two-word phrase in leet spelling is only marginally stronger than the words themselves. A longer phrase of four or more unrelated words, or a random password generated and stored by a password manager, is the safer choice.
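To show why leet spelling and a two-word phrase buy less than they appear to, here is a small Python cracker, added as an illustration and not part of the original post. It runs the same substitutions the post suggests plus a two-word “combinator” pass over a constructed eight-word list; the wordlist, the unsalted SHA-256 hash and the target passwords are all assumptions for the demo. Real tools such as hashcat or John the Ripper do exactly this against millions of words with far larger rule sets.

```python
import hashlib
import itertools

# Constructed mini wordlist for the demo; real attacks use millions of entries.
WORDLIST = ["singing", "cat", "dog", "password", "summer", "letmein", "dancing", "blue"]

# The same leet substitutions the post suggests (s1ng1ng(47 uses i->1, c->(, a->4, t->7).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7", "c": "("}


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the site stores (assumption)."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word: str):
    """Yield the word with every subset of substitutable letters replaced.

    'cat' -> cat, ca7, c4t, c47, (at, (a7, (4t, (47
    """
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """Single words first, then every ordered pair of words (a combinator attack)."""
    for word in wordlist:
        yield from leet_variants(word)
    for first, second in itertools.product(wordlist, repeat=2):
        yield from leet_variants(first + second)


def crack(target_hash: str, wordlist=WORDLIST):
    """Return (password, guesses) if the hash falls to the rule set, else (None, guesses)."""
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # s1ng1ng(47 is two dictionary words plus leet; bluedogsummercat is four words.
    for pw in ["s1ng1ng(47", "bluedogsummercat"]:
        found, n = crack(sha256_hex(pw))
        status = f"cracked as {found!r}" if found else "not found"
        print(f"{pw!r}: {status} after {n} guesses")
```

With this eight-word list the whole search space (singles plus pairs, every leet variant) is 4160 guesses, which a modern GPU exhausts in microseconds; the four-word phrase survives only because the attacker would need a four-word combinator pass, whose size grows as the fourth power of the wordlist. That growth, not the substitution of digits for letters, is where the strength comes from.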
ii) Use unique passwords: Use a different password for every site, so that one leaked password doesn’t unlock your other accounts. If you find it impossible to remember them all, use a password manager such as LastPass.
If you are using software to remember passwords, make sure it is secure. I have seen people store passwords in Firefox without realising that anyone with momentary access to their computer can read them (it’s as easy as going to Tools–>Options–>Security–>Saved Passwords–>Show Passwords when no master password is set). I have also found several products that crack passwords stored in Opera’s Wand, although I don’t know whether they still work (Opera recently restructured the wand.dat file).
Always set a master password when you use a password manager, and at all costs use unique passwords for every e-mail and online banking account.
iii) Be very careful about security questions: Almost all critical services (like e-mail) offer a security question which they use to validate your identity in case you forget the password. It is one of the most ignored aspects of online security and is often the weakest link in one’s security chain: a guessable answer bypasses your password entirely. Don’t use security questions whose answers your friends (or anyone reading your social-network profile) may know.
Some particularly bad choices are: What is your birth city? What is your mother’s maiden name? What is your pet’s name? If the service lets you, treat the answer as a second password: use a random string and keep it in your password manager rather than giving the true answer.
iv) Be extra careful about e-mail accounts: E-mail is the hub of our online activity. Most other services use our e-mail address for authentication, and most will readily send your password (or a password reset link) to that address. Hence, you must be extra careful about your e-mail accounts. Hacker Croll managed to break into Twitter because one employee had an inactive Hotmail account listed as the secondary e-mail in his Gmail profile. The hacker simply registered the expired address himself and requested a ‘reset password’ link to gain access to the victim’s Gmail account.
The moral of the story: don’t be casual about your secondary e-mail account. Make sure it is secure and, above all, make sure it is still active and registered to you.
v) Don’t fall for phishing scams: Don’t click on links you receive in your inbox unless you explicitly requested them. Almost all banking and online transaction services have stopped providing direct login links via e-mail. Before logging in to any website, check the URL in the address bar and the site’s certificate; what matters is the registered domain (the part just before the top-level domain), not whatever familiar name appears at the start of the address.
The latest versions of all popular browsers, including Opera, Firefox, Chrome, Safari and Internet Explorer, have built-in phishing protection. Don’t disable it. You can also use WebOfTrust to add an extra layer of protection.
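The following Python script, added here as an example and not code from the original post, shows what “check the URL” means in practice: it pulls the links out of a constructed phishing e-mail and flags the classic tricks (a trusted name as a subdomain of a stranger’s domain, a `user@host` URL whose real host is an IP address, and a look-alike spelling). The bank domain `example-bank.com`, the e-mail text and the “last two labels” notion of a registered domain are all assumptions for the demo; a production checker would use the public suffix list so that names like `example.co.uk` are handled.

```python
import re
from urllib.parse import urlsplit

# Hypothetical bank the user actually holds an account with (assumption for the demo).
TRUSTED_DOMAINS = {"example-bank.com"}

# Digits that phishers swap in to build look-alike names, mapped back to the letters they mimic.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed phishing e-mail body (not a real message).
EMAIL_BODY = """\
Dear customer, your account has been limited. Please verify at
https://example-bank.com.secure-login.example/verify
or http://example-bank.com@198.51.100.7/login
or https://examp1e-bank.com/login
Legitimate link for comparison: https://www.example-bank.com/login
"""

URL_RE = re.compile(r'''https?://[^\s<>"']+''')


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels of the host name.

    Assumption: .com-style suffixes only; this ignores public-suffix rules such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Return the warning signs found in one URL; an empty list means it matches the trusted site."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # Everything before '@' is user info, not the host the browser will contact.
        warnings.append(f"text before '@' ({parts.username}) is a username, real host is {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw IP address instead of a domain")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        warnings.append(f"registered domain is {reg}")
        if reg.translate(CONFUSABLES) in TRUSTED_DOMAINS:
            warnings.append(f"{reg} is a look-alike of a trusted domain")
    return warnings


def scan_email(body: str) -> dict:
    """Map every URL in the body to its list of warnings."""
    return {url: check_url(url) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, warnings in scan_email(EMAIL_BODY).items():
        print(url)
        for w in warnings or ["looks like the trusted site"]:
            print("   -", w)
```

The point the browser’s address bar makes visible, and this script encodes, is that `example-bank.com.secure-login.example` belongs to `secure-login.example`, and that in `http://example-bank.com@198.51.100.7/login` the bank’s name is a username the server ignores.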
vi) Fortify your PC: Use decent antivirus software and ensure that your PC doesn’t have keyloggers or other malware. Be wary when surfing from cybercafés. Use an on-screen keyboard when entering a password on a public terminal, but not the Windows on-screen keyboard: it injects ordinary keystroke events, so any keylogger hooking the keyboard captures them just the same. Use a utility like Neo’s SafeKeys 2008 instead, and remember that no on-screen keyboard helps against malware that captures the screen or the clipboard, so if you can, avoid logging in to important accounts from untrusted machines at all. Also be careful when surfing over unencrypted Wi-Fi hotspots: if the website doesn’t support encryption (look for https in the address), recording your login information is child’s play.
All the points discussed in this article are pretty basic, and you are probably aware of most of them. But how many of them do you follow? Most of us think that nothing can happen to us and tend to be sloppy about online security. Wake up now if you don’t want to become the next easy target.
Well, I thought of a post on secure surfing. Nice to see it coming from you. Too many things to learn.
Another thing is for those casual surfers who use cyber-cafes without checking for the presence of any keylogger or other malicious software. At least let an antivirus be a must if you are accessing your accounts anywhere other than home. You can also take portable scanners; some of them are good at detecting most keyloggers.
Thanks for the comment.
Carrying an AV has many limitations, the biggest being that cyber-cafes often use Guest accounts (low-privilege accounts) and many AVs won’t work properly.
The other issue is that it takes time to run a scan. Even a quick scan will take some time, and God help you if the machine is a sluggish one (as most of them are in Indian cybercafes due to poor maintenance). And finally, there are new keyloggers coming out every day, so your AV may very well miss one. Kernel-based keyloggers can be difficult to detect.
Lots of good Points.
Heard a story about a cleaner who put a keylogger in an office; the next day they rang saying they were from the bank and there was a problem with their account. A few seconds later the employee logged into their online account to check, and their password was captured. Very sneaky!!
Online security is very important when our system is connected to the internet, because most hackers try to leak our documents. Some essential tips for protecting the system and documents from hackers are: we should use a password which contains letters, numbers and symbols; the password should be unique; and we should not allow software to remember it. We should be careful about the security question; better to write our own question.
The hacker managed to break into an inactive Hotmail account listed as the secondary e-mail in a Gmail profile. So don’t be casual about your secondary e-mail account. We should use an updated antivirus so that our PC doesn’t have any malware. We should make it hard for the hacker to hack your system.
[…] to its dangers. In an earlier post, I had outlined some basic steps you can take to enhance your online security. However, if you want to be more proactive about protecting yourself, you will probably like the […]