The recent publication of confidential Twitter documents by TechCrunch has drawn a lot of attention. These documents were leaked by a hacker who broke into the personal accounts of multiple Twitter employees, including Evan Williams (CEO, Twitter).
Earlier this week TechCrunch explored the inherent security flaws in the current ecosystem and analysed how the hacker exploited them. Most hackers aren’t super nerds who possess out-of-this-world programming skills. Instead they are simply curious and patient people who use tools available to all of us (like Google Search) to systematically discover and exploit weaknesses in the security chain.
Hacker Croll (as the Twitter hacker likes to call himself) wouldn’t have been able to penetrate Twitter without the carelessness of Twitter employees. Unfortunately, most of us are extremely casual about online security and don’t follow even the most basic security practices. Here are five essential security tips that will help you avert potential disasters:
i) Be wise about passwords: Don’t use dictionary words as passwords. Don’t use obvious choices like your name, your lover’s name, your parents’ names etc. as passwords.
I don’t use completely random characters as they are impossible to remember. Instead, I often use random phrases which are easier to remember while not being vulnerable to dictionary attacks. For example ‘singingcat’ (which is the first phrase that came to my mind). It is always better to mix letters, numbers and symbols in passwords. One easy technique is to use leet (l33t) spelling. Thus ‘singing cat’ would become s1ng1ng(47.
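The rules above (no single dictionary word, no personal details, a mix of letters, digits and symbols) can be turned into a simple checker. This is an added example, not code from the original post; the word list is a constructed stand-in for a real dictionary, and it also undoes common leet substitutions before the dictionary check so that a disguised single word such as ‘p4ssw0rd’ is still caught, while a phrase like the author’s s1ng1ng(47 passes.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "singing", "cat", "welcome", "letmein", "dragon"}

# Common leet substitutions mapped back to the letters they stand for, so a
# dictionary word disguised as 'p4ssw0rd' is still recognised as 'password'.
LEET_TO_PLAIN = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "(": "c"})


def normalise(pw: str) -> str:
    """Lower-case the password and undo common leet substitutions."""
    return pw.lower().translate(LEET_TO_PLAIN)


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of rules the password breaks (empty list = passes).

    personal_info: strings the attacker could easily learn, e.g. your name,
    your partner's name, your pet's name or your birth year.
    """
    problems = []
    norm = normalise(pw)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # A single dictionary word is weak even when written in leet.
    if norm in DICTIONARY:
        problems.append("single dictionary word (even after undoing leet substitutions)")
    # Names and other personal details are guessable by friends and attackers alike.
    for item in personal_info:
        if item and normalise(item) in norm:
            problems.append(f"contains personal information: {item!r}")
    # The post's advice: use letters, numbers and symbols together.
    classes = [any(c.isalpha() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("does not mix letters, digits and symbols")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "p4ssw0rd", "singingcat", "s1ng1ng(47"):
        print(candidate, "->", check_password(candidate) or "OK")
    print(check_password("Rover2001!", personal_info=["Rover"]))
```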
ii) Use Unique Passwords: Try to use unique passwords. If you find it impossible to remember all the passwords use a service like LastPass.
If you are using software to remember passwords, make sure that it is secure. I have seen people using Firefox to store passwords without realising that anyone with momentary access to their computer can view them (it’s as easy as going to Tools –> Options –> Security –> Saved Passwords –> Show Passwords). I also found multiple products that crack passwords stored in Opera’s Wand, although I don’t know if they still work (Opera recently restructured the wand.dat file).
Always set a master password when you use a password manager. And at all costs have unique passwords for all your e-mail and online banking accounts.
iii) Be Very Careful About Security Questions: Almost all critical services (like e-mail) offer a security question which they use to validate your identity in case you forget the password. It is one of the most ignored aspects of online security and is often the weakest link in one’s security chain. Don’t use security questions whose answers your friends may know.
Some particularly bad choices are: What is your birth city? What is your mother’s maiden name? What is your pet’s name?
iv) Be extra careful about e-mail accounts: E-mail is the hub of our online activity. Most other services use our e-mail address for authentication, and most readily send your password (or a password reset link) to that address. Hence, you must be extra careful about your e-mail accounts. Hacker Croll managed to break into Twitter because one of its employees had an inactive Hotmail account listed as the secondary e-mail address in his Gmail profile. The hacker simply registered the inactive address himself and requested the ‘reset password’ link to gain access to the victim’s Gmail account.
The moral of the story: don’t be casual about your secondary e-mail account. Make sure it is secure and above all make sure it is still active.
v) Don’t Fall for Phishing Scams: Don’t click on links you receive in your inbox unless you have explicitly requested them. Almost all banking and online transaction services have stopped providing direct login links via e-mail. Check the URL in the address bar along with the security certificate before logging into any website.
The latest versions of all popular browsers, including Opera, Firefox, Chrome, Safari and Internet Explorer, have built-in phishing protection. Don’t disable it. You can also use WebOfTrust to add an extra layer of protection.
vi) Fortify Your PC: Use decent antivirus software and ensure that your PC doesn’t have keyloggers or other malware. Be wary while surfing from cybercafés. Use an on-screen keyboard when entering a password on a public terminal. Do not use the Windows on-screen keyboard. It’s worthless. Instead use a utility like Neo’s SafeKeys 2008. Also be careful while surfing on unencrypted Wi-Fi hotspots: if the website doesn’t support encryption, recording your login information is child’s play.
All the aspects that I have discussed in this article are pretty basic. You may be aware of most of them. But how many of them do you follow? Most of us think that nothing can happen to us and tend to be sloppy when it comes to online security. Wake up now if you don’t want to become the next easy target for hackers.