I’m a security professional by trade, with two certifications. I’m not responsible for defending your computer networks, but I want your networks to be secure. There’s a really simple reason for that. If your computer and your network are secure, then they aren’t attacking mine. Or anyone else’s.
Several fellow subscribers to a train-related interest group that I like got hacked recently, and have been sending out spam messages. They’ve received a lot of advice in the hours since. Some of it has been good, and some not as good. So I tried to think of some things that people could do in about 30 minutes to keep the crooks at bay.
Incidentally, the computer crooks won’t be going away. Computer crime happens because the criminals can make more money doing that than doing something legal. The only way to make it stop is to make it too hard, so that getting a real job becomes more profitable. You won’t solve that problem in 30 minutes, but if we all take that single step down that road, we’ll make the world that much safer. So, with that, let’s roll up our sleeves.
Change your password. Earlier this year, the hacking group Anonymous infiltrated e-mail accounts belonging to Syrian cabinet members and other high-ranking officials, then revealed they were using 12345 as passwords. That’s not good enough, no matter who you are.
A good password is 9 characters long or longer, with at least one upper case letter, one lowercase letter, one number, and one special character. (I get asked this question at literally every job interview.) That’s harder to remember than 12345, or your favorite snack, or your dog’s name, but good security is never easy.
But here’s a reasonably good password: 556Caboose$5. And most of my train buddies won’t have any trouble remembering that.
If you’re a baseball card fan, here’s another: T206Wagner$1m. It’s a reference to the most valuable baseball card of all–the T-206 series Honus Wagner, from 1909 or 1910, which really is worth a cool million in nice enough condition.
My formula? Any object that you can describe in numbers and letters, mashed together with its price. You can still remember it, and it gets you out past 8 characters, and way past pure alphabetic passwords, making your passwords an order or two of magnitude harder to guess. Feel free to use my formula, but better yet, change it a little.
Don’t recycle your passwords. I know, once you come up with a good password, you want to use it for everything. But don’t. The reason is that sometimes password files get stolen and decrypted, like what happened to Zappos.com a few months ago. If I’m a bad guy looking at that database, and I see that your password is 12345 and your e-mail address is firstname.lastname@example.org, then the first thing I’m going to do is try to log in to that Hotmail account with that password. And then I’m going to try that same combination on Amazon, on eBay, every major bank, and everywhere else I can think of. And then I’m going to cause all sorts of trouble for you.
I’d really rather you didn’t use T206Wagner$1mFB on Facebook, and T206Wagner$1mHM on Hotmail, and T206Wagner$1mAZ on Amazon, but that’s better than using T206Wagner$1m everywhere. If the bad guy is using a computer program to try usernames and passwords, a formula like that is good enough. If a human being actually looks at the password, it’s obvious you have a formula.
What I’d rather you do is cycle through a product line, or through your collection, and write down hints and memorize them. If you jot down hints in your wallet that your Yahoo account is related to a caboose and your Amazon account is related to a boxcar and your eBay account is related to a gondola, you’ll be able to figure out the rest but someone who steals your wallet won’t. And someone who steals and decrypts someone’s password file won’t be able to infer the others from the one he gets.
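A small audit that applies the password rule given earlier and flags the per-site suffix formula described above, added here as an example and not part of the original post. The function names, the 6-character stem threshold, and the site names in the sample are assumptions for illustration; the passwords are the ones quoted in the post.

```python
import string
from itertools import combinations
from os.path import commonprefix

MIN_LEN = 9    # the post's rule: 9 characters or longer
MIN_STEM = 6   # assumption: a shared run this long gives the formula away

def policy_gaps(pw):
    """List the parts of the post's password rule that pw fails."""
    checks = [
        (len(pw) >= MIN_LEN, "shorter than 9 characters"),
        (any(c.isupper() for c in pw), "no upper case letter"),
        (any(c.islower() for c in pw), "no lowercase letter"),
        (any(c.isdigit() for c in pw), "no number"),
        (any(c in string.punctuation for c in pw), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def shared_stem(a, b):
    """Longest common prefix or suffix of a and b, or '' if under MIN_STEM."""
    prefix = commonprefix([a, b])
    suffix = commonprefix([a[::-1], b[::-1]])[::-1]
    stem = max(prefix, suffix, key=len)
    return stem if len(stem) >= MIN_STEM else ""

def audit(accounts):
    """accounts maps site -> password; returns (weak, related) findings."""
    weak = {}
    for site, pw in accounts.items():
        gaps = policy_gaps(pw)
        if gaps:
            weak[site] = gaps
    related = []
    for (s1, p1), (s2, p2) in combinations(accounts.items(), 2):
        if p1 == p2:
            related.append((s1, s2, "identical"))
        elif shared_stem(p1, p2):
            related.append((s1, s2, "shared stem " + repr(shared_stem(p1, p2))))
    return weak, related

# Constructed sample: site names are made up, passwords are the post's examples.
SAMPLE = {
    "facebook": "T206Wagner$1mFB",
    "hotmail": "T206Wagner$1mHM",
    "yahoo": "556Caboose$5",
    "forum": "12345",
}

if __name__ == "__main__":
    weak, related = audit(SAMPLE)
    print("fails the rule:", weak)
    print("derivable from each other:", related)
```

Both suffixed passwords pass the character rule on their own; only the pairwise comparison shows that one leaked entry gives away the other.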
If you don’t know what it is, don’t open it. Don’t open unexpected attachments. Just don’t. My employer won’t allow me to send an attachment unless I digitally sign the e-mail, present an ID card to the computer, and enter a PIN. It’s a real pain. That way, my coworkers can be pretty sure I meant to send it.
I probably miss some good jokes this way, but I can assure you I miss out on a lot more bad ones. But it’s worth it. You see, it’s trivially easy to attach a keylogger or some other undesirable software to almost any kind of attachment, and if I can coerce you to open it, now I can see everything you type. Odds are your antivirus program won’t see it right away, and if it does ever catch it, it’s too late.
So I never open unexpected e-mail attachments, even from people I know. And if it’s not business-related, I still don’t open it even if I know the sender sent it intentionally.
Use antivirus software. Microsoft Security Essentials isn’t the best antivirus program out there, but it’s free and not annoying and doesn’t slow your computer down too badly, so if you install it you’ll probably continue to use it. Maybe it’s 93% effective like the last claim I saw. Maybe it’s 75% effective like a claim someone else told me he saw. Guess what? Even 75% is a lot better than zero. If you have something better, that’s great. Use it instead. If you don’t have anything, or you’re sick of paying for antivirus software, use the Microsoft freebie.
If everyone with expired antivirus software upgraded to the Microsoft freebie, the world would be a much better place. I’m not kidding.
Secure your firewall/router. A well-meaning member of the group told people not to rely on software firewalls and get a hardware firewall. And that’s not necessarily bad advice… Except that a poorly configured wireless router can introduce additional vulnerabilities to your system. Another member observed that he has two neighbors with passwordless wireless networks, and strange cars will park in front of their houses. That’s bad. And since roughly half of wireless routers are configured badly, I’m loath to make a blanket statement that people should go and buy a router and plug it in–because someone with a Windows XP, Vista, or 7 computer with the built-in firewall turned on has a 50% chance of being better off as-is.
Securing a router takes 30 minutes. The short version: Turn on WPA2, turn off WPA and WEP, use a 63-character password (you only have to type it once), and turn off WPS (wifi protected setup, which has serious security issues–remember, security and ease of use usually don’t mix).
My train buddy says his neighbors think they have nothing of value on their computer so there’s no problem if other people use their network. I told him that his neighbors don’t know what those people are doing. They could be doing something illegal, and while you’re not liable if you prove it wasn’t you, it’s time-consuming and expensive to prove it wasn’t you. If you want a price tag, $2,000 would be getting off pretty easy. It’s a lot cheaper and easier to turn on WPA2, turn off WPS, and be done with it.
Is one firewall better than another? Sure, a third-generation firewall is a lot better than a cheap first-generation firewall. But good luck finding something on a store shelf that tells you if that firewall is a third-generation application-layer firewall with deep packet inspection. (Yes, that’s material I had to know for my certification tests. No, I didn’t remember it off the top of my head.) If any of the consumer-grade products out there are anything more than a first-generation firewall with a few marketing-friendly features bolted on, I sure can’t find any information about it.
You may very well have special needs, and know why you’re using the particular product you’re using. That’s great. But if you don’t know if you need something special, the firewall included with Windows is probably good enough.
Apply your security patches. Microsoft releases security patches every month. By default your computer installs them automatically. Other software updates itself periodically too. Allow it. These updates close security holes that your firewall, antivirus software, and other security measures might not effectively mitigate.
Firewalls, antivirus, and antispyware programs aren’t one and the same. Some so-called “security suites” bundle all three together, but the products aren’t interchangeable. Some antivirus programs try to do both antivirus and antispyware. No product catches all known spyware, but it’s been a long time since spyware was the big issue that made it hard for me to sleep at night. Using something like Spybot Search and Destroy in addition to whatever else you’re using is a good idea, but if you’re careful about what software you’re installing, it’s not something you have to run religiously.
It’s OK to use Hotmail. I don’t really like Hotmail, but when I thought about it, the only reason I could think of is because an old girlfriend I’d really rather forget used Hotmail. That’s not a good technical reason. I have Yahoo and Gmail accounts and I use them.
Some people believe an account straight from your Internet provider is more secure, but it isn’t. It’s just as easy to steal an e-mail account from an ISP as it is from Gmail or Hotmail or Yahoo or anything else like it. I prefer something like Yahoo or Gmail because the e-mail always stays on their servers. It gives me an extra layer of antivirus protection that way.