Tuesday, July 28, 2015

Stay safe online and enjoy the Internet



Secure your online accounts, your network and yourself with our complete guide to identifying – and avoiding – potential threats

We’ve all learned to think before we click. Will we really end up where the URL implies? Does that address look a bit suspicious? Is this form safe to complete? They’re all questions we’ve become accustomed to asking whenever we’re browsing the web, checking our mail or scrolling through a column of tweets. Yet the threats we face in our daily online lives are many and varied, and it’s all too easy for one or two to pass beneath the radar.

Windows is the world’s most widely used desktop operating system, and each new version has brought substantial security improvements, much of it built in at the core. Add-ons such as Microsoft Security Essentials, SmartScreen phishing detection in Internet Explorer and User Account Control (which prompts you whenever a program, including a freshly downloaded one, tries to make a change that needs administrator rights) have done much to blunt the most potent dangers. Even so, there’s still plenty more you can do to keep yourself safe.

Over the next few pages we’ll explain the risks we all face, whether that’s through our browsers, inboxes or messaging clients. We’ll reveal the true scale of international phishing, what proportion of global email traffic is made up of spam, and the clever ways in which social networking can be used to make you click a false link. We’ll explain how to verify whether an email really is from the sender it claims to be, how to spot when the site you think you’re browsing is actually hosted on an unfriendly third-party server, and how to enable two-step authentication to protect sensitive data and online accounts.

Some of the steps will require that you rethink the way you work and play online, but, with the exception of the password manager we recommend later, none of them needs third-party software or tools. They won’t cost you a penny, either, but in the long run they could save you pounds by protecting your most sensitive data and, in the process, repay the effort of putting them into practice many times over.

How to avoid online phishing

Phishing has a hook and a bait (often a large sum of cash) but the trouble is, you’re the prey

We’ve all seen them, and most of us have received one. The so-called 419 scam, named after the article of the Nigerian penal code that deals with fraud, is perhaps the most infamous email scam of all, although strictly it is advance-fee fraud rather than phishing: it is after your money directly rather than your login details. It offers the recipient untold wealth, if only they would allow an even larger sum to rest temporarily in their bank account on its way out of a distant nation and, of course, wire over a small amount to cover the sender’s expenses. It might sound tempting, but the reality is that no one, not even a desperate prince, is going to give you money for nothing.


Phishing example

PhishTank, a collaborative clearing house for information about phishing on the internet operated by OpenDNS, had registered 1,198,703 verified phishing sites at the time of writing, of which 12,143 were still active. Google goes one step further and actively flags suspected phishing sites in users’ browsers. “We’re currently flagging up to 10,000 sites a day,” wrote Lucas Ballard, a Google software engineer, in June 2013, “and because we share this technology with other browsers, there are about 1 billion users we can help keep safe.”

Far from the real deal

Increased public awareness means that phishers have to resort to subtlety. As recently as May 2013, the US Internal Revenue Service (IRS) was posting advisories to its website warning American taxpayers that scammers passing themselves off as the IRS were hooking recipients with phony tax cuts and rebates. IRS Commissioner Doug Shulman called it “a disgraceful effort by scam artists to take advantage of people by giving them false hopes of a nonexistent refund.”

Phishers often go to great lengths to make their emails look like the real deal. Don’t be fooled into thinking that just because an email carries the logos of HMRC, your bank or PayPal it has been anywhere near those organizations’ servers: a logo is a right-click away on any website. Watch out for clues such as spelling mistakes or grammatical errors that a native speaker would be unlikely to make, which suggest the message was written somewhere other than the organization it claims to come from. The reverse does not hold, though: a polished, error-free email is no evidence of authenticity.

Be wary of emails that are too familiar (tax authorities and credit card companies are unlikely to open with “Greetings” or sign off with “God bless”), or that ask for too much information. Online banks will never ask you to provide your password or username, or sensitive data such as a maiden name or other login credentials, by email. They usually confine sensitive communications to secure messaging areas within the account management screens, which can only be reached after logging in, so don’t trust emails that appear to include a lot of sensitive financial data.


Be wary of emails purporting to come from your bank that urge you to click a link to access its site; phishers use this tactic to present an apparently genuine login page, which they use to harvest your credentials. Even if you believe the email is genuine, open a new browser window, type your bank’s address yourself (or use a bookmark you created earlier) and follow the site’s own links to find the page you need.

Not all phishing scams immediately look like they’re after money or credit card details – some are simply designed to win your custom without you realizing that you’re leaving an existing supplier. Less reputable domain registration agents are among those who might write to the owners of domains approaching expiry, inducing them to click a link and renew their online property. Rarely do they explain in anything but the smallest print that doing so will shift the domain away from your original registrar to themselves, leaving them free to apply new terms and conditions and potentially charge a higher price, either immediately or in the future.

It can take up to a month to transfer a domain from one registrar to another, so be suspicious of emails of this type that arrive well in advance of your current registration period expiring; it’s a sign that you’re not dealing with your existing registrar. A genuine renewal reminder from your own registrar will never ask you to move the domain anywhere. If in doubt, log in to the domain management system of your existing provider and renew your domain there.

What to do next?

First of all, don’t click any links in a scam or phishing email, and don’t open its attachments. That’s the golden rule. Then, wherever possible, report it to the affected parties, in particular any organization the senders are attempting to spoof. Most banks and other financial institutions now have dedicated email addresses or web forms for reporting phishing; type the organization’s name followed by “phishing” into Google and the result you’re looking for will almost always be in the top spot. In the US you can also report to US-CERT (https://www.us-cert.gov/report-phishing) and in the UK to Action Fraud (http://www.actionfraud.police.uk/report_fraud). Forward the email in its entirety, complete with its full headers, because these record the route the message took to reach you and are useful forensic evidence. Most email clients hide the headers by default, but you can usually expose them from a menu attached to the message (in Gmail, “Show original” in the drop-down next to the Reply button). Note that forwarding as a new message normally discards the original headers; use your client’s “forward as attachment” option if it has one, or paste the full headers into the report.

Usefully, you can report phishing and spam emails directly in Gmail by picking those options from the Reply menu attached to each message.
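The header checks described above, as an added example written for this page (it is not code from the original article): the script parses a constructed phishing message, compares the visible From address with the envelope sender (Return-Path) and the Reply-To address, reads your provider’s SPF and DKIM verdicts from the Authentication-Results header, and walks the Received chain to see which server handed the message to your provider. Every domain, address and IP in the two samples is fictitious. Treat the output as reasons to look harder, not as proof: legitimate bulk mail sent by a bank’s marketing contractor can trip the envelope and delivery-host checks, and plenty of small senders still don’t sign with DKIM.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample.  It looks like a bank notice, but the envelope sender,
# the Reply-To address, the SPF verdict and the delivering server all point
# somewhere else.  Every domain is fictitious.
SAMPLE = """\
Return-Path: <bounce-4411@mail-blast.example.net>
Received: from mail-blast.example.net (mail-blast.example.net [203.0.113.7])
\tby mx.yourmailprovider.example (Postfix) with ESMTP id 7A1B2
\tfor <you@yourmailprovider.example>; Tue, 28 Jul 2015 09:14:02 +0000
Received: from localhost (unknown [198.51.100.23])
\tby mail-blast.example.net with SMTP; Tue, 28 Jul 2015 09:13:55 +0000
Authentication-Results: mx.yourmailprovider.example;
\tspf=fail smtp.mailfrom=mail-blast.example.net;
\tdkim=none
From: "Example Bank Security" <security@examplebank.example>
Reply-To: verify@examplebank-secure.example
To: you@yourmailprovider.example
Subject: Urgent: confirm your account details

Please log in using the link below to avoid suspension of your account.
"""

# Constructed sample of what a genuine notice from the same bank looks like.
CLEAN = """\
Return-Path: <alerts@examplebank.example>
Received: from smtp3.examplebank.example (smtp3.examplebank.example [192.0.2.25])
\tby mx.yourmailprovider.example (Postfix) with ESMTPS id 9C4D1
\tfor <you@yourmailprovider.example>; Tue, 28 Jul 2015 10:02:41 +0000
Authentication-Results: mx.yourmailprovider.example;
\tspf=pass smtp.mailfrom=examplebank.example;
\tdkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: you@yourmailprovider.example
Subject: Your monthly statement is ready

Log in to online banking to view your statement.
"""


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit('@', 1)[1].lower() if '@' in address else ''


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results.  These are added
    by *your* provider on receipt, so they are far harder to forge than From."""
    verdicts = {}
    for hdr in msg.get_all('Authentication-Results', []):
        for mech, result in re.findall(r'\b(spf|dkim|dmarc)=(\w+)', hdr):
            verdicts[mech] = result.lower()
    return verdicts


def received_chain(msg):
    """Hosts that handled the message, oldest hop first.  Each server prepends
    its own Received line, so the header order is newest-first."""
    hops = []
    for hdr in reversed(msg.get_all('Received', [])):
        m = re.search(r'\bfrom\s+(\S+)', hdr)
        hops.append(m.group(1).lower() if m else '?')
    return hops


def sender_findings(raw_message):
    """Return a list of reasons to distrust the From line of raw_message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get('From', ''))
    _, return_path = parseaddr(msg.get('Return-Path', ''))
    _, reply_to = parseaddr(msg.get('Reply-To', ''))
    claimed = domain_of(from_addr)
    findings = []
    # Display name that itself looks like an address: "a@bank" <x@elsewhere>.
    if '@' in from_name and domain_of(from_name) != claimed:
        findings.append('display name shows %s but the address is %s' % (from_name, from_addr))
    # Bounces or replies routed to a different domain than the visible sender.
    if return_path and domain_of(return_path) != claimed:
        findings.append('envelope sender %s is not in %s' % (return_path, claimed))
    if reply_to and domain_of(reply_to) != claimed:
        findings.append('replies would go to %s, not to the From address' % reply_to)
    # Your provider's own authentication verdicts.
    verdicts = auth_results(msg)
    if verdicts.get('spf') in ('fail', 'softfail'):
        findings.append('SPF %s: the sending server is not authorised for the envelope domain'
                        % verdicts['spf'])
    if verdicts.get('dkim', 'none') == 'none':
        findings.append('no DKIM signature, so the headers could have been altered in transit')
    # The server that handed the message to your provider.
    hops = received_chain(msg)
    if hops and claimed and not (hops[-1] == claimed or hops[-1].endswith('.' + claimed)):
        findings.append('delivered to your provider by %s, which is not part of %s'
                        % (hops[-1], claimed))
    return findings


if __name__ == '__main__':
    for finding in sender_findings(SAMPLE):
        print('-', finding)
    print('clean message findings:', sender_findings(CLEAN))
```

Paste the “Show original” output of a real message into SAMPLE’s place to run the same checks on it; the Authentication-Results line is the one worth reading first, because only your own provider writes it.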


Keep personal info private

Even apparently benign data is a valuable resource to identity thieves

We’d like to think that common sense kicks in when it comes to making personal information public online, such as never giving out any of your account passwords; after all, you wouldn’t divulge the code for your house alarm or allow a stranger to cut a copy of your door key, would you? However, there is plenty of other information about you that, although it might appear totally benign to the innocent eye, should be treated with just as much caution.

Many sites use specific personal information combined with a password to verify your ID. That means personal data such as your mother’s maiden name or your favorite color could be far more valuable than you think. As we’ll see later, pets’ names and favorite holiday destinations are also commonly used as passwords, so be careful when uploading pictures of either of these to social networks – and certainly think twice before adding tags or captions that could give the game away to prying eyes.

Treat them with equal caution in social media apps, such as those that work out your “pornstar name” by combining the name of your first pet with your mother’s maiden name. While Fluffy Cleghorn might make for a hilarious wall post, it’s also gold dust to the potential identity thief, who’ll do more than just “Like” it. Armed with this information, they can click the “forgotten password” link on a webmail service and answer the security questions to “prove” that they’re you and reset your password. After all, who else would know that that’s what you called your first rabbit? If a site insists on security questions, nothing says your answers have to be true: treat them as extra passwords and keep them in the password manager discussed later.

Selling an old device

Don’t fall into the trap of unwittingly passing on personal information when selling or scrapping an old computer, phone or tablet. A quick format of your PC’s hard drive is not enough: it only clears the file system’s index, and the files themselves can be recovered with freely available tools. Use a full overwrite instead (Windows 8’s “Remove everything and reinstall Windows” offers a “fully clean the drive” option; for an SSD, use the manufacturer’s secure-erase utility, since overwriting doesn’t reliably reach every cell), or, if you’re scrapping the device, remove and physically destroy the drive. Make sure all accounts are removed from mobile phones and tablets, and that wherever possible they’re returned to their factory state. On an iPhone, iPad or iPod touch, sign out of iCloud first (otherwise Activation Lock will leave the buyer with a device they can’t set up), then open “Settings” and tap “General > Reset > Erase All Content and Settings”. If you’ve logged in to any public networks, close any accounts associated with the device before selling it, because some use the unique device identifier to associate browsing by the phone’s new owner with your credentials.

Plan for the worst and set up your devices so that you can wipe all personal information from them remotely. On iOS devices, open “Settings > iCloud” and make sure the slider beside Find My iPhone (or Find My iPad) is set to “On”. Whenever the device is within reach of a Wi-Fi or 3G signal you’ll be able to track it through www.icloud.com/#find and, if necessary, erase your personal data remotely. The wipe can only happen when the device next comes online, so a thief who switches it off straight away can delay it; a passcode on the lock screen is what protects the data in the meantime.

Keyloggers

Tools that record every press of a key on your keyboard

Just imagine if someone could see every single thing you typed on your keyboard. It’s certainly not something you’d want hanging over you from a security point of view. If a software keylogger is present on your system, it was almost certainly installed as a Trojan, bundled up with otherwise legitimate software. An up-to-date anti-virus tool can remove it; if you can’t be sure the machine is clean, reinstall Windows, and change every password you typed while it was infected, from a machine you trust.

Hardware keyloggers are also available, so check for unfamiliar devices attached to your USB or PS/2 ports and remove any that you don’t recognize, particularly if they sit between the keyboard cable and the PC. If you suspect that a hardware keylogger has been fitted and you can’t remove it, use an on-screen keyboard instead of the physical one to enter sensitive information such as card details.

The on-screen keyboard

In Windows 7, you can access the on-screen keyboard by clicking “Start”, then selecting “All Programs > Accessories > Ease of Access > On-Screen Keyboard”. You then click the keys to type. Because nothing travels down the keyboard cable, a hardware keylogger records nothing. Don’t rely on this against software keyloggers, though: they intercept keystrokes inside Windows, where on-screen keyboard clicks arrive as the same input events, and many also capture screenshots and the clipboard. Against software, the only fix is to clean the machine.


Cutting Spam

Most email traffic is spam – don’t let it dominate your inbox

Spam accounted for a colossal 70.7% of all email in the second quarter of this year, according to Kaspersky’s Securelist, with 2.3% of all emails carrying a malicious attachment. Trustwave puts the spam proportion slightly lower, at 68.5%. Most spam is merely a nuisance, promising lower bills, more impressive erections and under-the-counter meds, all of which we’d recommend you steer well clear of, naturally.

Enabling junk mail filtering is a good first defense. It lives in your mail client or webmail service rather than in your browser: Outlook.com and Gmail filter junk into a separate folder by default, and desktop clients such as Outlook have their own junk-mail options. (Internet Explorer’s SmartScreen Filter, covered under “Anatomy of a URL” below, blocks known phishing and malware sites when you follow a link; it does not filter your inbox.) You should also enable junk filtering at the ISP level if possible, and if you own a domain, disable any catch-all email address so that only specifically addressed messages make it through; a catch-all turns every dictionary spam run aimed at your domain into delivered mail.

Spammers often add tracts of white-on-white text to the end of a message to help convince spam filters that the email is genuine. Kaspersky noted an increase in the number of spammers spoofing greetings cards from Hallmark through the early summer this year, while the company’s head of content analysis and research, Darya Gudkova, highlighted emails with malicious attachments designed to look like the automatic delivery-failure notifications sent out by mail servers. Another common trick is to make malicious emails look like notifications from well-known online services, and include links to malicious websites.

Hover over links

It’s not only mail-delivery failures that they’re spoofing, either. Take the example shown above, advising of a failed parcel delivery. Initially it looks quite convincing, but there are several problems. The US Postal Service logo uses the right colors but the wrong font, and the address from which it was sent isn’t at usps.com. The body of the email is missing an apostrophe and includes a couple of grammatical mistakes. It’s also embedded as a graphic rather than plain text, a common trick for getting words past text-based spam filters. The big give-away, though, is that hovering over the link to print a replacement delivery label shows that it leads not to usps.com but to a Russian investment site.

Always hover over links before clicking them so you can see where they lead, and don’t click unless the destination matches what the email describes and the domain the email was sent from. Read the whole address, not just the start: a link to www.usps.com.something-else.example is a link to something-else.example. If in doubt, open a fresh browser window and search for the page in question using Google. Whatever you do, don’t open any attachments, as these could infect your PC with a Trojan or virus. Even something as innocuous-looking as a Word file can carry macros that run code when you open it, and a file that calls itself “label.pdf.exe” is a program, not a document.

Resist the urge to use the “Unsubscribe” link at the bottom of an unsolicited email, as clicking it confirms that your inbox is open for business, increasing the likelihood that you’ll receive more junk in future as the spammer sells your confirmed details to the next marketer down the line. Mark the message as junk instead. (Unsubscribe links in mailing lists you genuinely signed up to are a different matter and are fine to use.)


Remote images in emails

What they are, and how to get your email client to block them

HTML-based spam often includes links to remotely hosted images that, when loaded by your email client, confirm to the sender not only that you’ve opened the message but also that your address is valid and read by someone, which lets them target you more effectively in future. The spammer’s server mail-merges a unique image URL for each recipient into a standard message and sends it to everyone on its list. Your mail client requests the image from the server, which serves it and simultaneously makes a note against your name, confirming that your address works. The image is often a single transparent pixel, so there is nothing to see even when it loads. To protect you from this kind of tracking, Outlook.com blocks remote images by default. If you want to unblock pictures for a particular message, click the information bar at the top of the message, then select “Show content”.


Anatomy of a URL

The web’s address system is flexible, yet highly structured and logical

Understanding the URL (uniform resource locator) is key to keeping yourself safe online. More commonly known as a web address, the URL is the friendly, human-readable way of naming a resource on the internet. The host name, the part running from the double slash up to the first single slash or port number (see below), is looked up through the domain name system (DNS) and turned into the numeric IP address of the server. This part is entirely case insensitive, and anything that appears before an @ sign in it is treated as a user name rather than as the site, a trick phishers use to put a trusted name at the front of a hostile address. Everything after the host is handled by that server, which, depending on its configuration, may be case sensitive. This could allow hackers who gain access to the server to insert a malicious file called, for example, INDEX.HTM alongside an existing index.htm. Being directed to the capitalized file by an email, instant message or another web page could open you up to attack.

Limit your exposure to scams by employing your browser’s phishing protection tools. In Chrome, visit chrome://settings, click “Show advanced settings…” and check the box beside “Enable phishing and malware protection”. In Internet Explorer 10, click the “Tools” button, expand the “Safety” sub-menu and click “Turn on SmartScreen Filter”. These tools compare the URLs you visit against lists of known malicious sites and pop up a warning if they find a match; a brand-new phishing site won’t be on the list yet, so the habits above still matter.
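The three checks from the “Hover over links”, “Remote images in emails” and “Anatomy of a URL” sections above (where a link really goes versus what its text says, whether it hides a user name before the host, and which images would report back when displayed), as an added example written for this page rather than code from the original article. It uses only Python’s standard library to take apart a constructed HTML email body whose domains are all fictitious. The site_of helper approximates the registrable domain as the last two labels; that is an assumption for illustration, and real code should use the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed HTML body of a fake bank email.  Every domain is fictitious.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://www.examplebank.example@203.0.113.9/login">log in at
www.examplebank.example</a> within 24 hours to confirm your details.</p>
<p>Alternatively visit
<a href="https://examplebank.example.verify-now.example/">https://www.examplebank.example/secure</a>.</p>
<p>Our <a href="https://www.examplebank.example/help">help pages</a> are always available.</p>
<img src="http://track.mail-blast.example.net/open.gif?uid=4411&amp;msg=7A1B2" width="1" height="1">
"""


def real_host(url):
    """Host the browser will actually connect to.  urlsplit().hostname drops any
    'user:password@' prefix and the port and lower-cases the result; the phisher's
    'www.examplebank.example@203.0.113.9' relies on you not doing that."""
    return (urlsplit(url).hostname or '').lower()


def case_parts(url):
    """(host, path): the host is case-insensitive and comes back lower-cased;
    the path is passed to the server exactly as written."""
    parts = urlsplit(url)
    return (parts.hostname or '').lower(), parts.path


def site_of(host):
    """Registrable domain, approximated as the last two labels.  An assumption for
    illustration only: real code should consult the public suffix list (co.uk and
    friends break this rule).  IP addresses are returned unchanged."""
    if not host or re.fullmatch(r'[\d.]+', host):
        return host
    return '.'.join(host.split('.')[-2:])


def claimed_host(text):
    """Host name that a link's visible text suggests, or '' if it shows none."""
    m = re.search(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', text, re.I)
    return m.group(1).lower() if m else ''


class MailBody(HTMLParser):
    """Collect (visible text, href) for every link and src for every image."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'a' and attrs.get('href'):
            self._href, self._text = attrs['href'], []
        elif tag == 'img' and attrs.get('src'):
            self.images.append(attrs['src'])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((' '.join(''.join(self._text).split()), self._href))
            self._href = None


def inspect_html(html, sender_site):
    """Findings as (kind, detail) pairs for a message whose visible sender
    belongs to sender_site, e.g. 'examplebank.example'."""
    body = MailBody()
    body.feed(html)
    findings = []
    for text, href in body.links:
        parts = urlsplit(href)
        real, shown = site_of(real_host(href)), site_of(claimed_host(text))
        if parts.username:
            findings.append(('userinfo', '"%s@" is a user name; the real host is %s'
                             % (parts.username, real_host(href))))
        if shown and shown != real:
            findings.append(('mismatch', 'text says %s but the link goes to %s' % (shown, real)))
        elif real != sender_site:
            findings.append(('offsite', 'link leads to %s: %s' % (real, href)))
    for src in body.images:
        parts = urlsplit(src)
        if parts.scheme in ('http', 'https'):
            params = ', '.join(sorted(parse_qs(parts.query))) or 'none'
            findings.append(('remote_image', 'displaying %s fetches it from %s (parameters: %s)'
                             % (parts.path, real_host(src), params)))
    return findings


if __name__ == '__main__':
    for kind, detail in inspect_html(SAMPLE_HTML, 'examplebank.example'):
        print('%-13s %s' % (kind, detail))
```

On the sample this reports the user-name disguise on the first link, a text/destination mismatch on the first two links, nothing for the genuine help link, and the tracking image with its per-recipient uid and msg parameters; those parameters are exactly what a blocked-images setting stops your mail client from sending back.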


Pick the right Password

A strong password is your first line of defense against data capture.

How many accounts do you have that require a password? Email, instant messaging, bank accounts, utility accounts, dating sites… the longer you sit and think about it, the longer the list becomes. If you use the same password for even two accounts, anyone who breaks into one gets easy access to the other, and that’s a big risk when we do so much online.

The average internet user has more than 10 online accounts, a number that’s set to increase, with most of us signing up to six or more new accounts every month. No wonder a quarter of us use the same password for each one, and that the 10,000 most commonly used passwords are estimated to open 99.8 per cent of all online accounts: a disturbing statistic.

It shouldn’t be any surprise, then, that even those of us who take better care of our online defenses often fall back on a rather predictable list. In the number one spot, according to August 2013 research conducted by Google Apps, is your current pet’s name, which considering how frequently cats and dogs pop up on Facebook and Instagram, shouldn’t be too hard for anyone else to uncover. The word ‘password’ sits in the 10th spot, with such staples as a place of birth, child’s name and favorite holiday destination in between – each of which is very likely to be within reach of an identity thief after a short trawl through your social networking history.

The answer is to pick a different password for each service – however, remembering each of them would quickly become an issue, and although writing them down would help solve that problem it leads to another one: anyone who finds your written list has all the keys they need to your whole digital world.


Get a password manager

Password manager applications can help. 1Password for Windows, Android, OS X and iOS not only stores passwords and other form data such as credit card numbers for any site, but can also generate long random passwords that mix letters, numbers and punctuation. They’re almost impossible to remember, but by delegating the task of storing and submitting them every time you need to log on, all you need to remember is the single master password that unlocks 1Password, and it takes care of the rest. That master password is now the key to everything, so make it long, make it unique, and use it nowhere else.

The problem comes when you need to log in to an account away from the machine on which 1Password (or a rival such as LastPass or KeePass) is installed, because you won’t have memorized any of your passwords. Most managers address this by syncing the encrypted vault between your devices or offering a web interface, but you have to set that up in advance. A manager also doesn’t get around randomly requested data, such as a single field that changes between login attempts to ask for a different piece of personal information (a place of birth, first school or mother’s maiden name), a tactic banks often use to keep your account secure. Storing those answers in the manager’s notes field at least keeps them somewhere safe.

The best advice, then, is to use a password manager for every service where it works, and fall back on traditional password selection only where you must, perhaps with a personal two-tier system: unique passwords for anything sensitive (bank accounts, your email, anything with a card on file) and, if you really must reuse, a handful of memorable passwords reserved for throwaway accounts that hold nothing you’d miss. Remember that your email account is the master key, because password resets for everything else land there.

Wherever possible, mix regular characters with digits and punctuation and, where permissible, spaces and underscores, to build up phrases or entire sentences. Don’t fall into the trap of believing that swapping letters for numbers, such as 5 for S, 1 for I or L and 9 for G, is an effective remedy. This is a well-known trick, and cracking tools apply those substitutions as rules to every word in their dictionaries, so “p455w0rd” falls as quickly as “password”.

Some sites require passwords to be constructed in a specific manner – for example, a minimum of eight characters comprising both letters and numbers – but where you’re given the freedom to define your own rules, go wild. If you’re a proficient typist it won’t take you much longer to tap out a whole sentence to gain access to your email account than it would a regular eight-character password, but will take a hacker much longer to crack it.

Confining yourself to eight characters drawn from the 94 printable ASCII characters (excluding the space) gives 94 to the power of 8, roughly 6.1 quadrillion, possible passwords.

Reporting on the Passwords^12 conference in Oslo for www.securityledger.com, Paul Roberts wrote that researchers running password-cracking software distributed across five servers were able to churn through a whopping 348 billion password combinations per second. At that rate, as conference organizer Per Thorsheim explained, a 14-character Windows XP password would fall in just six minutes. (That figure concerns the old LM hash format, which Windows XP still stores by default: it splits the password into two seven-character, upper-cased halves and hashes each separately, so a 14-character password is really two seven-character ones. Newer versions of Windows don’t store LM hashes by default, but the NT hash is also very fast to compute, so the broader lesson stands.)
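The arithmetic behind the last few paragraphs, as an added example written for this page (not code from the article). It works out the search space and worst-case cracking time for a given length and alphabet at the 348 billion guesses per second quoted above, and shows why letter-for-digit substitutions don’t help by undoing them the way a cracker’s rule set does and checking the result against the top entries of the SplashData list reproduced below. The substitution table and the word list are small stand-ins for what a real attacker uses.

```python
import itertools
import string

GUESSES_PER_SECOND = 348e9          # rate quoted from Passwords^12 above

# Alphabet sizes.  94 = digits + letters + punctuation, the printable ASCII
# set minus the space, which is where the "6.1 quadrillion" figure comes from.
ALPHABETS = {
    'lower-case letters': len(string.ascii_lowercase),                                  # 26
    'letters and digits': len(string.ascii_letters + string.digits),                   # 62
    'all printable ASCII': len(string.digits + string.ascii_letters + string.punctuation),  # 94
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate.  An
    attacker working from a wordlist plus rules finds weak choices far sooner."""
    return keyspace(alphabet_size, length) / rate


def describe(seconds):
    """Round a duration to a readable unit."""
    for unit, size in (('years', 365 * 86400), ('days', 86400),
                       ('hours', 3600), ('minutes', 60)):
        if seconds >= size:
            return '%.1f %s' % (seconds / size, unit)
    return '%.1f seconds' % seconds


# Substitutions a cracker's rule set undoes before comparing against a
# wordlist.  '1' is ambiguous (i or l), so every combination is tried.
UNLEET = {'0': 'o', '1': 'il', '3': 'e', '4': 'a', '5': 's', '7': 't',
          '@': 'a', '$': 's', '!': 'i'}

# Top entries of the SplashData 2012 list reproduced below; a real attacker
# would use millions of leaked passwords instead.
COMMON = {'password', '123456', '12345678', 'abc123', 'qwerty', 'monkey',
          'letmein', 'dragon', '111111', 'baseball', 'iloveyou', 'trustno1'}


def unleet(candidate):
    """Every plain spelling the candidate could be a leet version of."""
    choices = [UNLEET.get(ch, ch) for ch in candidate.lower()]
    return {''.join(combo) for combo in itertools.product(*choices)}


def is_common(candidate, wordlist=COMMON):
    """True if the candidate is a common password, disguised or not."""
    return candidate.lower() in wordlist or bool(unleet(candidate) & wordlist)


if __name__ == '__main__':
    for name, size in ALPHABETS.items():
        for length in (8, 12, 20):
            print('%-20s length %2d: %s' % (name, length,
                                            describe(seconds_to_exhaust(size, length))))
    for pw in ('P@55w0rd', 'L3tM31n', 'Dr4g0n', 'correct horse battery staple'):
        print('%-30s common: %s' % (pw, is_common(pw)))
```

Eight characters from the full printable set last under five hours at that rate; twenty lower-case letters in a sentence last longer than the age of the universe, which is the whole case for length over cleverness. The 14-character LM figure in the text is lower than this model gives because LM hashes two 7-character halves, not one 14-character string.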

If the futurists get their way, the problem of choosing and remembering passwords might well soon solve itself anyway as we move closer towards using biometric identifiers, such as the fingerprint recognition announced for the Home button on the new iPhone 5s. IBM fellow and speech CTO David Nahamoo wrote on the IBM Research blog in December 2011: “Over the next five years, your unique biological identity and biometric data – facial definitions, iris scans, voice files, even your DNA – will become the key to safeguarding your personal identity and information and replace the current user ID and password system.” Bear in mind that a biometric identifies you but can’t be changed if it leaks, which is why the iPhone’s fingerprint sensor sits on top of a passcode rather than replacing it.


Most used passwords

As compiled by SplashData from lists of stolen passwords posted online by hackers, the most common passwords in 2012 were:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael

Secure networking

Once you’ve hardened your online apps and services, do the same to your home network

Safety begins at home, and nowhere in the digital world is there more truth in that statement than where your wireless network is concerned. A strong signal can pass well beyond your walls – particularly if you happen to live in a flat – and stray into neighboring properties or even out into the street, taking your network traffic with it. Unless you’ve secured the connection, it would be all too easy for a third party to interrogate that data and extract from it whatever they choose.

Start by enabling wireless encryption on your network. Most routers offer a range of options here, with WPA2-PSK (Wi-Fi Protected Access II, Pre-Shared Key) the best option and its predecessor, WPA, a fallback only for devices too old to support WPA2. Avoid WEP entirely: its flaws are well documented, and freely available tools can recover a WEP key from captured traffic in minutes. If WEP is the only option your router offers, it’s time to upgrade the hardware, either through a firmware update or, if there isn’t one available, by replacing it altogether.

WPA and WPA2 employ a passphrase system to encrypt traffic on the network. This is commonly written on the side of the router if you haven’t changed the default, and is also the password you use to access the network when first making the connection. As such, you shouldn’t divulge this phrase to anyone who shouldn’t have access to the network or the stuff on it. If you’re choosing your own passphrase, then ideally it should be at least 13 characters long to minimize the chance of it being cracked using automated means.


Stay hidden

If your router allows it, hide the network name, also known as its SSID (service set identifier). It won’t then appear in lists of detected networks on Windows, OS X or mobile devices, even though a network sniffer will still be able to detect the presence of a Wi-Fi signal in its vicinity. Be clear about what this does and doesn’t buy you: the name is still sent in the clear every time one of your own devices connects, and those devices will broadcast the hidden name wherever they go looking for it, so a determined attacker recovers it in minutes. Treat hiding as a way of avoiding casual attention, not as security; the encryption is what protects you.

Don’t stop there either, or you’ll leave the job half-done. Router manufacturers routinely recycle network names, so there’s a fair chance you’re running a network called linksys, belkin54g, ZyXEL, NETGEAR or something else that’s fairly generic. So well known are these names that you can find a list of the most common Wi-Fi network names online. Unless you change your SSID to something unique, obscuring it will do nothing to prevent third parties cycling through the list until they find a match.
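Why the SSID matters as much as the passphrase, as an added example written for this page (not code from the article). Under WPA2-PSK the key that protects your traffic is derived from the passphrase with the SSID as the salt (PBKDF2-HMAC-SHA1, 4,096 iterations, 256-bit output, as specified in IEEE 802.11i), and that key is never sent over the air; an attacker who captures the handshake when a device joins tests candidate passphrases offline, paying those 4,096 iterations per guess per network. For a network called linksys that work can be done once, in advance, for millions of common passphrases and reused against every linksys in the world. The script below derives the key exactly as a router does, builds a miniature version of such a table from constructed lists of common SSIDs and passphrases, and shows a unique SSID (or an unusual passphrase) defeating it.

```python
import hashlib


def wpa2_psk(passphrase, ssid):
    """Pre-shared key (the pairwise master key) as a router derives it from
    what you type in: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations,
    32 bytes out.  WPA2 passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError('WPA2 passphrases are 8 to 63 characters')
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode('ascii'),
                               ssid.encode('utf-8'), 4096, 32).hex()


# Constructed stand-ins for the real "most common SSIDs" and "most common
# passwords" lists an attacker would feed to a table builder.
COMMON_SSIDS = ['linksys', 'NETGEAR', 'belkin54g', 'default']
COMMON_PASSPHRASES = ['password', '12345678', 'iloveyou', 'letmein1', 'trustno1']


def build_table(ssids=COMMON_SSIDS, passphrases=COMMON_PASSPHRASES):
    """The attacker's one-off investment: PSK -> (ssid, passphrase).
    Every entry costs 4096 PBKDF2 rounds, paid once and reused forever."""
    return {wpa2_psk(p, s): (s, p) for s in ssids for p in passphrases}


def recover_passphrase(table, ssid, psk):
    """Instant hit when both the SSID and the passphrase were on the lists;
    None means the attacker is back to guessing at 4096 rounds per try."""
    match = table.get(psk)
    return match[1] if match and match[0] == ssid else None


if __name__ == '__main__':
    table = build_table()
    for ssid, passphrase in (('linksys', 'password'),
                             ('Flat7-vY2q', 'password'),
                             ('linksys', 'drizzle on the allotment')):
        psk = wpa2_psk(passphrase, ssid)
        print('%-12s %-26s -> %s' % (ssid, passphrase, recover_passphrase(table, ssid, psk)))
```

Changing a single letter of the SSID changes every derived key, so a name nobody else uses forces the attacker to start from scratch against your network alone; a long, unusual passphrase then makes that start a very long one. Renaming the network does nothing for a weak passphrase against an attacker who targets you specifically, which is why the two measures go together.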

Next, turn your attention to the security guarding your router’s admin pages. These are routinely protected by a set of easily guessed credentials: many usernames are set to “admin” or “user”, and the password is often “admin” too, if not “password” or “pass”. Once a third party gains access to your network, they’ll be able to find the router’s address from their network settings, and by referring back to the default network name they’ll also be able to look up the default username and password and walk right in.


Router address

To change your login details, you first need to find your router address – you can do this in Windows 8 by opening ‘Network and Internet’ in Control Panel, following the link to ‘Network and Sharing Center’, and clicking the option ‘Change adapter settings’ in the sidebar. Double-click the active connection, then click the ‘Details’ button on the ‘dialog’. The router address is the four sets of digits beside ‘IPv4 Default Gateway’.

Typing this address into a browser will show you, or a hacker, the router login screen, allowing easy access if you haven’t yet switched away from the default settings. Log in yourself, navigate to the router’s administration settings and change the login details; while you’re there, if the router offers administration from the internet side (often labelled “remote management”), switch it off.

Most routers are set up so that client devices are automatically assigned a local address on the network using DHCP (Dynamic Host Configuration Protocol). This makes it easy for first-time users of the network to start sending and receiving data straight away, and reduces the amount of work the home user has to do to maintain the network. However, it also means that any rogue interloper will be handed an address along with legitimate users. You can put another small barrier in their way by disabling DHCP and making a note of the router address and subnet mask that apply to your network (from the router configuration pages) so that in future you can enter them manually on each machine that needs to connect. Also consider your router’s MAC authentication feature, which uses a list of the unique identifiers of each machine’s network adapter to ensure that only those specifically permitted are granted access.

Be realistic about both measures: MAC addresses travel unencrypted in every Wi-Fi frame and can be changed in an adapter’s settings, and anyone who can watch the traffic can see which addresses and subnet are in use, so neither step stops a capable attacker. They raise the effort required of the casual one. WPA2 with a strong, unique passphrase remains the control that actually matters.

You can find the MAC address of the network card in a PC by returning to the Network Connection Details panel from which we obtained the router address above and copying the six pairs of letters and digits beside Physical Address.

Once you’ve obtained your address, add it to the list of authorized clients on your router configuration screens.


Disconnected

If you aren’t using any wireless devices, then consider shutting off the router’s wireless connection altogether. Even if your desktop machines aren’t all in the same room as the router itself, it’s easy to pass data around your home without sending it through the air by turning your domestic electric cabling into a wired network.

Devices conforming to the Powerline (HomePlug) networking standard can transfer data between machines and access points at up to 500Mbits/sec, which is plenty for online gaming and HD movie streaming. The signal isn’t meant to pass beyond your fuse box or a modern consumer unit, but that is not a guarantee, particularly in flats that share wiring, so use the adapters’ pairing button (or their setup utility) to set a network key of your own rather than leaving the factory default in place.


Why you should use WPA2

Get stronger network protection

It’s easy to think of your network password as just that, a password to grant access, but it’s actually something far more important. All the data on your Wi-Fi network is encrypted with keys derived from this phrase, meaning that even if someone could intercept (“sniff”) the traffic, it would be unintelligible gobbledegook unless they also had the key with which to decrypt it. The flip side is that anyone who knows the passphrase and captures a device joining the network can decrypt that device’s traffic too, which is why the passphrase should be shared only with people you’d trust with everything else on the network.

WPA2 provides stronger network protection than WPA and WEP. It comes in two flavors: WPA2-Personal (sometimes denoted WPA2-PSK), which uses a single passphrase both to join the network and to derive the keys that encrypt traffic between the base station and its clients, and WPA2-Enterprise, which authenticates each user individually against a central authentication server (using 802.1X, typically backed by RADIUS) and gives every session its own key. Check for the Wi-Fi Alliance’s logo on any packaging or detail sheets when purchasing a new router.

WATCH OUT: look for the Wi-Fi Alliance logo on the packaging of any new router to ensure it’s certified for WPA2 encryption.



By PCsecurity
