Staying safe online

06 Dec 2009
Posted by Kiran
I recently wrote about the dangers posed by the Internet. From spam email clogging up your mailbox to malicious crooks trying to gain control of either your computer or your identity, threats can materialize in a variety of forms. Safety can never be over-emphasized when carrying out transactions online. However, in today's scenario staying safe is also complex and often difficult.

I have personally struggled with many of such issues, made many mistakes and also been gullible enough to fall prey to Cyber-thieves selling fictitious goods. However, I have learnt from these mistakes and, over time, have developed practices that have helped me be a little more secure. While I cannot guarantee that these steps will keep you safe all the time, they will certainly help:

 
1. Start with a clean slate

To begin ask yourself: "Is my computer already infected?" The usual complaints include slow performance, unwanted advertisements and generally unpredictable behavior. If you are facing such issues it would be best to get some support to clean up the mess.

There are several tools available online that can help you at various levels to clear viruses, Trojans, Spywares, Adwares and other such malware from your computer. If you haven't already got a reliable antivirus & anti-malware system installed on your machine, I highly recommend that you get yourself one.

Here are some suggestions for Anti-malware software:

Please note that these are not the only software available; there are others. The only reason those are not listed here is because I myself don't know much about them! Also, none of these tools are fool-proof and cannot guarantee absolute security from all kinds of threats. It is best to do some research of your own, read reviews and then decide which product provides the level of security you need at a price you are willing to pay.

2. Use a safer browser

I personally use the Mozilla Firefox browser with numerous security extensions installed, and would strongly recommend it to everyone. Firefox is a browser developed and maintained by a community of users & developers. While proprietary browsers have one organization looking after it, Firefox and other such open-source browsers have thousands of maintainers each contributing to and enhancing its security.

I have found Firefox to be very responsive to emerging threats. Mozilla, the organization responsible for centrally maintaining the Firefox code, provides regular updates to the browser ensuring that it remains secure against most day-to-day threats.

Firefox also boasts of a whole set of extensions that allow users to customize its functionality. This extensibility of Firefox allows users access to some very powerful tools not only for daily browsing convenience but also for enhanced security.

3. Make it a practice to Logout

Most sites today request you to create a user profile providing varying amounts of personal information. These sites can range from social networking sites such as Facebook, Orkut; or Web email sites such as GMail, Yahoo! Mail or Hotmail; or even B2C and Online Auction sites such as eBay or Amazon; they all have some degree of personal information about you.

Most sites set cookies on your computer when you logon. This cookie does not get deleted even when you close the browser. Hence, if you are operating out of a shared computer, others can get access to your profiles if you don't explicitly logout while ending your session.

A way of avoiding this often embrassing and at times hazardous situation is to make it a practice to explicitly click on Logout when you are finished using a site. Also, it can help if you set your browser to automatically delete cookies at the end of every session when you close your browser.

4. Firefox Security Extensions

As I mentioned earlier, Firefox provides a whole host of functionality-extending addons. My personal favorites are:

 

I would recommend that you consider using Firefox with the addons listed above installed. If you are interested, here is an article about addons that can help you improve security with Firefox.

5. Use "easy to remember" but "hard to guess" passwords

Coming up with strong passwords that are also easy-to-remember can be very difficult. Most of us use shortcuts here by using the name of a spouse, a child or even a pet to make up easy-to-remember passwords. The problem with that approach is that anyone who knows you, even slightly, can guess those passwords.

The importance of using a strong password is probably the most under-appreciated fact of using the Internet. I found a very interesting article on how a weak password may be hacked; read it!

An easy way to come up with a easy-to-remember but strong password is to use a pass-phrase instead of a password and then transform it by randomly adding numbers and symbols.

If we were to start with a pass-phrase "I stay in London", we could transform it to IstayinLondon and then to Istay1nL0ndon and then to I$tay1nL0nd#n, which would be a much more secure password when compared to, say, using my daugther's name, Savi, as a password. Read more on an approach used to come up with strong passwords here.

6. Use a password manager

Even if you were to use pass-phrases, these days there are hundreds of websites out there and all of them want you to signup to access some their features. It is humanly impossible to remember so many passwords. To tackle this problem you'd probably either reuse the same password on all websites or use the browser's remember password option. However, with either approach you could be risking your data being compromised.

If you use a common password everywhere, that one password is all an attacker needs to know if he/she needs to obtain access to all your accounts across the web. Using the browser to store passwords could cause problems if you forget to lock your computer or if your computer is shared with friends.

An effective solution is to use a password manager. There are many password managers that you could use; the one I use is Password Safe. It can be downloaded for free and uses the Twofish encryption algorithm to securely store passwords in an encrypted database and secured by one master password. The program is very convenient and provides a host of easy to use and very useful features that help users securely maintain many passwords and minimize risk of security incidents. It also locks down every 5 minutes, so chances are rare that all passwords will be compromised due to an unlocked or shared computer.

If Password Safe is not right for you, you can easily do some research to find a password manager that gives you the features that you need. Whatever password manager you use, it is definitely going to be more secure than reusing passwords or letting the browser remember all passwords for you.

7. Use Network filtering

Malicious sites can be hard to detect for the average user and many users find it difficult to differentiate between a genuine website and a malicious one.

Network filtering is a mechanism that prevents users from navigating to websites that have inappropriate or malicious content. These days all routers provide Firewall facilities where specific Domain Names or keywords can be blocked to implement network filtering.

However, maintaining a comprehensive list of harmful sites and filtering them at the router can be a task that isn't meant for the most of us. An easier alternative is to use DNS services such as OpenDNS. OpenDNS is a service which provides alternate DNS servers for your Network. You simply configure your router/computer to use the OpenDNS servers instead of the default DNS servers provided by your ISP.

OpenDNS have a community of moderators and users who constantly help classify websites into various categories such as Adult Content, Adware, News, Known Malware sites, etc. Over time they have built a huge list of sites and classified them under categories. You can choose to allow/disallow each category on your network. You also have the flexibility of blocking or allowing specific domains if you choose to.

By using OpenDNS, you can ensure that all users on your network are prevented from accidentally stumbling on malicious websites and getting infected with adware/spyware, etc. OpenDNS also helps protect users against Phishing attacks.

8. Get Involved! Actively report Malware sites.

Browsers such as Firefox and Google Chrome provide protection against malicious websites. For example, if you try to navigate to known malicious websites using the Firefox browser it will prevent you from browsing to it and give you a warning that it is a malicious website.

Try it:

The following is an example of a Phishing site. Firefox will immediately give you a warning. Similarly, Firefox will again give you a warning if you try to navigate to this example of an attack site.

These warnings are designed to prevent innocent users from being victimized by such known malicious sites. Firefox provides these warnings using lists of known malicious websites; the lists themselves are maintained by Google.

You can help Google keep these lists up to date by reporting any new malicious websites that you find that aren't being filtered by Google or Firefox. Such reports can be filed with Google using its Report Badware form.

9. Use common sense!

Scammers are able to victimize users thanks to the victim's own weaknesses — either it is the victim's gullibility, apathy or greed!

Allow me to ask you a few questions:

 
a. Do you accept all social networking invitations that you receive? I don't. I just don't see the point in being member of so many different networking sites and then connecting to the very same people everywhere. The more number of sites you are a member of, the more people there are out there who can potentially steal your personal details.

b. If you receive an email either congratulating you on winning a massive amount of money or seeking help in transferring massive amounts of money and promising huge rewards, would you fall for it? If you would, don't. Things that appear too good to be true usually are just that — too good to be true!

c. If you get a pop-up thrown on your face advising you that your computer is infected and asking you to purchase an antivirus program, what would be your move? If you would download the software and install it or pay for it, you would be asking for trouble.

These are ways scammers commonly use to scam you into parting with your hard earned cash or compromise the security of your computer. The best defense is to be wary of anything unexpected. The best defense is to simply use some common sense!

Stick with sites and products that you know can be trusted. Make it a practice to search for reviews of any product that you download from the internet. I wouldn't buy products even from known brands such as Norton or McAfee or ZoneAlarm without first verifying its review on trusted sites such as CNet.

Update (06-Dec-2011): As it turns out, CNet themselves have been accused multiple times[1][2] of wrapping their downloads with unwanted and unnecessary bloatware. However, CNet is not the only site out there for reviews of software. There are many others.

10. Stay legal, stay up-to-date, stay safe

I know this is a cliché. However, it is the truth. If you use pirated software, you are most probably exposing yourself to attacks. Even if you have obtained the most reputed anti-malware software there is, it will not be able to protect you against new malwares that come out almost daily, unless you also have an active subscription to the latest antivirus definitions and malware signatures.

Similarly, new vulnerabilities are routinely discovered in existing software. Software vendors constantly release updates that fix these issues. The way to stay protected is to stay up-to-date and the only way to get the updates is by having legitimate software.





All the steps mentioned above can be viewed as defences you put in place against crooks out there in the cyber world intent on causing you harm. It's akin to locking your door with a padlock and also ensuring that the windows are closed.

You wouldn't consider locking your door an excessive overkill, would you? Why then do most of us neglect to secure ourselves while online?


Disclaimer: The points mentioned in this blog are not the result of any research or analysis. They are opinions — my opinions. These opinions have been formed mostly from my own personal experiences, information gathered by reading various articles on the Internet and discussions and debates with friends.

I am not a security expert and what I have written in this blog should not be construed as security recommendations. These are simply steps that I have personally put to practice and found useful in reducing the risk of online security incidents to some degree. These steps do not guarantee protection. If you require fool-proof online security, you should consider hiring a qualified security professional.

I provide no guarantees and will accept no liability if you have a bad experience by using any of the products listed in my blog or encounter any kind of security incident as a result of or despite of following the steps I have laid out above.

Please use your discretion in implementing any changes to your current practices.