Fauxmccoy knows of what she speaks:
So … I Married a Hacker
This story is not quite as adventuresome as my first marriage, when at 19 “I Inadvertently Married a Much Older, Denture Wearing, Mentally Ill Drug Dealer”. Sadly, the only thing known at the time i said “I do” was the fact that he was older. The marriage did not last long and the divorce settlement (in which i received 200 hits of San Francisco LSD to distribute along Haight Street) was just as wacky, but I digress.
When I married my young hacker, we were both students and i routinely walked in on him doing nefarious computer deeds. This happened regularly until we had our first child, at which point, i became quite clear that from now on, if the police were to show up on our door, it would be because one of us called them and for no other reason. Out of love and respect, he left his hacking ways behind although he remains up to date on methods because that is how he earns his livelihood. He was able to parlay his skills into being a well compensated systems analyst who specializes in network security for organizations who depend on it, such as municipalities, the IRS, VISA, etc. Although considering these clients, i am hard pressed to say that he is now one of the ‘good guys’, but the work is certainly legal and above board.
In light of a number of us here experiencing internet security issues, I asked Fred if he would be interested in me resurrecting my tech writing career by presenting a “best practices” model for cruising the internet with relative security. In this article, I will detail a number of things which each of us can each do to beef up our internet presence, but will sum it up using my husband’s statement “do not be the low-hanging fruit”.
We know that some of us have been specifically targeted because of our work/statements in support of the Martin/Fulton families receiving justice for the loss of their son, Trayvon Martin. Some of this, while disconcerting, is relatively benign, such as having usernames and avatars stolen and used to spread vile, racist garbage on other sites. While this is unpleasant, there is next to nothing that will make this activity stop. My best advice is to not use personal pictures of your self, children, even pets as avatars which would cause you distress if used by the wrong hands.
Others here have experienced far more difficult scenarios in which email accounts have been hacked, doxing has occurred, family members have been accessed and harassed, and threats have been received. These things can be addressed, your success in avoiding being in this position depends upon your vigilance.
Basic Browsing Security
This is the level of security i would recommend on any trusted site, including this blog, the Huffington Post etc. I will give more stringent security tips below for visiting blogs which actively support the defendant because they represent greater risk.
1. Avoid revealing overly personal information. This can range from your actual name, city info, and age, up to posting pictures with identifying details in the background (for example, a photo in which a diploma in the background which can be blown up to determine your name).
2. Keep your computer system fully updated, including the operating system, anti-virus updates, and most especially updates from Flash, Java, and Adobe Reader which are notorious malware vectors. THIS IS CRITICAL!
3. Install an anti-virus program. The husband highly recommends the free versions of AVG and Microsoft Security Essentials. MAC systems are no longer immune and there is a free app called ClamXav which i have used and like. Keep these current at all times.
4. Install a browser specific add on to block java script and flash. A malicious script hidden on any site can not only decipher your internet address, but can use code to bypass your firewall and at that point, all information on your home network is breached. I use No Script and Flash Block for Firefox, but you will have to determine the most appropriate for your browser.
5.Social engineering is one of the best known tricks for gaining access to your system. This includes fraudulent attempts to gain your passwords by sending out mass emails for people to change their Twitter password for example. Unfortunately, the link you press in the email may look exactly like Twitter, but it is not. Should you receive such an email, go directly to your account (not by provided links) and change your password. Social engineering also consists of embedded links posted on any site which can redirect your browser to a page which contains malicious script that appears blank. In other words, be careful of that which you click, shortened URLs can be especially dangerous (such as bit.ly or tiny url). There are servies such as unshorten.com which you can use to determine where the link redirects and decide in advance if you trust the site.
6. Passwords — not enough can be said about passwords as this is one of the easiest ways for a security breach to occur. NEVER re-use passwords. For important accounts, such as your bank or main email, you want to use the strongest password possible, this consists of a 12 character, randomly generated string which includes upper/lower case letters, numbers and symbols. Do not use ordinary words such as ‘deadbeat’ substituting 3s for e or 4 for a, such passwords are very simple to break. Obviously do not use your name or that of anyone in your immediate family, including your pet.
7. The best password system is to install a password vault add-on such as “LastPass” and I highly recommend doing so. LastPass is well regarded in the tech world and works across all platforms and browsers, there is even an android phone app available at minimal cost, but i do not like the interface, personally. LastPass will store personal data on its secure server (i even keep my credit card number stored there) to be used in filling out online forms; it can generate strong passwords for any site which requires registration, and then stores them so that you do not need to remember them. Always let LastPass generate the strongest possible password. LastPass will automatically log you into a website should you wish when you go to visit it and can run a security check on your passwords to identify weaknesses. When using LastPass, you will need a password to log into it, you want this to be a strong password. Although it sounds counter-intuitive, it is really OK to write down the few strong passwords you need (bank, email, LastPass) and keep it in your wallet.
8. Do not use your main email for registering on sites. For me, my gmail account is my main account for friends and business dealings. I use a yahoo account for registering for most sites which require one and I make sure that the yahoo account has no reference either in the account settings or contacts of my primary gmail account.
Browsing Questionable Sites
I know that many of us cannot help but to see what the CTH and its spin-offs are up to now. I consider doing so as a potential security risk. First of all, just by visiting the site, administrators have access to our IP addresses, I for one, do not want that. Secondly, I do not trust that there are no malicious codes embedded. We know that a few of us have had serious security breaches and unfortunately, we know that this crowd engages in unethical doxing behavior. If you feel that you absolutely must know what they are discussing, I advise using extra caution, including the following steps:
1. Browse Anonymously — I pay a small monthly fee to access a virtual private network (VPN) to mask my IP address at all times. VPNs are relatively inexpensive (some are free, but advertising driven and slow), easy to install, can be used on both your computer and smart phone, and provide the ultimate security of guarding your IP address any time you are online. VPNs also add a great level of security when using a laptop, especially in a public space. This article in LifeHacker details some of the best VPNs available and contrasts their services and pricing structure. http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs. Notice that I used the direct link in its full form so that you can see where you are going before you click. I think that as a service to each other, we should always do this. If a VPN is out of your price range, consider using an online anonymizer such as Anonymouse prior to viewing sites with questionable content.
2. Block Script and Flash — As stated above, I use NoScript and FlashBlock for firefox. Whatever browser you use will have some version available, search Lifehacker.com for browser specific recommendations. I cannot stress how important this is when browsing sites of questionable content.
3. Registration — if you must register at the site, use a throw-away email address at sites such as Spaminator or Mailinator and under no circumstances should you use the same password for registering that you use at any other site.
4. Posting — The best practice would be to not post at such sites, but if you do, do not use the same userID there that you would here or elsewhere.
A Note to Blog Owners
I know a number of you other than Fred maintain your own blogs, please remember that our virtual security is in your hands. You have access to our IP addresses and emails. Keeping your blog secure with strong passwords is critical.
In conclusion, I hope that this helps us all to become more aware of the security of our online presence and provides the tools necessary to become secure. I am open to any further suggestions and hope that comments generate some. Also, for the tech savvy amongst us who use different browsers or alternate services, please feel free to share what works for you. I am working on a follow up to this on what you can do once you know your security is breached and hope that Fred will be kind enough to post. Obviously if you have had a security issue and are receiving any type of threat or harassment, please report to your local authorities.
Happy browsing, stay safe, and enjoy capital letters in a post from me 🙂