How to protect your digital life from hackers and viruses

What would you lose if hackers got access to your mobile phone, email and online shopping details? In Mat Honan’s case it was years of contacts, emails, messages and photos of his daughter’s first year.

Hackers took control of his Apple ID after fooling customer service reps, which allowed them to log in to his Gmail. From there they made their way to their ultimate target: his Twitter account. Along the way they deleted his Google account and remotely wiped his MacBook and iPhone.

In a post on Wired, Honan placed much of the blame at the door of Apple, whose lax security permitted entry in the first place, but also admitted that he could have, and should have, done a lot more to protect his digital identity.

One of the hackers contacted him and admitted that they didn’t target him because they wanted his credit card details, or to read his private emails... it was because they liked his Twitter handle.

If this could happen to a technology journalist over a three-letter Twitter username, it can happen to anyone. As cloud storage and online accounts become more vital to our day-to-day lives, it’s important that we all take some precautions.

Practice basic computer security

It wasn’t used in Honan’s case, but one technique utilised by hackers going after a specific person is placing a trojan virus on a target system. Hackers can then record keypresses to grab passwords and download whatever data they desire.

Anti-virus will help prevent such attacks. You don’t need to pay for the software either: our first choice for free AV is Avast!, but also consider Microsoft Security Essentials and AVG. These freebies perform as well as, and sometimes better than, premium packages like Norton and McAfee. In fact these two might be best avoided anyway as they have a reputation for being bloated and overpriced. If you want to pay, try the excellent Kaspersky or Panda Anti-virus.

It’s also a good idea not to just go clicking on any file attachments that come through email, even if they’re seemingly coming from someone you trust. Run an anti-virus scan on those things first as otherwise you could come down with a nasty case of the trojans. The super-paranoid can make use of Sandboxie, a smart application that isolates programs to prevent them affecting the rest of the system, allowing you to safely check a file before letting it loose.

As well as an anti-virus package you should install some anti-malware protection. While any virus is technically malware, there is a difference between anti-virus and anti-malware applications (and the two can safely be run together, whereas operating two AV packages will lead to issues). Anti-malware is designed to pick up different kinds of threats which aren't always detected by AV tools, and it's also very good at clearing out existing infections. Our top choice is the excellent Malwarebytes Anti-Spyware.

Secure passwords

I think we all know by now that ‘password’ is not an acceptable password, yeah? Good.

If your password is too simple, or easy to guess from information that someone could easily obtain (pets, football teams and so on), then you’re just doing a hacker’s job for them.

A mix of numbers, letters and characters is much better, but as this StackExchange post explains, and XKCD has illustrated, such passwords are still not perfect and could be cracked in a reasonable amount of time.

Longer is always better when it comes to passwords. Link together several memorable words into a nonsense phrase and it will be effectively impossible to guess or crack. A great way to do this is to use Diceware, which constructs random phrases from dice rolls.
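The dice-to-word lookup behind Diceware, and why length wins, as an added example that is not part of the original article. The 36-word list keyed by two dice is constructed for the demo (real Diceware lists hold 7776 words keyed by five dice), and the entropy figures assume every pick is uniformly random.

```python
import math
import secrets
from itertools import product

# Constructed 36-word miniature list, keyed by TWO dice so it fits on the page.
# A real Diceware list has 6**5 = 7776 words, each keyed by five dice.
SAMPLE_WORDS = (
    "acorn badge cedar delta ember fjord glove haste ivory jolly kiosk lemon "
    "mango noble ocean pixel quilt raven sable tulip umbra vivid waltz xenon "
    "yacht zebra amber brisk coral dusty eagle flint grape hazel inlet jumbo"
).split()


def build_list(words, dice_per_word):
    """Map every dice sequence ("11" .. "66") to exactly one unique word."""
    keys = ["".join(k) for k in product("123456", repeat=dice_per_word)]
    if len(words) != len(keys) or len(set(words)) != len(words):
        raise ValueError("need exactly 6**dice_per_word unique words")
    return dict(zip(keys, words))


def roll(dice_per_word):
    """Software dice: secrets uses the OS CSPRNG (the random module must not
    be used for passwords)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice_per_word))


def passphrase(wordlist, n_words, rolls=None):
    """Pass `rolls` to use physical dice; otherwise they are drawn here."""
    dice = len(next(iter(wordlist)))
    rolls = rolls or [roll(dice) for _ in range(n_words)]
    return " ".join(wordlist[r] for r in rolls)


def entropy_bits(choices, length):
    """Bits of entropy when each of `length` picks is uniform over `choices`."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print("demo phrase:", passphrase(build_list(SAMPLE_WORDS, 2), 6))
    print("6 words, 7776-word list: %.1f bits" % entropy_bits(7776, 6))
    # Best case for 8 characters: every one chosen uniformly from 95 printable
    # ASCII symbols, which human-chosen passwords do not achieve.
    print("8 random characters:     %.1f bits" % entropy_bits(95, 8))
```

Each extra word from a full 7776-word list adds about 12.9 bits, so every added word multiplies the number of phrases an attacker must try by 7776.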

It’s also incredibly important that you don’t use the same password across every site, because then a single hack or security leak could open up all your accounts.

To save having to remember all your individual passwords for every site we highly, highly recommend LastPass or another password management tool. These will store all your logins within a securely encrypted container, so you don't need to make the passwords memorable as the software will fill in login forms for you. They can all be unique and extremely complex, and you only ever need to remember the one master password to open the container.

Backup, backup, backup

No matter how much Honan blames Apple’s loose-lipped customer service, the fact is his sunken ship could have been salvaged if he’d had an up-to-date copy of important data.

At the very least you should keep copies of vital files in at least one other location, preferably several (follow the 3-2-1 rule). Grab an external hard drive and use it for offline backup. They’re not expensive (1TB external drives are cheap on Amazon) and you can automate the process with any number of free tools.

Be extremely cautious when using any kind of cloud storage system such as Dropbox or iCloud. Not only could it be wiped by an attacker, but you cannot fully trust these services with important data. Anything stored here can be accessed from any location with the right permissions, so you might not realise you've been compromised until it's too late. And as we found out from Edward Snowden's NSA leaks there's no telling who can see your files. At the very least governments probably have access, but employees might be able to get in there too. If you do use cloud storage you should encrypt sensitive info before uploading so it's useless without the password.

Two factor authentication

Anti-virus, decent passwords and backups are basic stuff; they’re things we should all be doing anyway as a general rule. But they won’t protect against smart and/or lucky hackers. For that we need to look at more advanced security features.

Something which will stop many hack attempts dead in their tracks is two factor authentication (2FA). It sounds scary and technical but it’s actually dead simple, and most of us use it on a regular basis already.

Normally to log in to your email you just enter a username and password and you’re done, but 2FA means there’s a secondary layer of protection which must be passed before you’re allowed entry.

This is really common on bank accounts where you’ll have to slot your credit/debit card into a little keypad card reader thing, which spits out an ID code that must be entered in addition to your online banking password.

Google offers this, and all you need is a mobile phone to receive text messages. 

Go to the Security section of your Google Account and follow the instructions to enable 2FA. It won’t take long and it means that to log in to your account someone would need both your password and your mobile phone. You can also download the Google Authenticator app to an Android phone so it can be used even when there’s no signal.

Two factor is showing up on a lot more services so if it’s available, use it. For instance, LastPass now offers two factor (and you absolutely should use it here, if nowhere else) and the digital download service Steam has a feature called SteamGuard which requires verification every time you connect from a new computer.

Pack a digital emergency recovery kit

If the worst happens you want to be like the Scouts and always be prepared, so put together a digital disaster kit.

Recovery disk/flash drive

If your PC gets ravaged by a virus, or someone even manages to take control and wreck your hard disk, you’ll want to get it up and running as quickly as possible. For that reason you should prepare a recovery CD or flash drive.

It’s not been updated in a while but the Ultimate Boot CD is a free download which, when burnt to a disc, offers a huge range of useful tools to recover a downed PC, including data recovery, secure file deletion and anti-virus.

It’s also helpful to have a copy of the free Linux OS Ubuntu on a USB memory stick. Provided your PC is set up to boot from USB it can provide a fully-functional modern operating system in minutes, no installation required.

Secondary email address

To recover a forgotten password it’s typical to have a password reset emailed to a secondary address, but this is often an avenue used by hackers as they’ll simply break into the email and from there gain access to all your secrets.

For this reason you should create and maintain an email address that is entirely separate from any other account and only used for password recovery. Make sure it has a long, secure password and that the username and/or address is unlike any of your other emails or nicknames.

One last thing - if you go for a free service it may expire if not used regularly, so remember to log in occasionally and check it’s still working. This is particularly important when a deleted address can be registered by someone else.

Portable app toolkit

USB sticks are endlessly useful. Not only can they be used to store files or boot operating systems, you can also stuff them with portable apps which will allow you to carry on working on any computer.

Head over to portableapps.com to download portable editions of a huge number of common tools such as Firefox and Dropbox. Grab whatever you need, load it on a USB stick and you can run the software without installation.

This is hugely useful for quick and easy access to familiar applications when using other people’s systems, and it avoids downtime if your PC is busted. If you want extra security, pick up a neat biometric USB stick with fingerprint scanner.



Comments

  • happy

    by Lazerus at 17:03 on 13 Sep 2012

    I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.
