Skip to content

Security and The Net

In an era where people are dependant on Computers, Mobiles and Tablets, one needs to stop being complacent about access to it, and I'm not talking about physical access. Far too many people assume things are safe by default, or are of the mindset that It'll never happen to them, well, wake up and smell the coffee, because things are not always as well as you would want to believe, and often because of the simplest reasons, opening an email from a friend who has had their PC infected and sending out malware, getting a strange MMS or SMS ringtone, downloading torrents, using a trojaned program, phone or tablet app, forgetting to change a devices default password, or not applying security on that brand new, or just reset WiFi device, as you see, most of these are user faults, and yes, it gets worse for the user faults.

Then there are times I think there should be a licence to use The Internet, especially when you repeatedly here of the same horror stories of people constantly being scammed, really, you've won millions from a lotto in another country you never entered? Overnight millionare from some long lost relative being told by plain email yet they want you to supply your details? really? The groups committing these crimes have been doing this for over ten years, they are masters of the art, most are highly intelligent, discreet, well organised, and highly resourced, their capabilities may be the envy of many a spook.

It's not however, only scams where you send them money, all some of these scam artists want is as much information as possible about you, that all leads to an ever increasing identity theft database for the fraudsters, who don't have to be international crime gangs, they can be someone in your local area, mostly where free public access WiFi is available.

The Internet is not however as bad as some make out, and it certainly is nowhere near as bad as scaremongering clueless idiots, like techo-weenie politicians and some religious groups like the Australian Christian Lunatics Lobby (incidentally, I'm yet to meet a Christian who says the ACL speaks for them), who all in having absolutely no idea themselves, make out the Internet is the anti-christ, thankfully most people have a higher IQ than those peoples shoe sizes, and can see them for the fear and scaremongering clueless uninformed morons that they really are. There are far more deviant people in the real world with far greater access to most things than online, but, just as in the real (offline) world, you need to take precautions.

It is actually easy to protect yourself online, and no you don't need to hire an army of armed guards, so much of it starts with plain 'ol common sense, after all, you don't go out whilst leaving your doors and windows at home wide open or unlocked do you? You don't give out your personal details to someone who just walks up to you in the street do you? Certainly in the later not without proof of who they are and represent (yeah I too hate those hawkers, good thing we have a Rottweiler ;-) )

The simple things to remember...

Never give out any of your personal or financial details to anyone you do not know!

In the case of phone calls, where you did not initiate the call to a recognised organisation on a publicly listed and recognised telephone number - this means no last names (if they address you as Mr and ask for your first name, politely decline as well), no addresses, no other phone numbers, and certainly no dates of birth or drivers licences, no, any company you do business with will not call or email you asking you to confirm your details!

By the way, computer techies are not mind readers, nor do they have ESP, if your "windows" has a virus or is broken, I think you would know before them, wouldn't you say? You would be calling a known local tech firm, not someone from India calling you :-) Not even someone claiming to be from Microsoft, and if they claim to be from your ISP, thank them then just hang up, now you call your ISP yourself, don't ask them for any number, use the ISP's publicly advertised number.

Nor should you ever send that information to anyone, even a recognised organisation, by Email, if a business you wish to do business with wants that information, and, of course you called them, that's a different story, but again, do not Email them any of it, I've never come across a business that wont take your details on the phone, but if they need it in hard form, ask for them to send you an application, they can email it to you, but again, don't reply with it, print it out, and mail it to them, sometimes you can sign up and buy online, this is usually safe if the web address they give is a valid secure socket, commonly referred to as SSL or https, once you load the online application form, ensure there are no warnings, ensure you are on a https:// web site with a green bar, or padlock (depending on your browser), and ensure the certificate is valid, if the website presents an unknown or invalid certificate, quit the site immediately and go elsewhere, SSL certificates cost very little, some are free, if they can't be bothered setting your peace of mind at ease, then why should you bother sending them your custom.

If you receive unusual email from a friend or colleauge seeking money, or an otherwise out of character message content, be aware that the persons email may have been hijacked and is being operated by some criminal group. Contact the person by phone or talk to them in person to confirm the communication prior to responding. It is important you do not respond to strange or unknown senders. This is also important with regards to an email from any organisation you deal with, be it a bank, your phone provider, Ebay, paypal or facebook, there are many emails out there impersonating such organisations that look very real, but the link they embed is to a site designed to collect your identity or login information, these are called phishing sites.

Email and social networking profiles are regularly targeted and compromised by criminal groups for the purpose of committing fraud and other illicit purposes including intelligence gathering for identity theft. Facebook is a prime example of this, people often make comments on unprotected pages that they are out for the night or going away on holidays, might seem innocent enough, but you really are easy prey in doing this, crime gangs are not the usual druggies on the street doing anything for a quick fix, these gangs are highly sophisticated and patient, if they get your details from somewhere, or decide to target you, they will stalk you on facebook, twitter, myspace, and so on looking for every little slip up you make in their intelligence gathering, given enough time they could know as much about you as your real friends, maybe even more.

So, be mindful of what you post on social networking sites in relation to personal information.

With regards to facebook, the site itself has little regard for your privacy, ensure you have the highest privacy settings, be careful on what you put in the about you, and your hobbies, activities etc as these can not be hidden, nor can your profile picture, the place has more privacy invading holes than a block of swiss cheese! If you are concerned, open up a separate browser, make sure you are not signed in and have stored/flushed web cookies, try viewing your profile, so you'll then see, what people you don't know see. And most importantly, don't blindly add people you don't know, because you never know what their reasons are or who they are.

If you want to know how much Facebook keeps on you, take a look at this U.S. government order for users details.

If you want to chat to other people and make new friends, do it how we used to before facebook - use IRC (Internet Relay Chat), it's much safer as well, if you're new to IRC try getting used to it by using a small quiet server, once familiar you can move on to a larger network such as Undernet.


With passwords, common sense rule number one - NEVER give your password out to anyone!

Always use different passwords for each different website. Never, re-use the same password.

Don't use guessable passwords - never use names, dates of birth, phone numbers, favourite places, family or pet names or variants of - as your password. Never use common words or phrases, it is recommended that passwords be at least 8 characters in length and comprise of an assortment of upper and lower case letters, numbers and other characters. If you're terrible at remembering passwords, a good way is to use character substitution, for example a password of lazyboys used on a site could be accessed by brute force in minutes, but lazyboys can easily become l4Z%8oYs a password that may take hours or days to find in a brute force, by which time many alarm bells should be ringing at the service provider where they can take action to block them.


The use of open WIFI facilities will make your online activity vulnerable to interception and you could therefore become a victim of identity theft. Any user names and passwords used, files sent and received are vulnerable, any files kept in shared folders on your PC or Mobile device may be compromised. Ensure any use of public WiFi is encrypted, in other words, SSL and especially on your Email as these programs by default, send information in plain and clear text.

Regardless of the access method or device, configure your Email (and FTP) clients to use SSL, in particular, TLS for both POP3 and SMTP, this means they wont see your Emails you receive or send, nor will they see your login name or password! Some client examples can be found at kb.ausics.net

If you operate a wireless network at home or work, make sure that at the very least you are using WPA2 encryption. Never use WEP or leave the device unencrypted, therefore unprotected and open access, you could not only be at high risk of identity theft, but also open to other serious legal situations, you could be used by spammers, or worse, someone using your connection to download or operate a child pornography site, or even a terrorist cell. It will not be the hijacker who gets the doors kicked in, it will be your life turned upside down - despite your actual innocence. There are many wardrivers out there seeking out open access points for a myriad of reasons, and a fair percentage of them would involve illegal activities. This evenly applies to businesses as well as home users.

Ensure that the devices default user names and passwords are changed, and this goes for any router, be it WiFi, DSL, Cable, or WAN (for use on ethernet networks, including the eventual NBN etc), and make sure you have disabled remote access, this will stop anyone from accessing your routers administration from the Internet, but still allow you to from the LAN.

As you have likely gathered by now, I detest facebook (for many reasons) but your communications there can be snooped out as well, and if you're using https, don't be fooled, viewing the certificate, the warning appears that facebooks SSL is only a partial encryption, therefore I regard it as insecure, because it is not fully encrypted data sent to you. Twitter has a nice feature, go into your profile and select enforce SSL. The dangers are also very real for Webmail users, only use secure access methods (https://), never use Webmail in normal http mode, even if its a one off, all it takes is that one off time to be snooped.

If you use anyone else's computer, phone, or tablet, be it a work or friends machine, or public access (Internet Cafe) always clear all caches when you're done, clear the history, cookies, everything. If doing so, and, even if using your own device in any public space, be mindful of who is around, even if no one is apparently looking over your shoulder or at your screen, doesn't mean no-one is looking, especially when dealing with logins and passwords to any site you visit. For these reasons, it's also advisable to never do Internet Banking from those types of machines.

Remember, crime gangs are very, very, patient, they may have your facebook, email, router login details sitting in their collection for a rainy day, it has been reported they can have it for many many months before they use any of it, all unbeknown to you.

As for P2P, yes, be it a savior (yes AFACT, it does have legal uses) or evil protocol, many miscreants use P2P to infect machines with malware and viruses, in a perfect world, you would all be using Linux, but hey, the world is far from perfect isn't it, so, be fully aware that program you are downloading because your too cheap to buy, might look right, it may not be.

So ensure your machines (regardless of Operating System type) are patched and up to date, this can't be stressed enough for windows users, and make very certain your virus scanners definitions file is updated at least once daily.

One of the biggest mistakes people are also making today is that they do try hard to protect their home devices, but fail in applying the same security consideration for their phones or tablets, most of these devices even offer tethering, kinda of a wireless or USB mini access point, don't configure it if you don't need it, but if you do need it, only enable it when you need it. Only download apps from official app stores, this includes android market as well, read reviews before doing so, make sure its used by more than a few people and has excellent reviews, you never know what you're installing as this SMH report makes clear.


Lastly, I hope, heck this is ending up like War and Peace isn't it :-) - Firewalls!
At present most people are using IPv4, with NAT on their routers/modems, they are using what can be called an accidental firewall, relying on the NAT configuration to protect internal machines from outside users connecting to them, this is all about to end as IPv6 use becomes more common over the next few years as ISP's run dry on their IPv4 stockpiles. Start applying firewall rules on the router, denying everything inbound except what is wanted (home web server etc), and to what machine. It might take a bit of mucking around getting it right, but it is important to get it right, additionally, applying deny all firewall rules on each computer, phone and tablet on your LAN, in many cases these are default, but always check, never just assume.



If you suspect you've been a victim of identity theft, contact your local Police station.
If you suspect your banking details have been compromised, contact your banks 24hr hotline



  • Twitter
  • Google Bookmarks
  • Bookmark Security and The Net at YahooMyWeb
  • Bookmark Security and The Net at reddit.com
  • Bookmark using any bookmark manager!
  • Print this article!
  • E-mail this story to a friend!
  • Identi.ca

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

Shellie on :

Thnx for writing these details within your site.

Jared on :

I am regular visitor, how are you everybody? This article posted at this
web page is really pleasant.

Emmanuel on :

whoah this blog is excellent i like studying your articles.
Keep up the great work! You understand, a lot of persons are looking round for this information, you could
help them greatly.

Mildred on :

Very well written!

Shari on :

This is the second time I've been to your site. Thnx for explaining more details.

German on :

What's up to every body, it's my first visit of this weblog; this webpage contains awesome and truly fine material designed for visitors.

leia-shaw@gmail.com on :

I always spent my half an hour to read this website's posts all the time along with a mug of coffee.

refugiopalma@gmail.com on :

This is the first time I've been to your site. Thnx for providing more information.

anton_farr on :

A colleague referred me to your resource. Thanks for the details.

Edmund on :

Have you ever considered about adding a little bit more than just your articles?
I mean, what you say is valuable and everything.
But think of if you added some great photos or video clips
to give your posts more, "pop"! Your content is excellent but with pics and video clips, this site could certainly be one of the greatest in its field. Fantastic blog! I had this problem also in the past and i am so glad i got myself a cure...

tanya_carter on :

Awesome post.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Form options

Submitted comments will be subject to moderation before being displayed.