It’s impossible to watch the news these days without hearing about hackers breaking into another corporate database, and making off with sensitive user information. It might feel to people that the Internet is becoming the Wild Wild West, where danger lurks on every corner and it isn’t safe to do anything online. But as I keep saying to everyone, being online is the same as being offline – you are safe as long as you take the proper precautions and not take any unnecessary risks.
I mean, would you go outside without locking your door and closing your windows? Would you walk around with a thick wad of banknotes in your shirt pocket? Would you walk down a dark alley at night wearing expensive clothes and a gold Rolex? No of course not, because common sense dictates otherwise. It’s the same with being online. Use your common sense, don’t be reckless with an “it will never happen to me” attitude, and you will be absolutely fine.
How NOT To Get Hacked – Courtesy Of TrendBlog
So if you are nervous about getting hacked, carry out the following options to lessen your chances. It would be disingenuous of me to say that this will GUARANTEE your safety from hackers, because there are no guarantees in life. But the following suggestions will definitely lessen the chance of it happening.
Use a Password Manager
The first lesson of computer security is ALWAYS good passwords. Unfortunately, not many people heed that advice. They may hear it, but then they say “meh” and switch their minds to something else. These are the people most likely to get hacked. The ones whose password is one of the following :
You will have heard this before, but it is always worth repeating. You MUST have a password which :
- is not connected to you in any way (names of family, friends, pets, YOU).
- has a minimum 15 characters. 25 characters is even more ideal.
- Those characters need to be a combination of upper-case letters, lower-case letters, numbers, and special characters (exclamation point, underscore, brackets, etc). So 12345 is absolutely terrible, but @[email protected]#<AqQ+53DvJmM_1Wx is absolutely ideal!
Some other password tips :
- Change the passwords on ALL your accounts every 30 days, regular as clockwork. Add it to your calendar as a recurring task on the 1st of the month. Yes, it will rapidly become a pain in the ass, but which is more of a pain? Changing the passwords or getting hacked? Take your time and think about it. I’ll wait.
- Make sure (if the online account supports it) that you are immediately notified either by email or SMS (preferably both) when the password is changed. All major email services offer this, as well as social media sites, and Paypal.
- Do NOT use the same password for more than one account. If a hacker gets one password, and you use it for everything, they can potentially access all your sites. By the same logic, use multiple email addresses and multiple usernames so hackers can’t Google you and find out your other online presences.
- In the password recovery options, put fake answers to the recovery questions. When Sarah Palin was running for US Vice-President in 2008, her personal Yahoo email account was hacked after the hacker accessed the recovery questions. He got the answers by checking Palin’s Wikipedia page. So make fake answers (and obviously remember them!). The famous former hacker, Kevin Mitnick, suggests that in response to “where were you born?”, you could say “in a hospital”. Or “what was your first address?”, the reply could be “a nice big house”. In other words, be creative. If you MUST use real answers, don’t have ANYTHING on your website or social media that can be used to guess the replies.
The main thing to remember is to use a password manager. I just told you that you shouldn’t use the same password more than once and that @[email protected]#<AqQ+53DvJmM_1Wx is really cool. But now you’re thinking “how am I supposed to remember a password like THAT?! 12345 is MUCH easier to remember!”. The solution is to use a password manager.
If you are not familiar with them, a password manager is an encrypted database, protected by a master password which is unrecoverable. So if you forget the master password, then you have lost the lot. The master password should be very difficult for someone else to figure out (and obviously don’t share the password with anyone).
Remember, this is the online equivalent of your front door key. Put a simple lock on it and someone can do the online equivalent of kicking the door down. Don’t do simple locks. Make that door cast-iron and impossible to break down.
There are quite a few password managers out there. Everyone seems to go crazy about LastPass, but to be frank, it didn’t exactly wow me when I tried it. I much prefer KeePass. It’s free (always good in my book), simple to use (even better), and it’s open-source (so the source code can be freely inspected).
I place the KeePass database in my Dropbox folder, so any changes are automatically synced across all my computers, smartphone, and tablet. There is also a portable version for Windows so you can carry it about on a USB stick. For Mac, Linux, Android, and iOS, there are various versions of KeePass, which are all compatible with one another. The program I use is called KeePassX (essentially the same thing). You can see the full list of KeePass versions by going here.
Use An 2-Factor Authenticator App, NOT SMS Messages With PIN Codes
As well as a kick-ass password, you also need to enable 2-Factor Authentication, also known as 2-Step Authentication or Multi-Factor Authentication (if the website in question supports it – more are getting on board all the time). All the major email services are on board, as well as big names such as Facebook, Twitter, Paypal, LinkedIn, WordPress, and more. You can even add it to your self-hosted WordPress site login page (see my website login page to see the Google Authenticator box).
2-Factor Authentication is not used by that many people, as there is the mistaken impression that it is “too technical”. But it is very simple to use (I will write a separate article on this subject very soon). To put it simply, 2FA is a second layer of defense, a second password if you will. Once you enter your regular password, 2FA ensures that a second layer of authorization is required before access is granted to the account.
This can take the form of many things. The usual method is an authenticator app such as Google Authenticator (there are others, but being naturally suspicious, I don’t trust them). You can also have the website send a SMS to your phone or you can use a U2F Security Key (this is the one I use). I like the security key, and the SMS message method is fine in a pinch.
I wouldn’t recommend the SMS message option as your default option though. Simply because some hackers are able to spoof your mobile phone number and intercept the SMS message. I admit to not knowing so much about this, but it has generally been accepted by many security experts that SMS codes are not secure in the slightest. You can mitigate the risk to a certain degree by not publicising your mobile number online.
So back to the authenticator app. I will cover this in more detail in my Two-Factor Authentication article out hopefully later this week, but suffice to say, here is the link for Android and iOS, and in the website you want to switch it on for, go to the settings and look for the 2FA setting (again, assuming they support it). My next article will go much more into detail on this subject.
In the meantime, here’s a nice man from Google explaining it to you (although, being 6 years old, it IS rather dated).
Use a Virtual Private Network Or Force-Encrypt All URLs
I make it a rule never to use open public wi-fi networks. I like free as much as the next person, but sometimes, free isn’t that good. In the case of wi-fi, that means some rather devious individuals using “sniffing” software to monitor unencrypted traffic for usernames and passwords.
Lifehacker has a superb rundown on the subject. I hate to link to a rival but I am not an expert in this topic AT ALL, but you DO need to know the basics of how network sniffing works. But before you start panicking about how you used your Starbucks wi-fi this morning to check your email, let me point out two methods you can use to defeat network sniffers.
The first is to use a browser extension, developed by the Electronic Frontier Foundation, called HTTPS Everywhere. It is available for Firefox, Chrome, Opera, and Android. As the name implies, it forces all sites you visit to go to the encrypted HTTPS version. This makes it impossible for a network sniffer to view the login details you enter into a site, as well as financial information such as credit card details.
To give yourself even more privacy, use a Virtual Private Network (which we will also be covering in more detail in an upcoming article). This hides your IP address and reroutes all your web traffic through the servers of the VPN company. You can make it look as if you are in another country, and the VPN company keeps no user logs whatsoever to guarantee your privacy.
The upshot is that if a hacker cannot get your IP address, they will find it extremely difficult to break into your computer.
There are many VPN services, some good, some bad (and we will compare them in the upcoming article). But here at Trendblog, we highly recommend Tunnelbear for its ease of use. There is a free version, but you are severely limited as to bandwidth. Paying $5 per month removes all the restrictions.
Set Up a Firewall, Virus Checker, & Malware Checker
To use the metaphor of the house again, now that you have your cast-iron impregnable door installed, how about now building a very high wall around the house? That high wall will help to keep the intruders out. Well, the online equivalent of that high wall is a firewall.
Firewalls can be rather difficult to set up to begin with, as all incoming and outgoing web traffic is stopped, and you have to make “rules” for each one. But in the long run, it is well worth it. MacOS users have a firewall automatically installed on their system (go to the “security” section in “settings” and switch it on), and it is easy to use. For Windows users, there is also a built-in one, but it seems to have a bit of a bad reputation. Two better alternatives are Comodo and ZoneAlarm.
And I cannot emphasize enough – scan your computer constantly (once a day is ideal), and always do a full scan (not the quickie version). And make sure the programs are always up-to-date. The security companies behind these programs are ALWAYS pushing out new virus definition updates.
To make sure a hacker has not already planted a virus in your system, you should also be continually scanning for viruses and malware. For this, a good antivirus scanner is AVG and a good malware scanner is MalwareBytes.
Check URL’s & Files Before Clicking On Them
When Hilary Clinton’s campaign emails were hacked last year, along with those of the Democratic Party, it turned out that they got access to the emails when Clinton’s campaign manager, John Podesta, was fooled by a phishing attack (pronounced “fishing”). This is when someone is duped into thinking an email is genuine when in fact it is not.
How many emails are currently in your spam folder, claiming to be from eBay, or Paypal, or Amazon? They will all attempt to look like real emails from these places, and they will ALL tell you that your details have been compromized, necessitating a password reset. And since they are such nice helpful people, here’s a password reset link for you to click on.
But that’s the rub. Podesta fell for the old password reset trick. Little did he know that he had just changed the password not on the real email service website, but on the hacker’s version of the site. Now the hackers had his new password. They could now log in and read all his emails (and download them) at leisure. The rest is history.
So some tips here :
- Do not, under any circumstances, click on links inside emails. Especially ones that ask for your password. If in doubt, open your browser, go directly to the website by typing the website name in, and log in that way. Do not assume that the email is safe, even if it comes from a friend. Their email address could have been spoofed by someone else.
- Do not click on short URLs (such as TinyURL and Goo.gl), as you have no idea where these links lead. If you HAVE to click on one of these links, run it through URL Expander first. It will tell you the real destination of the link.
- Before clicking on a link, mouse over it, then look in the bottom left corner of the browser where the link is displayed. Do both URLs match up?
The same goes for files. You should be very leery of downloading anything, as there could be a virus hiding inside the file.
- Be extra careful with files with the format exe, zip, rar, iso, or anything which is an operating system script. But other formats are not immune. It is possible, for example, to hide a virus in a JPG image file.
- Make sure “autorun” is disabled in Windows to stop USB stick viruses from auto-starting.
- If you absolutely have to download a file, run it through VirusTotal first. This scans files online, without having to download them first, using multiple antivirus services. It also checks URLs. You can upload already downloaded files, scan undownloaded ones by providing the URL, or email a suspicious file. The process is made even simpler by the use of browser extensions, so you can just right-click on the file link.
Shut Down All Inactive & Unneeded Online Accounts
As I said in the password section, once a hacker has your login details for one site, they will start to see what other sites you are on to see if the same login details work there too. As well as not reusing passwords, you should also shut down all online accounts you no longer need. This will reduce the chance that a hacker will access any of your sensitive information in an inactive account.
A lot of places make it extremely hard to shut down an account, some even impossible (Account Killer can tell you the degree of difficulty). But most provide a way to close the account. Just go to the settings and root around.
As I said, the above tips do not guarantee you would never be hacked, but they do make it harder for outlaws to gain access. But there is a school of thought that says that if you are not a famous personality, your chances of getting hacked is slim anyway. If that is true, why has there been 49,005 illegal attempts to break into my WordPress website?
What security measures do you take to reduce the chances of being hacked? Let us know in the comments.