There’s no question about it. The Internet has more than its share of scumbags, lowlifes, and general miscreants. And boy, do they get press.
The New York Times recently ran a story about a small Russian group that has collected the log-in credentials for 1.2 billion accounts at various sites and services online. There’s an app running around that promises to let you change the colors on your Facebook page, but really just loads malware onto your phone if you enable it. Target was hacked to the tune of 40 million customer credit cards. And Coco the WarKitteh is mapping vulnerable wifi systems in people’s homes.
We’ll get to that last one soon enough.
Some of these scares are exaggerated to attract media coverage. Others are highlighted to sell products.
For example, while I was writing this, I got an email with the subject line, “Malware Has Been Found on Your Site.”
(Ooops. Got a second copy – both spam – minutes later.)
As someone who’s seen a fair number of those about a server with domains I host for friends, I take that seriously. Turns out, it was a pitch for a piece of security software for websites.
I have no problem with pitching security software. It’s a valuable type of product, when it works. Certainly a good hedge against the damage a hack can do. I don’t object to scary subject lines, either, if they’re legit.
That one crossed over into deceptive, though. Hardly surprising for a spam, but still…
I have no doubt it got a lot of people to open the email. This is an area people are justly concerned about. And there are plenty of folks who are willing to exploit that.
Sometimes, though, the threat is less real than the fear.
The Target breach got plenty of press. Based on what I’ve read, the systems they used to protect customer card data were less than adequate. Fortunately, there are already safeguards in place for that kind of problem: the card networks and US law cap what a cardholder can be charged for fraudulent credit card purchases, and the issuers absorb the rest. Gonna cost Target a bunch, but hey, when you’re that big, you need to always consider yourself a … well … a target.
Since no other personal info was involved, the damage per individual is mostly limited to $50 or less (the legal cap on a cardholder’s liability for credit card fraud, and most issuers waive even that). The 1.2 billion username/password collection is much less clear.
The credentials were supposedly collected by hitting a ton of websites with a hack called SQL injection. A site that pastes whatever you type into a form straight into its database query is vulnerable: a specially crafted input changes the meaning of the query, and the database answers with data it was never meant to hand over, up to and including the whole user table. Out there in front of Dog and everybody, ripe for the picking.
The attacks appear to have been carried out by a botnet: computers belonging to innocent people who had no idea their hardware had turned criminal.
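To make the mechanism concrete, here is an added example (written for this page, not taken from the Times story or from any of the affected sites) of the bug and the fix side by side. It uses an in-memory SQLite database with a constructed three-row users table; the table, the column names, the rows and the hash strings are made up for the demonstration, and the injected input is the textbook ' OR '1'='1 payload.

```python
"""Added example (not from the original post): how SQL injection works and how
parameterized queries stop it. Uses an in-memory SQLite database with a
constructed 'users' table; every name and value here is made up."""
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table like a small site might have."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "$2b$12$hashA"), ("bob", "$2b$12$hashB"), ("carol", "$2b$12$hashC")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The bug: user input is pasted straight into the SQL text.

    With username = "' OR '1'='1" the query becomes
        SELECT ... WHERE username = '' OR '1'='1'
    which is true for every row, so the whole table comes back."""
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: the input is bound as a parameter, so it is always compared as
    a literal string and can never change the shape of the query."""
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic payload that turns a one-row lookup into a whole-table dump.
DUMP_ALL = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal:  ", lookup_vulnerable(db, "alice"))   # one row
    print("injected:", lookup_vulnerable(db, DUMP_ALL))  # all three rows
    print("hardened:", lookup_safe(db, DUMP_ALL))        # no row has that literal name
```

The same bug looks different in PHP, Java or anything else, but the fix is the same everywhere: never build the query text out of user input; hand the input to the database driver as a parameter.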
Maybe even yours.
The firm that discovered this database hasn’t revealed which sites were compromised. Seems they ran the gamut from very small systems to big companies. It’s also not clear what percentage of the passwords involved were stored in plain text, or hashed weakly enough to be cracked in bulk.
The interesting question that should really concern you is, why would hackers bother with credentials for tiny mom-and-pop websites?
Two words: Password re-use.
It’s fairly common for people to use the same password for multiple log-ins. If the virtual snakes get hold of one, they’ve got them all. And believe it, it doesn’t take a lot of fancy programming to try those username/password combos at banks, PayPal, Amazon, and other places you don’t want them getting into. The whole thing is automated.
Even more of a problem: if the password works on the email account your other accounts are registered under, they can run the “forgot password” reset on every one of those accounts and lock you out of all of them.
At the moment, the crew that stole that batch is only known to be using them for spamming. That could change at any time. There’s a huge black market out there for that kind of data.
There is no way to guarantee you won’t be affected by something like this, but you can reduce the odds and the risk significantly. Try not to use the same email address for every account, and don’t ever use the same password for more than one site.
And use strong passwords.
This doesn’t have to be as big a problem as most people make it out to be. It can be easy to create strong passwords that are easily remembered. Consider the following sentence:
This blog is dedicated to my 1958 Chevy!
As a password, that translates into Tbidtm1958C!
12 characters, mixed case letters, numbers, and a punctuation mark. It isn’t in any dictionary or leaked-password list, and it’s long enough that guessing it character by character is hopeless. And you could keep a file of the sentences (or just handwritten notes), and no one reading it would be likely to guess what they’re for. Just don’t reuse a sentence: one sentence, one site.
Simple. And it works.
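Here is that scheme as code, added for this page rather than taken from the original post: the first function turns a sentence into a password the way the example above does (first letter of each word, numbers kept whole, punctuation kept), and a second one checks the properties the text lists. The 12-character minimum is the figure used above; nothing else is assumed.

```python
"""Added example, not from the original post: derive a password from a
memorable sentence as described in the text, and check it for the properties
the text names (length and mix of character classes)."""
import string


def sentence_to_password(sentence):
    """'This blog is dedicated to my 1958 Chevy!' -> 'Tbidtm1958C!'

    Each word contributes its first letter; a word that is all digits is kept
    whole; punctuation stuck to the end of a word is kept as-is."""
    out = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)   # the word without trailing !,.?
        tail = word[len(core):]                  # the trailing punctuation, if any
        if core.isdigit():
            out.append(core)
        elif core:
            out.append(core[0])
        out.append(tail)
    return "".join(out)


def character_classes(pw):
    """Which of lower/upper/digit/symbol appear in the password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def is_strong(pw, min_len=12):
    """The bar the text sets: at least 12 characters and all four classes present."""
    return len(pw) >= min_len and len(character_classes(pw)) == 4


if __name__ == "__main__":
    pw = sentence_to_password("This blog is dedicated to my 1958 Chevy!")
    print(pw, sorted(character_classes(pw)), is_strong(pw))
```

The function is deterministic, so the sentence is the secret: anyone who learns the sentence has the password. That is why the notes you keep should be useless to a stranger, and why each site gets its own sentence.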
The phony Facebook app is no joke, either. That’s a straight out scam. Avoiding that one is largely a matter of not approving apps when you don’t know the source. Sort of like “Don’t download pirated software, since it’s often got hidden nasties buried in the code.”
But what about scares from known sources?
There was one hell of a hullabaloo recently about the permissions you need to give Facebook messenger. FB requires people on cellphones to download and use their new app in order to use FB messages from their phones, and that got a lot of people angry. The suggestion that the permissions could be used for spying made that a hotter topic than it already was.
The fact is, the permissions that app asks for are the same ones any app needs if it’s going to take and upload video, record voice messages, send texts, or do any of the other things Facebook Messenger does. The phone’s operating system requires them for those functions to work at all.
The scare was due in large part to one news source alleging potential government involvement.
Now, it’s not surprising a lot of folks don’t trust Facebook. Their reputation on privacy issues isn’t enviable. Yes, there are risks with anything that gives an app access to the camera, microphone, and GPS service on your phone. And obviously Facebook’s app would be the most attractive target, simply because of the number of people using it.
Still, there’s no reason to blast them for offering something that requires permissions that have to be there to do what you want.
There’s an opportunity there for an encrypted social chat app. Or you could switch to some other app, just to spread the data around. Or you could do what I do…
Don’t use Facebook from your phone.
Don’t kid yourself, kids. You aren’t going to become a social pariah if you stick to text messages and stop broadcasting everything you do to the whole world.
If that’s a problem, you need new friends.
Then there’s the ongoing concern about WordPress security. Given the number of blogs that get auto-hacked every day, it’s a valid issue.
Yes, added security is good. Yes, automated backups are good.
Here’s a simple 5-step formula that will shut the door on most of the automated attacks.
1. Back up your files and database regularly.
2. Keep text file backups of your posts.
3. Give your admin user a name that is unlikely to be guessed (NOT admin), and a strong password. Then never post using that account. WordPress puts the author’s username into the author-archive URL of every post, so whichever account publishes is the one the bots will hammer.
4. Create a separate account with Author or Contributor status, and only post using that account. If that one ever gets guessed, the attacker gets a byline, not the keys to the site.
5. Install the Wordfence plugin.
Bang. Twenty minutes, tops. It ain’t bulletproof, but it’ll keep out most random roving hackers and the like. Unless you are specifically targeted by someone with skillz, it’s probably more than enough.
There’s a lot more you can do to protect a WP blog, but much of it needs to be done when the blog is being installed. These, you can do pretty much any time.
Oh yeah. If you’ve already been making public posts using your admin username, create another user and give that one admin privileges. Then demote the existing account to Editor.
And change the password.
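As an added example (not from the original post, and not part of WordPress or Wordfence), here is how to see the “random roving hackers” those steps keep out: scan the web server access log for password guessing against wp-login.php. The log lines are constructed for the example and the ten-attempt cutoff is an assumption; the status-code detail is real WordPress behaviour (a failed login gets a 200 with the form redrawn, a successful one gets a 302 redirect into wp-admin). xmlrpc.php is included because it is the other common place credentials get guessed, and it answers 200 either way.

```python
"""Added example, not part of the original post: find password guessing
against a WordPress login in a web server access log. Log lines below are
constructed; the threshold of 10 is an assumption."""
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# wp-login.php: failed login -> 200 (form shown again), success -> 302 to wp-admin.
# xmlrpc.php: answers 200 whether the credentials worked or not, so every POST
# to it is counted as an attempt.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts(lines):
    """Return {ip: (failed_or_unknown_attempts, successful_logins)}."""
    failed, success = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in LOGIN_PATHS:
            continue
        if path == "/wp-login.php" and rec["status"] == "302":
            success[rec["ip"]] += 1
        else:
            failed[rec["ip"]] += 1
    return {ip: (failed[ip], success[ip]) for ip in set(failed) | set(success)}


def suspicious_ips(lines, threshold=10):
    """IPs with at least `threshold` failed attempts (assumed cutoff)."""
    return sorted(ip for ip, (f, _) in login_attempts(lines).items() if f >= threshold)


def likely_compromised(lines, threshold=10):
    """The real alarm: many failures from one IP followed by a success."""
    return sorted(
        ip for ip, (f, s) in login_attempts(lines).items() if f >= threshold and s > 0
    )


def _line(ip, method, path, status, minute):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Aug/2014:21:{minute:02d}:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: a bot guessing 12 times then getting in, a real user
# who mistyped twice, an ordinary page view, and one xmlrpc probe.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200, m) for m in range(12)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 302, 12)]
    + [_line("198.51.100.4", "POST", "/wp-login.php", 200, 3),
       _line("198.51.100.4", "POST", "/wp-login.php", 200, 4),
       _line("198.51.100.4", "POST", "/wp-login.php", 302, 5),
       _line("192.0.2.9", "GET", "/2014/08/some-post/", 200, 6),
       _line("203.0.113.8", "POST", "/xmlrpc.php", 200, 7)]
)

if __name__ == "__main__":
    print("attempts:   ", login_attempts(SAMPLE_LOG))
    print("suspicious: ", suspicious_ips(SAMPLE_LOG))
    print("compromised:", likely_compromised(SAMPLE_LOG))
```

On a real server, feed it the lines of access.log instead of SAMPLE_LOG. An IP that shows up in likely_compromised is the cue to change the password on that account and check for new users and plugins.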
And we come at last to Coco the Siamese WarKitteh.
Yes, that one is real. Dude put together a little gizmo with some common chips and hand-rolled code, and attached it to a family cat’s collar. As cute little Coco wandered the neighborhood, the unremarkable device collected data on wifi connections within range. Including 4 that used WEP, a protocol that can be cracked in minutes with free tools, and 4 more that were completely open.
Now, people could easily be suspicious of some guy sitting in a car with a wifi amplifier on the dashboard. Or even just a stranger walking around the neighborhood.
Who would suspect a stray cat of being a cyber-spy?
The potential problems from having strangers sending who-knows-what out over your connection are obvious. The real issue is the ease with which it can be done.
Attach a widget like that to a mail truck and pick it up the next day. Or spend a few more bucks making it possible to read the thing remotely. Hide it on the neighbor kid’s bike. Or just keep it in your pocket for your daily stroll.
Again, it’s easy to avoid most of this.
Make sure your wifi router has a strong passphrase (not the default, and not your address), and change the router’s admin password while you’re at it. If it doesn’t support at least WPA, get a new one. WPA2 is better, and WEP is no better than no password at all. Your provider should have them available, or you can buy one at reasonable prices from any decent electronics store or local superstore.
Not rocket science.
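The collar’s survey can be repeated on your own street from a laptop. The following is an added example, not the WarKitteh code and not from the original post: it reads the output of NetworkManager’s nmcli -t -f SSID,SECURITY dev wifi (a real command on most Linux desktops; the scan output below is constructed) and sorts the networks the way Coco’s device did, flagging WEP and open ones.

```python
"""Added example, not from the original post: triage a wifi scan the way the
cat collar did. Input is the terse output of
    nmcli -t -f SSID,SECURITY dev wifi
(one 'SSID:SECURITY' line per network; a literal ':' in an SSID is escaped
as '\\:'). SAMPLE_SCAN is constructed for the example."""

SAMPLE_SCAN = """\
HomeNet:WPA2
linksys:WEP
CoffeeShop:
NETGEAR42:WPA1 WPA2
Office\\:Guest:WPA2 802.1X
OldRouter:--
"""


def split_terse(line):
    """Split an nmcli -t line on unescaped ':' and unescape the fields."""
    fields, cur, esc = [], [], False
    for ch in line:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def classify(security):
    """Map nmcli's SECURITY field to a verdict. Empty or '--' means no security."""
    sec = security.strip()
    if sec in ("", "--"):
        return "open"
    if "WEP" in sec:
        return "wep"       # crackable in minutes; treat as open
    if "WPA3" in sec:
        return "wpa3"
    if "WPA2" in sec:
        return "wpa2"      # 'WPA1 WPA2' is mixed mode; still accepts WPA2 clients
    if "WPA" in sec:
        return "wpa"       # original WPA only: works, but upgrade the router
    return "unknown"


def triage(scan_text):
    """{ssid: verdict} for every non-empty line of the scan."""
    results = {}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        ssid = fields[0]
        sec = fields[1] if len(fields) > 1 else ""
        results[ssid] = classify(sec)
    return results


def easy_targets(scan_text):
    """The networks Coco would have logged: WEP or no security at all."""
    return sorted(s for s, c in triage(scan_text).items() if c in ("open", "wep"))


if __name__ == "__main__":
    for ssid, verdict in triage(SAMPLE_SCAN).items():
        print(f"{ssid:20} {verdict}")
    print("easy targets:", easy_targets(SAMPLE_SCAN))
```

To run it against a real scan, pipe the nmcli command’s output into triage instead of SAMPLE_SCAN. If your own network shows up as wep or open, that is the one to fix first.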
These incursions aren’t limited to scary criminal strangers.
A friend of mine constantly complained about his Internet connection getting very slow at the same time every evening. It messed with his gaming, and he said some very unpleasant things about (and to) the customer service folks at his ISP.
I suggested he get a newer modem (WPA2 capable) and change his wifi password. Solved the problem. He later found out one of his neighbors was using a cheap wifi antenna to leech off his connection.
My buddy is lucky the guy wasn’t doing anything illegal on his evening surf…
So, should you be worried?
Maybe. You should certainly be careful. But the extreme levels of fear and paranoia that some people associate with the online world are not useful. Fear doesn’t stop bad things from happening.
Get good security software, and don’t let it lull you into a false sense of security. It won’t protect you from innocent mistakes like enabling a malicious app, or brilliant moves like sending money to a “Nigerian Prince.”
Do the basic things I just outlined, and you’ll eliminate, or at least minimize, a lot of the issues.
Worried about buying things online? See if your bank offers separate accounts for online use, so you can make sure you’re only at risk for what you knew you’d be spending. Most do, and the fees can be as low as $3 or $4 a month. A small price to pay for peace of mind. Or use pre-paid debit cards and only add what you need.
Don’t log in to online financial or shopping accounts by clicking on links in emails. Type the address yourself, or use a bookmark you made.
Simple stuff. Common sense.
The problem is, many people think they’re insulated from problems because they’re the only one in the room. They forget they’re sending data out into a world that’s rife with would-be spies.
Think of these steps as installing curtains on your digital windows.
Make no mistake, nothing is 100% protection against bad stuff happening. But, like looking both ways before crossing the street, a little attention can go a very long way.
Don’t be afraid. Be aware.
Good security advice! Might be an improvement if we stopped using Wifi routers too and went back to wired connections.
What? No comments? (That’s an inside joke.)
I like Wordfence a lot, but I also use iThemes Security and a couple others for my WP site. I love LastPass as a password manager. And never use the same password on multiple sites.
Great article Paul… hope the post comes through, just noticed your FB post saying that no comments are getting thru.
That’s the best password advice I’ve seen! Mine are always crazy with symbols. I write them down but I can’t remember the ones I use regularly in a hurry. I don’t have a Chevy… but I might have something else and equally useful that helps solve this conundrum!
I went back to being wired rather than using wifi.
There is more I could be doing for wordpress, so I appreciated your list. I had recently heard about Wordfence. My brother really likes it.
For passwords, it may not be the best, but I use a physical address book – that way it is in one place and I don’t have to search for notes or have a senior moment. As time has gone on, I have made much stronger passwords, but still need to redo some old ones.
Would you share which virus checker/keyword logger/etc. you find is good?
Thanks Paul.
The address book actually sounds like a good idea. If the number of people with physical access to your computer is restricted, that may be safer than putting them in a password manager.
As far as security software, the main one is Norton 360. Norton used to be atrocious, but it’s now a pure joy. Sits in the background and does the job well. Very low resource usage.
I also do scans with MalwareBytes and Microsoft’s anti-malware tool. Haven’t caught anything yet that Norton missed, but a lot of people do. Nothing catches everything…
Groovy idea for generating a new password Paul. Do you have any thoughts on the effectiveness of using AVG for security?
Matt,
PC Mag doesn’t give it very good reviews.
http://www.pcmag.com/article2/0,2817,2369749,00.asp
Paul, this is excellent material and you present it in a format that the average business guy can follow easily. Too much stuff is too ‘geeky’ and unnecessarily complex. I have added you to my list of select bookmarks and visit regularly.
Hey Paul, fantastic article. No, I am not scared of this stuff too much. Like you said, a lot of it is common sense. I never let my computer remember passwords either. Like Jeannie Crabtree, I use an old address book for those. I started that a few months ago, after I downloaded the Elance tracker and ended up getting a lot of “adz by discount,” and the v9.com.
I couldn’t believe that Elance had third-party software included like these types of malware and PUP crap. I uninstalled the program several times to figure out how to remove just the adz. After the fourth try and several screenshots later (because I was writing an article about it), my Toshiba had all she was going to take and overheated.
It pays to read before downloading. Got a good article out of it though, and a good lesson learned.