VOLUME 11 | ISSUE 10
FAST TRACK to SECURE EVERYTHING
A 9.9 Media Publication
OCTOBER 2016

CHAPTERS

Why do I need cyber-security?
Millions of accounts hacked! User data leaked! Massive data breach! The need for cyber-security has never been greater. Need we say more?

The basics of cyber-security
Here we list down some common sense best practices that’ll go a long way towards keeping you safe online

Android phone security
The DOs and DON’Ts you need to follow to ensure the security of your beloved Android devices

iPhone security
Yes your mighty iPhone is vulnerable. Learn how to secure your beloved iCompanion.

Secure your Windows PC or laptop
Simply because of its popularity, Windows may be the least secure OS out there. But it’s also the easiest to secure.

CREDITS
The people behind this book

EDITORIAL
Executive Editor: Robert Sovereign-Smith
Managing Editor: Siddharth Parwatay
Technical Editor: Jayesh Shinde
Senior Reviewer: Mithun Mohandas
Writers: Abhimanyu Mehta, Dhinoj Dings, Meghana Gupta, Purusharth Sharma, Sahil Dawka, Swapnil Rastogi
Copy editing: Arnab Mukerjee, Manish Rajesh
DESIGN
Sr. Art Director: Anil VK
Visualiser: Baiju NV
CONTENTS
Methods to secure your Linux system
Don’t let the reputation of Linux being more secure than other systems lull you into thinking it can’t be breached. These methods would help keep the system truly secure.

Securing Mac OSX
Macs aren’t hacker-proof! Here’s how you can fortify your Macintosh

Ways to secure your social media accounts
You spend a lot of time on social media sites. So do potential threats. See the ways for better security.

Secure your communication
Be it email, voice, or instant messaging – we’ll show you how to keep all your communications away from prying eyes.

Secure your cloud data
Though every service promises security of your data, this ‘security’ has far more facets than those which meet the eye

Secure your website
Be it a blog started on a whim, or your business’ e-commerce website, if you haven’t secured your website, you’re taking a huge risk
© 9.9 Mediaworx Pvt. Ltd. Published by 9.9 Mediaworx. No part of this book may be reproduced, stored, or transmitted in any form or by any means without the prior written permission of the publisher.
October 2016
Free with Digit. If you have paid to buy this Fast Track from any source other than 9.9 Mediaworx Pvt. Ltd., please write to [email protected] with details
Custom publishing: If you want us to create a customised Fast Track for you in order to demystify technology for your community, employees or students contact [email protected]
COVER DESIGN: PETERSON PJ
INTRODUCTION
You’re not safe until you’ve read this
If you look at some of the hacks and leaks of recent times – the scale of some of them and the nature of the data in others – the popular saying that privacy is a myth in the 21st century won’t seem too unbelievable. Be it leaked celebrity photos or corporate data, in each of these cases the effect has always been disastrous for the ones who were hacked. These hacks and attacks were carried out under the effective guise of anonymity that the internet provides. As an unfortunate consequence, the only way you can protect yourself against such threats is by securing yourself.

Security itself is often overlooked and left to the experts. PC users leave it to their antivirus, website owners leave it to their CMS managers, cloud users trust the cloud provider, and so on. Do you know that on average, about 37,000 websites are hacked every day in some form? And that more than 100 billion USD is spent every year to combat cybercrime? The interesting bit is – it’s not always the hacker’s fault – it’s yours! Of course, what they are doing is illegal and done with malicious intent. But do you really think that’s going to change? On the other hand, the absence of some basic security measures, or some silly oversights, makes their work even easier. Some estimates suggest that it takes only 10 minutes to crack a lowercase password that is six characters long. Add two extra letters and a few uppercase characters, and it now takes three years. Add one more character to that, along with some numbers and symbols, and the result will take 44,530 years to crack.

While relying on experts isn’t entirely bad, it’s essential that you take matters into your own hands. In the chapters to come, we tell you about securing everything, from your smartphone to your laptop, your website to your WiFi router and more. Once you’re done with this Fast Track, it would be easier to break into Alcatraz than to break into your devices. We hope!
CHAPTER #01
WHY DO I NEED CYBERSECURITY
Millions of accounts hacked! User data leaked! Massive data breach! The need for cyber-security has never been greater than now

It’s probably safe to say that our days begin and end with us peering at some digital screen or another. We wake up to alarms on our phones, check our emails on them, order groceries, services and various other items on them, pay for these utilities online, and capture and store pictures and videos on them, more often of a personal nature than not. We’ve practically given away huge chunks of our lives to the cloud, and it’s very rare for anyone to stop and think of the possibility of our data falling into the wrong hands.

But it’s happening here and now, in front of our very own eyes. You’d have to be living under a rock to not know about the massive data dumps that have been posted on the internet recently. Large amounts of confidential data, not limited to names and physical addresses but also including sensitive information such as credit card details and account passwords, have been compromised, and these leaks have generally stemmed from a security breach of a large corporation’s servers. And considering our increasing reliance on computer systems and “smart” devices, including smartphones, televisions and other electronic devices that are part of the Internet of Things, we’ve only started providing more ammo to hackers and cyber-terrorists looking to create havoc and disrupt our routine. Such incidents only further emphasize the need to safeguard our data and proceed with caution when giving away personal details on the internet.

For those who are still unable to fathom the gravity of the situation and the threat these cyber-criminals pose to our lives, we’ll take a look at some incidents of mass hacking that have had severe consequences for all parties involved.

LinkedIn
If we look at the LinkedIn hack, back in 2012, passwords for nearly 6.5 million user accounts were stolen by Russian cyber-criminals, and many users were unable to log into their accounts following the theft. A LinkedIn hack might not seem like such a big deal to those who don’t use the website regularly, but the theft in 2012 turned out to be worse than anyone anticipated. In May 2016, an additional 100 million email addresses and hashed passwords were leaked from the same 2012 breach. Soon after the leak, dozens of celebrity Twitter accounts were hacked, including that of Mark Zuckerberg. All signs pointed to the fact that Zuckerberg used the same LinkedIn password for his Twitter account, which is a pretty common mistake.

Another problem that was highlighted after analysing the data dump was the lack of password etiquette, despite people being constantly told to keep different passwords for different accounts. LeakedSource published a table of the most commonly used passwords on LinkedIn, and it’s the stuff cyber-security nightmares are made of. The most commonly used password was “123456”, the second most common was “linkedin”, and “password” came in at the third spot. It must be noted that the hack occurred in the first place because LinkedIn stored the passwords in SHA1 with no salting, which makes them extremely easy to crack.

The LinkedIn hack’s most common passwords
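Why unsalted SHA1 is so weak, and what the hardened form looks like, shown as an added example that is not part of the original book or LinkedIn's code. The accounts are constructed, and the function names, the record format and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed accounts. Three of the passwords are the ones this chapter
# names as the most common in the LinkedIn dump.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "linkedin",
    "carol": "123456",
    "dave": "password",
    "erin": "T4k!ng-Th3-L0ng-W4y",
}
COMMON_PASSWORDS = ["123456", "linkedin", "password"]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def sha1_unsalted(password: str) -> str:
    """The weak scheme described above: a bare SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def shared_records(table: dict[str, str]) -> list[list[str]]:
    """Groups of users whose stored value is identical (same password visible)."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def accounts_exposed_to_lookup(table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Audit: one SHA-1 per word, computed once, is matched against every user."""
    lookup = {sha1_unsalted(word): word for word in wordlist}
    return {user: lookup[stored] for user, stored in table.items() if stored in lookup}


def build_tables() -> tuple[dict[str, str], dict[str, str]]:
    """Store the same sample accounts under the weak and the hardened scheme."""
    weak = {user: sha1_unsalted(pw) for user, pw in SAMPLE_USERS.items()}
    strong = {user: hash_password(pw) for user, pw in SAMPLE_USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted SHA-1, identical records:", shared_records(weak))
    print("unsalted SHA-1, exposed accounts:", accounts_exposed_to_lookup(weak, COMMON_PASSWORDS))
    print("salted PBKDF2, identical records:", shared_records(strong))
    print("salted PBKDF2, exposed accounts:", accounts_exposed_to_lookup(strong, COMMON_PASSWORDS))
```

With a salt, each guess has to be recomputed per user at the full cost of the slow function, so a weak password is still guessable but a single precomputed table no longer unlocks every account at once.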
Apple iCloud
There’s also the iCloud break-in of September 2014. Hackers stole a collection of almost 500 private pictures of various celebrities, mostly women, such as Jennifer Lawrence and Kate Upton, from their iCloud accounts. The images were believed to have been obtained via a breach of iCloud, but it later turned out that the hackers could have taken advantage of a security issue in the iCloud API which allowed them to make unlimited attempts at guessing the victims’ passwords. In this case, the blame rests with Apple and its security mechanisms. But it also serves as a vital lesson for us to avoid storing compromising and/or personal data on any public server.
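One way to close the gap described above, where an API accepted unlimited password guesses, is to route every login path through a single per-account throttle with a growing lockout. This is an added example, not Apple's code or part of the original book; the thresholds, class names and sample account are assumptions.

```python
import hmac
from dataclasses import dataclass

MAX_FAILURES = 5          # failed attempts allowed before lockouts begin (assumed)
BASE_LOCK_SECONDS = 60    # first lockout; doubles with every further failure
MAX_LOCK_SECONDS = 3600   # cap so a lockout never exceeds one hour

DEMO_ACCOUNT = "user@example.test"               # constructed sample account
DEMO_PASSWORD = "correct-horse-battery-staple"   # constructed sample password


class ManualClock:
    """Deterministic clock so the replay below runs instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Shared by every login endpoint and keyed on the account being guessed."""

    def __init__(self, check_password, clock) -> None:
        self._check = check_password
        self._clock = clock
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, account: str, password: str) -> str:
        now = self._clock()
        state = self.accounts.setdefault(account, AccountState())
        if now < state.locked_until:
            # Refuse without evaluating the password, so a locked account
            # reveals nothing about whether the guess was right.
            return "locked"
        if self._check(account, password):
            state.failures, state.locked_until = 0, 0.0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            doublings = state.failures - MAX_FAILURES
            lock = min(BASE_LOCK_SECONDS * 2 ** doublings, MAX_LOCK_SECONDS)
            state.locked_until = now + lock
        return "denied"


def demo_check(account: str, password: str) -> bool:
    """Stand-in credential check for the single constructed account."""
    if account != DEMO_ACCOUNT:
        return False
    return hmac.compare_digest(DEMO_PASSWORD.encode(), password.encode())


def replay(throttle, clock, account, guesses, seconds_between=1.0):
    """Feed guesses one after another and tally how each was handled."""
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for guess in guesses:
        tally[throttle.attempt(account, guess)] += 1
        clock.advance(seconds_between)
    return tally


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(demo_check, clock)
    wrong = [f"guess-{i}" for i in range(1000)]
    # Only the "denied" count reached the password check at all.
    print(replay(throttle, clock, DEMO_ACCOUNT, wrong))
```

The throttle only helps if no endpoint bypasses it, which is why it wraps the credential check itself rather than one particular login page.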
Sony
And who could possibly forget the infamous hacks on Sony servers, once in 2011 and again in 2014? The 2011 attack led to seven million PlayStation Network and Sony Online Entertainment account details being stolen, including but not limited to credit and debit card information, while the 2014 hack reared its ugly head in the form of economic loss. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. Millions of dollars were lost because of the leaked movies, and the studio was left worse for wear due to the loss in reputation. It might be worth noting that the 2014 attack was instigated by the release of Sony’s “The Interview”, which the hackers were against because of the fictional depiction of the North Korean president’s assassination. Seeing as how most fingers seemed to point towards North Korean government hackers, this incident could be classified as an act of cyber-terrorism between countries.

The movie that ignited the 2014 Sony hack

Ashley Madison
While most of the data leaked from these dumps is recoverable and might not cause damage to one’s personal life, the fallout from the Ashley Madison dump in July 2015 was another story. Ashley Madison is a website that caters to people who are already in relationships but still want to date. Hackers allegedly gained access to the website’s database of information on millions of customers and posted 10 GB of personal data of users, including their names and email addresses. Since the website didn’t ask for email verification for the profile to be created, many fake profiles were created. And since the company required the owner of the email account to pay money to delete the profile, many people with fake profiles or misunderstood names did not bother getting their accounts shut. All in all, many people ended up having their personal details exposed when they had not intended for the same to happen.
LastPass
In another hack with slightly less devastating consequences, LastPass email addresses and encrypted master passwords were compromised in a breach in June 2015. Many password managers, such as LastPass, were created to address the issue that passwords are a notoriously poor form of security. They function by requiring you to remember one strong master password, which is used to access the manager’s encrypted vault. It is this vault that allows you to generate unique and tougher passwords for your other accounts and store them for future use. Since people tend to use weak, easy-to-remember passwords, re-use passwords across a multitude of accounts, and forget to change their passwords often enough, this solution worked brilliantly for all parties involved. Unfortunately, this massive breach only proved that even the strongest of ideas for managing password security can fail.

But all these thefts were on a much larger scale, and owed more to negligence on the part of the bigger corporation involved. Billions of internet users are at risk of having personal data stolen right from their laptops because of hackers employing malicious software containing viruses, bots and malware. And the sheer number of people falling prey to these will astound you.

Ransomware
The most current and popular form of virus is Trojan horse ransomware. Targeted at Windows users and propagated through emails, this virus will encrypt certain files on the hard drive and any mounted storage connected to it with RSA public key cryptography. The original ransomware on the market was CryptoLocker, and the hackers would demand a ransom (hence the name) in exchange for the decryption key. In June 2014, Operation Tovar took down Evgeniy Bogachev, the leader of the gang of hackers behind CryptoLocker, but many knockoffs are still running around in the market, though the affected user base is a much smaller one. CryptoLocker managed to affect around 500,000 users in its 100 days, and the hackers made off with upwards of $30 million in this heist.

The screen on a device affected by CryptoLocker
Keyloggers and Viruses
Then there is the multitude of viruses and malware that steal passwords and user account details by logging keyboard strokes whenever the user visits a website. There’s the Gameover ZeuS trojan, which steals one’s login details on popular websites that involve monetary transactions. It works by detecting a login page and then injecting malicious code into the page, logging the keystrokes of the computer user’s details. ZeuS was created to steal private data from infected systems, and it’s still customisable to gather banking details in specific countries using various methods.

But the worst of viruses, and the first example of the potential of cyber-terrorism, is the Stuxnet computer worm, believed to have been created to sabotage Iran’s nuclear program. The virus is typically introduced to the target environment via an infected USB flash drive, which then introduces the infected rootkit into the system, modifying the code and giving unexpected commands to the computer while returning a loop of normal operation system values as feedback to the users. The aim of the worm was to fake industrial process control sensor signals so that the infected system does not shut down due to detected abnormal behaviour.

While most attacks have been limited to computing systems like servers, desktops and laptops, hackers now focus on the IoT ecosystem and all its connected components. Large networks of IoT devices, like CCTV surveillance cameras, smart TVs and home automation systems, are prone to hacking, and the modern-age thief will make use of these to carry out coordinated attacks against individuals and corporations. So unless we beef up our arsenal against these goons, they’ll move on to stealing biometric data and personal information that can be used to impersonate fully functioning individuals.
CHAPTER #02
THE BASICS OF CYBERSECURITY
Here we list down some common sense best practices that’ll go a long way towards keeping you safe online

You might feel that protecting yourself against cyber attacks is a job only for specialists, but that isn’t really the case. Also, securing yourself isn’t about throwing money at the problem either. Sure, you can choose to shell out a few bucks initially for the sake of convenience, but you don’t really need to.

Of anti-virus software and firewalls
The most basic step anyone could take is to install anti-virus software. For a long period of time, the understanding was that only careless Windows users, who had no inkling about separating the fishy links from the legitimate ones, and who roamed the weird and unsafe corners of the internet, needed to have an anti-virus program. But in today’s age of zero-day vulnerabilities and large-scale hacking, this notion is a dangerous one to spread. A zero-day vulnerability refers to a hole in software that is unknown to the vendor and has the potential to be exploited by hackers in the form of infiltrating malware, spyware or illicit access to the software user’s personal details and information. Such security loopholes are exploited by hackers before the vendor is made aware of them, and have led to many zero-day attacks in the past.

For example, in March 2013, Oracle discovered two zero-day vulnerabilities, of which one was actively used by hackers in targeted attacks. The vulnerability could be exploited remotely on affected machines, without any form of authentication to kickstart it. Since the risk applied to both Windows and Mac devices, the number of possibly affected devices could run into millions. There’s also the massive Elderwood project, a platform that has used, as researched and reported by Symantec, an “unlimited number of zero-day exploits, attacks on supply chain manufacturers who service the target organization, and shift to ‘watering hole’ attacks on websites likely visited by the target organization”. Their biggest target was Google, back in 2012. Though no data was stolen or compromised, these findings brought to light the increasingly sophisticated techniques used by hackers to bring even the biggest corporations to their knees. So there’s no doubt that if a player as big as Google can be a target, then even the most careful of users are vulnerable to these loopholes, and the first and foremost step that anyone who owns a PC, laptop or smartphone should take is to install anti-virus on their device.

An example of an anti-virus software

While choosing your anti-virus, it’s best to go for the big names. Windows has a built-in Windows Defender, though most security experts recommend installing additional AV software. In its defence, since Windows Defender is free and built into Windows 10, it doesn’t harass you with pop-ups and requests for money, and it is lighter than some competing antivirus solutions, making it the preferred basic line of defence for a lot of people. Yet, if you’re constantly installing new software and engaging in high-risk behaviour, paid anti-viruses like Norton, McAfee and Kaspersky are known for their detection rates and are considered safe bets. The same would go for Macs, and Linux is known to not require an anti-virus, though that largely depends on how technically informed the Linux user is, which a majority are. Free anti-virus solutions like Avast, Avira and AVG are just as good as the paid ones, except you don’t get priority support. The core detection engines offered by the free ones are the same as their paid versions in most cases.

Though installing anti-virus software is the recommended way to go, enabling a Firewall on your device also goes a long way, though it can’t provide the same level of protection an anti-virus would. A software Firewall, just like a device-based hardware Firewall, filters information coming through the Internet into your system. If an incoming packet of information is flagged by the filters, it is not allowed through. In large corporate institutions, or any business that has a small to large private network it wishes to protect from outside attacks, the main function of a Firewall is to stop anyone on the outside from logging onto a computer in the internal network. Since most home networks would not be subject to such an invasion, a Firewall might not perform the exact way you’d expect it to. Nevertheless, when it comes to cyber-security, more is merrier, and you can never go wrong with a Firewall. ZoneAlarm and Comodo are two well-known free solutions you might want to try out.
Before you plug in that USB stick…
There are several more precautions one can take to prevent malware from external sources. Making sure the software you install is from a verified source goes a long way. A lot of malware is installed as a result of people not taking care about the kind of software they give permission to run on their systems. Whenever downloading any such thing, go to the verified site first, and avoid using any external links that redirect you to the “official” site.

Even if you don’t use the internet much, viruses and malware now have a way of spreading through pen drives and external HDDs. This doesn’t need much effort from the hackers’ side: they’ll simply disguise the virus as an executable with a recognisable name. Even if the virus might not be software, the common trend on many infected disks is to create a shortcut that contains all your files that were previously visible on your external disk. When you try to open any of the folders, the virus automatically gets executed and infects your PC. The best and only way to get rid of such viruses is to get your anti-virus to scan the infected drive and have it weed out the virus. The best way to go would be to scan any external drive that’s inserted into your device, no matter how trusted the source is.

Where’s that free Wi-Fi?
One particularly prevalent and unavoidable issue is the use of public Wi-Fi hotspots. The very convenience that makes public Wi-Fi so attractive is probably also its downside. The fact that public networks require no authentication to establish a connection is what allows hackers to get unrestricted and unlimited access to unsecured devices on the same network. Since there is no password or passphrase to encrypt the information being sent to and fro between the router and the device, any hacker can use software to intercept those signals, at which point they can see everything on a fellow free Wi-Fi user’s screen. Such “sniffer software” intercepts the traffic between the router and device to filter out important information. These unsecured networks can also be used to plant malware on another network user’s device if file-sharing has been enabled. Another popular method used by hackers is to set up rogue Wi-Fi hotspots with generic names, fooling unsuspecting users into connecting to these networks, following which their information can easily be collected.

Considering that necessity often overrides such concerns, one can take certain basic and inexpensive steps to avoid any mishandling of personal information. If you find yourself needing to connect to public Wi-Fi networks frequently, it’ll be worthwhile to invest in a Virtual Private Network (VPN). A VPN is a private network that enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. A bonus is that VPNs will allow you to access blocked and filtered content, hence providing a better internet experience. Most trustworthy VPN services require a monthly subscription of a few hundred rupees, and are certainly worth the expenditure if you’re regularly using public networks. Some great VPNs in India are Private Internet Access, Torguard, CyberGhost VPN and TunnelBear, which cost between Rs. 400-800/month.

Understanding how a VPN works

If your usage of public networks is infrequent and you do not need to visit websites with confidential personal information, credit card data and important emails, enabling the “Always Use HTTPS” option, or simply installing browser add-ons like “HTTPS Everywhere”, is useful and does the trick. Another useful tip is to turn off device sharing on such networks, so that malicious devices cannot access yours, and to enable the Firewall, as discussed before.
“What happens if I click on this pop-up…”
Once you’re on the internet, a lot of what happens to your computing device is in your hands. How you deal with spurious links, banners and pop-ups will determine the health of your device. It goes without saying that many of the banners, ads, pop-ups and emails that you view and receive on the internet are scams. Many of these pop-ups, which look like legitimate posts coming from your email provider, favourite social media websites or e-commerce sites, are generally spurious and fake versions. Many a time these pop-ups pretend to find viruses and malware on your device and “report” them. Entering your personal details while executing any kind of operation on these imposter websites is only going to lead to hackers picking up your details, and you’ll have only yourself to blame. This process of tricking you into sharing your information is known as phishing. Software that engages in this kind of behaviour is known as scare-ware. If such software goes a step further and demands money for making your system function properly again, it is known as ransomware.

In a very common practice, many users receive mails from seemingly trusted sources, stating that the said user has provided incorrect information for important documents, and that they will have to resend their information to revive a suspended account, or some similar scare tactic. People end up going to the imposter version the hacker wanted to redirect them to, and provide bank account and email account details willingly. If you’re looking to visit any such website, always visit the encrypted and original website by using a popular search engine to obtain the website details. Big providers like Google, Yahoo! and Bing always give correct and accurate results, and can be trusted to provide the original links for certified websites.

Beware of such pop-ups

In other methods, flashy banner ads on websites are created as sources of malware. Clicking on them automatically gives them permission to install the said malware onto your device. In most cases, the malware simply logs keystrokes and sends them to the hacker, allowing them to monitor your data and thus making it extremely easy to get access to your private information. While your anti-virus should help prevent the download and execution of such malicious software, it’s better to be safe than sorry and just not click on these banners.
Is your password “123456”?
When it comes to how you store your confidential data, you need to take a long, hard look at the passwords for your various accounts. The dilemma for most people is choosing between a weak password that is easy to remember and easy for hackers to crack, or a strong password that is hard to remember but much tougher for hackers to guess, even with their fancy-schmancy algorithms. We’ll assume you go with the latter, since no security-conscious individual would ever choose the former.

First and foremost, never lift passwords from a dictionary, even if they are multiple words one after another. Such passwords are easy for hackers to figure out using a dictionary as a source dump for a brute force attack. To further secure your password, use special characters and a mixture of lowercase and uppercase letters, as well as numbers. In addition, longer passwords are better than shorter ones, since they become harder to crack with each character added. A rule of thumb is to keep a minimum length of 10 characters. Having said that, a brute-force attack to guess the password will always succeed if enough time and processing power is available to the attacker. So, it is always recommended to change your passwords often. Try to keep the interval between changes to 4-6 months.

Then there are the general guidelines. Avoid using standard and repetitive sequences, and absolutely NO personal information should be included. If the hacker happens to have your personal information, don’t make it easier for them to crack your password. And if you do happen to create a tough-to-remember and uncrackable password, make sure NOT to reuse it for any other account. As tempting as it sounds, it can have severe consequences for you in case the hacker knows the details of one account.

This does bring us to the point of remembering your passwords for ALL your accounts, the number of which runs into the tens for those active on the interwebs. It’s considered smart to not write your details on paper, and instead use an encrypted password manager. As described in the previous chapter, a password manager requires you to remember only one master password, and the rest are generated and stored by the encrypted password vault itself. LastPass Premium and Dashlane are considered good alternatives for those willing to shell out some money, while LastPass and LogMeOnce are available for those on a budget. Still, it’s recommended that you invest in a paid password manager.

LastPass Password Manager on a Mac

None of these will work if you’re giving out your password left, right and center. Avoid sharing your password, and even if you have to, please, for the love of glob, don’t email it to the other person. It’s unnecessary and you will have only yourself to blame for such an egregious error. In other etiquette, avoid leaving your accounts logged in on public terminals, and make sure no one’s watching when you’re typing your details. These common and basic steps will go a long way in securing your cyber life.

In case your password is hacked or leaked in a data theft, one way of being notified of any incorrect access is if you’ve enabled multi-factor authentication, which adds extra layers of security that require not only a password and username but also an external key that only the user has on them, with the key generally being some sort of physical token. In most cases, it’s a one-time password sent to your mobile phone, and in rare cases, to another email ID (the latter is an unsafe choice in the eventuality that the second account has been compromised). While this method has its own drawbacks, it’s a good idea to have two-factor authentication enabled across your accounts.

We mentioned zero-day vulnerabilities earlier, and talked about how anti-virus software is a great way to patch those up, but be sure to keep your AV software up to date. Seeing as how many hackers might misuse the patch release notes to explore those vulnerabilities on unpatched machines, it’s important to install such software updates as soon as possible after they’re available. Browser plug-ins also form a huge part of the issue, and to be completely sure that you don’t have outdated browser plug-ins, visit your browser’s plug-in check website.

A lot of these methods are basic common sense and no more. If you feel like you need a little more information for platform-specific devices, do read the following chapters to get a better idea.
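The password rules from the “Is your password “123456”?” section above (at least 10 characters, all four character classes, no dictionary words even when chained together, no standard or repetitive sequences, no personal information) turned into a small checker, as an added example that is not part of the original book. The word list, the sequence list and every function name are constructed for illustration; `keyspace` assumes an exhaustive search over the character classes present, under which going from six lowercase letters to eight mixed-case letters multiplies the work by 173,056, which scales the introduction's 10-minute figure to about 3.3 years.

```python
import string

MIN_LENGTH = 10  # the chapter's rule of thumb
# Constructed mini word list; a real audit would load a full dictionary file.
WORDS = {"password", "linkedin", "welcome", "dragon", "monkey", "summer", "india", "secret"}
# Alphabet, digit and keyboard-row runs treated as "standard sequences" (assumed list).
RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover for this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(all(c not in cls for cls in CLASSES) for c in password):
        size += 32  # assumption: count any other characters as one more class of 32
    return size


def keyspace(password: str) -> int:
    """Candidates of the same length drawn from the same character classes."""
    return charset_size(password) ** len(password)


def is_word_chain(text: str) -> bool:
    """True if text consists only of dictionary words placed one after another."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in WORDS for start in range(end)
        )
    return bool(text) and reachable[-1]


def has_run_or_repeat(password: str, length: int = 4) -> bool:
    """Detect fragments such as 'abcd', '4321', 'qwer' or 'aaaa'."""
    lowered = password.lower()
    for i in range(len(lowered) - length + 1):
        piece = lowered[i:i + length]
        if len(set(piece)) == 1:
            return True
        if any(piece in run or piece[::-1] in run for run in RUNS):
            return True
    return False


def audit(password: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the rules from this chapter that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not all(any(c in cls for c in password) for cls in CLASSES):
        problems.append("missing_character_class")
    # Digits and symbols tacked onto the ends do not rescue a dictionary word.
    core = password.lower().strip(string.digits + string.punctuation)
    if is_word_chain(core):
        problems.append("dictionary_words")
    if has_run_or_repeat(password):
        problems.append("sequence_or_repeat")
    lowered = password.lower()
    if any(len(item) >= 3 and item.lower() in lowered for item in personal):
        problems.append("personal_info")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the first two come from the chapter's own list.
    for sample in ("123456", "linkedin", "summerdragonmonkey", "Password123!", "T4k!ng-Th3-L0ng-W4y"):
        print(f"{sample!r}: {audit(sample) or 'passes every rule'}")
    print("effort ratio:", keyspace("abcdefGH") // keyspace("abcdef"))
```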
20
CHAPTER #03
ANDROID PHONE SECURITY The do and do-nots to ensure the online and offline security of your beloved android devices
Android phone security
21
We now live in a world where not owning a smartphone is considered rural and ancient. Smartphones have taken the world by storm, and the harbinger of this revolution is the popular and almost undisputed operating system, Android. It’s open source, and that is one of its biggest strengths. But we live in the times of Mr. Robot and the NSA. To cut things short, it wouldn’t be wrong to say that anything and everything is accessible if the right tools are used. So in such a world, one must know how to protect oneself from hackers and those with malicious intent. One should not underestimate the impact and magnitude of such attacks. For instance, there was a case in which a group of German hackers hacked a country’s voting machines to tamper with the election results. This is where the world of hacking gets ugly, and it must be acknowledged as a real and constant threat. But we’ve got you covered. We shall tell you about the ways in which you can protect yourself from such attacks, and the measures to be taken are surprisingly simple. Let us begin.
Types of attacks
Basically, you could be subjected to intrusive danger in two ways. One is being physically ‘hacked’, in which a menacing agent snoops into your privacy by breaking into your phone, e.g. by knowing your password. For the other, take for example a webpage that opens up, attached to some unknown application on your phone, and downloads tonnes of malware that you never even asked for.
Protect your Android phone from all kinds of attacks
Tips and tricks
Passwords
We all have passwords on our phones. A password can protect your privacy and keep all your important data private. Your phone stores passwords for various social accounts like Facebook, Twitter, etc., and even more important stuff like passwords for your online wallets and internet banking portals. But the basic password system in almost all devices can be bypassed, and all your personal information accessed. So here are some precautions you can take to make sure your phone and all your social accounts are ‘hack safe’.

1. Not saving passwords
It is as simple as it sounds. The next time a web page prompts you to store passwords, decline, because your passwords can be stolen via simple phishing pages or even by accessing the cookies that the web page stores. Also, if you save passwords and someone were to hack your phone or gain access to it, what’s to stop them from using all your social security codes and payment passwords to make transactions? A lot of people have fallen prey to such malicious attacks and have been robbed online. It might seem a little paranoid to some; to those people I say, better safe than sorry.

2. Use strong passwords
Most of the websites that require you to save passwords will require you to have long alphanumeric passwords (at least 8-12 characters long). And it is a necessary practice. If you have simple passwords, they can be bypassed by social hackers or by using something as simple as permutations and combinations. A lot of people invest a lot of time in trying to figure out what people’s passwords will be. So it is much safer and better to have a password that is not predictable, unlike your birth date, wedding anniversary or maiden name. We can’t stress enough how important it is to have a strong password.

3. Android built-in security
Android OS knows how important your security is to you, so it comes with a strong built-in security system. You might have noticed that in the ‘password’ section of your settings, there are various types of passwords that you can use, ranked according to how secure they are. The most commonly used password type is probably the linked dots password, which can be very easily broken into. There is an option for keeping an alphanumeric password instead too. We recommend you use this security provision to the fullest. There are also options like facial recognition and even fingerprint scan in some devices. Use them; you cannot be secure enough. After all, this is your phone we are talking about. You wouldn’t want your personal information accessed, right? Hackers are very creative when it comes to such thievery.

Your phone is like a security locker for all your information that you wouldn’t want robbers getting into
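The password advice in points 1 and 2 above can be turned into a concrete check. The following is an added example, not part of the original book: it flags passwords that are short, not alphanumeric, or built from a name or date an acquaintance could guess, and estimates the brute-force search space. The function names, the finding labels, the 8-character minimum and the sample passwords are all assumptions made for the illustration.

```python
import math
import string
from datetime import date

MIN_LENGTH = 8  # assumption: lower end of the "8-12 characters" in the text

# Undo common look-alike substitutions before searching for personal words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def date_variants(d):
    """Digit strings people commonly derive from a birthday or anniversary."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {dd + mm + yyyy, dd + mm + yy, mm + dd + yyyy, mm + dd + yy,
            yyyy + mm + dd, dd + mm, mm + dd, yyyy}


def search_space_bits(password):
    """Upper bound on brute-force effort, in bits: length * log2(alphabet)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes
                   if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit_password(password, names=(), dates=()):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    has_alpha = any(ch.isalpha() for ch in password)
    has_digit = any(ch.isdigit() for ch in password)
    if not (has_alpha and has_digit):
        findings.append("not_alphanumeric")

    # Names (your own, a maiden name, a pet) survive simple substitutions,
    # so compare against both the raw and the "un-leeted" password.
    lowered = password.lower()
    unleeted = lowered.translate(LEET)
    for name in names:
        n = name.lower()
        if len(n) >= 3 and (n in lowered or n in unleeted):
            findings.append("contains_name")
            break

    # Dates are matched on the digits only, so 12-05-1990 and 12051990
    # are treated the same.
    digits = "".join(ch for ch in password if ch.isdigit())
    for d in dates:
        if any(variant in digits for variant in date_variants(d)):
            findings.append("contains_date")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample data: a made-up user and made-up passwords.
    known_names = ["Priya"]
    known_dates = [date(1990, 5, 12)]
    for candidate in ("1234", "priya1990", "Pr1y@2024!", "tq7Vn2xLm9Rc"):
        issues = audit_password(candidate, known_names, known_dates)
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"findings={issues or 'none'}")
```

The bit count is only an upper bound on guessing effort: a password that contains a name or date falls far sooner than its length suggests, which is why the personal-data checks are reported separately.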
Applications
Google Play Store blew the world away. Suddenly, games like Angry Birds and apps like Facebook and Instagram were at your disposal. Google has always been a harbinger of the ‘free for all open source’ movement. It encourages developers to experiment and test their products out at a global level with much ease. However, this coin too has a flipside. Google Play Store is the biggest online marketplace offering all kinds of services, but it is not the only online marketplace for Android. Although the usual Android phone is factory set to NOT allow downloads from unknown sources, downloading from them is common practice, as this setting can be easily changed. That being said, even Google Play Store may not be safe enough, as it might sometimes have malicious apps cleverly designed to blend in as normal apps to an unsuspecting user. These apps can harm your well-being and online security in innumerable ways. So here are certain necessary precautionary measures you must take.
1. Backup
Taking a secure backup is a smart practice because this way, even if your important files and folders are affected by some kind of malicious virus, worm or Trojan, you can always keep your data safe on the cloud. There are several good services to do this. However, don’t choose services that ask you to upload all your data without your constant permission or password protection. This way, even if your phone were to get infected, you can reset it without the risk of losing your data. However, be careful about the medium you use to take this backup. It should be a trusted source, because you can’t trust anything and everything on the internet. Some good secure services are IDrive, SugarSync, CrashPlan, etc.

2. Security options
Use the security options if the app provides any. Even if someone broke into your phone and now has access to all the applications, you can have security passwords for your applications. Most apps come with a built-in provision for this. Even if they don’t, there are apps like APPLOCK which let you secure access to your applications using a security password. It is recommended to have multiple security layers so that even if your phone gets lost or broken into, you don’t have to worry about anyone accessing your private stuff, especially in apps that hold your bank account details, such as an e-commerce application.

3. Google Play Store
Don’t just download from any source. We can’t stress this enough. Most online app vendors don’t have thorough safety checks and are loaded with advertisements and misdirection. Don’t download applications from unknown sources, and don’t download applications which don’t have a lot of downloads. Even some apps on Google Play Store are loaded with unwanted advertisements which might redirect you to unwanted pages or phishing sites. Don’t give any important information in such applications. They might seem normal and suddenly alert you to an attack on your device. That is your cue. It is always wise to see the number of developers and comments of any app that you want to download. Certain apps you download might make your phone download more apps without your consent. You don’t want that.

There are a lot of people looking to break into your phone by using otherwise harmless-looking applications

Network
The internet is filled with opportunistic people who want to scam their way into your phone and get your personal information. It is simply not possible to stay off the internet either. It’s a coin with a flipside. However, if you take some easy, subtle safety measures, you can secure the network you are on and thus your Android device.

1. Be on a secure network at all times
If you have a Wi-Fi service, make sure it is password protected. People can access your device if you are on an unprotected network. Also, avoid using unknown public Wi-Fi networks. Free Wi-Fi, as tempting as it might seem, comes with a lot of danger. If it’s not a protected network, a hacker can use simple applications and snippets of code to break into everyone on the same network as you. There is a way to make sure this doesn’t happen. Use applications like HideNinja VPN to make sure your outgoing network traffic is always encrypted with a digital signature, hence killing the chances of a compromise in security.
2. Don’t use just one account
If you share a device with someone, e.g. a tablet or a phone, you have the option to create multiple accounts to make sure that your stuff stays exclusive to you. This can easily be done by going to SETTINGS and the USER section on your Android device. This way you can easily share the device with other people and have separate passwords and preferences for the separate accounts. You can find apps on the Play Store to help you manage different accounts on your Android device too, for example SWITCHME or PARALLEL SPACE. There are even apps to create multiple social accounts on the same device for apps like WhatsApp and Facebook. If you are sharing your device with someone, you can make sure that your data stays truly private.

3. Security apps
There might be many malicious apps out there, but genuine apps that can save you from such applications exist too. The best example is probably AVG. It is a free bundle; there is a paid version too with some better features. It comes with basic security options like not letting you download stuff from unknown sources, tracking your phone in case it goes missing, etc. It also keeps doing thorough checks to see if any malware exists on the phone. There are several applications like this you can use, but be sure to use only a trusted application for this purpose. You don’t want to get infected by an application that was meant to protect you in the first place. So here are some trusted applications that you can use:
1. AVG
2. AVIRA Antivirus
3. Norton Antivirus
4. AVAST Mobile Security
5. CM Security

Just be sure to download security apps from secure sources
When you lose your Android device
Everything is good until you lose your phone or it gets stolen. Our lives depend on our phones: our contacts, passwords, applications. And if your phone gets stolen, the whole world comes crashing down. What’s worse is your stolen device landing in unwanted hands. This is a big issue for Android users and phone users in general. However, there are now applications that can help you retrieve your stolen phone using GPS SAT-NAV, or even wipe all your data remotely. Here are some measures you can take in case you lose your Android device.
1. Wipe your data
In case your phone gets stolen and you are certain you are not getting it back, you must erase your data immediately using a remote data wipe mechanism. You can follow this procedure as it is mentioned on the Google official forum:

• “Select Remote Wipe when a device is lost or stolen to erase all data on the device and to do a factory reset. You can remote wipe an Android device with the Google Apps Device Policy app installed and any supported mobile device with Google Sync configured. All data is erased from the device (and SD card, if applicable), including email, calendar, contacts, photos, music, and a user’s personal files.
• Note that Remote Wipe erases the device’s internal storage. Your user’s device must already have Device Policy (or Google Sync) configured. You cannot install Device Policy and run Remote Wipe retroactively. For Android 2.3+ devices, Remote Wipe also erases the device’s primary SD card”

Plus, you don’t have to feel bad about having to erase all this priceless data, because you followed our advice and had taken an online backup of your data. A little bit of planning goes a long way.
2. Remote track your lost phone
If you lose your phone and want to track it using some other Android device, you can either use applications like AVG security system, or you can download additional apps like ‘FIND MY PHONE’ for Android to GPS track its location using satellite navigation. You can even do this without any extra application. You just need to have a Google account, and your Android device must be connected to the internet. Your Android device is equipped with a location tool called ADM (Android Device Manager). If all the above conditions are met, then all you need to do is Google “Where is my phone” and your phone’s location shall be displayed on Google Maps. It works most of the time; just be sure that ADM is activated on your device.

Be sure to diagnose any problem with your phone and take measures in case it is acting up

Conclusion
Last but not least, make sure your phone is always safe with you and stay away from pickpockets. Phones are inevitable parts of our livelihood, and now you are equipped with the knowledge to fend off hackers and malicious attacks. Just remember to be cautious and follow all our steps and you shall be fine. Android does a good job of offering security options even though it is so widely used and subjected to constant attacks.
CHAPTER #04
iPHONE SECURITY
How to secure your beloved iCompanion

The iPhone is the world’s best-selling item. Let that sink in. The Presidents of many countries use iPhones. They took the world by storm. Pretty much the veni, vidi, vici story. It was Steve Jobs’ brainchild not even a decade ago, and the rest is history. However, it is not impervious to attacks of all kinds. As a matter of fact, it is more of a challenge to vicious hackers to break into this Fort Knox, and it has happened many times. Apple puts a lot of stress on security, and much of it is because of Jobs’ desire for exclusivity. Complete exclusivity was a necessary price to pay for a ‘virus-free’ environment. Nonetheless, if you own an iPhone, there are a bunch of things you should do to ensure your complete and wholesome security. Your iPhone is a gateway to your world of personal information and details that should remain private at all costs. And although you have a fingerprint lock on your iPhone, that doesn’t mean hackers won’t try just about anything to break into it. We are just saying that the fact that it can be done is reason enough for some people to try and do it. So follow these instructions religiously and the safety of your beloved iPhone is guaranteed.
Apple security policy
Apple system security is designed so that both software and hardware are secure across all core components of every iOS device. This includes the boot-up process, software updates, and Secure Enclave. This architecture is central to security in iOS, and never gets in the way of device usability. Needless to say, Apple lays huge stress on securing the ‘world’s best phone’.

They were the first to popularize the use of the fingerprint scanner on their home button. The feature works pretty seamlessly and has become commonplace, giving the iPhone another layer of protection after the security password. Apple also has a separate ‘for Apple product owners only’ store called the iStore, which you can access with your Apple ID. For most of the better applications you find on Google Play Store, you are likely to find an even more refined version on iStore. Also, Apple has a very strict application monitoring policy, and not just anyone with a malware app can upload it for the whole world to download on iStore (unlike on Google Play Store). And although this policy is debatable and is almost always argued upon, it works to some extent. However, as safe as this may sound, it is no surprise that the iPhone’s security has been compromised from time to time, and you should take precautionary measures nonetheless. We shall tell you about general settings that you should change to secure your iPhone. Then we shall tell you about some applications that might come in handy to make sure your iPhone stays hack-free.

Apple likes to believe that they have built a Fort Knox when they sell their iPhones
General settings
1. Keep your iPhone firmware updated
Apple comes up with frequent updates for iOS. Be sure to follow them carefully, as with every new update they tackle security issues present in the last one and deem that version almost redundant. Go to Settings>General>About. There you shall be shown the current version of the iOS firmware. Be sure that this is the latest firmware, because if it is not, your version of the firmware is vulnerable to intrusive security-breaching attacks.

2. Keyboard cache
This one is a little tricky. Your keystrokes are stored as a database in the iPhone directories as cached memory for up to a year. This database basically includes all your typed words and the phone’s automated responses to them via the keypad. A clever hacker can break into this database with ease and mine it for important details like your personal information or even your passwords. You should keep this cache cleared. This is not at all a paranoid practice; there have been reported instances of this feature being exploited. Navigate to General in Settings>Reset>Keyboard Dictionary. This should reset your keyboard cache for you.

3. Disable features which can be accessed without a passcode
Your iPhone has several features on the home screen that can be accessed even when the phone is locked, and you have a say in them being accessible. For example, turn the Voice Dial feature off by going to Settings and disabling it. Also, your messages can be previewed on your locked home screen as a pop-up prompt. This is probably the simplest, most overlooked factor in iPhone security. You must keep this feature disabled if you don’t want people reading your private conversations.
4. Secure passcode and auto timeout
You must have a secure password for your device, not just the four-digit numeric password. That can easily be guessed by people or even judged from the smudges on your phone (Mr. Robot much?). Try going for the fingerprint as well as the alphanumeric password option to keep a long, secure password. Also, you can decide after how much time your phone locks itself. Be sure to enable this feature so that even if you forget to put it in standby mode manually, your phone does it on its own. It can be easily set and enabled in the Settings menu of your phone under the Auto-Lock option.

Be sure to use the fingerprint scanner feature of the iPhone

5. Erase Data setting
Now this may seem a little harsh, but if you have a secure online backup of your phone, and your phone’s security is very important to you, you can set the number of wrong password entries after which the data on your phone is erased.
Also, you might be aware of the iPhone’s return policy. They exchange your phone within a period of one year for all kinds of physical or software damage except water damage, and give you a brand new iPhone in exchange for your old one. Be sure to erase all your data before doing this. Also, if you are getting your iPhone repaired, you should make sure that it has no important data on it that might compromise your security and private information.
6. Jailbreak
You must be aware of the fact that you can have a hacked version of iOS on your iPhone. This process is called jailbreaking the iPhone, and doing it compromises your iPhone’s security and warranty. Avoid jailbreaking at all costs, unless you own an old model and want to use it for experimental purposes. Jailbreaking your new iPhone is not recommended at all. The reason is quite simple. After doing this, Apple no longer guarantees the firmware of your phone, and anyone could easily bypass the broken firmware. If you bought an iPhone, you must stick to exclusivity. (Or you know, buy an Android.)

7. Safari browser
The iPhone has the Safari browser, and it is pretty good. You can change its settings so that it gives special attention to your privacy and security. Go to Settings>Safari options>disable cookies on untrusted sites. You can also disable password remembering, which is a recommended practice. There are also a bunch of other options you can toggle:
• The Autofill setting should be disabled
• Enable fraud warning
• Block pop-ups
If you set all the above settings, you can be certain that your Safari browser is a safe workplace.

8. iPhone network settings
The iPhone, like any standard phone, has Bluetooth and Wi-Fi. You should try to keep these services disabled when they are not in use. This keeps intrusive attacks from taking place in case you land up on an unsafe network. You should password protect the internet network that you are on to make sure it stays exclusive, and refrain from using Wi-Fi that is free for anyone to use and not password protected.
You must never be on an untrusted network; use a VPN hider if you have no alternative

You can also make sure that your SSL setting is enabled while using email and Gmail. Go to Settings>Mail and calendars>Advanced>Toggle the SSL option ON. SSL stands for Secure Sockets Layer, and this will make sure that your emails are transmitted securely.

9. Find My iPhone
Apple has a special service called ‘Find My iPhone’ which is free of cost and helps you retrieve your stolen iPhone. You just need to add a ‘MobileMe’ account and then log in to the account using your Apple ID. Once connected, the Find app will be turned on and the location of your iPhone can be remotely detected. In addition to this, you can also get it to do a bunch of stuff like display messages or make beeping sounds. The service works ONLY if the device is password protected. You can even use this service to ‘RemoteWipe’ all your data in case you are certain that your iPhone is beyond retrieval. You can then recover all the lost data from the cloud backup.
10. Restrictions
You can set certain restrictions on all your apps by enabling certain options in Settings. They are basically parental codes and require a security passcode to be entered every time the user tries to access the applications. This is a very important and useful feature, as by using it you can ensure that your social apps stay exclusive to your use only, even if the first security level of the home lock screen is bypassed. You must use this feature to your advantage for your social networking apps, mail apps and online wallets: basically anything that has your private and important information stored as cookies.

Always select an auto-lock timeout for your iPhone
Applications
In addition to these general settings, which are common to all iPhones, you can download applications from the generous variety offered by the iStore. These apps can help you keep your phone safe and sound.

1. Lookout
Lookout is basically a better version of Find My iPhone. It saves the last location of the iPhone before its battery dies out and comes with some other clever features. The app also has an instant contact and data backup option and can be accessed via any web browser. Price: Free

2. Foscam Surveillance Pro
Now this is not a security app per se, but it is so cool we thought we would include it anyway. You can basically run a security camera service using this application and get a LIVE feed from up to 6 cheap IP cameras. You can even control the movement of some. If you don’t want to spend a tonne on a home security service or want a handy baby monitor, search no more. Plus, it has a little DIY element for all you enthusiasts. Price: $4.99
You can basically make your iPhone into a security surveillance device by using Foscam

3. mSecure
If you are like me, then you have a hard time keeping track of all those passwords. Do not worry; mSecure is the perfect application to manage all your passwords. The procedures are very simple and you can manage all your different accounts very easily. It is built with the careless customer in mind, so if you have the problem of forgetting or mismanaging passwords, go for this. Price: $9.99

4. Private Photo Vault
Your camera roll might be susceptible to intrusive attacks, so you can make sure that all your precious photos are saved in the secure Private Photo Vault. It gives a break-in report if someone tries to tamper with it, and is a good way to save your private media items. Price: Free

5. SurfEasy VPN
If you want to make sure that your browsing is safe even when you are uncertain about the security of the network you are on, you can use this application. It encrypts your outgoing signals and protects your phone from attacks by users of the same network. You must always use this app if your phone is mostly connected to networks with a lot of other members. It is a safe practice. Price: Free
6. Norton Identity Safe
Norton has been around for a long time, so this is a pretty good and wholesome app. It acts as a one-point hub for all your security management options. It can be locked using a security code. It stores all your important information like passwords, credit card details, website cookies, etc. It also has a password generator whose passwords you can store and use. The app is free of cost and you should definitely have this on your phone. Price: Free

You should manage your passwords using secure apps to ensure you never lose your social accounts

7. Best Phone Security Pro
Don’t judge an app by its name. This is a really good app. Whenever someone tries to open your device, an alarm will go off. Sounds fancy, doesn’t it? You can even record your own alarm to go off (my personal favourite is “Shame!” on repeat). The app also uses the front camera to take a picture of the intruder. And last time we checked, iPhones have a great front camera.
Conclusion
The iPhone is the world’s best-selling item. You must ensure your iPhone’s security for the sheer fact that so many people use it. Imagine if the security of all the iPhone community members were to be compromised at once. Sounds like something straight out of Black Mirror, doesn’t it? The point of this is not to make you feel paranoid but to make you understand the ways in which your iPhone can be broken into. If you take all the information we have provided and put it to use, you can almost be certain that you will not fall prey to hackers. Also, make sure to utilize your phone’s replacement policy in case your iPhone is not behaving normally. You can always contact Apple customer care in case you are wondering about certain settings or unsure of a certain security clause. They like to take their customer care seriously, I’ve heard.
CHAPTER #05
SECURE YOUR WINDOWS PC OR LAPTOP
Windows may not be the least secure OS out there, but you’re not safe yet!

A recent security report published by GFI, a network and security solutions provider, stated that Apple’s Mac OS X, iOS and the Linux kernel are the top three most vulnerable operating systems, beating the common misconception that Windows is the least secure OS out there. Microsoft is one of the biggest technology companies in the world. It is always on its toes and is super fast in releasing critical patches and updates to make your computer more secure. This is not to say that Microsoft Windows has always been this way; it is known to have a sad security history. But the company learned from its mistakes and has been successful in making Windows 10 one of the most secure Windows versions ever, while also being the most targeted OS out there. If you think about it, the reason for this is simple. Imagine you had a year to learn how to break into Vault A, used by 80% of the banks, or Vault B, used by 20% of the banks. Which would you choose? Windows dominates the PC and laptop OS market with a 52.02% share, while Apple and Linux kernel based OSes have a 26.2% and 21.7% share respectively. The chances of encountering a Windows machine on the internet are higher than for any other. And this is why hackers everywhere are religiously creating new viruses and malware, and exploiting zero-day vulnerabilities, to get into your Windows machine. And it’s not just the ‘bad guys’ who are after you. The technology buzzword of last year was privacy, and the ‘good guys’ (read: Microsoft) are after your data too. Worry not though. We are here to teach you how to secure your Windows machine from both the good and the bad guys.

Learn how to secure your Windows account
Saving yourself from the ‘Bad guys’
The safest computer in the world is one that is turned off

Over the years, Windows users have seen some of the nastiest viruses. From ransomware to irritating autorun viruses, we have seen it all. Security has never been Microsoft’s strong suit, but slowly and steadily it has built it up. Windows 10 is probably the most secure version to date. But no computer in the world is unhackable. If you want to completely secure your Windows machine, the best bet is to start afresh with a new installation. But if you don’t want to lose all your installed software and saved data (which can be backed up anyway if you decide to do a fresh installation), follow these steps to scan and remove malware, and secure your PC:

• Disconnect from the internet
The first thing you need to do is disconnect your computer/laptop from the internet. If your computer is hacked or infected with a virus/malware/spyware, disconnecting from the internet will stop it from communicating with the hacker.

To get away from the bad guys, first get away from the internet
• Update/install an antivirus, an antispyware and a firewall
If you haven’t already installed an antivirus, an antispyware and a firewall, then download the latest versions on a computer you are sure is safe and transfer them to your machine. There are a number of good free and paid antivirus, antispyware and firewall programs that you can choose from, which are listed in the next section. Some viruses also stop the user from installing any new programs. If this is the case with your machine, then switch it off, boot into Safe Mode and install the programs. If you already have this software installed, then update it before disconnecting from the internet.

• Boot into Safe Mode and run a full scan
In Safe Mode, the OS loads only the necessary services and drivers, which means that viruses and malware that have added themselves to the startup list of services won’t run. To boot into Safe Mode in Windows 10, go to the Start menu and click the Power button. While keeping the Shift key pressed, select Restart. Your computer will restart and present you with a couple of options. Select Troubleshoot > Advanced options > Startup settings. A new screen will notify you that you have to restart Windows again to change advanced boot options, which include Safe Mode. Click Restart and select Enable Safe Mode by pressing the F4 key. Once in Safe Mode, open your antivirus and scan your whole computer. Do the same with the antispyware software. This can be quite a time-consuming task and the scans could run for a couple of hours. You can go get some food and finish your other chores in the meantime.
• Clear browser cache, cookies, and other temporary files and folders, and remove unnecessary software
Clearing all these files and folders will not only remove any traces or infected files left behind by the viruses, but also give your computer a significant performance boost. You can either choose to clear all these places manually, or download software like CCleaner to do the same. Download CCleaner from the official site and install it. The software clears a number of temporary folders and files by default, so go through the checklist once before running it. Once you have selected all that you want to clear, select ‘Run Cleaner’ and let it do its work. Once that is done, go to the Tools section and uninstall all the unnecessary software you don’t need. Then go to Tools>Startup and disable all the unnecessary software and bloatware that you come across.
CCleaner can do a number of things including clearing out your junk, uninstalling programs and removing software from startup
• Update your Windows and all other software, especially your browser
According to data collected by Kaspersky Lab, one of the biggest antivirus vendors, almost a million new threats are unleashed online every day, which include viruses, malware and zero-day vulnerabilities. The best bet to protect yourself against these threats is to keep your operating system and software completely up to date. Set all your important software, especially your browsers, to automatically update. Also set your Windows to automatically download and install all new updates. Type ‘Update’ in the Start menu search box and select Windows Update. Change settings to Install Updates Automatically (recommended) if it is not already selected.
These steps should be enough to clear your computer of any threat, but if you want to be 100% sure about it, then do a fresh installation of Windows on your machine. To do so, follow these steps:
• Do a fresh installation of Windows
Doing a fresh installation is the best way to go about securing your Windows PC. Even out-of-the-box machines that come with pre-installed Windows have extra junk and bloatware installed that slow down your computer.
• Update your browser and other important pieces of software
It’s not always Windows that is guilty. There are a number of popular programs which are commonly used and known to have a history of security vulnerabilities. Software like Java, Adobe Flash, Adobe Acrobat Reader, Google Chrome and Mozilla Firefox are regular targets of hackers looking for weaknesses to exploit and break into your machine. So make sure all your software is updated regularly.
• Create a Clean Restore point
The first thing that you should do after installing your OS is to create a Restore point. This makes sure that you don’t have to install Windows and start again afresh the next time you encounter a problem. Go to Control Panel > Recovery > Configure System Restore. Select the Create button and follow the onscreen wizard to create a System Restore point. If the Create button isn’t working, click the ‘Configure’ button and select the ‘Turn on system protection’ radio button.
• Install an Antivirus and Antispyware
All Windows 10 computers come with Windows Defender, a built-in antivirus which offers baseline protection to your system. Though a solid antivirus, it’s not good enough and cannot stand against other industry leaders. There are a number of paid and free antiviruses in the market, enough to boggle your mind. Though each has its own set of pros and cons, one cannot go wrong with Kaspersky’s security suite if you want the best paid protection. Avast and Avira are two good free antiviruses. Most paid security suites have their own anti-spyware, but if you are using a free version, chances are you’ll have to install another program to protect your machine from spyware. MalwareBytes Anti-Malware and SpyBot Search and Destroy are two good free options available.
• Keep UAC turned on
User Account Control, a built-in feature of Windows, provides an additional layer of security to your computer by notifying you whenever a suspicious program tries to make changes to the system. The UAC is turned on by default. You can change its intensity by going to Control Panel > User Accounts > User Account Control Settings and then moving the slider.
If you followed the above steps, then your machine is completely virus free and secure – as of now. But if you want to keep it this way you need to use common sense and be proactive. Keep in mind the following things to keep your Windows machine safe and secure:
• Only download files from trusted sources and scan them before opening.
• Ignore unknown, spam or shady emails telling you about the money your great great grandfather left you or an all expense paid trip to Spain you won.
• Scan every external storage device you connect to the computer before accessing it.
• Use a limited account to browse the internet and stay away from shady websites
• Don’t click on suspicious links and advertisements online
Saving yourself from the ‘Good guys’
It’s been a long time since it became common knowledge that privacy is a myth. The government is tracking everything you do. Facebook doesn’t delete your personal information even after you delete your account. Microsoft collects tons of personal data about you. All the ‘Good guys’ are wolves in sheep’s clothing and we are here to protect you from them. You would think that saying this is a stretch, but once you look at all the information Microsoft’s latest OS, Windows 10, collects, you will realize that maybe this is something you should be worried about. Everything from your address book, GPS locations and credit card numbers to your audio and video messages is collected by Microsoft. And guess who gave them the permission to do so? YOU. The terms of service agreement you skipped reading (we know, we all did) said that you allow Microsoft to do all this and much more. Well, wouldn’t it be scary if one day Cortana wakes you up with the nickname only your mom calls you by? Read on to find out what you can do to stop Microsoft from invading your privacy and secure your computer.
• Turn off tracking in the privacy menu
The fine print in Microsoft’s privacy statement says that the company uses your data in 3 ways: “To operate their business and provide, improve and personalize the services they offer”, “To send communication, including Promotional communication”, “To display advertising”. And to do this Microsoft collects tons of your personal data. To view and change these settings, open your Start menu and type “privacy”. After opening your privacy settings you can see a list of permissions for various things including your location, access to camera and microphone and much more. For each of these, once selected, you can either completely turn off the data collection or do it for individual applications. Also, go to ‘General’ and change the ‘Send your device data to Microsoft’ setting to Basic.
• Don’t Create/Disconnect your Microsoft Account
Windows 10 asks you to create a Microsoft account by default. You can use this to log into your computer. It also comes with built-in 2 factor authentication, making it more secure. But it has its own tradeoffs too. Your Microsoft account connects your computer to your account and starts storing a lot of personal data which you might not be comfortable with. So don’t create a Microsoft Account when you are prompted to do so and select “local account” instead. If you have already made and are using one, follow these steps to disconnect your machine from it:
• Open Start Menu and type ‘Account’, then select ‘Manage your account’
• Click on ‘Sign in with a local account instead’
• Create a new username and a secure password
• Log out and log in again using the new account.
• Again go to the ‘Manage your account’ setting and remove your older account from under the ‘Other accounts you use’ tab.
You will lose out on some features including Cortana if you use a local account but that is the price you pay for securing your privacy and data on a Windows machine.
• Stay away from Cortana
Cortana is one of the most talked about features of Windows 10 and one step towards a future where everyone will have their own J.A.R.V.I.S. Cortana gathers information and learns about you from your location, contacts, speech data and much more, to create a more personalised experience for you. But to do this, it accesses loads of personal and sensitive information, some of which you may not be comfortable sharing with Microsoft. If you want to disable Cortana, go to ‘Privacy’ settings, select “Speech, inking and typing” from the left menu and change the setting to “Stop getting to know me” and you are done. If you have had Cortana enabled for a while, you would also want to delete all the information it has stored already. To view and delete it, go to https://www.bing.com/account/personalization. Once logged in, clear all data including “interests” and “Speech, Inking and Typing” information.
CHAPTER #06
METHODS TO SECURE YOUR LINUX SYSTEM
Don’t let the reputation of Linux being more secure than other systems lull you into thinking it can’t be breached. These methods would help keep the system truly secure.
One main advantage that Linux brings to the table (or the desk, if you prefer it that way) is the better security that it offers. Sometimes, the case is such that an antivirus is more ornamentation than utilitarian. But that’s not to say that Linux is an impenetrable fortress within which you can reside safely, a digital cocoon where you needn’t fear any malicious element from entering. Such optimal scenarios are only possible in fantasies, possibly realized with CG made using computers that run on open source. But there’s no reason to fret. You are by no means a hapless damsel in distress. There are certain measures you can adopt to further secure your Linux system. Let’s start with looking at some basic tricks you can use:
Basic tips
Choose Full Disk Encryption
Regardless of the operating system that you use, it’s always advisable to encrypt the entire hard disk. In the event that your laptop is lost or stolen, a login password probably won’t be enough protection. For instance, one can easily boot into Linux from a USB key and read all the data on the system without using the password. With encryption, it won’t be possible to read anything without the FDE password. While encrypting only your home folder and the files contained in it is a possibility, FDE has a significant advantage: you won’t have to worry about breach of temporary files, swap files and other directories where significant files may lie. And unless the computer is pre-historic, the slowdown due to encrypting everything on it is barely perceptible. In many Linux distros including Ubuntu and Fedora, full disk encryption can be done during installation itself. You just have to select the “Encrypt the new Ubuntu installation for security” option.
Go all the way, choose it fully!
Keep the software updated
Keeping software up-to-date is so not an exercise in vanity like keeping abreast of the latest trends in fashion without really knowing if they actually suit you or not. Regardless of the OS, you should always keep the OS and other applications (including but not limited to web browsers, PDF readers and video players) updated.
And it’s easy to perform on most Linux distros. On Ubuntu, for instance, the security updates are automatically installed. To make this happen, just make sure that the “Important security updates” option is turned on by going to System Settings > Software & Updates > Updates.
Update, secure.
Make use of Linux Firewall
The Linux kernel comes embedded with a Firewall component called ipfire. This offers a pretty effective tool to manage network traffic and also to check different types of cyberattacks. In Ubuntu you will find the application called Uncomplicated Firewall (UFW), which is a frontend program that simplifies setting up iptables. UFW is disabled by default. To turn it on, you can bring up the command prompt and type the following:
$ sudo ufw enable
A graphical configuration tool like GUFW or UFW Frontends could be a good tool to learn more about ipfire and, more relevant, what it can do for you.
Fedora comes with the alternative firewall management toolkit called FirewallD. It’s enabled by default, so you can chill. A graphical user interface is also available for FirewallD. Called firewall-config, you can install it from the command prompt using:
$ sudo yum install firewall-config
Stay secure within the wall
Improve browser security
It’s important to have the browser secured as much as possible since the browser provides the way in for many contemporary cyber attacks. This is true whether you use Google Chrome, Mozilla Firefox, Opera or any other browser for that matter, so no point pointing the finger at any particular one.
However, to improve browser security, and your privacy, multiple free extensions are available. Some of the most effective options include HTTPS-Everywhere, Adblock Plus, NoScript, Ghostery and Disconnect.
Close the chink in the browser!
Use an anti-virus software
Those who are super-confident of the security provisions that Linux naturally brings to the picture (and you’ll be surprised by how many there are) may say that an anti-virus on a Linux system is totally unwanted. One reason why they say so is that most malware detected on a Linux system will be for Windows. But that doesn’t mean that it’s not a part of your problem. For instance, what if you pass a corrupted file to someone else? And while it’s a fact that malware on Linux desktops is rare compared to other systems, that still doesn’t mean that it doesn’t exist. It also doesn’t mean that you are completely immune to attack. After all, rare doesn’t mean zero.
Don’t be anti anti-virus!
Most secure distros
Tails
One of the more widely recommended distros is Tails, and for good reasons. Tails is actually the short form for The Amnesic Incognito Live System. What makes Tails extremely recommendable is that it’s user-friendly while having significant stress on security. Instead of just focusing on a secure OS, it also ensures that whatever you do on the system also remains secure, at least as much as possible from the get go. Tails is based on ‘s stable branch, so you can put your heart at ease since it’s known for the great stability and security. Also, Tails runs in a live environment alone, which is actually a smart security feature, given how it completely wipes out any trace of use on the system once it’s shut down or restarted. Talk about being security conscious from the very beginning!
Offers great stability and security
Just about every need you may encounter is addressed with one software or the other that Tails comes with. A customized browser that uses the Tor network is a case in point. Also, in Tails, Firefox includes other extensions to make browsing extra-secure, with HTTPS Everywhere and NoScript.
LPS
Lightweight Portable Security or LPS is another feasible option. The distribution, in fact, is maintained by the American Air Force. LPS is also kind of unique for the fact that it has a very minimalistic approach. The hardened code aside, it has a lightweight desktop environment which is akin to Windows XP. The environment includes Firefox and some additional tools. You also get to use what’s called an “Encryption Wizard” that will help you gain more privacy and security, and which is easy to use. As with Tails, LPS too runs only in a live environment. And yes, it doesn’t leave traces once you shut down or restart.
Minimal but secure
The common Ubuntu distribution
Just because something is all too common doesn’t necessarily mean that it’s bad. It’s not enough to give you an all-encompassing secure environment like Tails but the OS would be enough to secure your system, as long as your security requirements are regular. You will need to keep the OS updated with available patches using the distribution’s Update manager. Also, you can make things more secure by adding programs like OpenPGP or Tor.
Common, but uncommonly secure!
Make use of Security-Enhanced Linux (SELinux)
There exists a Linux kernel security module called Security-Enhanced Linux or SELinux. It provides a means by which you can assign security policies for different software, limiting how much data they can access and the functions they can perform. The users and roles in SELinux needn’t be related to the actual system users and roles. For each current user or process, SELinux will assign a three-string context which contains a username, role and domain. Usually, most of the actual users will share the same SELinux username while all access control is managed via the third tag, the domain. You can use the command ‘runcon’ to launch a process into a clearly specified context (user, role and domain). However, SELinux may deny the transition if it hasn’t been approved by policy. Separate measures to protect system integrity (basically the domain type) and data confidentiality are one of the key features of SELinux. SELinux comes as a part of RHEL Version 4 and subsequent releases. The supported policy in RHEL4 is not that restrictive, since a key objective is to bring in the maximum ease of use.
Methods for securing the Linux server
Encrypt data communication
It’s common knowledge that any data transmitted over a network can be monitored. However, it’s unfortunately not a common enough practice to encrypt the transmitted data using passwords or keys/certificates. You shouldn’t make the same mistake. Encrypt data communication whenever it’s needed or possible. You can use ssh, scp, rsync or sftp to transfer files. It’s also possible to mount a remote server file system or a home directory with the aid of the special sshfs and fuse tools. GnuPG is also something you can use: it allows you to encrypt and sign data and communication and also has a versatile key management system and access modules for all types of public key directories.
Talk safely!
Use only the software that you actually want
We live in an age of choices, especially if you are a netizen. But that doesn’t really mean that you need all those web services installed in the system, does it? If you don’t install unnecessary software, you are by default bringing down the system’s vulnerabilities. You can use an RPM package manager like yum to review the installed software packages on the system. That will give you a good idea of which packages are actually utilized and which are just taking up the space. Remove the latter.
Keep it simple, keep only those you want!
Make a rule of running just one network service per system
It’s always advisable to run different network services on separate servers. This is so that the number of other services which could be compromised can be limited. For instance, if a hacker successfully exploits a software like Apache Flow, then that person gets access to the entire server including other services like e-mail server and MySQL.
Let’s call it the power of one!
Disable root login
It’s never a good idea to login as the root user. Root level commands can be executed, as and when required, using sudo. Sudo enhances the security of the system without sharing the root password with other users and admins. It also gives some simple auditing and tracking features.
That’s cutting off the root of a problem!
Ensure security of the physical server if you have one
It must be ensured that the Linux server’s physical console access is protected. To this end, configure the BIOS and disable booting from external devices like DVDs and USB drives. To protect these settings, set a BIOS and grub boot loader password. Make sure that all production boxes are locked in Internet Data Centers, and that everyone passes through some security measure before they can access the server.
Don’t forget what’s in the brick-and-mortar world!
Delete X Windows
X Windows on a server is not exactly necessary. No reason exists for you to run X Windows on your dedicated mail and Apache web server. X Windows can be disabled and removed to improve server security and performance. Edit /etc/inittab and set the run level to 3. To remove the X Windows system, use the following command:
# yum groupremove "X Window System"
Turn off IPv6
The Internet Protocol version 6 (IPv6) brings in a new internet layer of the TCP/IP protocol suite which not only replaces IPv4 but also provides multiple benefits. There exist no decent tools at present with which you can check a system over the network for IPv6 security issues. The IPv6 protocol is set as default by most Linux distros. And bad traffic can be sent by crackers via IPv6 since most admins don’t monitor it. Unless it’s required for the network configuration, either disable IPv6 or set up a Linux IPv6 firewall.
Disable unwanted SUID and SGID Binaries
Any SUID/SGID-enabled file could be misused if the SUID/SGID executable has a security issue or a bug. Also, any local or remote user could make use of such a file. Finding all such files is therefore highly recommended. You can use the following commands for the same:
# See all set user id files:
find / -perm -4000
# See all set group id files
find / -perm -2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# List regular files with either bit set, with details
find / -type f -perm /6000 -ls
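An added example, not from the original text, that builds on the find commands above: it lists set-user-ID and set-group-ID files under a directory and reports any that are missing from a reviewed allowlist. The function names, the allowlist file and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files against an allowlist of reviewed paths.
# Function names, allowlist format and demo paths are hypothetical.

# list_setid DIR
# Print every regular file under DIR that has the set-user-ID or set-group-ID
# bit. "-perm -4000" / "-perm -2000" are the portable spellings; -xdev keeps
# find on one filesystem so /proc and network mounts are not walked.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid DIR ALLOWLIST
# ALLOWLIST holds one absolute path per line. Prints the set-id files that are
# NOT on the list and returns 1 if there are any, 0 if everything is expected.
audit_setid() {
    unexpected=$(list_setid "$1" | grep -Fvx -f "$2" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# --- Demo on constructed files (safe to run as an ordinary user) ---
demo=$(mktemp -d)
mkdir "$demo/bin"
: > "$demo/bin/reviewed-tool"
: > "$demo/bin/forgotten-tool"
: > "$demo/bin/ordinary-tool"
chmod 4755 "$demo/bin/reviewed-tool" "$demo/bin/forgotten-tool"
chmod 0755 "$demo/bin/ordinary-tool"
printf '%s\n' "$demo/bin/reviewed-tool" > "$demo/allowlist.txt"

if audit_setid "$demo/bin" "$demo/allowlist.txt"; then
    echo "no unexpected SUID/SGID files"
else
    echo "review the files listed above, then remove the bit with: chmod u-s,g-s FILE"
fi
rm -rf "$demo"
```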
Use a centralized authentication service
Unless there’s a centralized authentication system, user authentication data will become inconsistent. This could lead to out-of-date credentials as well as forgotten accounts that ought to have been deleted. With a centralized authentication service, you can maintain central control over Linux/UNIX accounts and also authentication data. It will also be possible for you to keep authentication data synchronized between multiple servers. Instead of using the NIS service, go for OpenLDAP for clients and servers, if you want to have centralized authentication.
Secure OpenSSH Server
For remote login and file transfer, the SSH protocol is highly effective. But SSH is vulnerable to many types of attacks. So you better make sure that the OpenSSH server is secure.
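An added check, not part of the original text, that ties this section to “Disable root login” above: it reads an sshd_config file and reports the value sshd would actually use for PermitRootLogin and PasswordAuthentication. The function names, the sample file and the choice of "no" as the wanted value for both keywords are assumptions; the fallback defaults are those of current OpenSSH.

```shell
#!/bin/sh
# Added example: report the global value sshd would use for a keyword.
# Helper names and the sample configuration are hypothetical.

# effective_sshd KEYWORD DEFAULT FILE
# sshd_config rules that matter here: keywords are case-insensitive, the
# FIRST occurrence of a keyword wins, "Keyword=value" is parsed too, and
# everything after a "Match" line is conditional, not global.
# Limitation: Include files are not followed.
effective_sshd() {
    awk -F'[ \t=]+' -v key="$1" -v def="$2" '
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(key) { val = $2; exit }
        END { print (val == "" ? def : val) }
    ' "$3"
}

# audit_sshd FILE
# Warn when root login or password login is still possible (assumed policy).
# Returns 0 when both are "no", 1 otherwise.
audit_sshd() {
    rc=0
    root=$(effective_sshd PermitRootLogin prohibit-password "$1")
    pass=$(effective_sshd PasswordAuthentication yes "$1")
    if [ "$root" != "no" ]; then
        echo "WARN PermitRootLogin is '$root' (wanted: no)"
        rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "WARN PasswordAuthentication is '$pass' (wanted: no)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK root and password logins are disabled"
    fi
    return "$rc"
}

# --- Demo on a constructed configuration ---
# The early lower-case line wins over the later "no", and the setting inside
# the Match block applies only to that user, so both checks warn.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
permitrootlogin yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "fix the settings above, then confirm with: sshd -T"
rm -f "$sample"
```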
Install and make use of Intrusion Detection System
A Network intrusion detection system (NIDS) is a useful ally in your fight for better system protection. As the name makes it clear, the NIDS is a system that detects intrusions, more precisely malicious activities like denial of service attacks, port scans and attempts to breach into a computer, by observing network traffic. You would do well to deploy an integrity checking software before the system goes online. If at all possible, you should install AIDE software prior to the system getting connected to a network. For those who don’t know, AIDE is actually a host-based intrusion detection system (HIDS) which can both monitor and analyze a computing system.
In the journey of securing your Linux system, the methods mentioned here will help you go a long way. And those who may wish to breach into your system will always fall short.
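The baseline-then-compare idea behind a host-based integrity checker, as an added example that is not part of the original text and is not AIDE itself: it records SHA-256 hashes of a directory before the system goes online and later reports added, changed and removed files. Function names and demo files are assumptions, and it expects the sha256sum tool from GNU coreutils.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline using sha256sum.
# It hashes file contents only; AIDE also tracks permissions, owners, etc.
# Function names and the demo tree are hypothetical.

# make_baseline DIR
# Print one "HASH  ./relative/path" line per regular file under DIR.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# compare_baseline DIR BASELINE
# Re-hash DIR and compare with the stored BASELINE file. Prints ADDED,
# CHANGED and REMOVED lines; returns 1 if anything differs, else 0.
compare_baseline() {
    current=$(mktemp)
    make_baseline "$1" > "$current"
    report=$(awk '
        # 64 hex digits, two separator characters, then the path (spaces kept)
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in old)) print "ADDED " path
            if ((path in old) && old[path] != hash) print "CHANGED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# --- Demo on a constructed tree ---
tree=$(mktemp -d)
db=$(mktemp)                        # keep the baseline OUTSIDE the monitored tree
echo 'PermitRootLogin no' > "$tree/sshd_config"
echo 'echo backup' > "$tree/backup.sh"
make_baseline "$tree" > "$db"       # taken before the system goes online

echo 'PermitRootLogin yes' > "$tree/sshd_config"   # simulated modification
rm "$tree/backup.sh"                               # simulated deletion
echo 'new file' > "$tree/unexpected.txt"           # simulated addition
compare_baseline "$tree" "$db" || echo "integrity check failed"
rm -rf "$tree" "$db"
```

Store the baseline on read-only or offline media; a baseline that lives on the monitored host can be rewritten along with the files it describes.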
CHAPTER #07
SECURING MAC OSX
Macs aren’t hacker-proof! Here’s how you can fortify your Macintosh
Introduction
The Mac operating system has long been associated with an aura of user-friendliness and immunity to viruses and other malware. In fact, it is true that there are almost no viruses (in the sense of malware that can silently infiltrate a computer without any user interaction) that affect Mac OS (thanks to its file permission system). However there do exist vulnerabilities, as exemplified by the Rootpipe fiasco, which was patched after a whopping 6 months in April 2015 (exclusive to Yosemite and not for older versions), only to be exposed as an inadequate fix a few days later. There are also quite a few trojans, which usually piggyback on other software like video plugins. Their installation, however, requires tricking the user into authenticating it.
Even the best Apples can have bugs
Of course, it is true that the Mac operating system is comparatively immune to malware, but that is only because most malware targets Windows operating systems, and malware written for Microsoft Windows will not run on an Apple Macintosh. If you compare it with the amount of different malware written for Windows, malware that targets Mac operating systems is a drop in a pond, but that is only because so many more people use the Windows operating system. So like it or not, Macs can and do get affected by malware and vulnerabilities, and are a far cry from being completely ‘secure’. Yet how many Mac users use anti-virus software? This anti-antivirus usage on Macs also means that even if there is malware common on the Mac OS, hardly any of it gets reported and as a result, it carries on its infiltration without raising any flags. After all, an evil genius would design his/her malicious software to be as silent and unobtrusive as possible, in order to be detected as late as possible, post infiltration.
Other than malware, security breaches on a Mac are also possible via third-party software like a browser. In particular, Adobe Flash and Java have been notoriously popular with malicious hackers thanks to their many holes and bugs, some of which allow the applet to gain access to the filesystem of the computer (if granted permission), but they are not the only culprits. Now that you have an idea of the potential threats to your system, here are some ways you can fortify your Mac:
Setting Up Safely
Whether you’re setting up your new Mac or upgrading your OS, there are certain steps you can take the first time you start up the operating system that ensure minimal susceptibility to malware. There must exist at least one admin account and if you’re the sole user, as is mostly the case, that will be you. It is a good idea to create an unprivileged non-admin account in addition to this, to use for your everyday activities. Doing this will greatly reduce the amount of risk that you are exposed to, and even if something malicious gets in, it won’t be able to accomplish much. Other than a compromise of privacy, the main purpose of security is that you don’t lose your files, so backups are also a basic step for prevention of data loss. Take them regularly, and take them often. Use your secondary account for your daily technology chores like reading manga or downloading songs. You can store your files without hassle and if ever you need to install something, you’ll be asked for the admin login details. On the one hand this does mean many more popup dialogues to enter credentials if you have relationship issues with software, but on the other, it gives you the freedom of being more exploratory while wandering the web. Also, set up your login screen to prompt for the password often if you leave your Macbook lying around.
Prevent a passerby peeping
Getting a Complete Firewall
Apple includes a firewall built in to the Macintosh; however, that is an incomplete firewall because it blocks incoming connections but has no check for outgoing connections, which is what malware writers use for stealing data. A good two-way firewall is one of the first pieces of software that one should install before wandering on the web. Sometimes software that you never suspected may be connecting to the internet without your knowledge, and without an outbound firewall, you will not know, nor be able to do anything about it. Software like Little Snitch 3 and Intego Net Barrier overcomes this limitation, allowing you to monitor and filter outgoing connections as well as incoming connections.
Purchasing Privately
The urge to shop is a powerful one; it can rival almost any addiction. Retail therapy is ever more accessible thanks to the modern ability to shop online and purchase with a few clicks. If ever this urge strikes you when you are using a public connection, like an airport or coffee house wifi network, your precious transaction data can be sniffed by an enterprising lurker. After all, what can be more lucrative information than credit/debit card numbers and passwords? Fortunately, most online transactions are secured by additional protocols so it is not super risky to order your groceries online before you board your flight. Besides making sure your connection is encrypted using https, you can use a virtual private network (VPN) to ensure that extra level of safety. VPNs offer an added layer of encryption and anonymity on the internet no matter where your entry node is physically located. Carrying out transactions and other sensitive communication over a VPN is sure to foil any attempts of sabotage from sniffed information.
Make yourself anonymous, use a VPN
Logging in Manually
By default, Macs are set to login automatically on boot, which makes things especially easy if you are the sole user of your system. While this is a great feature for the perpetually lazy, it is a potential security hazard for people whose system resides in a high traffic area and can be easily physically stolen. Once someone else picks up your precious Mac, all they have to do is open the screen and they are in. To disable this double-edged feature, open System Preferences, and inside Users & Groups you will find Login Options. Here you can set up your system to ask you to enter your user account manually every time you boot or open your Mac.
Encrypting the entire hard disk
In the event that your Mac lies in the hands of thieves, a surefire way to protect your sensitive data is by having it encrypted from the start. Apple’s FileVault is their proprietary software that encrypts all that you tell it to with the XTS-AES 128 algorithm. To turn it on, head to System Preferences > Security and Privacy > FileVault and, after unlatching the lock in the bottom left corner, click on Turn On FileVault. Your account will need to have a password, which you will enter to unlock your hard drive every time you start up your Mac, which ties in to the previous point. In addition, every time you power down your Macintosh it will encrypt the entire hard disk, making your precious data securely inaccessible to the prying penetrator.
Enable FileVault to secure your data
Auditing your Security and Privacy settings
Under System Preferences > Security and Privacy > General, it is a good idea to set your computer to allow the installation of apps only from the App Store and Identified Developers. In the odd case that you need to install some software that doesn’t have Apple’s verified developer signature, you will be asked to enter your admin password to authorize the one-off case. This step greatly reduces your chances of being affected by rogue malware, unless you blindly accept every exception request of course.
Also, if you head to the Privacy tab on the same System Preferences page and select Location Services on the left, the right hand pane will show you all the apps that are allowed to access your inbuilt location services and also the apps that have utilised this service in the last 24 hours. Keep a lookout for software that should have no business knowing where you are; it may be broadcasting your location to a malicious data merchant.
Make sure the bad guys don’t know where you are
Regularly Updating your Software
Another very basic precaution that can prevent you from being the target of a malware attack is regularly updating software, as most known Mac exploits target flaws in older versions of Mac’s OSX and other software. Security patches and fixes are rolled out officially in updates from the authoring company and so it is highly recommended to keep your operating system and all third party software up to date. This may sound obvious but many people skip updates out of data usage concerns or sometimes even pure laziness. While not always a must-have, software updates are almost always a good idea. Apple Store’s Software Update is the place where you can handle it all.
Keeping your Mac up to date
Staying away from Warez
Warez is a popular term for illegal peer to peer file sharing software that allows users to download and share pirated songs, movies, etc for free over the peer to peer network. Unfortunately, what most people don’t realize is that the drawback of this whole free file sharing system is that it compromises your identity online. Moreover, since it is illegal, the software will obviously not be verified and therefore it is a prime candidate for piggybacking malware or other malicious code. Other than the warez software itself, malicious code is often also added to the content files themselves, which unsuspecting users are in such a hurry to download. If you are a hardcore (or part-time) pirate who does not believe in contributing to the mega-corps, a safer (but still ‘illegal’) alternative is to use a bit torrent client over a VPN to ensure anonymity and encryption.
Installing ‘trusted’ and ‘reputed’ Antivirus software
Antivirus software is the single most effective solution against viruses, other than common sense safe browsing practices. It is important to note that life often offers u-turn plot twists for the unsuspecting wayfarer, such as the ‘trusted’ and ‘reputed’ antivirus software itself being the malware or adware. The problem is that even genuine antivirus software can only promote itself and convey its capabilities so much via web content and marketing, and someone who isn’t in touch with the industry may not be able to discern the difference. Genuine players carve out their reputation over time, so any good antivirus software will most likely be from a company which has been around for long and knows the field. Unfortunately, many unsuspecting users have fallen prey to software like MacKeeper, MacSweeper, MACDefender, and others. The common tactic is to scare users with annoying and unnecessarily exaggerated popups and ‘security warnings’ that are designed to make well-meaning but non-tech-savvy people download their software. While there are almost no strict viruses that can wreak havoc in the Mac ecosystem (as of now), it is still a good idea to have antivirus software like ClamXav to look over your files, especially those that are frequently exchanged with others. Even though a virus for Windows will not affect a Mac, it can certainly pass through, and ClamXav (or your favourite Mac antivirus) can detect and delete it for you.
Setting up ClamXav for Mac
Conclusion
It is well and good to take precautions but at the end of the day, the fundamental piece of the security puzzle is the user. A lot of trouble can be avoided with common sense and safe browsing practices. Congratulations! By choosing to use a Mac you have already dodged 99% of the malware out there. Thanks to statistics, along with the above mentioned steps, you may yet remain protected as you surf the wide web. A cliché worth repeating: better safe than sorry.
Good or bad, technology aids every business
CHAPTER #08
WAYS TO SECURE YOUR SOCIAL MEDIA ACCOUNTS
You spend a lot of time on social media sites. So do potential threats. Here’s how you can better secure yourself.
Social media is where it’s all at right now. The most happening places on the Internet are social media sites. So it comes as no surprise that for most of us, social media sites are pretty much our second homes. So naturally, when so much is happening on one platform, it’s very likely that someone or the other would take this opportunity to snag some sensitive information out of you, and in most cases you won’t even realise you’ve lost that sensitive info, which could result in financial losses for you, among other things. In order to prevent such a thing from happening, you would do well to adopt certain methods to secure your social media accounts. Here’s what you need to know to do that.
Enable two-factor authentication
Two-factor authentication has been around for a while but it’s only been of late that folks seem to have woken up to its use. Well, better late than never, we say. Simply put, it asks you to enter a secondary bit of information so that you can access your account. This means that even if a password or PIN is stolen, your data security isn’t compromised. In fact, two-factor authentication is way more secure than passwords.
As per experts, many a high-profile hack, including the one in 2015 where the Twitter accounts of many media organisations in the US were hacked, wouldn’t have happened if two-factor authentication had been in place. The reason is that even if malware is placed on a system and the password is stolen, the password alone is still not enough for a breach.
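Most authenticator apps implement the second factor as a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from this guide or from any social network: it shows a login check in which a stolen password alone fails, a code from the user's device succeeds, and a replayed code is rejected. The Account class, its method names and the demo secret are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since 1970."""
    return hotp(secret, int(unix_time) // step, digits)


class Account:
    """Hypothetical server-side account record (an assumption for this example)."""

    def __init__(self, password: str, totp_secret: bytes):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self._totp_secret = totp_secret
        self._last_step = -1  # highest time step already consumed (replay guard)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def login(self, password: str, code: str, now: float, step: int = 30) -> bool:
        # Factor 1: something you know.
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return False
        # Factor 2: something you have. Allow one step either side for clock drift.
        current = int(now) // step
        for candidate in (current - 1, current, current + 1):
            if candidate <= self._last_step:
                continue  # this code, or a later one, has already been used
            expected = hotp(self._totp_secret, candidate).encode()
            if hmac.compare_digest(expected, code.encode()):
                self._last_step = candidate
                return True
        return False


# Constructed demo values: the shared secret is the published RFC 6238 test key.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    password = "correct horse battery staple"
    acct = Account(password, DEMO_SECRET)
    now = 59  # fixed timestamp so the run is repeatable
    print("password only  :", acct.login(password, "", now))
    print("password + code:", acct.login(password, totp(DEMO_SECRET, now), now))
    print("replayed code  :", acct.login(password, totp(DEMO_SECRET, now), now))
```

The secret is shared once when 2FA is enrolled (usually via a QR code) and never typed at login, which is why malware that only captures the password cannot produce a valid code.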
Two-factor doubles the security
Make use of a password manager
Coming up with a super-secure password is not our niche. This makes using a password manager a rather good idea, since it can generate secure passwords for you. LastPass is one such service. Once you have signed up for it, you can alter the password manually and then make use of the password manager’s secure password generator. A secure password does make your social accounts way more secure. But that doesn’t mean they become impenetrable. However, the safety quotient certainly goes up with harder-to-guess passwords.
As much as possible, use a separate email address for social accounts
While it’s the case that many people are lousy at coming up with strong passwords, it’s also true that people often reuse the same password on multiple accounts. This can be a huge issue since if a hacker can access your social profile, they won’t just stick to your social profiles. To be more clear, they are gonna try the password on multiple platforms. Possibly the most sensitive digital data regarding yourself is to be found in your email account and you can be sure that the hacker’s gonna try the password there as well. If you are part of what we suspect to be the majority, you would have used the same password everywhere. The better alternative is to have a distinct email account for your social profiles. Make sure that the email you are using isn’t the one that has financial or other personal data attached to it. That way, even if someone gets into one of your social profiles and figures out the email ID, your main account remains out of reach. A simple but effective method by all means.
Manager for a secure environment
Keep it separate, keep things safe
As a recovery option, add your phone number
There are many social platforms, and most of them allow you, the user, to add a phone number as an emergency recovery option. The merit of such a move is that even if the account is compromised you can get the social profile to call the phone number and provide you the option to recover your account. Almost all the major social networks have this feature. It’s well worth your time to go through the account settings and enable the function.
A number, so that recovery is always an option
Make use of the privacy options on the social network
One of the simplest ways in which a hacker can access recovery info on you is by, well, looking at your profile. For instance, in Facebook one of the recovery questions is about the colour of your dog. Now assume that you have posted a dog’s picture on your profile. Since it’s posted publicly, anyone can see the picture. This holds true for other bits of information like the relatives’ maiden names etc.
So, unless you’re a celeb who wishes to flaunt each and every move that he or she makes in the course of a day, it’s probably a good idea to reassess the privacy settings on all social profiles and alter them according to your requirements.
Benefit from the built-in options
Be wary of suspicious links
The social media platform you are on may be cent percent reliable. But that’s not the case with all the people who use the platform, and one may not be sure that the folks who appear there are in fact who they claim to be. That’s why being wary of opening links shared on the platforms – particularly if they’re shortened links – is not a paranoid reaction but an intelligent strategy to stay secure. Another thing you need to be cautious about is any link that’s embedded in an email message which supposedly arose from a social network provider, or some other trusted source. If at all you find yourself on a page which doesn’t feel right, close the browser tab, making sure that you don’t click on any buttons on the page itself, so that you don’t end up the victim of clickjacking attacks etc. You can instead try connecting directly to the site by typing the URL in the address bar.
If it doesn’t look right, it probably won’t click right!
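The checks described above can be done on the link text itself before anything is opened. The following is an added example, not part of the original guide: it inspects a URL offline and lists reasons for caution, including the shortened-link and "email claiming to be from a social network" cases. The function name, the shortener list and the trusted-domain list are assumptions, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Assumed lists for this example; extend them for the services you actually use.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}
TRUSTED = {"facebook.com", "twitter.com"}


def registered_under(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_warnings(href: str, claimed_sender: str = "") -> list:
    """Return reasons to distrust a link, judged from the URL alone.

    claimed_sender is the domain the message says it comes from,
    for example "facebook.com" for a mail that looks like a Facebook alert.
    """
    href = href.strip()
    if "://" not in href:
        href = "http://" + href  # what a browser would assume for a bare host
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".")
    warnings = []

    if parts.scheme != "https":
        warnings.append("not https")
    if "@" in parts.netloc:
        # https://twitter.com@198.51.100.7/ really goes to 198.51.100.7
        warnings.append("text before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible look-alike characters)")
    if host in SHORTENERS:
        warnings.append("shortened link: destination is hidden")

    if claimed_sender:
        if not registered_under(host, claimed_sender):
            warnings.append("host %r is not %s" % (host, claimed_sender))
    else:
        # A brand name placed on the left of someone else's domain,
        # e.g. facebook.com.account-verify.example.net
        brand_in_host = any(d.split(".")[0] in host for d in TRUSTED)
        genuine = any(registered_under(host, d) for d in TRUSTED)
        if brand_in_host and not genuine:
            warnings.append("brand name appears in an unrelated host")
    return warnings


if __name__ == "__main__":
    samples = [  # constructed examples
        ("https://www.facebook.com/settings", "facebook.com"),
        ("http://bit.ly/2dXyZ", ""),
        ("https://facebook.com.account-verify.example.net/login", ""),
        ("https://twitter.com@198.51.100.7/reset", "twitter.com"),
    ]
    for url, sender in samples:
        print(url, "->", link_warnings(url, sender) or "no warnings")
```

An empty list only means the URL has none of these specific warning signs; typing the site's address yourself remains the safer route.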
Check your email for suspicious login attempts
Good social platforms improve their information security practices more or less continually; Facebook and Twitter are particularly effective with their improvement strategies. Whenever there’s suspicious activity with regards to your account, you will be alerted. So, do check your email for such mails, and take appropriate action if necessary. Most of the social media accounts not only block suspicious login attempts, they will promptly ask you to change the password as well. If such is the case, you should by all means change the password asap to minimize the chance of a malicious agent laying his digital hand on your personal info.
One of the rare times when a mail not from a friend/family may be worth it!
Be conscious of the type of info you’re putting out there
This may sound kind of obvious – saying that you shouldn’t put up sensitive information for anyone to see. But the thing is, we all get carried away at times and end up putting up info – about others or ourselves – which would be better off remaining private.
And sometimes the info you share without realising might have been private for someone else. For instance, if you’re mentioning the names of your friend’s kids online, you should be sure that they are okay with that; younger people are always the most vulnerable on an online platform. As for your own privacy settings, you should do a double-check since your page may be visible to all viewers, regardless of whether they are a friend or not. Such public info, if it falls in the wrong hands, may be used for nefarious activities like identity fraud.
Draw the line on what you put on the page
Make use of good security controls
There exist good network security products that enable you to provide application control on FB and Twitter. A dedicated SSL application for decrypting SSL traffic or a next-generation firewall are examples. Some of these products would also scale based on the network performance requirements.
Avoid unnecessary add-ons and apps
Quite frequently, you see games and apps that are promoted through social media. Well it does make sense, since almost everyone spends more time on here than in the real world these days. But the problem is not just that there might be an overwhelming number of such ‘utilities’ that are promoted, there may also be those that are promoted with malicious intents by crooks. These apps may be promoted as things that enhance the functionalities of your social network or something similar but which in reality will be intended only for getting your sensitive information.
Bring in an ally, in this case a good security control
Be very sceptical about too-good-to-be-true offers
The social media is where you learn that your favourite nephew got a special certificate for participating in the school’s annual dance competition. It’s also where you learn that you can earn a hundred million dollars if only you would follow the shared link and give certain information. Information of the latter kind is most definitely bound to be spam. Sometimes, such updates appear to come from reliable sources, like, say the Coca-Cola company maybe? The bottom line is that whenever there’s an offer that promises way more than what your intuition tells you an offer should, or can offer, you should be wary of it. Clicking on the link could compromise your internet security. And be doubly careful if they ask for such sensitive information as your bank account details. Before taking any action check the website of the company from which the offer supposedly originated and verify if they have launched such an offer/campaign.
With these measures in place, your social life online ought to be safe and secure. Enjoy the updates, respond with emojis – even the tongue out variety, and have no worries! Yeah, that’s life, at least when there’s no work to do.
Avoid the unwanted, avoid a whole lotta headaches!
Too good is not always for the good
CHAPTER #09
SECURE YOUR COMMUNICATION
Be it email, voice, or instant messaging – we’ll show you how to keep all your communications away from prying eyes.
Till about a couple of years ago, security, especially for normal folks, was not a big concern. But the Edward Snowden exposé revealed to the public, for the first time, the extent to which our own governments are snooping on us and collecting our data. As if this wasn’t enough, there are also bad guys out there trying to break into our private channels of communication. So what do we do? There are many points of vulnerability when you are communicating with someone, be it email, phone calls, or WhatsApp. This guide will teach you how to plug all these holes and secure all your means of communication.
Internet
• Wi-Fi router settings
Your Wi-Fi is your gateway to the vast internet. It is also what makes you the most vulnerable. No matter what you do, a badly set-up router will remain a big potential source of leaks. Follow these steps to secure your router:
1. Change the default admin password and the SSID of the router. Go to 192.168.1.1 and log in using the default username and password you’ll find in the manual (or try combinations of ‘admin’ and ‘administrator’). If you want to go a step ahead, turn off “Wireless Web Access” too. This will make sure that only people inside your house with physical access via a LAN cable can change these settings.
2. Change the ‘Security mode’ under ‘Wireless Security’ to WPA2 Personal and use a strong password that doesn’t have any dictionary words, and has a good combination of letters, numbers and special characters. WEP is old and relatively easy to crack.
3. Update your firmware regularly. New vulnerabilities keep popping up and new patches and updates are regularly released. You can do this either by going to your manufacturer’s site and looking for updates for your specific model or, alternatively, checking for updates under the ‘advanced’ or administration settings tab in your router’s control panel.
4. Go a step further and install custom open source firmware like DD-WRT or Tomato. Most of the stock firmware on routers is clunky and includes many undocumented features and settings that can be exploited. There are many guides available online that teach you how to install custom firmware on your router. Link: http://dgit.in/DIYHckRtr
• TOR
It’s ironic that a project that was started by the US Navy has grown into something that is used by everyone from whistleblowers, to activists and privacy enthusiasts, to protect themselves and their identities from both the bad guys and the snooping government. TOR, short for The Onion Router, is right now being developed by a non-profit organisation dedicated to developing online privacy tools. TOR is so secure because it encrypts your data and sends it through random nodes on the network to the destination. This makes sure that anyone who is monitoring the traffic cannot trace any data back to its source or destination.
TOR is the best bet to secure all your communication going in and out of your machine
To use TOR, follow these steps:
1. The easiest and quickest way to use TOR is to download the TOR browser for your operating system, which is basically a modified version of Firefox with add-ons and features that connect it directly to the TOR network.
2. Download and install the software from the project’s official site only.
3. Open “start TOR Browser.exe” and a new window pops up asking if you want to connect directly to the internet over TOR or want to configure the settings.
4. Novice users should select ‘Connect’ directly instead of trying to configure the browser manually.
5. Check your IP address from both your normal browser and the TOR browser by going to www.whatismyip.com. If the two IP addresses displayed are different then you are all set to go. Browse the internet anonymously.
• VPN
A VPN (or Virtual Private Network) tunnels your entire internet connection through a virtual local network. What this means is that all the data leaving your computer is encrypted and goes through a network of computers, protecting your privacy from people trying to snoop on you. VPNs are a good choice if you are connected to the internet over some public Wi-Fi. There are a number of free and paid VPN services out there which are easy to download, install and use. Some of the good ones are:
1. OpenVPN server (free)
2. CyberGhost 5 (free)
3. Hotspot Shield (paid)
4. NordVPN (paid)
5. PureVPN (paid)
• Web browser proxies
Web browser proxies don’t encrypt your complete internet connection but only whatever goes in and out of your Web browser. There are a number of websites online that keep a list of active proxy servers which you can use with your browser. Hidemyass and ProxyNova are two such sites which have a long dedicated list of active proxy servers, with each proxy’s speed, level of anonymity and country of origin listed. Choose one from these and set up your browser to use the same. To use a Web browser proxy, do the following in your browser:
• Firefox: Tools > Options > Advanced > Network > Connection > Settings
• Google Chrome: Options > Settings > advanced settings > change proxy settings
• Internet Explorer: Tools > internet options > Connections tab > LAN settings > Use a proxy server
Once there, enter the port number and the IP address of the proxy server you are going to use. If the proxy requires a SOCKS connection, go to the advanced option and enter the settings.
PureVPN ranks among the best paid proxy services. It is also one of the fastest and most secure VPNs out there.
ProxyNova has a comprehensive list of proxies categorised according to countries
Cloud storage
Looking for the most secure way to share your files over the internet? There are a number of cloud services available in the market. Almost all of them provide their users with some free storage. But which one do you choose when you want not only to protect your data from hackers but also to be sure that the company that is offering you the service doesn’t rat you out? SpiderOak and Wuala are your top two choices. SpiderOak offers you 2GB free after which you can buy each additional 100GB for $10 a month, while Wuala gives you 5GB for free after which you can get 100GB for $12 per month. What these services offer and their more popular counterparts – Google Drive and Dropbox – don’t is that they locally encrypt your files and then upload them. This makes sure that even the companies and their employees themselves cannot access the files they have stored on their servers.
SpiderOak prides itself in having “Zero Knowledge” about your data
You can also add an extra layer of security by encrypting the files before uploading and sharing them. There are a number of software out there which can do this, like 7-Zip. Follow these steps to encrypt your files using 7-Zip:
1. Download and install the software from its official site (www.7-zip.org).
2. Select the file(s) you want to encrypt and right click.
3. Go to 7-Zip > Add to Archive.
4. Set the Encryption method to AES-256 and enter a strong password that is long and a good mix of letters, numbers and special characters.
5. Click on OK and voila, your encrypted archive is created.
Now share the file over cloud storage and share the password over some other medium like email or IM.
Email
Email is one of the most used means of communication over the internet, especially for important and sensitive information. Unfortunately, it is also one of the most vulnerable ones. Email accounts are regularly hacked and emails are routinely intercepted. Your email provider keeps a record of all your emails, which they have to hand over to government agencies in many cases. So what can you do to secure your email account? Read on to find out.
The emails you send don’t only contain the text and attached files. They also have a lot of metadata like your IP address. Email service providers such as Yahoo and Hotmail don’t hide this information, which makes you more vulnerable. Gmail on the other hand hides your IP address and, unlike the former two, also encrypts the content of the mail. But it still keeps a record of them. However, you can use the ‘Secure mail for Gmail’ Chrome extension to encrypt and decrypt emails from right within your browser window.
SecureMail for Gmail is an extension that lets you encrypt and decrypt emails right from your browser window
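The metadata mentioned above can be read straight out of a raw message (most mail clients offer a "show original" or "view source" option). The following is an added example, not part of the original guide: it parses a constructed sample email with Python's standard library and reports what the headers reveal about the sender. The sample addresses, host names and the function name exposed_metadata are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; IP addresses are from documentation/private ranges.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.25])
\tby inbox.example.org with ESMTPS; Mon, 03 Oct 2016 15:44:09 +0000
Received: from [192.168.1.23] (unknown [203.0.113.77])
\tby smtp.example.net with ESMTPSA; Mon, 03 Oct 2016 21:14:06 +0530
X-Originating-IP: [203.0.113.77]
X-Mailer: ExampleMail 4.2 (Windows)
Message-ID: <57f2a1.9c@laptop-priya.example.net>
Date: Mon, 03 Oct 2016 21:14:05 +0530
From: priya@example.net
To: friend@example.org
Subject: hello

See you at six.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ips(text):
    """Return the valid IPv4 addresses in a header value, in order, without repeats."""
    found = []
    for candidate in IPV4.findall(text or ""):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # looked like an address but is not one (e.g. 999.1.1.1)
        if candidate not in found:
            found.append(candidate)
    return found


def exposed_metadata(raw):
    """Summarise what a message's headers disclose about its sender."""
    msg = message_from_string(raw)
    # Every relay adds its Received header at the top, so the last one in the
    # list was written by the server that took the mail from the sender's device.
    hops = msg.get_all("Received", [])
    sender_hop = hops[-1] if hops else ""
    date = msg.get("Date")
    message_id = msg.get("Message-ID", "").strip().strip("<>")
    return {
        "sender_hop_ips": find_ips(sender_hop),
        "x_originating_ip": find_ips(msg.get("X-Originating-IP")),
        "mail_client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "utc_offset": parsedate_to_datetime(date).strftime("%z") if date else None,
        "message_id_host": message_id.split("@", 1)[1] if "@" in message_id else None,
    }


if __name__ == "__main__":
    for field, value in exposed_metadata(SAMPLE).items():
        print(f"{field:18} {value}")
```

In the sample, the recipient learns the sender's home-network address, public IP address, mail program, time zone and computer name without reading the message body; sending a test mail to yourself and viewing its source shows what your own provider includes.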
If you want to go a step further, use an email provider like RiseUp. https://mail.riseup.net provides free email and is aimed at activists who need a secure and anonymous means of communication. The company uses a secure connection for both logging in and sending emails just like Gmail, and also has very strict policies in place to protect their customers’ privacy. But the thing with Riseup is that you need ‘two invite codes’ from existing users to sign up. There are a number of other secure web services like Rmail, Sendinc and Hushmail which provide a free limited account and a fully featured paid account. Infoencrypt is a website that lets you encrypt the text of your email. All you have to do is enter the text and a strong encryption password and it will encrypt the text using a strong encryption algorithm. Copy and paste the text into your email, and share the key separately with your recipient.
Instant Messenger
Instant Messengers are the quickest form of communication used in today’s world. There are a number of secure instant messaging applications and services out there. The best options if you want to secure your IM conversation are:
• WhatsApp, the world’s most popular instant messaging service, currently owned by Facebook, added end to end encryption to its application a few months ago. What this means is that the messages sent by you are automatically encrypted and decrypted only by the receiver. This makes it almost impossible for anyone snooping on your conversation to intercept and understand the messages. Even the company itself can’t decrypt your messages. WhatsApp offers more than enough basic security for the privacy conscious out there but it still lacks in places. The company still keeps a backup of your messages on its servers and maybe even logs your whole activity. Which means it is stored somewhere on a computer. And if the data is stored somewhere it can be hacked. Switch over to some other application if you want more security and privacy, otherwise WhatsApp does just fine.
• Download and use Pidgin: The application supports a number of existing messaging protocols, letting you use your existing accounts with it easily. Though the main feature is the end to end encryption, which is activated only after the Off-the-Record plugin is added.
• Chatsecure is another free application for both iOS and Android that helps you keep your messages private. It does this by using various open source cryptographic libraries along with OTR and Tor.
• Silent Text is one half of the Silent Circle software package that lets you send secure, encrypted voice, video and text communication. The software comes at a price of $12 per month and is one of the best in the market.
• TextSecure for Android and Signal for iOS are a pair of secure SMS / IM applications by the company WhisperSystems. TextSecure integrates with your default Android messaging application and automatically encrypts the message you send to another TextSecure user. Signal, the iOS application, does not integrate with the system like its Android counterpart does, but works the exact same way. Also the two apps can be used to securely communicate with each other. Both the applications are freely available on Google Play Store and iOS App Store.
• Telegram is another good option for people looking to securely communicate with their friends and families. The creator of the application describes it as “WhatsApp but encrypted, cloud based and faster”. The application also has the features that a good IM app has, like sharing media and messaging up to 200 people at once, but it is its security features that set it apart. The application not only uses end to end encryption, making your communication safe and secure, but also has a secret chats feature that leaves no trace of your communication on the Telegram servers. You can also set a time for automatic deletion of your messages.
Call
The Edward Snowden leak brought NSA’s infamous PRISM program to the limelight, making the world realise the extent of invasion of privacy that governments have been involved in. So how does one make a phone call without being afraid that each and every word you are saying is being recorded somewhere? Simple. Use one of the following applications:
• Redphone (Android only) - An application by the same WhisperSystems who developed TextSecure and Signal, Redphone lets you make free encrypted calls through your Android phone over the internet. The application encrypts everything from your data to the metadata attached to your call, shutting out everyone trying to eavesdrop on the conversation, be it the government or a hacker.
• Silent Phone (iOS and Android) - The paid application lets you make secure and encrypted phone calls between Android and iOS too. Also, the Silent Phone user can call non-users with it, where only one side of the conversation will be encrypted.
• Ostel (iOS and Android) - Another paid application, Ostel uses Open Secure Telephony Network to make encrypted calls across platforms. All you have to do is create an account on Ostel.co and download the application for your device (CSipSimple for Android, Groundwire for iOS and PrivateGSM for Blackberry and Nokia for those who still use them). Once downloaded you are all set to make secure encrypted calls to other Ostel users.
Ostel lets you make secure and encrypted phone calls between android and iOS
Video conferencing
Microsoft’s Skype and Google hangout, two of the most used video conferencing tools, both encrypt your communication, making it safe from prying hackers. But your whole communication goes through the servers of the companies, where they are also logged and stored. This information in some cases could be revealed to the government agencies.
Even though Skype encrypts your communication, it still stores the data and logs on their servers making you and your data vulnerable
The best and most secure video conferencing tool out there right now is Bitmessage – a complete email suite. Based in part on the ‘bitcoin principle’, the service encrypts all its communication data and metadata, and can also be used with TOR. You can download its official client called PyBitmessage with a built in video conferencing tool. Facetime, the competitor by Apple, provides end to end encryption, but the company is known to regularly comply with court orders and government agencies. Also, there are a number of paid software out there like OmniJoin and BlueJeans that provide safe and secure cloud based video service.
CHAPTER #10
SECURE YOUR CLOUD DATA
Though every service promises security of your data, this ‘security’ has far more facets than those which meet the eye
Remember one of your friends’ birthdays when you planted face-first on the giant pizza and your best friend took a snap of that moment? Well you did ask your friend to put it safe on the cloud, so it should be fine, right? Or not?
Cloud storage and online backup have now become household terms. We use them to save our important documents which we want to make available everywhere or simply share our favourite moments with others. Cloud-first has also become a primary part of a lot of businesses’ strategies. The productivity ease and versatile storage capabilities make it a lucrative technology to invest in. But even with such widespread acclaim, most of us fail to consider the underlying truth about the internet. Nothing is safe. Or at least not safe forever. In the light of this revelation, encryption becomes a guardian for everyone. But the trouble is, encryption and online security have many layers to them and therefore it’s easy to get fooled into believing that your data is being kept ‘secure’. This ‘security’ could mean any level of security. Most of the popular services such as Dropbox lack substantial security measures to truly make your data private. Plus, HIPAA compliance, which protects your medical information from being openly available, is also not given much importance. But there is always a silver lining on the internet. Here are some services which actually provide security to your data.
pCloud is a Swiss service, which inherently means extreme privacy. To increase the confidence of people, they even hosted a challenge to hack their system within 6 months. Interestingly, no one was able to take the prize of $100,000 home. The next thing you notice is the generous amount of free storage the service provides. 20GB! Sharing the files is just a right-click away. But the service lacks a ‘View only’ feature and the ability to allow multiple users to edit the files simultaneously. Also, instead of creating shared folders similar to what other services do, pCloud sends upload links to all users. There is also a nifty Facebook and Instagram data backup feature if you’re into it. The business plan offers storage space to every member of the team along with a coming soon feature which’ll enable custom branding.
Pricing:
• Free - 20 GB
• Premium - US $3.99/Month - 500GB
• Premium Plus - US $7.99/Month - 2TB
• Business - From US $50/Month - From 5TB (multiple users)
Sync.com is an excellent choice in almost everything. Incredible security, easy to use, superior control of file sharing permissions and great transfer speeds. The service works in a common manner. Create an account, download the client, drop files into the unique folder and the service does the rest. The ability to set expiry dates for folders, put download limits, wipe accounts remotely, save audit logs, have access to unlimited versions and HIPAA compliance make it a wonderful choice for businesses as well. Although only the latter two are available in the free account. Downsides? The desktop client poses limitations in sharing options and often requests opening of the web version. The single sign-on helps considerably in this matter though. Also, the mobile app and web version lack the ability to upload folders.
Pricing:
• Starter - Free - 5GB
• Business Pro - US $49.00/Year - 500GB
• Business Pro - US $89.00/Year - 2TB
E-box is a service which is best kept for businesses. Everything from complexity of the features to pricing modules says it all. E-box boasts of a web interface which is simple and able to run on all interfaces, plus there are no software installations required. The experience here is actually a mix. There is also a robust grouping system. This allows some really great permissions and file sharing customization. There is also an extremely detailed auditing system, which records every single action performed by every single user with timestamps. The security is almost impossible to crack, but giving the ability to manage keys personally would have been a more powerful option. Sharing files or folders requires the other user to have an E-box account; there is no way to share public links. The interface doesn’t provide any preview or a quick access menu. This, coupled with a complicated UI, especially during initial setups, can be a major setback. Although there is an interactive wizard to help you around a bit. E-box might lack a huge deal in terms of user interface, but it fills that void with its richly detailed features which allow an exponential amount of customization.
Pricing:
• Business - £5/Month/User - 1TB/User (multiple users)
• Private Cloud - From £1,000/month - Customized
SpiderOak One sacrifices usability for extreme security. This one’s for
people who don’t care much about anything other than security and privacy. SpiderOak calls this Zero-Knowledge Guarantee where the user owns the
encryption keys. Every file is locally encrypted on the user’s computer before being sent to the server, making it nearly impossible for anyone to
peek in. Along with a highly secure storage service, One also provides a backup service, which while being highly secure is a bit complicated. There is no actual ‘Restore’ button, instead you’re forced to download the files and folders to a location of your choice. An ability to automatically download to the original location is missing. Also there are no step-by-step wizards to guide you along the way. From the perspective of user interface the service leaves a lot to be desired. But as mentioned before, this one’s a mighty contender for security. Unlike most sync services, One doesn’t require you to create a separate folder, instead you can choose any of your existing folders to be enabled for syncing.
Pricing:
• 2GB - Free - 60-Day trial
• 30GB - $7/Month or $79/Year
• 1TB - $12/Month or $129/Year
• 5TB - $25/Month or $279/Year
Now sometimes, for some reason, you cannot leave your existing service. Maybe you have your work ecosystem set up or you’re not ready to leave the interface of your comfort. For such scenarios we have the following services which add local encryption to your files while you upload.
Boxcryptor encrypts files or folders and turns them into a .bc format which can then be easily uploaded or synced using any cloud storage service. Boxcryptor works wonderfully with any service that uses WebDAV. While you set up the client, Boxcryptor needs to be given a safe folder, which is basically your existing cloud syncing folder. To view an encrypted .bc file, Boxcryptor needs to be mounted on a drive. Paid versions allow filename encryption as well. The company package provides the master key and allows enforcement of policies.
Pricing:
• Basic Features - Free
• Unlimited Personal - US $48/Year
• Unlimited Business - US $96/Year (multiple users)
Viivo is similar to Boxcryptor: it locally encrypts the files. A little advantage here is that during installation, Viivo recognizes installed storage services and sets them up respectively. Instead of mounting a drive, a folder is created. The Pro version also includes multifactor authentication.
Pricing:
• Personal - Free
• Business - US $4.99/Month (multiple users)
Finally, cloud backup services. Cloud backup is a little different from cloud
storage. Where in storage you pick out files and folders to be put on the cloud to access later, in backup essentially a copy of your whole computer (excluding the OS) gets backed up on the cloud. Yep, these are the big boys of the town.
IDrive doesn’t provide unlimited backup, but it does come with an extensive amount of features and customization, though they might become too confusing at times. It also allows creation of backup sets to ease management of your backups. IDrive allows automatic sync and even file sharing.
Pricing:
• Free - $0.00/Year - 5GB
• Personal - US $69.50/Year - 1TB
• Personal - US $139.00/2 Years - 1TB
• Personal - US $499.50/Year - 10TB
• Personal - US $749.25/2 Years - 10TB
Crashplan provides unlimited cloud backup. In fact, it’s considered truly unlimited. Apart from all the data, it backs up every version and even every deleted file. It supports backups from hardware such as a NAS. You are also given full control of your keys. The only major setback is the transfer speeds: for large scale backups, the service takes hours to both upload and restore the data. A point to be noted here is that the free service only allows managing of local and offsite backup, with a 30-day trial of online backup.
Pricing:
• Free - US $0.00/Month
• Individual - US $5.00/Month
• Family - US $12.50/Month (multiple users)
• Work - Customizable (multiple users)
Storage has been an integral part of our society since we learned to procure things. Now we can even make digital copies of almost everything. The advancement of the internet has truly boosted our ways of storing information. Although with this advancement came the risk of cyber thefts, thankfully we’re not hopelessly vulnerable. Prevention, another integral part of us, gave rise to encryption and other forms of digital security. It’s time we embrace them.
CHAPTER #11
SECURE YOUR WEBSITE
Be it a blog started on a whim, or your business’ e-commerce website, if you haven’t secured your website, you’re taking a huge risk
Businesses are increasingly moving online and we are already at a point in time where established physical stores and offices are shutting down to give way to online businesses. And on the other hand, due to the ease of setting up a website with one-click
solutions, small businesses and individuals are using the power of the internet to maximise their reach. But this ease comes at the cost of website security, which is often overlooked or left to the vendor. We are not saying that the vendors cannot provide security, but there is a catch. Take popular website CMS platform WordPress. Every hacker worth his money knows the default settings, usernames, login URLs, directory structures and more about WordPress. So leaving security entirely to the CMS or website vendor is not exactly brilliant. There are quite a few things you need to take care of to ensure that months of hard work from your side to set up the website does not go in vain.
The hiding part
From the early days of war and espionage until today, the importance of hiding your presence and details has always been a crucial tactic. Just think about it - how does one take something down when they don’t know what it is in the first place? The same effectiveness is completely applicable when it comes to the details of the content management system at the backend of your website. As mentioned earlier, the default details about most popular CMS options are very well known to hackers, and without additional protection, they are quite easy to hack into using standard well known methods. By just retaining the default folder structure, you would be handing over the access to your login URL on a plate. Nowadays most popular CMS providers allow renaming the default folder structure, including the administrator folders. And the best thing to do with that freedom is to go crazy and name them something that only you (and the other people with the authority) can guess. For the very same reason, also change the default username. This is not what is going to stop all the hackers out there, but it might be just enough to discourage the impatient ones.
Use a web firewall
Most of our digital devices are now secured with some kind of digital protection - mainly antiviruses and firewalls - like our PC, Laptop, Smartphone etc. because we are more aware of the possibility of an attack on those devices. What we often overlook is the fact that our website is also stored on a physical server somewhere, be it a dedicated server that you have set up, or the standard server provided by your CMS vendor. In both cases, setting up a firewall is not only good, it is essential.
[Figure: A typical WAF layout]
A web application firewall (WAF) is a server plugin or a physical device that sits in between all incoming traffic and your server. Its most basic job is to monitor all the traffic that tries to reach your server. There is a certain set of rules that each WAF follows to allow or block traffic at the checkpoint. It is especially good with HTTP traffic and can detect XSS (Cross-site scripting) and SQL injection attacks quite well and can also be configured to deal with additional, more sophisticated types of attacks. As we said earlier, this can be deployed at both the physical as well as online level. There are quite a few vendors with competitive offerings, and we suggest you check Amazon’s AWS offering.

Check file extensions
This might feel insignificant until you understand the true possibilities. If your website allows files to be uploaded, then there is most probably a way to use that process to gain control of your backend. For example, if your website requires the user to upload an image (for profile pictures, document verification etc) and renames the file using the user ID, then the user
can check the URLs of a few consecutive image uploads to figure out the directory address and naming pattern that the upload follows. Then, instead of uploading an image, the same user can upload a shell file (think of it like a backdoor access to servers; somewhat like a cPanel within a PHP file). Now, when the user hits that URL, instead of getting the image he would get a control panel that would let him take multiple actions that could create a lot of chaos at the very least. A simple way to make sure this does not happen is to enforce a check for filetypes being uploaded. To reduce the overhead, the check should ALLOW only certain file types and block everything else. Also, this block should not happen on the user end, as then it can be easily detected and worked around by looking at the source of any page. On the other hand, in no situation should the file be brought to the back end.
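A server-side allow-list check of the kind described above, as an added example in Python (not code from the original text). The function name, the signature table and the sample bytes are assumptions; it also goes slightly beyond the text by checking the file's leading bytes and by storing the upload under a random name instead of the user ID.

```python
import os
import secrets

# Allow-list: extension -> byte signatures a genuine file of that type starts with.
# Everything not listed here is rejected.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(client_filename, data):
    """Server-side check. Returns (True, stored_name) or (False, reason)."""
    # Only the final extension counts, so "panel.php.png" is judged as .png
    # and then has to pass the content check below.
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on the allow-list"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the extension"
    # Store under a random server-chosen name, never the client's name or the
    # user ID, so the final URL cannot be guessed from earlier uploads.
    return True, secrets.token_hex(16) + ext

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed sample bytes
    script = b"<?php /* constructed sample */ ?>"  # constructed sample bytes
    for name, body in [("avatar.PNG", png), ("panel.php", script),
                       ("panel.php.png", script), ("noext", png)]:
        print(name, check_upload(name, body))
```

Store the accepted file in a directory the web server serves as static content only, so that even a mislabelled file is never executed.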
Transport Layer Security vs Secure Sockets Layer
If the two terms above seem alien to you, just look at their abbreviations: TLS and SSL, the two protocols used for establishing secure and verified connections between websites, apps and web servers. And you clearly need to choose one over the other.
SSL is the precursor to TLS and although it is more widespread, it is definitely less secure. Recently, the POODLE vulnerability in SSL 3.0 was exposed, which allows access to sensitive information like passwords, cookies and more. This has caused a widespread shift to TLS and this one time, you should follow the crowd.
[Figure: The exchange involved in a TLS authentication]
When setting up your website, make sure that you manually configure your webserver, especially if you are going to deal with sensitive information like the ones mentioned above. And when you do, definitely go for TLS 1.2 even if it comes at an added premium.
Request validation
Some of the simplest website (and account) hacks have been done through request alterations, even directly in the URL. Quite recently, someone exploited a YouTube vulnerability that involved request alteration. Before we go further, let us make it clear that request here is the method used by HTTP to communicate with the server/backend (the intricate details about the workings of HTTP are best left for another Fast Track). What the person did was quite simple. When he tried to delete his own video, he simply altered the POST request generated at that point by replacing his video’s ID with a target video ID. This caused the target video to be deleted and understandably created a lot of panic among YouTubers. Something very similar could be easily executed on your website. There are extensions and browser plugins that allow you to tamper with POST (and other) requests, like ‘Tamper Data’ for Firefox and ‘Postman’ for Chrome. Hence it is quite easy to exploit most websites using this method. To avoid this, simply associate a random value to the user’s session when they log in (brownie points for you if you make this value hard to guess). Store a copy of this value on the server side too. With every POST request, include this value for validation, and reject any request where the two don’t match. With that, you’ve just made your website a lot safer.
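The per-session value check described above, written in Python as an added example (not from the original text); the in-memory stores, function names and video IDs are hypothetical. It goes one step beyond the text: the session value only proves that the request came from the logged-in session, so the handler also checks that the video ID in the request belongs to that session's user.

```python
import hmac
import secrets

SESSIONS = {}                               # server side: session id -> user and token
VIDEOS = {"v100": "alice", "v200": "bob"}   # constructed data: video id -> owner

def log_in(user):
    """Create a session; the returned token is embedded in every form sent to the user."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)       # random and hard to guess
    SESSIONS[sid] = {"user": user, "token": token}
    return sid, token

def handle_delete(sid, form):
    """Process a POST that asks to delete form['video_id']."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: no session"
    sent = str(form.get("token", ""))
    # Constant-time comparison of the submitted value with the server's copy.
    if not hmac.compare_digest(sent.encode(), session["token"].encode()):
        return "rejected: token mismatch"
    video_id = form.get("video_id")
    # The ID in the request is client-controlled, so check it against the
    # session's user before acting on it.
    if VIDEOS.get(video_id) != session["user"]:
        return "rejected: not the owner"
    del VIDEOS[video_id]
    return "deleted"

if __name__ == "__main__":
    sid, token = log_in("alice")
    print(handle_delete(sid, {"token": "guess", "video_id": "v100"}))
    print(handle_delete(sid, {"token": token, "video_id": "v200"}))  # ID swapped
    print(handle_delete(sid, {"token": token, "video_id": "v100"}))
```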
SQL Injection
For any poorly coded website, SQL injection is the easiest way to play havoc with their work. For most such websites, login information is handled in an SQL query. A normal user would enter their credentials which would be consequently authenticated. But a hacker could enter a very specific string that would change the logic of your authentication code to grant him access to the first account of the database, which is usually the administrator. Take the following code for example.
SELECT id FROM users WHERE username = $username AND password = $pwd;
If the hacker enters username as “1 OR 1=1; --” and any password, the statement is executed as
SELECT id FROM users WHERE username = 1 OR 1=1;-- AND password = any password;
The double dashes indicate the beginning of a comment, hence the password statement is ignored, and the user gets logged into someone else’s account.
To avoid this, you should use the “mysql_real_escape_string()” function (for PHP version < 5.0) or start using ‘mysqli’ (for PHP version >5.0). Both of them will filter out the unwanted characters and stop the hacker from exploiting the vulnerability.
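The login query above rebuilt in Python with the built-in sqlite3 module, as an added example (not from the original text), next to a parameterized version that passes the input as data. Table contents and function names are constructed. Because the input shown above contains no quote characters, the fix used here is parameter binding (available in PHP's mysqli as prepared statements), which does not depend on filtering characters.

```python
import sqlite3

def make_db():
    """In-memory database with constructed accounts; the first row is the admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plain-text passwords only to mirror the page's query; store hashes in practice.
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "constructed-admin-pw"), ("alice", "constructed-alice-pw")])
    return db

def login_concatenated(db, username, pwd):
    """Same shape as the page's query: input is pasted into the SQL text."""
    sql = f"SELECT id FROM users WHERE username = {username} AND password = {pwd}"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, pwd):
    """Input is bound to placeholders, so it can never become part of the SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, pwd)).fetchone()
    return row[0] if row else None

PAYLOAD = "1 OR 1=1; --"   # the username string quoted in the text above

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the condition becomes always-true, first account returned.
    print("concatenated :", login_concatenated(db, PAYLOAD, "anything"))
    # Parameterized query: the same string is just a username nobody has.
    print("parameterized:", login_parameterized(db, PAYLOAD, "anything"))
    print("real login   :", login_parameterized(db, "alice", "constructed-alice-pw"))
```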
[Figure: The example on a login screen]

Backup - Always!
Not all security involves building the strongest walls and the biggest turrets. A strategy for when the enemy does get through the gates is equally important. And when it comes to your website, backups are your best friends. On the rare chance that you actually lose your website, re-building it from day zero might be daunting enough to make you give up. To avoid that, go for regular backups. Use some reliable FTP tool like FileZilla to back up your entire website directory (folders, subfolders, files and everything in there) and put this backup somewhere safe online like Google Drive or Dropbox. And if you have any database associated with your website, back that up as well. All of this will be on top of the regular server side backups that your CMS provider takes. When in doubt, back up again.