Hiveword Blog

Technology and Writers

A Writer’s Guide to Online Computer Security

By Mike Fleming (@hiveword) on September 4, 2010 7:48 pm

Computer security and protecting yourself online are huge issues which will only get worse in the future. As technology and network effects get more and more compelling to the masses the attractiveness to scammers and hackers also skyrockets. Ownership of your computer and identity are at risk without a working knowledge of computer security and appropriate online behavior.

In this post I will highlight the main areas of computer security so that you can take proactive steps to protect yourself. While most of these issues affect everyone with a computer I will pay particular attention to the effects on an aspiring writer. Why the distinction? Because aspiring writers (and other creatives such as musicians) are not only users of computers and the internet but also unusually active participants as they market their work to the world.

Given the stakes let’s get started on this survey of computer security topics. This post is a long one and you have stories to write so if you’re pressed for time just slide down to the bottom where I’ve extracted most of the tips. You can then dig deeper into a particular topic if you’d like.

Here’s the high-level view of what will be covered:

  • Passwords!
  • Hardware
  • Software/Websites
  • Identity Protection

First up, passwords…

Passwords

Don’t you just hate that everything wants a username and password? What’s a harried writer to do given all the accounts that must be tracked: email, bank, Facebook, Twitter, blog, FeedBurner, and you name it? What people typically do is re-use passwords or make weak ones.

Reuse

Reusing passwords sure is easy. I’ve been guilty of that myself. The risk is that exposure of one password puts your other accounts at risk. It’s far better to write down your passwords than to duplicate them. If you do write them down try to use a cryptic notation that you will understand and (hopefully!) not forget.

Strength

Most of the time, weak passwords are far worse than reused ones. Using passwords such as “password,” “abc123,” your pet’s name, or your account name is an open invitation to be hacked. Besides being guessable they are also weak and fall quickly to automated password-guessing programs.

The fix? Be strong like your main characters. Strong passwords are at least 8 characters long and combine upper and lowercase letters, digits, and special characters (such as %). By using more than just lowercase letters you drastically increase the search space for password crackers and make it nearly impossible for a human to guess your password.

Luckily, many websites now provide password strength meters as you type your password. These indicators are basing the strength on the techniques I described above. So, a password like “jD8jf_6EE” will be considered strong. Your passwords don’t have to be quite so unmemorizable — do what’s easy for you while keeping the spirit like “jImmy_bonD007.”
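
An added example (not part of the original post) of how such a meter can work: a small Python sketch that applies the rules above (at least 8 characters, four character classes) and computes the size of the search space a password cracker faces. The short list of common passwords and the middle "fair" rating are assumptions made for this illustration.

```python
import math
import string

# Constructed sample of well-known weak passwords (assumption, not a real breach list).
COMMON = {"password", "abc123", "123456", "qwerty", "letmein"}

# Character classes named in the post, with the number of symbols each contributes.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "special": (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
}

def classes_used(pw):
    """Names of the character classes that appear at least once in pw."""
    return [name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)]

def search_space_bits(pw):
    """log2 of the number of candidates a brute-force cracker must cover for
    this length and alphabet. It is an upper bound: dictionary words and
    predictable patterns fall much faster than this number suggests."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def rate(pw, account_name=""):
    """Rate a password 'weak', 'fair' or 'strong' using the post's rules."""
    lowered = pw.lower()
    if lowered in COMMON or (account_name and lowered == account_name.lower()):
        return "weak"  # guessable, whatever its length or alphabet
    used = classes_used(pw)
    if len(pw) >= 8 and len(used) == 4:
        return "strong"  # the post's definition of a strong password
    if len(pw) >= 8 and len(used) >= 2:
        return "fair"  # assumed middle tier, not defined in the post
    return "weak"

if __name__ == "__main__":
    for candidate in ("password", "abc123", "jD8jf_6EE", "jImmy_bonD007"):
        print(f"{candidate:15} {rate(candidate):7} {search_space_bits(candidate):5.1f} bits")
```

Every extra bit doubles the number of guesses, so the jump from lowercase-only to all four classes matters more than it looks on paper.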

Sharing

What’s worse than weak or reused passwords? Sharing them, of course! Don’t, don’t, don’t do that. Just don’t. Not with your friends. Not with Aunt Tilly. And definitely not with other applications like Facebook or applications within it.

Oh, but you’ll be tempted to give SkyNet your email account info so it can scarf up your contacts. Mighty convenient and highly coveted by SkyNet, of course. So, if you must do that, allow the application to get what it wants and then change your password so it can’t go back to that well for another drink later.

Hardware

Your computer hardware plays a significant role in your computer security posture. The hardware I’ll talk about includes your computer, of course, as well as your router which is likely WiFi-enabled.

Computer

The surface area for exploits against your computer is huge. Your operating system (OS) may be Windows or Apple’s OS X but either way it has millions of lines of code. Hackers try to find flaws anywhere in that massive codebase which will enable them to get a foothold on your computer and take it over. No computer will ever be completely secure but let’s make it harder for them.

NOTE: Lest you think that because you use Apple products you are more secure you should think again. Like any computer, Macs can be exploited but Windows’ large installed base keeps most hacker attention there. As Macs get more market share you’ll see that the hackers will follow.

User Accounts

Has your computer ever run incredibly slow or spewed pop ups like a cheesy late night TV ad? You’ve got malware! Using the correct type of user account will help prevent that in the future.

While not commonly known among Windows users, you should not use an administrator (“root” in Unix variants like Apple’s OS X) account for day to day work. Instead, set up a separate non-admin user account and use that one most of the time. Doing this will help prevent malware from taking hold since it’s difficult for a program to get installed surreptitiously in a non-administrator account.

Operating System

As mentioned above, operating systems are complex. Hackers or the OS developer will discover a vulnerability and then the OS vendor will usually fix it so that the vulnerability cannot be exploited. These patches are included in the updates to the OS which are both regularly scheduled and on-demand when the situation warrants. As your OS falls farther and farther behind on these patches your system becomes more and more vulnerable. Moral: Stay up to date with your patches.

Antivirus

If you’re anything like me, antivirus programs rank right up there with having a nice case of toe nail fungus. I’ve never had that personally but I can imagine…

Anyway, antivirus programs often cost money, they slow you down, and they’re needy (Look at me, look at me!). Regardless, pick one and keep it updated. With antivirus programs staying current means you get regular antivirus definition updates AND updates to the antivirus program itself.

No antivirus program will catch all threats. In fact, they won’t even catch 50% of the threats but some prevention is better than none.

Router/Wi-Fi

Chances are you have a Wi-Fi router between your computer and modem. The router functionality allows you to hook multiple computers to an internal network for file sharing or internet access. It also hides the computers behind the router from being easily discovered by seedy folks on the internet who would love to break into your computer. Thus the router is serving as a firewall.

The Wi-Fi component allows a machine to connect to that internal network wirelessly. Mighty nice, yes?

By definition, Wi-Fi is wireless so the area of access is wider than the few feet around your router. If you don’t secure your Wi-Fi access you might find that the punk kid down the street is mooching off of your internet access. Not a big deal? That same kid is on your internal network because you allowed him in. Guess what? He just found the Quicken file you shared so that your spouse could view it on her laptop. Or maybe you shared your directory of fiction writing. I sure hope that kid doesn’t delete everything…

Perhaps I’m being overly dramatic but the scenarios above are easily possible. Luckily, the fix is easy:

  • Change the router’s default password
  • Enable the strongest security standard your router supports
  • Don’t broadcast your SSID
  • Avoid punching holes (aka opening ports) in your router for the Wii or other devices

Wi-Fi Hot Spots

Wi-Fi hot spots can be found in many places frequented by writers. Starbucks anyone? Airports, hotels, your neighbor’s unsecured Wi-Fi…

Be aware that when you join a network via an open access point you are taking a risk. Just like the punk kid scenario above, all computers attached to the access point are connected on the internal network and share the same risks as above.

If you must connect to an open access point ensure that you are running a software firewall to help detect any inbound connection attempts.

Software

The software category is quite vast. For example, I discussed operating systems under Hardware above but clearly it is software. For purposes of this article, though, I’m going to consider software to be browsers, web sites, email clients, and document-oriented software such as Word and Adobe Reader.

Browsers and Web Sites

Web browsers and the web sites they interact with are so intertwined I’m just going to treat them as a unit. Like operating systems, browsers attract a lot of hacker attention. They’ll look for a vulnerability that they can then exploit by getting you to go to a particular web site, for example.

On the other end of the connection you have web sites. The popular ones like Facebook also attract a lot of hacker attention. Hackers will try to find ways a trusted website like Facebook can be turned against its users. Website vulnerabilities can occur because of the web server software it’s using or coding mistakes on the website developers’ part.

Consider this: Your operating system runs a browser. The browser contacts a web server which processes the browser’s request. The browser then renders the response from the server. All of these components and interactions are subject to exploitation.

There’s no way that you can know or even guard against every possible attack vector so the only thing you can really do is practice proper digital hygiene. Being safe online largely requires behavioral changes assuming the basics from above are already in place. For example, antivirus software is useful when surfing the net since downloads (even those that you didn’t request!) would get checked.

Maintaining a posture of security while online mostly involves awareness. Without going into a lot of detail I’ll highlight things you should do to stay as safe as possible.

Browser Updates

Malware authors love when people use ancient browsers since there are likely many known exploits against them. Always keep your browser current. Updates not only fix bugs but close security holes. Configure your browser to automatically update and you won’t have to think about it.

Scripting, Active Content, and Browser Plugins

Today’s websites rely on JavaScript (and other scripting languages) for many things from essential functionality to cool effects. It’s also one of the things that makes the web unsafe because hackers can use it against you since the script runs in the browser and thus on your computer. A similar problem occurs with browser plugins such as Flash and PDF viewers which also run on your computer and are often exploited.

Because many websites rely on these technologies it’s often difficult to simply disable them even though that is the safest option. So, if you’re going to a new website you might consider turning off scripting until you determine that the site seems safe. Obviously, this method isn’t foolproof and it sure is painful but it’s almost a necessity especially if you’re surfing the seedier side of the web. Another way of doing this is to use a custom browser plugin that only allows scripting on sites that you specify. You could also have a different browser from your normal one configured without scripting and use that for general web surfing.

Finally, like browser updates you should also keep your browser plugins current for the same reasons.

Logging Out

Isn’t tabbed browsing great? There’s a great temptation to stay logged into a website in one tab while surfing in another. It’s very handy but that convenience lends itself to a particular security problem. Surfing in one tab while another tab is logged into your bank’s site (for example) can cause you to lose your latte money. Or your mortgage money.

If you care about the way this attack works you can have a look at the Wikipedia article on CSRF. Website developers can help prevent this problem but an easy behavioral fix is to ALWAYS log out of a website when you’re done with it but especially when you’re doing other surfing.

By the way, it’s not just browser tabs which cause this problem but I believe that they almost encourage the dangerous behavior. However, the same problem can occur with multiple browser windows or even one browser window. Moral of the story: Always log out.

URL Shorteners

URL shorteners such as the ones you see on Twitter are a ne’er-do-well’s best friend. I hate them. Pretty strong, huh? 😉 The problem with them is that you can’t tell where they’re ultimately going and a cleverly crafted URL could make your life miserable if you get sent to a malware site.

The big boys such as bit.ly go to great lengths to help prevent abuse and even provide tools to help you see where the link goes. If you don’t use one of these tools before clicking you might want to consider turning off scripting in your browser before you follow the link.

(Update: Twitter just announced their new forthcoming URL shortener called t.co which is designed to alleviate the drawbacks of other shorteners. You can see where you’re going and it will check if there’s malware at that site. Pretty nifty.)

Cookies

I love ’em! Especially with milk.

Most people seem to fear website cookies but they are generally harmless. They can be used to track you but they are very useful for a website so that it can personalize your experience.

Personally, I usually don’t worry about cookies. If you do you can turn them off or only allow certain websites to use them by configuring your browser settings.

Social Networking

“I’m doing laundry.”

Who cares! The signal-to-noise ratio on social networking sites like Facebook and Twitter is incredibly low. However, the risk of personal data exposure is high. Facebook, for example, is notorious for exposing (on purpose, even) data that you add to their site. Add in the element of location awareness such as FourSquare, Facebook Places, or Twitter’s location feature and you’ve now told too many people where you are. Or, perhaps, where you aren’t.

Of course a writer needs social networking to spread the word. So, use the tools but be careful. Watch what you say and don’t use the location features if that makes you uncomfortable. Avoid giving your username/password to applications that will then sign in as you to grab data. The most common example of this is Facebook (and third-party applications) which love to snatch your email contacts. If you’ve done this already I recommend immediately changing your password.

Finally, you may have a “friend request” from a scantily clad female that you don’t know. These “friends” are usually best avoided, unfortunately. Sorry, but don’t view their profile, either.

Email

The two main things I want to talk about regarding email are attachments and phishing.

Attachments

Most people know by now that attachments can be infected with malware. Powerpoint, Word docs, PDF files, and especially executable files could all be bad news. Avoid opening attachments from people you don’t know. Also avoid opening attachments from people you DO know if you weren’t expecting the file. (The reason is that your friend’s computer may be infected and sending emails on his behalf.)

Gmail has a nice feature where you can view the attachment in Google Docs. I sometimes do that to be safe.

Phishing

The concept of phishing is also getting to be better known now. If you’ve ever gotten an email supposedly from your bank that prompts you to login and even conveniently provides a link then you know what phishing is. The link is not to your bank’s website (even though it may look exactly the same) and they are just trying to collect your username and password.

Even if you think the email is legit you should not click the link. Instead, go directly to the site in your browser and login there.

Your Personal Safety

As someone in the public eye, you face special challenges as a writer since you might be singled out due to your fame. Whackos might try to acquire your home address or get you to open an infected file or web page. You can reduce your risk by securing your computer and watching what you do online as described above.

As a writer using the internet to market your work you probably have domains and at least one email list. Each can expose your home address.

When you sign up for a domain you must supply your address. Using a PO box or a service like Domains By Proxy will keep your home address private.

Regarding email, if you live in the United States you must comply with the CAN-SPAM act. The CAN-SPAM act requires you to provide your “valid physical postal address” when sending commercial emails. Using a PO box here would also prevent your home address from being exposed.

So, to summarize, secure your computer to the best of your ability. Refrain from risky online behavior and learn how to spot questionable emails, URLs, and web pages. Avoid giving out location information and if you must, make sure it is just regional and not lat/long coordinates! Even a regional location could give a stalker enough information to narrow a search in public databases.

Finally, remember that every little piece of information you provide online can be used against you. Think before you post.

Summary of security tips:

  • Use strong passwords
  • Don’t share or reuse passwords
  • Keep your OS updated
  • Use a non-admin account
  • Use an antivirus program and keep it updated
  • Keep your browser and its plugins updated
  • Wi-Fi/Router:
    • Change the default password
    • Enable the strongest security standard your router supports
    • Don’t broadcast your SSID
    • Avoid opening ports
    • Run a software firewall when using a Wi-Fi Hot Spot
  • Avoid providing location data or your home address
  • Beware of scripting in the browser
  • Always log out of a web site
  • Think twice about clicking shortened links
  • Beware of email attachments and phishing attempts

Please feel free to comment on anything in this post or discuss how you’ve addressed online security in your marketing efforts. I’d love to hear from you.