/ 9 October 2012

How to beat the hackers

When Mat Honan's life was electronically dismantled
When Mat Honan's life was electronically dismantled

On August 3, Mat Honan's digital life was utterly destroyed. In a matter of minutes while he watched power-lessly, hackers took over his email and social media accounts, deleting irreplaceable emails, documents and, most tragically, a year's worth of pictures of his infant daughter. The attackers even remote-wiped his Apple devices (an iPad and a Macbook computer), erasing all his data. Their goal? Not fraud. Not identity theft. They wanted temporary access to his Twitter account, because it had a cool nickname.

Many column inches have been written about Honan's experience, some by Mat himself. He is, after all, a journalist who writes for Wired magazine and, ironically, knows full well the online risks and the security techniques that could minimise them. (The technical details really don't matter much, but google "The hacking of @mat" if you're curious.)

More important is the point that if you're a target for hackers, no matter how trivial the reason, you can suffer immeasurable harm with no warning or recourse. Honan's case was unusual: there was a reason for him to be targeted. More commonly, each victim is merely one of millions of users exposed to untargeted email-borne viruses or infected websites. Malicious software then attempts to capture bank details or turn the victim's PC into a "zombie", under control of the attacker to send spam or conduct other attacks. Networks of zombies can number hundreds of thousands of infected machines, and they make big money for the hackers.

Oh, you have antivirus software? Good for you. But here's a reality check: the past 12 months have seen unprecedented self-flagellation by the security industry we thought could protect us. After the Flame virus was discovered to have been active and undetected for several years, Mikko Hyponnen, chief technical officer of antivirus firm F-Secure, described it as a "spectacular failure for the antivirus industry" and noted that "consumer-grade antivirus products can't protect against targeted malware."

Not only is your PC under attack, the web services you use are under daily assault too. Sites like Google, Facebook, Twitter, Dropbox and more are constantly targeted by attackers. Unfortunately, those services also frequently expose their users' data. Every week we see announcements of sites that have leaked passwords or been hacked, either through clever attacks or, more frequently, through simple incompetence.

So now what? Turn off the PC, ditch the iPad and swear off smartphones? Not so fast. A few good practices and you can enormously reduce the risk and pain of a hack attack. It might still happen: like hard-drive crashes, it's not a question of  whether, just a question of when. But take our advice, and you'll come through unscathed.

Antivirus
The obvious one first: antivirus software has its limitations, but you do still need it. Yes, even you on an Apple – it's a myth that there are no Apple viruses. There are plenty of good antivirus programmes out there, many of them free if you don't need extra features. Even if you just install Microsoft's free Security Essentials package, that'll help.

Back it up
Back up your data. Who cares if your PC is deleted or if the social media site you use goes bankrupt and takes your photos with it? Make sure every-thing you value is backed up as frequently as possible. External hard drives are cheap; there's no excuse. The converse should apply: anything you don't back up is not important and you don't mind losing it.

Mat Honan's most agonising loss in his hack was the pictures of his baby girl – even the copies on his PC were erased. Backing up is cheap and easy. Get into the habit of doing it and you won't suffer the same fate.

Trust no one
Never ever trust anyone who approaches you directly. No reputable service will ever email you and ask you for a password or any other identifying data. An increasingly popular scam involves a phone call in which a "service agent" claims to be working with Microsoft and to have detected malware on your PC. They ask you to visit a website to show you the infection and, before you know it, your PC is trashed and they're demanding money for "support". Don't fall for that. Anyone who contacts you directly is almost certainly a criminal.

That distrust should extend to any site you visit, in particular any site on which you create an account. And these days we all have dozens of accounts on all sorts of sites. It's rare for a week to go by without some news of a web site or social media service being hacked or leaking user details and passwords.

The unfortunate reality is that a lot of sites are really bad about security. In the rush to get services to market, companies cut corners and security is often one of the casualties. And it's not just the small upstarts that skimp on security. Big names like Sony and Dropbox have leaked their share of user data in recent history.

As a user, you have no way of knowing whether a site is secure or not. That ubiquitous padlock icon is meaningless (it's important that it's there, but it's no guarantee: it may just indicate secure access to an insecure service).

The only option is to assume that any service you use online, no matter how trustworthy it seems, is insecure and will give up your personal data and your password without putting up much of a fight. Tar them all with the same brush. While you're assuming the worst, also assume that the service is likely to go out of business and disappear without warning, -taking all your data with it and giving- you no opportunity to recover anything. (And that's okay, because you're backing up, right?)

A word about P4ssw0rds
We all know the mantras: Long passwords. Mixed case. Special characters. Yeah, whatever. It's a pain and no one does it.  

When Mat Honan's life was electronically dismantled, none of his passwords were cracked. Attackers can exploit other weaknesses to take over accounts, and everything else in this article is just as important as a horribly complicated password.

It's also helpful to know that in passwords length is more important than complexity. Choosing a password that's easy to remember but long to type is far better than a shorter one full of weird symbols. Pick the first line of a favourite song or something.

Although you should try to choose long passwords, you definitely should not reuse them. Online services leak passwords like colanders and if you use the same password everywhere, you're dead in the water. Only share passwords among sites that you really don't care having hacked because they probably will be.

Rather than remember dozens of passwords, you could use handy software like 1Password or LastPass, which generate strong passwords for sites and then remember them for you. If all else fails, write your passwords down and keep them in your wallet. Yes, I'm serious. You look after your wallet, don't you? There you go.

Harden Gmail

Now let's toughen up Gmail a bit. The vast majority of people have Google accounts these days, usually for Gmail. And we use Gmail to sign up for other sites (Facebook, Twitter, Amazon … an endless list), which means that if an attacker can take over your Gmail account, they can request password resets for those other services too. Lose that one password and you are comprehensively screwed. So tighten up. Even if you use another webmail service, make sure that – no matter how lame your other passwords are – your mail password is unique and as strong as you can manage.

Two-factor = good
If you use Gmail, go and turn on Google's two-factor authentication services right away. That will go a long way towards protecting your Gmail account from attack: Google will phone or SMS you when an unknown PC tries to access your account and demand a one-time passcode as well as your regular password. This is probably the single most effective thing you can do today to keep your account safe. (Click on your account name, then go to "account", then "security" and follow the prompts.)

Other services also offer two-factor authentication and you should always take advantage of it when they do. All our local banks, for example, use technology to provide a second factor when you add a bene-ficiary or transact in online banking. Game company Blizzard offers a two-factor smartphone app to secure game accounts for World of Warcraft. (It may sound trivial, until you've seen the agony of a player with thousands of hours invested in an online game losing everything to a hacker.)

Google has opened its authenticator app to third parties. You can, for example, secure access to your Dropbox account using the same Google app. Two-factor authentication makes signing in slower and you have to ensure you have the second factor to hand, but it's worth it every time.

Adapt or die
If you've put any of that into practice, you're in much better shape. You're more secure, more aware and you can weather even a successful attack.

Of course, all this will mean some discomfort. You're growing out of your online short pants into the equivalent of a boilersuit, and it's going to chafe at first. Of course it is much simpler not to care and just to use a single simple password for every website you visit. It's very easy to trust that web services will remain secure and never lose your data. But that's a dream world, built on wishful thinking.

A more cautious approach requires some changes in habits. Backing up is one, and you have to be diligent about it. Using more secure passwords and two-factor authentication are others, and they will definitely annoy you at first. But you'll get used to it. And when you're targeted by a hacker or become one of thousands of usernames exposed by the latest social network hack, you'll be able to bounce back with confidence.

Stay safe out there.

<hr />

<h2>Useful tools</h2>

Antivirus
Microsoft Security Essentials

windows.microsoft.com/mse

AVG  free.avg.com

Avast!  avast.com

BitDefender  bitdefender.com

Backup
SyncBack

2brightsparks.com

Passwords
1Password
agilebits.com/onepassword

LastPass
lastpass.com

Two-factor authentication

Google Authenticator
support.google.com/a/bin/answer.py?hl=en&answer= 1037451

Blizzard Authenticator

blizzard.com
Jon Tullett is ITWeb's senior editor, news analysis