Posts Tagged ‘security’

Hackers target DNS servers, test your safety now.

Saturday, July 26th, 2008

With IT taking on more roles in our finances, security is getting tighter and pushing the world’s best hackers towards greater sophistication. If a virus on a single school computer is a small rash, then a DNS attack like those going on at present is the HIV of the internet. According to Kaminsky, 52% of DNS servers are still at risk.

A website doesn’t really have a name. Facebook isn’t really at facebook.com; it’s really at 69.63.178.11, and Zakomedia.com is at 79.170.40.33.

These numbers (known as IP addresses) make no sense to a human; could you imagine one printed on your business card? So the domain name was born. If your house were a website, its longitude and latitude coordinates would be the IP address and the domain name would be your postal address.

So when you type ‘facebook.com’ into the address bar, your computer sends this request to your ISP’s DNS server (in my case, Virgin Media). Virgin’s DNS server has a list and looks facebook up in that list to determine its IP. If it can’t find it, it forwards the request to the next nearest DNS server, and this can go on. Eventually they will come back with the correct IP and send you to the correct website.

The security flaw affects just over 1/2 of these DNS servers and would enable someone to add a false IP to a name. This means a request for ‘www.natwest.com’ could return a false IP and send you to another site made up to look like the original, which asks you to log in with your bank details… www.natwest.com would still appear in the address bar and you would be none the wiser until every penny was drained from your account to an unnamed Swiss account holder.

The truth is that DNS owners have known about this problem for about 2 weeks and many have still done nothing about it! This puts us, the consumers, at serious risk! 52% of the world could be led to the wrong banking site to input their details… that’s not a gamble I’m willing to take!

So without trying to scaremonger, there is a way of testing whether or not you are likely to be affected. Go to http://www.doxpara.com/ and use the ‘Check DNS’ button on the right. Ignore the messages below, but read the text which appears. It doesn’t say you ARE affected; it simply tells you whether your local DNS is at risk or patched to avoid this threat. If it is at risk, avoid sending sensitive data online (i.e. banks, logins etc.). Reading the news, weather, and checking mail with Outlook or Outlook Express should be fine. You can resume normal activity when a new test confirms you are OK. If your DNS comes out with the message:

xx.xx.xx.xx has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.

Then you can be happy and relax in the knowledge that your ISP (whether it’s BT, AOL, Virgin etc.) has its customers in mind and is keeping you secure.
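What the doxpara test is actually measuring is whether the resolver spreads its queries across many UDP source ports (and transaction IDs) instead of reusing one, since a forger has to match both. The check below is an added example, not the post’s or doxpara’s own code: it takes two constructed sets of observations (the “patched” list is made-up but realistic spread, the “unpatched” list reuses port 53 and counts its IDs upwards) and rates each resolver.

```python
# Constructed sample observations: (UDP source port, 16-bit transaction ID) for
# 20 consecutive queries a resolver sent upstream. Both lists are made up for
# this example; the "patched" values are hand-picked to look well spread, the
# "unpatched" resolver reuses one port and counts its transaction IDs upwards.
PATCHED_RESOLVER = list(zip(
    [51873, 21044, 60217, 3391, 44902, 12650, 58018, 33477, 9124, 47766,
     25309, 63851, 18990, 40135, 7562, 55728, 30111, 4879, 36643, 49208],
    [0x1a2f, 0x9c01, 0x4e77, 0xd3b8, 0x0b2c, 0x7f90, 0xe615, 0x3a4d, 0xa8f2, 0x5d6e,
     0xc109, 0x2b85, 0x93d4, 0x6a1b, 0xf0c7, 0x1e58, 0xb46a, 0x48e3, 0xd92f, 0x7c06],
))
UNPATCHED_RESOLVER = [(53, 0x1000 + i) for i in range(20)]


def classify_sequence(values):
    """Label observed ports or IDs as fixed, sequential, randomized or weak."""
    if len(values) < 2:
        raise ValueError("need at least two observations")
    if len(set(values)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(values, values[1:])]
    if len(set(steps)) == 1 and abs(steps[0]) <= 2:
        return "sequential"
    distinct_ratio = len(set(values)) / len(values)
    spread = max(values) - min(values)
    # A properly randomized 16-bit field rarely repeats and covers most of its range.
    if distinct_ratio >= 0.9 and spread >= 4096:
        return "randomized"
    return "weak"


def assess_resolver(observations):
    """Summarise how hard a resolver's queries are to answer with a forged reply."""
    ports = [port for port, _ in observations]
    txids = [txid for _, txid in observations]
    port_class = classify_sequence(ports)
    txid_class = classify_sequence(txids)
    # A forged answer must match both fields; each randomized field adds roughly
    # 16 bits of guessing (an approximation, not an exact entropy measure).
    bits = (16 if txid_class == "randomized" else 0) + (16 if port_class == "randomized" else 0)
    verdict = "protected" if port_class == "randomized" and txid_class == "randomized" else "at risk"
    return {"ports": port_class, "txids": txid_class, "guess_bits": bits, "verdict": verdict}


if __name__ == "__main__":
    for name, obs in (("patched", PATCHED_RESOLVER), ("unpatched", UNPATCHED_RESOLVER)):
        print(name, assess_resolver(obs))
```

In practice the observations would come from a packet capture of your resolver’s outbound queries; the point of the “guess_bits” figure is that port randomization roughly doubles the number of bits a forged reply has to match.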

Protect Against Identity Theft

Tuesday, July 22nd, 2008

Identity theft is big business! With the information sharing age upon us, should we take steps to start the information restriction age to protect our online identities from theft? More and more of our business and personal practices are online. We make payments online, and transfer and receive large quantities of money online. Our banks are online. Facebook, LinkedIn, Bebo, Ecademy and Twitter users have much of their personalities online. Websites simply aren’t protecting our online identities the way they should be, and the law doesn’t want to know, so we have to take matters into our own hands!

This is by no means a definitive list so please do add ideas into the comments if there’s anything you feel should be added.

Basic steps to protect your identity online:

Passwords:

The first and easiest route for online identity theft is the human element: passwords. I can access my business bank account with a single username and password and that scares me, but it doesn’t have to. To obtain this information, an identity thief can use 3 methods:

  1. Know what I like and try to guess the password based on my interests, relationships or date of birth (all of which can be obtained through Facebook!).

    SOLUTION: Do not choose easily guessable passwords (and no, S1m0n isn’t much more secure than Simon when using real words).
  2. If I use the same password for more than one service, someone who gets hold of the password for one system can access another. This can happen by signing in to an untrusted website where they’re not asking for money but you do need to register. It can happen by a legitimate website being hacked, or it could even be overheard or abused when you’re in a hotel foyer, calling home and directing your friend or PA into your email to get your booking details.

    SOLUTION: Use a different password for different websites.
    Alternatively use one secure password for the secure sites and lesser passwords for lesser sites, i.e. my business and personal banks have the same password; my hotmail account (used for junk only) and facebook account use another.
  3. The brute force or dictionary attack uses random characters or known words, with and without numbers, to keep guessing. This is done automatically and can guess around 10,000 possible combinations in a day. If your password happens to be in a dictionary, with or without numbers, no matter how obscure, the password will be guessed within a few hours. If you had a long random list of numbers and letters, it could take weeks or even months. Some websites lock out after a few guesses to try and prevent it, but most don’t.

    SOLUTION: Choose passwords as randomly as possible, but they need to be memorable!

    One tip I’ve heard for helping to keep passwords obscure for both computers and humans is to turn a phrase into an acronym. For example, I could have the password MWCFMAICFMK based on the phrase “My wife comes from Mauritius and I come from Milton Keynes”. It makes it random but memorable for someone who knows this key phrase. Add some numbers in there to increase randomness and you’re laughing. The common way is to change similar letters and numbers (for example the letter i becomes the number one). This can help, but don’t rely on it 100%.

    Finished Password: mwcfm41cfmk (12 characters)
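The reason “S1m0n” is barely better than “Simon” is that cracking tools undo the usual letter-to-number swaps and strip trailing digits before running a wordlist, so the checker below does the same. It is an added example, not the post’s own, and its wordlist and the “10,000 guesses a day” figure taken from the text are only there to make the contrast visible; a real check would use a full dictionary and leaked-password lists.

```python
import math
import re

# Constructed mini wordlist for the example; a real check uses a full dictionary.
DICTIONARY = {"simon", "password", "mauritius", "keynes", "letmein", "qwerty"}

# Common look-alike substitutions that cracking rule sets undo before a dictionary run.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password):
    """Forms a cracker would try: lower-cased, trailing digits stripped, and de-leeted."""
    lower = password.lower()
    stripped = re.sub(r"\d+$", "", lower)
    return {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}


def in_dictionary(password):
    """True if any cheap variant of the password is a plain dictionary word."""
    return any(form in DICTIONARY for form in candidates(password))


def charset_bits(password):
    """Rough strength of a random-looking password: length * log2(alphabet size)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def assess(password, guesses_per_day=10_000):
    """Return (kind, days to exhaust the search space) at the post's 10,000 guesses/day."""
    if in_dictionary(password):
        # Four cheap variants per word is all the cracker has to try.
        return "dictionary word", 4 * len(DICTIONARY) / guesses_per_day
    return "random-looking", (2 ** charset_bits(password)) / guesses_per_day


if __name__ == "__main__":
    for pw in ("Simon", "S1m0n", "Simon1985", "mwcfm41cfmk"):
        kind, days = assess(pw)
        print(f"{pw:12} {kind:16} {days:,.0f} days")
```

The acronym password from the post survives because it is not in any wordlist and draws from letters and digits across 11 positions, so the only route left is an exhaustive search, which at the post’s guessing rate is measured in billions of days rather than hours.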

Forgotten Passwords

OK, my password is secure. The second route into less secure sites is hitting the ‘Forgotten password’ button. Some ask simple information (mother’s maiden name, date of birth etc.) before emailing the password to the account in your profile, some just email it, and some will allow a complete password reset and only email to confirm, giving immediate but limited access. You therefore need to protect your mother’s maiden name and your date of birth. The trouble is that this information isn’t all that hard to get hold of!

Solutions? When you’re asked for your date of birth and mother’s maiden name on non-trusted sites, and where lying isn’t going to be called fraud, lie. Use a date of birth and name which mean nothing to you realistically but which only you know as your backup details. This way people who know your real DOB won’t be able to gain access. Obviously when applying for credit, insurance etc. you have a legal obligation to provide your real details, but these tend to be more secure.

Post-it Notes

One of the biggest no-gos in the history of computers! Never, under any circumstances, at all, ever write down your passwords on a post-it note and stick it to your monitor! The back of your desk diary is the second most common place to write it. This can be as helpful as sending a mass email with all your passwords to your friends, IT repairman, the next door neighbour’s son who helps you every time you get a virus, etc. etc. etc…

If you need to write your access details down at any point, you need to keep them as secure as the original information. Don’t label it ‘Passwords’ and don’t leave it within easy and obvious reach of the PC. Write the actual password element backwards; anyone who tries it the normal way will assume it’s out of date and give up. My sheet with the password above would read:

Hotmail:
simon@hotmail.com
kmfc14mfcwm

The Computer :

While we’re working in the office, the next thing to keep secure is the computer. Make sure you have a good anti-virus. AVG is one of the best I’ve ever used in the last 10 years, and they do have a free version for domestic use (http://free.avg.com/). How will this help?

Some of the worst viruses and programs you can have on your PC are the ones that don’t do anything visibly. Some can sit there logging everything you type (usernames, letters, passwords, emails, credit card numbers) and send it off to the originator to decode. A good virus scanner should keep these out and keep you safe.

Some people also recommend running Lavasoft’s Ad-Aware every so often. This helps catch things which aren’t specifically classed as viruses but can be damaging. Don’t be alarmed by the number of things it will find: to be on the safe side, it removes everything which could track what you’re doing, including internet cookies, which are very limited and don’t really do anything bad besides help record that you’re logged into a site; they don’t give away passwords. Their free version is here: http://lavasoft.com/products/ad_aware_free.php

The websites

The websites themselves can also be quite weak. When you sign up with a site or make a payment, it’s illegal for the website owner to store your credit card details and certain others without a minimum level of security… but who enforces laws on the internet? Only give your more private details to trusted websites with a proven track record. If you don’t trust them or there’s doubt, sign up for a free hotmail or yahoo email address and use that for these sites only. If you’re likely to get one email and nothing more, consider using Temporary Inbox.

Facebook

Facebook and other social networking sites can pose a real threat. Just this week, a security hole led to users’ details being exposed. (read about the latest facebook security hole here)

The truth is that most data handed out has to have been given in the first place. Try using your secondary date of birth, mother’s maiden name etc., and ONLY put information on the world wide web which you want everyone on the world wide web to see! It doesn’t matter whether people can see your date of birth, as all someone has to do is scan through your wall or public messages for the abundance of ‘Happy Birthday’ messages from your friends and family and look at the date of posting!

Scam and Spam

Occasionally you will probably receive notifications of account closures or emails requesting you to click a link and log in. DON’T! This is known as phishing: they can divert you to their own website, made to look like your bank, PayPal etc., encouraging you to log in. If there is any doubt, go to the website in question manually; do not use the links provided if you then have to enter your password details. If you get an email from Natwest requesting that you log in, open your browser, go to www.natwest.com and log in there. According to Sophos, only 1 in 28 emails are actually legitimate.
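The “go there manually” rule exists because the text of a link and the address it really points to are two different things. The checker below is an added example, not the post’s own code: it parses a constructed e-mail body, pulls out every link, and flags the ones whose real host is not the bank, is a bare IP address, is not HTTPS, or differs from the domain shown in the link text. The lookalike host uses the reserved .example domain and the IP is from a documentation range, so nothing here points at a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body for the example (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Log in at
<a href="http://www.natwest.com.account-check.example/login">www.natwest.com</a>
within 24 hours or your account will be closed.</p>
<p>For help see <a href="https://www.natwest.com/">www.natwest.com</a>.</p>
<p><a href="http://198.51.100.7/secure">Click here</a> to confirm your details.</p>
"""

TRUSTED_DOMAINS = {"natwest.com"}  # the domains the reader actually banks with


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (a public-suffix list is needed for .co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html, trusted_domains):
    """Return [(href, [reasons])] for links that should not be followed from an e-mail."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("host is a bare IP address")
        if registered_domain(host) not in trusted_domains:
            reasons.append("host is not a trusted domain")
        # If the visible text looks like an address, it must name the same domain.
        shown = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append("visible text names a different domain than the link")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(href, "->", "; ".join(reasons))
```

Note that the first link is caught even though “natwest.com” appears in its address: the registered domain is the last two labels, and everything to the left of them is under the lookalike owner’s control.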

Making Payments

Many of my clients want to take payments online and always scoff at the idea of offering PayPal payments. PayPal is a good system with the buyer in mind. They do have higher than average charges, but personally I feel you get value for money. They are, at the end of the day, just another website, but they are big enough and their whole purpose of being is built around security. Without that, the whole business would collapse overnight!

As I said at the beginning, this is not a definitive list but contains all the most relevant and basic things to know about putting your information online. It’s a lawless society which is slowly dominating our lives and should be treated with care!

How much data can you afford to lose and where’s it going?

Tuesday, January 22nd, 2008

I run my business from a single laptop. I have insurance in place to replace the laptop if it gets lost or stolen, and I have funds in place to almost instantly replace the laptop or components if for any reason it fails.

My laptop goes everywhere with me, client meetings, sales meetings, holidays, everywhere. There’s no better way to demonstrate the simplicity of my software than to have a working copy right there.

But I’m a pessimist; every time I leave the house, I assume that someone is going to offer not to stab me in exchange for my laptop. Every time I go to the toilet, I assume that someone is going to break into my home and steal my laptop; every time I turn away from my laptop, I assume that the hard drive will make a loud crunching noise as it grinds my data into sawdust. Every time I leave my hotel room for breakfast, I assume the cleaner is going to run off with my laptop.

If any of this does happen, I’ll have a maximum of three phone calls: Police, Insurance Company, PC World.

I won’t have to change my clients’ passwords
I won’t have to report my credit card or anyone else’s card as stolen
I won’t have to phone my clients to notify them of the loss
I won’t have to inform my clients to change the passwords they have entrusted me with
I won’t have to scare my clients into changing their bank accounts
I won’t have to ask for copy invoices from suppliers
I won’t have to look up my suppliers’ and clients’ details anywhere
I won’t have to inform my bank of the loss
I won’t have to change my internet banking details
I won’t have to scrutinise every transaction in my future bank statements for 6 months
I won’t have to lose the trust and faith my contacts have in me
I won’t have to worry about getting family photos back
I won’t have to find my iTunes invoices and re-download all my tracks
I won’t have to worry about losing days of work, or even hours.
I won’t have to worry about who has access to the data on the laptop and what they can do with it.
I won’t have to worry about lost phone numbers or emails of my biggest clients, or even my smallest ones

In fact, if my home and office burn down tonight and I narrowly escape with a single pair of jeans, a T-shirt and naturally my wife, I can have my business back up and running as if nothing happened in a couple of hours.

I am entrusted with very sensitive data; I regularly have enough information about my clients to take loans out in their names, open bank accounts or on some occasions even obtain a passport.

But I can live without worrying? And I don’t resort to ignorance like so many [government officials]

Everything I value is backed up.
It is backed up on an external hard drive (£60) in my office, encrypted, secured and locked in a safe.
It is backed up on an external hard drive (£60) at home, encrypted, secured, and locked in a safe.
It is backed up online (£40pcm, part of my reseller web hosting, but it can be bought through any good IT or backup company; I can recommend a few)
I make it a policy not to store sensitive information I don’t need.
If I do need it, I use simple encryption software and hide the encrypted volume so no one even knows to look for it, let alone how to get into it. Once finished, all information is deleted. (open-source software TrueCrypt, £free)
I have £1000 stored in a completely separate bank account for instant laptop replacement (will increase to cover other office-related costs)

This system is simple and reliable; it takes me 10 minutes a day waiting while it updates my hard drive backups, and costs me £600 per year + £1000 replacement fees (variable for what you need to replace to operate).
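Three copies only pay off if each copy actually matches the laptop, so a backup routine needs a way to prove that. The script below is an added example, not the author’s own tooling: it builds a SHA-256 manifest of a working folder and compares it against each backup copy, reporting files that are missing, stale, or present only on the backup. The folder names and contents are constructed in a temporary directory so it runs anywhere.

```python
import hashlib
import pathlib
import tempfile


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(source, backup):
    """Files the backup lacks, holds a different version of, or has that the source lacks."""
    return {
        "missing": sorted(set(source) - set(backup)),
        "changed": sorted(p for p in source.keys() & backup.keys() if source[p] != backup[p]),
        "extra": sorted(set(backup) - set(source)),
    }


def _write(root, files):
    """Create the given {relative path: bytes} tree under root."""
    for rel, data in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed working set plus two backup copies: one in sync, one stale."""
    working = {
        "clients/contacts.csv": b"Acme Ltd,01234 567890\n",
        "invoices/2008-01.txt": b"paid\n",
        "photos/family.jpg": b"\xff\xd8\xff\xe0",
    }
    with tempfile.TemporaryDirectory() as tmp:
        _write(pathlib.Path(tmp, "laptop"), working)
        _write(pathlib.Path(tmp, "office_drive"), working)  # copied this morning
        stale = dict(working)
        stale["invoices/2008-01.txt"] = b"unpaid\n"       # older version on the home drive
        del stale["photos/family.jpg"]                     # never copied across
        stale["old/notes.txt"] = b"deleted from laptop\n"  # left over from an earlier copy
        _write(pathlib.Path(tmp, "home_drive"), stale)
        source = build_manifest(pathlib.Path(tmp, "laptop"))
        return {
            "office_drive": compare_manifests(source, build_manifest(pathlib.Path(tmp, "office_drive"))),
            "home_drive": compare_manifests(source, build_manifest(pathlib.Path(tmp, "home_drive"))),
        }


if __name__ == "__main__":
    for copy, report in demo().items():
        print(copy, report)
```

Run it against the real folders by calling build_manifest on the laptop and on each mounted drive; a clean report for every copy is the “10 minutes a day” actually buying something.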

When I go to bed, my laptop stays downstairs packed and ready for the office tomorrow. It’s easy to pick up as I run through the door, not hidden, not locked in a safe, and yet I can sleep soundly.

I don’t offer this as a service, but if you haven’t got something setup, talk to your IT contact, I can recommend a few, it will be one of the most relaxing phone calls you’ll make.

How much information can you afford to lose and where is it going?

Keep those bugs out of your PC!

Sunday, January 13th, 2008


We’ve all had them at one point or another, and they’re so easy to get hold of. When you do get them, they can be a nightmare to remove and could destroy months, years or all your data.

What steps should you take to avoid them completely?

  1. Back up your data regularly and often. If you can’t afford to lose a full day’s worth of data, then arrange some automated backup procedures to go on throughout the day. Don’t know how? Give me a call and I’ll put you in touch with a backup and IT security specialist.
  2. Install an antivirus. Personally, I don’t recommend the commercial ones; Norton tends to slow my machine right down and McAfee has let viruses through. The best anti-virus I have ever used is AVG (http://free.grisoft.com/). It’s free for personal use (and a small fee for business) but has never let me down in the years of use.
  3. Don’t download programs from the internet. Even trusted sites can be hacked discreetly.
  4. Don’t run software from free magazine CDs. Though checked, they can be replaced with malicious code between the distributor and the store.
  5. Don’t run programs or open attachments in emails unless you know EXACTLY what is in them. If friends send you pictures, ask them to send them as images, not as ZIP files. DEFINITELY AVOID FILES ENDING WITH .EXE, .BAT, .COM, .SCR even if embedded within a ZIP file.
  6. When opening downloaded or unzipped files, right-click the file and force a virus check. Usually this is done automatically, but this is just to make sure.
  7. When you run a program from any of these sources, if nothing seems to happen, or the file disappears, consult your IT specialist as soon as possible.
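Step 5 is worth automating, because a file called “holiday.jpg.exe” shows up as “holiday.jpg” on a Windows machine that hides known extensions, and an executable can simply be renamed to .jpg. The scanner below is an added example, not the post’s own code: it lists the members of a ZIP without extracting anything, flags the four extensions the post names, double extensions, nested archives, members whose first bytes don’t match their claimed image type, and anything starting with the Windows executable header. The archive it checks is constructed in memory.

```python
import io
import os
import zipfile

# The extensions the post says never to run. Real deployments extend this list.
DANGEROUS_EXT = {".exe", ".bat", ".com", ".scr"}

# Leading bytes ("magic numbers") of the image formats people usually e-mail.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".gif": b"GIF8"}
PE_MAGIC = b"MZ"  # every Windows executable starts with these two bytes


def risky_members(zip_bytes):
    """Return [(member name, [reasons])] for entries that warrant a virus check or refusal."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            with archive.open(info) as member:
                head = member.read(4)  # only the first bytes are read, nothing is extracted
            reasons = []
            if ext in DANGEROUS_EXT:
                reasons.append(f"executable extension {ext}")
            if any(f"{img}." in lower for img in IMAGE_MAGIC):
                reasons.append("double extension hides the real type")
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                reasons.append("contents are not a real image")
            if head.startswith(PE_MAGIC):
                reasons.append("Windows executable header")
            if ext == ".zip":
                reasons.append("nested archive, scan it too")
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                reasons.append("path escapes the extraction folder")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed archive mixing a genuine photo with disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)      # real JPEG header
        archive.writestr("holiday.jpg.exe", b"MZ\x90\x00" + b"\x00" * 16)     # double extension
        archive.writestr("party.jpg", b"MZ\x90\x00" + b"\x00" * 16)           # executable renamed
        archive.writestr("notes.txt", b"see you saturday\n")
        archive.writestr("more/photos.zip", b"PK\x05\x06" + b"\x00" * 18)     # empty nested zip
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in risky_members(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

The “contents are not a real image” check is the one that catches what a filename check cannot: the file claims to be a photo but its header says otherwise, which is exactly the case where forcing a virus scan before opening it (step 6) matters.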

Always keep your virus scan updated, most do this automatically, do not disable it.

Always allow scheduled full system scans to run. If they are set to an awkward time, change it to something more helpful; again, don’t disable it.

If you follow all of the above steps, you too should be happy and virus-free.


© 2008 - Zako Media - All Rights Reserved