Don’t use an easy password; don’t use the same password for all your accounts; don’t use unknown USB devices; don’t download from strange sites; don’t, don’t, don’t….The list of things we must not do online is endless—and is repeated as often. The result is depressing. Most people use ludicrously easy passwords (date of birth, pet’s name, child’s name, spouse’s name, and so on); others unthinkingly share one-time passwords with strangers claiming to be bank officials on the phone. When accounts are hacked and money lost, of course, there’s an outcry about lax security systems. To repeat what you already know, online security starts with you. We ask Sahir Hidayatullah, CEO of cybersecurity firm Smokescreen Technologies, and an ethical hacker, to reiterate some of the basics of safe online behaviour. Edited excerpts in the first of a two-part series:
Any tips on how to stay secure online?
Keep your software and web browser updated as it will stop you from becoming the victim of ransomware. Further, don't download dodgy stuff off the web; you will be amazed at how many people do this. Even savvy CEOs who have everything encrypted have been victims. In many cases it has turned out that when the guy was hacked, he was on a porn site and downloaded something from there.
Most people get hacked by clicking on a link in an e-mail. In India, the highest success ratio for targeting people is when hackers send you an attachment with your ‘income tax refund challan’. This is not a technical hack, it’s a virus.
What are the biggest threats to a person’s digital life?
The No. 1 threat to your information is availability [it’s available too easily in too many places]. For instance, if your laptop were to crash right now, you will lose a lot of information. However, making copies in your USB or hard disc is not a prudent backup system. A good system automatically backs up your data. There is a software called CrashPlan that will backup the data on your system every hour. The data is backed up, encrypted, and stored in three data centres [a local drive, a computer, the CrashPlan cloud, or all three].
The second threat is to confidentiality. To protect your digital life you should never reuse your password. Use a password manager [if you find it difficult remembering multiple passwords]. This software will generate a new random password for every website, and you just have to remember one password to unlock the manager. This will limit your exposure if one of the sites gets hacked.
Are bootable browsers any good in maintaining security?
If your operating system has been compromised, the virus will remain in your system where it can monitor whatever you are doing. If you are working on something sensitive, you should do it from a safe, secure, and clean environment. This is where a bootable browser comes in handy. It will boot your computer into a read-only media where even the USB or CDs used will be read-only. Once you reboot your computer, whatever you have done on the CD or USB will be erased. Every time you boot up, you are getting a clean environment because nothing can infect the system in read-only mode.
Are paid e-mail services more secure than free services?
It is assumed that since most people use Gmail, that's the only option available. However, there are enough and more horror stories of people who have had their Gmail accounts shut down because of policy violations; they have lost access to everything. This is because when you browse a website, you reset your password using your e-mail account, and if you lose access to that account there is no way of proving your identity. You have basically left this [proving your identity] in the hands of a company that does it for free. They are able to do this because they have a contract which says that they will be running ads based on what is in your e-mail and can make money off what is mined from it.
Most people don’t know that there are paid e-mail services such as FastMail and Rackspace which are more secure. The advantage of registering your own domain and having an email account on it is that you are not locked in and nobody can ever take it away from you. Owning your own domain name is like claiming your own little space of the Internet, and as long as you keep paying it will be yours to keep. This makes your e-mail address safe for life.
How can e-mails be encrypted?
Currently, the PGP [Pretty Good Privacy] or GPG [GNU Privacy Guard] systems allow for strong encryption of e-mail where you can even digitally sign your e-mails. The problem, however, with GPG is that for me to actually exchange an encrypted e-mail with you, both of us [sender and receiver] have to exchange a public key. There is a private key you keep for yourself, and a public key which I can use to verify that you have actually sent the e-mail, after which I can use it to encrypt the e-mail. This can be done by downloading a software which can be set up in your e-mail plan. Once you download it, you will get an option in your mail to encrypt or sign your e-mail. You will have to find other people who think the subject matter in the e-mail is important enough to be encrypted, and exchange your key with them.