It started with an email from a friend of mine.
The message said, “check out this article” and had a normal-looking link to nbcnews.com. Just as I was about to click on the link, I spotted something. I picked up the phone and called my friend. “Buddy, you’ve been hacked.”
My friend had clicked on a link in a message from one of his friends. The link took him to a seemingly normal website that invisibly attacked his web browser’s security. The attack took over his Yahoo email account and re-blasted the same spam to a few hundred people in his address book. He had no idea.
This kind of hack happens thousands of times a day and almost everyone has experienced it at some level. As the unofficial neighborhood tech support guy, I often get a call when something goes wrong. I’ve picked up a few good ideas along the way that I thought were worth posting.
What can you do to protect yourself?
Start by understanding what the bad guys are trying to do and how they are trying to do it. My post My Virus Checker Will Keep Me Safe, and Other Internet Security Myths offers a quick primer.
The next step is to understand the place where most attacks are starting these days: your inbox. Read more about Spotting Malicious Emails in my previous post.
Even the most sophisticated security professionals can be fooled, so a few simple practices can reduce your chances of being hacked and help minimize the impact if you do get hacked.
- Rule #1: Create tough-to-guess passwords – avoid simple words, dates and names, especially things that bad guys can find in your Facebook and LinkedIn accounts. Password tricks like replacing “S” with “$” or “L” with “!” don’t really help much, either. The best passwords are a dozen or two random characters. Unfortunately, these are impossible to remember. A somewhat more practical approach to secure and memorable passwords is to string together multiple words (or parts of words). For example, “22MyNeighborMichaelLovesGolf” is actually a great password. It’s long, mixed case and contains numbers (and it’s also possible to remember it). Even better would be “22MyNeiMicLovGol” because it contains fewer words that you can find in a dictionary.
- Rule #2: Never, ever use the same password across different accounts – this is particularly true for critical accounts like online banking or your main email. If a bad guy hacks your favorite recipe site and gets your password, do you want to make it easy for them to log in to your online banking account?
- Rule #3: Change your critical passwords every 12 months – experts disagree on the importance of frequent password changes, so I recommend something pretty basic: change your most important passwords (banks, primary email account, online trading, etc.) at least once a year.
- Rule #4: Never let your browser remember your passwords for you – one of the most common hacks is to steal the password storage from your browser. In one easy move, bad guys can get every password you’ve ever saved in your browser. It’s also a good idea to avoid checking the “Remember me” option on websites, just to be safe.
- Use a password manager – keeping up with rules #1–#4 requires help. Password managers not only keep track of passwords, they automatically enter them when prompted. They truly make life safer and easier. KeePass is the most popular free option. My personal favorite is 1Password.
- Never, ever download software from places you don’t know or trust – once you’ve installed a piece of software on your computer, you’ve given it unrestricted access to everything: passwords, files, browsing, everything. For legitimate software, this is fine. For malicious software, you could be in a lot of trouble. Whenever possible, get your software from safe sources like the Apple App Store. And always avoid downloading software offered by security advertisements claiming you’ve been hacked.
- Keep your software up to date – bad guys hack computers by exploiting tiny mistakes in Microsoft Windows, Apple OS X, Adobe Flash and your browsers. These software providers regularly update their software to fix these mistakes. If your software is a year or more out of date, the bad guys have literally thousands of ways to hack you at their fingertips.
- Run at least two virus checkers – there are lots of great security software packages, many of which are even free. McAfee, Webroot and Norton are great. My favorites are Malwarebytes and AVG (free) for the PC and Sophos (free) for the Apple Mac.
- Back up your computer – this is so basic it shouldn’t even be mentioned in a security post, but I’m always stunned by how often people fail to do this. Backups are key if a virus wipes your computer, if you get hit with ransomware or if you need to retrieve a file from before it got infected. Apple computers make backing up easy with Time Machine. There are also countless excellent (and frequently free) third-party solutions including CrashPlan, Carbonite and Dropbox.
- Buy a credit alerting solution – Experian and Equifax both have good offerings (their low end packages are usually more than sufficient). I’m not a fan of the LifeLock variety of credit protection only because some people’s experiences suggest they create more headaches than they prevent.
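Rule #1 above makes three claims that can be checked mechanically: length and mixed character classes help, leet-style substitutions (“S” to “$”) do not, and a password built from word fragments beats one built from whole dictionary words. The following script is an added example (not code from the original post) that applies those heuristics to the post’s own sample passwords. The tiny word list and the 12-bit “cost” assigned to each recognised dictionary word are constructed assumptions standing in for a real dictionary and a real strength estimator such as zxcvbn.

```python
import math
import re

# Constructed stand-in for a real dictionary (assumption: a real checker
# would load a full word list such as /usr/share/dict/words).
DICTIONARY = {
    "password", "neighbor", "michael", "loves", "love", "golf",
    "summer", "secret", "letmein", "welcome", "dragon", "monkey",
}

# Leet substitutions the post says add little strength; we undo them
# before searching for dictionary words so "P@$$w0rd" is seen as "password".
LEET_MAP = str.maketrans({"$": "s", "@": "a", "!": "i", "0": "o",
                          "1": "i", "3": "e", "5": "s", "7": "t"})

MIN_WORD_LEN = 4   # ignore very short matches such as "my"
WORD_BITS = 12.0   # assumed guess-cost of one word from a ~4000-word list


def alphabet_size(password):
    """Size of the character set the password draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33
    return size


def dictionary_words(password):
    """Dictionary words found after undoing leet and case, longest first so
    that 'loves' is counted once rather than as 'loves' plus 'love'."""
    normalized = password.translate(LEET_MAP).lower()
    covered = [False] * len(normalized)
    found = []
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if len(word) < MIN_WORD_LEN:
            continue
        start = 0
        while (idx := normalized.find(word, start)) != -1:
            span = range(idx, idx + len(word))
            if not any(covered[i] for i in span):
                found.append(word)
                for i in span:
                    covered[i] = True
            start = idx + 1
    return found, covered.count(False)


def assess(password):
    """Apply the post's Rule #1 heuristics and return a report dict."""
    words, free_chars = dictionary_words(password)
    size = alphabet_size(password)
    # Characters outside any dictionary word are treated as random draws
    # from the alphabet; each whole word costs only WORD_BITS to guess.
    bits = free_chars * math.log2(size) + len(words) * WORD_BITS
    return {
        "length": len(password),
        "long_enough": len(password) >= 12,            # "a dozen ... characters"
        "mixed_case": bool(re.search(r"[a-z]", password)
                           and re.search(r"[A-Z]", password)),
        "has_digit": bool(re.search(r"[0-9]", password)),
        "dictionary_words": sorted(words),
        "estimated_bits": round(bits, 1),
    }


if __name__ == "__main__":
    # The post's two sample passwords plus a classic leet-speak "trick" one.
    for pw in ("22MyNeighborMichaelLovesGolf", "22MyNeiMicLovGol", "P@$$w0rd"):
        print(pw, assess(pw))
```

Running it shows the point the post makes: the 28-character phrase is mostly dictionary words and scores well below the 16-character fragment version, while “P@$$w0rd” collapses to a single dictionary word once the substitutions are undone.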
For those of you who, like me, want the peace of mind that comes from going that extra mile, there are a few more mac-daddy security solutions to consider:
- Use two-factor authentication – the security geeks refer to a password as single-factor authentication – one piece of data and you are logged in. Two-factor authentication requires a second piece of data before you can log in. The most common form of two-factor authentication enlists your cell phone to confirm who you are: a site will send a text to your phone, which you then enter along with your password. The bad guys won’t have your phone and they won’t know that second piece of information, so they can’t log in as you. Very cool. Google, Dropbox and others offer great two-factor solutions at no extra charge.
- Use a safe-browsing plug-in – modern browsers are pretty smart about keeping you off bad sites and catching bad guys when they try to hack your browser (did I mention how important it is to have the most recent updates installed at all times?). But my security expert friends tell me that nothing is safer than using the Firefox browser with the NoScript plug-in. This combination of technologies stops virtually every hacking attempt at the front door – the bad guys don’t even have a chance to try and pick the lock (so to speak). But, this level of security comes at a price. By disabling web scripting (JavaScript), a lot of sites look very ugly and some don’t work at all. For me, NoScript is used when I’m visiting a site that I’m not absolutely confident in but otherwise I depend on the built-in browser security.
- Use a dedicated computer for your online banking – a security expert friend recommends that you buy an inexpensive computer that you use solely for online banking and other financial matters. Keep the patches up to date and don’t surf other sites or download other software.
What do you do if you get hacked?
Hacks come in many forms and each type requires a different response. But there are a few universal things you should do if you are one of the unlucky ones like my friend.
- Change your passwords – not only for the accounts that got hacked but also any critical accounts like your main email and online banking – better safe than sorry.
- Change your secret questions – many online accounts allow you to create answers to secret questions like “your childhood best friend” to validate you are who you say you are. Sometimes, when bad guys gain access to your account, they’ll change these to something they know. If you don’t reset them, it’s easy for the bad guys to get back into your account anytime they like.
- Run a manual virus check – this is a great time to confirm your virus program is up to date and run a manual scan. It’s also a great time to consider installing a second or third checker.
There is only one way to be absolutely sure you removed any virus or malware that is on your computer: start over again. Reformat your computer to its factory settings or just buy a new computer outright. Obviously, this can be time consuming, expensive or both, but if you are overdue for an upgrade or if your computer could stand to be cleaned from top to bottom, it’s the best way to level the battlefield against the bad guys.
Staying secure online isn’t easy. It can even seem like a distraction. But I can assure you that people who have gotten hacked feel very differently.
As for my friend, he ended up just fine – he changed his passwords and, after a week or so, decided to get a new computer. Fortunately, he had recent backups of all his files so setting up his new computer wasn’t a big deal. And, best of all, I shared the malicious link in his message with a security expert friend of mine who said it was no longer active – no one down the email chain could get infected. For stories like my friend’s, this is as close as it comes to a happy ending.
A friend shared Clark Howard’s post on locking your own credit score to prevent bad guys from stealing it: http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/
Thanks to Charlene and Jonathan for their feedback and ideas.
One of the best articles I’ve read on using passwords securely: http://www.popularmechanics.com/technology/how-to/computer-security/solving-the-password-problem-14993917?click=main_sr
The NY Times has a good article on creating and managing passwords: http://www.nytimes.com/interactive/2014/08/05/technology/what-you-need-to-know-with-russian-hack.html?_r=0