The mammoth security breach that exposed in the neighborhood of 6.5 million LinkedIn user passwords should be a wakeup call for end-users everywhere. We should all practice due dilligence and ask the companies we deal with questions about how they deal with security.
Here are 10 things you can do to safeguard yourself online:
1. Does the site's logon page have an HTTPS in front of their URL? If it doesn't have "https" preceding the URL when you reach the logon page or pages requesting personal information, it is not a good sign. They do not have even the most basic security measures in place and probably don't care. What do you think they will do to protect your data when they don't even care enough to protect their intellectual property (their website)? Probably nada, zippola, nothing. This is a tell tale sign that you should walk away no matter how alluring the site claims to be. Just walk away.
2. Read the disclaimer and data sharing policy. Many companies sell your data to "partners" which usually means they are partners with anyone that will buy the data. Many C-level executives only care about bottom line revenue. They don't think, "Oh what will happen to my customers data?" Again, walk far, far away. While the company site you sign up for may be somewhat secure, their "partners" may not care so much. Remember offers of "free stuff if you just sign up now" are not really free.
3. Ask security minded questions. Contact the company's customer service line or helpdesk if they have one and ask what kind of security they have in place for accounts and passwords. Ask the company point blank if they encrypt passwords and how. If they say "no," chances are good you do not want to have an account with them. They should mentioning things like RC4 ciphers and 256-bit AES encryption! If the company is confident in their security they should tell you they use firewalls, IDS, anti-virus and all kinds of other great tools. Knowledge is power, so search the web for things like "is AES secure." It is incredible what you can find with a simple search like this. But remember, just because customer service says the site is secure doesn't guarantee it is.
4. Look at what kind of data the site is asking for. Sites today want your birth date, Social Security number, address, height and weight, eye color, and this is all for a monthly coupon site that is sending me deals in my local area? This is all very fishy (or should I say phishy). Instinct is a great tool. You wouldn't buy merchandise off a sketchy individual you just met on the street, would you? Then why would you do business with a company equally as sketchy. Just because the website looks legit doesn't mean the people running it are. Hackers want to blend in, they want you to think that they are legit so by the time you figure it out it is too late.
5. Change passwords frequently. We cannot stress enough the importance of changing your passwords frequently. If you feel it is a burden to change them think of what a burden it will be to have your identity stolen or your accounts hacked and emails sent out to colleagues that cost you business or damage your reputation.
6. Don't use the dog's name. Many people do everything right, choose different emails, don't sign up for many email lists, are very cautious, and then choose a password like MyCompany#1, or MikeyandSarah. Don't use common words or phrases for your passwords. Hackers know you do this and have created lists of these passwords used to hack accounts. Pick things that only your most intimate friends and family will know about. Pick the place you went on your honeymoon, for instance, or a random word like hippo. Now add them together to create SAfricaHippo. Believe it or not this is still easy to guess so now change common letters to numbers that look similar. Zero will substitute for an O, seven for the letter T, four for A, and so on. Now you will have S4fric4Hipp0. You can now take it to the next level and substitute a letter for a special character that looks similar: dollar sign ($) for an S, or the at symbol (@) for an A. Now you have $4fric4Hipp0 which is easy to remember, not a standard word and is not easy to guess even for people that know you well.
7. Have multiple passwords. If you cannot change your password because it is just too difficult, then at least have multiple passwords for your accounts. Don't use the same password for your junk email account that you do for your bank account. Think of it like a set of keys. What are the keys for? Do they go to your house, your car, that empty suitcase? Now think who you let have those keys. The same holds true for passwords, why would you want to use the same password for your junk email hosted in another country with different laws then you do for your bank access?
8. The answer you seek is yourself. As time goes by search engines like Google, Bing and Yahoo possess more and more data for the information seekers. This includes personal data about you. A good way to see if you are a victim or how great your overall risk is to Google yourself. You will be unpleasantly surprised to find what is actually out on the web about you. With the unfortunate invention of things like public information it has become relatively easy for companies to harvest personal information and sell it to the highest bidder, which then sells to the highest bidder, and so on. Sites like Pipl.Com require a membership to get access, but don't really appear to validate who you really are.
9. Use multiple email accounts. One final thing you can do to protect yourself is use different email accounts for different things. It is not uncommon for people these days to have multiple phone numbers. They have one for work, one for home, another for their cell. You forward calls to each number for different reasons. Why wouldn't you do the same for your email? Have one email address for work, one for personal important business like banking, and one for everything else? This will limit what data the hackers will get in the event of a breach. Remember companies make money off selling email and personal marketing data. This way if your junk email gets out of control you can get a new one and start over without a big issue.
10. Tell a white lie. A final note that doesn't really have anything to do so much with accounts but does help you in the long run is, when a site asks for data like your birthday or address, pick a fake location that you can easily remember and use that address. Pick a fake birthday as well and only use a first initial or a fake first name. This way in the event your data is sold or even stolen, who cares? They only got bogus info. This only works for mailing lists and other spam like sites. You would not want to do this to a site like IRS.gov that deals with your taxes.
Following these 10 tips won't guarantee you'll never have a problem because there is no such thing as absolute security, but you will maximize your personal security and minimize your overall risk footprint. The key is to make it infinitely difficult for hackers to get the data and, if they do, it will be of no real benefit and the hackers will move on to a more palatable target.
Firewall Experts, based in the greater Boston area, provides security services and solutions around regulatory compliance. This includes security infrastructure design and implementation as well as penetration testing, security training and documentation services. For more information visit www.firewallexperts.com.
Read more about wide area network in Network World's Wide Area Network section.