Online Security is a myth: 4 useful tips.

Lamia Moghnie — Mon, 13 Jun 2011 21:00:00 +0000

image from https://www.cyber-arabs.com/?p=8157

Fatima Saad

Online security is almost a myth but what you can do is make it really hard for someone to hack your account or at least catch them while doing so.

Below are some security tips that don’t include “choose a hard password” – “don’t use an easy password like your name or phone number” and so on – I am pretty sure that almost everybody has heard those tips and yet fails to apply them.

Tip 1 : Securing you email

1- Most of your accounts, blogs, online transactions, chat logs, contacts, “forget my password” forms end up in your email… so it is really basic to take extra measures to secure your account. The good news is that hacking Gmail/Hotmail is not that easy anymore – hackers have to rely on hacking “you” – they usually do so by guessing your password, installing a software on your computer that saves the keys you type, including your password or by sending you fake online login form (phishing), viewing your saved passwords in your browser and so on.
Some common sense applied and you will not be victim of those attacks, but since this is a security tutorial, it is a must to assume that at some point, your password is compromised so you must :

a. Make sure you can recover/prove you identity and recover your password

b. Add a second layer of security

Here are some step by step instructions on how to do on your gmail account ( It will be too much doing the same tutorial for all the email providers, it is the same logic, just different screens, I believe many people are using gmail anyhow )

go to https://www.google.com/accounts/ManageAccount
You will find a nice screen – on the top , there is the security settings

The first thing to do is have your password recovery procedure covered. You can set a secondary email, specify a security question or you can specify your phone number and a SMS will be sent to you (It is bit creepy to tell google you phone number – but sometimes you have to choose the lesser evil )

Step 2 : assuming things got worse and your account was compromised. You can add a second layer of security – this is called “two factor authentication” – it relies on – surprise – 2 factors :

a – that you know your username/password.

b – it relies on your ownership of something physical – in this case your cell phone
The username and password part is easy and it was covered how to protect them, now here is how you can bring in your phone to the equation.

After entering your password, a verification code is sent to your mobile phone via SMS, voice calls, or generated on an application you can install on your Android, BlackBerry or iPhone device. This makes it much more likely that you’re the only one accessing your data: even if someone has stolen your password, they’ll need more than that to access your account. You can also indicate when you’re using a computer you trust and don’t want to be asked for a verification code from that machine in the future ( ease of use )

Now that you have updated your account with a secure password, built a recovery procedure and have a second layer of authentication that can work in the background – you are probably more secure.
However those are additional steps you can take to make sure no one has access to your account :

1- check what apps/3rd parties have access to your account : with OpenID, some applications use your already existing gmail/hotmail/twitter/facebook account to login to the site. While they don’t have access to your password, they may have reading/writing abilities to your account – you can check this in your gmail by visiting https://www.google.com/accounts/IssuedAuthSubTokens?hl=en
Revoke access to site that you don’t use anymore.

2- from time to time, check who accessed your gmail account and from where , to do so, scroll to the bottom of the page in gmail , click details :
You will be able to view a list of the IPs/Countries that accessed your account – if anything is suspicious, you can “log out” all the other people who are signed in and needless to say, change your password

if you click “sign out all other session” – everyone logged in will be signed out – you can also set an alert for “unusual
3- check your autoforwarders list and mail rules : https://mail.google.com/mail/?shva=1#settings/fwdandpop
the first thing a smart hacker would do, is not changing your password, but adding an auto-forwarder so they can read your mail and collect more data about you. So check there are no forwarders and rules you are not aware of.

4 – don’t leave out your phone unlocked – hanging around with access to your email

5 – Never use your company mail for personal stuff : IT people have a access to the mail server and can read out your emails, many mail servers that belong to a company are also silently aggregated. Also emails exchanged using your company address are not your property.

Tip 2 : figuring out / investigating the people you are with

Sometimes personal trust is all you have to communicate and willingly share details. Building this trust is a human process that usually comes after endless hours of chat and facebooking and blog reading.
However there are some basic steps you can take to verify the online identity of someone.

1 – find them on social networks : they must have a blog, they must be subscribed to linked in, they must have posted somewhere on a forum etc… and ultimately – you could ask them to video chat , have a skype voice call etc… not finding anything on them is “fishy” enough for you not to trust them …. (trust is a 2 way process, so don’t share details if they are not)

2- Verify their websites/blog : if you are dealing with a blogger, chances are that they have a .com /.info / .net (domain name ) – if they do, you can check out to whom this belongs.

You can do so using whois.net

here is an example of the info of “who is behind” nasawiya http://www.whois.net/whois/nasawiya.org

this info is used to process credit card transaction to buy the domain name and is highly accurate.

Some people however, but not everyone, protects this info by paying to the hosting company an extra fee, here is for example sawtalneswa site info http://www.whois.net/whois/sawtalniswa.com
it pretty much tells nothing ;p

If someone protected their info, you can always wonder and ask why they did so

Tip 3 : https everywhere
there is a nasty little firefox extension called https everywhere, this little thing will encrypt all your browsing traffic whenever possible, making it impossible for people to intercept this traffic and hack into it.
You can install https and read about it from here http://www.eff.org/https-everywhere

Tip 4 : stay tuned to security news

in the security world, there is always endless updates – the way to stay protected is to stay updated on what is going around – for activists i’d recommend to subscribe to Electronic Frontier Foundation Newsletter – it is reffered to as “the first line of defense” and it earned this reputation.
They have pretty nice newsletter to keep you posted somehow on the tech and security world ( it is not a pure newsletter ) – also the EFF have some pretty nice logos and their web address is pretty short and easy to remember https://www.eff.org

Hope this turned out useful, if you have questions, don’t hesitate to leave them here.
If you are interested more into security, please send a request to nasawiya geeks in take back the tech to host a workshop on online security.

Publisher:

Sawt al' Niswa

Section:

Resources

Category:

Activism

Tags:

Featured:

Sawt al Niswa | صوت النسوة - skills

Online Security is a myth: 4 useful tips.

Publisher: