Earlier this month, we gave a presentation for the Illinois Valley Area Chamber of Commerce on cyber security basics. Above is the video and below is a transcript of our presentation, including audience questions. Enjoy!
Today we are going to share with you some tips to keep you a little bit safer. These include proper password use, security of physical devices, anti-virus software, avoiding risky behavior, and website security. So we have a presentation over here. And I want to start with talking about passwords. And what actually makes a good password.
I know people tend to hate passwords because they’re difficult to manage and remember. But fortunately there are a few things you can do to make this easier. If you sign up for any new accounts you’ve probably been forced to create a password that has uppercase letters, numbers, all sorts of symbols, and things like that. But that’s actually counter-intuitive to making a good password. So if you look at this comic strip up here, a lot of sites want you to create a password like the upper top corner; you can see there’s a zero used for an “o” or a four used for an “a”, an & symbol and all sorts of stuff. Complicated, hard for you to remember and things like that.
Below that, there’s another example of a password, which is just four random common words. This one is “correct horse battery staple.” And in the first example that only accounts for 28 bits of entropy, which if a computer were guessing at a rate of 1,000 guesses per second, it would only take it 3 days for a computer to crack that password. Whereas the bottom password, “correct horse battery staple,” is 44 bits of entropy. It would take a computer 550 years at 1,000 guesses per second to guess that password. So the moral of the story here is longer is better, not more complicated.
In addition to making better passwords, you also shouldn’t repeat passwords. So if you tend to use the same password over and over again for many different accounts, whether it’s your email or your bank or Facebook, etc.; you really should have a unique password for every account. And to make this easier on you to remember you can use a standard naming convention.
So let’s say you have a basic password you wanted to use. In this example, you can see down at the bottom I have “snowwhite&the7dwarfs.”
So you can add a unique identifier, let’s say to the end of your password, that identifies the website you’re using it for. So in this example I’m just taking the first letter of the company and the last letter of the company. So my password for Google becomes “snowwhite&the7dwarfsge.” For Amazon it would be “snowwhite&the7dwarfsan.” And Yahoo “y-o” at the end. So you can see using a pattern like that will help you easily remember a basic password; you’ll only have to remember the last few characters at the end for the service you’re using.
Another way to do this would be to insert the whole word in there. As you can see I have “snowwhite&the7Googledwarfs,” “snowwhite&the7Amazondwarfs,” which are the tallest dwarfs you will ever see. “Snowwhite&the7Yahoodwarfs,” so there’s a couple of different ways.
Ok, so having a unique password for every site might seem like a nightmare, but you can actually keep this under control using a password vault. If you’ve never heard of a password vault, it’s just a program that stores all of your passwords and you access it with one master password. So you don’t have to memorize your passwords for 1,000 different sites. Your passwords for individual sites can actually just be randomly generated or however you want to do it.
A couple of examples of password vaults are KeePass and LastPass. These are two pretty big companies that do password vaults. The difference here is KeePass will be a software you install on your computer and it will hold all of your passwords and you can use it for anything on your computer. Whether you’re logging into a program on your computer, or something in your browser, etc. But it’s only good for your computer. LastPass on the other hand you can share across multiple devices. So you can keep your passwords on your computer, your tablet, your phone, etc. But it’s only browser based, so it’s only going to help you with logging into things on the internet, not actual programs on your device. So those are two examples that you guys can consider. LastPass is pretty affordable. I think about $12 a year or something like that. It’s usually worth the hassle. And there are other options out there, but those are two pretty reputable companies.
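The two numbers from the comic (28 bits is about 3 days, 44 bits is about 550 years at 1,000 guesses per second) and the “randomly generated” passwords a vault can produce, worked through in Python. This is an added example, not part of the original presentation; the word list is a constructed sample, and a real generator would use a list of a few thousand common words.

```python
import math
import secrets

# Constructed sample word list for demonstration only. A real passphrase
# generator draws from a list of a few thousand words (the comic assumes
# 2,048 words, i.e. 11 bits per word).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "window", "pencil", "garden", "silver", "rocket", "ocean"]

GUESSES_PER_SECOND = 1000  # the attacker rate assumed in the talk


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words picked uniformly from wordlist_size words.

    Each word contributes log2(wordlist_size) bits, so 4 words from a
    2,048-word list give 4 * 11 = 44 bits, matching the comic.
    """
    return word_count * math.log2(wordlist_size)


def seconds_to_crack(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every possibility in a space of 2**entropy_bits guesses."""
    return 2 ** entropy_bits / guesses_per_second


def describe_time(seconds):
    """Render a duration in the units the talk uses: days, or years if long."""
    days = seconds / 86400
    if days < 365:
        return f"{days:.1f} days"
    return f"{days / 365:.0f} years"


def generate_passphrase(word_count, words=SAMPLE_WORDS):
    """Pick words with the OS-backed CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for bits in (28, 44):
        print(f"{bits} bits of entropy -> {describe_time(seconds_to_crack(bits))}")
    bits = passphrase_entropy_bits(4, len(SAMPLE_WORDS))
    print(f"Sample: {generate_passphrase(4)!r} ({bits:.1f} bits from a "
          f"{len(SAMPLE_WORDS)}-word list; use a much bigger list in practice)")
```

The crack times come out at 3.1 days and 558 years, which is where the talk’s “3 days” and “550 years” figures come from.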
Alright, so now that you have some good password tips, make sure you’re using passwords on your devices. This is pretty much a no-brainer if you’re using a shared device or are in a public space and stuff like that. But many people often feel like you don’t need a password on your home computer. And I would urge you to reconsider that, because if someone broke into your house and stole your computer, they would have access to all of your information on that computer. However, some random person robbing your house, probably isn’t also going to be a hacker. So a password on your computer can be just enough of a deterrent and most likely they would end up selling your computer for parts or completely wiping it and your information could potentially stay secure. It could be just enough of a deterrent for a criminal to not want to bother with it.
Make sure you’re using passwords on all of your devices too. If you guys have phones and tablets, there’s a lot of different options for securing those now, where you don’t have to remember a password. A lot of phones, you can just draw a pattern, some phones have fingerprint scanners on them. So check with your device and see what kind of security options you have on there and figure out something that is going to work for you that you are going to want to remember and hopefully not lock yourself out of your own device.
Before we move on here to anti-virus software, let me just talk a little bit about wireless networks too. Since you secure your devices, make sure you secure your wireless network. In addition to using a long password, there’s other things you can do too. Such as turning on WPA2 encryption, changing your SSID name, testing and enabling your wireless router’s firewall, and turning off the admin-via-wireless features on your router.
If you just Google tips for securing your home network, you’ll get a lot of great informational articles that will give you more information on that. Just like I said before, if someone breaks into your house to steal your computer, you’re probably going to notice it. You’re probably not going to notice if someone breaks into your Wi-Fi connection because you’re usually not monitoring that. So take the steps upfront to have security before ten of your neighbors start stealing your internet or accessing your network.
Ok, so limiting access to your devices and network will keep you physically safe. The next step is to make sure there’s some protection while you’re connected to the internet, which means anti-virus software. I can’t tell you how many times a friend or family member has called me to help them get a virus off of their computer. For less web savvy people like my mom, who’s on Facebook playing games all of the time, I’m constantly cleaning her computer. But even smart savvy web browsers like me, I know what to stay away from on the internet and stuff like that. Even I’ve gotten computer viruses. It’s really easy to get infected out there, because cyber criminals just keep getting more and more cunning. Which is why everyone should have some type of protection. Then the question comes how do you choose a good anti-virus program, because you know there are millions out there.
Luckily, I’ve done the research for you and I have a couple of good recommendations. It pains me to say this a little bit, but some of the best protection out there is from providers you are already familiar with, like Norton and McAfee. I find both of those to be a bit clunky and irritating. They are always asking you things, popping up on your computer. But they are both highly rated by independent testing companies and users for their effectiveness. So if you are already using Norton or McAfee, you are good on those. If you are looking for some type of robust anti-virus that’s a little less intrusive, consider Webroot. It’s a PC Magazine nineteen-time winner and it boasts NextGen Cyber Security. It’s available for PC and Mac, along with your mobile devices, and at some competitive pricing. It’s about the same price as Norton. Another great program to look into is Malwarebytes, especially if you already think you are infected with malware on your computer. A lot of times if I’m helping someone get a virus off their computer, I’ll look up what the virus is and find how-to articles on how to remove it, and usually the first step on all of those is to install Malwarebytes and run it on your computer. So this is a really reliable program. I recommend that everyone use this. Some other highly rated programs include Kaspersky Antivirus, Bitdefender, and Trend Micro Internet Security 2017.
Our next topic here is software updates. This is a huge factor in staying secure. Just keeping your system up to date. All of those updates aren’t just for new features; they fix security vulnerabilities. Mac users don’t usually have a big problem with this because you guys are used to automatic updates. However PC users are horrible at updating. So if you are still clinging onto Windows XP, you’ve got to give it up. You’ve just got to come to terms that it’s no longer supported, it’s a security nightmare, and get yourself updated to Windows 8.1 or Windows 10. I mean, if you are using an outdated system like that, you’re using something that hackers have had 10 or 15 years to investigate and find all of the holes and everything, and like I said, it’s not supported by Microsoft. So you are not going to get any security fixes or anything for it.
While we are talking about Windows, let’s move on to Internet Explorer, not my favorite browser because I’m a web developer. But it is one of the most popular browsers. Again if you are using Windows XP, you cannot update past Internet Explorer 8, which is pretty out of date, causing you another security risk. If you are stuck on Windows XP because your employer won’t upgrade your computers or something like that, you could download Chrome or Firefox as a safer browsing option. If you are on a newer version of Windows, make sure you are using IE 11 or Edge. No exceptions, there’s no reason to be on an older version of Internet Explorer. Using out of date browsers is a huge security risk, so if possible, if it’s not already, make sure you set your browser to automatically update. That’s the best option. So using outdated software is risky, but there are also other risky behaviors that you should avoid while online.
Now you’re not likely to stumble on anything in the dark underbelly of the internet, like the deep web or something like that, unless you go looking for it. But that doesn’t mean that there aren’t other places that you will find yourself where you could get into a little bit of trouble. So here’s some things you need to stay away from. The first one is peer-to-peer file sharing. You guys remember Napster? Way back in the day? Napster brought the concept of peer-to-peer file sharing kind of to the public eye and made it a household name. It’s the predecessor to all sorts of programs like BearShare, LimeWire, BitTorrent, the kind of things kids use to download music and stuff like that. In addition to the legal implications of using those types of programs and services, it’s like leaving your front door open and turning your porch light on for malware. You’re voluntarily downloading files from some person you don’t know on the internet and hoping it is what it says. Also stay away from questionable downloads and entertainment. Nowadays this includes things like Pirate Bay and online video streaming sites. If you’re using the internet for things you shouldn’t talk about in public, chances are you are engaging in some risky behavior. We don’t encourage any illegal behavior, but even if what you are doing is legal but a little bit shady, get a computer you don’t care about and dedicate it to that, and do not hook it up to your network.
So secure shopping is our next topic, a much safer topic. This is our area of expertise. As you guys know, we’re web developers with great websites and we specialize in ecommerce websites; websites that sell products or services to customers. So if you are shopping online, as a lot of people do now, always make sure that you are using a secure checkout. Look for that security icon in your browser. Never ever give your PIN information over an unsecure connection, and that includes email. Do not email your personal information because email is not secure. If you yourself are running an online store, you are going to want to have an SSL certificate. That is the handy thing that gives your customers that security lock and secures your checkout. It may cost you a little bit of money, but if you are subject to PCI compliance laws, it’s something you have to have.
As a side benefit to having an SSL certificate, it tends to have positive effects on your conversions and it can also give you a bit of an SEO boost. So it might increase your search engine rankings. If you are running an informational site, statistically speaking you are probably on WordPress, which is one of the most popular Content Management Systems in the world. And for good reason. It’s really easy to use. Chances are you’ve probably had some interaction with WordPress powered sites. We’ve done many local WordPress sites. You can see some examples up there, Jalapenos, Amia Boutique, John’s North Star, Gunsmoke Grill.
About 1/6th of all content management websites are on WordPress right now. So if you have a back end to run your website, there’s a really good chance you are on WordPress. Unfortunately with popularity comes vulnerability. Hackers love to target large platforms because the possible payout is much larger when the target pool is so much bigger. That’s why WordPress is often the target of attacks. But fortunately there are easy ways to keep your WordPress site secure too. This includes installing security plugins, keeping your installation up to date, using strong passwords like we already talked about, and if you’re using FTP to access your site at all, making sure it’s Secure FTP. Keep all of your plugins up to date, and make sure they are from trusted suppliers.
The great part about WordPress is there are literally thousands and thousands of developers developing free tools you can use on your website. Just because they are free doesn’t mean they are safe. So on WordPress.org, you can always look up a plugin and see how it is rated by other consumers and get more information about it, and do your research before you install it on your website. You can also use cloud-based firewalls. These next couple of things are things that a security plugin might do for you, and that’s renaming your admin account, making frequent backups, filtering out your spam comments, logging and monitoring tools, and locking down your file permissions, which you can do via your secure FTP access. And make sure you pick a quality web hosting provider. Not all web hosting providers are equal.
Our last security tip is “Stop Spambots.” You probably have a general idea of what a spambot is. It’s some variation of an automated program designed to do something en masse. Usually something annoying or malicious. This can cause problems in many forms. It could be a denial of service attack where bots just keep trying to access your site so many times, it uses up all of your system resources and so your website goes down. Or this could be, you know, sending you a billion spam emails through the forms on your website. Or if you have an ecommerce website, trying to submit tons of fraudulent orders. One of the best things you can do, the first thing you should do, is use your provider’s built-in security risk tools. So for example, we work with Yahoo Small Business; they have some risk tools like reCAPTCHA and stuff like that you can enable, that try to help identify real customers from bots.
A lot of times, your provider will have tools. On top of that, you can use third-party services that can help filter the spam traffic before it gets to your website. Services like Cloudflare Security and Imperva Incapsula are services you can pay for. So when traffic comes to your website, it hits this service first; they determine whether or not it’s legitimate traffic and if it’s not, they block it, and if it is legitimate traffic, they let it through to your site. So filtering that traffic before it gets to your site is ideal to help you avoid any outages or things like that. So those are all of our tips. I hope you found them helpful.
Just to review, we went over using proper passwords, securing your physical devices, making sure you are using anti-virus software, avoiding risky behavior, and securing your website. If you have any questions, feel free to contact us. I’m available, Brandee is available. You can also contact us with our contact information up there or stop by our office in Oglesby. And we give presentations like this on all sorts of topics all of the time. They are free workshops; if you are interested in any of those, you can sign up to learn more on our website.
We actually have a workshop coming up on March 29th, which is going to be talking on the topic of local SEO. So if you have a website and you have ever wondered how do I get my website boosted in Google organically when someone searches roofing contractor in La Salle, Illinois; how do I get my website to show up for that. That’s some tips that we’re going to be going over. So that’s going to be going over March 29th, at our office if you are interested, just feel free to contact us.
(Questions for Stephanie)
*Audience Question* I just wanted to give All Web Promotion and in particular Stephanie and Brandee a plug for developing a regional enrichment and they’ve just been awesome. And I really can’t say enough good about them. *Brandee* Thanks, Pat!
*Audience Question* Can we get a copy of your Power Point presentation? *Stephanie* Sure! If you just want to give us your contact information and email we can send that all over to you.
*Audience Question* I saw a guy on TV who had been selling “white list” security instead of Norton or McAfe… PC Man… you didn’t mention that kind of product at all. *Stephanie* I’m not familiar with that one, but I could research that and let you know. It is something you always want to research with anti-virus, because a big thing is there are a lot of programs out there that claim to be anti-virus programs, but are actually malware and trojans and malicious software for your computer. So, I haven’t seen the ad. If it’s a legitimate commercial, it might be something worth looking into. If it was an infomercial, I probably wouldn’t download that. *Brandee* It kind of like reminds me of those pop-up ads that you get on your computer. It’ll say like you have ten viruses, download this now to take care of it, which is a complete trap. So it’s better to be careful. *Audience Question* Is there any way to block that? *Brandee* The pop ups?
*Audience Question* Yeah. *Stephanie* Chrome and Firefox have some add-ons that you can put on there that will block ads in general. Probably some simple advice on that. That’s a good thing to watch out for too, I didn’t mention. If you’re downloading an anti-virus or stuff, make sure you are on the actual manufacturer’s website, the official site, to get it, because a lot of places will make it look like you are downloading that product and you are not, and it’s a bad program and things like that. Especially, even sites where you can get legitimate downloads, a lot of the time there are ads that look like download buttons and you’re just all like “there’s 10 download buttons, what do I click?” So you’ve gotta be really vigilant about that. *Brandee* Yeah and those pop-up ads, so they try to trick you sometimes. And they’ll say like a big “X” button that says like close or something in the middle of the ad, which is probably actually a download button. So always close out those pop-ups by the actual X button that’s in that top right-hand corner. Yeah, they will try to like trick you in other ways to download it.
*Audience Question* Is really the end-game for people to spend that much time to try to be nefarious and do things with your computer, just to get information to make money from it? I mean, what other motivation is there for somebody to do that? *Stephanie* It’s all money-based. So, at the end of the day, whether they’re installing a key logger on your computer to get your passwords or anything like that, they’re trying to get your personal identification, to get your banking information, or to steal your identity and things like that. And you might think it’s a lot of effort, but actually I just read a blog post from Yahoo that referenced another dude’s article, and low-wage workers like in Bangladesh, India and stuff like that; people will actually pay them, it averages from $.80 to $1.20, to try to get past 1,000 Captcha forms. So there are people in these other countries willing to work very cheap to do all of this stuff en masse. So it is worth the effort for some people. They are creative. They are outsourcing their own nefarious business. And that happens a lot. Just like when you hear about, if you get rid of your computer you should always destroy your hard drive and stuff like that. When computers get recycled, they get all of these hard drives and sell these hard drives; they usually end up in West Africa. Usually in places like Kenya, Ghana, and stuff like that. That is where a lot of internet fraud comes from. Especially if they are getting your credit card information off of your site. Like Nikki mentioned in my introduction, I used to work for a large ecommerce retailer. And I ran the live chat department, and with the chat software you could actually see where people were chatting from. And we’d look late at night, at 3am and stuff like that, and you could see that there were people from Russia just constantly going through the checkout trying different credit card numbers.
So it’s very interesting, but the end game is yes, to get your financial information, to steal your identity, and to make money off of you.
*Audience Question* Part 2 of that is, how do you, how do we just in the home wipe out the machine when we are ready to get rid of it? *Stephanie* There are a couple of different, like, military-grade wiping programs that you can use. If you want to give us your contact information I can send you a link. Another thing is a lot of people just physically destroy their hard drive. *Brandee* Yeah, if you are done with the computer and you are not passing it along to anyone else, you can just take your hard drive out and we just drill a hole through it. You just want to make sure that you actually get the disk. If you break that disk inside the hard drive, you’ll be good. But there are actually software tools that, if you, like, restore or wipe the hard drive, sometimes it’s not always gone. There are tools that they could use to go back and recover some of your information. So we just recommend that when you’re actually done with that computer, it’s old, you’re going to throw it out, take the hard drive out and destroy it, whether with a hammer or a drill. *Stephanie* If you are passing it on, like I said, get a quality program. These are not something that’s going to be something light. They will go through, if you run this, it will take like 2 days and it will just continue to write over your hard drive like a zillion times until any information on it is not readable anymore.
*Host* Any more questions today? Ok, thank you ladies. *Applause*