
Online security

This page has absolutely nothing to do with the Happy Valley! It has everything to do with helping all online users better manage their security and avoid becoming a hacking statistic. I don’t like the hassle of security any more than you. I do have the advantage over most people of …

  1. Knowing what the threats are,
  2. Knowing what the risks are, and
  3. Knowing how to protect myself.

I have spent about 40 years of my life working on the subject so I have learnt a bit about it. In this page I want to provide you with a list of the simplest possible actions that can save your online life.

The threats we all face

There was a time, in the late 1980s, early 1990s, when the only technical threat we had to worry about was picking up a computer virus. They were a huge nuisance if you got one, and cleaning up after an attack could take all day, especially if you wanted to save your data. They were randomly spread on floppy disks (remember those!). The answer was to never put a floppy in your PC without having first scanned it.

Today the threats come from a huge number of techniques and methods of spread. Most are incredibly devious, developed by very good programmers who often hail from Russia, China, and other Far Eastern countries. Most of these threats depend on finding weaknesses in computer systems in order to gain the access they need to carry out their nasty activities. Here are some of the nasties …

  • Viruses – wide variety of damage,
  • Malware – theft of or damage to data, including encrypting for ransom,
  • Silent use of your machine as a (ro)’bot’ – remotely controlled to be used for other forms of attack.

What is the risk of being attacked?

Very high indeed. Most networks, such as your router, are being polled (approached from outside) hundreds or thousands of times every day. Any access obtained provides an opportunity to attack the systems on those networks. Most systems have security weaknesses which the hackers will often know about before you do.

Every email you receive is a potential attacker. I get several dozen emails every day – at least 50% of those pose some form of attack, mostly carrying links to what are known as malware web sites. Click on one of these links and your computer – PC, laptop, tablet, smart phone – will be loaded with software that will be doing you no good.

There exists a database of stolen email addresses together with their passwords (in plain text). The latest version (02/2019) contains about 2.2 billion email addresses! Yours is almost certainly in there. Some of mine are. Further down I show you how to find out if yours is there.

If you use the same password for more than one purpose you increase your risk level enormously – once your password is exposed on one service the hackers will test it on all other services that interest them. The process is entirely automated and takes a few milliseconds (thousandths of a second) to test your email and password on thousands of services.

Many web sites are highly dubious. These days most sites collect personal information. Much information is automatically transmitted by the simple act of requesting a web page. Some sites download program code with the page you asked for. This code can do a multitude of undesirable things, but all try to scavenge information from your system. The worst kind will leave code running in your system long after you have finished with the original page, sending anything it considers useful back to base. The most useful are bank details, other financial information, your contacts list with all their details, etc.

Help! How do I protect myself?

There are a number of things to do. They are all straightforward and relatively simple to carry out. If you are presently poor at security, doing just these things will very dramatically improve your security.

  1. Stop using the same password on more than one service. You don’t have to remember dozens of passwords! Install a password manager. There are several available and the three main ones are all rated as good: LastPass, KeePass, and 1Password. I use LastPass which is generally considered to be the best of the bunch. The name refers to the fact that you will in future need only one password – just one password to remember! How easy is that?! But it does need to be a good one. LastPass will work across all your systems: PC, Mac, iPad and smart phones. It shares one very secure database of passwords across all your systems.
  2. Use a good virus checker. One of the oldest computer security tools, and still essential, they protect you from a lot more than viruses. Set it to update automatically. Most of the good ones update their detection signatures every day in order to ensure that they are checking for the latest threats. There are several available, from the heavily marketed to the less well known but still very good ones. More on this below.
  3. Update your systems. Most computer system providers, Microsoft, Apple, etc., publish updates monthly. I follow what Microsoft and Apple are updating, and every month without fail there are patches to security problems. These are often weaknesses that have not been previously published (so hopefully the hackers didn’t know about them), but often they include weaknesses that are already being exploited by the criminals. I recommend that you update your system three or four days after the updates become available. If you set your system to update automatically it will save you having to remember and intervene, and it’ll probably be a few days before the automatic system gets round to you anyway.
  4. Use Two Factor Authentication (2FA). Sometimes known by other names such as Two Step Authentication. Many services now provide this as an option. On some banking services it is a requirement. The idea is that you use a password followed by an additional method of confirming your authenticity, such as by entering a code that has been sent to you in a message, or your fingerprint on the fingerprint reader on your phone. It means that a password cannot be used without you having (usually) your phone with you – your stolen password is useless in the hands of others because they don’t have your phone (or other device) to hand. My bank supplies its own one-time code device – I enter a PIN and it gives me a six-digit code to type in on the PC, but this may just as easily be done for other services using your phone.
  5. Secure your router. This could be the most tricky item in this list. It is crucially important. If you have a fairly modern router it is almost certainly secure by default. If you have an old router, then it may not be secure if you didn’t set it up securely when you installed it. Frankly, if it’s old enough to fall into the latter category, then don’t bother trying to secure it – get a modern router. If you use BT or Virgin as your broadband supplier they may well send you the latest model free on request.
    Your router not only controls access to your wired network, but also to your WiFi service. It is essential that your private WiFi is protected from those who are not supposed to be using it. Your WiFi may be good in the house, in which case it will also be good outside the house – you don’t want Joe Soap either using your WiFi service or listening in to what you are doing online! Make sure it is password protected.
    Public WiFi services in public buildings, pubs and shops often don’t require a password, or widely publicise their obvious password. Such systems are often being listened to by miscreants trying to steal personal information and passwords, so these systems should not be used for banking or other sensitive services.

Useful links …

Have your email address and password been exposed to hackers? There are a couple of web sites that will tell you the bad (or maybe good) news:

  • Have I Been Pwned. No that’s not a spelling mistake! It’s the computer trade and their silly words! Pwned is pronounced ‘powned’ (rhymes with ‘owned’) and it means broken into, owned. They will tell you whether your email and password are available to all-comers. If yes, change your email password now, and make it a good one! (see password manager above).
  • Identity Leak Checker (HPI). This will send you an email containing the result of your check, and usefully, it will also tell you which original service your email address was stolen from. Immediately change your passwords on all the services listed!

Improve your password security …

  • How to pick a proper password [text and VIDEO]
  • 5 minute fix – How to use a Password Manager. For a short description on password managers written by a respected security professional have a look at this Sophos page. This is your big opportunity to increase your password length to at least 32 characters with a random mix of a-z, A-Z, 0-9 and £$%^&*()_+:@~#! And you don’t have to remember any of it! Length and mix are variable to accommodate web sites that can’t yet cope with the ideal password.
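As an added example (not from this page or from any password manager’s code), the snippet below builds a password of exactly the kind described above, a random mix of a-z, A-Z, 0-9 and the symbol set £$%^&*()_+:@~#!, using the operating system’s cryptographic random source, and estimates the size of the search space an attacker would face. The `length` and `symbols` parameters are adjustable for sites that cannot cope with the full set.

```python
import math
import secrets
import string

# Added example: generate a long random password and estimate its strength.
SYMBOLS = "£$%^&*()_+:@~#!"   # symbol set quoted on the page


def _classes(symbols: str) -> tuple:
    """Character classes in use; an empty symbol set simply drops that class."""
    return tuple(c for c in (string.ascii_lowercase, string.ascii_uppercase,
                             string.digits, symbols) if c)


def generate_password(length: int = 32, symbols: str = SYMBOLS) -> str:
    """Random password from the OS CSPRNG (secrets), guaranteed to contain at
    least one character from every class so site-side rules are satisfied."""
    classes = _classes(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(password: str, symbols: str = SYMBOLS) -> float:
    """log2(alphabet_size ** length) where the alphabet is the union of the
    classes actually present. Valid for random passwords only; a human-chosen
    phrase is far weaker than this figure suggests."""
    size = sum(len(c) for c in _classes(symbols)
               if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(pw):.1f} bits")   # 32 chars over 77 symbols: ~200 bits
```

A 32-character password over this 77-character alphabet gives roughly 200 bits of entropy; an 8-character one from the same set gives about 50, which is why length matters more than cleverness.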

Don’t forget the virus checker …

  • A good free virus checker. The Sophos Home virus checker is a domestic version of a corporate product – it is slim and doesn’t hog your machine, you always know it’s there, but it doesn’t keep popping up without good reason, it doesn’t try to sell you anything, and it is very effective. If you have multiple devices you can put it on them all and manage them all from one. There is a more advanced version for a competitive annual cost.

And Finally …

Don’t forget to take special care of your children and their use of online technology …

And if you really don’t want to use a password manager, then at least ensure that you are using quality passwords, and a different one for every service! You might like to watch this video to help you …

Many of the links lead to Sophos Ltd pages and products. While I have known this company for about 30 years, and always considered their advice and products to be excellent, I must assure you that I have no personal or commercial connection with the company other than that I use the paid-for version of Sophos Home.

Tim Boddington, the author of this page, now retired, had a career in information security with one of the UK’s largest companies. His security standards were used as the basis for the British Standard for Information Security, which was itself used as the basis for the relevant ISO standard. He contributed to the original UK Data Protection Act and the UK Computer Misuse Act.