Home » Online security

Online security

This page has absolutely nothing to do with the Happy Valley! It has everything to do with helping all online users better manage their security and avoid becoming a hacking statistic. I don’t like the hassle of security any more than you. I do have the advantage over most people of …

  1. Having an understanding of what the threats are,
  2. Knowing how to evaluate the risks, and
  3. Knowing how to protect myself.

I have spent about 40 years of my life working on the subject so I have learnt a bit about it. In this page I want to provide you with a list of the simplest possible actions that can save your online life.

Internet Safety Guide for Kids*

* This excellent Internet Safety Guide for Kids is an American website. The Happy Valley website and its administrators have no personal interest in the site.

The threats we all face

There was a time, in the late 1980s, early 1990s, when the only technical threat we had to worry about was picking up a computer virus. They were a huge nuisance if you got one, and cleaning up after an attack could take all day, especially if you wanted to save your data. They were randomly spread on floppy disks (remember those!). The answer was to never put a floppy in your PC without having first scanned it.

Today the threats come from huge numbers of techniques and methods of spread. Most are incredibly devious, developed by very good programmers who often hail from Russia, China, and other far Eastern countries. Most of these threats depend on finding weaknesses in computer systems in order to gain access to carry out their nasty activities. Here are some of the nasties …

  • Viruses – wide variety of damage;
  • Malware – theft of or damage to data, including encrypting for ransom;
  • Silent use of your machine as a (ro)’bot’ – remote controlled to be used for other forms of attack;
  • Data loss – deleted, corrupted or stolen.

Of course, the greatest weakness of all is you, the online user! This is especially true when it comes to emails – often the easiest way for criminals to get into your IT system is by sending an email designed to trick the recipient into clicking on a link to a rogue web site, or getting the reader to enter data such as their logon and password. The crook records this and then uses it to make his own entry into the system in order to steal or abuse data. Going to a rogue web site can result in an innocuous looking page that carries unseen within it program code, known as malware, that can now access data within your system.

What is the risk of being attacked

Very high indeed. Most networks, such as your router, are being polled (approached from outside) hundreds or thousands of times every day. Any access obtained provides an opportunity to attack the systems on those networks. Most systems have security weaknesses which the hackers will often know about before you do.

Every email you receive is a potential attacker. I get several dozen emails every day – at least 50% of those pose some form of attack, mostly carrying links to what are known as malware web sites. Click on one of these links and your computer – PC, laptop, tablet, smart phone – will be loaded with software that will be doing you no good.

There exists a database of stolen email addresses together with their passwords (in plain text). The version at time of writing this (02/2019) contains about 2.2 billion email addresses! Yours is almost certainly in there. Some of mine are. Further down I show you how to find out if yours is there.

If you use the same password for more than one purpose you increase your risk level enormously – once your password is exposed on one service the hackers will test it on all other services that interest them. The process is entirely automated and takes a few milliseconds (thousandths of a second) to test your email and password on thousands of services.

Many web sites are highly dubious. These days most sites collect personal information. Much information is automatically transmitted by the simple act of requesting a web page. Some sites download program code with the page you asked for. This code can do a multitude of undesirable things, but all try to scavenge information from your system. The worst kind will leave code running in your system long after you have finished with the original page, sending anything it considers useful back to base. The most useful are bank details, other financial information, your contacts list with all their details, etc.

Help! How do I protect myself?

There are a number of things to do. They are all straight forward, relatively simple to carry out. If you are presently poor at security, doing just these things will very dramatically improve your security.

  1. Stop sharing passwords on more than one service. You don’t have to remember dozens of passwords! Install a password manager. There are several available and the four main ones are all rated as good: LastPass, KeePass, 1Password and Apple’s Keychain. I have used LastPass which is generally considered to be the best of the bunch. I have previously described it here. However, then it was a free program, but now it is only free if you restrict its use to one class of devices such as PCs or mobiles. If you have both classes you certainly need it to work across them both in which case they require you to subscribe and it’s not cheap. I am looking for another product. Apple’s Keychain was limited to use on Apple products, but they have developed it to also encompass Windows machines – your phone or tablet must be iPhone or iPad. This product was launched in January 2021, but unfortunately withdrawn in February 2021. I await a re-launch. I am now using Bitwarden and while it doesn’t have all the features of LastPass, it is very adequate and I am very happy with it. It was very easy to implement and could take over the password vault from LastPass.
  2. Use a good virus scanner. One of the oldest computer security tools, and still very essential, they protect you from a lot more than viruses. Set it to automatically update. Most of the good ones update their test codes every day in order to ensure that they are checking for the latest threats. There are several available, from the heavily marketed to the less well known but still very good ones. More on this below.
  3. Update your systems. Most computer system providers, Microsoft, Apple, Google, etc., publish updates monthly. I follow what Microsoft and Apple are updating, and every month without fail there are patches to security problems. These are often weaknesses that have not been previously published (so hopefully the hackers didn’t know about them), but often they include weaknesses that are already being exploited by the criminals. I recommend that you update your system three or four days after the update becomes available. If you set your system to update automatically it will save you having to remember and intervene, and it’ll probably be a few days before the automatic system gets round to you anyway.
  4. Use Two Factor Authentication (2FA). Sometimes known by other names such as Two Step Authentication. Many services now provide this as an option. On some banking services it is a requirement. The idea is that you use a password followed by an additional method of confirming your authenticity, such as by entering a code that has been sent to you in a message, or your finger impression on the finger print reader on your phone. It means that a password cannot be used without you having (usually) your phone with you – it means your stolen password is useless in the hands of others because they don’t have your phone (or other device) to hand. My bank supplies a phone app to generate a one time code – I use my fingerprint on the app and it gives me a six digit code to type in on the PC, but this may just as easily be done for other services using a separate device.
  5. Secure your router. This could be the most tricky item in this list. It is crucially important. If you have a fairly modern router it is almost certainly secure by default. If you have an old router, then it may not be secure if you didn’t set it up secure when you installed it. Frankly, if it’s old enough to fall into the latter category, then don’t bother trying to secure it – get a modern router. If you use BT, Virgin or Sky as your broadband supplier they may well send you the latest model free on request. BT will do so by default if you upgrade any aspect of your broadband or phone service.
    Your router not only controls access to your wired network, but also to your WiFi service. It is essential that your private WiFi is protected from those who are not supposed to be using it. Your WiFi may be good in the house, in which case it will also be good outside the house – you don’t want Joe Soap or John Doe either using your WiFi service or listening in to what you are doing online! Make sure it is password protected.
    Public WiFi services in public buildings, pubs and shops often don’t require a password, or widely publicise their obvious password. Such systems are often being listened too by miscreants trying to steal personal information and passwords and these systems should not be used for banking or other sensitive services.
    Related to your router is the configuration of your Ethernet network – that’s the connection between your router and the PC. There is a page describing a simple configuration change to provide additional DNS protection – Quad9.
  6. Encrypt your data. It is a simple matter to maintain all your data in encrypted form. This is especially important if you are running a business – in fact it is pretty well mandatory under GDPR Data Protection regulations for some types of business and very good practice for all others as well as for all personal data. You need the confidence that should your device get broken into or stolen by criminals, they cannot read and misuse any of your data.
    Most systems* provide a simple process for switching on encryption after which encryption and decryption are entirely automatic without intervention from you the user. It is however ESSENTIAL to remember the encryption code (needs to be totally different from any logon password and not stored in the password manager!) It is good practice to store a written copy of the code in a secure place which is generally not accessible to others. Encrypted data cannot ever be decrypted without the correct code! Lose the code, you’ve lost the data.

    * It may be necessary to buy a more advanced version of your system to obtain encryption functionality. Windows 10, for instance, only provides this with the Pro version, which is not usually supplied with domestic PCs.

  7. Back up your data! It is heartbreaking to read of people who have crashed a disk, had their laptop stolen, or lost a smartphone, and suddenly realise they have lost all their data files, those irreplaceable pictures, and in the worst cases their entire business information! And this agony could all be avoided by setting up a regime of backing up the device.
    The old way – which is still perfectly valid – is to run a backup program every day or week to copy your data to a separate disk drive, one that is used only for backup purposes. A full backup will copy all your data in one go. You need to do this to get your backup regime going, and on a big system it may take some time. You can then run incremental backups that only copy new files or files that have been updated since the previous backup – much quicker. Only ever connect your backup disk to the computer while a backup is taking place. Never leave it connected between backups otherwise you run the risk of it being tampered with if a nasty gets into your machine.

    The new way – use a cloud service. There are many services available so you need to choose one that suits your needs. You probably already have access to a free cloud service that will take up to 5GB and offer you additional space for a fairly low fee. Amongst the services that may already be available to you for free include Microsoft, Apple, Google, and Amazon. For example, iPhones come with access to Apple’s iCloud service. The free space is unlikely to be enough for long, especially if you take many pictures, but they offer a substantial upgrade for as little as 70p per month.

    The cloud services normally perform dynamic uploads – you don’t have to remember to run a program, they just upload every file when it is created or updated. Beware of blowing your data allowance on a phone or tablet, especially if you are maintaining large files! Your data will be encrypted before it is transmitted, and stored encrypted. If you later have to download it, the data will be decrypted for you.

    Windows 10 has a facility to maintain data history. You need a separate (probably freestanding) disk which will be dedicated to the history files. It records every version of files that you create and update, so if you damage or inadvertently delete a file you can go and retrieve it or an older version in seconds. I use a 2TB disk for the history device. It will fill up with multiple versions of active files, and when it does so, the oldest versions will be automatically deleted to free up space.

Useful links …

Has your email and password been exposed to hackers? Are you getting scam emails leading you to give away information that can result in an empty bank account? There are a some web sites that can help you:

  • Which? Scams Protection Toolkit. This page provides lots of useful information on how to spot online scams, together with a list of other useful links and support bodies. You can also register for the Which? Scams Alert service.
  • Have I Been Pwned. No that’s not a spelling mistake! It’s the computer trade and their silly words! Pwned is pronounced ‘powned’ (rhymes with ‘owned’) and it means broken into, owned. They will tell you whether your email and password are available to all-comers. If yes, change your email password now, and make it a good one! (see password manager above).
  • Identity Leak Checker (HPI). This will send you an email containing the result of your check, and usefully, it will also tell you which original service your email address was stolen from. Immediately change your passwords on all the services listed!

Improve your password security …

  • How to pick a proper password [text and VIDEO]. If you use a password manager, it will create a high quality password for you.
  • 5 minute fix – How to use a Password Manager. For a short description on password managers written by a respected security professional have a look at this Sophos page. This is your big opportunity to increase your password length to at least 32 characters with a random mix of a-z, A-Z, 0-9 and £$%^&*()_+:@~#! And you don’t have to remember any of it! Length and mix are variable to accommodate web sites that can’t yet cope with the ideal password.

Don’t forget the virus checker …

  • A good free virus checker. The Sophos Home virus checker is a domestic version of a corporate product – it is slim and doesn’t hog your machine, you always know it’s there, but it doesn’t keep popping up without good reason, it doesn’t try to sell you anything, and it is very effective. If you have multiple PCs you can put it on them all and manage them all from one. There is a more advanced version for a competitive annual cost.

And Finally …

Don’t forget to take special care of your children and their use of online technology …

And if you really don’t want to use a password manager, then at least ensure that you are using quality passwords, and a different one for every service! You might like to watch this video to help you …

Many of the links lead to Sophos Ltd pages and products. While I have known this company for more than 30 years, and always considered their advice and products to be excellent, I must assure you that I have no personal or commercial connection with the company other than that I use the paid for version of Sophos Home on my Windows 10 PCs and Apple products, indeed, is now available for Macs, iPads, iPhones and Android.

Tim Boddington, the author of this page, now retired, had a career in information security with one of the UK’s largest companies. His security standards were used as the basis for the British Standard for Information Security which was itself used as the basis for the relevant ISO standard. He contributed to the original UK Data Protection Act and the UK Computer Misuse Act. He was awarded Fellowship of the British Computer Society in recognition of his contribution to information security.