Home » Online security

Online security

This page has absolutely nothing to do with the Happy Valley! It has everything to do with helping all online users better manage their security and avoid becoming a hacking statistic. I don’t like the hassle of security any more than you. I do have the advantage over most people of …

  1. Having an understanding of what the threats are,
  2. Knowing how to evaluate the risks, and
  3. Knowing how to protect myself.

I have spent 40+ years of my life working on the subject so I have learnt a bit about it. In this page I want to provide you with a list of the simplest possible actions that can save your online life.

Internet Safety Guide for Kids*

* This excellent Internet Safety Guide for Kids is an American website. The Happy Valley website and its administrators have no personal interest in the site.

The threats we all face

There was a time, in the late 1980s, early 1990s, when the only technical threat we had to worry about was picking up a computer virus. They were a huge nuisance if you got one, and cleaning up after an attack could take all day, especially if you wanted to save your data. They were randomly spread on floppy disks (remember those!). The answer was to never put a floppy in your PC without having first scanned it.

Today the threats come from huge numbers of techniques and methods of spread. Most are incredibly devious, developed by very good programmers who often hail from Russia, China, and other far Eastern countries. Most of these threats depend on finding weaknesses in computer systems in order to gain access to carry out their nasty activities. Here are some of the nasties …

  • Viruses – wide variety of damage, but more often today linked to …
  • Malware – theft of or damage to data, including encrypting for ransom;
  • Silent use of your machine as a (ro)’bot’ – remote controlled to be used for other forms of attack;
  • Data loss – deleted, corrupted or stolen, theft of intellectual property, theft of banking info and access;
  • Fraud – deceiving you into parting with financial information.

Of course, the greatest weakness of all is you, the online user! This is especially true when it comes to emails – often the easiest way for criminals to get into your IT system is by sending an email designed to trick the recipient into clicking on a link to a rogue web site, or getting the reader to enter data such as their logon and password. The crook records this and then uses it to make his own entry into the system in order to steal or abuse data. Going to a rogue web site can result in an innocuous looking page that carries unseen within it program code, known as malware, that can now access data within your system.

What is the risk of being attacked

Very high indeed. Most networks, such as your router, are being polled (approached from outside) hundreds or thousands of times every day. Any access obtained provides an opportunity to attack the systems on those networks. Most systems have security weaknesses which the hackers will often know about before you do.

Every email you receive is a potential attacker. I get several dozen emails every day – many pose some form of attack, mostly carrying links to what are known as malware web sites. Click on one of these links and your computer – PC, laptop, tablet, smart phone – will be loaded with software that will be doing you no good.

There exists a database of stolen email addresses together with their passwords (in plain text). This contains well over 2 billion email addresses! Yours is almost certainly in there. Some of mine are. Further down I show you how to find out if yours is there.

If you use the same password for more than one purpose you increase your risk level enormously – once your password is exposed on one service the hackers will test it on all other services that interest them. The process is entirely automated and takes a few milliseconds (thousandths of a second) to test your email address and password on thousands of services.

Many web sites are highly dubious. These days most sites collect personal information. Much information is automatically transmitted by the simple act of requesting a web page. Some sites download program code with the page you asked for. This code can do a multitude of undesirable things, but all try to scavenge information from your system. The worst kind will leave code running in your system long after you have finished with the original page, sending anything it considers useful back to base. The most useful are bank details, other financial information, your contacts list with all their details, etc.

Help! How do I protect myself?

There are a number of things to do. They are all straight forward, relatively simple to carry out. If you are presently poor at security, doing just these things will very dramatically improve your security.

  1. Stop sharing passwords on more than one service. You don’t have to remember dozens of passwords! Install a password manager, or use the password saving facility on your browser. There are several proprietary password managers available and the four main ones are all rated as good: LastPass, KeePass, 1Password and Apple’s Keychain. Apple’s Keychain was limited to use on Apple products, but they have developed it to also encompass Windows machines – your phone or tablet must be iPhone or iPad. This product was launched in January 2021, but unfortunately withdrawn in February 2021. It will no doubt be available again. I am now using Bitwarden and while it doesn’t have all the features of LastPass, it is very adequate and I am very happy with it. It was very easy to implement. The leading browsers also now provide password saving facilities, but before using check that the browser is available of all your devices and provides password synchronisation across devices, and that you are happy to use that browser on each of your devices, try it out and if OK set it as the default on each device.
     
  2. Use a good virus scanner. One of the oldest computer security tools, and still very essential, they protect you from a lot more than viruses. Set it to automatically update. Most of the good ones update their test codes every day in order to ensure that they are checking for the latest threats. There are several available, from the heavily marketed to the less well known but still very good ones. More on this below.
     
  3. Update your systems. Most computer system providers, Microsoft, Apple, Google, etc., publish updates monthly. I follow what Microsoft and Apple are updating, and every month without fail there are patches to security problems. These are often weaknesses that have not been previously published (so hopefully the hackers didn’t know about them), but often they include weaknesses that are already being exploited by the criminals. If you set your system to update automatically it will save you having to remember and intervene. Nowadays I manually update my systems as soon as I hear of the availability of a update.
     
  4. Use Two Factor Authentication (2FA). Sometimes known by other names such as Two Step Authentication, or Two Step Verification – they’re all the same thing. Many services now provide this as an option. On some banking services it is a requirement. The idea is that you use a password followed by an additional method of confirming your authenticity, such as by entering a code that has been sent to you in a message, or your finger impression on the finger print reader on your phone. It means that a password cannot be used without you having (usually) your phone with you – it means your stolen password is useless in the hands of others because they don’t have your phone (or other device) to hand. My bank supplies a phone app to generate a one time code – I use my fingerprint on the app and it gives me a six digit code to type in on the PC, but this may just as easily be done for other services using a separate device.
     
  5. Secure your router. This could be the most tricky item in this list. It is crucially important. If you have a fairly modern router it is almost certainly secure by default. If you have an old router, then it may not be secure if you didn’t set it up secure when you installed it. Frankly, if it’s old enough to fall into the latter category, then don’t bother trying to secure it – get a modern router. If you use BT, Virgin or Sky as your broadband supplier they may well send you the latest model free on request. BT will do so by default if you upgrade any aspect of your broadband or phone service.
     
    Your router not only controls access to your wired network, but also to your WiFi service. It is essential that your private WiFi is protected from those who are not supposed to be using it. Your WiFi may be good in the house, in which case it will also be good outside the house – you don’t want Joe Soap or John Doe either using your WiFi service or listening in to what you are doing online! Make sure it is password protected.
     
    Public WiFi services in public buildings, pubs and shops often don’t require a password, or widely publicise their obvious password. Such systems are often being listened too by miscreants trying to steal personal information and passwords and these systems should not be used for banking or other sensitive services.
     
  6. Encrypt your data. It is a simple matter to maintain all your data in encrypted form. This is especially important if you are running a business – in fact it is pretty well mandatory under GDPR Data Protection regulations for some types of business and very good practice for all others as well as for all personal data. You need the confidence that should your device get broken into or stolen by criminals, they cannot read and misuse any of your data.
     
    Most systems* provide a simple process for switching on encryption after which encryption and decryption are entirely automatic without intervention from you the user. It is however ESSENTIAL to remember the encryption code (needs to be totally different from any logon password and not stored in the password manager!) It is good practice to store a written copy of the code in a secure place which is generally not accessible to others. Encrypted data cannot ever be decrypted without the correct code! Lose the code, you’ve lost the data.

    * It may be necessary to buy a more advanced version of your system to obtain encryption functionality. Windows 10, for instance, only provides this with the Pro version, which is not usually supplied with domestic PCs.
     

  7. Back up your data! It is heartbreaking to read of people who have crashed a disk, had their laptop stolen, or lost a smartphone, and suddenly realise they have lost all their data files, those irreplaceable pictures, and in the worst cases their entire business information! And this agony could all be avoided by setting up a regime of backing up the device.
     
    The old way – which is still perfectly valid – is to run a backup program every day or week to copy your data to a separate disk drive, one that is used only for backup purposes. A full backup will copy all your data in one go. You need to do this to get your backup regime going, and on a big system it may take some time. You can then run incremental backups that only copy new files or files that have been updated since the previous backup – much quicker. Only ever connect your backup disk to the computer while a backup is taking place. Never leave it connected between backups otherwise you run the risk of it being tampered with if a nasty gets into your machine.

    The new way – use a cloud service. There are many services available so you need to choose one that suits your needs. You probably already have access to a free cloud service that will take up to 5GB and offer you additional space for a fairly low fee. Amongst the services that may already be available to you for free include Microsoft, Apple, Google, and Amazon. For example, iPhones come with access to Apple’s iCloud service. The free space is unlikely to be enough for long, especially if you take many pictures, but they offer a substantial upgrade for as little as 70p per month.

    The cloud services normally perform dynamic uploads – you don’t have to remember to run a program, they just upload every file when it is created or updated. Beware of blowing your data allowance on a phone or tablet, especially if you are maintaining large files! Your data will be encrypted before it is transmitted, and stored encrypted. If you later have to download it, the data will be decrypted for you.

    Windows 10 has a facility to maintain data history. You need a separate (probably freestanding) disk which will be dedicated to the history files. It records every version of files that you create and update, so if you damage or inadvertently delete a file you can go and retrieve it or an older version in seconds. I use a 2TB disk for the history device. It will fill up with multiple versions of active files, and when it does so, the oldest versions will be automatically deleted to free up space.

Online shopping

Be very sure that you are shopping on a reputable website. Many popular sites are being spoofed and they will appear high up in a search. You go to them and they look just like the real website for that shop but they are designed to unwittingly extract personal information from you, such as name, email address, password, banking information including your CVS code. Some of this can be used in seconds to defraud you. Always check that the website address at the top of the screen really is the place you want to be. Avoid this risk by keeping all your regular website links in a text document such as a Word document, then you will know that you will always be going to the correct site.

Get yourself a PayPal or similar account with which to make payments online. This will avoid you having to provide your banking details to each online shop. If a crook tries to shop with your PayPal account you will get a screen on your phone/PC requesting confirmation of the purchase. If it’s not you buying then you can stop the transaction right there. Only in some circumstances do some banks and credit card issuers ask for confirmation.

Useful links …

Has your email and password been exposed to hackers? Are you getting scam emails leading you to give away information that can result in an empty bank account? There are a some web sites that can help you:

  • Which? Scams Protection Toolkit. This page provides lots of useful information on how to spot online scams, together with a list of other useful links and support bodies. You can also register for the Which? Scams Alert service.
  • Have I Been Pwned. No that’s not a spelling mistake! It’s the computer trade and their silly words! Pwned is pronounced ‘powned’ (rhymes with ‘owned’) and it means broken into, owned. They will tell you whether your email and password are available to all-comers. If yes, change your email password now, and make it a good one! (see password manager above).
  • Identity Leak Checker (HPI). This will send you an email containing the result of your check, and usefully, it will also tell you which original service your email address was stolen from. Immediately change your passwords on all the services listed!

Improve your password security …

  • Which? How to create secure passwords. If you use a password manager, it will create a high quality password for you.
  • National Cyber Security Centre – Password Administration. One of the very best sources of all kinds of information security advice and guidance.
  • There is a move (2023) to do away with passwords (hooray!) and replace them with Passkeys. These are undoubtedly safer, easier to use and un-hackable! Two Factor Authentication (2FA) is very secure, but it goes together with a password and can make logging on very laborious. Passkeys eliminate the tedium while improving the security and avoid the necessity of remembering or managing passwords. For you to use them, the system you are logging on to has to be configured to accept them. In 2023 their use is not yet widespread, but over the coming year we can expect them to become the default on most commercial services. 
    Passkeys work by using the security of your mobile phone – you use your finger print, face or PIN to tell your target service that your ID is verified. Some services (at least one bank that I use) already provide a code on the phone to be typed in, but the better users of Passkeys (such as Starling Bank and the NHS app) don’t require anything to be typed, and this will certainly become the standard over the next year or two.

Don’t forget the virus checker …

  • A good free virus checker. The Sophos Home virus checker is a domestic version of a corporate product – it is slim and doesn’t hog your machine, you always know it’s there, but it doesn’t keep popping up without good reason, it doesn’t try to sell you anything, and it is very effective. If you have multiple PCs you can put it on them all and manage them all from one. There is a more advanced version for a competitive annual cost.

And Finally …

Don’t forget to take special care of your children and their use of online technology …

And a final finally …

A single page like this cannot possibly cover all aspects of information security, neither could I provide and maintain additional pages to cover a wider range of security information. However, there are countless websites containing very good information and sound advice. To gain a wider knowledge I recommend you have a look at any or all of the following sites …

… and when you get a scammer’s email please forward it to phishing (report@phishing.gov.uk). This site collects examples of bad emails and seeks out and has removed tens of thousands of scamming web sites, thereby reducing the risk for us all.


Tim Boddington, the author of this page, now retired, had a career in information security with one of the UK’s largest companies. His security standards were used as the basis for the British Standard for Information Security which was itself used as the basis for the relevant ISO standard. He contributed to the original UK Data Protection Act and the UK Computer Misuse Act. He was awarded Fellowship of the British Computer Society in recognition of his contribution to information security.