Thursday 25 July 2013

Security Tips #1 : Making your online presence safe




Here is my first blog article on security. It has become a common question nowadays how much security is needed to keep attackers/hackers out. There is no single answer, since absolute security cannot be guaranteed. But below are some measures we can take to protect ourselves from the obvious risks.


1) Having a strong password and changing it frequently


This has been the standard advice for many years, and a controversial one. But it might be a little outdated.


The following research paper from Microsoft outlines all of this in an excellent manner.


http://research.microsoft.com/pubs/74162/hotsec07.pdf


Considering how user accounts are actually hacked, a strong password alone does not accomplish much, and it is a burden on the user to remember. Instead we can focus on having a password that we can remember and that is a little different from obvious ones such as 'password' or your own phone number, which are vulnerable to guessing attacks.


In addition to this, many systems have a 'three strike' rule: after you enter your password wrong a few times, the security system activates and presents a captcha, which prevents automated scripts from performing brute force attacks. Facebook and most others also send the user an e-mail saying that there have been recent failed attempts to access your account and offering help with a password reset.


But there are some sites which do not offer any kind of protection against brute force, i.e. no captcha or other security measures. In such a case a strong password does help a great deal.
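
The 'three strike' rule and the check against obvious passwords, as an added Python example (not code from the original post or from any of the sites it names). The password list, the 15 minute window and the three-attempt limit are assumptions chosen for the example; the password store uses salted PBKDF2 so that a leaked database does not hand out plaintext passwords.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict

# A few of the "obvious" passwords the article warns about. This list is
# constructed for the example; a real deployment would use a large breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abc123"}

MAX_FREE_ATTEMPTS = 3               # the "three strike" rule (assumed value)
FAILURE_WINDOW_SECONDS = 15 * 60    # failures older than this no longer count
PBKDF2_ROUNDS = 100_000


def is_obvious_password(password, phone_number=None):
    """True for the guessable choices the article names: dictionary words,
    your own phone number, all-digit or single-character strings."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    digits = re.sub(r"\D", "", password)
    if phone_number and digits and digits == re.sub(r"\D", "", phone_number):
        return True
    return password.isdigit() or len(set(password)) <= 1


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(stored, candidate):
    salt, digest = stored
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, cand)   # constant-time comparison


class LoginGuard:
    """Counts failed logins per account and demands a captcha after three,
    so an automated guessing script is stopped after its third strike."""

    def __init__(self, users, clock=time.time):
        self.users = users            # account -> (salt, digest)
        self.clock = clock            # injectable so tests can move time forward
        self._failures = defaultdict(list)

    def _recent_failures(self, account):
        cutoff = self.clock() - FAILURE_WINDOW_SECONDS
        kept = [t for t in self._failures[account] if t > cutoff]
        self._failures[account] = kept
        return kept

    def captcha_required(self, account):
        return len(self._recent_failures(account)) >= MAX_FREE_ATTEMPTS

    def attempt(self, account, password, captcha_solved=False):
        """Returns 'ok', 'denied', or 'captcha' (the challenge must be solved
        before another password is even checked)."""
        if self.captcha_required(account) and not captcha_solved:
            return "captcha"
        stored = self.users.get(account)
        if stored is not None and check_password(stored, password):
            self._failures[account].clear()
            return "ok"
        # Unknown accounts are counted too, so the response does not reveal
        # whether the account exists.
        self._failures[account].append(self.clock())
        return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    guard = LoginGuard(users)
    for guess in ("password", "alice123", "letmein", "hunter2"):
        print(guess, "->", guard.attempt("alice", guess))
```

After the third wrong guess the fourth call returns 'captcha' even when the password is right; only once the captcha is solved is the password checked again and the counter reset.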

2) Reviewing recent login information


In addition to passwords, reviewing recent account activity is a great way to keep your account safe. Some sites like Facebook offer real-time login notifications to your mobile by SMS, and in Gmail you can actually view which systems accessed your account, by IP address and location. This helps us keep track of who is logging in and when.


Some hacking techniques involve stealing your login cookie rather than learning your password. So when you see suspicious activity in your account, change your password: that voids the cookie, so the attacker can no longer log in using it. Of course this depends on the architecture of the application you are using, but most popular sites have this built in. The quicker we do this, the more damage we prevent.
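
How a site can make a password change void every cookie issued before it, and keep the login history a user later reviews, as an added Python example (not from the original post or from any site it names). Cookies here are HMAC-signed tokens carrying a per-account "password generation" counter; the signing key, the 14 day lifetime and the record layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key, generated here for the example; a real one would
# live in a secret store and survive restarts.
SIGNING_KEY = secrets.token_bytes(32)
SESSION_LIFETIME = 14 * 24 * 3600   # assumed cookie lifetime in seconds
SIG_LEN = 32                        # SHA-256 output length


class AccountStore:
    """Per account: the current password generation (bumped on every password
    change) and the login history that is shown back to the user for review."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.generation = {}        # username -> int
        self.history = {}           # username -> [login records]

    def _sign(self, payload):
        return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()

    def issue_cookie(self, username, ip, user_agent):
        """Mint a login cookie and record the login (time, IP, browser)."""
        gen = self.generation.setdefault(username, 0)
        record = {"user": username, "gen": gen, "iat": int(self.clock()),
                  "ip": ip, "ua": user_agent}
        self.history.setdefault(username, []).append(record)
        payload = json.dumps(record, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload + self._sign(payload)).decode()

    def resolve_cookie(self, token):
        """Return the username if the cookie is genuine and still current, else None."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
            if not hmac.compare_digest(sig, self._sign(payload)):
                return None                       # forged or tampered
            record = json.loads(payload)
        except (ValueError, TypeError):
            return None
        user = record["user"]
        if record["gen"] != self.generation.get(user):
            return None                           # minted before the last password change
        if self.clock() - record["iat"] > SESSION_LIFETIME:
            return None                           # simply too old
        return user

    def change_password(self, username):
        """Bumping the generation voids every cookie issued so far, including
        one an attacker may have stolen."""
        self.generation[username] = self.generation.get(username, 0) + 1

    def recent_activity(self, username, limit=10):
        """What the user reviews: each login with a flag for a never-seen IP."""
        seen, out = set(), []
        for rec in self.history.get(username, []):
            out.append({**rec, "new_ip": rec["ip"] not in seen})
            seen.add(rec["ip"])
        return out[-limit:]
```

A stateful session table could instead be wiped on password change; the generation counter achieves the same for stateless signed cookies, where the server holds no list of outstanding sessions to delete.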


3) Using modern browsers


IE6 is probably the worst browser you can use in terms of usability and security. It has many security issues, and many companies such as Google have dropped support for it. If you are using this version of IE, it is high time you updated to IE 8 or later if you are particular about Internet Explorer; if not, any latest version of Firefox or Chrome is good.


Basically the idea is to use something current and well supported, and fixes in Chrome and Firefox arrive a lot quicker. That does not mean you cannot use IE; we can always use it as long as it is updated with the latest patches/updates.


4) Using HTTPS for sites


Many popular web platforms that we use, such as Gmail, Yahoo and Facebook, have options to enable HTTPS for all sessions/actions. HTTPS prevents people from sniffing your traffic, which you are most exposed to when browsing over a public Wi-Fi.


Gmail has HTTPS enabled by default. Yahoo Mail does not, but we can change that with a simple configuration change in account settings. The same goes for Facebook, LinkedIn and many other sites. It offers protection against the basic man in the middle (MITM) attack. There are more sophisticated attacks that can be performed to break or bypass HTTPS, but as a user, enabling HTTPS raises the security to a considerable level.


Points to note in an HTTPS session:

    (i) Make sure that the HTTPS session is not broken. Most browsers show a lock symbol indicating this. If there is no lock symbol and the URL is still HTTPS, then you have a broken HTTPS session, and we should avoid doing critical transactions in it.

    (ii) The site's certificate is issued by a Certificate Authority (CA), a trusted third party that verifies the site's identity. Each browser has its own list of trusted CAs; some of them are linked below. Although it is difficult to validate each and every CA, it is good practice just to check who has verified the site. In case of something fishy, you can always look up the CA in your browser's list or google it. If you don't find it, then probably you are using a manually installed certificate, or possibly the HTTPS session is compromised.

Chrome and IE's root CA list : http://support.microsoft.com/kb/931125

Firefox root CA list : http://www.mozilla.org/projects/security/certs/included/

Apple's root CA list : http://www.apple.com/certificateauthority/

The following link will help us understand why SSL certificates are required and what they are used for

http://security.stackexchange.com/questions/6737/what-is-an-ssl-certificate-intended-to-prove-and-how-does-it-do-it
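
One common reason a browser withholds the lock symbol in (i) is that an HTTPS page loads some of its resources (scripts, stylesheets, images) over plain HTTP, so part of the page can still be sniffed or tampered with. The following Python scanner, an added example and not code from the original post, finds such resources in a page's HTML. The sample HTML is constructed; the tag/attribute table and the active/passive split cover the common cases but are an assumption rather than the full list browsers use.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource. Constructed for the
# example; browsers also handle CSS url(), fonts, XHR and more.
FETCH_ATTRS = {
    "script": ("src",), "iframe": ("src",), "link": ("href",),
    "object": ("data",), "form": ("action",),
    "img": ("src",), "audio": ("src",), "video": ("src",), "source": ("src",),
}
# Active content can change the page (run code, replace style, post a form);
# passive content such as images can only be observed or swapped.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "form"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for wanted in FETCH_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != wanted or not value:
                    continue
                # Relative and scheme-relative ("//cdn/...") URLs inherit the
                # page's scheme, so only an explicit http:// is a finding.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append({
                        "tag": tag, "attr": wanted, "url": absolute,
                        "kind": "active" if tag in ACTIVE_TAGS else "passive",
                    })


def find_mixed_content(page_url, html):
    """List plain-HTTP subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []   # only an HTTPS page can be "broken" by HTTP subresources
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two clean references and four insecure ones.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/tracker.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="/static/safe.png">
<form action="http://example.com/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content("https://example.com/account", SAMPLE_HTML):
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}")
```

The 'active' findings are the ones that matter most: a script or stylesheet fetched over HTTP lets anyone on the same Wi-Fi inject code into an otherwise encrypted page, which is exactly why browsers refuse to show the lock for it.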



5) Two-factor Authentication


Two-factor authentication is the process of adding another system into the picture to enhance security, i.e. you have two levels of security: one is obviously your machine, and the next can be something like a security token. Tokens are basically of two types, hard and soft. Here we are concerned with soft tokens.


Gmail, Yahoo and Facebook all offer two-factor authentication, turned off by default. We can enable it with the help of our mobile phones. Whenever we log in we get a soft token in the form of an SMS; this is in addition to the password, and it is usually a One Time Password (OTP).


This makes things difficult for hackers: even if they know your password, they also need the OTP to take over your account, which is in general very difficult.


Caveat : Make sure you have backup codes noted somewhere safe in case you lose your phone, without which it is very difficult to access or recover your account.
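
The server side of the SMS one-time password described above, together with the single-use backup codes from the caveat, as an added Python example (not code from the original post or from any of the sites it names). The SMS sender is a stub callable supplied by the caller, and the five minute lifetime, three-guess limit and code lengths are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_LIFETIME = 5 * 60      # seconds the SMS code stays valid (assumed)
OTP_MAX_TRIES = 3          # guesses allowed before the code is discarded (assumed)
BACKUP_CODE_COUNT = 10


def _digest(value):
    # Codes are stored hashed, so a database leak does not expose live codes.
    return hashlib.sha256(value.encode()).digest()


class SecondFactor:
    """Issues and checks SMS one-time passwords and backup codes."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(phone, text); real SMS gateway in production
        self.clock = clock
        self.pending = {}             # username -> {"hash", "expires", "tries"}
        self.backup = {}              # username -> set of hashed unused codes

    def start(self, username, phone):
        """Generate a fresh OTP after the password check succeeded and send it."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = {"hash": _digest(code),
                                  "expires": self.clock() + OTP_LIFETIME,
                                  "tries": 0}
        # The plaintext code leaves the server only inside the SMS.
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, username, submitted):
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[username]
            return False
        entry["tries"] += 1
        if hmac.compare_digest(entry["hash"], _digest(submitted)):
            del self.pending[username]         # single use
            return True
        if entry["tries"] >= OTP_MAX_TRIES:
            del self.pending[username]         # stops guessing all 10^6 values
        return False

    def issue_backup_codes(self, username):
        """Codes are shown to the user once; only their hashes are kept."""
        codes = [secrets.token_hex(4) for _ in range(BACKUP_CODE_COUNT)]
        self.backup[username] = {_digest(c) for c in codes}
        return codes

    def use_backup_code(self, username, code):
        """Each backup code works exactly once."""
        h = _digest(code)
        remaining = self.backup.get(username, set())
        for stored in remaining:
            if hmac.compare_digest(stored, h):
                remaining.remove(stored)
                return True
        return False


if __name__ == "__main__":
    sf = SecondFactor(send_sms=lambda phone, text: print(f"SMS to {phone}: {text}"))
    sf.start("alice", "+1-555-0100")
    print("backup codes:", sf.issue_backup_codes("alice"))
```

Two details carry the security: the code is single use and expires, so a code read over someone's shoulder is worthless minutes later, and the guess limit means an attacker who holds the password still cannot cycle through the six digits.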


These are the security tips most users are not aware of, and they apply across many sites in a generic way. They can be thought of as a must have. But of course the best place to get more security tips is the web sites' own help pages.

Gmail : http://www.google.co.in/goodtoknow/online-safety/


Facebook : https://www.facebook.com/help/ and then navigate to security


Yahoo : http://security.yahoo.com/ 


Linkedin : http://help.linkedin.com/app/answers/detail/a_id/267


and the list goes on.


Note : The above links might change, so google for them if one is broken.

Do keep up with the latest security practices on any sites that you are using.