Fast Track To Secure Everything
YOUR HANDY GUIDE TO EVERYDAY TECHNOLOGY
October 2016 | Volume 11 | Issue 10
A 9.9 Media Publication. Free with Digit. If you have paid to buy this Fast Track from any source other than 9.9 Mediaworx Pvt. Ltd., please write to editor@digit.in with details.

Contents
The basics of cyber-security: Here we list down some common sense best practices that'll go a long way towards keeping you safe online.
Android phone security: The DOs and DON'Ts you need to follow to ensure the security of your beloved Android devices.
iPhone security: Yes, your mighty iPhone is vulnerable. Learn how to secure your beloved iCompanion.
Secure your Windows PC or laptop
Methods to secure your Linux system
Secure your cloud data
Secure your website
INTRODUCTION
You're not safe until you've read this

If you look at some of the hacks and leaks of recent times, the scale of some of them and the nature of the data in others, the popular saying that privacy is a myth in the 21st century won't seem too unbelievable. Be it leaked celebrity photos or corporate data, in each of these cases the effect has always been disastrous for the ones who were hacked. These hacks and attacks were carried out under the effective guise of anonymity that the internet provides. As an unfortunate consequence, the only way you can protect yourself against such threats is by securing yourself.

Security itself is often overlooked and left to the experts. PC users leave it to their antivirus, website owners leave it to their CMS managers, cloud users trust the cloud provider, and so on. Do you know that on average, about 37,000 websites are hacked every day in some form? And that more than 100 billion USD is spent every year to combat cybercrime? The interesting bit is that it's not always the hacker's fault; it's yours! Of course, what they are doing is illegal and with malicious intent. But do you really think that's going to change? On the other hand, the absence of some basic security measures, or some silly oversights, makes their work even easier. Some estimates suggest it takes only 10 minutes to crack a lowercase password that is six characters long. Add two extra letters and a few uppercase characters, and it now takes three years. Add one more character plus some numbers and symbols, and the result will take 44,530 years to crack.

While relying on experts isn't entirely bad, it's essential that you take matters into your own hands. In the chapters to come, we tell you about securing everything, from your smartphone to your laptop, your website to your Wi-Fi router and more. Once you're done with this Fast Track, it would be easier to break into Alcatraz than to break into your devices. We hope!
Chapter #01
WHY DO I NEED CYBER-SECURITY
Millions of accounts hacked! User data leaked! Massive data breach! The need for cyber-security has never been greater than now.

It's probably safe to say that our days begin and end with us peering at some digital screen or another. We wake up to alarms on our phones, check our emails on them, order groceries, services and various other items on them, pay for these utilities online, and capture and store pictures and videos on them, more often of a personal nature than not. We've practically given away huge chunks of our lives to the cloud, and it's very rare for anyone to stop and think of the possibility of our data falling into the wrong hands.

But it's happening here and now, in front of our very own eyes. You'd have to be living under a rock if you don't know about the massive data dumps that have been posted on the internet recently. Large amounts of confidential data, not limited to names and physical addresses but also sensitive information such as credit card details and account passwords, have been compromised, and have generally stemmed from a security breach of a large corporation's servers. And considering our increasing reliance on computer systems and smart devices, including smartphones, televisions and other electronic devices that are part of the Internet of Things, we've only started providing more ammo to hackers and cyber-terrorists looking to create havoc and disrupt our routine.

Such incidents only further emphasize the need to safeguard our data and proceed with caution when giving away personal details on the internet. For those who are still unable to fathom the gravity of the situation and the threat these cyber-criminals pose to our lives, we'll just take a look at some incidents of mass hacking that have had severe consequences for all parties involved.

LinkedIn
If we look at the LinkedIn hack, back in 2012, passwords for nearly 6.5 million user accounts were stolen by Russian cyber-criminals, and many were unable to log into their accounts following the theft. A LinkedIn hack might not seem like such a big deal for those who don't use the website regularly, but the theft in 2012 turned out to be worse than anyone anticipated. In May 2016, an additional 100 million email addresses and hashed passwords were leaked from the same 2012 breach. And soon after the leak, dozens of celebrity Twitter accounts were hacked, including that of Mark Zuckerberg. All signs pointed to the fact that Zuckerberg used the same LinkedIn password for his Twitter account, which is a pretty common mistake. Another problem that was highlighted after analysing the data dump was the lack of password etiquette, despite people being constantly told to keep different

Sony
And who could possibly forget the infamous hacks on Sony servers, once in 2011 and again in 2014. While the 2011 attack led to seven million PlayStation Network and Sony Online Entertainment account details being stolen, including but not limited to credit and debit card information, the 2014 hack reared its ugly head in the form of economic loss. Data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. Millions of dollars were lost because of the leaked movies, and the studio was left worse for wear due to the loss in reputation. It might be worth noting that the 2014 attack was instigated by the release of Sony's The Interview, which the hackers were against, because of

[Image: The movie that ignited the 2014 Sony hack]

Ashley Madison
While most of the data leaked from these dumps is recoverable and might not cause damage to one's personal life, the fallout from the Ashley Madison dump in July 2015 was another story. Ashley Madison is a website that caters to people who are already in relationships but still want to date. Hackers allegedly gained access to millions of records in the website's customer information database and posted 10 GB of personal data of users, including their names and email addresses. Since the website didn't ask for email verification for a profile to be created, many fake profiles were created. And since the company required the owner of the email account to pay money to delete the profile, many people with fake profiles or misunderstood names did not bother getting their accounts shut. All in all, many people ended up having their personal details exposed when they had not intended for that to happen.

LastPass
In another hack with slightly less devastating consequences, LastPass email addresses and encrypted master passwords were compromised in a breach in June 2015. Many password managers, such as LastPass, were created to address the issue that passwords are a notoriously poor form of security. They function by requiring you to remember one strong master

Ransomware
The most current and popular form of virus is Trojan Horse ransomware. Targeted towards Windows users and propagated through emails, this virus will encrypt certain files on the hard drive and any mounted storage connected to it with RSA public key cryptography. The original ransomware on the market was CryptoLocker, and the hackers would demand a ransom (hence the name) in exchange for the decryption key. In June 2014, Operation Tovar took down Evgeniy Bogachev, the leader of the gang of hackers behind CryptoLocker, but many knockoffs are still running around in the market, though the affected user base is a much smaller one. CryptoLocker managed to affect around 500,000 users in its 100 days, and the hackers made off with upwards of $30 million with this heist.
THE BASICS OF CYBER-SECURITY
Here we list down some common sense best practices that'll go a long way towards keeping you safe online.

You might feel that protecting yourself against cyber attacks is a job only for specialists, but that isn't really the case. Also, securing yourself isn't about throwing money at the problem either. Sure, you can choose to shell out a few bucks initially for the sake of convenience, but you don't really need to.

free Wi-Fi user's screen. Such sniffer software intercepts the traffic between the router and the device to filter out important information. These unsecured networks can also be used to plant malware on another network user's device if file sharing has been enabled. Another popular method used by hackers is to set up rogue Wi-Fi hotspots with generic names, fooling unassuming users into connecting to these networks, following which their information can easily be collected.

Considering that necessity generally overrides such concerns, one can take certain basic and inexpensive steps to avoid any mishandling of personal information. If you find yourself needing to connect to public Wi-Fi networks frequently, it'll be worthwhile to invest in a Virtual Private Network (VPN). A VPN is a private network that enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. A bonus is that VPNs will allow you to access blocked and filtered content, hence providing a better internet experience. Most trustworthy VPN services require a monthly subscription of a few hundred rupees, and are certainly worth the expenditure if you're regularly using public networks. Some great VPNs in India are Private Internet Access, Torguard, CyberGhost VPN and TunnelBear, which cost between Rs. 400-800/month. If your usage of public networks is infrequent and you do not need to visit websites with confidential personal information, credit card data and important emails, enabling the Always Use HTTPS option, or simply installing browser add-ons like HTTPS Everywhere, is useful and does the trick. Another useful tip is to turn off device sharing on such networks, so that malicious devices cannot access yours, and to enable the firewall, as discussed before.

is only going to lead to hackers picking up your details, and you'll have only yourself to blame. This process of tricking you into sharing your information is known as phishing. And software that engages in this kind of behaviour is known as scareware. If such software goes a step further and demands money for making your system function properly again, it is known as ransomware.

In a very common practice, many users receive mails from seemingly trusted sources, stating that the said user has provided incorrect information for important documents, and that they will have to resend their information to revive a suspended account, or some similar scare tactic. People will end up going to the impostor version the hacker wanted to redirect them to, and end up providing bank account and email account details willingly. In case you're looking to visit any such website, always visit the encrypted and original website by using a popular search engine to obtain the website details. Big providers like Google, Yahoo! and Bing always give correct and accurate results, and can be trusted to provide the original links for certified websites.

[Image: Beware of such pop-ups]

In other methods, flashy banner ads on websites are created as sources of malware. Clicking on them automatically gives them permission to install the said malware onto your device. In most cases, the malware simply logs keystrokes and sends them to the hacker, allowing them to monitor your data and thus making it extremely easy to get access to your private information. While your anti-virus should help prevent the download and execution of such malicious software, it's better to be safe than sorry and just not click on these banners.

make sure no one's watching when you're typing your details. These common and basic steps will go a long way in securing your cyber life.

In case your password is hacked or leaked in a data theft, one way of being notified of any incorrect access is if you've enabled multi-factor authentication, which adds extra layers of security that require not only a password and username but also an external key that only the user has on them, with the key generally being some sort of physical token. In most cases, it's a one-time password sent to your mobile phone, and in rare cases, another email ID (the latter is an unsafe choice in the eventuality that the second account has been compromised). While this method has its own drawbacks, it's a good idea to have two-factor authentication enabled across your accounts.
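The second factor described above is a one-time code that only the holder of the key can produce. As an added example that is not part of the original Fast Track, the Python below generates such codes and verifies them on the server side the way authenticator apps do (HOTP/TOTP, RFC 4226 and RFC 6238), which goes beyond the SMS case in the text; the shared secret and timestamps are constructed test values, and the replay check uses a hypothetical in-memory store.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII string used in the RFC 4226/6238 test vectors.
# A real deployment generates a random per-user secret and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, as used by common authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP keyed on the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of the second factor.

    Accepts the current time window plus `window` neighbours on each side to
    tolerate clock drift, and refuses any window at or before the last one
    consumed, so a code captured by a phishing page cannot be replayed.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_used_counter = -1   # hypothetical in-memory store; use a database in practice

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter_now = unix_time // self.step
        for counter in range(counter_now - self.window, counter_now + self.window + 1):
            if counter <= self.last_used_counter:
                continue                                          # already consumed: replay
            expected = hotp(self.secret, counter)
            # constant-time comparison so response timing does not leak partial matches
            if hmac.compare_digest(expected, submitted):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

Each code is valid for one 30-second window only, so a leaked password alone does not get an attacker in, and a code that was already used is refused even inside its window.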
We mentioned zero-day vulnerabilities earlier, and talked about how anti-virus software is a great way to patch those up, but be sure to keep your AV software up to date. Seeing as how many hackers might misuse the patch release notes to explore those vulnerabilities on unpatched machines, it's important to install such software updates as soon as possible after they're available. Browser plug-ins also form a huge part of the issue, and to be completely sure that you don't have outdated browser plug-ins, visit your browser's plug-in check website.

A lot of these methods are basic common sense and no more. If you feel like you need a little more information for platform-specific devices, do read the following chapters to get a better idea.
Chapter #03
ANDROID PHONE SECURITY
The dos and don'ts to ensure the online and offline security of your beloved Android devices.

We now live in a world where not owning a smartphone is considered rural and ancient. Smartphones have taken the world by storm. And the harbinger of this revolution is the popular and almost undisputed operating system, Android. It's open source, and that is one of its biggest strengths. But we live in the times of Mr. Robot and the NSA. To cut things short, it wouldn't be wrong to say that anything and everything is accessible if the right tools are used. So in such a world, one must know how to protect themselves from the likes of hackers and those with malicious intent. One should not underestimate the impact and magnitude of such attacks. For instance, there was this case when a group of German hackers hacked a country's voting machines to tamper with the election results. This is where the world of hacking gets ugly and must be acknowledged as a real and constant threat. But we've got you covered. We shall tell you about simple ways in which you can protect yourself from such attacks, and the measures to be taken are surprisingly simple. Let us begin.

Types of attacks
Basically, you could be subjected to intrusive danger in two ways. One is being physically hacked, in which a menacing agent snoops into your privacy by breaking into your phone, e.g. by knowing your password. The other is, for example, a webpage that opens up attached to some unknown application on your phone and downloads tonnes of malware that you never even asked for.

Your phone is like a security locker for all your information that you wouldn't want robbers getting into.

password instead too. But we recommend you to use this security provision to the fullest. There are also options like facial recognition and even fingerprint scanning on some devices. Use them; you cannot be secure enough. After all, this is your phone we are talking about. You wouldn't want your personal information accessed, right? Hackers are very creative when it comes to such thievery.

Applications
Google Play Store blew the world away. Suddenly, games like Angry Birds and apps like Facebook and Instagram were at your disposal. Google has always been a harbinger of the free-for-all open source movement. It encourages developers to experiment and test their products out at a global level with much ease. However, this coin too has a flip side. Google Play Store is the biggest online marketplace offering all kinds of services. However, it is not the only online marketplace for Android. Although the usual Android phone is factory set to NOT allow downloads from unknown sources, it is common practice to change this, as the setting can be altered easily. That being said, even Google Play Store may not be safe enough, as it might sometimes have malicious

1. Backup
Taking a secure backup is a smart practice because this way, even if your important files and folders are affected by some kind of malicious virus or worm or Trojan, you can always keep your data safe on the cloud. And there are several good services to do this. However, don't choose services that ask you to upload all your data without your explicit permission or password protection. This way, even if your phone were to get infected, you can reset it without the risk of having to lose your data. However, be careful as to what medium you use to take this backup. It should be a trusted source, because you can't trust anything and everything on the internet. Some good secure services are IDrive, SugarSync, CrashPlan, etc.

2. Security options
Use the security options if the app provides any. Even if someone broke into your phone and now has access to all the applications, you can have security passwords for your applications. Most apps come with an in-built provision for this. Even if they don't, there are certain apps like AppLock which give you the provision to secure access to your applications using a security password. It is recommended to have multiple security layers so that even if your phone gets lost or broken into, you don't have to worry about anyone accessing your private stuff, especially with apps that hold your bank account details, such as an e-commerce application.

There are a lot of people looking forward to breaking into your phone by using otherwise harmless-looking applications.

make your phone download more other apps without your consent. You don't want that.

Network
The internet is filled with opportunistic people who want to scam their way into your phone and get your personal information. It is simply not possible to not be on the internet, too. It's a coin with a flip side. However, if you take some easy, subtle safety measures, you can secure the network you are on and thus your Android device.

3. Security apps
There might be many malicious apps out there, but genuine apps that can save you from such applications exist too. The best example is probably AVG. It is a free bundle; there is a paid version too with some better features. It comes with basic security options like not letting you download stuff from unknown sources, tracking your phone in case it goes missing, etc. Also, it keeps on doing thorough checks to see if any malware exists on the phone. There are several applications like this you can use. But be sure to use a trusted application for this purpose only. You don't want to get infected by an application that was meant to protect you in the first place. So here are some trusted applications that you can use:
1. AVG
2. Avira Antivirus
3. Norton Antivirus
4. Avast Mobile Security
5. CM Security

[Image: Just be sure to download security apps from secure sources]

phone is to get stolen, the whole world comes crashing down. What's worse is the situation of your stolen device landing in unwanted hands. This is a big issue for all Android and phone users in general. However, there are certain applications now that can help you retrieve your stolen phone using GPS sat-nav, or even wipe off all your data remotely. Here are some measures you can take in case you lose your Android device.

Plus, you don't have to feel bad about having to erase all this priceless data, because you followed our advice and had taken an online backup. A little bit of planning goes a long way.

[Image: Be sure to diagnose any problem with your phone and take measures in case it is acting up]

If all the above conditions are met, then all you need is to Google "Where is my phone" and your phone's location shall be displayed on Google Maps. It works most of the time; just be sure that ADM is activated on your device.

Conclusion
Last but not least, make sure your phone is always safe with you and stay away from pickpockets. Phones are inevitable parts of our livelihood, and now you are equipped with the knowledge to fend off hackers and malicious attacks. Just remember to be cautious and follow all our steps and you shall be fine. Android does a good job of offering security options even though it is so widely used and subjected to constant attacks.
Chapter #04
iPHONE SECURITY
How to secure your beloved iCompanion.

The iPhone is the world's most selling item. Let that sink in. The presidents of many countries use iPhones. They took the world by storm. Pretty much the veni, vidi, vici story. It was Steve Jobs' brainchild not even a decade ago, and the rest is history. However, it is not impervious to attacks of all kinds. As a matter of fact, it is more of a challenge to the vicious hackers to break into this Fort Knox, and it has happened many times. Apple puts a lot of stress on security, and much of it is mainly because of Jobs' desire for exclusivity. Complete exclusivity was a necessary price to pay for a virus-free environment. However, if you own

[Image: Apple likes to believe that they have built a Fort Knox when they sell their iPhones]

monitoring policy, and not just anyone with a malware app can upload it for the whole world to download on the iStore (unlike on Google Play Store). And although this policy is debatable and is almost always argued upon, it works to some extent. However, as safe as this may sound, it is no surprise that Apple iPhones' security has been compromised from time to time, and you should take precautionary measures nonetheless.

We shall tell you about general settings that you should change to ensure that you secure your iPhone. Then we shall tell you about some applications that might come in handy to make sure your iPhone stays hack-free.

General settings
1. Keep your iPhone firmware updated
Apple comes up with frequent updates for iOS. Be sure to follow them carefully, as with every new update they tackle security issues present in the last one and deem that version almost redundant. Go to Settings>General>About. There you shall be shown the current version of the iOS firmware. Be sure that this is the latest firmware, because if it is not, your version of the firmware is vulnerable to intrusive security-breaching attacks.

2. Keyboard Cache
This one is a little tricky. Your keystrokes are stored as a database in the iPhone directories as cached memory for up to a year. This database basically includes all your typed words and the phone's automated keypad responses to them. A clever hacker can break into this database with ease and data-mine it to find out important details like your information or even your passwords. You should keep this cache cleared. This is not at all a paranoid practice; there have been reported instances of this feature being exploited. Navigate to Settings>General>Reset>Keyboard Dictionary. This should reset your keyboard cache for you.

in iPhone security. You must keep this feature disabled if you don't want people reading your private conversations.

6. JailBreak
You must be aware of the fact that you can have a hacked version of iOS on your iPhone. This process is called jailbreaking the iPhone, and it compromises your iPhone's security and warranty. Avoid jailbreaking at all costs, unless you own an old model and want to use it for experimental purposes. Jailbreaking your new iPhone is not recommended at all. The reason is quite simple: after doing this, Apple no longer guarantees the firmware of your phone, and anyone could easily bypass the broken firmware. If you bought an iPhone, you must stick to exclusivity. (Or, you know, buy an Android.)

7. Safari Browser
The iPhone has the Safari browser, and it is pretty good. You can change its settings so that it gives special attention to your privacy and security. Go to Settings>Safari options>disable cookies on untrusted sites. You can also disable password remembering, which is a recommended practice. Also, there are a bunch of other options you can toggle:
The Autofill setting should be disabled
Enable fraud warning
Block pop-ups
If you set all the above settings, you can be certain that your Safari browser is a safe workplace.

[Image: You must never be on an untrusted network, and use a VPN hider if you have no alternative]

You can also make sure that your SSL setting is enabled while using email and Gmail. Go to Settings>Mail and calendars>Advanced>Toggle the SSL option ON. SSL stands for Secure Sockets Layer, and this will make sure that your emails are transmitted securely.

9. Find My iPhone
Apple has a special service called Find My iPhone which is free of cost and helps you retrieve your stolen iPhone. You just need to add a MobileMe account and then log in to the account using your Apple ID. Once connected, the Find app will be turned on and the location of your iPhone can be remotely detected. In addition to this, you can also get it to do a bunch of stuff like display messages or make beeping sounds. The service works ONLY if the device is password protected. You can even use this service to remote-wipe all your data in case you are certain that your iPhone is beyond retrieval. And then you can retrieve all the lost data from the cloud backup.

10. Restrictions
You can set certain restrictions on all your apps by enabling certain options in Settings. They are basically parental codes and would require a security passcode to be entered every time the user tries to access the applications. This is a very important and useful feature, as by using it you can ensure that your social apps stay exclusive to your use only, even if the first security level of the home lock screen is bypassed. You must use this feature to your advantage for your social networking apps, mail apps and online wallets: basically anything that has your private and important information stored as cookies.

Applications
In addition to these general settings, which are common for all iPhones, you can download applications from the generous variety offered by the iStore. These apps can help you keep your phone safe and sound.

1. Lookout
Lookout is basically a better version of Find My iPhone. It saves the last location of the iPhone before its battery dies out and comes with some other clever features. The app also has an instant contact and data backup option and can be accessed via any web browser.
Price: Free

[Image: You can basically make your iPhone into a security surveillance device by using Foscam]

3. mSecure
If you are like me, then you have a hard time keeping track of all those passwords. Do not worry; mSecure is the perfect application to manage all your passwords. The procedures are very simplified and you can manage all your different accounts very easily. It is built while keeping the careless customer in mind, so if you have the problem of forgetting or mismanaging passwords, go for this.
Price: $9.99

5. SurfEasy VPN
In case you want to make sure that your browsing is safe even if you are uncertain about the security of the network you are on, you can use this application. This encrypts your outgoing signals and protects your phone from attacks by users of the same network. You must always use this app if your phone is mostly connected to a lot of other members on the network too. It is a safe practice.
Price: Free

[Image: You should manage your passwords using secure apps to ensure you never lose your social accounts]

The app also uses the front camera to take a picture of the intruder. And last time we checked, iPhones have a great front camera.

Conclusion
The iPhone is the world's most selling item. You must ensure your iPhone's security just for the sheer fact that so many people use it. Imagine if the security of all the iPhone community members were to be compromised at once. Sounds like something straight out of Black Mirror, doesn't it? The point of this is not to make you feel paranoid but to make you understand the ways in which your iPhone can be broken into. If you take all the information we have provided and put it to use, you can almost be certain that you will not fall prey to hackers. Also, make sure to utilize your phone's replacement policy in case your iPhone is not behaving normally. You can always contact Apple customer care in case you are wondering about certain settings or unsure of a certain security clause. They like to take their customer care seriously, I've heard.
Chapter #05
SECURE YOUR WINDOWS PC OR LAPTOP
Windows may not be the least secure OS out there, but you're not safe yet!

A recent security report published by GFI, a network and security solutions provider, stated that Apple's Mac OS X, iOS and the Linux kernel are the top three most vulnerable operating systems, beating the common misconception that Windows is the least secure OS out there. Microsoft is one of the biggest technology companies in the world. It is always on its toes and is super fast in releasing critical patches and updates to make your computer more secure. This is not to say that Microsoft Windows has always been this way; it is known to have a sad security history, but the company learned from its mistakes and has been successful in making Windows 10 one of the most secure Windows versions ever, while also being the most targeted OS out there.

If you think of it, the reason for this is simple. Imagine if you had a year to learn how to break into Vault A, used by 80% of the banks, or Vault B, used by 20% of the banks. What would you choose?

Windows dominates the PC and laptop OS market with a 52.02% share, while Apple and Linux kernel based OSes have a 26.2% and 21.7% share respectively. The chances of encountering a Windows machine on the internet are greater than for any other. And this is why hackers everywhere are religiously creating new viruses and malware, and exploiting zero-day vulnerabilities to get into your Windows machine. And it's not just the bad guys who are after you. The technology buzzword of last year was privacy, and the good guys (read: Microsoft) are after your data too.

Worry not though. We are here to teach you how to secure your Windows machine, from both the good and the bad guys.

[Image: To get away from the bad guys, first get away from the internet]

Use a limited account to browse the internet and stay away from shady websites.
Don't click on suspicious links and advertisements online.

authentication, making it more secure. But it has its own tradeoffs too. Your Microsoft account connects your computer to your account and starts storing a lot of personal data which you might not be comfortable with.

So don't create a Microsoft Account when you are prompted to do so, and select a local account instead. If you have already made and are using one, follow these steps to disconnect your machine from it:
Open the Start Menu and type "Account", then select "Manage your account"
Click on "Sign in with a local account instead"
Create a new username and a secure password
Log out and log in again using the new account
Again go to the "Manage your account" setting and remove your older account from under the "Other accounts you use" tab

You will lose out on some features, including Cortana, if you use a local account, but that is the price you pay for securing your privacy and data on a Windows machine.
Methods to secure your Linux system
Don't let the reputation of Linux being
more secure than other systems lull you
into thinking it can't be breached. These
methods will help keep the system
truly secure.
One main advantage that Linux brings to the table (or the desk,
if you prefer it that way) is the better security that it offers.
Sometimes, the case is such that an antivirus is more ornamentation
than utility. But that's not to say that Linux
is an impenetrable fortress within which you can reside safely, a digital
cocoon where you needn't fear any malicious element entering. Such
optimal scenarios are only possible in fantasies, possibly realized with CG
made using computers that run on open source.
But there's no reason to fret. You are by no means a hapless damsel in distress.
There are certain measures you can adopt to further secure your Linux system.
Let's start by looking at some basic tricks you can use:
Basic tips
Choose Full Disk Encryption
Regardless of the operating system that you use, it's always advisable to
encrypt the entire hard disk. In the event that your laptop is lost or stolen, a
login password probably won't be enough protection. For instance, one can
easily boot into Linux from a USB key and read all the data on the system
without using the password. With encryption, it won't be possible to read
anything without the FDE password.
While encrypting only your home folder and the files contained in it is
a possibility, FDE has a significant advantage: you won't have to worry
about a breach of temporary files, swap files and other directories where
significant files may lie.
And unless the computer is prehistoric, the slowdown due to encrypting
everything on it is barely perceptible. In many Linux distros, including
Ubuntu and Fedora, full disk encryption can be done during installation
itself. You just have to select the Encrypt the new Ubuntu installation for
security option.
Update, secure.
A firewall offers a pretty effective tool to manage network traffic and also to check
different types of cyberattacks. In Ubuntu you will find the application
called Uncomplicated Firewall (UFW), a frontend program that
simplifies setting up iptables.
UFW is disabled by default. To turn it on, bring up a
terminal and type the following in it:
$ sudo ufw enable
A graphical configuration tool like GUFW or UFW Frontends could
be a good way to learn more about ipfire and, more relevant, what it can
do for you.
Fedora comes with an alternative firewall management toolkit called
FirewallD. It's enabled by default, so you can chill. A graphical user interface is
also available for FirewallD. Called firewall-config, you can install it from
the terminal using:
$ sudo yum install firewall-config
Just about every need you may encounter is addressed by one piece of software
or the other that Tails comes with. A customized browser that uses the
Tor network is a case in point. Also, in Tails, Firefox includes other extensions
to make browsing extra-secure, such as HTTPS Everywhere and NoScript.
LPS
Lightweight Portable Security or LPS is another feasible option. The distribution,
in fact, is maintained by the American Air Force. LPS is also kind of
unique for the fact that it has a very minimalistic approach. The hardened
code aside, it has a lightweight desktop environment which is akin to Windows
XP. The environment includes Firefox and some additional tools. You
also get to use what's called an Encryption Wizard that will help you
gain more privacy and security, and which is easy to use.
As with Tails, LPS too runs only in a live environment. And yes, it
doesn't leave traces once you shut down or restart.
like yum to review the installed software packages on the system. That will
give you a good idea of which packages are actually utilized and which are
just taking up space. Remove the latter.
Delete X Windows
X Windows on a server is not exactly necessary. No reason exists for you to run X Windows on
your dedicated mail and Apache web server.
X Windows can be disabled and removed to improve server security and
performance. Edit /etc/inittab and set the run level to 3. To
remove the X Window System, use the following command:
# yum groupremove "X Window System"
Don't forget what's in the brick-and-mortar world!
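As an added example (not the magazine's own code), here is a small POSIX shell audit script covering the three Linux hardening points above: whether the root filesystem sits on an encrypted device, whether the host firewall is on with a default-deny inbound policy, and whether a server still has the X server installed or boots into a graphical target. Each check is a pure function over the text output of a standard tool, so the same function runs against live output or against the constructed sample outputs embedded in the script. The X server package names, the 12-line sample outputs and the `live_audit` wrapper are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the magazine's own code): audit a Linux box for the
# hardening points discussed above. Each check is a pure function over the
# text output of a standard tool, so it can be fed live output or the
# constructed samples at the bottom.

# "yes" if any ancestor of the root filesystem is a dm-crypt (LUKS) device.
# $1: output of `lsblk -sno TYPE "$(findmnt -no SOURCE /)"`, one type per line.
# The usual FDE layout is disk > part > crypt > lvm, so we look for "crypt"
# anywhere in the chain rather than only on the top device.
root_on_crypt() {
  if printf '%s\n' "$1" | grep -qx 'crypt'; then echo yes; else echo no; fi
}

# "yes" if ufw is active and its default inbound policy is deny.
# $1: output of `sudo ufw status verbose`.
ufw_default_deny() {
  if printf '%s\n' "$1" | grep -q '^Status: active' &&
     printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'; then
    echo yes
  else
    echo no
  fi
}

# "yes" if firewalld reports itself running. $1: output of `firewall-cmd --state`.
firewalld_running() {
  if [ "$1" = "running" ]; then echo yes; else echo no; fi
}

# "yes" if an X server package is installed. $1: installed package names, one
# per line (`rpm -qa --qf '%{NAME}\n'` on Fedora/RHEL, `dpkg-query -W -f
# '${Package}\n'` on Debian/Ubuntu). The package names are an assumption.
x_server_installed() {
  if printf '%s\n' "$1" | grep -qxE 'xorg-x11-server-Xorg|xserver-xorg-core'; then
    echo yes
  else
    echo no
  fi
}

# "yes" if the machine boots to a text console. On systemd systems
# `systemctl get-default` printing multi-user.target is the equivalent of
# run level 3 in /etc/inittab. $1: output of `systemctl get-default`.
boots_headless() {
  if [ "$1" = "multi-user.target" ]; then echo yes; else echo no; fi
}

# Constructed sample outputs: what a hardened, headless LUKS+LVM server prints.
SAMPLE_TYPES='lvm
crypt
part
disk'
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'
SAMPLE_PKGS='openssh-server
httpd
postfix'

# Live audit for a Fedora/RHEL host with ufw replaced by firewalld as needed;
# needs root for ufw and is not run automatically.
live_audit() {
  echo "root on encrypted device : $(root_on_crypt "$(lsblk -sno TYPE "$(findmnt -no SOURCE /)")")"
  echo "ufw default-deny inbound : $(ufw_default_deny "$(ufw status verbose)")"
  echo "firewalld running        : $(firewalld_running "$(firewall-cmd --state)")"
  echo "X server installed       : $(x_server_installed "$(rpm -qa --qf '%{NAME}\n')")"
  echo "boots without graphics   : $(boots_headless "$(systemctl get-default)")"
}

# Run the checks against the constructed samples.
echo "root on encrypted device : $(root_on_crypt "$SAMPLE_TYPES")"
echo "ufw default-deny inbound : $(ufw_default_deny "$SAMPLE_UFW")"
echo "firewalld running        : $(firewalld_running running)"
echo "X server installed       : $(x_server_installed "$SAMPLE_PKGS")"
echo "boots without graphics   : $(boots_headless multi-user.target)"
```

Running the script as-is prints five "yes"/"no" lines for the sample server; call `live_audit` (as root) to run the same checks against the machine you are on. The point of the default-deny check is that `ufw enable` alone is not the whole story: the inbound default policy is what decides whether a service you forgot about is reachable.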
Securing Mac OSX
Macs aren't hacker-proof! Here's how you
can fortify your Macintosh
introduction
The Mac operating system has long since been associated with an aura of
user-friendliness and immunity to viruses and other malware. In fact, it
is true that there are almost no viruses (in the sense of malware that can
silently infiltrate a computer without any user interaction) that affect
Mac OS (thanks to its file permission system). However, there do exist
vulnerabilities, as exemplified by the Rootpipe fiasco, which was patched
Setting up Safely
Whether you're setting up your new Mac or upgrading your OS, there are
certain steps you can take the first time you start up the operating system
install before wandering on the web. Sometimes software that you never
suspected may be connecting to the internet without your knowledge, and
without an outbound firewall, you will not know, nor be able to do anything
about it. Software like Little Snitch 3 and Intego NetBarrier overcome this
limitation, allowing you to monitor and filter outgoing connections as well
as incoming ones.
Purchasing Privately
The urge to shop is a powerful one; it can rival almost any addiction. Retail
therapy is ever more accessible thanks to the modern ability to shop online
and purchase with a few clicks. If ever this urge strikes you when you
are using a public connection, like an airport or coffee house Wi-Fi network,
your precious transaction data can be sniffed by an enterprising lurker.
After all, what can be more lucrative information than credit/debit card
numbers and passwords? Fortunately, most online transactions are secured
by additional protocols, so it is not super risky to order your groceries
online before you board your flight. Besides making sure your connection
is encrypted using HTTPS, you can use a virtual private network (VPN) to
ensure that extra level of safety. VPNs offer an added layer of encryption
and anonymity on the internet no matter where your entry node is physically
located. Carrying out transactions and other sensitive communication over
a VPN is sure to foil any attempt to misuse sniffed information.
Make yourself anonymous, use a VPN
Logging in Manually
By default, Macs are set to log in automatically on boot, which makes things
especially easy if you are the sole user of your system. While this is a great
feature for the perpetually lazy, it is a potential security hazard for people
whose system resides in a high traffic area and can easily be physically stolen.
Once someone else picks up your precious Mac, all they have to do is open
the screen and they are in. To disable this double-edged feature, open System
Preferences, and inside Users & Groups you will find Login Options. Here
Also, if you head to the Privacy tab on the same System Preferences page
and select Location Services on the left, the right hand pane will show
you all the apps that are allowed to access your inbuilt location services
and also the apps that have utilised this service in the last 24 hours. Keep
a lookout for software that should have no business knowing where you
are; it may be broadcasting your location to a malicious data merchant.
many people skip updates out of data usage concerns or sometimes even
pure laziness. While not always a must-have, software updates are almost
always a good idea. The App Store's Software Update is the place where you
can handle it all.
the peer to peer network. Unfortunately, what most people don't realize is
that the drawback of this whole free file sharing system is that it compromises
your identity online. Moreover, since it is illegal, the software will
obviously not be verified and therefore it is a prime candidate for piggybacking
malware or other malicious code. Other than the warez software
itself, malicious code is often also added to the content files themselves,
which unsuspecting users are in such a hurry to download. If you are a
hardcore (or part-time) pirate who does not believe in contributing to the
mega-corps, a safer (but still illegal) alternative is to use a BitTorrent client
over a VPN to ensure anonymity and encryption.
installing trusted and reputed antivirus software
Setting up ClamXav for Mac
Antivirus software is the single most effective solution against viruses, other
than common sense safe browsing practices. It is important to note that life
often offers u-turn plot twists for the unsuspecting wayfarer, such as the
trusted and reputed antivirus software itself being the malware or adware.
The problem is that even genuine antivirus software can only promote itself
and convey its capabilities so much via web content and marketing, and
someone who isn't in touch with the industry may not be able to discern
the difference. Genuine players carve out their reputation over time, so any
good antivirus software will most likely be from a company which has been
around for long and knows the field. Unfortunately, many unsuspecting users
have fallen prey to software like MacKeeper, MacSweeper, MACDefender, and
others. The common tactic is to scare users with annoying and unnecessarily
exaggerated popups and security warnings that are designed to make
well-meaning but non-tech-savvy people download their software.
While there are almost no strict viruses that can wreak havoc in the Mac
ecosystem (as of now), it is still a good idea to have antivirus software
like ClamXav look over your files, especially those that are frequently
conclusion
It is well and good to take precautions but at the end of the day, the
fundamental piece of the security puzzle is the user. A lot of trouble can be
avoided with common sense and safe browsing practices. Congratulations!
By choosing to use a Mac you have already dodged 99% of the malware out
there. Thanks to statistics, along with the above mentioned steps, you may
yet remain protected as you surf the wide web. A cliché worth repeating:
better safe than sorry.
Good or bad, technology aids every business
Ways to secure your social media accounts
You spend a lot of time on social media
sites. So do potential threats. Here's how
you can better secure yourself.
Social media is where it's all at right now. The most happening places
on the Internet are social media sites. So it comes as no surprise
that for most of us, social media sites are pretty much our second
homes. So naturally, when so much is happening on one platform,
it's very likely that someone or the other would take this opportunity to
snag some sensitive information out of you, and in most cases you won't
even realise you've lost that sensitive info, which could result in financial
losses for you, among other things.
In order to prevent such a thing from happening, you would do well to
adopt certain methods to secure your social media accounts. Here's what
you need to know to do that.
a move is that even if the account is compromised, you can get the social
profile to call the phone number and provide you the option to recover your
account. Almost all the major social networks have this feature. It's well
worth your time to go through the account settings and enable the function.
have posted a dog's picture on your profile. Since it's posted publicly, anyone
can see the picture. This holds true for other bits of information like
relatives' maiden names etc.
So, unless you're a celeb who wishes to flaunt each and every move
that he or she makes in the course of a day, it's probably a good idea to
reassess the privacy settings on all social profiles and alter them according
to your requirements.
Be wary of suspicious links
The social media platform you are on may be cent per cent reliable. But
that's not the case with all the people who use the platform, and one may
not be sure that the folks who appear there are in fact who they claim to be.
Benefit from the built-in options
That's why being wary of opening links shared on the platforms, particularly
if they're shortened links, is not a paranoid reaction but an intelligent
strategy to stay secure.
Another thing you need to be cautious about is any link that's
embedded in an email message which supposedly arose from a social
network provider, or some other trusted source. If at all you find yourself
on a page which doesn't feel right, close the browser tab, making
sure that you don't click on any buttons on the page itself
so that you don't end up the victim of clickjacking attacks etc.
You can instead try connecting directly to the site by typing the URL
on the address bar.
If it doesn't look right, it probably won't click right!
information for anyone to see. But the thing is, we all get carried away at
times and end up putting up info about others or ourselves which would
be better off remaining private.
And sometimes the info you share without realising might have been
private for someone else. For instance, if you're mentioning the names of
your friends' kids online, you should be sure that they are okay with that;
younger people are always the most vulnerable on an online platform.
As for your own privacy settings, you should do a double-check, since
your page may be visible to all viewers, regardless of whether they are a
friend or not. Such public info, if it falls into the wrong hands, may be
used for nefarious activities like identity fraud.
Draw the line on what you put on the page
avoid unnecessary add-ons and apps
Quite frequently, you see games and apps that are promoted through social
media. Well, it does make sense, since almost everyone spends more time on
here than in the real world these days. But the problem is not just that
there might be an overwhelming number of such utilities that are promoted;
there may also be those that are promoted with malicious intent by crooks.
These apps may be promoted as things that enhance the functionality of
your social network or something similar, but which in reality will be
intended only for getting your sensitive information.
Bring in an ally, in this case a good security control
Secure your communication
Be it email, voice, or instant messaging,
we'll show you how to keep all your
communications away from prying eyes.
Till about a couple of years ago, security, especially for normal
folks, was not a big concern. But the Edward Snowden exposé
revealed to the public for the first time the extent to which our
own governments are snooping on us and collecting our data.
As if this wasn't enough, there are also bad guys out there trying to break
into our private channels of communication. So what do we do?
There are many points of vulnerability when you are communicating
with someone, be it email, phone calls, or WhatsApp. This guide will teach
you how to plug all these holes and secure all your means of communication.
internet
Wi-Fi router settings
Your Wi-Fi is your gateway to the vast internet. It is also what makes you the
most vulnerable. No matter what you do, a badly set-up router will remain
a big potential source of leaks. Follow these steps to secure your router:
1. Change the default admin password and the SSID of the router. Go to
192.168.1.1 and log in using the default username and password you'll
find in the manual (or try combinations of admin and administrator).
If you want to go a step ahead, turn off Wireless Web Access too. This
will make sure that only people inside your house with physical access
via a LAN cable can change these settings.
2. Change the Security mode under Wireless Security to WPA2 Personal
and use a strong password that doesn't have any dictionary words, and
has a good combination of letters, numbers and special characters.
WEP is old and relatively easy to crack.
3. Update your firmware regularly. New vulnerabilities keep popping
up and new patches and updates are regularly released. You can
do this either by going to your manufacturer's site and looking for
updates for your specific model or, alternatively, checking for updates
under the advanced or administration settings tab in your router's
control panel.
4. Go a step further and install custom open source firmware like DD-WRT
or Tomato. Most of the stock firmware on routers is clunky and includes
many undocumented features and settings that can be exploited. There
are many guides available online that teach you how to install custom
firmware on your router. Link: http://dgit.in/DIYHckRtr
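To check step 2 from the client side, here is an added POSIX shell example (not the magazine's own code) that reads the security mode of every Wi-Fi network a Linux laptop can see, flags open, WEP and WPA1-only networks, and sanity-checks a candidate WPA2 passphrase against the rule above (no dictionary words, a mix of letters, digits and special characters). The scan parser works on the terse output of `nmcli -t -f SSID,SECURITY dev wifi`; the sample scan, the five-word mini wordlist and the 12-character minimum length are this example's assumptions, not figures from the magazine.

```shell
#!/bin/sh
# Added example (not the magazine's own code): check the security mode of
# visible Wi-Fi networks and sanity-check a WPA2 passphrase. Pure functions
# over text, run against constructed samples; `live_scan` shows the real call.

# Print one line per network whose security mode is weak.
# $1: output of `nmcli -t -f SSID,SECURITY dev wifi`, i.e. SSID:SECURITY per
# line, SECURITY empty for open networks (nmcli escapes ':' inside SSIDs).
weak_wifi_networks() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    ssid=${line%:*}   # everything before the last ':'
    sec=${line##*:}   # the SECURITY field
    case "$sec" in
      "")            echo "$ssid: open (no encryption)" ;;
      *WEP*)         echo "$ssid: WEP (easily cracked)" ;;
      *WPA2*|*WPA3*) ;;   # acceptable
      *WPA*)         echo "$ssid: WPA1 only (move to WPA2)" ;;
    esac
  done
}

# Constructed mini wordlist; a real check would use a full dictionary file.
WORDLIST='password
welcome
letmein
qwerty
admin'

# Print "ok" or the first reason the passphrase fails. The 12-character
# minimum is this example's choice, not a figure from the magazine.
passphrase_check() {
  p=$1
  [ ${#p} -ge 12 ] || { echo "too short (${#p} < 12)"; return 0; }
  printf '%s' "$p" | grep -q '[A-Za-z]'     || { echo "no letters"; return 0; }
  printf '%s' "$p" | grep -q '[0-9]'        || { echo "no digits"; return 0; }
  printf '%s' "$p" | grep -q '[^A-Za-z0-9]' || { echo "no special characters"; return 0; }
  lower=$(printf '%s' "$p" | tr 'A-Z' 'a-z')
  for w in $WORDLIST; do
    case "$lower" in
      *"$w"*) echo "contains dictionary word '$w'"; return 0 ;;
    esac
  done
  echo ok
}

# Constructed scan result: what nmcli might print near a home and a cafe.
SAMPLE_SCAN='HomeNet:WPA2
OldRouter:WEP
CafeFree:
LegacyAP:WPA1
Office:WPA1 WPA2'

# Real scan, for a machine running NetworkManager (not run automatically).
live_scan() {
  weak_wifi_networks "$(nmcli -t -f SSID,SECURITY dev wifi)"
}

echo "Weak networks in sample scan:"
weak_wifi_networks "$SAMPLE_SCAN"
echo "Passphrase 'Password2016!': $(passphrase_check 'Password2016!')"
echo "Passphrase 'Tr0ub4dor&3xyz-Hill': $(passphrase_check 'Tr0ub4dor&3xyz-Hill')"
```

Against the sample scan the script lists OldRouter, CafeFree and LegacyAP and stays quiet about the WPA2-capable networks; a mixed "WPA1 WPA2" mode is accepted because a WPA2 client will negotiate the stronger option. The passphrase check deliberately reports the first failing rule rather than a score, which is what you want when walking someone through fixing a router password.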
TOR
It's ironic that a project that was started by the US Navy has grown into
something that is used by everyone from whistleblowers to activists and
privacy enthusiasts, to protect themselves and their identities from both the
bad guys and the snooping government. TOR, short for The Onion Router,
VPN
A VPN (or Virtual Private Network) tunnels your entire internet connection
through a virtual local network. What this means is that all the data leaving
your computer is encrypted and goes through a network of computers,
protecting your privacy from people trying to snoop on you. VPNs are a
good choice if you are connected to the internet over some public Wi-Fi.
There are a number of free and paid VPN services out there which are easy
to download, install and use. Some of the good ones are:
1. OpenVPN server (free)
2. CyberGhost 5 (free)
3. Hotspot Shield (paid)
4. NordVPN (paid)
5. PureVPN (paid)
you are going to use. If the proxy requires a SOCKS connection, go to the
advanced option and enter the settings.
cloud storage
Looking for the most secure way to share your files over the internet?
There are a number of cloud services available in the market. Almost all
of them provide their users with some free storage. But which one do you
choose when you want to be sure that not only hackers but also the company
that is offering you the service can't rat you out? SpiderOak and Wuala
are your top two choices.
SpiderOak offers you 2GB free, after which you can buy each additional
100GB for $10 a month, while Wuala gives you 5GB for free, after which
you can get 100GB for $12 per month. What these services offer and their
more popular counterparts Google Drive and Dropbox don't is that
they locally encrypt your files and then upload them. This makes sure that
even the companies and their employees themselves cannot access the files
they have stored on their servers.
You can also add an extra layer of security by encrypting the files before
uploading and sharing them. There are a number of programs out there which
can do this, like 7-Zip. Follow these steps to encrypt your files using 7-Zip:
1. Download and install the software from its official site (www.7-zip.org).
2. Select the file(s) you want to encrypt and right click
email
Email is one of the most used means of communication over the internet,
especially for important and sensitive information. Unfortunately, it is also
one of the most vulnerable ones. Email accounts are regularly hacked and
emails are routinely intercepted. Your email provider keeps a record of all
SecureMail for Gmail is an extension that lets you encrypt and decrypt emails right
from your browser window
If you want to go a step further, use an email provider like RiseUp.
https://mail.riseup.net provides free email and is aimed at activists who
need a secure and anonymous means of communication. The company uses a
secure connection for both logging in and sending emails, just like Gmail,
and also has very strict policies in place to protect its customers' privacy.
But the thing with Riseup is that you need two invite codes from existing
users to sign up. There are a number of other secure web services like
Rmail, Sendinc and Hushmail which provide a free limited account and a
fully featured paid account.
Infoencrypt is a website that lets you encrypt the text of your email.
All you have to do is enter the text and a strong encryption password and
it will encrypt the text using a strong encryption algorithm. Copy-paste
the encrypted text into your email, and share the key separately with your recipient.
instant messenger
Instant messengers are the quickest form of communication used in
today's world. There are a number of secure instant messaging applications
and services out there. The best options if you want to secure your
IM conversations are:
WhatsApp, the world's most popular instant messaging service, currently
owned by Facebook, added end to end encryption to its application
a few months ago. What this means is that the messages sent by you
are automatically encrypted and decrypted only by the receiver. This
makes it almost impossible for anyone snooping on your conversation
to intercept and understand the messages. Even the company itself can't
decrypt your messages. WhatsApp offers more than enough basic security
for the privacy conscious out there but it still lacks in places. The
company still keeps a backup of your messages on its servers and maybe
even logs your whole activity, which means it is stored somewhere on a
computer. And if the data is stored somewhere, it can be hacked. Switch
over to some other application if you want more security and privacy;
otherwise WhatsApp does just fine.
Download and use Pidgin: the application supports a number of existing
messaging protocols, letting you use your existing accounts with it easily.
Though the main feature is the end to end encryption, which is activated
only after the Off-the-Record plugin is added.
ChatSecure is another free application for both iOS and Android that
helps you keep your messages private. It does this by using various open
source cryptographic libraries along with OTR and Tor.
Silent Text is one half of the Silent Circle software package that lets
you send secure, encrypted voice, video and text communication. The
software comes at a price of $12 per month and is one of the best in
the market.
TextSecure for Android and Signal for iOS are a pair of secure SMS / IM
applications by the company WhisperSystems. TextSecure integrates
with your default Android messaging application and automatically
encrypts the messages you send to another TextSecure user. Signal,
the iOS application, does not integrate with the system like its Android
counterpart does, but works the exact same way. Also, the two apps can
be used to securely communicate with each other. Both the applications
are freely available on the Google Play Store and the iOS App Store.
Telegram is another good option for people looking to securely communicate
with their friends and families. The creator of the application
describes it as WhatsApp but encrypted, cloud based and faster. The
application also has the features that a good IM app has, like sharing
media and messaging up to 200 people at once, but it is its security
features that set it apart. The application not only uses end to end
encryption, making your communication safe and secure, but also has
a secret chats feature that leaves no trace of your communication on
the Telegram servers. You can also set a time for automatic deletion
of your messages.
call
The Edward Snowden leak brought the NSA's infamous PRISM program
to the limelight, making the world realise the extent of invasion of privacy
that governments have been involved in. So how does one make a
phone call without being afraid that each and every word you are
saying is being recorded somewhere? Simple. Use one of the following
applications:
Redphone (Android only) - An application by the same WhisperSystems
who developed TextSecure and Signal, Redphone lets you make
free encrypted calls through your Android phone over the internet.
The application encrypts everything from your data to the metadata
attached to your call, shutting out everyone trying to eavesdrop on the
conversation, be it the government or a hacker.
Silent Phone (iOS and Android) - The paid application lets you make
secure and encrypted phone calls between Android and iOS too. Also,
the Silent Phone user can call non-users with it, where only one side
of the conversation will be encrypted.
Ostel (iOS and Android) - Another paid application, Ostel uses the Open
Secure Telephony Network to make encrypted calls across platforms.
All you have to do is create an account on Ostel.co and download the
application for your device (CSipSimple for Android, Groundwire for
iOS and PrivateGSM for Blackberry and Nokia for those who still use
them). Once downloaded you are all set to make secure encrypted calls
to other Ostel users.
Ostel lets you make secure and encrypted phone calls between Android and iOS
Video conferencing
Microsoft's Skype and Google Hangouts, two of the most used video
conferencing tools, both encrypt your communication, making it safe from
prying hackers. But your whole communication goes through the servers of
the companies, where it is also logged and stored. This information in some
cases could be revealed to government agencies.
The best and most secure video conferencing tool out there right now is
Bitmessage, a complete email suite. Based in part on the bitcoin principle,
the service encrypts all its communication data and metadata, and can also
be used with TOR. You can download its official client called PyBitmessage
with a built in video conferencing tool.
Even though Skype encrypts your communication, it still stores the data and logs on its
servers, making you and your data vulnerable
Facetime, the competitor by Apple, provides end to end encryption, but
the company is known to regularly comply with court orders and government
agencies.
Also, there are a number of paid programs out there like OmniJoin and
BlueJeans that provide safe and secure cloud based video service.
Secure your cloud data
Though every service promises security
of your data, this security has far more
facets than those which meet the eye
Remember one of your friends' birthdays when you planted face-first
on the giant pizza and your best friend took a snap of that
moment? Well, you did ask your friend to put it safe on the cloud,
so it should be fine, right? Or not?
Cloud storage and online backup have now become household terms.
We use it to save our important documents which we want to make avail-
away. But the service lacks a View only feature and the ability to allow
multiple users to edit the files simultaneously. Also, instead of creating shared
folders similar to what other services do, pCloud sends upload links to all
users. There is also a nifty Facebook and Instagram data backup feature if
you're into it. The business plan offers storage space to every member of the
team along with a coming soon feature which'll enable custom branding.
Pricing:
Free - 20 GB
Premium - US $3.99/Month - 500GB
Premium Plus - US $7.99/Month - 2TB
Business - From US $50/Month - From 5TB (multiple users)
remotely, save audit logs, have access to unlimited versions and HIPAA
compliance make it a wonderful choice for businesses as well, although
only the latter two are available in the free account. Downsides? The desktop
client poses limitations in sharing options and often requests opening of the
web version. The single sign-on helps considerably in this matter though.
Also, the mobile app and web version lack the ability to upload folders.
Pricing:
Starter - Free - 5GB
Business Pro - US $49.00/Year - 500GB
Business Pro - US $89.00/Year - 2TB
E-box is a service which is best kept for businesses. Everything from the
complexity of the features to the pricing modules says it all. E-box boasts of a web
interface which is simple and able to run on all platforms, plus there are no
software installations required. The experience here is actually a mix. There
is also a robust grouping system. This allows some really great permissions
and file sharing customization. There is also an extremely detailed auditing
system, which records every single action performed by every single user
with timestamps. The security is almost impossible to crack, but giving
the ability to manage keys personally would have been a more powerful
option. Sharing files or folders requires the other user to have an E-box
account; there is no way to share public links. The interface doesn't provide
any preview or a quick access menu. This, coupled with a complicated UI,
especially during initial setup, can be a major setback, although there is
an interactive wizard to help you around a bit. E-box might lack a huge
deal in terms of user interface, but it fills that void with its richly detailed
features which allow an exponential amount of customization.
Pricing:
Business - 5/Month/User - 1TB/User (multiple users)
Private Cloud - From 1,000/month - Customized
SpiderOak One sacrifices usability for extreme security. This one's for
people who don't care much about anything other than security and privacy.
SpiderOak calls this the Zero-Knowledge Guarantee, where the user owns the
encryption keys. Every file is locally encrypted on the user's computer
before being sent to the server, making it nearly impossible for anyone to
peek in. Along with a highly secure storage service, One also provides a
backup service, which while being highly secure is a bit complicated. There
is no actual Restore button; instead you're forced to download the files and
folders to a location of your choice. An ability to automatically download to
the original location is missing. Also, there are no step-by-step wizards to
guide you along the way. From the perspective of user interface the service
leaves a lot to be desired. But as mentioned before, this one's a mighty contender
for security. Unlike most sync services, One doesn't require you to create
a separate folder; instead you can choose any of your existing folders to be
enabled for syncing.
Pricing:
2GB - Free - 60-Day trial
30GB - $7/Month or $79/Year
1TB - $12/Month or $129/Year
5TB - $25/Month or $279/Year
Now sometimes, for some reason, you cannot leave your existing service.
Maybe you have your work ecosystem set up or you're not ready to leave
the interface of your comfort. For such scenarios we have the following
services, which add local encryption to your files while you upload.
Boxcryptor encrypts files or folders and turns them into the .bc format, which
can then be easily uploaded or synced using any cloud storage service.
Boxcryptor works wonderfully with any service that uses WebDAV. While
you set up the client, Boxcryptor needs to be given a safe folder, which is
basically your existing cloud syncing folder. To view an encrypted .bc file,
Boxcryptor needs to be mounted as a drive. Paid versions allow filename
encryption as well. The company package provides the master key and
allows enforcement of policies.
Pricing:
Basic Features - Free
Unlimited Personal - US $48/Year
Unlimited Business - US
$96/Year (multiple users)
Pricing:
Personal - Free
Business - US $4.99/Month (multiple users)
Finally, cloud backup services. Cloud backup is a little different from cloud
storage. With storage you pick out the files and folders to put on the cloud
and access later; with backup, essentially a copy of your whole computer
(excluding the OS) gets backed up to the cloud. Yep, these are the big boys
of the town.
Although IDrive doesn't provide unlimited backup, it does come with an
extensive set of features and customization options, though they might
become confusing at times. It also allows the creation of backup sets to ease
management of your backups. IDrive allows automatic sync and even file sharing.
Pricing:
Free - $0.00/Year - 5GB
Personal - US $69.50/Year - 1TB
Personal - US $139.00/2 Years - 1TB
Personal - US $499.50/Year - 10TB
Personal - US $749.25/2 Years - 10TB
Pricing:
Free - US $0.00/Month
Individual - US $5.00/Month
Family - US $12.50/Month (multiple users)
Work - Customizable (multiple users)
Storage has been an integral part of our society since we learned to procure
things, and now we can make digital copies of almost everything. The
advancement of the internet has truly boosted the ways we store information.
Although this advancement brought with it the risk of cyber theft, thankfully
we're not hopelessly vulnerable. Prevention, another integral part of us,
gave rise to encryption and other forms of digital security. It's time we
embraced them.
Chapter #11 Secure your website 91
Secure your website
Be it a blog started on a whim, or your business e-commerce website, if you
haven't secured your website, you're taking a huge risk.
Businesses are increasingly moving online, and we are already at a point in
time where established physical stores and offices are shutting down to give
way to online businesses. On the other hand, thanks to the ease of setting up
a website with one-click solutions, small businesses and individuals are
using the power of the internet to maximise their reach. But this ease comes
at the cost of website security, which is often overlooked or left to the
vendor. We are not saying that vendors cannot provide security, but there is
a catch. Take the popular CMS platform WordPress. Every hacker worth his
money knows the default settings, usernames, login URLs, directory structures
and more about WordPress. So leaving security entirely to the CMS or website
vendor is not exactly brilliant. There are quite a few things you need to
take care of to ensure that the months of hard work you put into setting up
the website do not go in vain.
can check the URLs of a few consecutive image uploads to figure out the
directory address and naming pattern that the upload follows.
Then, instead of uploading an image, the same user can upload a shell
file (think of it as backdoor access to the server; somewhat like a cPanel
within a PHP file). Now, when the user hits that URL, instead of getting
the image he would get a control panel that would let him take multiple
actions that could create a lot of chaos, at the very least.
A simple way to make sure this does not happen is to enforce a check on
the file types being uploaded. To reduce the overhead, the check should
ALLOW only certain file types and block everything else. Also, this check
must not happen only on the user's end, because there it can easily be
detected and worked around by looking at the source of any page. On the
other hand, in no situation should a file that has not passed the check be
brought into the back end.
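The server-side allowlist check described above, as an added example that is not code from the original book: it accepts only a fixed set of image extensions, confirms the file's leading bytes match the type the extension claims, rejects names with more than one extension, and never reuses the client's filename on disk. The `ALLOWED_TYPES` table and `SAMPLE_PNG` bytes are constructed for this example.

```python
import os
import secrets

# Constructed allowlist for this example: extension -> magic-byte prefixes that
# a genuine file of that type starts with. Anything not listed is rejected.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample upload: a minimal PNG signature followed by padding.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(filename, data):
    """Server-side allowlist check for one uploaded file.

    Returns (True, storage_name) when the upload is acceptable and
    (False, reason) otherwise. The storage name is random and carries only
    the validated extension, so the user-supplied name never reaches disk.
    """
    # Drop any directory part the client sent ("../../x.png" -> "x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Require exactly one extension: "shell.php.png" style names are rejected
    # because some server configurations pick the handler from an inner extension.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension .%s is not in the allowlist" % ext
    # The extension is only what the client claims; the bytes say what it is.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not look like a .%s file" % ext
    # Cheap extra guard: image data has no business containing a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        return False, "script tag found inside image data"
    return True, "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    for name, body in [("holiday.png", SAMPLE_PNG),
                       ("shell.php", b"<?php echo 1; ?>"),
                       ("fake.png", b"<?php echo 1; ?>")]:
        print(name, "->", validate_upload(name, body))
```

Run this check in the upload handler before the file is written anywhere; the client-side `accept` attribute on the form is a convenience for users, not a control.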
Request validation
Some of the simplest website (and account) hacks have been carried out through
request alterations, even directly in the URL. Quite recently, someone
exploited a YouTube vulnerability that involved request alteration. Before
we go further, let us make it clear that a request here is the method HTTP
uses to communicate with the server/back end (the intricate details of how
HTTP works are best left for another Fast Track).
What the person did was quite simple. When he tried to delete his
own video, he simply altered the POST request generated at that point by
replacing his video's ID with a target video ID. This caused the target video
to be deleted and understandably created a lot of panic among YouTubers.
Something very similar could easily be executed on your website.
There are extensions and browser plugins that let you tamper with
POST (and other) requests, like Tamper Data for Firefox and Postman for
Chrome. Hence it is quite easy to exploit most websites using this method.
To avoid this, simply associate a random value with the user's session when
they log in (brownie points for you if you make this value hard to guess).
Store a copy of this value on the server side too. With every POST request,
include this value for validation, and reject any request where the two don't
match. With that, you've just made your website a lot safer.
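The per-session random value described above, as an added example that is not code from the original book: a token is generated at login, stored with the session, embedded in every form, and compared in constant time on each POST. The example goes one step beyond the text: the handler also checks that the caller owns the video named in the request, because a valid token only proves the form came from your own page, not that the ID in it belongs to that user. `SESSIONS`, `VIDEOS` and `handle_delete_video` are constructed stand-ins for a real session store, database and route.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the server's session store
# and the site's table of videos and their owners.
SESSIONS = {}                              # session_id -> {"user": ..., "csrf_token": ...}
VIDEOS = {"v100": "alice", "v200": "bob"}  # video_id -> owner


def start_session(user):
    """Log a user in: create a session and attach a fresh, unguessable token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id):
    """The value the server embeds as a hidden field in every form it renders."""
    return SESSIONS[session_id]["csrf_token"]


def csrf_token_matches(session_id, submitted):
    """Compare the submitted token with the server's copy in constant time."""
    session = SESSIONS.get(session_id)
    if session is None or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def handle_delete_video(session_id, form):
    """POST handler for 'delete my video'. `form` is the parsed POST body.

    Returns a short status string in place of an HTTP response.
    """
    if not csrf_token_matches(session_id, form.get("csrf_token")):
        return "403 bad or missing CSRF token"
    user = SESSIONS[session_id]["user"]
    video_id = form.get("video_id")
    # Added ownership check: the token says the form is ours, not that the
    # caller may act on whatever ID was typed into the request.
    if VIDEOS.get(video_id) != user:
        return "403 not the owner of this video"
    del VIDEOS[video_id]
    return "200 deleted"


if __name__ == "__main__":
    sid = start_session("alice")
    token = csrf_token_for(sid)
    print(handle_delete_video(sid, {"video_id": "v100"}))                        # no token
    print(handle_delete_video(sid, {"video_id": "v200", "csrf_token": token}))   # someone else's video
    print(handle_delete_video(sid, {"video_id": "v100", "csrf_token": token}))   # allowed
```

Reject first on the token and only then look at the rest of the form, and keep the comparison constant-time so a tampered token cannot be guessed byte by byte from timing.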
SQL injection
For any poorly coded website, SQL injection is the easiest way to play havoc
with its work. On most such websites, login information is handled in an
SQL query. A normal user would enter their credentials, which would then be
authenticated. But a hacker could enter a very specific string that changes
the logic of your authentication code to grant him access to the first
account in the database, which is usually the administrator.
Take the following code for example.
SELECT id FROM users WHERE username = '$username' AND
password = '$pwd';
If the hacker enters the username as 1' OR 1=1; -- and any password, the
statement is executed as
SELECT id FROM users WHERE username = '1' OR 1=1;-- AND
password = 'any password';
The double dashes mark the beginning of a comment, hence the password
clause is ignored and the user gets logged into someone else's account.
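The login query above, first in the vulnerable string-building form and then with bound parameters, as an added example that is not code from the original book. It uses Python's built-in sqlite3 module and a constructed two-row `users` table whose first row is the administrator; passwords are stored as plain text only to mirror the book's query.

```python
import sqlite3


def make_db():
    """Constructed sample database: the first row is the administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "correct horse"), ("alice", "alice-pass")])
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the text: user input pasted straight into the SQL string.

    Returns the matched user id, or None. With the username 1' OR 1=1; --
    the WHERE clause becomes  username = '1' OR 1=1  and the password
    comparison is commented out, so the first row (the admin) is returned.
    """
    query = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "1' OR 1=1; --"
    print("vulnerable, real user :", login_vulnerable(make_db(), "alice", "alice-pass"))
    print("vulnerable, injected  :", login_vulnerable(make_db(), payload, "any password"))
    print("parameterised, injected:", login_safe(make_db(), payload, "any password"))
```

The fix is not escaping by hand but keeping the query text fixed and passing values through the driver's placeholders; every mainstream database library (PDO and mysqli in PHP included) offers the same facility.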
[Figure: The example on a login screen]
Backup - always!
Not all security involves building the strongest walls and the biggest
turrets. A strategy for when the enemy does get through the gates is equally
important. And when it comes to your website, backups are your best friends.
On the rare chance that you actually lose your website, rebuilding it from
day zero might be daunting enough to make you give up. To avoid that, go
for regular backups. Use a reliable FTP tool like FileZilla to back up your
entire website directory (folders, subfolders, files and everything in there)
and put this backup somewhere safe online like Google Drive or Dropbox.
And if you have a database associated with your website, back that up as
well. All of this is on top of the regular server-side backups that your
CMS provider takes. When in doubt, back up again.
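A backup is only worth having if it restores, so here is an added example, not code from the original book, that archives a downloaded site directory into a timestamped tar.gz, records a SHA-256 manifest of every file, and proves the archive by restoring it into a scratch directory and comparing it against that manifest. The sample site tree built by `build_sample_site` is constructed for the example, and the `demo` function assumes the site files have already been fetched to a local directory (for instance with the FTP client mentioned above).

```python
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(site_dir):
    """Map every file under site_dir (as a relative path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(site_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, site_dir)] = sha256_of(full)
    return manifest


def backup_site(site_dir, dest_dir):
    """Archive the whole site tree into dest_dir; return (archive_path, manifest)."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(dest_dir, "site-%s.tar.gz" % stamp)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    return archive, make_manifest(site_dir)


def verify_backup(archive, manifest):
    """Restore into a scratch directory and compare every file with the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses members that would escape the target
                # directory; it exists on Python 3.12+ and recent 3.8-3.11 releases.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = make_manifest(os.path.join(scratch, "site"))
    return restored == manifest


def build_sample_site(site_dir):
    """Constructed stand-in for a downloaded website directory tree."""
    os.makedirs(os.path.join(site_dir, "wp-content", "uploads"))
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "wp-config.php": "<?php define('DB_NAME', 'example'); ?>\n",
        "wp-content/uploads/logo.png": "PNG placeholder\n",
    }
    for rel, body in files.items():
        with open(os.path.join(site_dir, rel), "w", encoding="utf-8") as handle:
            handle.write(body)


def demo():
    """Return (archive verifies right after creation, archive still matches after a live edit)."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "site")
        build_sample_site(site)
        archive, manifest = backup_site(site, work)
        fresh_ok = verify_backup(archive, manifest)
        # A later edit on the live site: the old archive no longer matches the
        # current tree, which is the signal that it is time to back up again.
        with open(os.path.join(site, "index.php"), "a", encoding="utf-8") as handle:
            handle.write("// edited after backup\n")
        stale_ok = verify_backup(archive, make_manifest(site))
    return fresh_ok, stale_ok


if __name__ == "__main__":
    print(demo())
```

Keep the manifest next to the archive in the off-site copy; it lets you confirm months later that the backup you are about to restore is the one you made, and the stale-check pattern in `demo` tells you when the live site has drifted from the last archive.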