When it comes to computer security on the Internet, you have already heard and read thousands of tips: use strong, well-kept passwords, keep the system up to date, and a thousand and one more.
You know that hackers try to get your password with brute-force attacks, or take advantage of vulnerabilities in your web software to run an exploit and gain access. They are looking for a back door, an oversight.
But in the years I have spent fighting to improve computer security on the Internet, I have been discovering mistakes that stem from little-known risks, risks that are not taken into account when we talk about protecting a website. And that is what I want to talk to you about today.
Where does computer security on the Internet begin?
Imagine that your website is your home. Actually, in a way it is.
What measures would you apply to protect your home?
Well, logically, you would start with internal measures, but you would also implement some external ones, wouldn't you? I mean, on the one hand, locking the door every time you leave the house and, on the other, installing an alarm or a security camera.
But on what computer security risks on the Internet should we focus our attention?
Not protecting your computer properly
And what does your computer have to do with your website?
Well, it’s easy. Where do you connect from?
It is no use having the strongest password, 12 characters with symbols and rare characters, something like %$&hJY78@; that looks like a cartoon swear word, if, because you did not keep your antivirus updated, a keylogger has just captured the whole thing.
Bam! Your computer security on the Internet has been compromised.
And don't think that by using Mac OS or Linux you are safe. There are keyloggers for these systems as well. They see fewer threats, partly because infecting them tends to take more effort and partly because they are less widespread, but fewer threats is not zero threats.
Protect your computer as you should, and don’t use your workstation for leisure.
Using other Wifi networks is not a good practice for computer security on the Internet.
How free it feels to be a blogger! Or to have a business in the cloud!
Why not take advantage of lunch time to connect to the restaurant's Wi-Fi network and see if you have any requests or comments?
What about checking your email on your smartphone? All while you shop at the mall and use its network, so you don't use up your data plan.
Oh, and if you are a bit of a rascal, you might even piggyback on the Wi-Fi of the neighbor you don't like, the one who buys those expensive cars. Let him pay for the ADSL!
These situations are not so far from reality; they happen every day. But this is what can happen:
- The restaurant Casa Pepe does not have a Wi-Fi network. The open network named CASA_PEPE_WIFI was set up by an attacker so that all your traffic passes through his tablet, where he captures your data.
- While you were at the mall, another attacker sat drinking coffee and "sniffed" the network (monitoring the traffic and extracting data from it), capturing your traffic and reading any passwords sent without encryption.
- And the neighbor found out you were sneaking onto his Wi-Fi, looked up on "Saint Google" how to capture your passwords, and now you can't access your accounts.
Once again we have messed up, because you cannot control the security of other people's networks.
Use your own connections. Nowadays it is cheap to have a data plan on your mobile, and if you need to use your laptop you can share the mobile connection with it (tethering).
Protect your own connection with at least WPA2 encryption.
And finally, always use HTTPS (SSL/TLS) connections. That way the data is encrypted in transit, and even if someone captures it, it is of no use to them. One caveat: whoever controls the network can also try to present a fake certificate, so never click through a certificate warning on a network you do not trust.
Not changing the passwords the website was created with
I know a case that is 100% true. Shall I tell you?
Here's the story.
This is a company that sells second-hand cars, and to save a few bucks they did not hire a professional designer. They wanted a website that would attract more clients, logically.
They made a deal with a kid who was buying a car and told them he was a developer. He built them a website in PHP in exchange for the cost of the paperwork, about 150€. Beyond that, they relied on him for some improvements.
Then one day they did not go to him for some changes. And all of a sudden they found that their website was gone.
They hired me to recover their website, and find out what computer security flaws had occurred on the internet.
The issue was clear. It was enough to look at the server logs to see that someone had accessed the server by FTP, with the administrator account, from a certain IP, and deleted all the files and the database.
That IP was from the city of the guy who designed the website. And just before that there had been attempts to recover a password, for an email account, from an IP. The same IP as the attacker, and it was his email!
So it was as plain as day…
They trusted the person who designed the website for them, and put no preventive measures in place for the case that this person threw a tantrum.
I was able to recover the website from some backups, and in the end the "designer" was not reported, because what mattered was recovering what had been lost, and that could be achieved.
Curiously, the owner is still going round in circles about building a better website, with automatic backups and an effective defense. Let's see if the manager and I can convince him soon!
Don't trust anyone.
Keep the administrator access for yourself alone. For whoever needs to get in, create a separate user with only the permissions the job requires, and delete it when the work is done. Keep backups somewhere that user cannot reach. And above all, hire professionals, because people are the main source of computer security errors on the Internet.
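The case above was diagnosed from the server logs: a destructive FTP session on the administrator account from one IP, shortly after password-reset requests from the same IP. The following script is an added example, not code from the original post, that shows that correlation on constructed sample data. The FTP and reset log formats, the IP addresses, the email address and the one-hour window are all invented for the example; a real server (vsftpd, proftpd, a hosting control panel) uses its own format, so the regular expressions would need adapting.

```python
"""Added example: correlate destructive FTP commands with earlier password-reset
requests from the same IP, on constructed log lines (formats are invented here)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP log: "<timestamp> [<user>] <COMMAND> <args> from <ip>"
FTP_LOG = """\
2016-03-02 09:14:05 [webmaster] LOGIN OK from 85.120.4.17
2016-03-02 09:14:09 [webmaster] RETR /public_html/index.php from 85.120.4.17
2016-03-02 21:40:31 [admin] LOGIN OK from 203.0.113.45
2016-03-02 21:40:40 [admin] DELE /public_html/index.php from 203.0.113.45
2016-03-02 21:40:41 [admin] DELE /public_html/config.php from 203.0.113.45
2016-03-02 21:40:55 [admin] RMD /public_html/images from 203.0.113.45
"""

# Constructed password-reset log from the site: "<timestamp> RESET_REQUEST <email> from <ip>"
RESET_LOG = """\
2016-03-02 21:31:02 RESET_REQUEST designer@example.net from 203.0.113.45
2016-03-02 21:33:47 RESET_REQUEST designer@example.net from 203.0.113.45
"""

FTP_RE = re.compile(r"^(\S+ \S+) \[(\S+)\] (\S+) ?(.*?) from (\S+)$")
RESET_RE = re.compile(r"^(\S+ \S+) RESET_REQUEST (\S+) from (\S+)$")
DESTRUCTIVE = {"DELE", "RMD"}  # FTP delete-file and remove-directory commands


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def destructive_sessions(ftp_log):
    """Return {(user, ip): [(timestamp, command, path), ...]} for destructive commands only."""
    found = defaultdict(list)
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        ts, user, cmd, arg, ip = m.groups()
        if cmd in DESTRUCTIVE:
            found[(user, ip)].append((parse_ts(ts), cmd, arg))
    return dict(found)


def reset_requests_before(reset_log, ip, before, window=timedelta(hours=1)):
    """Password-reset requests from `ip` within `window` before the time `before`."""
    hits = []
    for line in reset_log.splitlines():
        m = RESET_RE.match(line)
        if not m:
            continue
        ts, email, src = m.groups()
        t = parse_ts(ts)
        if src == ip and before - window <= t <= before:
            hits.append((t, email))
    return hits


def correlate(ftp_log, reset_log):
    """For each destructive session, attach the reset requests that preceded it from the same IP."""
    report = {}
    for (user, ip), actions in destructive_sessions(ftp_log).items():
        first = min(t for t, _, _ in actions)
        report[(user, ip)] = {
            "deleted": len(actions),
            "first_delete": first,
            "reset_emails": sorted({e for _, e in reset_requests_before(reset_log, ip, first)}),
        }
    return report


if __name__ == "__main__":
    for (user, ip), info in correlate(FTP_LOG, RESET_LOG).items():
        print(f"{user} from {ip}: {info['deleted']} destructive commands starting "
              f"{info['first_delete']}; reset requests just before from: "
              f"{', '.join(info['reset_emails']) or 'none'}")
```

The point of the script is the join, not the parsing: on its own a DELE on the admin account is just administration, and on its own a reset request is just a forgetful user; the same IP doing both within minutes is what turned the post's case into a clear answer.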
Using the same password for email and other services
It is convenient to use the same password for everything.
But very dangerous.
On the same website I was telling you about before, when I got it back I noticed something.
In the database of website users who had subscribed to receive offers, the password was not encrypted. So it was not secure, and I could see it myself.
I didn't try it, but I'm sure that, of the roughly 800 people in it, a large percentage could have been logged into their email account, their Facebook, etc. using that same email and password.
And of course, if I can access your email, I can reset the passwords for your websites.
Another mistake
One of the first things I did was to apply an algorithm so that the passwords are stored encrypted. I thought it was a serious lack of privacy and a serious design flaw.
Luckily, nobody in the company had the knowledge to access the database and make use of that information.
But part of the problem would still have been users using the same password for everything. With a password manager such as LastPass it is easy to generate a different password for each service and store it, without having to remember it.
Or at least manage 3 or 4 different passwords: one more professional and exclusive, another for leisure, forums, etc., another for your purchases… That way at least something is separated, and one leak does not open every account.
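As an added example, not the post's own code, this is how that subscriber table should have stored passwords. The practitioner's caveat is that the right tool is not reversible encryption (a key on the same server decrypts everything) but a salted, deliberately slow one-way hash: a leaked table then neither reveals the passwords nor lets an attacker try them against the users' email or Facebook accounts, which is exactly the reuse risk the post describes. The example uses PBKDF2-HMAC-SHA256 from the Python standard library; the record format ("pbkdf2_sha256$iterations$salt$hash"), the iteration count and the sample emails are this example's own assumptions.

```python
"""Added example: replace a plaintext password column with salted PBKDF2 hashes.
Record format and sample data are invented for this example."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # high enough to make offline guessing slow; tune to your hardware


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, expected)


def migrate_plaintext_table(rows, iterations=ITERATIONS):
    """Rewrite (email, plaintext_password) rows as (email, hash_record) rows.

    This is the one-off step the post's site needed. After it runs, the plaintext
    column must be dropped, not kept 'just in case'.
    """
    return [(email, hash_password(pw, iterations=iterations)) for email, pw in rows]


if __name__ == "__main__":
    # Constructed sample of the kind of table the post describes (fake accounts).
    subscribers = [("ana@example.com", "hunter2"), ("luis@example.com", "hunter2")]
    migrated = migrate_plaintext_table(subscribers)
    for email, rec in migrated:
        print(email, rec)
    # Same password, different salts, so the records do not reveal that they match.
    assert migrated[0][1] != migrated[1][1]
    assert verify_password("hunter2", migrated[0][1])
    assert not verify_password("hunter3", migrated[0][1])
```

Because each record carries its own algorithm name and iteration count, the count can be raised later and old records re-hashed the next time each user logs in, without a second migration.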