Financial Adulting & security decluttering
Wednesday, October 2, 2019
This week we’re found some more useful tips to keep your financials and online security safe. So without a do, let’s launch into some of our top tips.
- If you’re doing a lot of business and transactions online then it’s a real darn good idea not to use your real or true identity in your username. Why is this and why should you not put your real name as your username? Well duh, it’s because of SOCIAL MEDIA nowadays and the internet being both good and bad. You can now look up practically everything at the touch of a button and do background searches and scour across the web and find security questions and answers likely if you do research. So if your real name is “John Smith” for instance you might consider using “paperkraft3657” or something that has nothing to do with your real world identity. This is just an example. Obviously you would adapt to your own needs and security level.
- Also using your real email is starting to become a security no-no. You may need separate accounts and you may need to have an account that doesn’t link to your email automatically. Because if that is your email address then it means a hacker has one less thing to guess and one more piece of information on you. So here’s an example:
You might be called: Anna Belle
You might have a username called: zeitg3ist855
You might have a email address as: firstname.lastname@example.org
As you can see in each case or instance above that a hacker would have difficulty inferring the other piece of information automatically from the other. Don’t make it easy for a hacker to get it. Make them work to break into your account cause your information with worth protecting and worth safeguarding.
- We have this new hobby and habit lately to go through our phone and every single setting, every single app, every single window and click on everything to customize every app, but also tweak the permissions. It’s a good idea to periodically go through any apps that you have on your phone and either lock down permissions or change settings to improve security. For example, on an Android phone you might have an app that you do texting on but for some reason it’s asking for intrusive permissions such as all your contacts, your location, and possibly access to your storage media. There may be legitimate reasons to do so, but in some other cases disabling the permission till you need it may make more sense. This is especially true in many dating apps that now ask for intrusive location settings. If you leave your location on it can leak data possibly to other malicious apps that you didn’t intend to have that data.
- You should also Force Stop any apps that you plan not to use or consider freezing them using special apps to stop or disable the app. Or you might even consider uninstalling ones you infrequently use to free up memory. The reason being is you might discover an app is malicious and spying on your or recording key strokes also know as a “keylogger” or “key tracker” and going in and periodically doing a security audit on both your phone and computer is important. We used to go and press “Ctrl-Alt-Del” to check what was running in memory and kill the apps because certain apps were memory hogs and we truly ran on limited memory and needed to flush the cache. Nowadays memory is cheap and people may not know to do this still. This is how spyware can hide in the background like a horror movie watching your every move. If you don’t do maintenance then problems can crop up over time with excessive programs showing up and slowing down your computer, cluttering up your drive, degrading performance, and also causing overheating temperatures. When you either click the square button on some Android phones to show all current apps (there may be some option similar to this in iOS) then you can swipe away all the programs you don’t need but doing a “Force Stop” makes sure that it does not continue to run. In some cases certain system apps may start again. We noticed this to happen especially with programs like Hangouts and YouTube and other Google type services. If you have a “root” app that has a feature to freeze and disable apps on Android devices it will also prevent or disable the app from showing up. We found this especially useful for pesky apps that come with the phone and are bloatware. A note about heat. Heat will degrade electronics and cause your equipment to wear down faster and reduce performance over time. Extreme temperatures are not good for your computer and it usually prefers being cooler and also a stable electrical voltage current. Make sure to dust out your computer cases and laptops with a canister of dust cleaner periodically, vacuum out the vents and insides and wipe off the computer monitors to prevent caking on exhaust vents include the power supply and check all cords to make sure they are not frayed or oddly warped otherwise you may need to replace them to prevent a short and damage to your expensive equipment. Protect your hard earned investment.
- While you’re at this, consider cleaning out your physical wallet. In the Marie Kondo way, if what you have in your wallet is not needed and sparking joy then toss it out! We’re jesting of course cause you probably have important things in there but this goes true for wallets and purses or any place else you store items and carry on a regular basis such as a suitcase, briefcase, backpack or sack. You need to clean out the clutter to be sure what you have is truly important and also that you don’t accidentally lose something important if you misplace it. It may be a good idea to make copies of anything that you have in your wallet should you need to replace it or have to file a claim for if you lose it.
- Consider changing passwords of your accounts or physical locks periodically. In many businesses and according to many security experts this is a good idea to prevent someone from brute forcing or guessing your password. Or if they already have your information, changing your password can lock them out from that point on. Consider also deactivating and logging out of unused sessions after you’re done. A nice feature on some sites such as Facebook or Google for instance is that it can tell you where you are logged in by browser and time and IP address and prompt you to determine if you recognize the session. If not then you can change your password to prevent or deny any further access to an unauthorized individual. And you can log out of all sessions.
- If you change your password we recommend a minimum of 16 character passwords. We know a lot of sites use shorter and fewer characters which is very unfortunate because as of current writing there are extremely powerful processors and cloud computing server based hacking programs or you can rent clustered super-computing processing power levels of brute force hacking to literally break thousands of passwords within a few hours, minutes, and seconds compared to what used to take years. We’ve seen some sites recommend 12 characters but with computers getting up to the 10th generation and the ability to use multiple GPU cores you can’t really be safe with your “general catch-all recommendation”. Our mindset if it’s good enough for everyone then you need to not be like everyone else to stay ahead of the curve. After all a few days ago Google was rumored to have achieved some Quantum computing level milestone so that means if cryptocurrency enthusiasts and PGP and security analysts are going nuts then you should be starting to worry yourself. No one is going to protect you except yourself and so it’s worth the time and effort to learn how to protect yourself. Most people wait till they are hit with a breach of identity and then they are retroactively trying to put out fires. Don’t wait till it’s too late.
- Also consider removing or deleting unused accounts. It is standard practice in some places that when someone gets hired or leaves an organization that computer accounts have to be given access or denied access to a newly hired employee as appropriate. If you are running your own business, as we hope you’ve been encouraged from our site, then we thoroughly recommend you have some kind of disaster mitigation protocol and security guru on site for all things data protection. When a person is leaving your organization make sure all keys are surrendered and accounts prepared for closure and then once they are no longer there to disable all accounts from further access and change physical access. You may still need access to the accounts as administrator for audit purposes but once it is no longer needed then either purge them or demote or downgrade permissions. A user that used to have high level administrative permissions should no longer be able to gain entry.
- Consider timing out applications or logging users out if they are not active. You see this is many banking apps and financial apps. This is a great feature to add to other sites and we wish there was additional ways to do this on smart phone apps and add that as a plugin to other sites as well.
- Consider having multiple redundant security firewalls. For example have layers of security to prevent access. Let’s say you have a castle. You wouldn’t just protect it with a wall. You might consider a moat with alligators, have so soldiers outside, maybe catapults, maybe a fire pit, booby traps and mines. The same thing is you don’t want your computer to just rely on just passwords. You need antivirus or malware type protection in most cases or have something to prevent someone trying to gain access to your ports. For example if you are accessing the web or telnet or ssh then those programs have an open port that lets information go in and out. You may need to block unused ports or infrequently used ones or highly insecure methods of communication.
- Consider disabling permissions by default. This goes back to firewalls and just making sure to think of security first. You don’t want to wait till zombies have invaded or mosquitoes have come in to close the window. Have the doors closed in the first place and grant permission only on an as needed basis. It may take a bit longer but you won’t have your data as likely to be stolen.
- Lastly, don’t give out sensitive information, and that especially means passwords! You wouldn’t believe how easy it is to give out or share information with people these days. I know a lot of people want to be a couple in romantic relationships or share passwords or Netflix accounts (even though no one admits to it) or other security-no-no’s. But once you give it out then someone can lock you out of your own account. Normally coworkers and such don’t need the password either from you and if someone is really in the “IT department” they will be able to get into your account without that information. So be very wary about weird phone calls and emails asking you to divulge any information and especially over the web. The general rule is if I don’t see you, I don’t know you and shouldn’t give you my information. And if there’s a legal issue then documents and such of legal authority need to be displayed to get information or they can get access other ways. So prevent yourself from losing your shirt and protect your information.
- When you get a new account always change default passwords or usernames if possible. A very common case is router hardware equipment. They typically have usernames such as “admin” or “guest”. Or you might have a new account assigned by your workplace and you get a default 6 or 8 alphanumeric password. Consider changing this. Make sure to take advantage of the randomness of entropy and make your passwords hard to guess. Most people think that passwords are made to be remembered. Sadly passwords are now in our opinion “obsolete” in terms of security because they are hard to remember and there’s too many of them. You may need a very special password manager or alternate way of recording the password for later use. Please consider doing further research for best practices as there are many great security sites online that detail this process.
- If you have set up your own home WiFi consider lowering the transmission power of your WiFi so that it’s not easily seen in your neighborhood and is only within the range of your house. You can do this in certain open source software like DD-WRT for instance. There are many other choices for this as well. Also consider changing your SSID of your router or network. Don’t make it obvious. There’s apparently a “spy-van” type online phenomenon or joke going around but we just recommend to not call it “Bob’s WiFi” so that you’re basically identifying what house you are.
- Make sure you’re using the latest encryption standards. AES-256 was big and still one of the most secure. We don’t know what will happen with quantum computing on the horizon. Also consider setting your WiFi as a WPA2 connection. Don’t leave the security access as open or even WEP as we have found easy tutorials on how you can sniff and brute force and detect network data packets using tools like Wireshark and Stumbler and other network forensic and penetration tools easily obtainable on the net. A lot of people that are new the Internet should take a basic security course and read up on best practices. There is so much information out there nowadays that there’s no reason to be clueless unless you just haven’t read that information yet. There’s always so much more to learn.
- Consider encrypting everything such as your phone or laptop or desktop drive and partitions so that if your information falls into the wrong hands it is more difficult to pry and probe your device. For example if a person can’t log into Windows they might not be able to get into your BitLocker encrypted files for instance even using a different operating system. Consider also zipping up and encrypting any items before sending over the internet or uploading to cloud services. This includes encrypting emails.
- Delete any old data you’re not going to use ever again. Smash it up into itty bitty pieces especially old drives. Burn and completely destroy CD’s and paper files.
- If you go to business conferences beware of free gifts that are actually Trojan horses in disguise. You might get a USB drive or free CD that’s bundled with spyware or other viruses. It’s not recommended to connect any of these to your business or work network computers. It may be a good idea to connect to an airgapped or sandboxed computer and and thoroughly test before sharing any free software with others. Always check your network policy.
- Take inventory of your possessions. This goes back to checking wallets, purses. You can even do this with your food and groceries for instance, after all grocery stores have a loss prevention and security unit so if you run a business or are the CEO you need to know what is on your computer at all times, who you give passwords to, who has access to what, and who has access to keys and what file cabinets etc. A lot of running a business involves keeping good detailed records and keeping backups of everything.
- Limit permissions and capabilities and access to only specific programs, apps, or individuals to get access to sensitive data. For instance, you might not want to access your personal accounts on your cellphones but only on a specific computer at home or maybe only check your accounts by dialing your bank to get the balance for instance.
- There are many methods to have backups. Some recommend a 2 + 1 approach with two local and one offsite such as having your data logs on a laptop, one on CD, and one on a secure cloud network. Obviously you want to do what is right for your situation. The fun thing about thinking of security and doing research is that these skills extend to all parts of your life, from thinking ahead to risk mitigation to considering alternative strategies and thinking on your feet. It is like playing an advanced version of chess so that you don’t get caught offguard. You don’t want to be playing Candyland when your opponent is playing Battleship. Backups should be regular and routine and you should also test your backups to ensure they work especially as needed. And make sure not to have one of your backups connected to anything else to prevent corruption or viruses spread to backups.
- Get regular training and keep up to date on security practices. It’s a good idea to subscribe to some computer training and security sites or read about how people had their identities stolen or compromised or were victims of fraud. AARP has some good articles as does US-CERT. If you live in a different country you might have an organization in your native country that has good security practices.
- Periodically check access logs if you run a website as an Administrator or even if you are on Facebook or Google or other sites. Don’t forget to check for patches and updates and actually patch and update your software to prevent issues. Be alert to Zero-Days. Some websites also will let you know if you’re being DDOS’ed or under attack or high network traffic or there’s odd network sniffing. Make sure to disconnect, review, and notify affected parties.
Remember nowadays there’s phishing and ransomware and other attacks that simple techniques in the past that used to work are now ineffectual to protect your or your organization. We researched the web and will have another follow up article about etymology. But today’s article is brought to you by the word “sucker”. What does it mean to be a “sucker” or to be “suckered in”? The word comes from someone that either sucks such as a lollipop or is a child that’s naive and gullible, recently born or easily deceived. We found this after rooting around on the web. According to Yourdictionary.com and Wikipedia the word may come from the “pig in a poke” scam where a “suckling pig” was put in a bag to be sold. The word “poke” was another word for a “bag” or “sack” but sometimes a fraudster would use a cat instead and thus if you found out the deception before getting home then you discovered the ruse and “let the cat out of the bag”.
Don’t let yourself get suckered or deceived.Some other quotes involving the use of sucker…
- Tai Lopez on playing poker: If you’ve been in the game for 30 minutes and don’t know who the sucker is, you’re the sucker.
- P.T. Barnum: There’s a sucker born every minute.
Note: This last part of the article was inspired by an article about why Nigerian scams (also known as “419 scams” due to that being the country’s penal code that makes these types of scams illegal. According to an article on Quora one theory on why many scams are created to be obvious is to only scam the truly gullible, the truly naive and easily deceived. People that are not awake and sheep and go along with with they see in front of them and don’t use their head often get scammed or just are not well experienced in the ways of the world. So the scams target the “suckers” to make it more likely to weed out the ones that are not likely to be deceived and “waste” the fraudster’s time.
References in this article:
“Sucker” YourDictionary. 1913. https://www.yourdictionary.com/sucker October 2, 2019.
- Note this makes reference to the 1913 edition of Webster’s Dictionary and an English Wiktionary.
Killiam, David. “Why do scam emails have such obvious grammar mistakes?” Quora.com. n.p. 2016. October 2, 2019 https://www.quora.com/Why-do-scam-emails-have-such-obvious-grammar-mistakes?share=1.