Why Do Hackers Attack Websites?

Do you know why hackers target websites? Do you believe that your website is too small or insignificant to be the target of a hacker? It’s time to think again. There are over 90,978 security attacks that happen every minute of every day and hackers have zero prejudice when it comes to the size of the website or business they attack.

Hackers aren’t just looking to take advantage of big corporations. They are simply looking for any kind of exploitable vulnerability.

Hackers Attack Websites For All These Reasons:

1. Inject Malicious Content

Sometimes, hacking is simply about getting malicious content or code onto the front end of your WordPress site with the hopes that your visitors then click on the malicious links. This can happen through comment spam, email hijacking, or through actual content submissions.

2. Steal Visitors’ Personal Information

This is the one you and your visitors should be most worried about. Any security breach is bad for business, but this one also means having to compensate visitors and customers for the money and privacy compromised in the attack.

3. Spread Viruses

Another way in which hackers attempt to terrorize your visitors is by using your website to spread viruses and malware. They can do this with malicious code they’ve written into the backend or with files they’ve uploaded for download on the front end. When visitors interact with these files, hackers then steal the visitors’ information or hijack visitors’ computers to spread viruses further to other websites.

4. Steal Business’s Private Information

Businesses work very hard to keep their secrets a secret. This is why it’s critical not to sync that information to the corresponding business website.

5. Use Your Web Server to Host Phishing Pages

Phishing on websites basically refers to when hackers create fake pages within your website in an attempt to collect information from visitors willing to give it. They can do this by embedding a contact form on the page and directly collecting information.

6. Host Legitimate Pages on Your Web Server

This is less common, but sometimes hackers actually take the time to build legitimate pages on high authority websites to improve their own SEO. These pages talk about them and link back to them.

7. Steal Your Server Bandwidth

Hackers can steal server bandwidth to host their own activities, such as bitcoin mining and brute force attacks on other websites.

8. Overload Your Web Server

Obviously this is related to the concept above, but when hackers overload your web server with a huge increase in hits, this is what’s known as a distributed denial of service (or DDoS) attack. Once they hit the overload threshold, the site goes down, and they win. Why would they do this? How could a hacker benefit from taking your website offline? Here are some possible reasons:

  • They could be doing it for bragging rights.
  • They might have a personal or political motivation.
  • The website could be just one of many victims in a broader attack.
  • They want a ransom.

9. Vandalize Your Website

For the most part, a hacker might vandalize a website to gain street cred – establish hacker credibility while hurting your brand.

How Can You Protect Your Website?

We have the means to put up a good defense against intruders if we accept two realities:

  1. We are not invincible.
  2. We must remain vigilant.

As a reminder, here’s what you can do to protect your website.


How Not To Get Hacked – Six Easy Steps

There’s been a lot of talk about Russian hackers these days, and while the thought of getting hacked by the Russians (or anyone else) often conjures up thoughts of Jason Bourne, most incidents of hacking are actually much less sophisticated. Let’s face it, hackers, like us, often take the easy way out and go for low-hanging fruit. The good thing about this is that it’s relatively easy to avoid getting hacked. What follows is a simple primer – how not to get hacked – six easy steps.

How Not To Get Hacked Step 1:

Create Strong Passwords

The first and most important rule is to never use the word “password” for your password. Don’t use these passwords either:

  • 123456
  • 123456789
  • qwerty
  • 1111111
  • 123123
  • qwertyuiop
  • 123321
  • 666666
  • 1q2w3e4r5t
  • google

These were the most commonly hacked passwords in 2016.

What all of these have in common is that they are painfully obvious. It is very important to choose your passwords carefully. Don’t use the name of your dog or cat or children. All of these are easily guessed. Strong passwords are cryptic – a meaningless string of numbers, letters, and characters. It’s also important to not use the same password for everything. Your Gmail or Yahoo password shouldn’t be the same as your Facebook password and that shouldn’t be the same as your bank password. Imagine if you were one of the billion or so Yahoo users who were hacked! The hackers would suddenly also have access to your bank account and your social media presence. They could learn everything about you at once.

Check HERE to see if any of your email account passwords have been compromised. If they have (and they probably were), make sure you go change the passwords at the sites where you have an account (or you set up an account eons ago).

How Not To Get Hacked Step 2:

Stop Trying To Remember Passwords…Get A Password Manager

As a website designer I need nearly 1,000 passwords in order to get my work done. Even if I had a meaningful and secure logical way of producing passwords, I would never remember them all. For the past 4 years I’ve been using LastPass. Basically LastPass creates extremely complex passwords (more than 20 characters if I want) and then remembers them whenever I go to a website. All I have to do is create one very long strong password that works as a master password. The master password will then unlock a secure, encrypted vault that contains each unique password for all of your accounts. Password managers also integrate seamlessly into Web browsers, so you can quickly log into any of your accounts from any of your devices. The basic version of LastPass is actually free. If you want to use LastPass on your mobile devices, then all it costs is $1/month.

How Not To Get Hacked Step 3:

Use Two-Factor Authentication

Two-factor authentication requires you to enter a password and then a second code, which is either texted to your cell phone or sent to your email, before you are let in. The exact methods may vary, but two-factor authentication is a much more secure way to prove that you’re you.

How Not To Get Hacked Step 4:

Be Wary of Public Wi-Fi

If you take the right steps to secure your Internet connections, you will probably be okay with public wi-fi. However, avoid doing the following things while on public wi-fi:

  • Don’t check email.
  • Don’t access your bank accounts.
  • Don’t shop online.

In general, whether on public wi-fi or not, seek out websites that start with https:// instead of http://. That extra “s” means the connection is encrypted, which is a critical level of security. Legitimate shopping, bank, and email websites all use SSL encryption.

For more information about the danger of public wi-fi, check out Norton’s post on the risks of public wi-fi.

How Not To Get Hacked Step 5:

Be Defensive and Watch Out for Phishing Tactics

Spoofing is how cyber criminals try to steal passwords from people who actually know how to come up with complex passwords. This is also called phishing. They’ll get you to click on a link leading to a spoofed website that looks exactly like the one at which you have an account. When you “log in” to the spoofed website, your log-in credentials are stolen. Do not click on the link. Instead, delete the phishy email.

How Not To Get Hacked Step 6:

Trust Your Instincts

If an email or website seems suspicious in any way, delete it or don’t visit it. Many of the attacks – an email phishing campaign for example – attempt to take advantage of our caution and reason by appearing to come from an authoritative source – like our banks, credit card companies, or even the IRS. But in reality, most of those entities will mail you multiple letters before any action is taken. If something – even mailed to you – looks suspicious, pick up the phone and call your bank. Don’t use the number on the suspicious mailing or email.

Check For Vulnerabilities In Your Connected Devices

Last week’s DDoS attack on Dyn shut down portions of the internet. A DDoS attack is a distributed denial of service attack. Dyn is a major DNS provider. The attack was carried out by a botnet that took control of a large number of connected cameras that still had their default passwords in use. In order to understand how to protect yourself, you need to check for vulnerabilities in your connected devices. And to do that, you first need to understand what a DDoS attack is and what DNS is.

What’s a DDoS attack?

At the most basic level a distributed denial of service attack works like this. An attacker sends an onslaught of packets – essentially just garbage data – to an intended recipient. In the case of the most recent attack, the recipient was Dyn’s DNS servers. The server is overwhelmed by the garbage packets, can’t handle any new incoming connections, and eventually slows down significantly or crashes entirely. What’s new about this particular attack is that it was carried out by a group of hijacked, insecure network devices. Those hijacked devices become a DDoS army that works together to bring down a website.

What’s DNS?

DNS stands for Domain Name Servers. These are the internet’s equivalent of a phone book. Domain Name Servers maintain a directory of domain names and translate them to IP addresses. Without DNS, we would have to remember the IP addresses for websites instead of their easy to remember names. Google’s IP address is 8.8.8.8 but most IP addresses are far harder to remember.

Why Should I Check For Vulnerabilities in Connected Devices?

Since last week’s DDoS attack was carried out by a botnet that took control of a large number of connected cameras with default passwords, it’s important to run a scan on your own network to make sure you don’t have any devices that are essentially open and accessible to an internet hijacking. To check whether you have such devices on your network, Bullguard Security created IoT Scanner. Go to the site, click the scan button, and IoT Scanner will look for open ports on your network.

If IoT Scanner comes back saying that your network can be breached, that means some device that’s connected to your Wi-Fi network has an open port that makes it accessible from the internet. This could be on purpose if you’re running a server or have some other device that you can access from outside your home network. If you’re not doing that and IoT Scanner says your network can be breached, then it’s a good idea to contact your IT professional and see which device has that open port.

Like most tools, take the results with a grain of salt and use this as a starting point to really secure your network.

Ten Tips For Spotting Phishing Emails

Every day millions of phishing emails are sent to unsuspecting victims all over the world. I know because I receive five or six myself in my spam folder every day. While some of these messages are so outlandish it’s obvious they are fraud, others can be a bit more convincing. So how do you tell the difference between legitimate emails and phishing emails? Unfortunately there is no single way, but this post provides ten tips for spotting phishing emails.

#1 URLs contain a misleading domain name

People who launch phishing scams often rely on victims who don’t know much about technology or how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.gabeseiden.com would be a child domain of gabeseiden.com because gabeseiden.com appears at the end of the full domain name (on the right-hand side). Conversely, gabeseiden.com.maliciousdomain.com would clearly not have originated from gabeseiden.com because the reference to gabeseiden.com is on the left side of the domain name.

This happens all the time, especially when the phishing criminal uses a trusted name like Microsoft or Apple or even the IRS. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

#2 The message is poorly written with grammar and spelling mistakes

Whenever a company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.

#3 The message asks for personal information

This is usually a major red flag. No matter how official an email message looks, it’s always a bad sign if the email asks for personal information. Your bank or credit card company already knows your account number and social security number.

#4 The message contains a mismatched URL

One of the first things you should check in a suspicious email message is any embedded URL. Often the URL in a phishing message will appear to be perfectly valid, but if you hover your mouse over the link you see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
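The two domain-name checks above (tip #1, a trusted brand placed on the left of an unrelated registrable domain, and tip #4, link text that shows one address while the href points somewhere else) are mechanical enough to automate. The following is an added example, not a tool from the original post; it parses the anchors in an HTML email body with Python’s standard library and reports both problems. The public-suffix list, the trusted-brand list and the sample email body are constructed for the example; real deployments should use the full Public Suffix List.

```python
"""Flag the two link tricks described in tips #1 and #4: a brand name on the
left-hand side of an unrelated domain, and visible link text whose domain
does not match the real href target. Illustrative code added to this page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny hand-picked suffix list. Production code should load the
# Public Suffix List so that multi-label suffixes (co.uk, com.au, ...) are all covered.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk", "org.uk"}

# Assumption: brands a phisher would borrow; extend with the names your users trust.
TRUSTED_BRANDS = {"microsoft.com", "apple.com", "irs.gov", "gabeseiden.com"}

# A URL-looking token inside visible link text, with or without a scheme.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host):
    """Right-most owned part of a host, e.g. 'info.gabeseiden.com' -> 'gabeseiden.com'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer public suffix first ('co.uk' before 'uk')
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_host):
    """Hostname of a URL; a bare host such as 'login.microsoft.com' is accepted too."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def misleading_brand(host):
    """Return the trusted brand a host borrows on its left side, or None if it is legitimate."""
    reg = registrable_domain(host)
    if reg in TRUSTED_BRANDS:
        return None  # the brand's own domain or a genuine child domain of it
    left_labels = host.lower()[: -len(reg)].split(".") if host.lower().endswith(reg) else []
    for brand in TRUSTED_BRANDS:
        if brand.split(".")[0] in left_labels:  # 'microsoft' sitting left of another domain
            return brand
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def check_link(href, text):
    """Findings for one anchor; an empty list means nothing looked wrong."""
    findings = []
    target = host_of(href)
    brand = misleading_brand(target)
    if brand:
        findings.append("misleading domain: %s placed left of %s" % (brand, registrable_domain(target)))
    match = URL_IN_TEXT.search(text)
    if match:
        shown = host_of(match.group(0))
        if registrable_domain(shown) != registrable_domain(target):
            findings.append("mismatched url: text shows %s but link goes to %s" % (shown, target))
    return findings


def check_email(html):
    """Map each suspicious href to its findings."""
    report = {}
    for href, text in extract_links(html):
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample message body for the example (not a real email).
SAMPLE_EMAIL = """
<p>Your mailbox is full. Please <a href="http://microsoft.maliciousdomainname.com/login">
sign in at https://login.microsoft.com</a> to keep receiving mail.</p>
<p>Newsletter archive: <a href="https://info.gabeseiden.com/news">info.gabeseiden.com/news</a></p>
<p>Tax notice: <a href="http://irs.gov.example.net/refund">www.irs.gov</a></p>
"""

if __name__ == "__main__":
    for href, findings in check_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

Only the two phishing links in the sample are reported; the genuine child domain info.gabeseiden.com passes both checks, which is exactly the distinction tip #1 draws.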

#5 The message looks too good to be true

If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

#6 You’re asked to send money to cover expenses

You might not get hit up for cash in the initial message. But sooner or later, phishing criminals will ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

#7 You didn’t initiate the action

If you get an email congratulating you on winning the lottery, but you never bought a ticket, you can bet that it’s a scam. If you didn’t do something to initiate the action, it is probably a scam.

#8 The message makes unrealistic threats

Most phishing scams try to trick people into giving up cash or sensitive information by promising instant money. However, some phishing scams use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

I once received an email from what looked like the IRS. Everything looked legitimate except for one thing. The letter said my account had been compromised and that if I did not submit a form (which asked for my social security number) along with two picture IDs, my assets would be seized.

I knew this was a scam because the IRS doesn’t send out emails like this. The IRS sends out its threats via snail mail.

#9 The message appears to be from a government agency

Government agencies in the U.S. don’t normally use email as an initial point of contact.

#10 Something is fishy

If you receive a message that seems suspicious, it’s usually in your best interest to avoid acting on the message. On the off chance that it’s a real message, usually the real person will find another way to contact you.

How to stay ahead of cyber criminals

It’s no secret that cyber attacks are becoming increasingly sophisticated, stealthy, and, as a result, commonplace. We have seen high profile security breaches at Target, JP Morgan, Home Depot, and the US Government. Attackers can infiltrate practically any “secure” environment and maneuver undetected for months at a time while they scope out the best approach (for them) for a cyber attack. So the question for us is – how do we stay ahead of cyber criminals?

This is ultimately a cat and mouse game and it’s clear that the cyber criminals play the cat in this game. As cyber attackers become increasingly aware of cyber security measures, both large and small organizations must be on the defense and continuously learn about potential warning signs. Here are a few helpful tips to help you stay ahead of cyber attacks and reduce the risk of data breaches.

Constant Change

There’s one thing that cyber criminals and the rest of us have in common – none of us like change. We want to keep systems and processes static because it makes life and work easier. Attackers love static systems and processes because it makes it easier for them to study their subjects, learn the ins and outs, and figure out exactly how they can compromise your data. If you want to make it difficult for sophisticated cyber attackers, create a culture that thrives on change.

Monitor for Usage of Irrelevant Information

Cyber criminals do their homework before launching an attack. Sometimes their data is misinformed or incomplete. You should monitor for activity that doesn’t make sense for your organization.

A typical example of an irrelevant information scenario is the “former employee” situation. In this case, an attacker targets a specific user from your list of employees, not knowing that the person no longer works for your organization. Because the employee no longer works for you, that employee should not be taking actions within the company’s network and the network shouldn’t be contacting them. Spotting this suspicious activity can help you prevent data breaches.

Avoid Alarm Fatigue

Security appliances are more sensitive than ever to better detect potential threats, but the sharp increase in alerts leaves security teams running ragged.

It is impossible to launch a full-scale investigation every time your security appliances send a notification. Instead, you must monitor your organization for signs of alarm fatigue and resolve them as soon as possible. If you stop monitoring for serious notifications, you are sure to miss the real issues as they come up.

Invest in Cyber Security Education

Did you know that human error is the leading cause of data loss? Cyber security training and education teaches employees the importance of changing passwords and monitoring for suspicious activity to cut down on the amount of human errors.

One major part of training employees for better cyber security is preparing them for phishing schemes. In phishing attacks, cyber criminals often send out seemingly legitimate emails, mimicking companies like PayPal or eBay in an attempt to lure readers to click on a fake link. While the link seems real and the landing page is set up with real logos, the site is built to funnel sensitive data to cyber criminals. The email might mention an issue with the user’s account and lead them to a site that requests PIN numbers, credit card data and more. These can be tough to spot, but there are warning signs to look out for.

All of the security solutions in the world can’t protect your network if your workforce is willingly (but unknowingly) giving cyber criminals access to it. Creating a truly secure workforce requires ongoing education and training.


LastPass Hacked, Change Your Master Password Now

LastPass – my favorite password manager – has been hacked. This is the bad news. It’s time to change your master password. If you have LastPass, do this right now before you finish reading this post. The good news is that passwords you have saved for other sites should be safe.

LastPass announced on their company blog that they detected a server intrusion. While encrypted user data (your stored passwords for other sites) was not stolen, the hackers did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication you should do that immediately here.

LastPass Security Notice – Updated June 16, 2015:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account. Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy to guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.
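The two answers above describe a layered scheme: 5,000 client-side rounds of PBKDF2-SHA256 over the master password, one more round to produce the authentication hash that is sent to the server, and 100,000 further server-side rounds with a random per-user salt before comparison. The block below is an added illustration of that structure, not LastPass’s code; the details the notice does not spell out (the username as the client-side salt, the form of the extra round, and the record layout) are assumptions, and the username and password used at the bottom are made up.

```python
"""Layered password hashing in the shape the LastPass notice describes:
client PBKDF2 (5,000 rounds) -> one more round -> server PBKDF2 (100,000 rounds, per-user salt).
Added example for this page; not LastPass's implementation."""
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # "5,000 rounds of PBKDF2-SHA256" on the user's computer
SERVER_ROUNDS = 100_000  # "another 100,000 rounds" with a per-user salt, server side


def client_key(username, master_password):
    """Client side: stretch the master password. Assumption: the username is the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), CLIENT_ROUNDS)


def auth_hash(username, master_password):
    """One further PBKDF2 round over the derived key (assumed form); this is what leaves the device."""
    key = client_key(username, master_password)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def enroll(username, master_password):
    """Server side at signup: draw a random per-user salt and store only the 100,000-round hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash(username, master_password), salt, SERVER_ROUNDS)
    return {"username": username, "salt": salt, "hash": stored}


def verify(record, username, master_password):
    """Server side at login: recompute the chain and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash(username, master_password),
                                    record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def work_per_guess():
    """HMAC-SHA256 iterations someone holding a salt and stored hash must spend on every guess."""
    return CLIENT_ROUNDS + 1 + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed account for the demonstration.
    record = enroll("alice@example.com", "correct horse battery staple")
    print("stored hash:", record["hash"].hex())
    print("right password accepted:", verify(record, "alice@example.com", "correct horse battery staple"))
    print("wrong password accepted:", verify(record, "alice@example.com", "password1"))
    print("iterations per guess:", work_per_guess())
```

The server never sees the master password itself, only the already-stretched authentication hash, and the per-user salt means a guess must be recomputed from scratch for every account; the cost per guess (105,001 iterations here) is what makes a dictionary run slow, and a short or reminder-revealed password is what shrinks the number of guesses needed.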

Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

What should I do now?
Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you login. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.

Why did I hear about this in the media first?
Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

I reset my master password, but now I can’t get in!
If you forgot or mis-typed your new master password, please revert your change: https://lastpass.com/revert.php and login again with the previous master password. Then you can try another change (and be careful of typos!).

I don’t remember my old master password.
Please try password recovery: https://lastpass.com/recover.php on a browser where you’ve used LastPass before. For more information about account recovery, see: https://helpdesk.lastpass.com/account-recovery/

Why Websites Get Hacked

I spend a fair amount of time working on new websites as well as fixing websites that have been hacked and this question always comes up:

Why would anyone ever hack my website? I’m just a small business owner.

Depending on who you are, websites get hacked for different reasons, but there are a few specific explanations.

Automation is key

Website attacks that target small businesses and smaller websites are fully automated. Automated attacks give hackers the following benefits:

  • Mass exposure
  • Reduction in overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success (for the hacker)

The majority of these attacks are automated and follow a specific sequence:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

While thinking about how these attacks occur, it’s important to address the two types of attacks: attacks of opportunity and targeted attacks.

Attack of Opportunity

Almost all small business website attacks are attacks of opportunity. This means that it’s not one individual or group that is trying to hack into your specific website, but rather a coincidence. Something about your site was caught in the net as they trawl the internet looking for hacking opportunities. It could have been something simple like having a known plugin installed, or maybe displaying the version of a platform (displaying the fact that you’re using an outdated version of WordPress, for example).

According to Sucuri, a website security company, it takes about 40 days for a new website with no content or audience to be identified and added to a bot crawler. Once added, the attacks can begin immediately without any real rhyme or reason. It can be any website; the only commonality is that they are all connected to the internet.

These web crawlers then begin to look for identifying markers. Is the website running WordPress, Joomla, Drupal? If so, is the website running any software with known vulnerabilities or bugs in the code? If the answer is yes, the site will be marked for the next phase of attack, exploitation.

The sequence of events can happen in a matter of minutes, days, or months. It’s not a singular event; it’s ongoing and occurs continuously as the bot crawlers are scanning for vulnerabilities. Once your website is on the list, it will just keep on trying until it succeeds. This is why it is so critical to have someone actively managing your website and – at a bare minimum – updating software.

Targeted Attack

Targeted attacks are often reserved for big businesses, but not always. Think of the NBC hack in 2013 or the Forbes hack in 2014. There have been many examples of these attacks lately, and it’s obvious why there’s an uptick in this trend. Even though it requires much greater hacking skill, the payoff to the hacker can be huge. A very common type of targeted attack is called a Denial of Service attack, in which the attacker works to bring down the availability of your site by overloading it with traffic.

Hacking Motivations & Drivers

Now that you have a better understanding of how these attacks happen, let me unpack some reasons why websites get hacked.

Economic Gains

The most obvious reason why websites get hacked is for economic gain. These are attempts to make money from your audience, either by getting them to click on something or download something.

Drive-by Downloads

A drive-by download is the act of injecting your website with malware and hoping to infect as many website visitors as possible. Think of someone visiting your website and then calling you because they installed a fake piece of software that you supposedly recommended on your website. Then their bank accounts were drained. Scary and very real and devastating.

Black Hat SEO

The other type of strategy is the black hat SEO campaign. These are not as devastating, but can be more lucrative for the hackers. This is the game of abusing your audience by redirecting them to pages that generate affiliate revenue.

System Resources

The business of farming system resources is a huge motivator for hacking groups. Botnets are nothing more than interconnected systems across the internet; these can be desktops, tablets, and even servers, and they can be tethered together to perform tasks like Denial of Service attacks simultaneously. These attacks that target your system resources are dangerous because they can happen completely behind the scenes without you knowing what’s going on until you get a notice from your host – or worse, a huge bill – for exceeding your bandwidth.

Hacktivism

The point of these website attacks often comes down to awareness and frequently consists of a hacker defacing your homepage. This form of attack can be combined with others, but more often than not they are somewhat benign and create more embarrassment to the site owner rather than affecting their site visitors.

Pure Boredom

Unfortunately boredom seems to come into play and often there is no real reason why websites get hacked.

Conclusion – Your Best Defense is Knowledge

It is easy to be overwhelmed by all of this, but we believe that your best defense is knowledge and if there’s any real take-away here, it is that you should

  1. hire someone to manage and maintain your website
  2. update whenever updates are available

Remember, security is not about the elimination of risk. Security is risk reduction. Take what you know and use it to lower your chances of getting hacked.

FBI: Businesses Lost $215 Million to Email Scams in 2014

According to a recent alert from the FBI, businesses lost nearly $215 million to one particular type of email scam in 2014. The business email compromise (BEC) swindle is a complicated scam that starts when business executives’ or employees’ email accounts are hacked.

The FBI says that the business email compromise scam is a sophisticated and increasingly common type of fraud targeting businesses that work with foreign suppliers and/or businesses that regularly perform wire transfers.

According to the Internet Crime Complaint Center (IC3) – a partnership between the FBI and the National White Collar Crime Center – the BEC is a global scam with subjects and victims in many countries. The IC3 has received victim and complaint data from people in every U.S. state and 45 countries. From 10/1/13 to 12/1/14, the following statistics are reported:

  • Total U.S. Victims – 1,198
  • Total U.S. Dollar Loss – $179,755,367.80
  • Total Non-U.S. Victims – 928
  • Total Non-U.S. Dollars – $35,217,136.22
  • Combined Victims – 2,126
  • Combined Dollar Loss – $214,972,503.30

CEO fraud is one variation on the BEC scam. CEO fraud starts with the email account compromise of a high level executive (CEO, CFO, CTO, etc.). Posing as the executive, the cyber-criminal sends a request for a wire transfer from the compromised email account to a second employee within the company who is normally responsible for processing these requests.

According to the IC3, the wire transfer requests are well-worded, specific to the business being victimized, and do not raise suspicions about the legitimacy of the request. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank ‘X’ for reason ‘Y’.

The people perpetrating these scams do their homework before targeting a business and its employees, monitoring and studying potential victims prior to initiating the scam. Fraudulent emails have coincided with real business travel dates for individuals whose email accounts were spoofed. These criminals have been able to accurately identify the individuals responsible for wire transfers and also the specific protocol necessary to perform wire transfers within a particular business environment.

The IC3 recommends that businesses protect themselves by adopting two-step or two-factor authentication for email when possible, or by establishing other communication channels – such as telephone calls – to verify significant transactions.

For more information about how to analyze the security of your inbox, take a look at this poignant infographic by Krebs on Security:

The Value of a Hacked Email Account


Ten ways to protect yourself online


Any time you are online, you are vulnerable to hackers. Whether you are a sole proprietor or a massive corporation like Sony, your chances of being hacked, scammed, or infiltrated in some way are unfortunately about the same. Hackers can steal your credit card numbers, tax records and passwords, erase your hard drive, disable your entire computer, and even use your built-in webcam or microphone to spy on you. The most complete way to protect yourself online would be to get offline and disconnect yourself immediately, but that solution is no longer an option for any of us.

To protect yourself online, you should take these 10 steps very seriously:

1. Fortify your passwords

Don’t reuse your passwords. If an attacker gets your password, she might try it on all of your accounts. This means that a given password is really only as secure as the least secure service where it’s used. Use a single master password or passphrase along with a password manager like LastPass. Choose strong passwords – short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY, are not strong enough today.

2. Use a password manager

Check out LastPass. This is what I use. There’s a free version that syncs between devices but doesn’t allow you to sync with your mobile phone. The premium version costs just $12/year!

3. Secure your security questions

Beware of security questions. Honest answers to many security questions are often publicly discoverable facts. If you do use factual information in the security questions, make them more secure by adding numbers and other characters. Your cat Fluffy can be F1uff7 instead.

4. All HTTPS all the time

HTTPS will encrypt any stream of data between you and the service, ensuring that anyone using Firesheep or a packet sniffer on a (usually public) Wi-Fi network can’t glean your login data. Never work at a coffee shop or on other public Wi-Fi without it.

5. Turn on Two-Step verification

Facebook and Google both offer the option of 2-Step authentication when you log in, meaning you have to enter a secondary PIN which is generated on and/or texted to your phone. It’s a complete and utter pain in the ass whenever you’re logged out, but it’s also a pretty safe guarantee that no one will be getting into your account without a heavy-duty targeted attack.

6. Use a secret email address

Publicly available information is the first way a hacker can get their foot in the door. Few things are tossed around more casually than an email address. Don’t give potential hackers a starting point, especially if you use the same login info across multiple sites (which you shouldn’t be doing in the first place!). Instead, create an email address that as few people know about as possible that you use only for account log-ins.

7. Set up login notifications

Facebook will allow you to receive a text message anytime an unrecognized IP address logs in to your account. You may not prevent a hack, but if you act quickly enough, you can remotely log them out and re-secure your account before they get their hands too deep into your business. Gmail is also set by default to alert you if it notices anything particularly strange with your login activity.

8. Put passwords on your devices

This is a no-brainer and should not require explanation. All of your phones, tablets, laptops, and desktops should have a password.

9. Don’t save your credit card information in your browser

Another no-brainer.

10. Keep an offline backup

Just in case your online backup provider is ever hacked, it’s probably a good idea to have your most important documents backed up using a physical hard drive connected to your computer.

11. Don’t link your accounts

Facebook sign-on certainly makes life easy for you, but imagine what happens when someone steals the phone that doesn’t have a password or hacks your password on your computer.

12. Use email wisely

Email is a great way to keep in touch with friends and family, and as a tool to conduct business. Even if you have good security software on your PC, however, your friends and family might not have the same protection. Be careful about what information you submit via email. Never send your credit-card information, Social Security number, or other private information via email.

Conclusion

Those of you who are very perceptive will note that I couldn’t resist and actually gave you 2 extra tips for protecting yourself online. Data shows that a blog post titled “ten ways to protect yourself online” will do better than the same post titled “twelve ways to protect yourself online”. If I had to hone in on one or two particularly important ways to protect yourself online, I would pick number 1/2 – fortify your passwords/use a password manager and number 12 – use email wisely as the most important ways to protect yourself online.

Do you all agree with me? Did I miss anything?

If You Aren’t Using a Password Manager, It’s Time To Start Using One Now

Online merchants and secure websites aren’t doing a very good job of keeping your personal information safe. Not a week goes by without news about a major online retailer being hacked. To make matters worse, even those websites that use decent security practices may have been compromised by the recently discovered Heartbleed bug. If the bad guys got your password, you’re in trouble. But if you used that same password at other sites, then you’re really in trouble. The only safe thing to do is to use a different strong password on every site, and the only practical way to do that is with a password manager.

If you aren’t using a password manager, it’s time to start using one now. This is important stuff, well worthy of major procrastination, because setting up a password manager involves a considerable amount of time and planning. If you are starting from scratch, chances are good that you are using your browser’s built-in password management feature. There are a variety of password managers, but we recommend LastPass and will help walk you through the process. LastPass will import those passwords, delete them from the browser, and turn off the browser’s password management. LastPass goes for a clean sweep, importing from all major browsers.

Beyond The Master Password

Most password managers support authentication using a master password. Since it’s protecting all of your other passwords, that one password needs to be really strong. But if that’s the only protection for your data, a crook who manages to steal your master password can access all of your data. The best password managers offer two-factor authentication.

LastPass 3.0 Premium can be configured for fingerprint-based authentication. LastPass supports authentication via the Google Authenticator mobile app.

Password Capture and Replay

Most, but not all, password managers integrate with the browser to capture login credentials as you enter them and replay those credentials when you revisit the site. LastPass goes a step beyond, actively detecting and managing password change events and capturing credentials as you sign up for a new service.

Quite a few password managers let you log in to your password storehouse from any browser, so you can look up credentials even when using someone else’s computer. Among these are Norton Identity Safe, RoboForm Everywhere 7, and Keeper 5.0; LastPass and Dashlane also offer this feature. F-Secure, by contrast, doesn’t allow any online access, considering it a potential security risk.

Form Filling and Personal Data

Given that most password managers already have the ability to fill your username and password into a login form, it’s not surprising that many also serve as form fillers for personal data. LastPass will cleverly offer to capture what you’ve entered if it sees that you are filling a form manually.

LastPass can store various types of ID data such as passports and driver’s licenses.

Free Protection

The free edition of LastPass has almost everything found in the premium edition; support for mobile devices is the big exception. LastPass Premium costs only a dollar a month. That’s not a lot, considering what LastPass is protecting.

Security Checkup

Virtually every password manager will report the strength of your master password. And virtually every product will generate strong, random passwords for you on demand.

LastPass takes this concept a step further by offering a security report listing all of your passwords and rating the strength of each. It also reports on duplicates—passwords you’ve used on more than one site—and makes it easy to upgrade all your passwords to improve security.
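As an added illustration of the security report just described, and of the reuse and length points made earlier under "Fortify your passwords", here is a small Python audit run over a constructed sample vault. This is example code, not LastPass's report or any vendor's code; the vault entries, the short denylist, the strength thresholds and the guessing rate behind the time estimate are all assumptions chosen for the demonstration. It groups reused passwords by a hash fingerprint rather than echoing them, scores each entry with a length-times-alphabet entropy estimate, and generates a random replacement with the `secrets` module.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault for the demo: (site, username, password). None are real credentials.
SAMPLE_VAULT = [
    ("bank.example", "alice", "correct horse battery staple"),
    ("shop.example", "alice", "Fluffy2012"),
    ("forum.example", "alice_f", "Fluffy2012"),   # same password as shop.example
    ("mail.example", "alice", "nQ\\m=8*x"),        # 8 random characters, as in the article
    ("news.example", "alice", "password"),
]

# Tiny constructed denylist; a real checker consults a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed offline guessing rate (guesses/second against a fast hash); adjust to your threat model.
ASSUMED_GUESS_RATE = 1e10

SYMBOLS = string.punctuation + " "   # 33 printable non-alphanumeric ASCII characters


def charset_size(pw: str) -> int:
    """Size of the alphabet implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: length * log2(alphabet). Assumes every character was chosen
    uniformly at random, so dictionary-word passwords score higher than they deserve."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def rate(pw: str) -> str:
    """Coarse strength bucket, the kind of label a manager's security report shows."""
    if pw.lower() in COMMON_PASSWORDS:
        return "very weak"
    bits = entropy_bits(pw)
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    return "strong"


def crack_time_seconds(pw: str) -> float:
    """Expected time to search half the keyspace at ASSUMED_GUESS_RATE."""
    return (2 ** entropy_bits(pw)) / 2 / ASSUMED_GUESS_RATE


def fingerprint(pw: str) -> str:
    """Short hash so the report can group reuse without echoing the password itself."""
    return hashlib.sha256(pw.encode()).hexdigest()[:8]


def audit(vault):
    """Return per-entry ratings plus the reuse groups (fingerprint -> list of sites)."""
    sites_by_fp = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_fp[fingerprint(pw)].append(site)
    reused = {fp: sites for fp, sites in sites_by_fp.items() if len(sites) > 1}
    entries = []
    for site, user, pw in vault:
        entries.append({
            "site": site,
            "user": user,
            "bits": round(entropy_bits(pw), 1),
            "rating": rate(pw),
            "crack_seconds": crack_time_seconds(pw),
            "reused": fingerprint(pw) in reused,
        })
    return {"entries": entries, "reused": reused}


def generate_password(length: int = 16) -> str:
    """Random replacement drawn from a CSPRNG, for the 'upgrade all your passwords' step."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    result = audit(SAMPLE_VAULT)
    for e in result["entries"]:
        flag = " REUSED" if e["reused"] else ""
        print(f'{e["site"]:<14} {e["bits"]:>6} bits  {e["rating"]:<9}{flag}')
    print("replacement for the weak entries:", generate_password())
```

Running it shows why the article's 8-character random example is no longer enough: at the assumed rate its roughly 52-bit keyspace falls in days, while the 16-character replacement from `generate_password` sits above 100 bits. The entropy figure is an upper bound, so a passphrase of dictionary words scores higher here than a real cracker's wordlist would make it; that is a known limit of this style of estimate, not a feature.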