How-to: Avoid Common Security Mistakes On-line Part2

In part one, we looked at the most common software mistakes; this time the focus is on the ‘wetware’ – that’s you, the human being, with all your fallible human behaviours.

Mistake #4: Falling for Email Exploits
Email is still the top delivery system for cracks and software exploits. And for phishing. And for social engineering.

Email commonly harbours all those cold callers who try to scam you or steal the contents of your house while you’re not looking.

  • Are you still clicking random attachments, web-links and download links?
    – Don’t. If you didn’t ask for it, just don’t.
  • Are you installing random .exe (executable files) just because an email said it was useful?
    – Executables are program files that run code. They could hide just about anything – trojans, worms or any number of viruses.
  • Are you responding to pleas for money from unknown charities?
    – The charity is probably some unscrupulous scammers’ bank account.
  • Are you handing over personal details in response to unsolicited emails from a bank or utility company?
    – Banks and utility companies never ask for customer data. This is pure phishing.
  • Are you being asked for bank details to receive a tax refund from the Revenue Service?
    – The tax authorities are actively telling us that they don’t ask for taxpayers’ personal details or bank accounts. These messages are also phishing ventures.
  • Are you getting pleas for wire transfers to rescue a friend who’s been robbed overseas?
    – And you didn’t know they were even on vacation! They’re not. It’s a scam.
  • Have you won a lottery you didn’t enter? A prize in a competition you never heard of?
    – You haven’t. This is just the same as the prize draw junk mail that comes through your door. It’s either a sales trick or a scam.

How do you spot phishing and social engineering scams? Fake phone numbers and addresses, spelling or grammar errors, wrong logos, and the wrong tone of voice or use of language for the person or organisation are the common giveaways.

And if you don’t recognize the sender, always assume it’s spam.

Mistake #4: Bad Passwords
We could write volumes on bad passwords. Mostly they fail through inconvenience. I’ve got dozens for different services now. How do you remember them all? Do the services all have their own rules on what is or isn’t allowed?

For the sake of convenience, we tend to use the same password over and over again: email, Facebook, Amazon; this week another service, same password. Using one password everywhere is like handing over the master key to your front door. Don’t do it. Use individual passwords for individual accounts. You’ll thank me later when Sony’s PS3 network or Amazon or Facebook next get cracked.

Worse than that, unless we’re forced to change them periodically, as with most of our work logons, we keep the same passwords forever. Once or twice a year, change your passwords to something new.

Use a strong password. Mix up numbers and letters – no common words or strings that could be fed into a ‘dictionary attack.’

Don’t use anything personal likely to be discoverable or used in a security question – your mother’s maiden name, your kids’ names, the pets’ names, your football team.
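Here is a small checker, added for this post and not part of the original, that applies the password rules above to a list of accounts: it flags short passwords, passwords with too few character classes, dictionary words even after the usual ‘@’ for ‘a’ and ‘0’ for ‘o’ substitutions that a dictionary attack undoes anyway, personal details you supply, and the same password reused across accounts. The word list and the sample accounts are constructed for the example; a real cracking list holds millions of words and leaked passwords.

```python
import re
from typing import Dict, Iterable, List

# Constructed stand-in for a cracking wordlist (real ones hold millions of entries).
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "football", "dragon",
    "monkey", "princess", "sunshine", "iloveyou", "admin", "troubador",
}

# Substitutions a cracker's rule set reverses before comparing against the
# wordlist, so "P@ssw0rd" is still a dictionary word.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Reduce a password to the 'word' a dictionary attack would test:
    lower-case it, drop leading digits and trailing digits/punctuation
    (the 'Password1!' pattern), then undo leet substitutions."""
    core = password.lower()
    core = re.sub(r"^\d+", "", core)        # leading digits, e.g. 123password
    core = re.sub(r"[^a-z]+$", "", core)    # trailing digits/symbols, e.g. ...2019!
    return core.translate(LEET_MAP)


def check_password(password: str, personal_words: Iterable[str] = ()) -> List[str]:
    """Return the list of problems found; an empty list means nothing was flagged."""
    problems = []
    if len(password) < 12:
        problems.append("too short (fewer than 12 characters)")

    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")

    core = normalise(password)
    if core in COMMON_WORDS:
        problems.append(f"dictionary word '{core}' after undoing substitutions")

    # Names, teams and pets that appear in your security questions or social
    # media profile are exactly what a targeted guess would try first.
    for word in personal_words:
        if word.lower() in password.lower():
            problems.append(f"contains personal detail '{word}'")
    return problems


def find_reuse(account_passwords: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts that share a password. Keyed by the first account
    in each group; groups of one (no reuse) are omitted."""
    groups: Dict[str, List[str]] = {}
    for account, pw in account_passwords.items():
        groups.setdefault(pw, []).append(account)
    return {accts[0]: accts for accts in groups.values() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; the names and passwords are made up.
    accounts = {
        "email": "Summer2019!",
        "facebook": "Summer2019!",
        "amazon": "Summer2019!",
        "bank": "LiverpoolFan1990",
        "work": "Mk7#qLp2!vXz9Rt",
    }
    personal = ("Liverpool", "Rex")
    for name, pw in accounts.items():
        print(name, check_password(pw, personal) or "no findings")
    for first, shared in find_reuse(accounts).items():
        print("same password on:", ", ".join(shared))
```

Run it as-is to see the sample output, or replace the `accounts` dictionary with your own list. Note that the checker never needs to store anything: it is a one-off audit, and the real fix for reuse is a password manager that generates a different random password per site.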

Mistake #5: Giving Away Personal Information
Remember Hagrid in Harry Potter – always letting slip vital security information. Fluffy the two-headed dog: music lulls him to sleep, you know.

What was in that WWII poster? “Loose lips sink ships.” Don’t sink yours by inadvertently giving out personal information – particularly on social media.

As your social network spreads, many of your social media ‘friends’ are people you’ve never met in person. Why trust them with the kind of personal information you wouldn’t share with a stranger on a train (Californians, this may come as a foreign concept to you)?

Crackers will use it in social engineering to convince other people that they are you. It’s the first step to identity theft.

Personal information extends to what car you drive (never give your registration or license number), who you bank with (even without the account number) and your full date of birth. Fine, give out the day and month if you want a lot of e-cards on your birthday, but keep the year between you and your bank.

And finally, don’t ‘lend’ account passwords or credit cards to friends and relatives to use online. They won’t be as careful as you. AJS

Related: How-to: Avoid Common Security Mistakes On-line Part1

Image credit: Padlocks by George Hodan, via
