Lock It Down: 5 Steps to Improve Your Online Security

14 December 2011

Editor’s Note: Nate Gross is a Product Manager at Doximity.

Analysts say that December is the peak month for cybercrime, thanks in no small part to holiday travel’s meandering path through unsecured Wi-Fi networks, and online shopping, which — if your site password is weak — may put you at risk for identity theft. Here are some tips to guide your data safely through the holiday season.

Free Wi-Fi is the modern day free candy van…

These days, it’s easier than ever to find free or cheap Wi-Fi on the go, whether it’s from a coffee shop, airplane, hotel or other hotspot. Because these networks are public, most of them are open and unsecured, meaning they can present serious risks. For instance, sidejacking is an increasingly common practice in which a nearby hacker on the same open Wi-Fi network can use tools such as Firesheep to “sniff” your network traffic and steal your “cookie.” This is far more ominous than the kitchen analogy sounds. It allows them to hijack your browsing session and essentially be logged in to your account, as you, on their own computers.

How can you protect yourself on open Wi-Fi networks? For starters, don’t go on them — and be careful your device doesn’t sign onto the Wi-Fi automatically. But what if you do need an open network to get online?

Opt for HTTPS whenever possible This is where HTTPS comes in. Unlike HTTP, HTTPS (the S stands for Secure, protected by Secure Socket Layer “SSL” encryption) provides a direct link between you and the server. The Google Privacy team has created a series of videos that explain the concept.

Doximity exclusively uses HTTPS across our entire medical-grade security platform. Other networks and services, such as Facebook and Twitter, provide optional HTTPS, but it is often not enabled by default (HTTPS is resource-intensive for the company), so be sure to activate it in the website’s settings. Firefox users can also install a plugin called HTTPS Everywhere that upgrades the connection automatically for many popular web services.

As for cell phones, remember that your smartphone uses Wi-Fi too, so it shares many of these same risks as computers. At Doximity we force full HTTPS across all our mobile apps and websites, so you’re safe with us, but be aware that many of your other apps run over basic HTTP. Luckily, you likely have a 3G or 4G data connection, which allows you to circumvent Wi-Fi to get to online resources. In addition, there’s the option of VPN.

Protect your connection with a VPN While HTTPS encrypts traffic between your device and just one particular web service, a Virtual Private Network (VPN) uses a trusted server to encrypt traffic between it and your laptop/smartphone. This VPN server then decrypts your traffic and sends the data the rest of the way to its destination. The result? All your traffic is protected (but only between you and the VPN server, so be sure that you trust your VPN service provider). Universities and medical centers often provide a VPN service to their employees. You can also build your own VPN server, or use a service such as AnchorFree’s Hotspot Shield (only for basic surfing — avoid a third-party VPN when transmitting sensitive medical data).

Hackers who try “123456″ and “password” have better odds than Vegas…

Upgrade your password strategy: A year ago this month, Gawker Media, parent company to Gawker, Gizmodo and Lifehacker among others, announced their servers had been hacked and that the usernames and passwords of 1.3 million subscribers were leaked. When this freely-available data was analyzed, it revealed that many users had ridiculously weak passwords (“123456″ was the most common, followed by the not-so-clever “password” — 2011′s password of the year), and worse — many users had a habit of using those same email/password combinations elsewhere, to access their email, social media or bank accounts.

The lesson — use strong passwords, and a unique one for each site. What makes a strong password? For starters, use a mix of uppercase, lowercase, numbers and special characters. The English alphabet is 26 letters — but factor in uppercase, numbers and symbols and you have a number closer to 80 potential character states. Password length raises this amount to the N power, where N is the number of digits in the password. So a mixed-character, 16-digit password would have 80^16 = 2,814,749,767,106,560,000,000,000,000,000 possible combinations, wheras a 6-digit numerical password would have only 10^6 = 1,000,000 possible combinations, easily cracked by a fast computer (and rest assured they’ll guess “123456″ first). Of note, passwords do not have to be complete gibberish. A phrase of memorable, nonsensical words will also meet the strength criteria, while being easy to keep in your head.

For extra security, services such as Google Authenticator now offer two-factor authentication. Each login, you’ll be prompted to enter a special code (such as a single-use PIN retrieved from your mobile). Devices can be remembered so that two-factor is only required for new or unrecognized machines.

Use a password manager: Thankfully, there are easy ways to store your million-and-one passwords. If you’re a single Mac user, you can, for example, activate the built-in Keychain. Other password management tools, such as KeePass and 1Password, let you build a database of passwords (highly encrypted by one long master password), that can be manually transferred to other devices. LastPass goes a step further in that it conveniently syncs your passwords to all your devices via the cloud, decrypted only locally on your device, and can be further protected by two-step authentication. These tools offer analysis of your existing passwords, helping you de-duplicate and upgrade.

Encrypt important files — and think twice before you send them: Your computer itself isn’t encrypted, so in the hands of someone else, your files are all quite readable. And don’t be fooled into thinking that your screensaver password can keep you safe. It can easily be bypassed by a bootable CD, or by mounting your harddrive as an external drive for another computer. For this reason, your Mac has a built-in service called FileVault that, when enabled, encrypts your entire hard drive, with only mild performance hits on newer machines. Power users on other operating systems could encrypt confidential folders or disks using TrueCrypt, an encrypted virtual disk for your computer. No matter what your local strategy, when sending ultra-sensitive documents, always remember that a system is only as strong as its weakest link: the people on the other end may not have read our guide about open Wi-Fi, or may store your files on unprotected computers.

FAQ:

Should I click that sketchy link? No! Don’t click on untrustworthy links. Just because a “friend” shared it with you through email or a social network, doesn’t mean it’s safe. Their account might have been hacked, for example. Increase your scrutiny if the accompanying note is generic or out-of-character. Then, look at the URL: if you don’t recognize it and are being asked for personal information, it’s better to type in the parent company’s URL manually and browse to the feature you need to access.

What if my email or social media account was hacked? There are some great guides written on the subject, but essentially you’ll need to log in (or regain access to log in), and immediately verify that the “reset password” or forwarding email addresses are not directed to a hacker’s account. Then, disable any untrustworthy affiliated accounts (for instance, on Facebook, use the settings page to uninstall those malicious apps you often see spamming on behalf of a friend). Be sure to change your password and security questions, and browse your “sent” and “trash” folder to ensure nothing malicious was sent to your contacts.

While certainly far from completely comprehensive, we hope this guide can get you started. Please feel free to add strategies of your own, too, below.