
Volume 11 | Issue 10

Your Handy Guide to Everyday Technology

Fast Track to Secure Everything

A 9.9 Media Publication
October 2016

Chapters
Why do I need cyber-security?
Millions of accounts hacked! User data leaked! Massive data breach! The need for cyber-security has never been greater. Need we say more?

The basics of cyber-security
Here we list down some common sense best practices that'll go a long way towards keeping you safe online

Android phone security
The DOs and DON'Ts you need to follow to ensure the security of your beloved Android devices

iPhone security
Yes, your mighty iPhone is vulnerable. Learn how to secure your beloved iCompanion.

Secure your Windows PC or laptop
Simply because of its popularity, Windows may be the least secure OS out there. But it's also the easiest to secure.

Methods to secure your Linux system
Don't let the reputation of Linux being more secure than other systems lull you into thinking it can't be breached. These methods would help keep the system truly secure.

Securing Mac OSX
Macs aren't hacker-proof! Here's how you can fortify your Macintosh

Ways to secure your social media accounts
You spend a lot of time on social media sites. So do potential threats. See the ways for better security.

Secure your communication
Be it email, voice, or instant messaging, we'll show you how to keep all your communications away from prying eyes.

Secure your cloud data
Though every service promises security of your data, this security has far more facets than those which meet the eye

Secure your website
Be it a blog started on a whim, or your business e-commerce website, if you haven't secured your website, you're taking a huge risk

Credits
The people behind this book

Editorial
Executive Editor: Robert Sovereign-Smith
Managing Editor: Siddharth Parwatay
Technical Editor: Jayesh Shinde
Senior Reviewer: Mithun Mohandas

Writers
Abhimanyu Mehta, Dhinoj Dings, Meghana Gupta, Purusharth Sharma, Sahil Dawka, Swapnil Rastogi

Copy editing
Arnab Mukerjee, Manish Rajesh

Design
Sr. Art Director: Anil VK
Visualiser: Baiju NV

9.9 Mediaworx Pvt. Ltd.
Published by 9.9 Mediaworx

No part of this book may be reproduced, stored, or transmitted in any form or by any means without the prior written permission of the publisher.

Cover Design: Peterson PJ

October 2016
Free with Digit. If you have paid to buy this Fast Track from any source other than 9.9 Mediaworx Pvt. Ltd., please write to editor@digit.in with details.

Custom publishing
If you want us to create a customised Fast Track for you in order to demystify technology for your community, employees or students, contact editor@digit.in
Introduction

You're not safe until you've read this

If you look at some of the hacks and leaks of recent times, the scale of some of them and the nature of the data in others, the popular saying that privacy is a myth in the 21st century won't seem too unbelievable. Be it leaked celebrity photos or corporate data, in each of these cases the effect has always been disastrous for the ones who were hacked. These hacks and attacks were carried out under the effective guise of anonymity that the internet provides. As an unfortunate consequence, the only way you can protect yourself against such threats is by securing yourself.

Security itself is often overlooked and left to the experts. PC users leave it to their antivirus, website owners leave it to their CMS managers, cloud users trust the cloud provider and so on. Do you know that on average, about 37,000 websites are hacked every day in some form? And more than 100 billion USD is spent every year to combat cybercrime? The interesting bit is it's not always the hacker's fault, it's yours! Of course, what they are doing is illegal and with malicious intent. But do you really think that's going to change? On the other hand, the absence of some basic security measures, or some silly oversights, makes their work even easier. Some estimates suggest it takes only 10 minutes to crack a lowercase password that is six characters long. Add two extra letters and a few uppercase characters and it now takes three years. Add one more character, plus some numbers and symbols, and the result will take 44,530 years to crack.

While relying on experts isn't entirely bad, it's essential that you take matters into your own hands. In the chapters to come, we tell you about securing everything, from your smartphone to your laptop, your website to your WiFi router and more. Once you're done with this Fast Track, it would be easier to break into Alcatraz than to break into your devices. We hope!
Chapter #01

WHY DO I NEED CYBER-SECURITY

Millions of accounts hacked! User data leaked! Massive data breach! The need for cyber-security has never been greater than now

It's probably safe to say that our days begin and end with us peering at some digital screen or another. We wake up to alarms on our phone, check our emails on it, order groceries, services and various other items on it, pay for these utilities online, and capture and store pictures and videos on it, more often of a personal nature than not. We've practically given away huge chunks of our lives on the cloud, and it's very rare for anyone to stop and think of the possibility of our data falling into the wrong hands.

But it's happening here and now, in front of our very own eyes. You'd have to be living under a rock if you don't know about the massive data dumps that have been posted on the internet recently. Large amounts of confidential data, not limited to names and physical addresses, but also sensitive information such as credit card details and account passwords, have been compromised, and have generally stemmed from a security breach of a large corporation's servers. And considering our increasing reliance on computer systems and smart devices, including smartphones, televisions and other electronic devices that are part of the Internet of Things, we've only started providing more ammo to hackers and cyber-terrorists looking to create havoc and disrupt our routine.

Such incidents only further emphasize the need to safeguard our data and proceed with caution when giving away personal details on the internet. For those who still are unable to fathom the gravity of the situation and the threat these cyber-criminals pose to our life, we'll just take a look at some incidents of mass hacking that have had severe consequences for all parties involved.

LinkedIn
If we look at the LinkedIn hack, back in 2012, passwords for nearly 6.5 million user accounts were stolen by Russian cyber-criminals, and many were unable to log into their accounts following the theft. A LinkedIn hack might not seem like such a big deal for those who don't use the website regularly, but the theft in 2012 turned out to be worse than anyone anticipated. In May 2016, an additional 100 million email addresses and hashed passwords were leaked from the same 2012 breach. And soon after the leak, dozens of celebrity Twitter accounts were hacked, including that of Mark Zuckerberg. All signs pointed to the fact that Zuckerberg used the same LinkedIn password for his Twitter account, which is a pretty common mistake. Another problem that was highlighted after analysing the data dump was the lack of password etiquette, despite people being constantly told to keep different passwords for different accounts.

LeakedSource published a table about the most commonly used passwords on LinkedIn and it's the stuff cyber-security nightmares are made of. The most commonly used password is "123456", the second most common password was "linkedin", and then came "password" at the third spot. It must be noted that the hack occurred in the first place because LinkedIn stored the passwords in SHA1 with no salting, which makes them extremely easy to crack.

Figure: The LinkedIn hack's most common passwords
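To make the point about SHA1 with no salting concrete, here is an added example (not from the original guide) that stores the same accounts two ways and audits both. The account names, the `ITERATIONS` value and the choice of PBKDF2 as the replacement scheme are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; the passwords are the three named in the text.
USERS = [("alice", "123456"), ("bob", "linkedin"),
         ("carol", "123456"), ("dave", "password")]
COMMON_PASSWORDS = ["123456", "linkedin", "password"]
ITERATIONS = 100_000  # assumed work factor, chosen for this example only


def unsalted_sha1(password):
    """Bare SHA-1, the storage scheme the text describes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = salted_pbkdf2(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_db(users, scheme):
    """Map each account name to its stored password value."""
    return {name: scheme(pw) for name, pw in users}


def shared_hash_groups(db):
    """Groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for name, stored in db.items():
        groups[stored].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def exposed_by_one_table(db, wordlist):
    """Accounts matched by a single precomputed table of bare SHA-1 values."""
    table = {unsalted_sha1(pw): pw for pw in wordlist}
    return {name: table[stored] for name, stored in db.items() if stored in table}


if __name__ == "__main__":
    weak = build_db(USERS, unsalted_sha1)
    strong = build_db(USERS, salted_pbkdf2)
    print("unsalted, identical hashes:", shared_hash_groups(weak))
    print("unsalted, matched by one table:",
          exposed_by_one_table(weak, COMMON_PASSWORDS))
    print("salted, identical hashes:", shared_hash_groups(strong))
    print("salted, matched by one table:",
          exposed_by_one_table(strong, COMMON_PASSWORDS))
    print("login still works:", verify_pbkdf2("linkedin", strong["bob"]))
```

With bare SHA-1, every account that chose the same password carries the same stored value, so one table lookup covers all of them at once; with a per-user salt each value has to be attacked separately, and the slow derivation makes each guess expensive.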
Apple iCloud
There's also the iCloud break-in of September 2014. Hackers stole a collection of almost 500 private pictures of various celebrities, mostly women, such as Jennifer Lawrence and Kate Upton, from their iCloud accounts. The images were believed to have been obtained via a breach of iCloud, but it later turned out that the hackers could have taken advantage of a security issue in the iCloud API which allowed them to make unlimited attempts at guessing the victims' passwords. In this case, the blame rests with Apple and its security mechanisms. But it also serves as a vital lesson for us to avoid storing compromising and/or personal data on any public server.
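The missing control in an API that allows unlimited password attempts is a limit on failed logins per account. The following added example (not Apple's code and not from the original guide) sketches one such limiter with lockouts that double after each further failure; the class and function names, the threshold of 5 failures and the 30-second base lockout are all assumptions for this illustration.

```python
import time


class LoginThrottle:
    """Per-account failed-attempt limiter with growing lockouts (in memory)."""

    def __init__(self, max_failures=5, base_lockout=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, locked_until)

    def allowed(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return self.clock() >= locked_until

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        failures, locked_until = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            # The lockout doubles for each failure beyond the threshold.
            extra = failures - self.max_failures
            locked_until = self.clock() + self.base_lockout * (2 ** extra)
        self._state[account] = (failures, locked_until)


def attempt_login(throttle, check_password, account, password):
    """Return 'locked', 'ok' or 'denied'; a locked account is never checked."""
    if not throttle.allowed(account):
        return "locked"
    ok = check_password(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"


class FakeClock:
    """Controllable clock so the simulation below runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def guesses_reaching_check(throttle_enabled, guesses=100):
    """Count how many of `guesses` wrong passwords, sent one per second,
    actually reach the password check."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock) if throttle_enabled else None
    checked = 0

    def check_password(account, password):
        nonlocal checked
        checked += 1
        return password == "constructed-secret"  # constructed sample secret

    for i in range(guesses):
        if throttle is None:
            check_password("victim", "guess%d" % i)
        else:
            attempt_login(throttle, check_password, "victim", "guess%d" % i)
        clock.advance(1.0)
    return checked


if __name__ == "__main__":
    print("without limit:", guesses_reaching_check(False))
    print("with limit:", guesses_reaching_check(True))
```

A production service would keep this state in shared storage and usually combine it with per-source limits and alerts, since a per-account lockout alone can also lock out the legitimate owner.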

Sony
And who could possibly forget the infamous hacks on Sony servers, once in 2011 and another in 2014. While the 2011 attack led to seven million PlayStation Network and Sony Online Entertainment account details being stolen, including but not limited to credit and debit card information, the 2014 hack reared the ugly head of economic loss. Data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. Millions of dollars were lost because of the leaked movies, and the studio was left worse for wear due to the loss in reputation. It might be worth noting that the 2014 attack was instigated by the release of Sony's "The Interview", which the hackers were against because of the fictional depiction of the North Korean president's assassination. Seeing as how most fingers seemed to point towards North Korean government hackers, this incident could be classified as an act of cyber-terrorism between countries.

Figure: The movie that ignited the 2014 Sony hack

Ashley Madison
While most of the data leaked from these dumps is recoverable and might not cause damage to one's personal life, the fallout from the Ashley Madison dump in July 2015 was another story. Ashley Madison is a website that caters to people who are already in relationships but still want to date. Hackers allegedly gained access to millions of the website's customer information database and posted 10 GB of personal data of users, including their names and email addresses. Since the website didn't ask for email verification for the profile to be created, many fake profiles were created. And since the company required the owner of the email account to pay money to delete the profile, many people with fake profiles or misunderstood names did not bother getting their accounts shut. All in all, many people ended up having their personal details exposed, when they had not intended for the same to happen.

LastPass
In another hack with slightly less devastating consequences, LastPass email addresses and encrypted master passwords were compromised in a breach in June 2015. Many password managers, such as LastPass, were created to address the issue that passwords are a notoriously poor form of security. They function by requiring you to remember one strong master password that would be used to access the manager's encrypted vault. It would be this vault that would allow you to generate unique and tougher passwords for your other accounts and store them here for future use. Since people tend to use weak, easy-to-remember passwords, re-use passwords across a multitude of accounts, and forget to change their passwords often enough, this solution worked brilliantly for all parties involved. Unfortunately, this massive breach only proved that even the strongest of ideas to manage password security can fail.

But all these thefts were on a much larger scale, and more because of negligence on the part of the bigger corporation involved. Billions of internet users are at the risk of having personal data stolen right from their laptops because of hackers employing malicious software containing viruses, bots and malware. And the sheer number of people falling prey to these will astound you.

Ransomware
The most current and popular form of virus is a Trojan Horse ransomware. Targeted towards Windows users and propagated through emails, this virus will encrypt certain files on the hard drive and any mounted storage connected to it with RSA public key cryptography. The original ransomware on the market was CryptoLocker, and the hackers would demand a ransom (hence the name) in exchange for the decryption key. In June 2014, Operation Tovar took down Evgeniy Bogachev, the leader of the gang of hackers behind CryptoLocker, but many knockoffs are still running around in the market, though the affected user base is a much smaller one. CryptoLocker managed to affect around 500,000 users in its 100 days, and the hackers made off with upwards of $30 million with this heist.

Figure: The screen on a device affected by CryptoLocker

Keyloggers and Viruses


Then there are the multitude of viruses and malware that steal passwords and user account details by logging keyboard strokes whenever the user visits any website. There's the Gameover ZeuS trojan, which steals one's login details on popular Web sites that involve monetary transactions. It works by detecting a login page, then proceeds to inject malicious code into the page, keystroke logging the computer user's details. Zeus was created to steal private data from the infected systems, and it's still customisable to gather banking details in specific countries and by using various methods.

But the worst of viruses, which is the first example of the potential of cyber-terrorism, is the Stuxnet computer worm, believed to have been created to sabotage Iran's nuclear program. The virus is typically introduced to the target environment via an infected USB flash drive, which then introduces the infected root-kit into the system, modifying the codes and giving unexpected commands to the computer while returning a loop of normal operations system values feedback to the users. The aim of the worm was to fake industrial process control sensor signals so that the infected system does not shut down due to detected abnormal behaviour.

While most attacks have been limited to computing systems like servers, desktops and laptops, hackers now focus on the IoT ecosystem and all its connected components. Large networks of IoT devices, like CCTV surveillance cameras, smart TVs and home automation systems, are prone to hacking, and the modern age thief will make use of these to carry out coordinated attacks against individuals and corporations. So unless we beef up our arsenal against these goons, they'll move on to stealing biometric data and personal information that can be used to impersonate fully functioning individuals.
Chapter #02

THE BASICS OF CYBER-SECURITY

Here we list down some common sense best practices that'll go a long way towards keeping you safe online

You might feel that protecting yourself against cyber attacks is a job only for specialists, but that isn't really the case. Also, securing yourself isn't about throwing money at the problem either. Sure, you can choose to shell out a few bucks initially for the sake of convenience, but you don't really need to.

Of anti-virus software and firewalls


The most basic step anyone could take is to install anti-virus software. For a long period of time, the understanding was that only careless Windows users, who had no inkling about separating the fishy links from the legitimate ones, and who roamed the weird and unsafe corners of the internet, needed to have an anti-virus program. But in today's age of zero-day vulnerabilities and large-scale hacking, this notion is a dangerous one to spread.

A zero-day vulnerability refers to a hole in software that is unknown to the vendor and has the potential to be exploited by hackers in the form of infiltrating malware, spyware or illicit access to the software users' personal details and information. Such security loopholes are exploited by hackers before the vendor is made aware of them, and have led to many zero-day attacks in the past. For example, in March 2013, Oracle discovered two zero-day vulnerabilities, of which one was actively used by hackers in targeted attacks. The vulnerability could be exploited remotely, without any form of authentication to kick-start it in affected machines. Since the risk applied to both Windows and Mac devices, the number of possibly affected devices could run into millions. There's also the massive Elderwood project, a platform that has used, as researched and reported by Symantec, an unlimited number of zero-day exploits, attacks on supply chain manufacturers who service the target organization, and a shift to watering hole attacks on websites likely visited by the target organization. Their biggest target was Google, back in 2012. Though no data was stolen or compromised, these findings brought to light the increasingly sophisticated techniques used by hackers to bring even the biggest corporations to their knees. So there's no doubt that if a player as big as Google can be a target, then even the most careful of users are vulnerable to these loopholes, and the first and foremost step that anyone who owns a PC, laptop or smartphone should take is to install anti-virus on their device.

Figure: An example of an anti-virus software
While choosing your anti-virus, it's best to go for the big names. Windows has a built-in Windows Defender, though most security experts recommend installing additional AV software. In its defence, since Windows Defender is free and built in to Windows 10, it doesn't harass you with pop-ups and requests for money, and is lighter than some competing antivirus solutions, making it the preferred basic line of defence for a lot of people. Yet, if you're constantly installing new software and engaging in high-risk behaviour, paid anti-viruses like Norton, McAfee and Kaspersky are known for their detection rates, and are considered safe bets. The same would go for Macs, and Linux is known to not require an anti-virus, though that largely depends on how technically informed the Linux user is, which a majority are. Free anti-virus solutions like Avast, Avira and AVG are just as good as the paid ones, except you don't get priority support. The core detection engines offered by free ones are the same as their paid versions in most cases.

Though installing anti-virus software is the recommended way to go, enabling a Firewall on your device also goes a long way, though it can't provide the same level of protection an anti-virus would. A software Firewall, just like a device-based hardware Firewall, would filter information coming through the Internet into your system. If an incoming packet of information is marked by the filters, it is not allowed through. In large corporate institutions or any business that has a small to large private network it wishes to protect from outside attacks, the main function of a Firewall is that it stops anyone on the outside from logging onto a computer in the internal network. Since most home networks would not be subject to such an invasion, a Firewall might not perform the exact way you'd expect it to. Nevertheless, when it comes to cyber-security, more is merrier, and you can never go wrong with a Firewall. ZoneAlarm and Comodo are two well known free solutions you might want to try out.

Before you plug in that USB stick


There are several more precautions one can take to prevent malware from external sources. Making sure the software you install is from a verified source goes a long way. A lot of malware is installed as a result of people not taking care about the kind of software they give permission to run on their systems. Whenever downloading any such thing, go to the verified site first, and avoid using any external links that redirect you to the "official" site. Even if you don't use the internet much, viruses and malware now have a way of spreading through pen drives and external HDDs. This doesn't need much effort from the hacker's side: they'll simply disguise the virus as an executable having a recognisable name. Even if the virus might not be a piece of software, the common trend in many infected disks is to create a shortcut that contains all your files that were previously visible in your external disk. When you try to open any of the folders, the virus automatically gets executed and infects your PC. The best and only way to get rid of such viruses is to get your anti-virus to scan the infected drive and have it weed out the virus. The best way to go would be to scan any external drive that's inserted into your device, no matter how trusted the source is.

Where's that free Wi-Fi?

One particularly prevalent and unavoidable issue is the use of public Wi-Fi hotspots. The very convenience that makes public Wi-Fi so attractive is probably also its downside. The fact that public networks require no authentication to establish a connection is what allows hackers to get unrestricted and unlimited access to unsecured devices on the same network. Since there is no password or passphrase to encrypt the information being sent to and fro between the router and the device, any hacker can use software to intercept those signals, at which point they can see everything on a fellow free Wi-Fi user's screen. Such sniffer software intercepts the traffic between the router and device to filter out important information. These unsecured networks can also be used to plant malware in another network user's device if file-sharing has been enabled. Another popular method used by hackers is to set up rogue Wi-Fi hotspots with generic names, hence fooling unassuming users into connecting to these networks, following which their information can easily be collected.

Figure: Understanding how a VPN works

Considering that necessity generally overrides such concerns many times, one can take certain basic and inexpensive steps to avoid any mishandling of personal information. If you find yourself needing to connect to public Wi-Fi networks frequently, it'll be worthwhile to invest in a Virtual Private Network (VPN). A VPN is a private network that enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. A bonus is that VPNs will allow you to access blocked and filtered content, hence providing a better internet experience. Most trustworthy VPN services require a monthly subscription of a few hundred rupees, and are certainly worth the expenditure if you're regularly using public networks. Some great VPNs in India are Private Internet Access, Torguard, CyberGhost VPN and TunnelBear, which cost between Rs. 400-800/month. If your usage of public networks is infrequent and you do not need to visit websites with confidential personal information, credit card data and important emails, enabling the "Always Use HTTPS" option, or simply installing browser add-ons like HTTPS Everywhere, is useful and does the trick. Another useful tip is to turn off device sharing on such networks, so that malicious devices cannot access yours, and to enable the Firewall, as discussed before.

What happens if I click on this pop-up


Once you're on the internet, a lot of what happens to your computing device is in your hands. How you deal with spurious links, banners and pop-ups will determine the health of your device.

It goes without saying that many of the banners, ads, pop-ups and emails that you view and receive on the internet are scams. Many of these pop-ups, which look like legitimate posts coming from your email provider, favourite social media websites or e-commerce sites, are generally spurious and fake versions. Many a time these pop-ups pretend to find viruses and malware on your device and report them. Entering your personal details while executing any kind of operations on these imposter websites is only going to lead to hackers picking up your details, and you'll have only yourself to blame. This process of tricking you into sharing your information is known as phishing. And software that engages in this kind of behaviour is known as scare-ware. If such software goes a step further and demands money for making your system function properly again, it is known as ransomware.

In a very common practice, many users receive mails from seemingly trusted sources, stating that the said user has provided incorrect information for important documents, and that they will have to resend their information to revive a suspended account, or some similar scare tactic. People will end up going to the imposter version the hacker wanted to redirect them to, and end up providing bank account and email account details willingly. In case you're looking to visit any such website, always visit the encrypted and original website by using a popular search engine to obtain the website details. Big providers like Google, Yahoo! and Bing always give correct and accurate results, and can be trusted to provide the original links for certified websites.

Figure: Beware of such pop-ups

In other methods, flashy banner ads on websites are created as sources of malware. Clicking on them automatically gives them permission to install the said malware onto your device. In most cases, the malware simply logs keystrokes and sends them to the hacker, allowing them to monitor your data and thus making it extremely easy to get access to your private information. While your anti-virus should help prevent the download and execution of such malicious software, it's better to be safe than sorry and just not click on these banners.

Is your password 123456?


When it comes to how you store your confidential data, you need to take a hard, long look at your passwords for your various accounts. The dilemma for most people is choosing between a weak password that is easy to remember and is easy for hackers to crack, or a strong password that is hard to remember but much tougher for hackers to guess, even with their fancy-schmancy algorithms. We'll assume you go with the latter, since no security conscious individual would ever choose the former. First and foremost, never lift passwords from a dictionary, even if they are multiple words one after another. Such passwords are easy for hackers to figure out using a dictionary as a source dump for a brute force attack. To further secure your password, use special characters and a mixture of lowercase and uppercase letters, as well as numbers. In addition, longer passwords are better than shorter ones, since they become harder to crack with each character added. A rule of thumb is to keep a minimum length of 10 characters. Having said that, a brute-force attack to guess the password will always succeed if enough time and processing power is available to the attacker. So, it is always recommended to change the passwords often. Try to change them every 4-6 months.

Then there are the general guidelines. Avoid using standard and repetitive sequences, and absolutely NO personal information should be included. If the hacker happened to have your personal information, don't make it easier for them to crack your password. And if you do happen to create a tough-to-remember and uncrackable password, make sure NOT to reuse it for any other account. As tempting as it sounds, it can have severe consequences for you in case the hacker knows the details of one account. This does bring us to the point of remembering your passwords for ALL your accounts, whose number runs into tens for those active on the interwebs. It's considered smart to not write your details on paper, and instead use an encrypted password manager. As described in the previous chapter, a password manager requires you to remember only one master password, and the rest are generated and stored by the encrypted password vault itself. LastPass Premium and Dashlane are considered good alternatives for those willing to shell out some money, while LastPass and LogMeOnce are available for those on a budget. Still, it's recommended that you invest in a paid password manager.
None of these will work if you're giving out your password left, right and center. Avoid sharing your password, and even if you have to, please, for the love of glob, don't email it to the other person. It's unnecessary and you will have only yourself to blame for such an egregious error. In other etiquette, avoid leaving your accounts logged in on public terminals, and make sure no one's watching when you're typing your details. These common and basic steps will go a long way in securing your cyber life.

Figure: LastPass Password Manager on a Mac

In case your password is hacked or leaked in a data theft, one way of being notified of any incorrect access is if you've enabled multi-factor authentication, which adds extra layers of security that require not only a password and username but also an external key that only the user has on them, with the key generally being some sort of physical token. In most cases, it's a one-time password sent to your mobile phone, and in rare cases, another email ID (the latter is an unsafe choice in the eventuality that the second account has been compromised). While this method has its own drawbacks, it's a good idea to have two-factor authentication enabled across your accounts.

We mentioned zero-day vulnerabilities earlier, and talked about how anti-virus software is a great way to patch those up, but be sure to keep your AV software up to date. Seeing as how many hackers might misuse the patch release notes to explore those vulnerabilities on unpatched machines, it's important to install such software updates as soon as possible after they're available. Browser plug-ins also form a huge part of the issue, and to be completely sure that you don't have outdated browser plug-ins, visit your browser's plug-in check website.

A lot of these methods are basic common sense and no more. If you feel like you need a little more information for platform-specific devices, do read the following chapters to get a better idea.
Chapter #03

ANDROID PHONE SECURITY

The dos and do-nots to ensure the online and offline security of your beloved Android devices

We now live in a world where not owning a smartphone is considered rural and ancient. Smartphones have taken the world by storm. And the harbinger of this revolution is the popular and almost undisputed Operating System, Android. It's open source and that is one of its biggest strengths. But we live in the times of Mr. Robot and the NSA. To cut things short, it wouldn't be wrong to say that anything and everything is accessible if the right tools are used. So in such a world, one must know how to protect themselves from the likes of hackers and those with malicious intent. One should not underestimate the impact and magnitude of such attacks. For instance, there was this case when a group of German hackers hacked a country's voting machines to tamper with the election results. This is where the world of hacking gets ugly and must be acknowledged as a real and constant threat.

But we've got you covered. We shall tell you about simple ways in which you can protect yourself from such attacks, and the measures to be taken are surprisingly simple. Let us begin.

Types of attacks
Basically, you could be subjected to intrusive danger in two ways. You could
be physically hacked, in which a menacing agent snoops into your privacy by
breaking into your phone, e.g. by knowing your password. Or take, for example,
a webpage that opens up, attached to some unknown application on your phone,
and downloads tonnes of malware that you never even asked for.

Protect your Android phone from all kinds of attacks

Tips and tricks


Passwords
We all have passwords on our phones. A password can protect your privacy
and keep all your important data private. Your phone stores passwords for
various social accounts like Facebook, Twitter, etc., and even more important
stuff like passwords for your online wallets and internet banking portals.
But the basic password system in almost all devices can be bypassed, and all
your personal information accessed. So here are some precautions you can
take to make sure your phone and all your social accounts are hack-safe.

1. Not Saving passwords


It is as simple as it sounds. The next time a web page prompts you to store
passwords, decline, because your passwords can be stolen via simple
phishing pages or even by accessing the cookies that the web page stores.
Also, if you save passwords and someone were to hack your phone or gain
access to it, what's to stop them from using all your social security codes
and payment passwords to make transactions? A lot of people have fallen
prey to such malicious attacks and have been robbed online. It might seem
a little paranoid to some; to those people I say, better safe than sorry.

2. Use Strong Passwords


Most of the websites that require you to save passwords will require you to
have long alphanumeric passwords (at least 8-12 characters long). And it is
a necessary practice. If you have simple passwords, they can be bypassed
by social hackers or by using something as simple as permutations and
combinations. A lot of people invest a lot of time in trying to figure out
what people's passwords will be. So it is much safer and better to have a
password that is not predictable, unlike your birth date, wedding anniversary
or maiden name. We can't stress enough how important it is to have a strong
password.

3. Android built-in security


Android OS knows how important your security is to you, so it comes with
a strong built-in security system. You might have noticed that in the
password section of your settings, there are various types of passwords
that you can use, ranked according to how secure they are. The most commonly
used password type is probably the linked-dots password, which can be very
easily broken into. There is an option for keeping an alphanumeric password
instead too. But we recommend you use this security provision to the fullest.
There are also options like facial recognition and even fingerprint scan in
some devices. Use them; you cannot be secure enough. After all, this is your
phone we are talking about. You wouldn't want your personal information
accessed, right? Hackers are very creative when it comes to such thievery.

Your phone is like a security locker for all your information that you
wouldn't want robbers getting into
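The gap between the lock types in tips 2 and 3 can be put in numbers. The Python sketch below is an added example, not part of the original guide: it counts every valid 3x3 linked-dots pattern and ranks it against a four-digit PIN, a date used as a password, and random 8- and 12-character alphanumeric passwords. The function names, the 62-character alphabet and the 1917-2016 date range are assumptions chosen for illustration.

```python
import math
from datetime import date

# Android's pattern lock uses a 3x3 grid of dots, numbered here as:
#   0 1 2
#   3 4 5
#   6 7 8
# A pattern joins 4 to 9 distinct dots. A stroke may not jump over an unused
# dot: going 0 -> 2 is only allowed once dot 1 is already part of the pattern.


def _dot_between(a, b):
    """Return the dot lying exactly midway between a and b, or None."""
    row_a, col_a = divmod(a, 3)
    row_b, col_b = divmod(b, 3)
    if (row_a + row_b) % 2 == 0 and (col_a + col_b) % 2 == 0:
        return ((row_a + row_b) // 2) * 3 + (col_a + col_b) // 2
    return None


def count_patterns(min_len=4, max_len=9):
    """Count all valid patterns of min_len..max_len dots by depth-first search."""
    def extend(last, used, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # each dot can be used only once
            mid = _dot_between(last, nxt)
            if mid is not None and not used & (1 << mid):
                continue  # stroke would jump over a dot not yet visited
            total += extend(nxt, used | (1 << nxt), length + 1)
        return total

    return sum(extend(start, 1 << start, 1) for start in range(9))


def fixed_length_keyspace(alphabet_size, length):
    """Number of different strings of exactly `length` symbols."""
    return alphabet_size ** length


def date_candidates(first_year, last_year):
    """Number of calendar dates an attacker must try for a date-based secret."""
    return (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1


def lock_report():
    """Return (name, candidates, bits) rows, weakest first.

    These are upper bounds: they assume every candidate is equally likely.
    Secrets people pick themselves (simple shapes, common words) are easier
    to guess than the raw count suggests.
    """
    choices = {
        "4-digit PIN": fixed_length_keyspace(10, 4),
        "birth date or anniversary (1917-2016)": date_candidates(1917, 2016),
        "linked-dots pattern (4-9 dots)": count_patterns(),
        "random 8-char alphanumeric (a-z, A-Z, 0-9)": fixed_length_keyspace(62, 8),
        "random 12-char alphanumeric (a-z, A-Z, 0-9)": fixed_length_keyspace(62, 12),
    }
    rows = [(name, n, round(math.log2(n), 1)) for name, n in choices.items()]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for name, candidates, bits in lock_report():
        print(f"{name:45s} {candidates:>26,d}  ~{bits} bits")
```

The whole pattern space is smaller than the space of random four-character alphanumeric strings, which is why the alphanumeric option ranks higher in the settings menu.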

Applications
Google Play Store blew the world away. Suddenly, games like Angry Birds and
apps like Facebook and Instagram were at your disposal. Google has always
been a harbinger of the free-for-all open source movement. It encourages
developers to experiment and test their products out at a global level with
much ease. However, this coin too has a flipside. Google Play Store is the
biggest online marketplace offering all kinds of services. However, it is not
the only online marketplace for Android. Although the usual Android phone
is factory set to NOT allow downloads from unknown sources, downloading from
them is common practice, as this setting can be easily changed. That being
said, even Google Play Store may not be safe enough, as it might sometimes
have malicious apps cleverly designed to blend in as normal apps to an
unsuspecting user. These apps can harm your well-being and online security in
innumerable ways. So here are certain necessary precautionary measures you
must take:

1. Backup
Taking a secure backup is a smart practice because this way, even if your
important files and folders are affected by some kind of malicious virus or
worm or Trojan, you can always keep your data safe on the cloud. And there
are several good services to do this. However, don't choose services that ask
you to upload all your data without your constant permission or password
protection. This way, even if your phone were to get infected, you can reset
it without the risk of losing your data. However, be careful as to what
medium you use to take this backup. It should be a trusted source because
you can't trust anything and everything on the internet. Some good secure
services are IDrive, SugarSync, CrashPlan etc.

2. Security options
Use the security options if the app provides any. Even if someone broke
into your phone and now has access to all the applications, you can have
security passwords for your applications. Most apps come with an in-built
provision for this. Even if they don't, there are certain apps like APPLOCK
which let you secure access to your applications using a security password.
It is recommended to have multiple security layers so that even if your phone
gets lost or broken into, you don't have to worry about anyone accessing your
private stuff. This applies especially to apps that hold your bank account
details, such as an e-commerce application.

3. Google Play store


Don't just download from any source. We can't stress this enough. Most
of the online app vendors don't have thorough safety checks and are loaded
with advertisements and misdirection. Don't download applications from
unknown sources and don't download applications which don't have a lot of
downloads. Even some apps on Google Play Store are loaded with unwanted
advertisements which might redirect you to unwanted pages or phishing
sites. Don't give any important information in such applications. They might
seem normal and suddenly alert you to an attack on your device. That is
your cue. It is always wise to see the number of developers and comments
of any app that you want to download. Certain apps you download might
make your phone download other apps without your consent. You don't want
that.

There are a lot of people looking to break into your phone using otherwise
harmless-looking applications

Network
The internet is filled with opportunistic people who want to scam their way
into your phone and get your personal information. It is simply not possible
to stay off the internet either. It's a coin with a flipside. However, if you
take some easy, subtle safety measures, you can secure the network you are on
and thus, your Android device.

1. Be on a secure network at all times


If you have a Wi-Fi service, make sure it is password protected. People
can access your device if you are on an unprotected network. Also, avoid
using unknown public Wi-Fi. Free Wi-Fi, as tempting as it might seem,
comes with a lot of danger. A hacker can use simple applications and
snippets of code to break into everyone on the same network as you if it's
not a protected network. There is a way to make sure this doesn't happen.
Use applications like HideNinja VPN to make sure your outgoing network
is always encrypted with a digital signature, hence killing the chances of
a compromise in security.

2. Don't use just one account


If you share a device with someone, e.g. a tablet or a phone, you have the
option to create multiple accounts to make sure that your stuff stays exclusive
to you. This can easily be done by going to SETTINGS and the USER section
in your Android device. This way you can easily share the device with
other people and have separate passwords and preferences for the separate
accounts. You can find apps on the Play Store to help you manage different
accounts on your Android device too, for example, SWITCHME or PARALLEL
SPACE. There are even apps to create multiple social accounts on the
same device for apps like WhatsApp and Facebook. If you are sharing your
device with someone, you can make sure that your data stays truly private.

3. Security apps
There might be many malicious apps out there, but genuine apps that can
save you from such applications exist too. The best example is probably AVG.
It is a free bundle; there is a paid version too with some better features. It
comes with basic security options like not letting you download stuff from
unknown sources, tracking your phone in case it goes missing, etc. It also
keeps doing thorough checks to see if any malware exists on the phone. There
are several applications like this you can use. But be sure to use only a
trusted application for this purpose. You don't want to get infected by an
application that is meant to protect you in the first place. So here are some
trusted applications that you can use:
1. AVG
2. AVIRA Antivirus
3. Norton Antivirus
4. AVAST Mobile Security
5. CM Security

Just be sure to download security apps from secure sources

When you lose your Android device


Everything is good until you lose your phone or it gets stolen. Our lives
depend on our phones: our contacts, passwords, applications. And if your
phone gets stolen, the whole world comes crashing down. What's worse
is the situation of your stolen device landing in unwanted hands. This is
a big issue for all Android and phone users in general. However, there are
certain applications now that can help you retrieve your stolen phone using
GPS SAT-NAV or even wipe off all your data remotely. Here are some
measures you can take in case you lose your Android device:

1. Wipe your data


In case your phone gets stolen and you are certain you are not getting it back,
you must erase your data immediately using a remote data wipe mechanism.
You can follow the following procedure as it is mentioned on the Google
official forum:
Select Remote Wipe when a device is lost or stolen to
erase all data on the device and to do a factory reset.
You can remote wipe an Android device with the Google Apps
Device Policy app installed and any supported mobile device
with Google Sync configured. All data is erased from the
device (and SD card, if applicable), including email,
calendar, contacts, photos, music, and a user's personal files.
Note that Remote Wipe erases the device's internal
storage. Your user's device must already have Device
Policy (or Google Sync) configured. You cannot
install Device Policy and run Remote Wipe retroactively.
For Android 2.3+ devices, Remote Wipe also erases the
device's primary SD card.

Plus you don't have to feel bad about having to erase all this priceless
data, because you followed our advice and had taken an online backup of your
data. A little bit of planning goes a long way.

2. Remote Track your Lost phone


If you lose your phone and want to track it using some other Android device,
you can either use applications like AVG security system or you can download
additional apps like FIND MY PHONE for Android to GPS track its
location using satellite navigation.
You can even do this without any extra application.
You just need to have a Google account. Your Android device must just be
connected to the internet. Your Android device is equipped with a location
tool called ADM (Android Device Manager).
If all the above conditions are met, then all you need to do is Google "Where
is my phone" and your phone's location shall be displayed on Google Maps.
It works most of the time; just be sure that ADM is activated on your device.

Be sure to diagnose any problem with your phone and take measures in case it is acting up

Conclusion
Last but not the least, make sure your phone is always safe with you and
stay away from pickpockets. Phones are inevitable parts of our livelihood
and now you are equipped with the knowledge to fend off hackers and
malicious attacks. Just remember to be cautious and follow all our steps
and you shall be fine. Android does a good job of offering security options
even though it is so widely used and subjected to constant attacks.
Chapter #04

iPhone SECURITY
How to secure your beloved iCompanion

The iPhone is the world's best-selling item. Let that sink in. The
Presidents of many countries use iPhones. They took the world
by storm. Pretty much the veni, vidi, vici story. It was Steve Jobs'
brainchild not even a decade ago and the rest is history. However,
it is not impervious to attacks of all kinds. As a matter of fact, it is more
of a challenge to vicious hackers to break into this Fort Knox, and it has
happened many times. Apple lays a lot of stress on security and much of it
is mainly because of Jobs' desire for exclusivity. Complete exclusivity was a
necessary price to pay for a virus-free environment. However, if you own
an iPhone, there are nonetheless a bunch of things you should do to ensure
your complete and wholesome security. Your iPhone is a gateway to your
world of personal information and details that should remain private at
all costs. And although you have a fingerprint lock on your iPhone, that
doesn't mean that hackers won't try just about anything to break into it. We
are just saying that the fact that it can be done is reason enough for some
people to try and do it. So follow these instructions religiously and the
safety of your beloved iPhone is guaranteed.

Apple security policy


Apple System security is designed so that both software and hardware are
secure across all core components of every iOS device. This includes the
boot-up process, software updates, and Secure Enclave. This architecture
is central to security in iOS, and never gets in the way of device usability.
Needless to say, Apple lays huge stress on securing the world's best phone.
They were the first to popularize the use of the fingerprint scanner on their
home button. And the feature works pretty seamlessly and has become a
commonplace practice, giving the iPhone another layer of protection after
the security password.
Apple also has a separate store, for Apple product owners only, called
the iStore, which you can access with your Apple ID. And for most of the
better applications you find on Google Play Store, you are likely to find an
even more refined version here on iStore. Also, Apple has a very strict
application monitoring policy and not just anyone with a malware app can
upload it for the whole world to download on iStore (unlike on Google Play
Store). And although this policy is debatable and is almost always argued
upon, it works to some extent. However, as safe as this may sound, it is no
surprise that the iPhone's security has been compromised from time to time and
you should take precautionary measures nonetheless.
We shall tell you about General settings that you should change to
ensure that you secure your iPhone.
Then we shall tell you about some applications that might come in handy
to make sure your iPhone stays hack-free.

Apple likes to believe that they have built a Fort Knox when they sell their iPhones

General settings
1. Keep your iPhone firmware updated
Apple comes up with frequent updates for the iOS. Be sure to follow
them carefully as with every new update, they tackle security issues
present in the last one and deem that version almost redundant. Go to
Settings>General>About. There you shall be shown the current version of the
iOS firmware. Be sure that this is the latest firmware because if it is not, your
version of the firmware is vulnerable to intrusive security breaching attacks.

2. Keyboard Cache
This one is a little tricky. Your keystrokes are stored as a database in the
iPhone directories as cached memory for up to a year. This database basically
includes all your typed words and the automated response of the phone via
the phone's keypad for them. A clever hacker can break into this database
with ease and data mine it to find out important details like your
information or even your passwords. You should keep this cache cleared.
This is not at all a paranoid practice. There have been reported instances
of this feature being exploited.
Navigate to General in Settings>Reset>Keyboard Dictionary. This should
reset your keyboard cache for you.

3. Disable features which can be accessed without passcode


Your iPhone has several features on the home screen that can be accessed even
when the phone is locked. And you have a say in them being accessible. For
example, turn the Voice Dial feature off by going to Settings and disabling it.
Also, your messages can be previewed on your locked home screen as
a prompt pop-up. This is probably the simplest, most overlooked factor
in iPhone security. You must keep this feature disabled if you don't want
people reading your private conversations.

4. Secure passcode and auto timeout


You must have a secure password for your device. Not just the four-digit
numeric password. That can easily be guessed by people or even judged from
the smudges on your phone (Mr. Robot much?). Try going for the fingerprint
as well as the alphanumeric password option to keep a long secure password.
Also, you can decide after how much time your phone locks itself. Be sure
to enable this feature so that even if you forget to put it in standby mode
manually, your phone does it on its own. It can be easily decided and enabled
in the Settings menu of your phone under the Auto-Lock option.

Be sure to use the fingerprint scanner feature of the iPhone

5. Erase Data setting


Now this may seem a little harsh, but if you have a secure online backup of
your phone, and your phone security is very important to you, you can
set the number of times that a wrong password is entered after which the
data on your phone is erased.
Also, you might be aware of the iPhone's return policy. They exchange
your phone within a time period of one year for all kinds of physical or
software damage except water damage and give you a brand new iPhone in
exchange for your old one. Be sure to erase all your data before doing
this. Also, if you are getting your iPhone repaired, you should make sure
that it has no important data in it that might compromise your security
and private information.

6. JailBreak
You must be aware of the fact that you can have a hacked version of iOS on
your iPhone. This process is called Jailbreaking the iPhone, and doing it
compromises your iPhone's security and warranty. Avoid Jailbreaking at
all costs, unless you own an old model and want to use it for experimental
purposes. Jailbreaking your new iPhone is not recommended at all. The
reason is quite simple. After doing this, Apple no longer takes guarantee
of the firmware of your phone and anyone could easily bypass the broken
firmware. If you bought an iPhone, you must stick to exclusivity. (Or you
know, buy an Android).

7. Safari Browser
iPhone has the Safari browser and it is pretty good. You can change its
settings so that it gives special attention to your privacy and security. Go
to Settings>Safari options>disable cookies on untrusted sites. You can also
disable password remembering which is a recommended practice. Also,
there are a bunch of other options you can toggle.
The Autofill Setting should be disabled
Enable fraud warning
Block pop-ups
If you set all the above settings, you can be certain that your Safari
browser is a safe workplace.

8. iPhone Network Settings


The iPhone, like any standard phone, has a Bluetooth and Wi-Fi system. You
should try to keep these services disabled when they are not in use. This
keeps intrusive attacks from taking place in case you land up in an unsafe
network. You should password protect the internet network that you are
on to make sure it stays exclusive, and refrain from using Wi-Fi that is free
for anyone to use and not password protected.
You can also make sure that your SSL setting is enabled while using
email and Gmail. Go to Settings>Mail and calendars>Advanced>Toggle the
SSL option ON. SSL stands for Secure Sockets Layer and this will make sure
that your emails are transmitted securely.

You must never be on an untrusted network and use a VPN hider if you have no alternative

9. Find My iPhone
Apple has a special service called Find My iPhone which is free of cost and
helps you retrieve your stolen iPhone. You just need to add a MobileMe
account and then log in to the account using your Apple ID. Once connected,
the Find app will be turned on and the location of your iPhone can
be remotely detected. In addition to this, you can also get it to do a bunch
of stuff like display messages, or make beeping sounds. The service works
ONLY if the device is password protected. You can even use this service to
Remote Wipe all your data in case you are certain that your iPhone is beyond
retrieval. And then you can restore all the lost data from the cloud backup.

10. Restrictions
You can set certain restrictions on all your apps by enabling certain options
in Settings. They are basically parental codes and would require a security
passcode to be entered every time the user tries to access the applications.
This is a very important and useful feature, as by using it, you can
ensure that your social apps stay exclusive to your use only, even if the
first security level of the home lock screen is bypassed. You must use this
feature to your advantage for your social networking apps, mail apps and
online wallets. Basically anything that has your private and important
information stored as cookies.

Always select an autolock timeout for your iPhone

Applications
In addition to these general settings which are common for all iPhones, you
can download applications from the generous variety offered by the iStore.
These apps can help you keep your phone safe and sound.

1. Lookout
Lookout is basically a better version of Find my iPhone. It saves the last
location of the iPhone before its battery dies out and comes with some other
clever features. The app also has an instant contact and data backup option
and can be accessed via any web browser.
Price: Free

2. Foscam Surveillance Pro


Now this is not a security app per se, but it is so cool we thought we would
include it anyways. You can basically run a security camera service using
this application and get LIVE feed from up to 6 cheap IP cameras. You can
even control the movement of some. If you don't want to spend a tonne on a
home security service or want a handy baby monitor, search no more. Plus
it has a little DIY element for all you enthusiasts.
Price: $4.99

You can basically make your iPhone into a security surveillance device by using Foscam

3. mSecure
If you are like me then you have a hard time keeping track of all those passwords.
Do not worry; mSecure is the perfect application to manage all your passwords.
The procedures are very simplified and you can manage all your different
accounts very easily. It is built while keeping the careless customer in mind so
if you have the problem of forgetting or mismanaging passwords go for this.
Price: $9.99

4. Private Photo Vault


Your camera roll might be susceptible to intrusive attacks, so you can make
sure that all your precious photos are safe in the secure Private Photo Vault.
It gives a break-in report if someone tries to tamper with it and is a good
way to save your private media items.
Price: Free

5. SurfEasy VPN
In case you want to make sure that your browsing is safe and even if you
are uncertain about the security of the network you are on, you can use this
application. This encrypts your outgoing signals and protects your phone
from attacks by users of the same network. You must always use this app
if your phone is mostly connected to a lot of other members on the network
too. It is a safe practice.
Price: Free

6. Norton Identity Safe


Norton has been around for a long time. So this is a pretty good and
wholesome app. It acts as a one point hub for all your security management
options. It can be locked using a security code. It stores all your important
information like passwords, credit card details, website cookies etc. It also
has a password generator which you can store and use. The app is free of
cost and you should definitely have this on your phone.
Price: Free

7. Best Phone Security Pro


Don't judge an app by its name. This is a really good app. What it does is
that whenever someone tries to open your device, an alarm will go off.
Sounds fancy, doesn't it? You can even record your own alarm to go off (my
personal favourite is "Shame!" on repeat).
The app also uses the front camera to take a picture of the intruder. And
last time we checked, iPhones have a great front camera.

You should manage your passwords using secure apps to ensure you never
lose your social accounts

Conclusion
The iPhone is the world's best-selling item. You must ensure your iPhone's
security just for the sheer fact that so many people use it. Imagine if the
security of all the iPhone community members were to be compromised at
once. Sounds like something straight out of Black Mirror, doesn't it? The
point of this is not to make you feel paranoid but to make you understand
the ways in which your iPhone can be broken into. If you take all the
information we have provided and put it to use, you can almost be certain that
you will not fall prey to hackers. Also, make sure to utilize your phone's
replacement policy in case your iPhone is not behaving normally. You
can always contact Apple customer care in case you are wondering about
certain settings or unsure of a certain security clause. They like to take
their customer care seriously, I've heard.
Chapter #05

SECURE YOUR WINDOWS PC OR LAPTOP
Windows may not be the least secure OS out there, but you're not safe yet!

A recent security report published by GFI, a network and security
solutions provider, stated that Apple's Mac OS X, iOS
and Linux Kernel are the top three most vulnerable operating
systems, beating the common misconception that Windows
is the least secure OS out there. Microsoft is one of the biggest technology
companies in the world. It is always on its toes and is super fast in releasing
critical patches and updates to make your computer more secure. This is
not to say that Microsoft Windows has always been this way; it is known
to have a sad security history, but the company learned from its mistakes
and has been successful in making Windows 10 one of the most secure
Windows versions ever, while also being the most targeted OS out there.
If you think about it, the reason for this is simple. Imagine if you had a
year to learn how to break into Vault A, used by 80% of the banks, or Vault
B, used by 20% of the banks. What would you choose?
Windows dominates the PC and laptop OS market with a 52.02% share
while Apple and Linux Kernel based OSes have a 26.2% and 21.7% share
respectively. Chances of encountering a Windows machine on the internet
are higher than any other. And this is why hackers everywhere are religiously
creating new viruses and malware, and exploiting zero-day vulnerabilities
to get into your Windows machine. And it's not just the bad guys who are
after you. The technology buzzword of last year was "privacy" and the good
guys (read: Microsoft) are after your data too.
Worry not though. We are here to teach you how to secure your Windows
machine, from both the good and bad guys.

Learn how to secure your Windows account

Saving yourself from the Bad guys


The safest computer in the world is one that is turned off
Over the years, Windows users have seen some of the nastiest viruses. From
ransomware to irritating autorun viruses, we have seen it all. Security has
never been Microsoft's strong suit but slowly and steadily it has built it up.
Windows 10 is probably the most secure version to date.
But no computer in the world is unhackable. If you want to completely
secure your Windows machine, the best bet is to start afresh with a new
installation. But if you don't want to lose all your installed software and
saved data (which can be backed up anyway if you decide to do a fresh
installation), follow these steps to scan and remove malware, and secure
your PC:

Disconnect from the internet


The first thing you need to do is disconnect your computer/ laptop from
the internet. If your computer is hacked or infected with a virus/malware/
spyware, disconnecting from the internet will stop it from communicating
with the hacker.

To get away from the bad guys first get away from the internet

Update/ Install an antivirus, an antispyware and a firewall


If you haven't already installed an antivirus, an antispyware and a firewall,
then download the latest version on a computer you are sure is safe
and transfer it to your machine. There are a number of good free and paid
antivirus, antispyware and firewall programs that you can choose from, which
are listed in the next section.
Some viruses also stop the user from installing any new programs. If
this is the case with your machine, then switch it off, boot into Safe Mode
and install the programs.
If you already have this software installed, then update it before
disconnecting from the internet.

Boot into Safe Mode and run a full scan


In Safe Mode, the OS loads only the necessary services and drivers, which
means that viruses and malware that have added themselves to the startup
list of services won't run. To boot into Safe Mode in Windows 10, go to the
Start menu and click the Power button. While keeping the Shift key pressed,
select Restart. Your computer will restart and present you with a couple
of options. Select Troubleshoot > Advanced options > Startup settings. A
new screen will notify you that you have to restart Windows again to
change Advanced boot options, which include Safe Mode. Click Restart
and select Enable Safe Mode by pressing the F4 key.
Once into the Safe mode, open your antivirus and scan your whole
computer. Do the same with the antispyware software. This can be quite a
time consuming task and the scans could run for a couple of hours. You can
go get some food and finish your other chores in the meantime.

Clear browser cache, cookies, and other temporary files and folders, and remove unnecessary software
Clearing all these files and folders will not only remove any traces or
infected files left behind by the viruses, but also give your computer a
significant performance boost. You can either choose to manually clear
all these places, or instead download software like CCleaner to do the
same. Download CCleaner off the official site and install it. The software
clears a number of temporary folders and files by default, so go through
the checklist once before running it. Once you have selected all that you
want to clear, select Run Cleaner and let it do its work. Once that is done,
go to the Tools section and uninstall all the unnecessary software you don't
need. Then go to Tools>Startup and disable all the unnecessary
software and bloatware that you come across.

CCleaner can do a number of things including clearing out your junk, uninstalling programs and removing software from startup

Update your Windows and all other software, especially your browser

According to data collected by Kaspersky Lab, one of the biggest antivirus
vendors, almost a million new threats are unleashed online every day,
including viruses, malware and zero-day vulnerabilities. The best bet to
protect yourself against these threats is to keep your operating system and
software completely up to date. Set all your important software, especially
your browsers, to update automatically. Also set Windows to automatically
download and install all new updates. Type Update in the Start menu search
box and select Windows Update. Change settings to Install Updates
Automatically (recommended) if it is not already selected.
These steps should be enough to clear your computer of any threat, but
if you want to be 100% sure about it, then do a fresh installation of
Windows on your machine. To do so, follow these steps:

Do a fresh installation of Windows


Doing a fresh installation is the best way to go about securing your
Windows PC. Even out-of-the-box machines that come with Windows
pre-installed have extra junk and bloatware installed that slow down your
computer.

Update your browser and other important pieces of software

It's not always Windows that is guilty. A number of popular, commonly used
programs are known to have a history of security vulnerabilities. Software
like Java, Adobe Flash, Adobe Acrobat Reader, Google Chrome and Mozilla
Firefox are regular targets of hackers looking for weaknesses to exploit
and break into your machine. So make sure all your software is updated
regularly.

Create a Clean Restore point


The first thing that you should do after installing your OS is to create a
Restore point. This makes sure that you don't have to install Windows and
start afresh the next time you encounter a problem. Go to Control
Panel > Recovery > Configure System Restore. Select the Create button and
follow the onscreen wizard to create a System Restore point. If the Create
button isn't working, click the Configure button and select the Turn on
system protection radio button.

Install an Antivirus and Antispyware


All Windows 10 computers come with Windows Defender, a built-in antivirus
which offers baseline protection to your system. Though a solid
antivirus, it's not good enough and cannot stand against other industry
leaders. There are a number of paid and free antiviruses in the market,
enough to boggle your mind. Though each has its own set of pros and
cons, one cannot go wrong with Kaspersky's security suite if you want the
best paid protection. Avast and Avira are two good free antiviruses. Most
paid security suites have their own anti-spyware, but if you are using a
free version, chances are you'll have to install another program to protect
your machine from spyware. Malwarebytes Anti-Malware and Spybot Search
and Destroy are two good free options available.

Keep UAC turned on


User Account Control, a built-in feature of Windows, provides an additional
layer of security to your computer by notifying you whenever a suspicious
program tries to make changes to the system. UAC is turned on by
default. You can change its intensity by going to Control Panel > User
Accounts > User Account Control Settings and then moving the slider.
If you followed the above steps, then your machine is completely virus
free and secure as of now. But if you want to keep it this way you need to
use common sense and be proactive. Keep in mind the following things to
keep your Windows machine safe and secure:
- Only download files from trusted sources and scan them before opening.
- Ignore unknown, spam or shady emails telling you about the money
  your great-great-grandfather left you or an all-expenses-paid trip to
  Spain you won.
- Scan every external storage device you connect to the computer before
  accessing it.
- Use a limited account to browse the internet and stay away from
  shady websites.
- Don't click on suspicious links and advertisements online.

Saving yourself from the Good guys


It's been a long time since it became common knowledge that privacy is a
myth. The government is tracking everything you do. Facebook doesn't delete
your personal information even after you delete your account. Microsoft
collects tons of personal data about you. All the Good guys are wolves in
sheep's clothing and we are here to protect you from them.
You would think that saying this is a stretch, but once you look at all the
information Microsoft's latest OS, Windows 10, collects you will realize that
maybe this is something you should be worried about. Everything from
your address book, GPS locations and credit card numbers to your audio and
video messages is collected by Microsoft. And guess who gave them the
permission to do so?
YOU. The terms of service agreement you skipped reading (we know, we
all did) said that you allow Microsoft to do all this and much more.
Well, wouldn't it be scary if one day Cortana wakes you up with the
nickname only your mom calls you by? Read on to find out what you can
do to stop Microsoft from invading your privacy and secure your computer.

Turn off tracking in the privacy menu


The fine print in Microsoft's privacy statement says that the company uses
your data in 3 ways: to operate their business and provide, improve and
personalize the services they offer; to send communication, including
promotional communication; and to display advertising. And to do this
Microsoft collects tons of your personal data. To view and change these
settings, open your Start menu and type privacy. After opening your privacy
settings you can see a list of permissions for various things including your
location, access to camera and microphone and much more. Once you select
one of these, you can either turn off the data collection completely or do
it for individual applications. Also, go to General and change the Send
your device data to Microsoft setting to Basic.

Don't Create/Disconnect your Microsoft Account

Windows 10 asks you to create a Microsoft account by default. You can
use this to log into your computer. It also comes with built-in 2-factor
authentication, making it more secure. But it has its own tradeoffs too. Your
Microsoft account connects your computer to your account and starts storing
a lot of personal data which you might not be comfortable with.
So don't create a Microsoft Account when you are prompted to do so
and select local account instead. If you have already made one and are
using it, follow these steps to disconnect your machine from it:
1. Open the Start Menu and type Account, then select Manage your account.
2. Click on Sign in with a local account instead.
3. Create a new username and a secure password.
4. Log out and log in again using the new account.
5. Go to the Manage your account setting again and remove your older
   account from under the Other accounts you use tab.
You will lose out on some features including Cortana if you use a local
account, but that is the price you pay for securing your privacy and data
on a Windows machine.

Stay away from Cortana


Cortana is one of the most talked about features of Windows 10 and one step
towards a future where everyone will have their own J.A.R.V.I.S. Cortana
gathers information and learns about you from your location, contacts,
speech data and much more, to create a more personalised experience for
you. But to do this, it accesses loads of personal and sensitive information,
some of which you may not be comfortable sharing with Microsoft. If you
want to disable Cortana, go to Privacy settings, select Speech, inking
and typing from the left menu and change the setting to Stop getting to
know me, and you are done.
If you have had Cortana enabled for a while, you would also want to
delete all the information it has stored already. To view and delete it, go to
https://www.bing.com/account/personalization. Once logged in, clear all data
including interests and Speech, Inking and Typing information.
Chapter #06

Methods to secure your Linux system
Don't let the reputation of Linux being
more secure than other systems lull you
into thinking it can't be breached. These
methods would help keep the system
truly secure.

One main advantage that Linux brings to the table (or the desk,
if you prefer it that way) is the better security that it offers.
Sometimes, the case is such that an antivirus is more ornamentation
than utilitarian. But that's not to say that Linux
is an impenetrable fortress within which you can reside safely, a digital
cocoon where you needn't fear any malicious element from entering. Such
optimal scenarios are only possible in fantasies, possibly realized with CG
made using computers that run on open source.
But there's no reason to fret. You are by no means a hapless damsel in distress.
There are certain measures you can adopt to further secure your Linux system.
Let's start with looking at some basic tricks you can use:

Basic tips
Choose Full Disk Encryption
Regardless of the operating system that you use, it's always advisable to
encrypt the entire hard disk. In the event that your laptop is lost or stolen, a
login password probably won't be enough protection. For instance, one can
easily boot into Linux from a USB key and read all the data on the system
without using the password. With encryption, it won't be possible to read
anything without using the FDE password.
While encrypting only your home folder and the files contained in it is
a possibility, FDE has a significant advantage: you won't have to worry
about breach of temporary files, swap files and other directories where
significant files may lie.

Go all the way, choose it fully!

And unless the computer is pre-historic, the slowdown due to encrypting
everything on it is barely perceptible. In many Linux distros including
Ubuntu and Fedora, full disk encryption can be done during installation
itself. You just have to select the Encrypt the new Ubuntu installation for
security option.

Keep the software updated


Keeping software up-to-date is so not an exercise in vanity like keeping
abreast of the latest trends in fashion without really knowing if they
actually suit you or not. Regardless of the OS, you should always keep the OS
and other applications, including but not limited to web browsers, PDF
readers and video players, updated.

Update, secure.

And it's easy to perform on most Linux distros. On Ubuntu, for instance,
the security updates are automatically installed. To make this happen, just
make sure that the Important security updates option is turned on by
going to System Settings -> Software & Updates -> Updates.

Make use of Linux Firewall


The Linux kernel comes embedded with a firewall component called ipfire.
This offers a pretty effective tool to manage network traffic and also to check
different types of cyberattacks. In Ubuntu you will find the application
called Uncomplicated Firewall (UFW), which is a frontend program that
simplifies setting up iptables.

Stay secure within the wall

UFW is disabled by default. To turn it on, you can bring up the
command prompt and type the following:
$ sudo ufw enable
A graphical configuration tool like GUFW or UFW Frontends could
be a good tool to learn more about ipfire and, more relevantly, what it can
do for you.
Fedora comes with the alternative firewall management toolkit called
FirewallD. It's enabled by default, so you can chill. A graphical user
interface is also available for FirewallD. Called firewall-config, you can
install it from the command prompt using:
$ sudo yum install firewall-config

Improve browser security


It's important to have the browser secured as much as possible since the
browser provides the way in for many contemporary cyber attacks. This is
true whether you use Google Chrome, Mozilla Firefox, Opera or any other
browser for that matter, so there is no point pointing the finger at any
particular one.
However, to improve browser security and your privacy, multiple
free extensions are available. Some of the most effective options include
HTTPS-Everywhere, Adblock Plus, NoScript, Ghostery and Disconnect.

Close the chink in the browser!

Use anti-virus software

Those who are super-confident of the security provisions that Linux
naturally brings to the picture (and you'll be surprised by how many there
are) may say that an anti-virus on a Linux system is totally unwanted.
One reason why they say so is that most malware detected on a Linux
system will be for Windows. But that doesn't mean that it's not a part of
your problem. For instance, what if you pass a corrupted file to
someone else?
And while it's a fact that malware on Linux desktops is rare compared to
other systems, that still doesn't mean that it doesn't exist. It also
doesn't mean that you are completely immune to attack. After all, rare
doesn't mean zero.

Don't be anti anti-virus!

Most secure distros


Tails
One of the more widely recommended distros is Tails, and for good reasons.
Tails is actually the short form for The Amnesic Incognito Live System. What
makes Tails extremely recommendable is that it's user-friendly while placing
significant stress on security. Instead of just focusing on a secure OS, it also
ensures that whatever you do on the system also remains secure, at least as
much as possible from the get-go.
Tails is based on Debian's stable branch, so you can put your heart at ease
since it's known for great stability and security. Also, Tails runs in a
live environment alone, which is actually a smart security feature given
how it completely wipes out any trace of use on the system once it's shut
down or restarted. Talk about being security conscious from the very
beginning!

Offers great stability and security

Just about every need you may encounter is addressed by one piece of software
or another that Tails comes with. A customized browser that uses the
Tor network is a case in point. Also, in Tails Firefox includes other
extensions to make browsing extra-secure, such as HTTPS Everywhere and NoScript.

LPS
Lightweight Portable Security or LPS is another feasible option. The
distribution, in fact, is maintained by the American Air Force. LPS is also
kind of unique for the fact that it has a very minimalistic approach. The
hardened code aside, it has a lightweight desktop environment which is akin
to Windows XP. The environment includes Firefox and some additional tools.
You also get to use what's called an Encryption Wizard that will help you
gain more privacy and security, and which is easy to use.
As with Tails, LPS too runs only in a live environment. And yes, it
doesn't leave traces once you shut down or restart.

Minimal but secure

The common Ubuntu distribution


Just because something is all too common doesn't necessarily mean that
it's bad. It's not enough to give you an all-encompassing secure environment
like Tails, but the OS would be enough to secure your system, as long as
your security requirements are regular. You will need to keep the OS updated
with available patches using the distribution's Update manager.
Also, you can make things more secure by adding programs like OpenPGP or Tor.

Common, but uncommonly secure!

Make use of Security-Enhanced Linux (SELinux)

There exists a Linux kernel security module called Security-Enhanced
Linux or SELinux. It provides a means by which you can assign security
policies for different software, limiting how much data they can access and
the functions they can perform.
The users and roles in SELinux needn't be related to the actual system
users and roles. For each current user or process, SELinux will assign a
three-string context which contains a username, role and domain. Usually,
most of the actual users will share the same SELinux username while all
access control is managed via the third tag, the domain. You can use the
command runcon to launch a process into a clearly specified context (user,
role and domain). However, SELinux may deny the transition if it hasn't
been approved by policy. Separate measures to protect system integrity
(basically the domain type) and data confidentiality are one of the key
features of SELinux.
SELinux comes as a part of RHEL Version 4 and subsequent releases.
The supported policy in RHEL4 is not that restrictive, since a key objective
is to bring in the maximum ease of use.

Methods for securing the Linux server


Encrypt data communication
It's common knowledge that any data transmitted over a network can be
monitored. However, it's unfortunately not a common enough practice to
encrypt the transmitted data using passwords or keys/certificates. You
shouldn't make the same mistake.
Encrypt data communication whenever it's needed or possible. You
can use ssh, scp, rsync or sftp to transfer files. It's also possible to mount
a remote server file system or a home directory with the aid of the special
sshfs and fuse tools. GnuPG is also something you can use. It allows you to
encrypt and sign data and communication, and also has a versatile
key management system and access modules for all types of
public key directories.

Talk safely!

Use only the software that you actually want


We live in an age of choices, especially if you are a netizen. But that doesn't
really mean that you need all those web services installed in the system, does
it? If you don't install unnecessary software, you are by default bringing
down the system's vulnerabilities. You can use an RPM package manager
like yum to review the installed software packages on the system. That will
give you a good idea of which packages are actually utilized and which are
just taking up space. Remove the latter.

Keep it simple, keep only those you want!

Make a rule of running just one network service per system


It's always advisable to run different network services on separate servers.
This is so that the number of other services which could be compromised
can be limited. For instance, if a hacker successfully exploits a software
like Apache Flow, then that person gets access to the entire server
including other services like e-mail server and MySQL.

Let's call it the power of one!

Disable root login

It's never a good idea to log in as the root user. Root-level commands
can be executed as and when required using sudo. Without sharing the root
password with other users and admins, sudo enhances the security of the
system. It also provides some simple auditing and tracking features.

That's cutting off the root of a problem!

Ensure security of the physical server if you have one

It must be ensured that the Linux server's physical console access is
protected. To this end, configure the BIOS and also disable booting from
external devices like DVDs and USB drives. To protect these settings, set
BIOS and grub boot loader passwords. Make sure that all production
boxes are locked in Internet Data Centers. Also ensure that everyone passes
through some security measure before they can access the server.

Don't forget what's in the brick-and-mortar world!

Delete X Windows
X Windows on a server is not exactly necessary. No reason exists for you to
run X Windows on your dedicated mail and Apache web server.
X Windows can be disabled and removed to improve server security and
performance. Edit /etc/inittab and set the run level to 3. To
remove the X Windows system, use the following command:
# yum groupremove "X Window System"

Turn off IPv6


The Internet Protocol version 6 (IPv6) brings in a new internet layer of
the TCP/IP protocol suite which not only replaces IPv4 but also provides
multiple benefits. There exist no decent tools at present with which you
can check a system over the network for IPv6 security issues.
The IPv6 protocol is enabled by default in most Linux distros. And bad
traffic can be sent by crackers via IPv6 since most admins don't monitor it.
Unless it's required for the network configuration, either disable IPv6 or
set up a Linux IPv6 firewall.

Disable unwanted SUID and SGID Binaries


If a SUID/SGID executable has a security issue or a bug, any SUID/SGID
enabled file could be misused. Also, any local or remote user could make
use of such a file. Finding all such files is therefore highly recommended.
You can use the following commands for the same:

# See all set user id files:
find / -perm -4000
# See all set group id files
find / -perm -2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# List regular files with either bit set, skipping /proc
find / -path /proc -prune -o -type f -perm /6000 -ls
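
An added example (not part of the original guide): a small shell audit that runs the combined search above and reports only the SUID/SGID files that are not on an approved list. The function names and the baseline file format (one absolute path per line) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not from the guide: compare SUID/SGID files found on
# disk against an approved baseline so only new or unexpected ones show up.

# list_special_files DIR
# Print every regular file under DIR that has the setuid or setgid bit set.
list_special_files() {
    # -xdev keeps find on one filesystem (skips /proc, network mounts, ...).
    # The two -perm tests are the portable form of the combined command.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_special_files DIR BASELINE
# BASELINE (assumed format): one approved absolute path per line.
# Prints files that carry SUID/SGID but are missing from the baseline.
unexpected_special_files() {
    list_special_files "$1" | while IFS= read -r path; do
        # -F fixed string, -x whole line: no regex or prefix matches.
        grep -Fxq -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# missing_from_disk DIR BASELINE
# Prints baseline entries that no longer carry the bit (file removed or
# permissions changed), so the approved list can be kept tidy.
missing_from_disk() {
    current=$(list_special_files "$1")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$current" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done < "$2"
}

# demo: builds a constructed directory tree and audits it.
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/plain" "$tmp/approved-tool" "$tmp/new-tool"
    chmod 4755 "$tmp/approved-tool" "$tmp/new-tool"   # constructed SUID files
    printf '%s\n' "$tmp/approved-tool" > "$tmp/baseline.txt"
    echo "Unexpected SUID/SGID files:"
    unexpected_special_files "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

# Run the demo only when asked: sh suid-audit.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it from cron against / with a baseline captured right after installation, and review every path it prints before adding it to the approved list.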

Use a centralized authentication service


Unless there's a centralized authentication system, user authentication data
will become inconsistent. This could lead to out-of-date credentials as well
as forgotten accounts that ought to have been deleted. With a centralized
authentication service, you can maintain central control over Linux/UNIX
accounts and also authentication data. It will also be possible for you to
keep authentication data synchronized between multiple servers. Instead of
using the NIS service, go for OpenLDAP for clients and servers, if you want
to have centralized authentication.

Secure OpenSSH Server


For remote login and file transfer, the SSH protocol is highly effective. But
SSH is vulnerable to many types of attacks. So you had better make sure that
the OpenSSH server is secure.
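
An added example, not from the original guide, tying together the "Disable root login" and "Secure OpenSSH Server" advice above: a shell check that reads an sshd_config file and reports whether direct root logins over SSH are switched off. PermitRootLogin and Match are real OpenSSH keywords; the function names, the sample configuration and the assumed default (prohibit-password, as in current OpenSSH releases) are this example's own, and Include files are not followed.

```shell
#!/bin/sh
# Added illustration: report the effective global PermitRootLogin value.

# effective_root_login FILE
# sshd uses the FIRST value it reads for a keyword; keywords are
# case-insensitive and may be written "Key value" or "Key=value".
# Settings after the first Match line are conditional (this sketch does
# not evaluate them), so the global section is taken to end there.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                      # comment lines
        /^[ \t]*$/ { next }                      # blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # leading whitespace
            sub(/[ \t]*=[ \t]*/, " ", line)      # optional "=" separator
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
        }
        key == "match" { exit }
        key == "permitrootlogin" && n >= 2 {
            print tolower(f[2]); found = 1; exit
        }
        END { if (!found) print "prohibit-password" }  # assumed default
    ' "$1"
}

# root_login_disabled FILE: exit status 0 only when the value is "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# audit_sshd FILE: one-line verdict for a report.
audit_sshd() {
    value=$(effective_root_login "$1")
    case $value in
        no) echo "OK: root cannot log in over SSH" ;;
        prohibit-password|without-password)
            echo "WARN: root can still log in with a key ($value)" ;;
        forced-commands-only)
            echo "WARN: root key logins allowed for forced commands" ;;
        *) echo "FAIL: PermitRootLogin is '$value'" ;;
    esac
}

# demo: audits a constructed configuration, not a real server's file.
demo() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
    audit_sshd "$cfg"    # the first value wins, so this reports FAIL
    rm -f "$cfg"
}

# Run the demo only when asked: sh sshd-audit.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a live server, `sshd -T` prints the configuration the daemon actually uses, including Include files, and is the authoritative check.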

Install and make use of Intrusion Detection System


A network intrusion detection system (NIDS) is a useful ally in your fight
for better system protection. As the name makes clear, the NIDS is a
system that detects intrusions, more precisely malicious activities like
denial of service attacks, port scans and attempts to breach a computer, by
observing network traffic.
You would do well to deploy integrity checking software before the
system goes online. If at all possible, you should install AIDE software prior
to the system getting connected to a network. For those who don't know,
AIDE is actually a host-based intrusion detection system (HIDS) which
can both monitor and analyze a computing system.
In the journey of securing your Linux system, the methods mentioned
here will help you go a long way. And those who may wish to breach
your system will always fall short.
Chapter #07

Securing Mac OSX
Macs aren't hacker-proof! Here's how you
can fortify your Macintosh

Introduction
The Mac operating system has long been associated with an aura of
user-friendliness and immunity to viruses and other malware. In fact, it
is true that there are almost no viruses (in the sense of malware that can
silently infiltrate a computer without any user interaction) that affect
Mac OS (thanks to its file permission system). However, there do exist
vulnerabilities, as exemplified by the Rootpipe fiasco, which was patched
after a whopping 6 months in April 2015 (exclusive to Yosemite and not for
older versions), only to be exposed as an inadequate fix a few days later.
There are also quite a few trojans, which usually piggyback on other
software like video plugins. Their installation, however, requires tricking
the user into authenticating it. Of course, it is true that the Mac
operating system is comparatively immune to malware, but
that is only because most malware targets Windows operating systems,
and malware written for Microsoft Windows will not run on an Apple
Macintosh. If you compare it with the amount of different malware written
for Windows, malware that targets Mac operating systems is a drop in
a pond, but that is only because so many more people use the Windows
operating system. So like it or not, Macs can and do get affected by malware
and vulnerabilities, and are a far cry from being completely secure. Yet
how many Mac users use anti-virus software?

Even the best Apples can have bugs

This anti-antivirus attitude on Macs also means that even if there is
malware common on Mac OS, hardly any of it gets reported and,
as a result, it carries on its infiltration without raising any flags. After
all, an evil genius would design his/her malicious software to be as silent
and unobtrusive as possible, in order to be detected as late as possible,
post infiltration. Other than malware, security breaches on a Mac are also
possible via third-party software like a browser. In particular, Adobe Flash
and Java have been notoriously popular with malicious hackers thanks to
their many holes and bugs, some of which allow the applet to gain access
to the filesystem of the computer (if granted permission), but they are not
the only culprits.
Now that you have an idea of the potential threats to your system, here
are some ways you can fortify your Mac:

Setting up Safely
Whether you're setting up your new Mac or upgrading your OS, there are
certain steps you can take the first time you start up the operating system
that ensure minimal susceptibility to malware. There must exist at least
one admin account and if you're the sole user, as is mostly the case, that
will be you. It is a good idea to create an unprivileged non-admin account in
addition to this, to use for your everyday activities. Doing this will greatly
reduce the amount of risk that you are exposed to, and even if something
malicious gets in, it won't be able to accomplish much. Other than preventing
a compromise of privacy, the main purpose of security is that you don't lose
your files, so backups are also a basic step for prevention of data loss.
Take them regularly, and take them often.
Use your secondary account for your daily technology chores like
reading manga or downloading songs. You can store your files without
hassle and if ever you need to install something, you'll be asked for the admin
login details. On the one hand this does mean many more popup dialogues
to enter credentials if you have relationship issues with software, but on the
other, it gives you the freedom of being more exploratory while wandering
the web. Also, set up your login screen to prompt for the password often if
you leave your MacBook lying around.

Prevent a passerby peeping

Getting a complete Firewall

Apple includes a firewall built in to the Macintosh; however, it is an
incomplete firewall because it blocks incoming connections but has no check
for outgoing connections, which is what malware writers use for stealing data.
A good two-way firewall is one of the first pieces of software that one should
install before wandering on the web. Sometimes software that you never
suspected may be connecting to the internet without your knowledge, and
without an outbound firewall, you will not know, nor be able to do anything
about it. Software like Little Snitch 3 and Intego Net Barrier overcomes this
limitation, allowing you to monitor and filter outgoing connections as well
as incoming connections.

Purchasing Privately
The urge to shop is a powerful one; it can rival almost any addiction. Retail
therapy is ever more accessible thanks to the modern ability to shop online
and purchase with a few clicks. If ever this urge strikes you when you
are using a public connection, like an airport or coffee house wifi network,
your precious transaction data can be sniffed by an enterprising lurker.
After all, what can be more lucrative information than credit/debit card
numbers and passwords? Fortunately, most online transactions are secured
by additional protocols so it is not super risky to order your groceries
online before you board your flight. Besides making sure your connection
is encrypted using https, you can use a virtual private network (VPN) to
ensure that extra level of safety. VPNs offer an added layer of encryption
and anonymity on the internet no matter where your entry node is physically
located. Carrying out transactions and other sensitive communication over
a VPN is sure to foil any attempts of sabotage from sniffed information.

Make yourself anonymous, use a VPN

Logging in Manually
By default, Macs are set to log in automatically on boot, which makes things
especially easy if you are the sole user of your system. While this is a great
feature for the perpetually lazy, it is a potential security hazard for people
whose system resides in a high-traffic area and can be easily physically stolen.
Once someone else picks up your precious Mac, all they have to do is open
the screen and they are in. To disable this double-edged feature, open System
Preferences, and inside Users & Groups you will find Login Options. Here
you can set up your system to ask you to enter your user
account manually every time you boot or open your Mac.

Encrypting the entire hard disk

In the event that your Mac lies in the hands of thieves, a
surefire way to protect your sensitive data is by having
it encrypted from the start. Apple's FileVault is their
proprietary software that encrypts all that you tell it to
with the XTS-AES 128 algorithm. To turn it on, head to
System Preferences > Security and Privacy > FileVault
and, after unlatching the lock in the bottom left corner, click
on Turn On FileVault. Your account will need to have a
password which you will enter to unlock your hard
drive every time you start up your Mac, which ties in to the previous point.
However, in addition, every time you power down your Macintosh it will
encrypt the entire hard disk, making your precious data securely
inaccessible to the prying penetrator.

Enable FileVault to secure your data

Make sure the bad guys don't know where you are

Auditing your Security and Privacy settings

Under System Preferences > Security and Privacy > General, it is a good idea
to set your computer to allow the installation of apps only from the App
Store and Identified Developers. In the odd case that you need to install
some software that doesn't have Apple's verified developer signature, you
will be asked to enter your admin password to authorize the one-off case.
This step greatly reduces your chances of being affected by rogue malware,
unless you blindly accept every exception request of course.
Also, if you head to the Privacy tab on the same System Preferences page
and select Location Services on the left, the right-hand pane will show
you all the apps that are allowed to access your inbuilt location services
and also the apps that have utilised this service in the last 24 hours. Keep
a lookout for software that should have no business knowing where you
are; it may be broadcasting your location to a malicious data merchant.

Regularly updating your Software

Another very basic precaution that can prevent being the target of a malware
attack is regularly updating software, as most known Mac vulnerabilities
and holes target flaws in older versions of Mac OSX and other software.
Security patches and fixes are rolled out officially in updates from the
authoring company and so it is highly recommended to keep your operating
system and all third-party software up to date. This may sound obvious but
many people skip updates out of data usage concerns or sometimes even
pure laziness. While not always a must-have, software updates are almost
always a good idea. Apple Store's Software Update is the place where you
can handle it all.

Keeping your Mac up to date

Staying away from Warez

Warez is a popular term for illegal peer-to-peer file sharing software that
allows users to download and share pirated songs, movies, etc. for free over
the peer-to-peer network. Unfortunately, what most people don't realize is
that the drawback of this whole free file sharing system is that it
compromises your identity online. Moreover, since it is illegal, the software
will obviously not be verified and therefore it is a prime candidate for
piggybacking malware or other malicious code. Other than the warez software
itself, malicious code is often also added to the content files themselves,
which unsuspecting users are in such a hurry to download. If you are a
hardcore (or part-time) pirate who does not believe in contributing to the
mega-corps, a safer (but still illegal) alternative is to use a bit torrent client
over a VPN to ensure anonymity and encryption.

Installing trusted and reputed antivirus software

Antivirus software is the single most effective solution against viruses,
other than common sense safe browsing practices. It is important to note
that life often offers u-turn plot twists for the unsuspecting wayfarer,
such as the trusted and reputed antivirus software itself being the malware
or adware. The problem is that even genuine antivirus software can only
promote itself and convey its capabilities so much via web content and
marketing, and someone who isn't in touch with the industry may not be able
to discern the difference. Genuine players carve out their reputation over
time, so any good antivirus software will most likely be from a company which
has been around for long and knows the field. Unfortunately, many
unsuspecting users have fallen prey to software like MacKeeper, MacSweeper,
MACDefender, and others. The common tactic is to scare users with annoying
and unnecessarily exaggerated popups and security warnings that are designed
to make well-meaning but non-tech-savvy people download their software.

While there are almost no strict viruses that can wreak havoc in the Mac
ecosystem (as of now), it is still a good idea to have an antivirus software
like ClamXav to look over your files, especially those that are frequently
exchanged with others. Even though a virus for Windows will not affect a
Mac, it can certainly pass through, and ClamXav (or your favourite Mac
antivirus) can detect and delete it for you.

Setting up ClamXav for Mac

Conclusion

It is well and good to take precautions but at the end of the day, the
fundamental piece of the security puzzle is the user. A lot of trouble can
be avoided with common sense and safe browsing practices. Congratulations!
By choosing to use a Mac you have already dodged 99% of the malware out
there. Thanks to statistics, along with the above mentioned steps, you may
yet remain protected as you surf the wide web. A cliché worth repeating:
better safe than sorry.

Good or bad, technology aids every business
66 Chapter #08

Ways to secure your social media accounts

You spend a lot of time on social media sites. So do potential threats.
Here's how you can better secure yourself.

Social media is where it's all at right now. The most happening places
on the Internet are social media sites. So it comes as no surprise
that for most of us, social media sites are pretty much our second
homes. So naturally, when so much is happening on one platform,
it's very likely that someone or the other would take this opportunity to
snag some sensitive information out of you, and in most cases you won't
even realise you've lost that sensitive info, which could result in
financial losses for you, among other things.
In order to prevent such a thing from happening, you would do well to
adopt certain methods to secure your social media accounts. Here's what
you need to know to do that.

Enable two-factor authentication

Two-factor authentication has been around for a while but it's only been
of late that folks seem to have woken up to its use. Well, better late than
never, we say.
Simply put, it asks you to enter a secondary bit of information so that
you can access your account. This means that even if a password or PIN is
stolen, your data security isn't compromised.
In fact, two-factor authentication is way more secure than passwords.
As per experts, many a high-profile hack, including the one where many
media Twitter accounts in the US were hacked in 2015, wouldn't have
happened if two-factor authentication had been in place. The reason is
that even if malware is placed on a system and the password is stolen, a
breach is still not possible.

Two-factor doubles the security
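
To make the "secondary bit of information" concrete, here is an added example (not from the original guide) of one common second factor, a time-based one-time code as specified in RFC 6238, checked alongside the password. The `Account`, `enroll` and `login` names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP = 30  # seconds for which one code is current


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP), digits)


@dataclass
class Account:  # hypothetical server-side record
    salt: bytes
    password_hash: bytes
    totp_secret: bytes  # shared once with the user's authenticator app


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), totp_secret or os.urandom(20))


def login(account: Account, password: str, code: str,
          at: Optional[float] = None, window: int = 1) -> bool:
    """Succeed only if BOTH the password and a current one-time code are right."""
    now = time.time() if at is None else at
    counter = int(now // STEP)
    password_ok = hmac.compare_digest(_hash(password, account.salt),
                                      account.password_hash)
    code_ok = False
    # Accept the previous and next step as well, to tolerate clock drift.
    for drift in range(-window, window + 1):
        step = counter + drift
        if step >= 0 and hmac.compare_digest(
                hotp(account.totp_secret, step).encode(), code.encode()):
            code_ok = True
    return password_ok and code_ok


if __name__ == "__main__":
    acct = enroll("correct horse")
    print("owner, password + code:", login(acct, "correct horse", totp(acct.totp_secret)))
    print("stolen password, guessed code:", login(acct, "correct horse", "000000"))
```

A production server would also remember the last accepted step so that a code cannot be used twice within its window.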



Make use of a password manager

Coming up with a super-secure password is not our niche. This makes
using a password manager a rather good idea since they have the feature
with which you can generate secure passwords.
LastPass is one such service. Once you have signed up for it, you can
alter the password manually and then make use of the password manager's
secure password generator. A secure password does make your
social accounts way more secure. But that doesn't mean they become
impenetrable. However, the safety quotient certainly goes up with
harder-to-guess passwords.

Manager for a secure environment

As much as possible, use a separate email address for social accounts

While it's the case that many people are lousy at coming up with strong
passwords, it's also true that people often reuse the same password on
multiple accounts. This can be a huge issue since if a hacker can access
your social profile, they won't just stick to your social profiles.
To be more clear, they are gonna try the password on multiple platforms.
Possibly the most sensitive digital data regarding yourself is to be found
in your email account and you can be sure that the hacker's gonna try the
password there as well. If you are part of what we suspect to be the majority,
you would have used the same password everywhere.
The better alternative is to have a distinct email account for your social
profiles. Make sure that the email you are using isn't the one that has
financial or other personal data attached to it. That way, even if someone
gets into one of your social profiles and figures out the email id, your
main account remains out of reach. A simple but effective method by all
means.

Keep it separate, keep things safe
As a recovery option, add your phone number

There are many social platforms, and most of them allow you - the user - to
add a phone number as an emergency recovery option. The merit of such
a move is that even if the account is compromised you can get the social
profile to call the phone number and provide you the option to recover your
account. Almost all the major social networks have this feature. It's well
worth your time to go through the account settings and enable the function.

A number, so that recovery is always an option

Make use of the privacy options on the social network

One of the simplest ways in which a hacker can access recovery info on
you is by, well, looking at your profile. For instance, in Facebook one of the
recovery questions is about the colour of your dog. Now assume that you
have posted a dog's picture on your profile. Since it's posted publicly anyone
can see the picture. This holds true for other bits of information like the
relatives' maiden names etc.
So, unless you're a celeb who wishes to flaunt each and every move
that he or she makes in the course of a day, it's probably a good idea to
re-assess the privacy settings on all social profiles and alter them according
to your requirements.

Benefit from the built-in options

Be wary of suspicious links

The social media platform you are on may be cent percent reliable. But
that's not the case with all the people who use the platform, and one may
not be sure that the folks who appear there are in fact who they claim to be.
That's why being wary of opening links shared on the platforms, particularly
if they're shortened links, is not a paranoid reaction but an intelligent
strategy to stay secure.
Another thing you need to be cautious about is any link that's
embedded in an email message which supposedly arose from a social
network provider, or some other trusted source. If at all you find yourself
on a page which doesn't feel right, close the browser tab, making
sure that you don't click on any buttons on the page itself so that you
don't end up the victim of clickjacking attacks etc.
You can instead try connecting directly to the site by typing the URL
in the address bar.

If it doesn't look right, it probably won't click right!
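
The two warning signs described above, a shortened link and a link in a message whose visible text names a different site from the one it actually opens, can be checked mechanically. This is an added example, not part of the original guide; the message is constructed, the shortener list is a small illustrative sample, and the function names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Small illustrative sample of link shorteners, not a complete list.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Constructed message body claiming to come from a social network.
MESSAGE = """
<p>Your account was accessed from a new device.</p>
<a href="https://www.facebook.com/settings">https://www.facebook.com/settings</a>
<a href="http://bit.ly/2abcXYZ">See who viewed your profile</a>
<a href="https://login.example.net/facebook/reset">www.facebook.com/reset</a>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _site(host: str) -> str:
    # Crude "last two labels" comparison; a real tool would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_warnings(href: str, text: str) -> list:
    """Return the reasons, if any, to distrust a link before clicking it."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not-https")
    if host in SHORTENERS:
        warnings.append("shortened-link")  # the real destination is hidden
    # Does the visible text itself look like a web address?
    shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    if shown and host and _site(shown.group(1)) != _site(host):
        warnings.append("text-host-mismatch")  # text names one site, link opens another
    return warnings


def scan_message(html: str) -> list:
    parser = _Anchors()
    parser.feed(html)
    return [(href, link_warnings(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, warnings in scan_message(MESSAGE):
        print(href, "->", warnings or "no warnings")
```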

Check your email for suspicious login attempts

Good social platforms improve their information security practices more or
less continually; Facebook and Twitter are particularly effective with their
improvement strategies. Whenever there's suspicious activity with regards to
your account, you will be alerted. So, do check your email for such
mails, and take appropriate action if necessary.
Most of the social media accounts not only block suspicious login
attempts, they will promptly ask you to change the password as well. If
such is the case, you should by all means change the password asap to
minimize the chance of a malicious agent laying his digital hand on your
personal info.

One of the rare times when a mail not from a friend/family may be worth it!

Be conscious of the type of info you're putting out there

It may sound kind of obvious to say that you shouldn't put up sensitive
information for anyone to see. But the thing is, we all get carried away at
times and end up putting up info about others or ourselves which would
be better off remaining private.
And sometimes the info you share without realising might have been private
for someone else. For instance, if you're mentioning the names of your
friends' kids online, you should be sure that they are okay with that;
younger people are always the most vulnerable on an online platform.
As for your own privacy settings, you should do a
double-check since your page may be visible to all viewers, regardless of
whether they are a friend or not. Such public info, if it falls in the wrong
hands, may be used for nefarious activities like identity fraud.

Draw the line on what you put on the page

Make use of good security controls

There exist good network security products that enable you to provide
application control on FB and Twitter. A dedicated SSL application for
decrypting SSL traffic or a next-generation firewall are examples. Some of
these products would also scale based on the network performance
requirements.

Bring in an ally, in this case a good security control

Avoid unnecessary add-ons and apps

Quite frequently, you see games and apps that are promoted through social
media. Well, it does make sense, since almost everyone spends more time on
here than in the real world these days.
But the problem is not just that there might be an overwhelming number of
such utilities that are promoted; there may also be those that are promoted
with malicious intents by crooks. These apps may be promoted as things that
enhance the functionalities of your social network or something similar but
which in reality will be intended only for getting your sensitive information.

Avoid the unwanted, avoid a whole lotta headaches!

Be very sceptical about too-good-to-be-true offers

The social media is where you learn that your favourite nephew got a special
certificate for participating in the school's annual dance competition. It's
also where you learn that you can earn a hundred million dollars if only
you would follow the shared link and give certain information. Information
of the latter kind is most definitely bound to be spam. Sometimes, such
updates come from what appear to be reliable sources, like,
say, the Coca-Cola company maybe?
The bottom line is that whenever there's an offer that promises way
more than what your intuition tells you an offer should, or can offer, you
should be wary of it. Clicking on the link could compromise your internet
security. And be doubly careful if they ask for such sensitive information as
your bank account details. Before taking any action, check the website of the
company from which the offer supposedly originated and verify if they have
launched such an offer/campaign.
With these measures in place, your social life online ought to be safe and
secure. Enjoy the updates, respond with emojis, even the tongue-out variety,
and have no worries! Yeah, that's life, at least when there's no work to do.

Too good is not always for the good
74 Chapter #09

Secure your communication

Be it email, voice, or instant messaging, we'll show you how to keep all your
communications away from prying eyes.

Till about a couple of years ago, security, especially for normal
folks, was not a big concern. But the Edward Snowden exposé
revealed to the public for the first time the extent to which our
own governments are snooping on us and collecting our data.
As if this wasn't enough, there are also bad guys out there trying to break
into our private channels of communication. So what do we do?
There are many points of vulnerability when you are communicating
with someone, be it email, phone calls, or WhatsApp. This guide will teach
you how to plug all these holes and secure all your means of communication.

Internet
Wi-Fi router settings
Your Wi-Fi is your gateway to the vast internet. It is also what makes you the
most vulnerable. No matter what you do, a badly set-up router will remain
a big potential source of leaks. Follow these steps to secure your router:
1. Change the default admin password and the SSID of the router. Go to
192.168.1.1 and login using the default username and password you'll
find in the manual (or try combinations of "admin" and "administrator").
If you want to go a step ahead, turn off Wireless Web Access too. This
will make sure that only people inside your house with physical access
via a LAN cable can change these settings.
2. Change the Security mode under Wireless Security to WPA2 Personal
and use a strong password that doesn't have any dictionary words, and
has a good combination of alphabets, numbers and special characters.
WEP is old and relatively easy to crack.
3. Update your firmware regularly. New vulnerabilities keep popping
up and new patches and updates are regularly released. You can
do this either by going to your manufacturer's site and looking for
updates for your specific model or alternatively, checking for updates
under the advanced or administration settings tab in your router's
control panel.
4. Go a step further and install custom open source firmware like DD-WRT
or Tomato. Most of the stock firmware on routers is clunky and includes
many undocumented features and settings that can be exploited. There
are many guides available online that teach you how to install custom
firmware on your router. Link: http://dgit.in/DIYHckRtr

TOR
It's ironic that a project that was started by the US Navy has grown into
something that is used by everyone from whistleblowers, to activists and
privacy enthusiasts, to protect themselves and their identities from both the
bad guys and the snooping government. TOR, short for The Onion Router,
is right now being developed by a non-profit organisation dedicated to
developing online privacy tools.
TOR is so secure because it encrypts your data and sends it through
random nodes on the network to the destination. This makes sure
that anyone who is monitoring the traffic cannot trace any data
back to its source or destination. To use TOR, follow these steps:
1. The easiest and quickest way to use TOR is to download the TOR browser
for your operating system, which is basically a modified version of Firefox
with add-ons and features that connect it directly to the TOR network.
2. Download and install the software from the project's official site only.
3. Open Start TOR Browser.exe and a new window pops up asking if you
want to connect directly to the internet over TOR or want to configure
the settings.
4. Novice users should select Connect directly instead of trying to
configure the browser manually.
5. Check your IP address from both your normal browser and the TOR
browser, by going to www.whatismyip.com. If the two IP addresses displayed
are different then you are all set to go. Browse the internet anonymously.

TOR is the best bet to secure all your communication going in and out of your machine

VPN
A VPN (or Virtual Private Network) tunnels your entire internet connection
through a virtual local network. What this means is that all the data leaving
your computer is encrypted and goes through a network of computers,
protecting your privacy from people trying to snoop on you. VPNs are a
good choice if you are connected to the internet over some public Wi-Fi.
There are a number of free and paid VPN services out there which are easy
to download, install and use. Some of the good ones are:
1. OpenVPN server (free)
2. CyberGhost 5 (free)
3. Hotspot Shield (paid)
4. NordVPN (paid)
5. PureVPN (paid)

Web browser proxies

Web browser proxies don't encrypt your complete internet connection
but only whatever goes in and out of your Web browser. There are
a number of websites online that keep a list of active proxy servers
which you can use with your browser. Hidemyass and ProxyNova are two such
sites which have a long dedicated list of active proxy servers, with each
proxy's speed, level of anonymity and country of origin listed. Choose
one from these and set up your browser to use the same.
To use a Web browser proxy, do the following in your browser:
Firefox: Tools > Options > Advanced > Network > Connection > Settings
Google Chrome: Options > Settings > Advanced settings > Change
proxy settings
Internet Explorer: Tools > Internet options > Connections tab > LAN
settings > Use a proxy server
Once there, enter the port number and the IP address of the proxy server
you are going to use. If the proxy requires a SOCKS connection, go to the
advanced option and enter the settings.

PureVPN ranks among the best paid proxy services. It is also one of the fastest and most secure VPNs out there.

ProxyNova has a comprehensive list of proxies categorised according to countries

Cloud storage
Looking for the most secure way to share your files over the internet?
There are a number of cloud services available in the market. Almost all
of them provide their users with some free storage. But which one do you
choose when you want to protect your data not only from hackers but also
from the company that is offering you the service, so that it doesn't rat
you out? SpiderOak and Wuala are your top two choices.
SpiderOak offers you 2GB free, after which you can buy each additional
100GB for $10 a month, while Wuala gives you 5GB for free, after which
you can get 100GB for $12 per month. What these services offer, and their
more popular counterparts Google Drive and Dropbox don't, is that
they locally encrypt your files and then upload them. This makes sure that
even the companies and their employees themselves cannot access the files
they have stored on their servers.

SpiderOak prides itself in having Zero Knowledge about your data

You can also add an extra layer of security by encrypting the files before
uploading and sharing them. There are a number of software tools out there
which can do this, like 7-Zip. Follow these steps to encrypt your files using
7-Zip:
1. Download and install the software from its official site (www.7-zip.org).
2. Select the file(s) you want to encrypt and right click
3. Go to 7-Zip > Add to Archive
4. Set the Encryption method to AES-256 and enter a strong password that
is long and a good mix of alphabets, numbers and special characters
5. Click on OK and voilà, your encrypted archive is created.
Now share the file over cloud storage and share the password over some
other medium like email or IM.

Email
Email is one of the most used means of communication over the internet,
especially for important and sensitive information. Unfortunately, it is also
one of the most vulnerable ones. Email accounts are regularly hacked and
emails are routinely intercepted. Your email provider keeps a record of all
your emails, which they have to hand over to government agencies in many
cases. So what can you do to secure your email account? Read on to find out.
The emails you send don't only contain the text and attached files. They
also have a lot of metadata like your IP address. Email service providers
such as Yahoo and Hotmail don't hide this information, which makes you more
vulnerable. Gmail on the other hand hides your IP address and unlike the
former two, also encrypts the content of the mail. But it still keeps a record
of them. However, you can use the Secure Mail for Gmail Chrome extension
to encrypt and decrypt emails from right within your browser window.

SecureMail for Gmail is an extension that lets you encrypt and decrypt emails right
from your browser window
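
To see what metadata a message carries about its sender, this added example (not from the original guide) reads the headers of two constructed messages: one from a provider that records the client's address and one from a provider that records only that the mail was submitted through its web interface. All hosts and addresses are made up, using documentation ranges as stand-ins for routable addresses.

```python
import email
import ipaddress
import re
from email import policy

# RFC 1918 ranges: addresses that identify a machine inside a home or office LAN.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed message: the sender's provider records the connecting client.
LEAKY = """\
Received: from mail.example.net (mail.example.net [198.51.100.25])
 by mx.example.org with ESMTPS id abc123
 for <bob@example.org>; Mon, 03 Oct 2016 10:15:02 +0000
Received: from [192.168.1.23] (unknown [203.0.113.77])
 by mail.example.net with ESMTPSA id def456;
 Mon, 03 Oct 2016 10:15:00 +0000
X-Originating-IP: [203.0.113.77]
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Lunch?
Date: Mon, 03 Oct 2016 15:45:00 +0530

See you at one.
"""

# Constructed message: the provider notes only that the mail came in over the web.
HIDING = """\
Received: from mail.example.net (mail.example.net [198.51.100.25])
 by mx.example.org with ESMTPS id abc124; Mon, 03 Oct 2016 10:15:02 +0000
Received: by mail.example.net with HTTP; Mon, 03 Oct 2016 10:15:00 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Lunch?
Date: Mon, 03 Oct 2016 10:15:00 +0000

See you at one.
"""


def _ips(value) -> list:
    """Return (address, kind) for every valid IPv4 address in a header value."""
    found = []
    for text in IPV4.findall(str(value)):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # e.g. 999.1.1.1 or a version string
            continue
        kind = "lan" if any(ip in net for net in LAN_NETS) else "routable"
        found.append((text, kind))
    return found


def sender_metadata(raw: str) -> dict:
    """List what the headers reveal about the machine the mail was written on."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Each server prepends its own Received header, so the LAST one in the
    # message is the first hop: the sender's own provider seeing the client.
    received = msg.get_all("Received", [])
    if received:
        findings += [("Received", ip, kind) for ip, kind in _ips(received[-1])]
    for value in msg.get_all("X-Originating-IP", []):
        findings += [("X-Originating-IP", ip, kind) for ip, kind in _ips(value)]
    # The Date header's UTC offset hints at the sender's time zone.
    date = msg["Date"]
    offset = date.datetime.utcoffset() if date is not None and date.datetime else None
    hours = offset.total_seconds() / 3600 if offset is not None else None
    return {"addresses": findings, "utc_offset_hours": hours}


if __name__ == "__main__":
    for name, raw in (("leaky provider", LEAKY), ("hiding provider", HIDING)):
        print(name, sender_metadata(raw))
```

You can run the same function over the raw source of a message you sent to yourself to see what your own provider discloses.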

If you want to go a step further, use an email provider like RiseUp.
https://mail.riseup.net provides free email and is aimed at activists who
need a secure and anonymous means of communication. The company uses a secure
connection for both logging in and sending emails just like Gmail, and also
has very strict policies in place to protect their customers' privacy. But
the thing with Riseup is that you need two invite codes from existing users
to sign up. There are a number of other secure web services like Rmail,
Sendinc and Hushmail which provide a free limited account and a fully
featured paid account.
Infoencrypt is a website that lets you encrypt the text of your email.
All you have to do is enter the text and a strong encryption password and
it will encrypt the text using a strong encryption algorithm. Copy and paste
the text into your email, and share the key separately with your recipient.

Instant messenger
Instant Messengers are the quickest form of communication used in
today's world. There are a number of secure instant messaging applications
and services out there. The best options if you want to secure your
IM conversation are:

WhatsApp, the world's most popular instant messaging service, currently
owned by Facebook, added end to end encryption to its application
a few months ago. What this means is that the messages sent by you
are automatically encrypted and decrypted only by the receiver. This
makes it almost impossible for anyone snooping on your conversation
to intercept and understand the messages. Even the company itself can't
decrypt your messages. WhatsApp offers more than enough basic security
for the privacy conscious out there but it still lacks in places. The
company still keeps a backup of your messages on its servers and maybe
even logs your whole activity. Which means it is stored somewhere on a
computer. And if the data is stored somewhere it can be hacked. Switch
over to some other application if you want more security and privacy,
otherwise WhatsApp does just fine.

Download and use Pidgin: The application supports a number of existing
messaging protocols, letting you use your existing accounts with it easily.
Its main feature, though, is end to end encryption, which is activated
only after the Off-the-Record plugin is added.

Chatsecure is another free application for both iOS and Android that
helps you keep your messages private. It does this by using various open
source cryptographic libraries along with OTR and Tor.

Silent Text is one half of the Silent Circle software package that lets
you send secure, encrypted voice, video and text communication. The
software comes at a price of $12 per month and is one of the best in
the market.

TextSecure for Android and Signal for iOS are a pair of secure SMS / IM
applications by the company WhisperSystems. TextSecure integrates
with your default Android messaging application and automatically
encrypts the message you send to another TextSecure user. Signal,
the iOS application, does not integrate with the system like its Android
counterpart does, but works the exact same way. Also, the two apps can
be used to securely communicate with each other. Both the applications
are freely available on Google Play Store and iOS App Store.

Telegram is another good option for people looking to securely
communicate with their friends and families. The creator of the application
describes it as "WhatsApp but encrypted, cloud based and faster". The
application also has the features that a good IM app has, like sharing
media and messaging up to 200 people at once, but it is its security
features that set it apart. The application not only uses end to end
encryption, making your communication safe and secure, but also has
a secret chats feature that leaves no trace of your communication on
the Telegram servers. You can also set a time for automatic deletion
of your messages.

Call
The Edward Snowden leak brought NSA's infamous PRISM program
to the limelight, making the world realise the extent of invasion of
privacy that governments have been involved in. So how does one make a
phone call without being afraid that each and every word you say is being
recorded somewhere? Simple. Use one of the following applications:

Redphone (Android only) - An application by the same WhisperSystems
who developed TextSecure and Signal, Redphone lets you make
free encrypted calls through your Android phone over the internet.
The application encrypts everything from your data to the metadata
attached to your call, shutting out everyone trying to eavesdrop on the
conversation, be it the government or a hacker.

Silent Phone (iOS and Android) - The paid application lets you make
secure and encrypted phone calls between Android and iOS too. Also,
the Silent Phone user can call non-users with it, where only one side
of the conversation will be encrypted.

Ostel (iOS and Android) - Another paid application, Ostel uses Open
Secure Telephony Network to make encrypted calls across platforms.
All you have to do is create an account on Ostel.co and download the
application for your device (CSipSimple for Android, Groundwire for
iOS and PrivateGSM for Blackberry and Nokia for those who still use
them). Once downloaded you are all set to make secure encrypted calls
to other Ostel users.

Ostel lets you make secure and encrypted phone calls between android and iOS

Video conferencing
Microsoft's Skype and Google Hangouts, two of the most used video
conferencing tools, both encrypt your communication, making it safe from
prying hackers. But your whole communication goes through the servers of the
companies, where it is also logged and stored. This information in some
cases could be revealed to the government agencies.

Even though Skype encrypts your communication, it still stores the data and logs on their
servers making you and your data vulnerable

The best and most secure video conferencing tool out there right now is
Bitmessage, a complete email suite. Based in part on the bitcoin principle,
the service encrypts all its communication data and metadata, and can also
be used with TOR. You can download its official client called PyBitmessage
with a built in video conferencing tool.
Facetime, the competitor by Apple, provides end to end encryption, but
the company is known to regularly comply with court orders and government
agencies.
Also, there are a number of paid software out there like OmniJoin and
BlueJeans that provide safe and secure cloud based video service.
84 Chapter #10

Secure your cloud data

Though every service promises security of your data, this security has far
more facets than those which meet the eye

Remember one of your friend's birthday when you planted face-first
on the giant pizza and your best friend took a snap of that
moment? Well, you did ask your friend to put it safe on the cloud,
so it should be fine, right? Or not?
Cloud storage and online backup have now become household terms.
We use it to save our important documents which we want to make available
everywhere or simply share our favourite moments with others.
Cloud-first has also become a primary part of a lot of businesses' strategies.
The productivity ease and versatile storage capabilities make it a lucrative
technology to invest in. But even with such widespread acclaim, most of
us fail to consider the underlying truth about the internet. Nothing is safe.
Or at least not safe forever.
In the light of this revelation, encryption becomes a guardian for everyone.
But the trouble is, encryption and online security have many layers
to them and therefore it's easy to get fooled into believing that your data is
being kept secure. This security could mean any level of security. Most of the
popular services such as Dropbox lack substantial security measures to
truly make your data private. Plus, the lack of HIPAA compliance, which
protects your medical information from being openly available, is also not
given much importance. But there is always a silver lining on the internet.
Here are some services which actually provide security to your data.

pCloud is a Swiss service which inherently means extreme privacy. To
increase the confidence of people, they even hosted a challenge to hack
their system within 6 months. Interestingly no one was able to take the
prize of $100,000 home. Next thing you notice is the generous amount of
free storage the service provides. 20GB! Sharing the files is just a right-click
away. But the service lacks a View only feature and the ability to allow
multiple users to edit the files simultaneously. Also, instead of creating
shared folders similar to what other services do, pCloud sends upload links
to all users. There is also a nifty Facebook and Instagram data backup
feature if you're into it. The business plan offers storage space to every
member of the team along with a coming soon feature which'll enable custom
branding.

Pricing:
Free - 20 GB
Premium - US $3.99/Month - 500GB
Premium Plus - US $7.99/Month - 2TB
Business - From US $50/Month - From 5TB (multiple users)

Sync.com is an excellent choice in almost everything. Incredible security,
easy to use, superior control of file sharing permissions and great transfer
speeds. The service works in a common manner. Create an account, download
the client, drop files into the unique folder and the service does the rest.
The ability to set expiry dates for folders, put download limits, wipe accounts
remotely, save audit logs, have access to unlimited versions and HIPAA
compliance make it a wonderful choice for businesses as well. Although
only the latter two are available in the free account. Downsides? The desktop
client poses limitations in sharing options and often requests opening of the
web version. The single sign-on helps considerably in this matter though.
Also, the mobile app and web version lack the ability to upload folders.

Pricing:
Starter - Free - 5GB
Business Pro - US $49.00/Year - 500GB
Business Pro - US $89.00/Year - 2TB

E-box is a service which is best kept for businesses. Everything from
complexity of the features to pricing modules says it all. E-box boasts of a
web interface which is simple and able to run on all interfaces, plus there
are no software installations required. The experience here is actually a mix.
There is also a robust grouping system. This allows some really great
permissions and file sharing customization. There is also an extremely
detailed auditing system, which records every single action performed by
every single user with timestamps. The security is almost impossible to crack,
but giving the ability to manage keys personally would have been a more
powerful option. Sharing files or folders requires the other user to have an
E-box account; there is no way to share public links. The interface doesn't
provide any preview or a quick access menu. This, coupled with a complicated
UI, especially during initial setups, can be a major setback. Although there is
an interactive wizard to help you around a bit. E-box might lack a huge
deal in terms of user interface, but it fills that void with its richly detailed
features which allow an exponential amount of customization.

Pricing:
Business - 5/Month/User - 1TB/User (multiple users)
Private Cloud - From 1,000/month - Customized

SpiderOak One sacrifices usability for extreme security. This one's for
people who don't care much about anything other than security and privacy.
SpiderOak calls this the Zero-Knowledge Guarantee, where the user owns the
encryption keys. Every file is locally encrypted on the user's computer
before being sent to the server, making it nearly impossible for anyone to
peek in. Along with a highly secure storage service, One also provides a
backup service, which while being highly secure is a bit complicated. There
is no actual Restore button; instead you're forced to download the files and
folders to a location of your choice. An ability to automatically download to
the original location is missing. Also, there are no step-by-step wizards to
guide you along the way. From the perspective of user interface the service
leaves a lot to be desired. But as mentioned before, this one's a mighty
contender for security. Unlike most sync services, One doesn't require you to
create a separate folder; instead you can choose any of your existing folders
to be enabled for syncing.

Pricing:
2GB - Free - 60-Day trial
30GB - $7/Month or $79/Year
1TB - $12/Month or $129/Year
5TB - $25/Month or $279/Year

Now, sometimes, for some reason, you cannot leave your existing service.
Maybe you have your work ecosystem set up or you're not ready to leave
the interface of your comfort. For such scenarios we have the following
services which add local encryption to your files while you upload.

Boxcryptor encrypts files or folders and turns them into a .bc format which
can then easily be either uploaded or synced using any cloud storage service.
Boxcryptor works wonderfully with any service that uses WebDAV. While
you set up the client, Boxcryptor needs to be pointed to a safe folder, which is
basically your existing cloud syncing folder. To view an encrypted .bc file,
Boxcryptor needs to be mounted on a drive. Paid versions allow filename
encryption as well. The company package provides the master key and
allows enforcement of policies.

Pricing:
Basic Features - Free
Unlimited Personal - US $48/Year
Unlimited Business - US $96/Year (multiple users)

Viivo is similar to Boxcryptor: it locally encrypts the files. A little
advantage here is that during installation, Viivo recognizes installed storage
services and sets them up respectively. Instead of mounting a drive, a folder
is created. The Pro version also includes multifactor authentication.

Pricing:
Personal - Free
Business - US $4.99/Month (multiple users)

Finally, cloud backup services. Cloud backup is a little different from cloud
storage. Where in storage you pick out files and folders to be put on the
cloud to access later, in backup essentially a copy of your whole computer
(excluding the OS) gets backed up on the cloud. Yep, these are the big boys
of the town.

Although IDrive doesn't provide unlimited backup, it does come with an
extensive amount of features and customization, though they might become
too confusing at times. It also allows creation of backup sets to ease
management of your backups. IDrive allows automatic sync and even file sharing.

Pricing:
Free - $0.00/Year - 5GB
Personal - US $69.50/Year - 1TB
Personal - US $139.00/2 Years - 1TB
Personal - US $499.50/Year - 10TB
Personal - US $749.25/2 Years - 10TB

Crashplan provides unlimited cloud backup. In fact, it's considered truly
unlimited. Apart from all the data, it backs up every version and even
every deleted file. It supports hardware backups like from a NAS. You are
also given full control of your keys. The only major setback is the transfer
speeds: for large-scale backups, the service takes hours to both upload and
restore the data. A point to be noted here is that the free service only allows
managing of local and offsite backup with a 30-day trial of online backup.

Pricing:
Free - US $0.00/Month
Individual - US $5.00/Month
Family - US $12.50/Month (multiple users)
Work - Customizable (multiple users)

Storage has been an integral part of our society since we learned to procure
things. Now we can even make digital copies of almost everything. The
advancement of the internet has truly boosted our ways of storing information.
Although with this advancement came the risk of cyber thefts, thankfully
we're not hopelessly vulnerable. Prevention, another integral part of us,
gave rise to encryption and other forms of digital security. It's time we
embrace them.
Chapter #11
Secure your website

Be it a blog started on a whim, or your business e-commerce website, if you
haven't secured your website, you're taking a huge risk

Businesses are increasingly moving online and we are already
at a point in time where established physical stores and offices
are shutting down to give way to online businesses. And on the
other hand, due to the ease of setting up a website with one-click
solutions, small businesses and individuals are using the power of the
internet to maximise their reach. But this ease comes at the cost of website
security, which is often overlooked or left to the vendor. We are not saying
that the vendors cannot provide security, but there is a catch. Take the popular
website CMS platform WordPress. Every hacker worth his money knows
the default settings, usernames, login URLs, directory structures and more
about WordPress. So leaving security entirely to the CMS or website vendor
is not exactly brilliant. There are quite a few things you need to take care
of to ensure that months of hard work from your side to set up the website
do not go in vain.

The hiding part

From the early days of war and espionage until today, hiding your presence
and details has always been a crucial tactic. Just think
about it - how does one take something down when they don't know what it
is in the first place? The same reasoning applies to the details of the
content management system at the backend of your website.
As mentioned earlier, the default details about most popular CMS
options are very well known to hackers, and without additional protection,
they are quite easy to hack into using standard well known methods.
By just retaining the default folder structure, you would be handing over
the access to your login URL on a plate. Nowadays most popular CMS
providers allow renaming the default folder structure, including the
administrator folders. And the best thing to do with that freedom is to
go crazy and name them something that only you (and the other people
with the authority) can guess.
For the very same reason, also change the default username. This is not
what is going to stop all the hackers out there, but it might be just enough
to discourage the impatient ones.

Use a web firewall

Most of our digital devices, like our PC, laptop, smartphone etc., are now
secured with some kind of digital protection - mainly antiviruses and
firewalls - because we are more aware of the possibility of an attack on those
devices. What we often overlook is the fact that our website is also stored
on a physical server somewhere, be it a dedicated server that you have set
up, or the standard server provided by your CMS vendor. In both cases,
setting up a firewall is not only good, it is essential.

Figure: A typical WAF layout

A web application firewall (WAF) is a server plugin or a physical device
that sits in between all incoming traffic and your server. Its most basic job
is to monitor all the traffic that tries to reach your server. There is a certain
set of rules that each WAF follows to allow or block traffic at the checkpoint.
It is especially good with HTTP traffic and can detect XSS (Cross-site
scripting) and SQL injection attacks quite well and can also be configured
to deal with additional, more sophisticated types of attacks. As we said
earlier, this can be deployed at both the physical as well as online level.
There are quite a few vendors with competitive offerings, and we suggest
you check Amazon's AWS offering.

Check file extensions

This might feel insignificant until you understand the true possibilities. If
your website allows files to be uploaded, then there is most probably a way
to use that process to gain control of your backend. For example, if your
website requires the user to upload an image (for profile pictures, document
verification etc.) and renames the file using the user ID, then the user
can check the URLs of a few consecutive image uploads to figure out the
directory address and naming pattern that the upload follows.
Then, instead of uploading an image, the same user can upload a shell
file (think of it like a backdoor access to servers; somewhat like a cPanel
within a PHP file). Now, when the user hits that URL, instead of getting
the image he would get a control panel that would let him take multiple
actions that could create a lot of chaos at the very least.
A simple way to make sure this does not happen is to enforce a check
for filetypes being uploaded. To reduce the overhead, the check should
ALLOW only certain file types and block everything else. Also, this block
should not happen on the user end, as then it can be easily detected and
worked around by looking at the source of any page. On the other hand,
in no situation should the file be brought to the back end.
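
A server-side allow-list check along the lines described above, as an added example in Python that is not part of the original guide. The function name, the permitted types and the sample inputs are assumptions; it also checks the file's leading bytes and stores the upload under a random name, which goes beyond the extension check the text asks for.

```python
import os
import secrets

# Allow-list: permitted extension -> magic bytes the file content must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample inputs (not real files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"<?php echo 'hello'; ?>"


class UploadRejected(Exception):
    """Raised when an upload fails the server-side checks."""


def accept_upload(client_filename: str, content: bytes) -> str:
    """Validate an upload on the server and return the name to store it under."""
    # Judge only the final extension, so "avatar.png.php" is treated as .php.
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allow-list")
    # The extension is client-controlled, so also check what the bytes are.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared file type")
    # Never reuse the client's name or a user ID: a random name leaves no
    # pattern to read off consecutive upload URLs.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print(accept_upload("me.png", SAMPLE_PNG))
    for name, data in [("shell.php", SAMPLE_SCRIPT), ("shell.png", SAMPLE_SCRIPT)]:
        try:
            accept_upload(name, data)
        except UploadRejected as err:
            print(name, "rejected:", err)
```

Accepted files are best stored in a directory where the web server does not execute scripts.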

Transport Layer Security vs Secure Sockets Layer

If the two terms above seem alien to you, just look at their abbreviations -
TLS and SSL, the two protocols used for establishing secure and verified
connections between websites, apps and web servers. And you clearly need
to choose one over the other.
SSL is the precursor to TLS and although it is more widespread, it is
definitely less secure. Recently, the POODLE vulnerability in SSL 3.0 was
exposed, which allows access to sensitive information like passwords, cookies
and more. This has caused a widespread shift to TLS and this one time, you
should follow the crowd.

Figure: The exchange involved in a TLS authentication

When setting up your website, make sure that you manually configure your
webserver, especially if you are going to deal with sensitive information like
the ones mentioned above. And when you do, definitely go for TLS 1.2 even if
it comes at an added premium.

Request validation
Some of the simplest website (and account) hacks have been done through
request alterations, even directly in the URL. Quite recently, someone
exploited a YouTube vulnerability that involved request alteration. Before
we go further, let us make it clear that "request" here is the method used by
HTTP to communicate with the server/backend (the intricate details about
the workings of HTTP are best left for another Fast Track).
What the person did was quite simple. When he tried to delete his
own video, he simply altered the POST request generated at that point by
replacing his video's ID with a target video ID. This caused the target video
to be deleted and understandably created a lot of panic among YouTubers.
Something very similar could be easily executed on your website.
There are extensions and browser plugins that allow you to tamper with
POST (and other) requests, like Tamper Data for Firefox and Postman for
Chrome. Hence it is quite easy to exploit most websites using this method.
To avoid this, simply associate a random value with the user's session when
they log in (brownie points for you if you make this value hard to guess).
Store a copy of this value on the server side too. With every POST request,
include this value for validation, and reject any request where the two don't
match. With that, you've just made your website a lot safer.
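
The per-session value check described above, as an added example in Python that is not from the original guide; the function names, the in-memory stores and the sample videos are assumptions. It goes one step beyond the text by also checking that the logged-in user owns the video, because a request altered inside the user's own session still carries that session's valid value.

```python
import hmac
import secrets

SESSIONS = {}                               # session_id -> {"user", "token"}
VIDEOS = {"v100": "alice", "v200": "bob"}   # constructed data: video_id -> owner


def login(user: str):
    """Create a session and the random per-session value the page describes."""
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)       # unguessable, kept server-side too
    SESSIONS[session_id] = {"user": user, "token": token}
    return session_id, token


def handle_delete(session_id: str, submitted_token: str, video_id: str):
    """Process a 'delete video' POST; return (HTTP status, reason)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    # Compare the value sent with the POST against the server's copy,
    # in constant time.
    if not hmac.compare_digest(session["token"].encode(), submitted_token.encode()):
        return 403, "token mismatch"
    # The token only proves the request came from this user's own session.
    # An ID altered inside a valid session is caught by checking ownership.
    if VIDEOS.get(video_id) != session["user"]:
        return 403, "not the owner"
    del VIDEOS[video_id]
    return 200, "deleted"


if __name__ == "__main__":
    sid, tok = login("alice")
    print(handle_delete(sid, "guessed-value", "v100"))  # (403, 'token mismatch')
    print(handle_delete(sid, tok, "v200"))              # (403, 'not the owner')
    print(handle_delete(sid, tok, "v100"))              # (200, 'deleted')
```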

SQL injection
For any poorly coded website, SQL injection is the easiest way to play havoc
with their work. For most such websites, login information is handled in an
SQL query. A normal user would enter their credentials which would be
consequently authenticated. But a hacker could enter a very specific string
that would change the logic of your authentication code to grant him access
to the first account of the database, which is usually the administrator.
Take the following code for example.
SELECT id FROM users WHERE username = '$username' AND password = '$pwd';
If the hacker enters the username as 1' OR 1=1; -- and any password, the
statement is executed as
SELECT id FROM users WHERE username = '1' OR 1=1; --' AND password = 'any password';
The double dashes indicate the beginning of a comment, hence the
password statement is ignored, and the user gets logged into someone
else's account.
To avoid this, you should use the mysql_real_escape_string() function
(for PHP version < 5.0) or start using mysqli (for PHP version >5.0). Both
of them will filter out the unwanted characters and stop the hacker from
exploiting the vulnerability.
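
The page's login query beside a parameterized version, as an added example that is not from the original guide. It uses Python's built-in sqlite3 as a stand-in for PHP and MySQL, writes the quote characters around the inputs out explicitly, and the table contents and function names are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed accounts; id 1 is the administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plain-text passwords only mirror the page's query; store hashes in practice.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "admin-pw"), ("bob", "bob-pw"), ("o'brien", "ob-pw")],
    )
    return conn


def login_vulnerable(conn, username, pwd):
    """The page's query: user input is pasted into the SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{pwd}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, pwd):
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, pwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR 1=1; --"   # the page's injection string
    print(login_vulnerable(db, payload, "any password"))  # 1
    print(login_safe(db, payload, "any password"))        # None
    print(login_safe(db, "o'brien", "ob-pw"))             # 3
```

With bound parameters the same string is only ever compared against the username column, and a legitimate name containing an apostrophe still logs in.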

Figure: The example on a login screen

Backup - Always!
Not all security involves building the strongest walls and the biggest
turrets. A strategy for when the enemy does get through the gates is
equally important. And when it comes to your website, backups are your best
friends.
On the rare chance that you actually lose your website, re-building it from
day zero might be daunting enough to make you give up. To avoid that, go
for regular backups. Use some reliable FTP tool like FileZilla to back up your
entire website directory (folders, subfolders, files and everything in there)
and put this backup somewhere safe online like Google Drive or Dropbox.
And if you have any database associated with your website, back that up as
well. All of this will be on top of the regular server side backups that your
CMS provider takes. When in doubt, back up again.
