If there isn’t such a thing as an Internet Safety class, there should be one. In some US states, it’s required in high school: education department teaching materials include documents such as “Sexting: Implications for Schools” and “Cyberbullying and School Policy”. These are the digital equivalent of a self-defence class. Common online threats are less sensational – and, thankfully, preventable. Though the problems are technological, the solutions are behavioural. Just five rules can help anyone stay safe online.
by John Herrman
Change your passwords
“Change your passwords” is the “eat your vegetables” of the tech world – we all know we should do it, yet most people don’t. But changing passwords addresses only part of the problem: there’s not much point in switching to new passwords if they’re not good ones, or if you’re using the same one for every account.
What you’re trying to fend off isn’t some hacker hellbent on guessing or decoding your password; a more realistic concern is that, when a large Web site you use gets hacked, an opportunistic criminal could take the leaked information – your username, e-mail, and password – and try it out on other sites.
An ideal password strategy looks something like this: new, 20-character alphanumeric passwords for each of your online accounts every month. A more reasonable strategy might look like this: new, six-character alphanumeric passwords for each of your accounts every three months. No strategy is foolproof, but no strategy is foolish.
Learn e-mail forensics
It’s always a little funny to get an e-mail from a bank you don’t use, asking for information about an account you don’t have. This kind of scamming, or phishing, is often clumsy to the point of absurdity.
What’s less funny is when the bank is your bank, and the e-mail looks legitimate. Some phishing scams replicate organisations’ e-mails exactly and even spoof e-mail addresses. There are a lot of ways to identify this advanced kind of phishing attack, but there’s one technique that’s guaranteed to work: checking e-mail headers.
Think of e-mail headers as breadcrumbs showing the path of the message from its origin. The method for finding headers differs from program to program, but it’s usually somewhere in the View menu – in Gmail, it’s labelled Show Original and hidden in a drop-down menu for each e-mail. Once you see the headers – they look like lines of code – look for a line that says “Received from”. If the address doesn’t match the organisation the e-mail is allegedly from, you’ve hooked a phish(er).
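The header check described above, as an added example that is not part of the original article: the lines to read are the "Received:" headers, and only the ones written by your own mail provider can be relied on, since a sender can forge any below them. The message, hosts and addresses are constructed, and the Postfix-style line format and the provider domain passed to check() are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article); every host and address is made up.
# Received lines are prepended in transit, so the newest hop is at the top.
SAMPLE = """\
Received: from mx.mailprovider.example (mx.mailprovider.example [192.0.2.10])
\tby inbox.mailprovider.example with ESMTP id abc123;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from examplebank.example (unknown [203.0.113.77])
\tby mx.mailprovider.example with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from mail.examplebank.example (mail.examplebank.example [198.51.100.5])
\tby relay.forged.invalid with SMTP id zzz999;
\tMon, 1 Jan 2024 09:59:59 +0000
From: "Example Bank" <alerts@examplebank.example>
Subject: Verify your account

Please confirm your details.
"""

# Assumed Postfix-style hop: "from <claimed name> (<reverse DNS> [<IP>]) by <server>"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\).*?\bby\s+(\S+)", re.S)

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def hops(msg):
    # (claimed, rdns, ip, by) for each parseable Received header, newest first
    found = (HOP.search(value) for value in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def check(raw, provider_domain):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Keep only hops recorded by the reader's own provider; the oldest of
    # those is where the message was handed over by the outside sender.
    trusted = [h for h in hops(msg) if in_domain(h[3], provider_domain)]
    if not trusted:
        return {"from_domain": from_domain, "handoff": None, "matches": False}
    claimed, rdns, ip, _ = trusted[-1]
    # Compare the name the provider looked up (rdns), not the name the sender claimed.
    return {"from_domain": from_domain, "handoff": (claimed, rdns, ip),
            "matches": in_domain(rdns, from_domain)}

if __name__ == "__main__":
    print(check(SAMPLE, "mailprovider.example"))
```

A legitimate organisation may send through a third-party mail service, so a mismatch is a reason to look closer rather than proof on its own.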
Cover your tracks
Free Web sites are supported by ads, and Web ads are much more valuable to the advertiser if they’re well targeted. Using files called tracking cookies, websites gather information about your browsing habits to serve relevant ads elsewhere. Searching for a product on Amazon can result in ads for that product appearing on Google. Search something on Google and you might see it again on Facebook.
The best way to stop this tracking is to install a browser add-on. Firefox users can download a free extension called Priv3 that limits the ability of social networking sites and search engines to track your online movements. Chrome users should try Adblock Plus, which can be used to prevent tracking or block ads altogether. (Remember, though, most of your favourite sites depend on ad revenue to survive.)
Insist on encryption
A typical interaction with a Web site goes like this: you either click on something or enter text into a box. This information is then sent over your Internet connection – often through a Wi-Fi network – to the Web site you’re looking at. The problem with this system is that the information sent back and forth between user and site, including passwords, can be exposed to other people on the same network. The availability of free “packet-sniffing” tools, such as the Firefox extension Firesheep, has made stealing information on public networks (coffee shops, airports) frighteningly easy.
Legitimate sites that request private information will almost always use something called SSL, which is a protocol for encrypting data before it’s transmitted from user to website and vice versa. A site that’s using SSL will have two qualities: its URL will start with https instead of http, and there will be a small padlock icon next to its URL in the address bar of your browser. If the lock is broken, or red, the site’s SSL certificate – which must be issued by a trusted third party – is either expired or invalid. In other words, your data is not safe.
Some sites that support SSL for logins and transactions might not support it for all site functions. To trick a site into using SSL, simply add an “s” to the “http” in the URL. If the site supports SSL, your inputs will be encrypted. (Firefox users can install the “HTTPS Everywhere” add-on, which automates this process.)
Manage your identities
Anything you post on a social network can be used against you in a court of… well, anywhere with an Internet connection. On your Facebook page, or your Twitter feed, or your LinkedIn account, exercising caution is common sense.
As they’ve become more popular, these social networks have grown deep roots in the Internet. Countless third-party sites depend on users’ Facebook accounts, Google logins, and Twitter handles to register for new services or to leave comments. If you’ve logged in to a site using an account that’s associated with your real name, you should assume that everything you post can be traced back to you, be it a silly joke or an overly casual comment.
If you don’t want to use your real name to, say, comment on a news story, see if the site allows you to create a separate account with an e-mail address. If a site requires a social network account, make a dummy. Twitter and Google don’t mind if you set up an account with an alias. Facebook doesn’t allow it, but they don’t really check either.