Post Equifax computer security

Some thoughts on computer security post-Equifax.  Equifax is different from, say, the 2013 Yahoo hack that stole usernames and passwords.  Equifax has a full file of your social security number, your driver's license number and a collection of your assets, loans and bank accounts.  Yup, they have been collecting data on each of us for years.  So someone could impersonate you with all this stuff and you might not know it.
  1. Your biggest risk might be getting your email account hijacked.  Use your smartphone and turn on two-factor authentication for your Google account (which includes Gmail).  It's a pain in the ass, in that any time you log into Google from a new computer (or one you haven't used in a while), you need to verify it on your smartphone.  https://www.google.com/landing/2step/. So enable it on your Gmail account.
  2. Use a damned password manager, REALLY. Use  https://www.lastpass.com/.  http://lifehacker.com/5529133/five-best-password-managers. Install the browser helpers so you can easily log into things.  The password to this should be a long passphrase with things you'll remember like:  MIssBogigianChandlerWells1978. Every year LastPass will want you to pick a new passphrase, BUT IT'S one of the only passwords you need to remember!!!!  Here is a list of the most common passwords; '123456' is the current favorite, and yes, these are the first a hacker will test.  Also, the current standard is for your password to be hashed (one-way "encrypted") and then stored; if the holder of this password is hacked, your hashed password will be compromised.  If you used a dictionary word or VARIANTS of that word then you're at real risk of being hacked, since hackers will hash the entire dictionary and compare each word with your hashed password.  And yes, they know that an @ is a common replacement for an 'a' and they will test those also.
  3. Once you're using a password manager, make sure Chase (or other banks), investment accounts, etc. are all using STRONG passwords.  Like 16 characters of garbled nonsense.  Use this on any account where you'd like to keep the information; ever thought about someone hacking your airline miles? If it's a concern then it should have a strong, computer-generated password.
  4. Also, once you're using a password manager, set a password on your computer (or all your computers if you have more than one), and set a code to unlock your smartphone and tablets.  Logging into LastPass is sticky, and if you don't have a computer password someone might get access to LastPass by stealing your computer.
  5. The answers to common 'security' questions are now easily accessible to hackers (post-Equifax).  Mother's maiden name? Street name of the house you grew up on?  Don't answer truthfully!  For each site that asks, add your answers to the secure notes of your password manager.
  6. Use two-factor authentication for Facebook and Twitter.  This works by forcing you to verify a login on a new computer via your smartphone.  Generally these systems send an authorization code via your cell number.  This will protect your social media profiles from being hacked.  If you use two-factor authentication, you might want to change your iPhone Messages settings so that the authorization code can't be seen on the lock screen without typing your PIN or using your finger.  Also, if you're going to be out of the country and using a different smartphone SIM, you need to be aware that this will make this process more difficult.
  7. Your default password that you have used everywhere since the dawn of time is already hacked.  You lost it when Yahoo was hacked 7 years ago, and if you didn't lose it to Yahoo, someone else compromised it.  After you've gotten used to using the password manager, have it search your passwords for duplicates.
  8. Have an active home backup strategy.  Yup, not just a disk once a year, but an actual regular backup.  For Mac users, you can install a network disk in your home that Time Machine will use.
  9. Consider a network backup strategy, or using Dropbox as a backup and paying for more storage.
  10. Use a virus scanner.  One that runs every day.  Even for a Mac.  I use ClamXAV (others have recommended Avast), but pick one and use it.  This will attempt to protect you from ransomware.  There are millions of PCs (called zombies) which have been taken over by hackers, many without the knowledge of the owner.  From Webroot security: "As of August 2011 there are between 100-150 million computers worldwide (out of 600 million PCs on the Internet) infected with bots and under the control of hackers."
  11. UPDATE YOUR SOFTWARE! Always! Most software is built on some open source software that allows anyone to read the code, this means that hackers can study this code and find interesting ways to break it.  The producers of software are in a race with hackers to close the loopholes.  By the time you get an update, you need to install it ASAP to be safe.
  12. Set your smartphone to automatically update software, if you can’t set this, consider replacing your smartphone.  Several cheap smartphones have a fixed version of the Android operating system which is un-upgradable.  This means this phone is a target for hackers who can exploit the bugs in that particular operating system.
  13. Never trust email.  Ever.  Be skeptical about every single email you receive and NEVER click on a link embedded in the email.  Everything in email can be created and spoofed: who it's from, who sent it, etc. etc.  Nothing is verified.  In government tests, up to 50 percent of employees were conned into logging into a site which stole their login credentials.
  14. Specifically for Equifax, Step 1:  You want to gain control of your US Social Security account and assign it a secure password so hackers can't access it and, say, change your mailing address.  You need to go to my Social Security and create an account if you're not already online with the SSA.  The US Social Security Administration uses Equifax to verify who you are, so do this BEFORE you lock down your Equifax account.
  15. Specifically for Equifax, Step 2: There are four credit agencies: Equifax, Experian, Innovis, and TransUnion.  If you have assets of more than a year's pay to protect and have an excellent credit rating, and therefore would be a target for someone with your personal information, you can, as I understand it, spend $10 per year per person (Equifax just waived this for US customers) and ask EACH agency to place a security freeze on your credit file.  This blocks NEW creditors from being able to 'pull' your file unless you unfreeze it for them.  This means that someone cannot ask for a loan for a property in the next state without you realizing it. https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/  . These companies are using weak PIN algorithms, so you need to have good email security (see step 1) to stop a hack.
  16. When traveling, limit the use of computers you didn’t take to only googling information, NEVER LOG IN TO ANYTHING, including google.  If you have your own computer, investigate using a VPN so that everything will be encrypted back to the US.
  17. Try to be anonymous; don't tempt fate.  Don't be cute and respond to Nigerian email scammers, and don't infuriate phone scammers.  We live in a world where being anonymous has value.  If a hacker wants to hack you, I believe that he or she can be successful.  The trick is: don't wave a red flag in front of a charging bull.  Go ahead and google your home phone number; my result lists my kids.
  18. Buy your software.  Don’t get ‘free’ versions of paid software: hijacked copies of Photoshop come with viruses.  Only put software on your machine that you trust, either by reputation or by purchase.
  19. Don’t mess with the dark side.  Using Bit Torrent, Pirate Bay, IpTorrents etc. to download pirated movies and software is asking for a train wreck.  If you have teenagers, make sure they are using antivirus software and ‘encourage’ them to not mess with the dark side of the web.
  20. If you have your own personal website: NEVER host it on your personal computer; you're asking to get hacked.  If you're using a web service and common software like WordPress or Drupal, make sure you log in as an administrator and update the software WEEKLY.  Also find a way to secure the administrative login; computer bots attempt to log in many times a day for every website on the web.
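To make the dictionary-plus-variants point in item 2 concrete, here is an added example (not part of the original post) that flags passwords a cracker's dictionary pass would recover and generates the computer-generated kind item 3 recommends. The word lists are constructed stand-ins; real common-password and dictionary lists run to millions of entries.

```python
import secrets
import string

# Constructed stand-ins for the "most common passwords" list and the
# cracker's dictionary the post describes (assumption: real lists are huge).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"password", "sunshine", "dragon", "monkey", "welcome"}

# The substitutions a cracker also tries ('@' for 'a', as the post notes, and friends).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was built from:
    drop trailing digits/symbols, undo leet substitutions, lowercase.
    'Sunsh1ne2017!!' -> 'sunshine'."""
    base = password.rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP).lower()


def is_weak(password: str) -> bool:
    """True if a dictionary-plus-variants pass would likely recover this password.
    Short passwords are weak regardless: the whole keyspace can be brute-forced."""
    if len(password) < 12 or password in COMMON_PASSWORDS:
        return True
    return normalize(password) in DICTIONARY_WORDS


def generate_password(length: int = 16) -> str:
    """The '16 characters of garbled nonsense' for bank and airline accounts,
    drawn with the secrets module so the output is cryptographically random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["123456", "Sunsh1ne2017!!", "MIssBogigianChandlerWells1978"]:
        print(f"{candidate!r}: {'WEAK' if is_weak(candidate) else 'ok'}")
    print("generated:", generate_password())
```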

Another thought about computer risk, always use https: instead of http when possible.  Also, avoid using random computers when traveling (like in coffee shops in Thailand) for anything other than simple google searches.  If you want to check your bank account, bring your laptop and use a VPN to connect to the US.

Updated 9/24/17
