Okay, so it probably wasn’t you. It was probably some friend of yours that has been ignoring your advice on security for years and just got a call from their credit card company telling them that a new card was being issued due to “suspicious activity”. Maybe something was posted on Facebook under their name. Maybe they’ve just spent their third week trying to remove a piece of malware and are tired of playing whack-a-mole.
In any case, you are now faced with having to tell your friend what to do and what not to do to prevent such a thing from happening again. This post summarizes the top four things both to do and not to do so you can give it to your friend and go on to more important tasks like catching up on Daredevil on Netflix. (Note: at the time of this writing, I am only halfway through the season and may well be embarrassed by this reference in a few weeks.)
4 things to do if you’ve been hacked
Whatever operating system you’re running, keep things patched. This applies to Windows and OSX, but also applies to Linux, Android, iOS, and Windows Mobile. Do not wait for the system to tell you that it needs to be patched; once a month, spend a few minutes checking. If an attacker takes over your system, the first thing they’ll do is disable the automatic updates so an update doesn’t later kick them out.
In addition to patching your operating system, you should also pay attention to critical applications. Some applications are common targets for attackers and while the average person cannot be expected to check every single application that they install, they can check a list. This is the list of basic applications that should be part of a monthly patch check: Oracle Java, Adobe Flash, Adobe Reader, Mozilla Firefox, and Apple QuickTime.
Run a real anti-virus application. Yes, information security professionals know that they are imperfect, but for most people, they serve a basic function of helping to make sure that the most common attacks aren’t successful. Much like outrunning the bear only requires outrunning a slower person, protecting against standard attacks only requires being better than average. Attackers will go after the easiest, weakest targets, so doing a very basic job of protection will go a long way.
This is not the place to tell you what to use. However, consider that if a technology is freely available to you, it’s also freely available to attackers, and if they find a flaw, they’re going to use it. So products that come with a computer by default and those that are available for free may not provide the level of protection desired.
Back up everything. It’s not realistic to invest in a full-fledged enterprise* quality backup system. However, in today’s constantly connected world there are numerous cloud-based backup options out there for a very low monthly cost. Many of them are built in such a way that the providers themselves cannot see the data that is backed up there. If a monthly cost isn’t workable for whatever reason, many USB hard drives come with easy-to-use backup systems. If choosing one of these, be sure to select one that handles multiple copies of backups so if something goes wrong and affects the backup, you stand a chance at being able to recover.
* Interesting note: if you watch the show, you will notice that none of the Enterprises on Star Trek actually had decent backup systems.
4. Access credit reports
If you live in the United States, you get a free credit report from each of the three credit bureaus. This means that, every four months, you should pull a report from a different agency. This may not protect you directly, but the earlier you discover something hinky going on, the better off you’re going to be.
4 things NOT to do if you’ve been hacked
1. Keep standard administrator rights
If your standard account has administrator rights, stop it now. Most people running Windows or OSX at home run with full privileges because it makes it easy. You can install software, apply updates, and change running applications without being bothered. Sadly, that means that any attackers can also install software, apply updates, and change running applications without bothering you. Modern malware is written with this idea in mind so all it takes is one bad link and the entire system can be taken over.
Instead, create two accounts. The normal account “JimBob”, for example, will be set up regularly. It won’t be vulnerable to basic attacks as all activities would require logging in or “boosting” to another account “JimBob-admin” that has a different password. This can be hard for many people to adjust to, but once done will go a long way towards improving the overall security of any system.
2. Hand out private information
Phone and Internet-based scams are on the rise. Whether they call you, contact you through instant message, Facebook or email, the basic rule is the same. If you contact someone, you can be reasonably sure that they’re who they say they are. This may not be 100% true, but if someone contacts you, chances are above even odds that they’re not who they claim to be. Now, sometimes you’ll get an email telling you to call a specific number, as they want to trick you into thinking that you initiated the discussion, but since they sent the first email or created a website warning, they started it.
The rule is, if they start the discussion, you shouldn’t need to give them any information that they already have. For example, if you call someone to order something, it makes sense to give out your credit card number because they don’t have it and they need it to complete the sale. However, if someone calls you and claims to need your credit card number, it’s odd because they should already have it. If people already have the information and need you to verify that you are who you say you are, they don’t need the whole card number, the whole social security number or any other item in its entirety. If they ask for more than the last four digits, there might be something unpleasant going on.
3. Use the same browser
If you are a technical person, you’re probably doing wacky stuff with browser profiles and separate users. If so, good on you. However, if you were doing that, there’s no reason for you to read this post so go somewhere more interesting.
For everyone else, stop using the same browser for everything. If you use Firefox, Chrome, Safari, or Internet Explorer for your regular browsing, consider using something like Opera, Whitehat Aviator, or Midori to manage your banking. When attackers target your bank account, they will try to track your browser activities. So, if you’re browsing the web in Firefox and they manage to take over your browser, they may be limited to only being able to access your email and Facebook. Now, that’s not good and, given time, the attackers may be able to take over a bank account by working through your email account. However, since attackers tend to take the easier path, they’ll more likely focus on people who also access their bank account from the same browser. So, simply dedicating a single browser to everything involving your money will go a long way towards keeping the simpler attacks from being successful.
If it is financially feasible for you, you can even go one step better and get a cheap ultrabook/chromebook and use that for all banking activities. Then, even if your primary computer is completely taken over, they can’t get anything critical because all of that is done on a different system.
4. Use a debit card
If you live in the United States, consider stopping using your debit card altogether. The way the banking system works is that anyone who can access your account can often take out whatever they want. In a credit-based system, they can pull money that is on loan from other companies and, because that is outside of your control, it is their responsibility to protect their money. With a debit card, it is your responsibility. Since the large credit card companies have more resources to put into fraud detection, they are better equipped to protect you (i.e., them). Thus, if your credit card account gets taken over, you are limited both by practice and by law in how much money can be lost (and it’s usually zero). If, however, your checking account gets hit, your position is a lot less certain. While some banks will protect you, you’ll never really know what they’ll do unless it happens to you. With either credit or cash you have a high level of certainty as to what would happen if you do get attacked.
In the end, the world is full of attackers, victims and potential victims. If you’re not actively engaged in attacks, you’re somewhere on the victim spectrum. To keep from being converted from a potential victim to a true victim, you have to be better than most of the other potential victims. This doesn’t mean that you have to be better than everyone. Just think of ten of your closest friends. If you are taking better care of your systems and data than six of those, you are probably in decent shape. If you manage to do everything on this list, you might be better than all ten and have very little to worry about.
All that said, though, anyone can be a victim at any time. All it takes is a single failure or a particularly dedicated attacker, and it can be game over for you. In addition to defense, you must pay a bit of attention to resiliency. Just as in the real world, follow basic security rules:
- Keep an eye on what’s going on around you. You can’t know what’s going on unless you’re aware of what “normal” looks and feels like.
- Consider likely scenarios and have recovery plans. These need be detailed.
- Develop friendships. Both being a good friend and having good friends means that you’ll have the help when you truly need it.
- Trust no one…in moderation. It is easy to become fearful when you really start thinking about this stuff, but try to stay practical. Most people are not out to get you and if you act as though they are, you will get lost in paranoia and lose the clear planning and friends you’ll need if stuff really does go down.
Real life security is complicated and messy. If you are experienced enough to see the things I left out here, good. That just means that this post wasn’t for you, it was for your friends. Every single person on the planet starts at learning level zero. In terms of security, a whole lot of people don’t get much past that, which is why so many basic attacks are successful. Most people won’t read this post, but my hope is that the few that will will get better. If you share with your friends, the hope is that they’ll get a little bit better, and bug you a little bit less. This will give you the time you need to improve your own skills and help all of us improve.