by Fadia, Ankit
For example, the image above shows that my account was last accessed five minutes ago, using a browser from the IP address 108.35.118.245 in the location New Jersey, USA. It was also accessed six minutes ago from an unknown mobile phone with the IP address 178.239.83.150. Maybe it was my BlackBerry phone, but I can’t be sure by simply looking at this page, since, if you notice, there is no location that is showing up, nor does it show what kind of mobile phone it was. In such cases, if you want to get more detailed information about the IP address, simply connect to the IP Lookup feature on the website What Is My IP Address (http://whatismyipaddress.com/ip-lookup).
Copy-paste the IP address you want to look up in the space provided and click on the Lookup button. Within a few seconds, you are likely to be shown something like the following image.
What Is My IP Address and the What Is My IP Address logo are registered trademarks of CGP Holding Inc., used with permission.
This confirms that the unknown IP address is indeed my BlackBerry phone and it is accessing my Gmail account from the UK server of Research in Motion (the company that owns BlackBerry).
If you come across any suspicious log-ins to your Gmail account, the best part about the Last account activity feature is that you can click on the Sign out all other sessions button to end all currently logged-in sessions worldwide except yours. This feature not only logs out any cybercriminal who may have somehow managed to log in to your account, but also allows you to log out from any legitimately logged-in session that you may have forgotten to log out from on another computer. For example, in case you had accessed your Gmail account from a hotel business centre computer or a friend’s computer but forgot to log out, this feature can be very useful.
Gmail and the Gmail logo are registered trademarks of Google Inc., used with permission.
It is highly recommended that you keep track of information in the Last account activity page on a regular basis to detect any suspicious activity on your account.
2. Facebook
Facebook allows you to view a history of all logged-in sessions to your account by clicking on Settings > Account Settings > Security > Active Sessions. If you notice any active sessions that you did not start, you can click on the End Activity link to remotely log out from them.
It is also recommended that you enable Login Notifications on your Facebook account, so that you receive an email and an SMS text message each time someone logs in to your account from a device that you have not used before. To enable Login Notifications on your account, simply go to Settings > Account Settings > Security > Login Notifications and enable them.
70. How to make your accounts hack-proof
< 300 Seconds
Have you ever clicked on links received in an email? Have you ever used the same password for all your accounts? Have you ever used a computer other than your own personal computer to log in to your Gmail account? Have you ever downloaded software or music or movies from a dodgy website? If you have done any of this, chances are that, unbeknownst to you, some malicious attacker would have tried to hack into your Gmail account at some point of time.
Hundred per cent security does not exist, but Gmail allows you to get close. If you want to make it almost impossible for a cybercriminal or malicious attacker to hack into your Gmail account, then you need to enable 2-step verification on it. This unique feature adds an additional layer of security to your Gmail account. As the name suggests, once you enable 2-Step Verification in your Gmail account, there will be two different security layers protecting your Gmail account. In the first step, you will need to enter your username and password as you normally would, and then in the second step you need to enter a special Verification code that is sent to your mobile phone via a text message or voice call. Only if the correct information is entered by a user in both the layers of verification is access to the Gmail account provided. This means that the only way a cybercriminal can hack into your Gmail account is if he is able to get your password and also steal your mobile phone from you.
To enable 2-step verification in your Gmail account, log in to your Gmail account and then click on your name in the top right corner of the screen, and then on the Account link, to reveal the Accounts settings page for your account.
Click on the Security option in the left column of your Account settings page. This will open up the Security settings page for your account, which allows you to manage various security options related to your Gmail account. If you notice, by default the 2-step verification feature on your Gmail account will be switched off. Simply click on the Edit button to enable it.
You now need to enter the mobile phone number to which you want Google to send the verification code. Based on your personal preference, you can choose to receive the verification code either via text message or voice call. Now click on the Send code button so that Google can send a code to your mobile phone to verify that you have entered a correct mobile phone number.
Once you receive the verification code on your mobile phone either via text message or voice call, you need to enter it in the space provided so that you can verify your mobile phone device.
You can choose to be asked to enter the verification code every time you log in to your Gmail account from any computer. You can also choose to get Gmail to trust your current computer, so that you are asked to enter the verification code only whenever someone attempts to log in to your Gmail account from a computer other than your trusted computer.
Now click on the Confirm button to enable the 2-step verification feature on your Gmail account.
From now on, whenever you attempt to log in to your Gmail account from a trusted computer, you will only be asked for your username and password. However, if you or someone else tries to log in to your Gmail account from some other computer, then not only would they be asked for your username and password, but they would also be asked to enter the verification code from your mobile phone.
What happens if you have enabled the 2-step verification feature on your Gmail account and your mobile phone gets stolen or lost? How do you access your Gmail account? The first thing to do is to log in to your Gmail account from a trusted computer, in which case you will not be asked to enter the verification code from your mobile phone. However, if you are travelling out of the country and cannot get to a trusted computer, how can you still access your Gmail account?
This is where the Backup phone feature comes into play. It is possible for you to add a friend or family member’s number as the backup phone on your Gmail account. In case of an emergency, you can ask Gmail to send the verification code to the backup phone instead of to your regular phone. This feature ensures that you will still be able to access your Gmail account.
Let us imagine an even bigger emergency. You have lost both your regular phone and your backup phone. Or you have lost your phone and, for some reason, you are not able to get in touch with the person who has the backup phone. How can you still access your Gmail account? This is where something known as Printable backup codes is helpful. Using this feature, you can print a bunch of backup verification codes and store them in a safe place (like your wallet). These backup codes will be the only way for you to access your Gmail account if both your regular phone and backup phone are misplaced.
If you are using an Android, iPhone or BlackBerry mobile phone, then you don’t even need to rely on an SMS or voice call to receive your Gmail verification code. Instead, you could install the 2-step verification mobile app on your phone and it will do the rest.
One problem that you may encounter after enabling 2-step verification is that you may not be able to access your Gmail account from web or mobile apps other than a browser (Google Talk, Picasa, Push Email on your smartphone or tablet, email clients like Outlook). The reason why these other apps no longer work is that they were not designed to have any additional space available for you to enter the verification code. In other words, they are not compatible with the 2-step verification feature. This is where Application-specific passwords come into the picture.
Application-specific passwords are special sixteen-character-long passwords that are generated for specific apps only and cannot be used elsewhere to log in to your Gmail account. Application-specific passwords do not need to be memorized by you and only need to be entered once into the app that does not support 2-step verification. You should remember to enable the Save password option in your app, so that you don’t need to generate the Application-specific password repeatedly.
71. How to avoid phishing attacks
< 60 Seconds
Phishing is a technique used by cybercriminals who try to steal your confidential information by pretending to be someone you trust. For example, you may receive an email that seems to have been sent by your bank asking for your account details, but in reality would have been sent by a phishing expert. Even though the email seems very real, it is actually sent by a cybercriminal and is an attempt to steal your account password. Phishing attacks have become even more dangerous and sophisticated today, since they accurately replicate the legitimate trusted source. For example, they will have the real logo, will use the same font and will seem to come from a real email address. Typically phishing attacks can be in the following forms:
1. Account upgrade, system maintenance, software crash or some other mundane reason
2. SMS text message that seems as if your bank or relative or friend is trying to get in touch with you
3. Instant message asking you for confidential details about some online account
4. Private message on Facebook containing a link that may take you to a page that looks like a log-in screen for Facebook, but actually is a fake log-in screen that steals your password
There are some simple things that you can keep in mind in order to avoid becoming the victim of a phishing attack:
1. Your bank or credit card company will under no circumstances ask for your password. Really. It will never happen.
2. If the email you have received contains a link, do not blindly click on the link, since it could potentially lead you to a fake log-in screen or a malicious website, or execute some other type of a phishing attack. Before clicking on a link, you can find out where it is going to take you by holding your mouse over it for a few seconds and looking at the status bar of your browser.
3. You may receive an email that contains a link that looks very authentic. Even if you hover your mouse over it, it may seem like the link to a legitimate, trustworthy website. Take a look at the following web address—https://[email protected]$.com. At first glance this may look like a page on the website of ICICI Bank, but in reality it will take you to a completely different address which begins separately after the @ sign. Such simple URL obfuscation tricks are commonly used by cybercriminals to fool unsuspecting victims. Please do not click on any link in these emails, no matter how genuine and trustworthy it might seem.
4. Even if a link seems safe, if it was sent to you from a dubious source, you should avoid using it to log in to any of your accounts. Whenever you want to log in to any online account (email, bank, social networking site or others), always open the browser in a new window, type the website address and then type the username and password to log in.
5. Always check for ‘https’ in the URL address bar of your browser, before you enter any confidential details on a website. Typically, only trustworthy websites will use ‘https’ and phishing websites normally use ‘http’.
6. Make sure that you are on a genuine website by carefully reading the URL address bar. Watch out for websites with spellings that are similar to the actual website. For example, make sure you are not on ‘online.citibenk.com’ instead of ‘online.citibank.com’. Cybercriminals are known to register website domain names with a spelling similar to a trusted website.
7. A simple way to differentiate between a real email and a phishing email is to carefully look for your full name mentioned somewhere in the email. Usually, a cybercriminal will not know your full name and will instead use a generic salutation (like ‘Sir’ or your email address) to address you. If you don’t find your full name or some other unique identifier (credit card number, bank account number and others) mentioned anywhere in the email, then you should be suspicious.
8. Another telltale sign to look out for is the fact that a phishing attack email will usually have a number of spelling or grammatical errors.
Google Chrome and the Google Chrome logo are registered trademarks of Google Inc., used with permission.
9. Most popular browsers (like Google Chrome, Mozilla Firefox and Internet Explorer) maintain a list of known phishing websites in their database and warn you whenever you are about to visit any phishing website that appears in their database.
10. Many popular email providers, like Gmail, also have built-in anti-phishing features that will automatically scan all incoming email for things normally found in known phishing scams. Whenever a phishing attack is detected, Gmail will automatically move the email to the spam folder or may display the following message when you try to open the email:
11. If you receive a link and are not sure whether it is safe to click on it or not, you can check whether it has been reported as a suspected phishing website by submitting it to a site called PhishTank (www.phishtank.com). This website maintains a comprehensive list of known phishing websites and provides a quick way to check whether a website appears in that list or not. If your link appears in their database, it is a bad idea to click on it.
PhishTank and the PhishTank logo are registered trademarks of OpenDNS LLC, used with permission.
12. There are commercial anti-phishing software tools available that provide you protection against phishing attacks. For example, McAfee’s SiteAdvisor Live is a product that allows you to identify and protect yourself from risky websites. You can buy it online from http://home.mcafee.com/store/siteadvisor-live.
13. Most importantly, if you have never opened an account with a particular bank and they email you, then it probably is a phishing attack. No matter how tempting their offer might be, do not click on any of their links.
If you keep these simple tips in mind, you won’t have to worry about becoming a victim to a phishing attack.
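Tips 3, 5 and 6 above can be checked mechanically. The following Python is an added example, not from the original book: it extracts the host a link really leads to, ignoring anything before an @ sign, and flags hosts that are a character or two away from a trusted one. The trusted-host list, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of sites the reader actually uses (assumption).
TRUSTED_HOSTS = {"online.citibank.com", "www.icicibank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def inspect_link(url: str, trusted=TRUSTED_HOSTS, max_typos: int = 2) -> dict:
    """Report the host a link really leads to and why it may be deceptive."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    # Tip 3: everything before '@' in the address is user info, not the site.
    if parts.username is not None:
        findings.append(f"text before '@' ({parts.username}) is not the site; "
                        f"the real host is {host}")
    # Tip 5: confidential details should only be entered on https pages.
    if parts.scheme != "https":
        findings.append("not https")
    # Tip 6: a host close to, but not equal to, a trusted host is a lookalike.
    if host not in trusted:
        for good in sorted(trusted):
            d = edit_distance(host, good)
            if 0 < d <= max_typos:
                findings.append(f"looks like {good} (differs by {d} character(s))")
    return {"host": host, "host_trusted": host in trusted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; example.net is a reserved documentation domain.
    for link in ("https://www.icicibank.com@login.example.net/secure",
                 "http://online.citibenk.com/login",
                 "https://online.citibank.com/"):
        print(link, "->", inspect_link(link))
```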
72. How to encrypt and password-protect your files and folders
< 300 Seconds
Sometimes just setting a password on your file is not enough. If a cybercriminal is really motivated and has the right technical knowledge, they can crack this password and gain illegal access to your confidential data. Hence, it is always advisable to encrypt your confidential files and folders with a strong encryption standard. The TrueCrypt encryption tool can be used in such situations. It is available as a free download from http://www.truecrypt.org.
Before we continue, there are a few computer-related terms that we need to understand properly:
Term: Definition
Virtual Disk: A file that seems like an actual drive to your system
Volume: A finite amount of storage space on a drive (like your hard drive, USB drive etc.)
Mount: Before a computer can use a device or a drive (like a hard drive or CD or pen drive), it has to be mounted so that it becomes accessible to you.
TrueCrypt creates a virtual encrypted disk within a file on your computer and mounts it as a real disk or drive, so that you are allowed to store files on it in encrypted format. You will be allowed to save files on the virtual disk just the way you normally save files on any other disk on your computer. The best thing about TrueCrypt is that it does all the encryption on the fly, without causing any time lag in your day-to-day work.
Before you can start storing your files and folders in an encrypted format, you need to create a TrueCrypt volume. Think of this as a finite area on your hard drive, inside which all the encrypted data will be stored. To create the volume, start TrueCrypt on your computer and click on the Create Volume button. This will start the TrueCrypt Volume Creation Wizard.
TrueCrypt and the TrueCrypt logo are registered trademarks of TrueCrypt Developers Association, used with permission.
Next, you need to create a virtual disk within any file on your computer. Select the first option which is selected by default, and click on the Next button to continue.