2014-09-15

In light of the recent and well-publicised release of celebrity nudes, and 5 million Gmail passwords, it's probably time to give you kids the "talk". You know the one - the birds, and the bees that are hacking the birds' computers. To start this conversation, I probably need to say this:

I have a background in IT, including networks and servers, database admin, and programming. I am NOT a security expert by any stretch of the imagination. I will probably miss things. I take no responsibility for the actions you take in response to this post. Any advice I give in this post is general, and does not take your specific circumstances into account. Ask before doing. Additionally, I am not able to see into the future - services and software mentioned in this thread COULD be compromised in the near future. For this reason, you need to understand this completely:

There is no such thing as complete security on the internet.

The aim here is the same as putting deadlocks on your doors: be harder to break into than next door. If someone really wants to get in, they still will. At the end of the day, it boils down to this: if nobody should see it, don't put it on a device that is:

Connected to the internet

Likely to leave your house

Easy to steal

Seriously, take nudes with a polaroid, and keep them in a [gun] safe, if you have to keep them.

I hope that, by starting this conversation, I can make you more mindful of the risks of poor security practices with your internet-connected devices. Following the advice by anyone in this thread will not make you hack-proof, but it could save you time, money, and embarrassment.

Additionally, I welcome the input of the other IT guys - hopefully we can cover all the bases reasonably well between us.

Let's make a start with...

1) Why do people hack or make viruses?

There are a few reasons:

Money

This is the driving force behind most hacking, spyware, adware etc. Whether it's a keylogging virus that gives the hacker your bank details, advertising that is paid for, or building a botnet to DDoS a competitor, money is usually behind it.

The Challenge

The array of security tools keeping computers safe these days is mind-boggling. Perpetrating a successful hack is like solving a difficult logic puzzle. A good one will get you standing among your peers, and it usually can, as a happy coincidence, then be used to take people's money. These people often enter hacking competitions like Pwn2Own.

Political causes

Political motivations have driven hacks by Anonymous and supporters of various Islamic movements to deface important (usually government) websites.

To fix things

Whitehat hackers are the good guys - they perform penetration testing for networks to help ensure that they are secure, and build tools to fight the other hackers.

Because it sounds cool/fun/funny

This is generally the 14-18 year old demographic. They use prebuilt tools just to cause trouble, but usually lack any deep understanding of what the tools do, or how computer security works.

Warfare

Many countries have teams of hackers that are used to hack and counter-hack other governments.

Corporate espionage

Not unlike the people operating under the warfare banner, these are hackers and counter-hackers that help their companies keep secrets, and attempt to steal secrets.

Terrorism

Terrorist hackers attempt to gain access to systems running critical infrastructure in order to be assholes.

2) What's at risk for you (why you should care)

Your money (stolen credit card details, PayPal details, internet banking details)

Your data (you care about baby photos, eTax files, MYOB files, emails, and stuff like that, right?)

Your privacy (you accidentally synced your photos to your iCloud, and now there's 10,000 14 year-olds dirtying their socks over your pasty white arse)

Your identity (they now have your full name, date of birth, and mother's maiden name)

Your reputation (Social media/email: spam from your accounts, posted revelations from privacy loss, eBay accounts trashed in scams)

If you weren't worried before, you should be now.

3) Where are the hazards?

At home

Viruses

Your computer is susceptible to viruses. Windows 7? Yep. 8? Yes. Mac? Absolutely. Linux/Android? Indeed. Whatever the operating system, and whatever antivirus you have installed, you can still get viruses. Antivirus software is mostly scanning for THINGS THAT IT RECOGNISES. Most people understand this. Most people don't connect that to the idea that it means that you have no protection from any virus until the maker gets a copy of the virus, analyses it, and works out a way to fix it. You are therefore susceptible to every new virus designed for your OS for 3 days or more before a fix filters through.

Assuming that they find it as soon as it comes out. Antivirus software also looks for "things that look like viruses" (heuristic scanning), but they tend not to be very successful at it. Further, no one antivirus program will get everything.

Unfortunately, installing more than one virus scanner is likely to make your computer unusable. No one antimalware program will get all the malware.

WiFi

Are you running a WiFi router at home? Unless it is running WPA/2 security, it is probably vulnerable. WEP security can be broken in under 5 minutes. Turning off SSID broadcast is only effective if nothing is connected via WiFi. MAC Address whitelists are almost useless as a defense. What can someone do with your WiFi connection? They can get files from file shares on your computers, put things on your computer file shares, print things to network printers, use up your internet download quota, download things on your connection that would put you on Government watchlists, and in some cases, log in to your modem and steal your internet password, which then gives access to your ISP email address and account management tools.

At WiFi Access Points

Unsecured guest WiFi

You go to McDs, or your favourite coffee place with free WiFi, and connect up. If you didn't put in a password to connect, anyone with a laptop can see the data you are sending. It's not so bad if you're on a secure webpage, but if your email isn't set up for a secure connection, and your laptop/phone/tablet tries to check your email automatically, anyone within 50 meters could capture your email address, password, and server settings.

Untrustworthy networks

Every time you connect to somebody else's network, you run the risk that they are logging everything you do. Usernames, passwords, emails, everything. Secure/encrypted pages give you some measure of security, but a man-in-the-middle attack makes it possible to eavesdrop even on SSL/HTTPS connections.

On the internet

Anywhere that you keep data is a problem, including out on the internet. On the internet, you are relying on server owners to keep their data, and your data, secure and secret. This includes information that you signed up with (name, username, email, password, DoB, answers to secret questions, photos, ICQ/AIM/MSN/GTalk/Y!/Skype details etc), accounts you've attached this account to (Facebook, Twitter, Photobucket), files you've uploaded (pictures, videos etc), and things you've typed up (blog posts, notes, etc).

4) Risky behaviours: what you shouldn't be doing

Passwords

A lot has been said on the subject over the years, but what it boils down to is this: the easier it is to remember, the easier it is to guess. The best passwords are long, complex, not based on English words, and mix uppercase, lowercase, numbers and symbols. Reusing passwords is also bad. If a single forum that you are on is compromised, and you've used that password with that username or email address elsewhere, finding out where is just a Google search away. And then you go from a single account broken to all of them broken.

Viruses

Ignoring the health of your computer is a bad thing. The longer a virus lingers, the more chance there is that the maker will get something important from you. Assuming that you only need your virus scanner is a bad thing. It's not comprehensive.

Free WiFi

Using non-password-protected WiFi is dangerous. If you have to, understand that everything that you or your phone does on the internet could be seen by anyone. Additionally, if the owner of the network isn't trustworthy, you could lose your privacy, even on a secured network connection.

Bad websites

Any information you give when you sign up to a website is completely available to the owner to do whatever he/she(/it?) likes with it. If you just type in all the info they ask for without thinking about it, you could be in for a surprise.

5) How to safen up and be safe

Passwords

Don't reuse passwords

Make your passwords long and complex

This is really hard without help. Luckily, help is at hand. Password managers will generate random passwords for you, and save them. I use KeePass, but there are many other options. If you want instructions for setting up KeePass to be useful across multiple devices, I can post that below.

Viruses

Use a good virus scanner

Keep it up to date

Run regular virus scans

Be careful about opening email attachments and clicking "Yes", "OK" or "Accept" on websites that shouldn't be asking you to. Flash gaming sites, porn sites and pirate software/music sites have traditionally been the worst for this.

Supplement your virus scans with anti-malware software. There are plenty of freebies available (I recommend Spybot S&D and Malwarebytes AntiMalware).

Free WiFi

If it doesn't need a password, just say no. Any number of apps on your computer or smartphone could attempt to auto-connect to their respective web hosts, making your passwords freely available without you ever knowing it's happened.

Don't send important passwords across untrustworthy networks, whether they are secured or not. You never know if your hotel/coffeeshop is collecting what you are doing.

Bad websites

If it's not a service that you should have to sign up to use, either don't use it (find an alternative) or use false information.

If the information the website is asking for is irrelevant to the services they provide, don't answer the question, or lie.

Online Shopping

Make sure that the connection is secure (https, with a good certificate) before sending any information.

Always use PayPal, attached to a credit card, or a credit card directly. Visa in particular have been very good at recovering money taken in scams or from credit card number theft. Direct deposit offers you no protection. If you don't have a credit card, sign up for a Visa debit card from your bank. The Visa number works as a credit card for online purchases.

Always try to shop with well established and reputable sites.

Home internet connection

If your home router has a firewall, make sure it's turned on

Change the admin password for your router to something non-standard

Righto, I'm done for now. Please post comments, questions, suggestions and corrections below.
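
Added example (not part of the original post, and not KeePass code): a small Python audit that applies the password advice from sections 4 and 5 to a list of accounts, flagging reused, short and low-variety passwords and generating random replacements. The 16-character minimum, the function names and the sample vault are assumptions made for this illustration.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 16  # assumed threshold; the post only says "long"
CLASSES = {"lowercase": string.ascii_lowercase, "uppercase": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}

def generate_password(length=20):
    """Random password from the OS CSPRNG that contains every character class."""
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate

def audit(vault):
    """Return {site: [problems]} for a {site: password} mapping."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    findings = {}
    for site, password in vault.items():
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        missing = [n for n, chars in CLASSES.items() if not any(c in chars for c in password)]
        if missing:
            problems.append("missing " + ", ".join(missing))
        # Reuse is the costly one: a single leaked site exposes every account sharing it.
        shared = sorted(s for s in sites_by_password[password] if s != site)
        if shared:
            problems.append("reused on " + ", ".join(shared))
        if problems:
            findings[site] = problems
    return findings

# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "forum.example": "Sunshine2014",
    "mail.example": "Sunshine2014",
    "bank.example": "kT7#vQ2m!Zp9@xL4wR8s",
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(problems)} -> replace with {generate_password()}")
```

Run it only against a local export on a machine you trust, and delete the export afterwards, since the input file holds every password in plain text.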
