A Few Disorganized Web Safety Hints

I had a conversation with my uncle earlier today about protecting yourself from all the horrors of the internet (spyware, viruses, identity theft, etc). Here's a dramatized reenactment:

Uncle: So what do you to protect yourself from this stuff? Do you use anti-virus software or something?
Me: Me? Not a thing! I shield myself in a cacoon of impenetrable awesomeness and roam the web without fear.
Uncle: Er, right... So do you do online banking and stuff?
Me: Absolutely! The convenience is outstanding and with my total and perfect knowledge of all possible attack vectors, I never need worry about identity theft.
Uncle: ...
Me: Also, never use a virus scanner! Those things are worse than the viruses they claim to protect you from. It's all a big racket.
Uncle: Okay, so what do you recommend I do?
Me: Er, run windows update? Good luck!

I obviously had a good time, but I doubt my uncle came away much better off than he started.

In the infinity of things to be good at, I actually do happen to know a lot about computer stuff. I also read about food enough to know that you should eat some fat with your tomatoes to make the healthy lycopene more bioavailable. That's about it. Computers and magic food medicine. For me it's pretty much those two, with a substantial emphasis on the computers.

However, gentle reader, that doesn't do you a bit of good. If by standing next to me you can't absorb any protective mojo, then I'm pretty darn worthless. Here's what I thought of after I wished my uncle luck and set down the phone.

There are 3 ways your computer can become compromised and only 2 apply to ordinary people:

1. Though laziness, trickery, or accident you actively install malware.
2. By not keeping your operating system or browser software up to date, you provide security holes that can be used to remotely install malware without any action on your part. In many cases, the actual task of scanning for and attacking vulnerable computers can be automated.
3. You attract the attention of actual serious professionals that may break in to your house while your gone and mess with your computer. (Most of us don't have to worry about this one.)

The one that scares me the most is #2. If I screw up and run a virus, I figure I at least share some blame. Just getting pwned (technical term, means "owned") while I'm out on the web trying to learn more about the flu-fighting powers of garlic is just uncool.

Follow these steps to protect yourself from #2:

1. Set up your computer do do automatic windows updates. Every Tuesday, Microsoft pushes out a batch of updates and frequently they include security patches. The holes these patches fix were identified by talented, intelligent individuals that, good or evil, have better things to do that fry your computer and steal pictures of your cats. However, the longer the knowledge is out there, the more 14 year olds get their hands on automated scripts that they can use to identify and mess with your vulnerable computer.

2. Use a modern web browser, not IE6. IE8 is fine. Firefox and chrome are also fine. Using IE6 provides every website you visit with an open conduit directly into your computer. Here's a scary article (one of many) from the washington post if you need convincing.

2b. When your modern web browser pops up a red screen and says, "Stop! This website is known to do terrible things to visitors' computers!" Walk away. The web is big. You can learn more about enhancing the alzheimer's-fighting properties of turmeric by combining with black pepper at a different site.

Running a firewall might be helpful here, but if you're at home you're generally behind your router anyway. If you've got a router it acts as an effective firewall. If you're at a coffee shop or plugged directly into the internet, running a software firewall may be a good idea. There is one built into Windows, there's no need to buy one.

Protecting yourself from #1 is, unfortunately, very difficult.

1. Be reluctant to install browser plugins or activex components. You may see, "Click to install the plugin that lets you use the greeting card generator." Or, "This site requires you install an activex plugin to operate." Many times this is legitimate, many times it's not. When you install browser plugins you are installing software onto your computer. You are also creating additional attack "surfaces" that are available to every other site on the internet. I think the only plugin I have installed is Flash (and it has known vulnerabilities, so having it installed means I need to be more careful where I visit on the web).

2. The other problem is that you may want to download and run a program of some sort. First rule: microsoft does a pretty good job of getting the most out of your RAM, hard drive, network connection, etc. If you see a program promising to "enhance" your RAM or, ah, anything else you might want enhanced, it's probably a scam.

Something to remember: the instant you run a program on your computer, nothing can protect you from it. All of the stuff you want friendly programs to be able to do (e.g. access your hard drive, install services, communicate on the web) can be used just as easily by non-friendly programs. Want an example? The driver software for the energizer USB battery charger allows remote system access: http://blogs.zdnet.com/security/?p=5602

On anti-virus software. I have never seen an instance where antivirus software protected someone from the previous paragraph. It also has extremely high overhead. Some people feel like it's due dilligence, but I just feel like it's a mirage of a safety net that makes your computer run at about 60% of its potential speed.

Lastly: So you've got a virus! If it's a lame virus or you're a pretty sharp user, you can sometimes surgically remove it from the computer. In my limited experience it's time to back up the family pictures and format the hard drive. While you are deciding what to do, your computer is very likely a secret member of a zombie computer army some 14-year old in eastern europe is using to launch denial of service attack against amazon or hulu or norton. The sooner you put it out of its misery, the better. When you're done, it'll have that nice new car smell :)

PHISHING

Even if your computer is completely secure, you can still run in to trouble. What I believe to be the most insidious, vile, and effective way to steal your credit card numbers is a technique called phishing. It basically amounts to a con man walking up to you and convincing your to tell him all your security information. Everybody thinks they're smart about this sort of thing, but nobody is. It's social engineering and it's really sneaky.

Usually, you get an email with a link in it. The crook wins by pretending to be official (e.g. your bank) and convincing you to follow the link and type stuff in.

The big red flag is a sense of urgency. "Warning! Your bank account information is about to expire! Please login to prevent loss of service." That email will contain a link to a site that may be an exact duplicate of your bank's familiar login page. Only, instead of logging in to your bank, it emails your username and password to a crook.

When sending email, the FROM field is completely arbitrary. Remember when you set up your email client and it asked you to type your name and email? Later, those things show up in the FROM field when you send emails. You could have typed anything you wanted. Imagine the potential!

The fix? Legitimate companies never request sensitive information via email. They also know to avoid the urgent tone because of exactly this problem.

I hope that helps. Good luck!

EDIT 3/9/2010: added energizer battery charger link

Comments

Unknown said…
Thanks Charlie! I had forgotten that I was not on IE8.

Clara's Grandfather
Yay! For every person I convince to stop using IE6, every web developer has to give me a dollar. Or at least, they should :)

Popular Posts