Call us cynical or hard-edged, but we frankly believe that the world is filled with hustlers, grifters and crooks out to bamboozle us at every turn.
Those suspicions are doubled for our digital lives. For no longer do bunko artists need to trick you into buying that iPad box with a brick in it. Today, they can rip you off on autopilot. With the deadliness and stealth of a UAV, these scumbags can steal your banking credentials, clone your debit card or infect your computer. Don’t worry about being too paranoid. There’s really no such thing as being overly vigilant when it comes to your digital security.
Protect Your Desktop PC
Installing strong, up-to-date security software is a given. But it takes much more than that to defend the epicenter of your digital life.
Keep Your OS Patched
Could real people actually be as clueless as some of those characters we see in movies? Sadly, you need no more evidence of that cliché than the average computer user. Even though he or she knows that an OS update is as critical as, say, nailing boards over your windows in a zombie apocalypse, many choose to ignore the updates until something crawls in and eats their brains.
The most basic security step PC users should take – regardless of OS – is to install the latest updates. Yes, we know, it can be teeth-gritting – especially when the updates are larger than the original OS – but it’s necessary for patching holes being used by attackers to squeeze into your PC.
Lose Windows XP
Windows XP was a great operating system but it’s now pushing 10 years old and it’s a popular target for attacks. Why? It’s not as secure as its replacements. It’s also where the money is – literally – with 51 per cent of computers on the planet running it. Many attacks specifically target XP and ignore Windows Vista and Windows 7 completely. Unless you like to wrench on your OS all day, we recommend that you give XP the retirement it has earned.
Keep Your Applications Patched
Even Microsoft haters have to admit the company has done an admirable job patching its operating systems in a reasonable amount of time. Because of this, many of the weak spots on a PC aren’t even the OS anymore, but rather the third-party applications. While Microsoft will patch its own products in Windows Update, it doesn’t do squat about anything else. With literally dozens of apps to check for updates every week, you can see where the problem lies. That’s why we run Secunia’s PSI Scanner (www.secunia.com). The free app runs in the background, checks your installed apps and plugins for available updates and then gives you a link to where you can download the patch. The latest beta version will actually install some of the updates for you. The company also offers an online scanner but we don’t recommend it because it runs in Java.
Secunia’s free PSI app will monitor the dozens of applications installed on your machine for available security patches.
Beware the Usual Suspects
Start by disabling Acrobat/Reader in your browser. In Firefox, go to Tools, then Add-ons, then Plugins, and disable the Acrobat plugin. While you’re there, you should also probably disable QuickTime, Java and even the DivX Web Player if you want to be extra cautious.
Disabling plugins for Acrobat, QuickTime and other media players can mitigate some of the damage from new zero-day exploits.
To disable these plugins in Chrome, go to Options, Under the Hood, Content Settings, Plugins, and select “Disable individual plugins.”
For QuickTime, start the player, dig into Edit, Preferences, QuickTime Preferences, Browser and uncheck “Play movies automatically”.
To mitigate the damages from Adobe Flash, consider running the FlashBlock extension in Firefox and Chrome. This will prevent Flash from being displayed on a page. In its place will be a place holder that, when clicked, will play the Flash content.
Use a Virtualised Browser
Since the vast majority of attacks are coming from the browser, one of the safest ways to surf the web is from a virtualised browser or a virtual machine. Dell offers its free KACE browser (www.kace.com), which virtualises Firefox 3.6 along with Adobe Reader and Flash. Malware that exploits holes in Firefox, Reader or Flash would be contained within the virtual machine. The bad news? If you do get an infection and need to flush the virtual Firefox, you lose all of your settings. That includes the numerous updates to Firefox that come out seemingly every month and any bookmarks and plugins you installed. An alternative is to build a virtual machine using either Virtual PC 2007 (www.microsoft.com) or VMware Player (www.vmware.com). Both are free, and both Microsoft and VMware offer free images that include browsers. Microsoft offers Vista and XP with IE8 installed and VMware offers Ubuntu with Firefox installed. Of the three options, VMware’s is the most solid but folks not used to Linux might be thrown for a loop. Microsoft’s images time out after three months, so you’ll have to download them again.
Get a Second Opinion
Do you really know if that file is truly untainted? Many malware writers are specifically crafting wares to avoid detection by antivirus suites. If you have a file that you need to run, we recommend that you incubate it for a few days or a few weeks if possible. This gives security software a chance to catch up to any new exploit. We then recommend that you get a second opinion from Virustotal.com. This website lets you upload a file to be scanned by two dozen AV engines. Just remember that malware writers are also using tools such as Virustotal.com to see if their wares can pass muster, so long incubations are key.
Unshorten Those URLs
Shortened URLs can conveniently turn unwieldy web addresses into bite-sized morsels, but they can also disguise a link to a malware-ridden site. Though many of the URL shortening services check for malicious websites, it’s usually better to verify a shortened URL’s destination. For that, we use Longurlplease.com. It supports 81 shortening services. As for cryptic shortened URLs, visit Virustotal.com to have the address checked by six URL analysis engines.
Although many URL shortening services claim to scan for malware, it’s probably best to lengthen those URLs before you click on them, using Longurlplease.com.
Run in a Standard User Account
Running as an administrator in a Windows OS is a bit like giving someone the right to walk into your home and rummage through every nook and cranny. One easy way to avoid or greatly limit damage from malware is to always run with standard user rights. As with all things, this is no guarantee against harm. Some malware, even when executed in a standard user account, can grant itself administrator privileges and still run rampant through your PC, but running as a standard user minimises risk.
Running in standard user mode in a Windows OS has proven to be useful in beating back malware attacks.
Use a Live CD/Linux Distro to Do Banking
That Windows is the number one target for cybercrime and mischief is not news to any of us – naturally, owning 95 per cent of the market makes it an obvious target. That’s why we agree with security journalist Brian Krebs (http://krebsonsecurity.com) that members of the most at-risk group should do online banking with a Linux Live CD. You can do your gaming and other Windows-based computing booted from your hard drive. But once you have to go into secure mode, whip out your Live CD and boot to it. Numerous Linux builds are available, but the most popular, and among the easiest, is Ubuntu.
Restrict PC Access for Others
So, you’ve created this incredibly secure moat, ringed with razor wire, claymores and mines. And then you let your 14-year-old nephew play some Flash games or “check email”. Right. The best solution is to have visitors use a separate, secured guest PC. But if they must use your machine, make sure you have the guest account activated. Another option is to have them use a virtual machine. Once they’re done, simply shut down the VM and erase any trace of their activities. Or have them use your HTPC, where they’re working in the open instead of being left alone in your office.
PHYSICAL SECURITY: Put Your Laptop on Lockdown
Kensington’s new ClickSafe key lock makes it an easy one-step process to secure your laptop from snatch-and-grabs.
Obviously, all the same security risks and safety recommendations that apply to your desktop computer also apply to your laptop. But your laptop carries the added risk of being stolen. And let’s face it: If you haven’t encrypted all your sensitive data or been diligent about backups, the loss of your laptop could be mighty painful. One way to prevent the potentially dire consequences is to use a laptop lock.
The vast majority of notebooks have a slot to accommodate a physical locking mechanism – it’s usually designated by a padlock icon. The lock itself is attached to a reinforced cable which cannot be easily cut without the aid of a large and very noticeable set of bolt cutters. The cable is either bolted to the floor – in your office at work, for instance – or looped around a substantial or immovable object. Kensington is one of the biggest names in cable-lock makers, and offers both combination and key locks, priced at $US25 and $US50, respectively.
Protect Your Network
Keep your digital bits out of the hands of baddies.
Use Google Public DNS
If the crooks can’t convince you to visit their phony-baloney banking webpage, the next step is to get you there against your will. One way to do that is to poison the DNS cache you’re using. A DNS server translates the domain names in URLs into IP addresses. By exploiting flaws in the DNS software, crooks are able to redirect you to any site of their choice – even if you typed in the correct URL of your bank.
Bypass your ISP’s DNS for one that’s likely faster and more secure, Google DNS.
To avoid this, we recommend switching from your ISP’s DNS to Google’s public DNS (http://bit.ly/7Ti5tM). It’s free and the company has implemented many of the recommended safeguards against cache poisoning. To change the DNS on your client PC, go to Network Connections, right-click on your connection, and double-click Internet Protocol. Then simply enter the preferred DNS of 8.8.8.8 and alternate of 8.8.4.4 and click OK.
Conduct Personal Business at Home
You want a simple reason not to check your personal email at work? Someone in your network could be using a so-called “man in the middle” attack to spy on you. Whether by exploiting ARP cache poisoning, session hijacking or some other technique, MITM attacks let a crook steal the credentials issued to your machine and then fool, say, Yahoo or Gmail into thinking he’s you.
At work, with hundreds of computers and a network that stretches across the coasts, you really wouldn’t know where the MITM attack is coming from. This risk negates the possibility that your corporate network is more secure than your home network. So, assuming you have secured your home Wi-Fi (or don’t use wireless) and that the other machines on your home LAN are secure, save your personal email and banking for home.
Secure Your Wireless
Quick, what’s the most secure wireless available today? None. OK, we jest, but probably no wireless protocol is 100 per cent secure. But just because there’s a theoretical way to break the latest wireless encryptions doesn’t mean you should be using the weakest form. The weakest, of course, is WEP. Easily broken in under a minute by anyone capable of reading an internet how-to, WEP is far less secure than WPA or WPA2. If you’re running WEP because some old hardware doesn’t support WPA2, consider junking the old equipment or upgrading your router to one that supports guest networks. This lets you keep your internal network behind WPA2, while keeping guests roped off with the weaker WEP protocol to access the internet. If you’re running WPA2, the adage in security circles is that the longer and more randomised the key, the better.
Although not a guarantee, you can also set up your router’s wireless to only accept connections from known MAC addresses. These are the unique IDs assigned to each computer’s network card. The hole there is that an intruder could easily spoof a MAC address from a trusted client to still access your wireless network.
Check Each Machine’s Shares and Services
You can check what files are shared on a machine by right-clicking My Computer, selecting Manage, and clicking Shared Folders. Great, now how do you do it for all of the machines on your network? One way is to use NetBrute Scanner (www.rawlogic.com). This free utility will scan your internal network and report on shared resources that are available.
Scan Your Network for Intruders and Piggybackers
If a neighbour has broken into your network so he or she could download movie torrents, how would you know? Since most home networks use DHCP, go into your browser’s setup screen and check the DHCP screen to see how many IP addresses are assigned. Then, try to match those up with the systems on your network. If you have more IP addresses assigned than devices (remember that your smartphone will eat an IP address if it’s using Wi-Fi), you may have an intruder. Another option is to use RogueScanner (www.paglo.com), a free tool that will query devices on your network and compare them to an online database of devices to help you identify the machines.
Running an internal port scan may help reveal intruders freeloading on your network’s bandwidth.
So what do you do if you have an intruder or suspect one? Since the person has likely infiltrated your network via wireless, you’ll want to lock down your wireless by switching to WPA2 and using a very long and very random key.
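The lease-matching check described above can be done mechanically once the DHCP list is copied into a text file. This is an added example, not part of the original article: the lease lines, MAC addresses and device inventory are constructed, and the three-column lease format is an assumption, since every router lays out its DHCP screen differently. It also flags a known MAC that holds more than one lease, which can be a stale lease but is worth checking given that MAC addresses can be spoofed.

```python
# Added example: compare a DHCP lease list against the devices you own.
from collections import defaultdict

# Constructed inventory of your own devices: MAC address -> label.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "desktop",
    "00:1a:2b:3c:4d:5f": "laptop",
    "a4:5e:60:11:22:33": "smartphone (Wi-Fi)",
}

# Constructed lease list in an assumed "ip mac hostname" layout.
SAMPLE_LEASES = """\
# ip            mac                hostname
192.168.1.10    00:1A:2B:3C:4D:5E  DESKTOP
192.168.1.11    00-1a-2b-3c-4d-5f  laptop
192.168.1.12    A4:5E:60:11:22:33  phone
192.168.1.13    DE:AD:BE:EF:00:01  unknown-host
192.168.1.14    00:1A:2B:3C:4D:5F  laptop
"""

def normalise_mac(mac):
    """Return a MAC as lowercase colon-separated hex, whatever its notation."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """Parse lease lines into (ip, mac, hostname) tuples, skipping comments."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed lease line: %r" % line)
        hostname = parts[2] if len(parts) > 2 else ""
        leases.append((parts[0], normalise_mac(parts[1]), hostname))
    return leases

def audit(leases, known):
    """Return (leases with an unknown MAC, known MACs holding several IPs)."""
    unknown = [lease for lease in leases if lease[1] not in known]
    ips_by_mac = defaultdict(list)
    for ip, mac, _hostname in leases:
        ips_by_mac[mac].append(ip)
    duplicated = {mac: ips for mac, ips in ips_by_mac.items()
                  if mac in known and len(ips) > 1}
    return unknown, duplicated

if __name__ == "__main__":
    unknown, duplicated = audit(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES)
    for ip, mac, hostname in unknown:
        print("UNKNOWN DEVICE  %s  %s  %s" % (ip, mac, hostname))
    for mac, ips in duplicated.items():
        print("CHECK  %s (%s) holds %s" % (mac, KNOWN_DEVICES[mac], ", ".join(ips)))
```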
It’s a lot smaller than your desktop PC, but the risks are just as big.
Hang on Tight
Currently, the number one threat to smartphone users is having the device end up in the wrong hands, through theft or loss. Your first line of defence, therefore, is constant vigilance regarding your smartphone’s whereabouts.
Use a Password and Encryption
Should your phone get lost or stolen, a good first layer of protection is a password, an option many phone users neglect. Choose the strongest password option available – a passphrase, for instance, rather than a four-digit code or swipe pattern. Encryption options vary among mobile OSes, but when possible, you should encrypt your storage card as well as your device memory.
Back Up Your Data
Just as with a PC, backing up your smartphone is important. Regularly synching the device to a linked computer will do the trick. It’s insurance against the loss of your phone, corruption of your OS, or any other event that jeopardizes your data.
Don’t Store Sensitive Data
The surest way to guard your sensitive data is to keep it off your smartphone altogether. Minimise the number and/or days of emails you store on your phone, or better yet, save email and attachments to a server. Make it a habit to regularly move or delete anything you wouldn’t want to share with strangers.
Practise App Awareness
An abundance of apps is both a blessing and a curse for smartphones – there is no way every app that makes it to market can be thoroughly vetted for 100 per cent fail-safe security. By selecting reputable apps, backed by favourable user reviews, from a trusted source, you can diminish the risks. Avoid apps with scant reviews or that have only recently been uploaded. Also be cautious when granting an app permissions; consider the app’s function and what it might reasonably need access to.
Keep Software/Firmware Updated
Make sure you are running the latest versions of your apps, OS, and phone manufacturer software and firmware. This will ensure that any security holes are patched and your device is less vulnerable to hacks.
Disable Bluetooth and Wi-Fi When Not in Use
Unsecured wireless networks can be used by hackers to either attack your phone or steal information from it. You can protect yourself by keeping Wi-Fi and Bluetooth off when you don’t need them. When wireless is needed, stick to known Wi-Fi networks using WPA2 and beware of public networks, which are sometimes set up by crooks to snare people’s data.
When using Bluetooth, make sure it’s in non-discoverable mode to avoid hacks like “Bluesnarfing” (stealing data), “Bluejacking” (sending unsolicited messages), and “Bluebugging” (listening in on your calls).
Beware of Links and Attachments
You’ve long been warned about the risks of opening strange links and attachments – particularly those arriving in unsolicited emails or text messages. All those same warnings apply to smartphones. And those warnings also apply to calling unfamiliar phone numbers received in messages, and clicking links for app “updates”. You can ensure the authenticity of an update by going to the app’s website.
SMARTPHONE AV: Add Extra Protection with a Third-Party Security App
Currently, smartphone malware infections are rare – nothing like what you see with PCs. But as proliferation of the devices grows, expect viruses, worms, and trojans to become more of an issue. To combat these threats, you need third-party software, and if you’re like the majority of smartphone users, you don’t have it. But even if malware isn’t a pressing problem at the moment, a security app can offer other useful benefits, such as browsing protection, telephone and text-message spam blocking, and theft-protection features like locking down, wiping, or even locating a stolen phone.
You can find mobile security apps by many of the big names in PC protection. Independent security testing lab AV Comparatives (www.av-comparatives.org) recently evaluated mobile apps from ESET, F-Secure, Kaspersky, and Trend Micro and gave them all “Approved” designations. See the full report at http://bit.ly/cGRySZ.
In today’s connected landscape where we enjoy internet access not only from our desktops and notebooks, but also from our smartphones, tablets, and even our portable media players, it’s easy to see why free-to-use webmail has become so popular. Most webmail accounts now offer several gigabytes of storage space, effectively turning us into digital pack rats.
Everything you choose to save – from sensitive email exchanges to confidential attachments – is not only accessible to you, but anyone who manages to figure out your password, whether by brute force dictionary attacks or by answering a series of weak security questions. And it’s not just your email history that’s in danger; an unsecure webmail account opens the door to other security breaches, like using your email account to send spam and spread viruses. Here are some ways you can avoid becoming just another statistic.
Create a Burly Password
Your webmail account is only as secure as your password, so use a strong one. The best way to do this is to use a combination of letters, numbers, and even symbols if your webmail provider allows. Avoid using real words at all costs, as these are easily cracked by any teenage hacker using a brute force dictionary script. For particularly sensitive accounts, use a random password generator (http://bit.ly/bf9oB2).
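For readers who would rather generate passwords locally than on a website, the following is an added example and not the generator linked above. It covers both this advice and the earlier recommendation of a very long, very random WPA2 key. It draws from the operating system's cryptographic random source through Python's `secrets` module; the symbol set and default lengths are assumptions to adjust to what your provider or router accepts.

```python
# Added example: random passwords and WPA2 keys from a cryptographic RNG.
import math
import secrets
import string

# Assumed symbol set; trim it if your webmail provider rejects some characters.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"

def generate_password(length=20, use_symbols=True):
    """Random password with at least one character from every class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest drawn from the full set.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not sit in fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def generate_wpa2_key(length=63):
    """Random WPA2 passphrase; the standard allows 8 to 63 ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    # Letters and digits only, so the key is easy to type on any device.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` characters chosen uniformly at random."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print("webmail password:", generate_password())
    print("WPA2 key:        ", generate_wpa2_key())
    print("63-char key entropy: %.0f bits" % entropy_bits(63, 62))
```

Store the output in a password safe rather than trying to memorise it; the WPA2 key only has to be typed once per device.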
Use Multiple Passwords
The key to your house doesn’t unlock your car door, nor does it work with your safety deposit box. If it did, you’d be three feet deep in dung if it ever fell into the wrong hands, and the same concept applies to your digital accounts. In practice, most people tend to use the same password for various accounts, and that’s a rookie mistake. Use a different password for your email than you do your bank account, forum login and whatever else you do online. If you have trouble keeping track of them all, store your passwords in a virtual safe, like KeePass (free, http://keepass.info).
Log Out/Leave No Trace
It might be slightly inconvenient to log out of your webmail and clear your browser cache, but if your notebook ends up lost or stolen, you’ll be glad you did. And if there are others around, log out and close your browser before heading off for a bathroom break.
About Security Questions
Answering security questions can save your bacon if you forget your login credentials, but keep in mind that anyone who knows you well can probably guess the correct answer(s). Only rely on these if the questions are particularly personal in nature, or if you’re allowed to create your own that are not easily guessable. And, for God’s sake, don’t publish that information in your Facebook profile. There’s no point in having a security question asking what city you were born in, or what your pet’s name is, if your public profile gives the answer away.
Maximum PC brings you the latest in PC news, reviews and how-tos.