Tuesday, September 14, 2010

Protecting Yourself Online [Updated]

It used to be that all you needed was anti-virus software, a firewall, updates for your OS and applications, and didn't open email attachments you were pretty safe. Fast forward to today, you still need to do all that, but attacks have elevated to where you can get infected by visiting the wrong web site using a browser or plug-in that has not been updated.

There is a technology race between the bad guys creating new exploits to steal your data, to the good guys trying to come up with better ways to stop them. Things change all the time, for example it used to be that Firefox was the safest browser. Although over the years Microsoft has made several enhancements to Internet Explorer that make it more secure then it ever was. Microsoft has also made several security advancements in Windows 7, to make it the most secure OS that they ever produced.

Although even with all these advancements the bad guys are producing newer techniques and methods to steal information from you, or use your computer as minion in a much larger activity aimed at a company or government such as a botnet. In the real world, there are precautions you take protect yourself, family and your property, you also need to take other types of precautions to protect yourself and your data while you're online.

You have probably already heard a great deal of advice from several sources (from friends, blogs, etc...) on how to protect your computer and your data while you're on the Internet. Although, I have not seen a list as comprehensive as the one I am offering below, and what I have seen available seems out of date. I am going to try to update information where appropriate, and offer new advice where I can.
  • Use Software Updates: Make sure your OS and applications are up-to-date. If you use Windows and Microsoft Office, make sure the Microsoft Update feature is enabled in Windows Update. To find this application in Windows 7 and Vista, under the Start menu > All Programs, select Windows Update.
    • Note: Other programs that you may use like Adobe Flash, Acrobat Reader, etc. generally have an application updaters that is built into them. Its important to keep this software at the current release level because it generally contains fixes to exploits which can be used to compromise your computer.
  • Use Anti-Malware Suite: Install a anti-malware suite that can protect you against different types of malware threats (such as: viruses, Trojans, worms, spyware, rootkits, etc.), and make sure you keep it up-to-date. The Microsoft Security Essentials suite, is free and I have heard good reports about it. Check out the following search for reviews of other Internet Security suites that are available on the market.
    • Note: if you want to check if your anti-malware software is working you can use the following test files and see if you get a response from it. These test files don't work on all the versions of the anti-malware software available on the market.
  • Check Your Firewall: If you are using a modern operating system (such as: Windows XP SP3, or higher [Windows Vista, Windows 7, etc.]) and/or a fairly recent home router (bought within the last few years), they generally include some type of firewall which can protect you against most types of network attacks. To perform a basic test if your firewall is working, check out a site called "Shields Up".
    • Note: This test only checks the first 1024 ports (which are called "well known" and therefore the most attacked), there about 64000+ ports that aren't checked by this site.
  • Backup Your Data: Computer backups are like a cheap insurance policy against losing all your personal documents, pictures, music, etc. Every version of Windows since Windows 95 includes some type of backup software, and the backup application in Windows 7 is pretty good. To enable this feature in Windows 7, under the Start menu > Control Panel > System and Security, open Backup and Restore.
    • Note: If you want something more comprehensive, I recently posted an article about a free home version of GFI Backup Software (Home Edition). There are also several online backup solutions that you can check out, some offer a basic level of service that might be free but most of these solutions do cost money. Check out the following search for reviews of other Internet backup services that are available on the market.
  • Wireless Access Points (WAP): Most home routers today include some type of wireless access technology (such as: 802.11b/g/a/n). Most modern home routers come locked down by default, generally with WEP encryption (which is the weakest form of wireless encryption available, and very easy to crack). If you're using a wireless access point in your home or business, its important that you lock it down so people can't steal your Internet access or data from computers on your network.

Notes:
  • To find out how to secure your WAP, see its manufacture's documentation or web site, and use a strong password to secure the administration console.
  • Make sure to use WPA or WPA2 encryption, and use a strong password to secure the connection between your computer and WAP.
  • Also make sure that you're using the latest firmware for these devices, see the manufacture's web site.
Other useful tips:
  • Beware Pop-Up Alerts: If you get a pop-up window/alert while surfing a web site that warns you that a virus just infected your computer or something else is wrong. I would suggest that you immediately close that window or cancel the dialog, and that you run a anti-malware scan of your local computer just in case it somehow got infected.
    • Note: Most modern browsers employ some type of pop-up blocking. To test how well your browser's pop-up blocking technology is working, check out the following site (www.popupcheck.com).
  • Beware Phishing Sites: These are web sites that look like legitimate web site, but are forgeries of the original site designed to steal your login information. Most browsers (such as Internet Explorer, Firefox, etc.), OpenDNS, and search engines employ phishing filters designed to protect you. Although, this can almost be a losing battle because the bad guys are constantly changing their tactics.
    • Note: One way to avoid falling for this type of scam is not to click on links sent to you in emails. Its also a good idea if the SSL digital certificate (HTTPS://) is legitimate.
Google Warning Page
Google Warning Page (explanation)
  • Don't Trust Email: Beware of email phishing attacks, these types of attacks have gotten more sophisticated over the years. They try to use social engineering techniques to get you to reveal passwords and other types of personal data by sending you legitimate looking emails. Most SPAM filters can help protect you against these types of attacks, but you still need to be careful when opening emails and file attachments from known and unknown people, and businesses.
  • Use Strong Passwords: Use strong passwords to protect your different online accounts that you use across various web sites, and rotate them on a regular basis. There are several solutions available for managing your passwords, from an encrypted spreadsheet to a 3rd party password manager (such as KeePass [an open source password manager]). Or whatever solution works best for you.
    • Notes:
      • Don't share your passwords or account information with others.
      • A web site (such as: Amazon, eBay, etc) will never ask you for the password to your account.
  • Encrypt Your Data: One of the best ways to protect your data against being stolen, is to encrypt it. This is especially important if you have a laptop, which can be lost or stolen. Corporation and government organization have to deal with this problem all the time. Also, If you have a flash drive its important that you encrypt the data on that device as well.
    • Note: Microsoft Windows 7 Ultimate edition support the EFS (for file) and Bitlocker (for drive) encryption. It's very important to backup your encryption keys, if these keys get damaged and you don't have backups. Your encrypted data will be unrecoverable.
  • Protect Personal Data: People are often too willing to give away personal data simply because someone asked for it. For example, you walk into a store and buy something and the sales clerk asks you for your phone number before they start ringing up the merchandise. Data like that can data mined, and can be used to cold call you in the future. Another example, If a site requests that you register with your personal email address, and don't want to give that information. Use 10MinuteMail.com to create a temporary e-mail address that lives for 10 minutes.
    • Note: Be careful about posting too much data about yourself on social networks (like: Twitter or Facebook). For example, if you're going on vacation don't broadcast it to everyone in your network before you go. Also avoid posting other personal information such as your birthday or physical address.
  • Beware Public WiFi: Connecting to public or unsecured wi-fi hotspots can be dangerous because the unencrypted data can be captured without you knowing about it. So you need to be careful about accessing any sites that contains confidential or personal data from these locations.

Notes:
  • Use trusted DNS providers on your portable devices (such as laptops, and smart-phones) like OpenDNS to help protect against certain types of attacks.
  • If you have use one of these type of public or unsecured wi-fi hotspots look into commercial VPN solutions to encrypt data between your laptop and the Internet.
  • Beware Public Computers: Its very easy for public computers to be compromised and setup to steal confidential information. Don't access any site where you enter personal information (such as work related sites, email, financial, etc.) using one of these computers.
    • Note: Be careful about installing your flash drive into one of these devices as it could get infected with some type of malware.
  • Locking Your Screen: Whether you're at home, or at work its always a good idea to lock your computer screen when other people are around. It's also recommended that to set your computer to auto lock after a few minutes of inactivity.
  • Limit Start-up Services: You should review all your start-up services, and disabled or uninstall any of them that are not being utilized. You can use a program like Autoruns, to manage these programs.
  • Limited User Accounts: Most users should not be running under a user account with administrator privileges on the local system. It's convenient to have these privileges, but if you don't need them then it helps limit the potential that you computer can get infected.
    • To manage user accounts on your local system, go into the control panel and search for "User Account".
  • Enable UAC Feature: If you don't want to use a limited user account, Microsoft has created the UAC (User Account Control) feature. Whenever a privileged actions are executed, you're prompted with a dialog to approve or deny this function.
    • To enable UAC, go into the control panel and search for "User Account Control". Use the slider to adjust amount of notifications you want to receive. The higher the slider, the more notifications you will be displayed.  For more information, see the following article.
  • Limit File Shares: You should review all your file share that are on your computer, and disabled any of them that are not being utilized. You could accidentally expose files that you don't intend to share on your network.


    • To manage your file shares, go under the Start menu, right-click on Computer and select Manage. Expand Share Folders, and Shares to see what file paths are being published.
  • Uninstall Unused Programs: Over time we all install applications on our computers that we may have used once. These unused programs can sometimes contain exploits and other vulnerabilities that can be used against it. My suggestion is that you uninstall any programs that you're not using. This also frees up disk space, and could also potentially uninstall unused services running in the background or in the notification area that you might have forgotten about.
  • Turn Off Your Computer: There are several good reasons to turn off your computer when when you're not going to use it for long periods of time. Just to name a few, it saves you money (no power is being used), saves the environment, and keeps your computer from being exploited or getting infected.
  • Check Facebook Settings: As you know Facebook and other social networking sites like twitter can help you to accidentally expose information (such as what you really did over the weekend or what you may think about someone) that you don't want to share with the world. By locking down your privacy controls, you can limit who has access to that information.
    • Notes: Facebook has recently released type of dashboard to help you manage these setting so you can quickly see how your information is being shared. If you need more information on your privacy settings, check out the following web page.
  • Lock Your Laptop: Laptops are portable, powerful, feature packed, and cheap these days. They can replace most of the functions that only full desktops used to do. This is a perfect combination for mass adaption. With all the great things that laptops offer, they are also very easy devices to steal and therefore you should do a few things to protect them.
    • Never leave your laptop sitting by itself. Buy a laptop cable lock, then secure the machines to a desk or table when you're not using it.
    • Windows 7 Ultimate edition allows you utilize BitLocker to encrypt all the data on your laptop's hard drive.
    • Make sure to enable automatic screen locking, and biometric features (such as finger print scanners if available).
    • Use trusted DNS providers on your portable devices (such as laptops, and smart-phones) like OpenDNS to help protect against certain types of attacks.
Bonus Tips:
  • Need some additional help, you can call Microsoft and get free technical support if your questions are about Windows security, or malware removal. Just call 866-PCSafety (866-727-2338).
  • If you're going to buy something online, I would recommend that you avoid using a debit card and a use a regular credit card if you can.  You generally have more rights and protection if your credit card information is stolen or abused.
  • Some people are concerned about the hidden information (known as metadata) stored in documents. Many popular applications store this information for different reasons.  Although, there has been issues where this metadata has reveal information that people and corporation were not expecting to be released.
    • To address this problem some software developers include tools in their applications to remove this data.  For example, the current version of Microsoft Office contains built-in utilities that allow you to manually view/remove the metadata from its files.  See the application help file for more information.

    Please post your tips in the comments, I look forward to reading them.

    No comments: