Online Security and Safety
December 17, 2008. Posted by TimTheFoolMan in Security.
Tags: AdBlock, AVG Free, Firefox, HOSTS file, NoScript, Sandboxie, Secunia, Security, SteadyState, Windows XP
Instead of just telling everyone the same thing over and over, I’ve tried to codify my recent advice about keeping your system safe and secure online into one document. I’ll be moving this to my “Protecting PCs” page soon.
Please note that this advice is primarily intended for home users. Much of this applies to businesses, but there are some additional things a business should do that aren’t feasible for the home user.
Rules and Advice
Here are the basic rules from which my advice springs:
1. Don’t trust sites that you visit regularly (NY Times, Courier-Journal, etc.) too much. Commercial sites pay a lot of money to make sure their systems aren’t hosting bad stuff, but your opinion of “bad stuff” and theirs may be different. They may feel that it’s perfectly OK to track your shopping behavior as you go from site to site, but you may not. Also, because big sites tend to be trusted, hackers know that planting something bad there is almost guaranteed to infect lots of people. Protect yourself against problems with untrusted sites by limiting how much of the content on their site your computer downloads and uses.
2. Learn to trust VERY few sites (Facebook? Kinda. MySpace? No!)
3. Trust your friends, but don’t trust your friends’ computers. You may be a freak about how you take care of your computer, but they may not, so you have no way of knowing that the email they sent, with some really cool application or movie or picture, wasn’t really sent by a virus on their system.
4. Recognize that porn sites and sites with bit-torrents are prime places for hosting bad stuff (they use freebies to get traffic). This is why the worst virus infections hit computers used by teens.
5. Recognize that control over your computer is worth real money to a large number of people, most of whom have ties to organized crime, and have no problem with doing all sorts of things, and putting forth a great deal of energy, just to get control over your system. Recent research has determined that hackers have gained remote control of hundreds of thousands of computers, and organized them into large “botnets” (networks of Internet robots) that they can use in various nasty ways to make money.
6. In addition to #5, recognize that information you possess may be even more valuable, especially if you do online banking, make purchases, and so on. Passwords to bank accounts can be worth $1000’s, so you have to protect the computer accordingly if you use it this way. Recently, a small town had its bank account wiped out to the tune of $50,000 when a virus was implanted to get the town clerk’s passwords to the town bank account. Crooks now tend to steal smaller amounts from more people, as it’s less likely to be noticed.
7. Virus infections used to be something like taking out the trash. Not anymore. Today, a computer infected with a virus is like a bowl of soup with poison poured in. Even if the color of the poison makes it stand out, how can you be certain that you got it all? For the most part, you can’t, and would just throw the whole bowl out and start over. This applies to computers, as the only way to REALLY know that a machine is clean is to throw everything out and start over.
What I wrote above should frighten a lot of people, because most people treat the Internet as a friendly place. It’s not. The percentage of bad people online is probably higher than it is in real life, largely because of the anonymity that the Internet provides.
With that said, there are two major ways computers are used, and the approach is different for each one: used only by me, and used by others. Each scenario requires some variations to accommodate the advice above.
Used Only by Me
If the computer is used by me only, then I can take full responsibility for everything that happens to it, and have complete control of where I surf, what I download, and so on. For the most part, what I wrote above might very well be all that is necessary to protect someone who is the only user of a computer. However, even someone who is careful can do something dangerous, so having some extra protection in place makes a ton of sense.
A) Keep your computer up-to-date
If you’re running Windows, you should be downloading updates from Microsoft automatically. If you run custom software or business-critical stuff (or if you’re a control freak like me), you might want to install them manually, but otherwise, you should set your system to install them automatically. Microsoft sends these out on “Patch Tuesday,” the second Tuesday of each month.
To monitor potential issues with other applications, download the Secunia Personal Software Inspector from here: http://secunia.com/PSISetup.exe and it will alert you to applications that have known security issues. You don’t need to run this all the time, but you should at least run it once a month. I recommend running it on Patch Tuesday, since that’s when you’re updating everything else. The little notice from Microsoft that your system was (or needs to be) updated can be your reminder to run Secunia.
If you’re running something other than Windows (Mac OS X or Linux), the risk of your system getting infected is much lower, mostly because far less malware is written for those systems, not because they are immune. Even so, it pays to keep your operating system (and other applications) up-to-date.
B) Keep your computer from downloading bad stuff to begin with
This may seem obvious, but it’s not, and this suggestion has several parts:
- Get this file: http://www.mvps.org/winhelp2002/hosts.zip and follow the directions in the ReadMe.txt file.
- Download the Firefox web browser from here: http://www.mozilla.com/en-US/firefox/. There are other good web browsers, but Firefox can use some add-ons that make it much safer than the other options out there.
- After installing Firefox, download and install NoScript from here: https://addons.mozilla.org/en-US/firefox/addon/722
- Next, download and install AdBlock Plus from here: https://addons.mozilla.org/en-US/firefox/addon/1865
- Get the ad filter list from the following location (AdBlock should prompt you for this): http://easylist.adblockplus.org/easyelement+easylist.txt
- You’ll notice that NoScript causes a bunch of stuff to break the first time you visit a site that uses “active content.” Go here http://noscript.net/features for an explanation of what it’s doing, why, and how to allow the content you want and block the content you don’t want.
Using the blocking HOSTS file, Firefox, AdBlock, and NoScript addresses
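To see what the blocking HOSTS file from the first step actually does, here is an added PowerShell example (mine, not part of the original post or the mvps list) that reads hosts-file syntax and answers “would this name be blocked?” It runs against a small constructed sample rather than the real file, and the host names in it are made up. The point it makes is the one people miss: the match is on the exact host name, so an unlisted subdomain of a blocked domain is not blocked.

```powershell
# Added example (not from the original post): how Windows consults a blocking
# HOSTS file, run against a constructed sample instead of the real file at
# %SystemRoot%\System32\drivers\etc\hosts. The host names below are made up.

$SampleHosts = @"
# comment lines and blank lines are ignored
127.0.0.1       localhost
0.0.0.0         ads.example.com        # trailing comments are allowed
0.0.0.0         tracker.example.net    www.tracker.example.net
"@

function ConvertFrom-HostsFile {
    param([string]$Text)
    $map = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # drop comments, then split on whitespace: the first token is the
        # address, every later token is a host name that resolves to it
        $clean = ($line -replace '#.*$', '').Trim()
        if ($clean -eq '') { continue }
        $tokens = $clean -split '\s+'
        if ($tokens.Count -lt 2) { continue }       # an address with no names
        $address = $tokens[0]
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $map[$tokens[$i].ToLower()] = $address
        }
    }
    return $map
}

function Test-HostsBlocked {
    param([hashtable]$Map, [string]$Name)
    # The match is on the whole name, exactly: there are no wildcards, so a
    # subdomain that is not listed falls through to real DNS and loads normally.
    $address = $Map[$Name.ToLower()]
    return ($address -eq '0.0.0.0' -or $address -eq '127.0.0.1')
}

$hosts = ConvertFrom-HostsFile $SampleHosts
foreach ($name in 'ads.example.com', 'cdn.ads.example.com', 'www.tracker.example.net') {
    '{0,-26} blocked: {1}' -f $name, (Test-HostsBlocked $hosts $name)
}
```

To check the real file instead of the sample, feed it `(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") -join "`n"`. Two caveats worth knowing: either 0.0.0.0 or 127.0.0.1 blocks the name, but 127.0.0.1 makes the browser try your own machine first (slow to fail, and it will succeed if you run a local web server), while 0.0.0.0 fails immediately. And the file only stops name lookups. Content fetched by IP address, or from a domain not on the list, still loads, and any program running with administrator rights can rewrite the file (some malware does exactly that to cut off antivirus update sites), which is one more reason for section D below.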
C) Protect your computer from bad stuff that you got anyway
In spite of our best efforts, stuff sometimes finds its way through and hits our computers. There are two ways of addressing this problem: sandboxing bad stuff, and catching bad stuff after it gets in.
As I mentioned earlier, viruses are like poison that’s been dumped into soup. Section B told you how to keep the poison out, but what if some of it gets through? The hope of most Antivirus products is to search out and find the “poison,” hopefully before it’s mixed in thoroughly, and hopefully before you eat some of it. However, new kinds of viruses come out every day, and the people writing them are so good, they typically install all of the major Antivirus software on a test machine, and don’t bother releasing a new virus unless it goes undetected on the test system.
Geek note: Yes, I’m aware that there are products that attempt to protect your system based on the behavior of malware, often referred to as “heuristic” scanning. There is not much in the way of conclusive evidence that the end-user products that do this are as effective as the overall strategy I’m recommending here.
At this point, most Antivirus products will not protect you from something brand-new. This doesn’t mean you shouldn’t run an Antivirus, but it means you should not pay much, if anything, for it. My current recommendation is the free version of AVG, found here: http://free.avg.com/. Pay for Antivirus only if you have extra money sitting around, and can’t think of anything better to do with it.
To “sandbox” downloaded things, imagine the scenario of the soup with poison in it. Instead of dumping stuff into the pot as the soup is cooking, what if you just dump it into a bowl? If you do this, then all you have to throw out is one bowl, and the rest of the soup is still good. What do you sandbox, and how do you do it? You sandbox anything that touches the Internet, but most specifically your web browser, your instant messaging software, and your email client.
I use and recommend Sandboxie (called this because it was originally developed to “sandbox” Internet Explorer, commonly called “IE,” so the name was really “SandboxIE”). The sandbox keeps everything you do on the Internet in a “sandbox,” and doesn’t let it get out to touch the rest of your system without you doing so very intentionally. You can download and try Sandboxie here: http://www.sandboxie.com/. If you decide to buy it, it’s about $30 USD.
D) Don’t surf or answer email using an Admin account
I put this last because many of the steps above require you to install software, update your system, or change the configuration. All of these are risky things to do, and they are things that shouldn’t happen very often.
One thing most people don’t recognize is that Windows versions before Vista run, by default, with full Administrator rights (Vista’s first account is an administrator too, but User Account Control holds those rights back until you approve a prompt). Why is this a big deal? Well, in computer terms, the Administrator is God, and can do whatever he/she wants, like installing new applications, and changing the way the system works. Obviously, it’s important to have an account like this, but unless you install new applications all the time, there’s no reason to use this account most of the time.
Instead, create a new admin user. Now, log out, log back in as the new admin, and change your old user account to be a non-admin account. Finally, log back out, and log in using your old name & password, which is now a “regular user.” You won’t be able to install applications here, but most software should work correctly, and even if you do get bad stuff, it won’t be able to dig into the system itself (drivers, services, other users’ accounts). It can still read and send anything your account can read, so this limits the damage rather than preventing it. In effect, by restricting the rights of your account, you’ve put handcuffs on all of the applications you run, which is similar to sandboxing. (However, I recommend that you run in a sandbox, even as a non-admin user.)
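The same account split, done from the command line instead of the User Accounts control panel, as an added example that is not from the original post. It uses the `net user` and `net localgroup` commands that ship with Windows XP, and the account names “TimAdmin” and “Tim” are placeholders for the new admin and your existing everyday account. Run it from a command prompt or PowerShell window that is itself running as an administrator.

```powershell
# Added example (not from the original post): the account change from section D
# done with the net.exe commands that ship with Windows XP, rather than through
# Control Panel. Run it in a window that is already running as an administrator.
# "TimAdmin" and "Tim" are placeholder names: "Tim" is the everyday account that
# is an administrator today.

$NewAdmin = 'TimAdmin'
$Everyday = 'Tim'

# 1. Create the new administrator. The * makes net.exe prompt for the password
#    instead of leaving it in the command history.
net user $NewAdmin * /add
net localgroup Administrators $NewAdmin /add

# 2. Check BEFORE demoting anything that the new account really is an
#    administrator; otherwise you can lock yourself out of administering the PC.
$members = net localgroup Administrators
if (-not ($members | Where-Object { $_.Trim() -eq $NewAdmin })) {
    throw "$NewAdmin is not in Administrators; not demoting $Everyday."
}

# 3. Turn the everyday account into an ordinary user. Adding it to Users first
#    is harmless if it is already a member (net.exe just says so), and the
#    change takes effect the next time that account logs on.
net localgroup Users $Everyday /add
net localgroup Administrators $Everyday /delete

# 4. Show the result: Administrators should list TimAdmin but not Tim.
net localgroup Administrators
net user $Everyday
```

The step 2 check is the part people skip: if the new account never made it into Administrators (typo in the name, for example), removing your old account from the group leaves nobody who can install updates. Log off and back on as the demoted account before trusting the change, since group membership is read at logon.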
Used Only by Others
If the computer is used by other people, you want to do everything in A, B, C and D above, except for installing Sandboxie. Instead, download and install Microsoft SteadyState (http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx), and make sure you turn on “Windows Disk Protection.” SteadyState gives you a ton of features, but the most important (from a security standpoint) is the ability to simply reboot, and have the system completely forget about everything that happened on the startup disk. (Obviously, if you want to save any work, you need to store that on a jump drive, or another disk.)
If you’re logged in as an Administrator, SteadyState will ask you if you want to save changes when you shutdown/reboot. This allows you to use the admin account to install new programs, save those changes, and then go back to normal usage.
For All Systems
Remember item #7 at the beginning? Imagine that you’ve done everything that I’ve suggested, but now you’re surfing around, and hit a site that contains some bad stuff. You shouldn’t allow it to run everything, but you ignore the NoScript add-on and run all their content anyway. At this point, you’re running your browser inside a sandbox (or within a SteadyState-protected user account), so all the bad stuff will go away when you shut down the sandbox (or reboot). Unfortunately, any bad code you’ve downloaded during this session will still be there. What do you do?
Always… always… ALWAYS shutdown your browser/system and start from scratch before doing any kind of financial transaction, or hitting any site that requires important passwords. If you’re using Sandboxie, shut down the sandbox and start a new browser session. If you’re using SteadyState, shutdown and reboot.
If you follow the advice above, you’ll keep your system clean and free from nasty stuff, and you won’t have to worry about anyone capturing important financial information from you.