Mar. 11th, 2015

blatherskite: (Default)
Watching the news tonight, I saw yet another story about people victimized by malware. Malware is software designed to subvert your computer; it includes viruses, trojans, and a wide variety of other obscure things. Most of the people who are victimized make the same basic mistakes, and they're the kinds of mistakes that are simple to avoid with a little foreknowledge. In this post, I'll try to provide the basic knowledge you need.

DISCLAIMER the first: People who create malware for a living are smart. Mostly really smart. Smarter than me, smart. Probably smarter than you, smart. If they want to get you specifically, they probably can do it. After all, you frequently read about them breaking into the computers of governments and large companies -- organizations that have full-time staff on the watch for such things. Me and thee? We don't have the expertise or the time. This guide will only make things more difficult for the bad guys and encourage them to look for easier targets; it's not guaranteed to stop them.

The good news? I'm not sufficiently important or wealthy or (mostly) annoying for anyone to want to target me. You probably aren't either. Make an effort not to make enemies online and you'll probably stay off the radar of the bad guys.

DISCLAIMER the second: If any significant number of people read this article, there's no way I can possibly answer all their questions. Thus, please don't write to me unless you have something significant to add to this post (a serious error or something important I forgot to mention). If you've got a question, ask your techy relative who's always going on about computers, your brother's or sister's smart 14-year-old, or the store that sold you your computer. Then research their advice online to make sure it's sensible. Please don't ask me. This article contains most of what I know, and gives you enough of the key terms that you can look up the information yourself.

The good news? All of the steps I'm going to list here are easy to do yourself, possibly with a little help from a knowledgeable friend. They won't give you 100% security, but life's like that in the non-computer world too. All you can do is make an honest and reasonable effort to make it more difficult for the bad guys to harm you.

That being said, here are some things you should do for any computer:


  • Set your computer to automatically download and install security updates. For Macs, see Apple's article "Update OS X and App Store apps on your Mac". For Windows, see Microsoft's article "Keep your PC up to date". Computer companies don't always get it right the first time, no matter how hard they try, so it's usually reasonable if you prefer to wait a day or two after an update has been announced to ensure there are no problems.

  • Install an integrated product that contains antivirus software, antimalware software, and a firewall (see below) to protect you against the various types of danger that lurk online. The companies that produce these products are constantly leapfrogging each other in quality, but any of the main commercial products and several free products are a "good enough" choice. For peace of mind, stick with one of the big companies until you develop the expertise and skills to create and maintain your own solution. The Norton family of products has been a solid choice for both Macs and Windows, and has been around for many years. Kaspersky's security products for Mac and Windows have recently become a serious contender and are worth a look.

  • Set the password for your network, because it's much more difficult for someone to get in if they don't know the password. (See the note at the end of the article about creating strong passwords.) Most people connect to the Internet via a cable modem or router, and these devices tend to ship with a default factory-installed password. Consult the documentation to learn how to reset that password. For your Wi-Fi network, use WPA2 security if your router offers it; WPA is your next-best choice, but if that's the best the router has to offer, consider investing in a more modern router.

  • For those who travel with their computer, beware the lure of public (open) Wi-Fi networks. Again, choose the strongest security you can find for the connection (at least WPA2), and make sure that you're using the actual network being provided by (say) the coffeeshop or airport lobby you're in. You'll occasionally come across a fake network that's intended to capture your login name and password or other useful things. Most often someone is doing this purely for sport, just to prove they can do it, but sometimes they have more sinister motives. For some thoughts on how to use public Wi-Fi safely, see "Safe Communications with Open Wi-Fi Hotspots" (scroll halfway down the page to reach this title).

  • Run a firewall -- software that keeps the Internet at arm's length by preventing casual snoops from seeing your computer behind the wall. If people can't see your network or your computer, they can't sneak into it. Both the Mac and Windows come with built-in firewall software, accessible via the preferences panes (Mac) and control panels (Windows). All you need to do is turn it on. Commercial products may be stronger, but using what Apple and Microsoft created for you is a good start.

  • Set the password for your computer (again, see the advice below about strong passwords). Learn how to set up multiple user accounts on your computer, and give most of those accounts only basic usage rights; if a user can't intentionally install safe software, it's less likely they'll be able to inadvertently install malware. Create a special administrator account for all software installations, and only use it when you need to install something. Don't let anyone install software in their user account unless you're confident they know what they're doing.

  • Don't respond to phone calls claiming to be from your computer manufacturer or the developer of your computer's operating system. Microsoft and Apple couldn't care less about you, and they will never call you unless you called them first.

  • Don't give your password to anyone over the phone or over the Internet unless you initiated the dialogue with them and you're sure that you reached the right people. Most banks, credit card companies, and other reputable businesses won't ask you to give up your password or click a link to go to their site; they'll suggest that you log into the site yourself to do whatever is necessary.

  • Don't open any attachment that someone sent you unless you're sure it's legitimate -- and the fact that it appears to have been sent by a friend or family member is no guarantee it's safe. A common ploy is to send malware via an e-mail message that looks like it came from someone you know. (The bad guys can get this information easily from places like your Web site, blog, Facebook account, or LinkedIn profile.) The only way to be sure is to ask the person where they got the file, and (if you trust that site), go get it yourself from that site. For example, ask for the title of a YouTube video and then search for it yourself on YouTube.

  • Don't click any link embedded in an e-mail. If you think it's legitimate, go directly to the appropriate site (type its home address yourself in your Web browser) and search for the information described in the link.

  • Don't visit sites of questionable virtue. People who think nothing of (for example) stealing software or slandering public officials or posting nude photos of celebrities probably don't have your best interests in mind either.

  • Google is your friend. (Or Bing or Yahoo or DuckDuckGo, if it bothers you that Google has long since removed the "don't" from their former corporate mission statement, "Don't be evil.") Whether something seems fishy or legit, look it up online from a trustworthy source before you trust it.

  • If it seems too good to be true, it usually is. There ain't no such thing as a free lunch. Except the stuff on my Web site. There's an exception to every rule.



Setting a strong password: You'll see a lot of advice about the best way to create a password, including the suggestion to use odd combinations of symbols and numbers chosen from the keyboard. In fact, two things about passwords are more important than their complexity: First and foremost, it needs to be something you remember; if not, it'll frustrate you so much you'll choose a simpler password. Second, it's more important that the password be long than that it be complex. The easiest way* to create a strong password is to use a sentence: "todayisthefirstdayoftherestofyourlife", for example, or if that's too long, "titfdotroyl", the first letter of each word. (DON'T use that example. Duh!) Aim for at least 8 characters; double that is better. Although symbols and numbers aren't necessary, they greatly increase the number of options that must be tested by anyone who wants to crack your password, so if you can include them in a memorable way, by all means do so.

* Actually, the real easiest way is to use password manager software that helps you create and manage passwords for the dozens of sites that require them. I use Password Wallet, which is simple, elegant, and effective, but there are many other options. Nonetheless, you still need to create a strong master password for that software. Needless to say, write it down and store it somewhere safe, far enough from your computer that a thief won't find it easily.
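To put numbers on the length-versus-complexity point above, here is an added example (not part of the original post) that compares the article's two sample passwords with a constructed 8-character password mixing all four character classes. The function names and the `J7#qv!2K` sample are assumptions made for illustration.

```python
import math
import string

# Character classes a blind, exhaustive search has to cover per position.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)


def pool_size(password):
    """Candidate characters per position, given the classes the password uses."""
    return sum(len(pool) for pool in POOLS
               if any(ch in pool for ch in password))


def brute_force_bits(password):
    """log2 of the exhaustive search space (pool_size ** length).

    This is an upper bound: it assumes every string must be tried.
    A sentence that appears in a phrase list, or a reused password,
    is weaker than this number suggests.
    """
    pool = pool_size(password)
    if pool < 2:  # empty input, or only characters outside POOLS
        return 0.0
    return len(password) * math.log2(pool)


def rank(passwords):
    """Return (password, bits) pairs, strongest first."""
    scored = [(p, round(brute_force_bits(p), 1)) for p in passwords]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The two examples from the article plus a constructed 8-character
# password that mixes all four character classes.
SENTENCE = "todayisthefirstdayoftherestofyourlife"
INITIALS = "titfdotroyl"
COMPLEX_8 = "J7#qv!2K"  # constructed sample, not from the article

if __name__ == "__main__":
    for password, bits in rank([SENTENCE, INITIALS, COMPLEX_8]):
        print(f"{len(password):>2} chars  pool {pool_size(password):>2}  "
              f"{bits:>6} bits  {password}")
```

The 11 lowercase initials land within one bit of the 8-character mixed-class password, while the full 37-letter sentence has more than three times the bits of either.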

Some of these rules can be bent or even broken if you know what you're doing. Most of us don't know what we're doing nearly as well as we think we do. When in doubt, play it safe and stick to the rules.

One rule that shouldn't be broken under any circumstances: Create ongoing backups to ensure that if the worst does happen, you can easily recover your important things. The best backup solution is one that you will actually use, so an automated service like Carbonite or DropBox is probably your best bet; it doesn't rely on you remembering to make backups. One powerful advantage of such services is that they store your backups outside your home. Malware isn't the only bad thing that can happen to a computer, and if you store your backup at home, a fire or flood that destroys your computer (or a burglary) is also likely to ruin your backup.

Grateful thanks to Bill Blinn of TechByter for a reality check.
