Thursday, October 4, 2012

Basic PC security Part Deux

Part 1

How can I look at things safely?

It's somewhat difficult to concisely talk about the browser and browsing habits because some of the issues are technical, and some are human in nature.  I'll focus on the technical first, because they're easier to address.

The web gets its interactivity through technologies like Flash and JavaScript.  Unfortunately, those very same technologies can prove to be harmful.  Flash, in particular, is known for its exploits, both because its creator, Adobe, is slow to patch them, and because Flash is the platform online advertisements are generally built on, which gives would-be attackers an incredibly wide target audience.  While it's less common now, attacker-compromised ad servers are a popular way to spread malware.

While not dangerous directly, JavaScript can be used to dynamically load other data, or bring the user to another destination that contains something dangerous.  While JavaScript can be turned off in the browser, many websites (like just about everything Google owns) require it, so removing it from the equation entirely is essentially impossible.

The solution for both problems comes in the form of browser plugins and/or settings, depending on the browser itself.  For Firefox and Chrome, the plugin Adblock Plus stops any and all ads (after tweaking some settings) from appearing.  In some cases, that can cause some site functionality to break, but you can tell it not to stop ads on a particular site.  Similarly, for JavaScript, the NoScript plugin stops all scripts except for those you explicitly allow.  That kind of granular control will allow you to customize your internet experience.

Bad browsing habits are a bit harder to curb.  Generally speaking, sites that offer free merchandise (like, say, an iPad), sites that offer free porn, and sites that offer crass, edgy videos and images tend to be a breeding ground for malware and assholes.  I'm not sure if it's the same today, but back in the day sites like eBaum's World crawled with bugs.  If it sounds too good to be true, or if the site would attract people who would have no qualms with screwing with other people, try to stay away.

Be aware of any downloads.  If you're downloading a document, it should end in .pdf, or .doc, or .docx.  Don't open anything from a source you're not familiar with.  That means email, images, files, etc.  If you don't know the source, you can't trust the source.

One final thing: be cognizant of what you share on social media.  Do you really want the entire internet-connected world to know your address, number, work address, husband's/wife's/children's info, or pictures?  Information is power.  Don't let those you don't know have power over you.

I'm sensing a common theme... the human factor is key, huh?

In any system, the weakest point is wherever humans enter the picture.  We're fickle, impatient, moody, and ambitious - the perfect combination for exploitation.  Social engineering (or, in non-nerdy terms, conning/scamming) is still one of the most effective ways to compromise a system.  Attackers disguise themselves and their requests as legitimate, hoping that they're in contact with a computer-illiterate mark who will be led to give away their own secrets.  And it happens all the time.  This year's rash of Xbox Live account thefts was largely due to people duping the Microsoft employees on the customer service line.  Someone posing as Windows tech support tried scamming Ars Technica.

There are so many ways that attackers can disguise themselves, it's impossible to talk about them all in this space.  But, I can give some general tips:
  1. If something seems suspicious, it probably is.
  2. No reputable company will ever ask you to email them your login credentials.  They already have them, and don't need them to refer to your account.
  3. Be wary of any email asking you to log in to fix some error.  Call the company (and be sure to use their real number, NOT what's in the email) to verify.
  4. Tech support will never call you out of the blue.  It doesn't work that way.
  5. Where available, use two-factor authentication.
  6. When in doubt, ask your nerdy friend/relative.

Above all else, remember that there are people out there who would like nothing more than to get their hands on your money, your identity, and your very being.  Be cautious, be smart.

What about viruses and stuff?

Amazingly, it's fairly simple to protect yourself.  Windows' firewall is turned on by default.  The question then becomes, "What anti-virus and anti-malware software should I use?"

New computers come with a heap of useless crapware.  That McAfee or Symantec/Norton anti-virus that came with it?  Also crap.  They're bloated pieces of code that have low detection rates and cost money.  Horrible.  There's no need to pay for a quality anti-virus program.  While there are many free alternatives (AVG, Avast!, etc.), I prefer Microsoft Security Essentials.  It's absolutely free; no fee for initial download or any kind of subscription nonsense.  It doesn't take a lot of resources.  It's unobtrusive.  It has a high and accurate detection rate.  For my needs, and likely the needs of most end users, it's just about perfect.

For my anti-malware supplement, I use Malwarebytes' Anti-Malware.  It's also free, and is a no-nonsense malware detector/remover that can sniff out just about anything.

Do these programs make a computer bulletproof?  No.  But when combined with other preventative measures, like good browsing habits, they're very effective.

As an aside: those Finally ads, and any other service built around "Clean up your PC!" are selling snake oil.  There's no reason for anyone to pay for that kind of service.  With the links provided above, you already have most of the tools needed to clean up your PC yourself.  Why pay someone $60-$80/hr to do it when you can do it yourself in a weekend?

So, is that it?

Well, not really.  Security is a broad topic, so broad it's impossible to completely tackle in a blog format.  My main goal is to raise awareness and curiosity.  There's no reason to not be aware of the incredibly basic steps needed to help secure yourself.  Given our ever-increasing online presence, protecting ourselves on the internet is at least as important as physically protecting ourselves, our families, and our homes.  Since the only real costs involved are time and employing common sense, there's no reason not to take preventative action.
