Why should you initiate and maintain the effort to ensure that your computer has the latest operating system patches, application bug fixes, virus definitions, spyware protection, and use a firewall? Here's a relevant excerpt from an article about online scams on O'Reilly's Web site:
The [spam application] configuration file specified that the scam be sent through a set of "proxy" computers to hide the identity of the phishers. An accompanying list of the proxies included hundreds of apparently virus-infected or hacked home personal computers connected to cable modems or DSL lines.
Spam is unwanted bulk email, often commercial. Spam may also mimic email from legitimate businesses and include links to bogus Web sites. Phishing is an attempt to get you to reply to email with personal information, or to use a bogus banking or shopping Web site whose sole purpose is to lure naive users into submitting their personal information, credit card numbers, etc. in an email or Web form. These sites may accurately mimic the look of legitimate Web sites. Both spam and phishing activity only grow over time. For an example, security vendor F-Secure posted a screen capture of a PayPal phishing example.
The compromised home computers mentioned above are often referred to as "zombies" or as members of a botnet. You can read the online articles "Dutch smash 100,00 strong zombie army" or "Vint Cerf: one quarter of all computers part of a botnet" for examples of the threat. To further illustrate, I will describe a recent holiday visit to a friend's family. I found their computer sluggish and unresponsive with numerous ad pop-ups. I ran an online spyware scan that identified 964 problems. (The high number from the scanner may result from identifying advertising cookies as problems, but there were also a number of high-risk problems, like trojans and spyware, highlighted in the results.) I also visited the "Are You Cracked" link on the DShield.Org Web site and found a high number of attacks attributed to the IP address listed in its attacker (i.e., compromised computer) database. I recommended The Parasite Fight: Quick Fix Protocol to a family member. The next day the computer was running much better. Another cleanup session in the afternoon used the recommendations of the Optimize Guides: Diagnose XP page for more tools and techniques. Another recovery resource is "Guide for Fixing a Buggered Windows Computer".
A really good introduction to malware—viruses, trojans, and worms—is available in the MacWorld article "Leap-A malware: what you need to know" about the first exploit for MacOS X. It covers user actions, the different types of exploits, and details of the particular exploit. It is concise and valuable. Check it out. Another site's blog entry "How to protect yourself against the latest Mac OSX Trojan/worm/virus" includes more information and links on that problem.
You can take steps to ensure your computer is protected by becoming knowledgeable, using tools, and changing your online behavior. I have an index of links to security information sources. I also have a couple of additional security articles. See Securing Windows XP on My Home Computer and the Spyware and Troubleshooting Resources page for more information.
Computers using the Microsoft Windows operating system occupy the majority share of the computer market and therefore are the biggest target for attackers. (I also use a Macintosh.) There is an article on Protecting Your Home Network on the Microsoft: Security at Home site that lists four basic steps to secure your computer:
I will describe items I use in my home network of Windows and Mac computers:
I use a combination of hardware and software. Threats come from incoming and outgoing connections. A router and most firewall software will protect you from incoming connections, port scanning, etc. You also need to protect yourself from outgoing connections from viruses, trojan horses, and spyware running as local programs. You can review one vendor's Firewall Q&A information site for details on these issues and techniques.
Internet -> Telco DSL signal -> DSL modem -> wireless router -> home LAN
I wrote an article on my wireless router setup. At a minimum, you should:
At the least, read the manual on authentication and encryption. (By the way, in setting up a home router/firewall about a year or two ago, it was only a minute or so before I found a port scan attempt in the router log.)
On Windows, ZoneAlarm—in Free, Pro, or Suite versions—is highly regarded. It protects incoming and outgoing connections. Once installed, the default settings will keep you well-protected but it took some time to understand the alert windows that appear when local programs want to access the Internet. There is a tutorial that links to the ZoneLabs Web site and the local help system is extensive. (I did notice the help in the free version describes features only available in the Pro version.) Technical support includes a user forum. Visit ZoneLabs technical support and download the PDF User Guide. Another, well-regarded, personal firewall product is Kerio from Sunbelt Systems.
On a Macintosh, MacOS X has a built-in firewall that you can activate in System Preferences: Internet & Network: Sharing: Firewall to limit incoming connections. For a deeper understanding of the underlying ipfw Unix utility (Internet Protocol FireWall) that allows you to set up connection rules, see the Configuring Jaguar's Firewall article. Mentioned in the article is a utility, BrickHouse (now Flying Buttress), for advanced configuration of the MacOS X firewall. In addition, I'm now using a program for my Mac called Little Snitch, available from http://www.versiontracker.com/, which tracks outgoing connections from your computer to sites on the Internet.
Little Snitch handles only outgoing network connections on all network interfaces (Airport, ppp, network cards, ...) Little Snitch intercepts and delays an application network access until you decide to allow or deny the request or handles the request based on an already defined rule. Incoming connections can be blocked with the Mac OS X built in firewall.
Both ZoneAlarm (PC) and LittleSnitch (Mac) display alerts about automatic connections that happen behind the scenes. On my Mac, I see automatic connections from Software Update, iTunes, Virex, my email client, and others that surprised me. Both utilities allow you to approve the connection once or remember the setting, and both provide finer control over your applications' activity. You can visit the GRC.Com Web site and use the online firewall tester "Shields Up!". The explanation pages for the report are invaluable. Review the site's other information and utilities.
For an alternate opinion of personal firewall software, from the perspective of a help desk technician, visit the Sam Spade page on personal firewalls and an essay on "snake oil" as it relates to personal firewall software. The author recommends a hardware firewall.
It is essential to keep your operating system (OS) up to date. Everything depends on the OS. I use Windows Update on my Windows XP computer and Software Update on my MacOS X computer. Both are set by default to run on a regular basis and prompt you before installing updates. I set Windows Update to run automatically each night. (See Start: Settings: Control Panel: Automatic Updates.) You can also check for application updates and patches at VersionTracker.Com. (Enter the application name in the search field for your OS. Some updates might require additional cost. Read the docs.)
On Windows, I use Symantec's AntiVirus and subscribe to updates on a yearly basis. You can get it as a separate program or as part of Symantec's Systemworks. It will update your virus definitions automatically via LiveUpdate, a very nice feature. I set it to check nightly. While there are currently no viruses on MacOS X, I still use Virex 7.2 for virus protection, getting my definition updates from VersionTracker.Com. (It appears McAfee has abandoned individual users in current versions of Virex as there is a minimum 5-seat purchase.)
I use the following spyware-checking and protection tools on my Windows XP computer and I manually check for updates. I have links to more information on the Spyware and Troubleshooting Resources page.
I tried other spyware detection and protection programs. I grew tired of the Microsoft Antispyware beta's endless pop-up windows at each startup. (I'm running as a limited user and I believe that is why the "allow settings change" checkboxes don't stick.) Microsoft purchased GIANT software for its product and is doing further development. CounterSpy is also based on the recommended GIANT software engine and it works better for me. Spyware Doctor from PC Tools didn't have the custom configuration options I needed to avoid false positives in cookie review and it exited a couple times. An upgrade became available that "now allows you to specify your own cookies to keep using an in-built whitelist", but I didn't re-install.
By the way, I visited a web site to consider their email alerting service. Naturally, I sought and found their privacy policy. I copied and pasted the policy into the EULAlyzer review window and it worked as expected. A privacy clause and an advertising clause were highlighted in the results window. I could click on the "Goto" icon to review the clause in context. I can also save license agreements for later review. I find this tool very handy.
Your Internet Services Provider (ISP), (Earthlink, MSN, AOL, etc.) will have tools for blocking pop-up windows, catching spam and redirecting it to a special place for review, and optional parental controls for limiting access to Internet sites and/or restricting information submitted from your computer. You will probably have to log in to your ISP account and configure your settings, using your Web browser over a secure connection (URL address begins with 'https'.) Check out the options. See: Earthlink's home tools page for an example of the sorts of things that are available.
Additionally, ISPs can use email certification services to assist legitimate email marketers and reduce spam. Goodmail is one such service. A different approach is Return Path's Bonded Sender. See the AOL-Goodmail Deal Jars E-Mail Marketers article for a summary.
There are a couple Web sites where you can test your computer security. You usually need to use Internet Explorer for these online testers.
Tools can only take you so far. You need to be diligent in protecting yourself by securing your computer physically, i.e., who has access to sit down at your keyboard? Does a user have to log in before working? Can anybody install anything? Do users run under Windows as limited users? You need to modify your online and computing behavior.
As End User License Agreements (EULA) are often confusing, I use the Pro version of a free utility, EULAlyzer from JavaCool Software, to review license agreements before installing. With the free version, you can manually check an agreement. The Pro version tracks the agreement portion of installations from the background and you can copy and paste Web site user agreements for review. You can read an example of an extensive user agreement and privacy policy at the Pandora.Com music discovery service Web site. It covers sales, data collection, third party agreements and liability. It is well done and worth the read.
Select any combination of 6-15 characters using A-Z and 0-9. Do not use punctuation or spaces, and do not repeat any characters.
I also didn't see any note that the password would be case-sensitive, further limiting your choice of password. The AskTog.Com Web site has a fascinating article reviewing this situation. Here's a quote:
I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
That sounds a bit contradictory, but I will soon prove my point...
Many recommend changing your password on a regular basis. Symantec has a page on Creating a Hacker-Proof Password. Here is something I found on the 'net quite a while ago:
Obvious passwords include, but are not limited to, any of the following patterns (in decreasing obviousness)...
your user name. your real name. your initials. your husband's/wife's/girlfriend's/boyfriend's/dog's/frog's/machine's etc name. your car licence plate, make, model, etc. your birthday. your student/MediCare/social security/tax file/etc number. any of the above backwards. any word from a dictionary (especially an electronic dictionary).
Good passwords can be found by making up nonsense words or using letters from a common saying and by including non-alphanumeric ASCII characters. GRC.Com has a Perfect Password Generator that generates truly random long passwords on their web site, if you are interested. You can also download the Sourceforge password generator for use at the command line. It generates a table of 8-character passwords.
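The two password points above, worked through in Python as an added example that is not part of the original article or any tool it mentions: how much the quoted "A-Z and 0-9, no repeats" rule shrinks the search space, and a check for the "obvious" patterns in the list. The function names, the small word list, and the personal facts are constructed for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for "any word from a dictionary"; a real check would
# load a full word list.
SAMPLE_DICTIONARY = {"password", "dragon", "monkey", "sunshine", "letmein"}


def restricted_policy_bits(min_len=6, max_len=15, alphabet=36):
    """Search space (in bits) of the quoted rule: A-Z and 0-9 only, not
    case-sensitive (36 symbols), and no character may be used twice."""
    total = sum(math.perm(alphabet, k) for k in range(min_len, max_len + 1))
    return math.log2(total)


def unrestricted_bits(min_len=6, max_len=15, alphabet=95):
    """Same lengths, all 95 printable ASCII characters, repeats allowed."""
    total = sum(alphabet ** k for k in range(min_len, max_len + 1))
    return math.log2(total)


def _normalize(text):
    """Lower-case and drop everything except letters and digits."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def obvious_reasons(password, personal_facts, dictionary=SAMPLE_DICTIONARY):
    """Return why a password matches the 'obvious' patterns, or [] if none.

    personal_facts maps a label (user name, dog's name, birthday, licence
    plate ...) to its value; each is tried forwards and backwards.
    """
    reasons = []
    pw = _normalize(password)
    for label, value in personal_facts.items():
        fact = _normalize(value)
        if len(fact) < 3:          # too short to match meaningfully
            continue
        if fact in pw:
            reasons.append(f"contains {label}")
        elif fact[::-1] in pw:
            reasons.append(f"contains {label} backwards")
    # Dictionary check on the letters only, so 'Sunshine1' is still caught.
    letters = "".join(ch for ch in pw if ch.isalpha())
    if letters in dictionary or letters[::-1] in dictionary:
        reasons.append("dictionary word")
    return reasons


def generate_password(length=16):
    """Random password from letters, digits and punctuation, guaranteed to
    include at least one non-alphanumeric ASCII character."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(not ch.isalnum() for ch in pw):
            return pw


if __name__ == "__main__":
    facts = {"user name": "jsmith", "dog's name": "Rex",
             "birthday": "1970-03-14"}          # constructed sample facts
    print(f"restricted rule : {restricted_policy_bits():.1f} bits")
    print(f"unrestricted    : {unrestricted_bits():.1f} bits")
    for candidate in ("xeR2007!", "Sunshine1", generate_password()):
        print(candidate, "->", obvious_reasons(candidate, facts) or "no obvious pattern")
```
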
Discarded: 28,917,687 Released: 44,914 Percentage: 1.6
"Released" means a service subscriber reviewed a list of held messages and decided to forward one or more messages for manual review, as it might be legitimate. (It could also still be spam!) I wrote a lengthy article on spam options that contains much more information and many links.
It is an understatement that browsing the Web can be a problem if you are not informed and prepared. There are exploits that rely on flaws in unpatched versions of Microsoft's Internet Explorer, Microsoft's Java, or Javascript in general. Internet Explorer will allow you to set levels of security in the Tools:Internet Options: menu under the Security tab. My goal is to have several Web browsers available, to be aware of possible browser flaws, and to keep current with browser versions. For an overview of the risks involved in not keeping current with updates, or not using a more secure browser, see the "Browser Bugs" article index at PCWorld.Com. The magazine's site also has a 10-Step Security article. Secunia.Com also tracks vulnerabilities in the major Web browsers and a number of other products. (By the way, there is an interesting article on browser security information, "Security Fix: Incomplete Information from Uncle Sam", at a Washington Post columnist's blog.)
In order to limit exposure to spyware, I have a couple utilities running in the background that track browser modifications. (Mentioned above in Spyware Detection and Protection.) For Javascript control, I use the Firefox browser and the NoScript extension. It disables Javascript by default and you use its status bar menu to allow Javascript temporarily (this session) or always for the site visited, which adds the site to a "white list". NoScript helps secure Firefox even further by watching for cross-site scripting (XSS) vulnerabilities. It is also a useful exercise to see how many different sites (the page author, advertisers, third party content) are running Javascript on the page. For example, I visited Merriam-Webster's online dictionary site and found when I enabled one off-site script temporarily, it added a couple more Javascript site links. Here is the screen capture showing all the sites called from Javascripts on the page. (Note, once you allow a Javascript, the NoScript menu items become 'Forbid' selections.)
By the way, while securing the browser itself is essential, you may still be vulnerable through helper applications. For an example, read the article Mozilla Fixes QuickTime Flaw in Firefox, which describes a QuickTime vulnerability in Firefox, how the NoScript add-on helps, the fact that Internet Explorer is not as vulnerable, and that Apple really needs to address a vulnerability. I noticed the automatic Firefox update to 2.0.0.7 yesterday (19-Sep-2007). Vigilance and awareness are key.
There are phishing web sites that pretend to be legitimate sites to collect user information. There are other web sites that provide free or low cost downloads that may include spyware programs. There are two utilities that can help you verify a visited site and view a report on whether you may be exposed to spyware or other browsing risks.
Netcraft's Anti-Phishing toolbar gives a visual cue when visiting Web sites. It is available for Internet Explorer (Windows 2000/XP only) and Firefox. It displays a "risk rating" bar (green or red), information about the site you are viewing (how long it's been around, its rank in visits, and its country and host provider.) I like it because you can confirm legitimate sites with a quick glance. The toolbar also has a couple drop-down menus that link to more statistics and analysis information on the Netcraft site.
SiteAdvisor.Com, crawls Web sites and scores them on security issues for their reference database. You can download browser plug-ins for Internet Explorer and Firefox that query the SiteAdvisor database. In Firefox, I see its menu button down in the status bar. In IE, it is up in the toolbar section. The button will display green, yellow, or red as you browse. (Or, gray for my offline HTML index page.) Clicking the button displays a menu where you can get a site report, help, etc. Another nice feature of SiteAdvisor is that it adds a "check" icon in Google site results. If I hover the cursor over the icon, a mini-report displays about that site with a link to a fuller report, if desired.
You can view a screenshot of my Firefox browser displaying a Google search results page. The image shows the Netcraft toolbar (above the results) and SiteAdvisor button (down in the status bar.)
A cookie is a small text file on your Mac or PC that a Web site uses to store information to personalize your visit, make recommendations, remember who you are in order to make it easier to do business with you, or keep statistics on how their Web site is used. For a quick overview of cookies and privacy, see the online article "Consumer Tips: How to Opt-Out of Cookies That Track You" on the World Privacy Forum site.
I believe most browsers are set to accept all cookies by default. You can often set Web browsers (Firefox, Safari, Opera) to only accept cookies from originating sites, if desired. The menu choices are usually something like Tools: Options: Privacy. You can review your settings, or disallow cookies to third-party advertising sites. Advertising revenues support the site you visit, but you may not want your browsing information tracked. In speaking to an academic librarian, I discovered some online journal or database services must have their third-party cookies enabled. Review your needs and options.
I remember working at a university library where students used the computers by logging in with their student ID and a personal password they created after first login with an assigned password. At the end of their session, they would logout and browser history, bookmarks, cookies, etc. were reset to a clean, minimal state. (There were some default cookies for online resource access.) For the home, cybercafe, or public library user, I see Opera has Tools:Delete private data and Firefox has Tools:Clear Private Data... and Internet Explorer 7 has Tools:Internet Options: where you select the General tab and the Browsing History:Delete button. Each allows you to clear your personal information when using a public machine.
On Windows, running Windows Update automatically is a good way to keep Internet Explorer and Outlook Express secure as these two applications are regularly under attack. You might also consider using a non-Microsoft Web browser like Firefox from Mozilla.Org. It is an open-source Web browser available for Windows, Linux, and MacOS X and is my current favorite. At the start of 2006, 1 in 10 use Firefox. It auto-updates (as of version 1.5), is cross-platform (Windows, Mac, Linux), has tabbed window capability, allows you to block pop-up windows, and lets you install extensions that add features. You can also set it to not remember passwords or form data entered, or only allow visited site cookies. (See a Wired magazine article on Firefox.) Here is some food for thought, from the Firefox FAQ:
Q: Is Firefox more secure than Internet Explorer?
A: Yes, Firefox and all other Mozilla-based products are more secure. Why? Here is a list of the most important reasons:
- It is not integrated with Windows, which helps prevent viruses and hackers from causing damage if they somehow manage to compromise Firefox.
- There is no support for VBScript and ActiveX, two technologies which are the reasons for many IE security holes.
- No spyware/adware software can automatically install in Firefox just by visiting a web site.
- Firefox doesn't use Microsoft's Java VM, which has a history of more flaws than other Java VMs.
- You have complete control over cookies.
Version 1.5's automatic update feature downloads and installs security and bug fix updates in the background, prompting you to re-launch upon its completion. Note, Firefox needs to be running with admin privileges for this. I run under XP's Limited User option. Therefore, I had to launch Firefox from an admin command shell and after about an hour, I saw the update complete.
But the key is that Mozilla issues patches faster [than IE's once-per-month updates] and with their new updating system they can be delivered to the userbase quickly. In fact, over 90% of FF 1.5 users upgraded to 1.5.0.1 within a week of the update being issued thanks to the new system. The faster patches and the better update system just makes FF safer to use. [posted by an "advisor" on the Sitepoint forum.]
I run Firefox with a couple useful add-ons: IEView allows me to right-click a page and view the page in Internet Explorer (IE) as some sites require IE. I mentioned NoScript, Netcraft Toolbar, and McAfee SiteAdvisor add-ons above in the "Browsing the Web More Securely" section. I also have some add-ons that assist with web page development: Firebug; Web Developer Toolbar. Be aware add-ons can conflict. I discovered a conflict with a Javascript Debugger add-on that intermittently quit Firefox.
If you are thinking about using Firefox in a business environment, searching Google for "Firefox" and "vulnerabilities" will probably find articles cautioning against it. Check the dates on the articles and the version of Firefox as it had critical vulnerabilities before version 1.04. The Mozilla Group has a change history page listing versions and vulnerabilities. The security site Secunia tracks Firefox, Internet Explorer, and other web browsers. As I mentioned, the current version 1.5 of Firefox is quite good with updates. For deployment and central management of settings, see the Firefox 2.0: Institutional Deployment page and the "Useful Tools" section on that page, which lists deployment tools for current versions.
One last word on Firefox... you might want to review the Web Sites That Don't Work Well With Firefox page. It illustrates some display differences. It mentions the fact that Firefox doesn't support ActiveX, which is a good thing for better security, but also a limitation, as ActiveX is required on some very useful sites. It lists web sites that don't support Firefox. Wikipedia also has Criticisms of Mozilla Firefox and Criticisms of Internet Explorer pages. There is also a Firefox Myths page. Review the pages, noting limitations, browser versions and decide.
In addition to running Windows Update regularly and using Firefox, there are other web browser and email clients you might consider.
Opera is a Web browser for Windows, Linux, MacOS X, and several other OSes. It has a Quick Preferences menu option to accept or reject pop-up windows. It has a "delete private data" menu option to remove cached Web pages, recent history, cookies, etc. that would be handy in a multi-user environment to help protect your banking and other user data. Opera is more secure than Firefox or Internet Explorer but does have its critics as well.
Eudora Pro is my favorite email client. It is intuitive to use and has a handy filtering feature. If you don't want to manually set up filters, Spamnix is a pre-configured plug-in for Eudora for Windows or MacOS X that automatically sends spam to Eudora's Junk folder. It uses Bayesian filtering (like the SpamAssassin server tool) and has an Accept/Reject utility.
Another option is to browse the Web using a virtual machine. See the article "Secure Browsing with Virtual Machines" and then visit the related VMWare page to get the free VMWare Player application and a Browser Appliance. On my Windows XP computer, VMWare Player runs Browser Appliance in the Ubuntu Linux virtual environment, a safe browsing container. You can read the PDF included with the application or the online FAQ on using the Browser Appliance.
In addition to securing your computer, you may wish to further protect your information. Here are some links.
The article does have a sidebar of recommended steps browsing users can adopt to minimize their exposure while browsing the Web.
The Internet remains an exciting but largely untamed resource and buyer beware is the motto of the day. There are a number of proposals for more secure computing, like secured email, etc. but you need to get appropriate tools, often subscribing to updates for best protection, and change your online behavior to ensure the security of your personal information and files.
After this long article, I can provide a short list of recommendations:
Become informed and act! Best of luck to you. I hope these basics prove helpful.