Monday, June 4, 2007

Internet Safety & Security

Anti-virus

Anti-Virus (AV) software is a must on all of your computers.
• AV software can be had for free. The newest versions of Windows have free anti-virus built in now.
• Learn how to use the AV software. It has to be fully enabled, scanning any data entering or leaving your computer - including e-mail.
• You have to actually scan all of your files on a regular basis. This includes any storage media (CD-R/RW/ROM; DVD-R/RW/ROM; floppy; USB drive; etc.) each time it's inserted / connected. This is important so you don't get infected with malware from the media’s source.
• Most AV programs can be configured to scan your hard drive automatically. Just configure the software to scan your files at a time that you won't be using the PC (but it does have to be ON).
• AV software is useless unless it has the latest updates. If a computer has been turned off for days, it is missing vital updates. Leave the computer on for a while to give those updates a chance to download.
• This updating process is usually automated, but be wary of such an important task happening in the background. You may miss the fact that the update never took place - such as if the Internet connection is down or the computer's been off for a while.

Spyware


Many free downloads, whether from peers or businesses, come with potentially undesirable side effects.
• Spyware is software installed without your knowledge or consent that adversely affects your computer (although it’s often mentioned in the EULA). Spyware works mostly by monitoring how you use the software itself, or your internet surfing habits which are collected for marketing purposes.
• To avoid spyware, resist the urge to install any software unless you know exactly what comes packaged with it.
• You can install anti-spyware software, which scans for and deletes any spyware programs that may have sneaked onto your computer.
• Be forewarned however, removing spyware may render the software that it came with unusable.
• AV software doesn't necessarily include anti-spyware detection.
• The jury is still out whether spyware is as bad as the hype. I believe most isn't.
• The biggest problem in my opinion is that some things being labelled as spyware should more appropriately be called malware (virus; trojan; worm). This results in spyware getting a bad rap.


Email

Attachments

Never open an attachment that you are not expecting, even from a sender you know. The sender's email address is easily spoofed. If it's unexpected - suspect it.
• Email attachments and embedded web links are the single biggest vector (means) for distributing malware.

Phishing

• "Phishers" send spam or pop-up messages claiming to be from a business or organization that you might currently deal with.
• For example, an Internet service provider (ISP), bank, online payment service, or even a government agency.
• The message usually says that you need to "update" or "validate" your account information. The message might threaten some dire consequence if you don't respond. This preys on your mind's inability to reason when it senses danger.
• The message directs you to a website that looks just like a legitimate organization's site, but it isn't.
• The purpose of the bogus site is to trick you into divulging your personal information (by logging in) so the perpetrators can steal your identity and run up bills or commit crimes in your name.


Don't take the bait:
• Don’t open unsolicited or unknown email messages.
• Don’t open attachments from people you don't know or don't expect.
• Never reply to or click on links in email or pop-ups that ask for personal information or offer to fix something on your PC.
• If you are unsure whether an email request is legitimate, try to verify the request by contacting the company directly.
• Do not use contact information provided on a web site connected to the request - check previous statements or other official documents for contact information.
• Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
• Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal work information.
• If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
• Legitimate companies don't ask for personal information or ask for account verification via email.
• Open a new browser window and type the web site address (URL) into the address field, watching that the actual URL of the site you visit doesn't change and is still the one you intended to visit. Most organizations have information on their web sites about where to report problems.
• It is very easy to spoof a web site address (URL), so don’t trust that a labelled link in an email or other message is really taking you to the indicated site. It is always safer (albeit less efficient) to type in a URL than to click a web link from an unknown source.
• If an email offers to take you to a web site you're familiar with, you're better off just navigating to that site on your own by using a bookmark / favourite or typing the URL by hand.
• Misspelled URLs are yet another way to be spoofed into dangerous territory.

Example: www.rbay.com versus www.ebay.com
• IE and Firefox have anti-phishing settings.

Embedded code


Set the default options of your email program to view opened emails as plain text to avoid active web links or pop-up scripts in the messages.
• Embedded code does not have to be clicked on to execute – often just opening an email is enough to execute the code. The email programs most guilty of this are Outlook and Outlook Express.

Spam

Ask your Internet provider about spam filtering and virus scanning options provided by them, and learn how to use your email client's spam filter.
• Keep in mind that spam filters are not perfect and are likely to sometimes filter out legitimate email messages.
• You will find that even with spam filters in place, some spam will still get through. This is because spammers continually come up with clever ways to disguise their spam. One of the most recent ploys is to change the ad inside the message from text to an image.
• Do not reply or attempt to unsubscribe to spam. They use your response as confirmation that they have discovered a working (and therefore valuable to sell) email address.
• If you value the (relative) anonymity of your email address, never leave it on a web site / forum. Spiders regularly comb all web sites looking for email addresses to add to spam lists. If you have to leave contact information in the form of an address, try disguising the address: my first name at that free email service that's 'hot' (get it?).

Preview mode
To avoid automatically opening messages and risk executing anything embedded, turn off the "Preview Pane" functionality in email programs. At the very least, this allows you to prevent an email message from opening until you are ready to open it.

Web Mail

Web mail is one of the safest alternatives to using an email client program.
• The web mail method keeps the messages and their attachments on the mail server, rather than downloading them to your PC. With web mail, you’re only viewing the messages remotely, not downloading them. Attachments are not downloaded until you specifically and manually instruct it to do so.
• Web mail also offers the added benefit of giving you access to your messages from any internet connection - with traditional email the messages are only accessible from your PC once you retrieve your email.
• Another recent benefit of web mail services is that most of them now automatically scan your messages for viruses, using their own built-in resources.

OS / Software Vulnerabilities

SecurityFocus Home User's Security Checklist for Windows

Windows updates

• As your operating system (OS) matures, security vulnerabilities are discovered and updates are made available by Microsoft / Apple / Etc. to patch those vulnerabilities.
• To take the guess work out of the whole issue of updates, make your OS do them automatically - this is usually set up by default.
• If you insist on doing updates manually, find out what updates or patches are available for your OS and your programs (Office, etc.), especially the critical and security-related ones.
• Let your OS find and apply the updates.
• If you ever re-install your OS or any program, make sure you begin the update process right away.

Software updates

It's important to note that Windows Automatic Updates may do a decent job of updating Windows and its embedded applications (IE, Media Player, etc.), but it probably will not update other programs on your computer - even other Microsoft products like MS Office.
• You must find, download and apply these updates yourself.
• This oversight in Windows creates a huge false sense of security and leads to security postures on PCs that are almost as bad as having no updates at all.
• In contrast, the Linux and the Mac OS X operating systems update every program installed on your system, making these operating systems much safer.

Insecure Configuration

The hidden file extension.
Windows is configured by default to "Hide file extensions for known file types". Certain extensions are hidden when files are displayed in Windows Explorer / My Computer. This is a horribly dangerous situation. Windows users should re-configure Windows Explorer to show all file extensions. The reason this is a problem is that many email-borne viruses are known to exploit the hidden file extensions option. The first major attack that took advantage of this was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have incorporated similar schemes. Examples include:
• Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
• VBS/Timofonica (TIMOFONICA.TXT.vbs)
• VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)
• VBS/OnTheFly (AnnaKournikova.jpg.vbs)
The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).
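
To see what the hidden-extension setting does to the attachment names listed above, and to look through a folder for files named this way, the following added example (not part of the original post) compares each file's real extension with the name Explorer would display. The two extension lists are short, constructed assumptions rather than Windows' full list of known types, and the function names are made up for the illustration.

```python
import ntpath
import os

# Constructed, non-exhaustive lists for this example.
# Final extensions that Windows runs as a program or script:
RUNNABLE = {".exe", ".vbs", ".scr", ".com", ".bat", ".cmd", ".pif"}
# Extensions a reader takes for a harmless document or media file:
HARMLESS_LOOKING = {".txt", ".jpg", ".gif", ".mpg", ".avi", ".doc", ".pdf"}
KNOWN_TYPES = RUNNABLE | HARMLESS_LOOKING


def displayed_name(filename):
    """Name Explorer shows while "Hide file extensions for known file
    types" is on: the last extension is dropped if it is a known type."""
    stem, ext = ntpath.splitext(ntpath.basename(filename))
    return stem if ext.lower() in KNOWN_TYPES else stem + ext


def inspect_attachment(filename):
    """Compare what the file is with what its displayed name suggests."""
    name = ntpath.basename(filename)
    stem, real_ext = ntpath.splitext(name)
    _, shown_ext = ntpath.splitext(stem)
    real_ext, shown_ext = real_ext.lower(), shown_ext.lower()
    runs_code = real_ext in RUNNABLE
    return {
        "displayed": displayed_name(name),
        "real_extension": real_ext,
        "runs_code": runs_code,
        # The disguise: a runnable file whose visible name ends in a
        # harmless-looking extension once the real one is hidden.
        "disguised": runs_code and shown_ext in HARMLESS_LOOKING,
    }


def find_disguised(folder):
    """Walk a folder (a downloads or attachments directory, for example)
    and return the paths of files that use the double-extension disguise."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if inspect_attachment(name)["disguised"]:
                hits.append(os.path.join(root, name))
    return sorted(hits)


# Attachment names quoted in the text above, then three constructed controls.
SAMPLES = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "MySis.avi.exe",
    "QuickFlick.mpg.exe",
    "TIMOFONICA.TXT.vbs",
    "COOL_NOTEPAD_DEMO.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "holiday.jpg",
    "setup.exe",
    "notes.v2.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = inspect_attachment(sample)
        flag = "DISGUISED" if info["disguised"] else "ok"
        print("%-30s shown as %-28s %s" % (sample, info["displayed"], flag))
```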

Firewalls


A firewall is something that monitors your Internet connection and allows or disallows data to pass based on a set of rules. You can use a hardware firewall (built into a Cable/DSL or wireless router) or a software firewall. I would recommend using both kinds.

Hardware or Network (Cable / DSL modem)

• The reason I suggest using both a hardware and a software firewall is that a consumer-grade hardware firewall only stops unwanted incoming connections.
• Learn how to use your firewall. This might not be easy. Don't let that deter you.
• You will likely need to do some re-configuration of your firewall if you use certain types of software (like peer to peer file sharing programs) that accept connections from the Internet.

Home PC Firewall Guide

Software Firewall


Built into Windows
Windows has a built-in software firewall which gets better with each new version of Windows. Bear in mind that it only protects against unwanted outgoing connections. If you decide to use something other than the Windows firewall (3rd party software), make sure that you turn the Windows firewall off so that the firewalls don't interfere with each other.

3rd Party

You can get a software firewall free if price is an issue.

Zone Alarm

Comodo

While configuring your firewall, pay as much attention to what you allow out of your network as to what you allow into your network. This is because an infected computer will take advantage of an always-on, high speed Internet connection as a perfect platform from which to launch attacks on other computer systems. This is activity that you may never notice is happening. This describes what is known in the security field as a 'zombie computer'.

Wireless Security

Many people who set up a wireless network in their home have no idea what wireless security is about, how it works or why it's desirable to set it up correctly.

• It is a good idea to change the default Service Set Identifier (SSID) of your wireless access point or router from the default (or the one you may have chosen), to something that doesn’t readily identify you.
• It is critical to change the default password for your wireless router / access point to something hard to guess.
• Turn off SSID broadcasting if that is an option. This makes it so that the wireless router doesn't advertise its existence. It's a minor point, but it helps.
• You should encrypt your communications on your wireless network. The best to worst protection is, in order: WPA2 (WPA AES), followed by WPA (WPA-TKIP), WEP 128 bit and the least secure WEP 64 bit. The issue is that while the latest and most secure encryption / protection options might be available on your wireless router, they might not be supported by the device(s) you are connecting to the wireless network.
• To protect your wireless network from rogue devices connecting to it, set the DHCP options to only offer IP addresses for the same number of wireless devices / computers that you have on your network. For example, if you have 4 computers set it to 101-104. The only thing is that you'll have to remember that anything new you buy will not be able to connect until you adjust this setting.
• An even better method of protecting your wireless network from rogue connections is to use MAC filtering if it is possible. See below ‘How to find your MAC address’.
• Always enable your router’s built-in firewall to restrict unwanted access to your network from the internet.
• Consider turning your access point off when it is not being used for extended periods.
• Most Access Points are configured to use channel 6 by default. Try using an alternate – channel 11 offers the least interference.
• Keep your wireless system patched and up to date.

WEP - (Wired Equivalent Privacy) was intended to make a Wireless / Wi-Fi network difficult to penetrate, but vulnerabilities were discovered very quickly in WEP, making it about as useful as the luggage lock that comes with a suitcase.

WPA / WPA2 - (Wi-Fi Protected Access/Wi-Fi Protected Access 2) WPA/WPA2 addresses the security issues of WEP. WPA utilizes just a passphrase, although the underlying technology actually makes it harder to crack than WEP.

How to find your MAC address: From the Windows Start Menu, choose Run and type ‘cmd’. This opens a command prompt. Type ipconfig /all. The ‘physical address’ is your MAC address.

Links:
Wireless Security by Bob Rankin
Securing your Netgear wireless router
Wireless networking made easy

Passwords

Come up with a password that is sufficiently complex, yet easy to remember.
• The longer a password is, the more difficult it will be to guess. A length of 8 characters is good, 12 is better - this is why pass phrases are becoming more commonly recommended.
• A good password will have many random combinations of upper and lower case letters, numbers and even symbols.
• One method for creating good passwords involves using the first letter from words in a phrase and changing the case of some letters and some of the letters to numbers and symbols. For example, "There is a lot of money in the lottery" could become T1@lomitL . The phrase itself is easy to remember, but guessing that particular password is difficult.
• Do not use one password for everything - if the password is compromised, so is everything you use it for. Having said that, it is OK to share a password amongst web sites that only offer a simple anonymous service access, like a news site or basic forum. But if the site involves using or offering access to personal information (online shopping or banking), do not use a shared password.
• Don't write passwords down where they can be found - this includes in an obvious file on your PC (such as 'passwords.docx').
• It is not wise to let your web browser remember your passwords for you to access web sites. This convenient yet dangerous feature makes it possible for anyone to sit down at your computer and connect to a web site / account as if they were you. Worse, the passwords are stored on your computer in a manner that they can be easily copied.

Browser Security


How to configure Internet Explorer security.

IE Security Settings
A Web browser can run malicious applications on your computer without you knowing - if you don't have it configured correctly.
• The easiest way to make your online browsing experience a little more secure in one easy step is to switch from using Microsoft's Internet Explorer to Mozilla Firefox, Google Chrome or any other non-Microsoft browser.
• Internet Explorer (IE) has a horrible security track record. IE often makes things too easy for attackers by letting special and potentially malicious content (ActiveX, Java, scripting, etc.) run on your machine without you knowing - unless you have disabled all these functions.
• Disable Java, Javascript and ActiveX if possible, but keep in mind that doing so may prevent web sites you depend on from working correctly - or at all.


Alternate Browsers

• Using Firefox, Chrome, or Edge instead of IE lets you avoid many of IE's security issues altogether and still offers a very nice browsing experience.
• You can still have multiple Web browsers on your computer. Some sites for example, will only work properly with Internet Explorer. Use IE for those sites and then go back to your alternate browser for your regular browsing.

Browser Hijacking
If your browser seems to be diverting your search site to something other than what you normally use, or if pop-ups appear even when you visit sites that normally don’t suffer from pop-ups, or if your home page has been changed without your doing, your browser may have been hijacked.

Hijacked browsers are often difficult to fix and usually require help from a professional, but they are repairable in most circumstances.

Once a browser is fixed, consider using a browser that is less prone to hijacking – like Firefox, Chrome or Opera.

Pop-ups

You must be extremely cautious of any pop-up. Even though some pop-ups are just harmless ads, it’s the malicious ones you must never click on. These include pop-ups announcing your computer status, or offering a fix to a computer problem, or announcing that you’ve won something, etc.

Pop-ups are a normal side effect of certain web sites, but if pop-ups are appearing when your browser isn’t even open, or when you browse sites that normally don’t offer pop-ups (like Google), your browser may be hijacked.

It is very important to understand that if a pop-up appears out of nowhere claiming that there is a security issue with your computer and offering a program download that will automatically fix it, it's a scam. Never, ever fall for this. Estimates indicate that there were 9,287 bogus anti-malware programs in circulation in December 2008. Some of these programs are nasty. Internet Antivirus Pro software displays fake Windows security messages to trick people into thinking the product is legit. It also contains a password stealer that watches where people go online and grabs their login credentials.


Chaperoning your Web Browsing

It’s impossible for the average user to know the difference between an uninfected web site and an infected one. As a result, many security product companies now offer to help chaperone your web browsing experience. One example is McAfee’s Site Advisor plug-in for your browser.

Firefox has an option built in that will tell you if the site you’re visiting is a suspected forgery, based either on a list Firefox provides, or you can ask it to use Google to automatically check.


Cookies
Cookies get a bad rap.
• There are a number of utilities that offer to delete them for you - but is this really necessary?
• Cookies are used by the web sites you visit to anonymously identify you. They do this in an effort to make return visits to the same web site more personal by remembering your preferences.
• Cookies are also used to track what ads are being placed in your browser window and whether you click the links that are presented to you in those ads.
• Many folks go around paranoically (new word) deleting cookies, but this is fruitless. As soon as you surf to the next web page, the cookies start piling up again.
• Deleting cookies not only makes visiting certain sites behave like you've never been there before, in some cases the lack of a stored cookie may render the site inoperative for security reasons – this is especially true of work related web sites.


Shopping Online

Credit Card Use
Using a credit card online is much safer than most people think.
• As long as your browser is in secure (encrypted) mode while credit card numbers and other pieces of personal information are transmitted (the browser lock icon is visible), you're fine - interception is highly unlikely.
• In fact, the real danger is not what you'd expect. What consumers should really worry about is whether the entity at the other end of the transaction is trustworthy or not. What does the vendor do with all that personal information once it's in their hands?
• For folks who still have reservations about online credit transactions - one sensible safeguard is to consider getting a separate credit card with a low limit just for online shopping.


Paypal
The safety of using PayPal online is no different than a credit card, except that PayPal is usually tied to more than one source of money (it may have ties to both your credit card and bank account).
• Reduce the risk by limiting what PayPal is connected to.
• Only use PayPal to pay at trusted online vendors.

Personal Information on your Computer


Sensitive Files

Ask yourself: "Is there any information stored on my computer that I wouldn't want to lose or that I wouldn’t want falling into the wrong hands?" (workplace information, sensitive work content, pictures, sensitive personal messages or documents, financial information, personal contacts, passwords, personal identification, etc.)
• If the answer to the last question is 'yes', is the computer's hard drive the appropriate place to store this sensitive data? Valuable data can be lost to a complete hard drive failure, a power surge or even theft. Consider storing very important and highly sensitive information on something other than your hard drive (USB memory stick, CD-ROM, DVD-ROM, USB external hard drive).
• Personal information should be hidden, encrypted or better yet - removed from the PC altogether.
• A very popular mobile storage solution of late is the USB memory stick - and they have become quite inexpensive. These are a great way to transport information between computers but are not the best choice for long term storage.

• Make backups of anything you can't replace (Windows and software can always be re-installed - but documents, pictures, music, etc. cannot). Storage media is too cheap these days to ignore the option of backups.

Physical Security

Laptops are a double-edged sword when it comes to security. On the one hand, they are portable, making them easy to take with you. On the other hand, from a thief’s perspective, they are portable, making them easy to steal.
• Laptops should be locked to an immovable object with a security tether.
• Laptops should never be left unguarded, even for a moment. That’s all it takes. A thief will not look any different from a legitimate laptop owner whilst carrying your stolen laptop and can easily hide the laptop in a backpack or briefcase.
• Since laptops are easily stolen, measures should be taken to protect the data that is stored on the laptop's hard drive. All business laptops should employ hard drive encryption to protect company data. This adds another layer of security so that anyone with a stolen laptop in their possession can only format the hard drive, they cannot access any data stored on it without the password. Security FOBs can also be used to protect the laptop - you need both the login credentials and the FOB to access the laptop's programs and data.
• Storage media deserves protection too. CD-ROM / DVD-ROM discs containing sensitive information must be guarded. Memory sticks may be potentially storing important data and are easily stolen.


Address Book

The problem with the Windows / Outlook address book is that the people who write malware know exactly where its files are located on the computer and this makes it easy to create malware to harvest the address book’s contents.
• I solve this problem by using an Excel spreadsheet with an obscure filename to store all of my contact info and saving frequently used (but not sensitive) email addresses within my web mail services.

Parental Controls

There are inherent weaknesses in relying on software to babysit children's web surfing habits.
• For one, all parental control software can be defeated. So in the end, relying on it leads to a false sense of security.
• Second, using this type of software sends the wrong message to our children - that there is an automated, non-human, blanket solution to every problem. It also indicates a lack of trust.
• Third, parental control software is going to prevent your children from accessing many perfectly legitimate web sites (the software is notorious for producing false positives). Worse, the software will not prevent them from accessing all objectionable sites (false negatives). The false negatives are much more common than the false positives. This is because web site owners know how to circumvent the detection methods of the software.
• Fourth, it has been shown that some parental control software actually monitors child Instant Messaging and Facebook chat content and sells this information to marketing companies.
• The best way to protect your child from objectionable content online is to actually supervise their online activity. By this I don't mean look over their shoulder every second, I mean keep their computer in an area where they can be seen – where you are likely to appear at any time without warning.
• If you feel they can be trusted to surf in private (such as behind a closed bedroom door), then they don't really need any controls whatsoever.
• Would you trust a computer program to decide who your children can play with? If you answered no, then why would you trust it to determine what they can surf online?
• Many parents don't stop to consider that all of the best parental control software in the world installed at home will not prevent your children from accessing objectionable material while they are at school, at the library, at a friend’s house or at an internet café. Then, there's mobile access from phones. It's a battle you cannot win.


Malware and their sources

File Sharing / Peer to peer / Bittorrent - File-sharing can give people access to a wealth of information, including music, games, and software. Special software connects your computer to an informal network of other computers running the same type of software. If you don't check the settings, you could allow access not just to the files you intend to share, but also to other information on your hard drive, like your tax returns, email messages, photos, or other personal documents. In addition, the endless collections of files you can find online are seeded with malware pretending to be something else. These are but some of the risks associated with file sharing.

1 comment:

Smith said...

Karl Plesz,
You are SPOT ON!
Thanks for sharing such a great and awesome article. Really a very nice and detailed review. Really wonderful list of creative tactics. I especially like the approaches that are less technical and more behavioral. The models are great too; very understandable.

By the way for more information on Professional Training and Certification on Ethical Hacking check this link: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx
