Our learning intentions for our digital security topic are to understand the importance of passwords and to identify the characteristics of a strong password. This lesson has been specifically designed for use in tonight’s because this would be around the time they would be sent receiving their own electronic devices that will give them access to the digital world. It’s relatable and relevant to their lives, making it a thoughtful, meaningful and visually appealing topic that raises the awareness of digital technology in security.

I would first introduce early some of the brainstorm to understand what the students know about cyber safety, why we use passwords and what they protect. This requires students to think, recall and process information, linking into the New Zealand Curriculum 2007 key competency strand of thinking. I would also link in to the participating and contributing competency, as students will be required to contribute to the discussion and brainstorm about cyber safety and passwords.

I would then compare it against the protection of non-electronic devices, such as locks for a bike or keys for a house, and then relate it to the protection passwords have on our devices, preventing people from stealing or using them without permission. Using a plaque ball and debris it shared examples would like to learn more mainly for unrelatable thus given the importance of digital security across to our students so they can stay safe on the Internet.

I would then share a video from the Mira’s Bank on YouTube called “The Importance of Creating Strong Passwords”. This clearly explains tips and advice about security and privacy on the internet and how to keep your device and account safe. This relates to the managing self competency taken from the New Zealand Curriculum 2007: students will need to manage themselves and their behaviour in order for them to understand and get the key information out of the video. They also take responsibility for their own digital security, acknowledging ways to strengthen and protect themselves to stay safe.

I would then go over the video with the students and add to the brainstorm with their information gathered from the video. Students will be connecting with each other during the process which Zealand Curriculum 2007 key competency of relating to others. It’s through these quality and inclusive interactions of discussion that students will be relating to and interacting with one another through information and shared experiences.

Finally, I would encourage your students to create their own password for their peer to figure out, using the information, tips and tricks from the lesson. Either give them an iPad or paper, allowing them to write or give a four-digit code or succeed a password with a partner. The students are using the New Zealand Curriculum 2007 language, symbols and texts competency by using language, symbols and texts when creating their own password. This is an inclusive and differentiated teaching in the Nativity that all students can contribute to. It’s catering for kinesthetic, visual and auditory learners by working with others, giving them the choice with iPads or paper and
Lots of people know DuckDuckGo as the privacy-focused search engine. Whether you like DuckDuckGo because you’re sick of Google or just love its cool bang feature, there are plenty of reasons to check it out.
Now here’s another: DuckDuckGo just launched updated browser extensions and mobile apps to help keep you safe and your data more private online. Let’s take a look at what they offer.
DuckDuckGo’s New Browser Extensions
DuckDuckGo offered browser extensions prior to this major update, but they were pretty basic. They set your default search engine as DuckDuckGo and allowed you to quickly access the website to search, but not much else.
Now, the new extension called DuckDuckGo Privacy Essentials has a lot more to offer. Install it in your browser of choice, and DuckDuckGo protects you in a variety of ways.
The first, and most obvious, change you’ll notice is that the extension sets your default search engine to DuckDuckGo.
Unfortunately, due to the way that Chrome handles extensions that modify your default search engine, you can’t change this setting without completely disabling the extension. Firefox doesn’t have this problem. You can change the search engine after installing and the extension will work fine.
Of course, if you’re interested in the privacy that DuckDuckGo offers, you probably don’t want to search with Google regularly anyway.
When you’re clicking around the web, it’s easy to forget that most sites don’t take your privacy seriously.
To address this, DuckDuckGo’s new extension offers a privacy score for every website you visit. You’ll see it displayed as the extension icon in the upper-right corner of your browser and can click it to see more details.
The lowest score is F, while the best is an A. Click a site’s score in the dialog box, and you’ll see more details on why it received that score.
If some feature of the DuckDuckGo extension improves the privacy score, you’ll see that reflected here. For instance, if the add-on blocks a major tracking network or forces an encrypted connection, the score could improve.
Trackers and Privacy Practices
If you’ve ever wanted to see exactly who’s tracking you online, you can get a peek with this extension. Click the X Tracker Networks Blocked entry on the dialog and you can see what’s embedded into the website. You’ll see a lot of Google and social media sites here.
DuckDuckGo’s extension also forces encryption to websites where available. Like the HTTPS Everywhere extension, this enables a secure connection if a website offers it.
Rounding out the extension’s features are a DuckDuckGo search box and a Site Privacy Protection slider. Disable this to whitelist a site and the extension won’t run on that domain. This is useful if you find the extension breaks some sites.
DuckDuckGo’s New Mobile Apps
For increased privacy on the go, you should also take a look at the revamped mobile apps from DuckDuckGo.
Like the browser extension, the mobile apps do most of their work in the background. Open it up, and you’ll get a simple DuckDuckGo search page to find whatever you’re looking for.
You’ll see a privacy score for every website in the top bar that you can tap for more information.
The Fire icon in the menu bar lets you instantly erase all your browsing data and close your active tabs. However, we couldn’t find any way to open a new tab in our testing, and there’s no history menu. This button makes it easy to “reset” the browser, but we’re not sure what exactly it’s deleting.
DuckDuckGo’s mobile browser rounds out with a basic bookmark function so you can easily jump to your favorite sites.
Overall, the DuckDuckGo browser isn’t full-featured enough to become your default. However, it’s a good idea to keep it around for when you want to search something without being tracked. Opening DuckDuckGo to search for sensitive medical or personal questions is worth it.
Are DuckDuckGo’s Apps and Extensions Worth It?
Overall, DuckDuckGo’s new browser extensions and mobile apps are solid offerings, but not anything groundbreaking.
The company intends it as an all-in-one privacy solution, as explained in the announcement blog post:
“To date, cobbling together an effective privacy solution has required researching complicated technologies, installing multiple add-ons and apps on each device, and often worsening your internet experience. Others have been unfortunately misled by supposed simple solutions. Think ‘Incognito’ mode blocks Google from watching what you’re doing? Think again.”
This is accurate. DuckDuckGo’s extension combines the forced encryption of HTTPS Everywhere, the tracker blocking of apps like Disconnect, and private search. If you like having one extension that does it all, you might prefer to install this one instead of three separate extensions to get the same effect.
The mobile app is bare-bones but effective. Firefox Focus offers a similar package with more features that you might prefer. And the company’s note about private browsing is right: websites can easily track you even using private or incognito browsing.
If you’re really privacy-conscious, you should skip these extensions and install a completely private web browser.
Will You Try DuckDuckGo’s New Apps?
We’ve seen what DuckDuckGo’s new apps set out to accomplish and how they work. If you’re a DuckDuckGo fan, give them a try and see if you appreciate what’s new.
But if you already use a privacy extension or browser and are happy with it, there’s not much reason to jump to DuckDuckGo’s new offering. Regardless, it’s great that this privacy-focused company is improving its products!
For more privacy on the go, check out the best Android apps to protect you.
Have you tried any of the new DuckDuckGo apps? What do you think of them? Share your favorite privacy apps and extensions down with us in the comments!
Last month news broke about Starbucks’ loyalty cards having a security flaw. The flaw was discovered and exploited by Egor Homakov, a hacker who works for penetration testing, source code auditing, and vulnerability assessment firm Sakurity.
The loophole allowed Egor to duplicate funds on a Starbucks gift card, which he then managed to spend in a shop without being questioned or alerting the company to his activity.
The news made headlines around the world, both for the existence of the flaw in the first place and for Starbucks’ less-than-friendly response – with the coffee giant failing to thank him and instead discussing his actions in terms of “fraud” and “malicious actions”.
Although Starbucks’ PR-fail is superficially laughable, as a consumer it should also give you cause for concern.
How Widespread Is the Problem?
As criminals look for increasingly sneaky ways to grab data and get their hands on anything with value, loyalty cards and gift cards are in danger of becoming the latest proxy in the ongoing war.
Late last year, American Airlines and United Airlines both became victims of a similar hack – with more than 10,000 flyers seeing air miles stolen. Criminals used the victims’ miles to upgrade their own flights and book free holidays and, in the cases where users have the same password for multiple sites, to access other services.
Starbucks themselves have been targeted in the past. Aside from Egor Homakov’s “free coffee” hack, criminals have often been found to hijack consumers’ loyalty accounts, emptying the balance, and then using the auto-reload function to hack any associated debit and credit card details.
Gartner security analyst Avivah Litan says the whole scheme is part of a new trend. “Fraud is moving away from banks into big e-commerce companies,” she said. “Criminals are learning how to turn rewards programs, points, and prepaid cards into cash.”
Why Are They Vulnerable?
Companies such as Starbucks often have systems and security measures that are much easier to hack than those of banks, credit cards, and other financial institutions.
Litan uses the example of bank and retailer fraud-fighting software. Such software will typically detect unusual purchase patterns (such as big-ticket purchases in a foreign country), but auto-reloads of a gift card would trigger no such warnings.
For criminals, this is a potential gold mine. The Starbucks mobile payment system has more than 16 million users and processed in excess of $2 billion in mobile transactions last year alone.
Why Do Criminals Want Access to Reward Cards?
It’s easy to understand criminals’ attraction to cards that have an auto-reload function, or are directly associated with a debit or credit card. As with the Starbucks card, these can be easily exploited for financial gain – but what about reward points?
Criminals want access to reward cards for one main reason – consumer details.
Consumer details are actually more valuable to a criminal than your credit card details. While businesses that have been hacked always quickly move to reassure their customers that “no personal details were stolen”, in reality this is offering false comfort.
If a hacker gets hold of your credit card details, they can use them to shop online and sell them to other criminals online – that’s about the extent of the damage. However, if a hacker has your name, address, date of birth, and other official information, they can commit online fraud and apply for credit cards, loans, mobile phone contracts, and even mortgages in your name. Ultimately, they can do anything that requires an ID verification.
Should You Be Worried?
The short answer to this question is “yes”. It’s why Starbucks’ tepid response to Egor Homakov was so concerning. They should care a lot more, and be a lot more vigilant in protecting customers.
Of course, the usual online security tips of making sure all your passwords are different, being careful what you access on public networks, and running effective anti-virus software all apply – but they won’t be enough to protect you.
It’s extremely difficult to control whether or not your personal information is stolen, and almost impossible to limit the damage if it is. People cannot change their names, addresses, and social security numbers as easily as cancelling a credit card.
Are Loyalty Cards Worth the Risks?
If you consider risk versus reward, there is an argument to suggest you should dump all your loyalty cards.
Loyalty schemes are hugely valuable to the companies that operate them. They reveal details about customers’ purchasing habits, help retain clients, create brand advocates, and reduce promotional and advertising costs.
On the other hand, there is an increasing amount of research that suggests that they are no longer such a good deal for consumers. At Costa Coffee in the UK, customers now need to buy 39 Americanos just to get the 195 points needed for a free coffee – in other words, they need to spend £76.05 (over $100) to save a mere £1.95 (just over $3).
This averages at a five pence per coffee saving. If you are a financially prudent consumer, the smartest thing would be to see if any other coffee shops in your vicinity sell coffee for less than £1.90.
The questions you ultimately need to ask yourself are these: “Are all my personal details, email addresses, and credit card numbers worth more than a five pence saving?”, and “Is it worth exposing myself to this growing area of cyber-crime and fraud (and handing over all my shopping preferences to corporate businesses) for such a small return?”
The answer should be no.
Do YOU Use Loyalty Cards?
What’s your experience with loyalty cards? Have you ever lost money through them? Perhaps you sit at the other end of the spectrum and have seen massive savings?
We’d love to hear your thoughts. Leave us your comments and feedback in the box below.
Working remotely online is all the rage these days. I’m living the glamorous lifestyle of tech article writing, sunbathing, and Pina Coladas. But if you want to be like me (and who wouldn’t?), then it pays to be a bit careful when applying for jobs online. There are sharks out there lurking and ready to take advantage of you, whether it’s extorting “training fees” out of you, getting your personal details for identity theft purposes, or simply getting as much work as possible out of you and not paying for it.
But as always, MakeUseOf is your guardian angel in all things tech. So here are the warning signs that the Elbow Grease Salesman job might not be as kosher as you thought.
It’s On Craigslist
Anybody can post anything on Craigslist cheaply (the fee for job listings varies depending on the location, but it is still dirt cheap). Proper companies with real, credible job offers are going to be on reputable jobs boards, such as Monster and Indeed. Blogging jobs are likely to be on Problogger. If it’s on Craigslist, then personally for me it’s a red flag, because they are advertising on the cheap. And if they are skimping on advertising costs, what else are they skimping out on? Salaries, maybe?
And ladies, be extra careful of the waitressing jobs. You might instead end up being interviewed for a job where you’ll be expected to take your clothes off. Unless that’s your thing. In which case, more power to you.
Make a Million Dollars! Look, Here’s My Adsense Balance!
I’m sure you’ve seen it online many times before. Someone offers you the chance to make an easy million dollars. But there’s a secret (shhh!!!), and they won’t give away that secret for free. To tell you how to make a million dollars, they want you to pony up $99.99 to them first. Even though they have that million in the bank, they still need to pay the bills, so secrets are not free you know?
And to sweeten the deal, they have posted a screenshot of their Google Adsense account. Look at all those zeros! Sweetheart, give me a hundred bucks! Food for the kids? Nah, this is more important! But before you hand over your dough and consign the kids to eating cat food for the rest of the month, bear this little nugget in mind. The picture and screenshots are fake.
We Have High-Paying Waitressing/Cleaning Jobs Overseas
This is another one for the ladies to be careful about, as sex trade traffickers normally use the ruse of well-paid overseas waitressing or cleaning jobs. Women then apply believing that they are going to be in a really good job only to have their passport taken away from them when they arrive. Then they are transported into a life of hell.
I’m not trying to be excessively gloomy and morbid here, but nevertheless it would be remiss of me not to mention it. I AM talking about job scams, and this is the biggest scam of all.
We Don’t Need to Interview You, You’re Hired!
If you apply for a job and you are instantly hired without even so much as an interview, then that is when you need to get suspicious.
It doesn’t even have to be a full proper interview. Even just a casual chat on Skype would be fine. But if they make their decision without even talking to you once, then you have to ask yourself — is there even a job there to begin with? And if so, does FlyByNight Industries have any intention of paying you at the end of the month?
Their Contact Email Address Is a Yahoo or Hotmail Address
Proper companies have professional domains. For example, MakeUseOf is makeuseof.com. It is not makeuseof.blogspot.com, or makeuseof.googlesites.com. Therefore a professional domain means professional email addresses at that domain.
If you get a job offer from firstname.lastname@example.org, or email@example.com (in case you haven’t worked it out, “remmacs” is “scammer” backwards), then it’s time to run for the hills. Credible companies do NOT email from free email accounts. If they do, they will either pay extremely little, or not pay at all. I should know, accepting that job offer from firstname.lastname@example.org was the worst decision I ever made.
I mean, come on, how much is a domain these days? $10 a year? Less, if you go to GoDaddy?
They’re Being Trashed on Google
This is the biggest red flag of all that you should not apply to join a company. Before sending in a job application, you should always Google the company first to see what people are saying about it. But as with everything in life, a sense of perspective is needed here. EVERY company and individual gets a little criticism sometimes — it’s all part of the game. Nobody is going to please every single person all of the time. Hell, I get people mad at me every time one of my articles comes out.
But if you see pages and pages of search results all saying the same negative stuff, then you have to conclude that there is a pattern forming there — and it isn’t good. Time to start applying at Walmart as a greeter.
Wait, Did I Really Apply to Be Donald Trump’s Toupee Groomer?
Quite often, I get emails telling me that I have been accepted for a job vacancy. Normally that would be great, except I didn’t actually apply for the job in the first place.
If you get the same emails, then the chances are this is just outright spam, getting you to click on a link so they can infect you with malware. Or getting you to reply to them, so they can con your personal details out of you to steal your identity and/or your money. If it is a Nigerian Prince offering that you become their personal banker to transport a “bountiful amount of untraceable gold and jewels in the sum of 10 BILLION DOLLARS”, then trust me, this is a job offer to delete.
Besides, that thing on The Donald‘s head doesn’t need combed. If you try, it’ll bite your hand off.
Well Payn Jobb Opattunitties! Big $$$$!
Lastly, one of the biggest things to set off your internal scam siren should be grammar mistakes in job adverts. Why should spelling mistakes bother you? Well because it speaks to the professionalism and standards of the business if they are prepared to let such sloppy marketing go out in public.
That sloppiness can then lead on to how they treat their staff.
Of course it goes without saying that the occasional grammar blooper is fine. We’ve all done it (I would get “Mississippi” wrong without Chrome spell-check!), but in the age of browser spell-checkers highlighting misspelt words, there is less of an excuse for professional companies to put out illiterate job adverts. I’m not being snobbish when I say this, it’s just a plain fact. Maybe you disagree?
It’s Not All as Bad as You Think
There are countless companies online who have an unimpeachable reputation (MakeUseOf being one of them, I am proud to say). So it is entirely possible to get a well-paying online job with flexible hours, and other benefits such as working from home in your Superman pajamas. But it also pays to be extremely careful that you don’t accidentally fall victim to the predators out there. Hopefully this article has covered the basics you need to watch out for.
Let us know in the comments what other tell-tale signs there are for spotting a shark online.
Assaults on our right to privacy have become commonplace, despite activist groups (and a considerable number of writers on MakeUseOf) objecting to mass surveillance. Our confidentiality is of importance to all of us.
But a recent study by the University of Pennsylvania’s Annenberg School for Communication concluded that:
“[A] majority of Americans are resigned to giving up their data.”
Is this true? Is it a wider issue affecting more than just Americans? And why?
In Exchange For: Financial Benefits
The Trade-off Fallacy mulls over the idea that Americans give over personal data in exchange for certain benefits – deals, free Wi-Fi, and memberships, for instance. The study, however, concludes that the majority think they’re not given a fair deal. Of the 1,506 surveyed, 91% disagree that it is a fair deal for companies to give a discount in exchange for collecting data about them without their knowledge.
It begs the question, why do we still relinquish our privacy?
“62% do not know that price-comparison sites like Expedia or Orbitz are not legally required to include the lowest travel prices.”
Stick with me here: these beliefs are understandable. There are plausible reasons. Ignorance is still ignorance, but everyone is ignorant of vast amounts of information, and at least the blame can lie largely at the door of marketers, not the public.
You would think, then, if the public were aware of this deceit, more of a fuss would be made of privacy leaks. But perhaps not so…
Because the really worrying part of this survey is a shocking conclusion about those who know their data’s being sold on and used, as C|Net notes:
“The more people actually did know about the realities of online marketing, the more resigned they were to accept the inevitable and utter lack of privacy.”
In Exchange For: Safety?
A separate study by the Pew Research Centre came to similar conclusions, worryingly. It does, though, view this seemingly laissez-faire attitude from a different vantage point, and therefore brings an extra caveat to consider: terrorism.
It’s not solely financial benefits that make us surrender some freedom, but also fear.
If the Government pass rulings infringing on privacy rights in exchange for protection from terrorists, surely that’s acceptable? After all, the media obsesses over Daesh (better known as ISIS), Al-Qaeda, and other extremist cells, and such saturation naturally means widespread concern. The problem here is how difficult it is to stand up for something as intangible as human rights when the opposing argument is supposed to bring an end to suffering.
But those surveyed by Pew disagree. Their research shows:
“A majority of Americans (54%) disapprove of the U.S. government’s collection of telephone and internet data as part of anti-terrorism efforts… In spring 2014, 74% said they should not give up privacy and freedom for the sake of safety… This view had hardened since December 2004, when 60% said they should not have to give up more privacy and freedom to be safe from terrorism.”
“Americans also say anti-terrorism policies have not gone far enough to adequately protect them.”
This, they argue, is of more importance to Americans than their privacy: however great their sacrifices, more should be done to keep the nation safe. Furthermore, Pew finds there’s a degree of futility; that we are troubled by who has access to our data – from the National Security Agency to social media like Facebook, from drones to Internet giant, Google – but feel very little can be done about it.
And that’s a great point. We haven’t given up on our own privacy… but how do we fight for it?
Is It The Same Throughout the World?
This is also the case in the UK, where terrorism is blamed in order for the Government to introduce The Communications Data Bill, nicknamed the “Snooper’s Charter”, and revised as the Draft Investigatory Powers Bill. This would force telecommunication companies to keep metadata records of their users for at least 12 months. People generally kicked up a fuss, but largely because it threatens the existence of WhatsApp and other encrypted instant messengers.
Nonetheless, it appears to still be going through. In fact, some parts of it were already passed in November 2015 – to little fanfare. The Data Retention and Investigatory Powers Bill, nicknamed DRIP, is similar but it expires this year; it was rushed through parliament so no one could object before it was actually passed.
In this case, it’s not that the British public are complacent; it’s that they’re given no choice. Still, controversies over DRIP didn’t last. It’s naive to think there will be much outrage at the Snooper’s Charter.
EU courts deemed it unlawful on Humanitarian grounds, and signed rules to aid consumers in keeping their data to themselves – so it appears that at least those 28 nations are concerned over their citizens’ privacy. The EU Data Protection Directive is definitely a step in the right direction.
The Indian Government, meanwhile, wants surveillance similar to the UK’s, but the Centre for Internet & Society notes that this is of considerable worry to its nationals:
“[T]hough these provisions create a framework for interception they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation.”
It might seem that China, whose Golden Shield Project (or “Great Firewall”) blocks out many websites, would have looser privacy laws, but things are apparently changing – at least commercially. The Chinese might be willing for their Government to keep tabs on their activities, but the officials have introduced a number of regulations on the private sector.
What You Can Do
It’s extremely ignorant to think only American citizens are complacent about infringements of their rights. In fact, it’s ignorant to think it’s just plain complacency. People haven’t given up. They might think it futile to rally against authorities, but that doesn’t mean they don’t. You can fight for your freedom.
Educating yourself and others is perhaps the biggest step. That goes beyond flicking through George Orwell’s Nineteen Eighty-Four and recommending it to anyone who listens. Take in as many books about online privacy as you can. Don’t be afraid of social media either: Twitter might seem like an opportunity to leak private information yourself, but it also gives advocates a chance to talk about their worries.
You could also go really paranoid and take precautions at every turn.
Write to your local senator or MP. Find out who’s fighting the good fight on your behalf. Sign or even start a petition on Change.org. Even if you think it’s useless, if everyone took a stand like you’re doing, the world might be a very different place.
Buyers shopping for new iPhones have found themselves scammed by criminals employing a cross site scripting vulnerability on eBay listings. Find out how to avoid being caught out by a weakness the auction marketplace should have already patched.
EBay: Another Security Breach
Earlier in 2014, we learned that eBay had been hacked, with millions of usernames and passwords potentially revealed to cyber criminals in a leak that the online auction service somehow failed to reveal for several months. The company is already facing a class action lawsuit in the USA concerning this event.
This week (just days after a seven-hour outage hit sellers) researchers discovered that eBay security has been breached again, this time through a cross-site scripting vulnerability, a weakness that should have been patched a long time ago.
By clicking on the link for an iPhone, the user would then be taken to an eBay login page, where their username and password would be requested, which the user would have to enter before getting the opportunity to buy the device. Except, there was no device, and the buyers weren’t on eBay anymore.
Here’s a video explaining the vulnerability, which was discovered by Paul Kerr, from Alloa in Clackmannanshire.
What this means is that it was possible for scammers to use a relatively simple technique to take you out of the genuine eBay site to a convincing spoof (essentially a clone of eBay), a phishing site where your payment details are taken and used for criminal purposes.
What Is Cross-Site Scripting?
Cross-site scripting (also known as XSS) is a vulnerability first recorded in the 1990s and by 2007 accounted for 84% of online weaknesses documented by Symantec. We’ve previously explained why this is such a threat to websites.
Causing havoc with a site that is open to attack from XSS is often as simple as inputting code into a form (or in some cases, the address bar) that can be used to overwhelm the website, hack the database or, as in the case with eBay, divert the customer to a different site entirely.
There are two types of XSS, non-persistent and persistent. In the case of the eBay attack, the attacker’s data was saved on the eBay server, which makes it the persistent type: the same links were served to various users, taking them all away from the comparative safety of eBay to the spoof sites constructed to record their data.
Regardless of the type of XSS used, however, the dangerous code should have been stripped when it was submitted. This is a basic aspect of website security, and the fact that eBay somehow overlooked this is a scandal.
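What neutralising submitted code can look like in practice, as an added example that is not eBay’s code and not from the original article: the listing description is treated as plain text and HTML-encoded on output, and links are rendered only when they point at an allow-listed host. The host names, the `[label](url)` link syntax and the sample listing are assumptions constructed for this illustration.

```javascript
// Added example (not eBay's code): handle a seller-submitted listing
// description as untrusted text before it is placed in a page.
// ALLOWED_HOSTS, the [label](url) syntax and SAMPLE are constructed assumptions.

const ALLOWED_HOSTS = new Set(["marketplace.example", "www.marketplace.example"]);

// Encode the characters that let text break out of HTML content
// or out of a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs whose exact host is on the allow-list.
// Relative URLs, javascript:/data: schemes and look-alike hosts are refused.
function isAllowedLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // not an absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Render a description: everything is escaped, and a [label](url) token
// becomes an anchor only if the URL passes isAllowedLink().
// Returns the safe HTML plus the list of link targets that were refused,
// which is useful for flagging the listing for review.
function renderDescription(raw) {
  const text = String(raw);
  const linkPattern = /\[([^\]\n]*)\]\(([^)\s]*)\)/g;
  const rejected = [];
  let html = "";
  let last = 0;
  for (const match of text.matchAll(linkPattern)) {
    const [whole, label, href] = match;
    html += escapeHtml(text.slice(last, match.index));
    if (isAllowedLink(href)) {
      const safeHref = escapeHtml(new URL(href).href);
      html += `<a href="${safeHref}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
    } else {
      html += `${escapeHtml(label)} [link removed]`;
      rejected.push(href);
    }
    last = match.index + whole.length;
  }
  html += escapeHtml(text.slice(last));
  return { html, rejected };
}

// Constructed sample listing: a script redirect, an off-site link,
// and a legitimate on-site link.
const SAMPLE = [
  "Brand new phone, sealed box.",
  '<script>window.location="https://phish.example/signin"</script>',
  "[See photos](https://phish.example/signin)",
  "[Returns policy](https://www.marketplace.example/help/returns)",
].join("\n");

const result = renderDescription(SAMPLE);
console.log(result.html);
console.log("Refused link targets:", result.rejected);
```

Encoding on output leaves the stored script as inert text, and the refused-link list gives moderators a signal that a listing tried to send buyers off-site.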
How EBay Dealt With This Breach
EBay spoke to the BBC about the breach, which the company essentially played down.
“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page […] We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
However, the BBC identified three such listings before they were removed by eBay.
Just as concerning as the discovery of an age-old vulnerability is the company’s response time. Kerr reports that he was advised by the eBay employee he spoke to on the phone that the matter would be dealt with immediately, but somehow it took 12 hours and a BBC phone call for any action to be taken.
There is also no confirmation that the vulnerability has been patched, or how often it has been employed by scammers in the past. Perhaps more worryingly, eBay’s PR department doesn’t even bother to provide an official narrative for the problem (or, indeed, confirm its existence).
EBay customers surely deserve better than this.
What You Should Do Now: Stay Away From EBay
Until eBay is able to deal with this breach AND introduce a policy of transparency concerning future security issues, we would suggest that you give the site a wide berth. This is assuming you haven’t already cancelled your account following the previous breach, that is.
If you think you have been caught in a similar scam using XSS code in eBay listings to divert you away from the site, and have submitted personal information to a phishing site as a result, you should head to www.ebay.com straightaway to change your username and password. If credit card information was submitted, contact your credit card company, and if you used PayPal, check your account.
EBay: It’s Time To Change
EBay in its current form is living on borrowed time. Unless its management changes the culture concerning communication with its users about security matters of importance, trust is going to deteriorate further. During 2014, we’ve seen several offers of free listings on weekends, the introduction of 50 free listings a month, and most recently competitions to give away 10,000 free listings.
Could these be an attempt to maintain interest in a site that people are walking away from?
Whatever the case, after two major security breaches in the space of just a few months, MakeUseOf advises its readers to find reputable sellers and secure marketplaces away from eBay, or even buy offline until changes are made.
How do you feel about eBay now? Will you keep using the online auction marketplace, or has this news turned you off for good? Tell us your thoughts below.
By now you’ve probably heard that UK-based company Cambridge Analytica reportedly harvested 50 million Facebook profiles and used that data to build software that targets and influences voters.
Cambridge Analytica was able to access the data of millions of users through an app that was used by just a few hundred thousand people. Because Facebook allows apps to access the data of not only those who grant access, but also data shared by their friends, Cambridge Analytica was able to harvest so much more information than they normally would’ve been able to.
1. Kill Switch for Facebook App Permissions
This kill switch feature allows you to automatically remove all apps that have access to your account in one easy step. It will also completely disable future logins on third-party sites using Facebook.
- Go to Settings > Apps > Apps, Websites and Plugins.
- Click the Edit button.
- Click Disable platform.
Changing this setting means:
- You will not be able to log into websites, mobile games, or applications using Facebook. (If you try to, Facebook will prompt you to re-enable Platform.)
- Your friends won’t be able to interact and share with you using apps and websites.
- Instant personalization will be turned off.
- Apps you’ve logged into (with Facebook or Anonymously) will be removed.
- Posts by apps will be removed from your profile.
So for example, if you’ve posted to Facebook automatically using Instagram, those posts will disappear from your profile.
Facebook also points out that apps you’ve previously installed will still have information you have shared with them, and recommends contacting them directly for details on how to remove this data.
2. Revoke or Edit Individual Facebook App Access
If you prefer a selective approach, you can pick and choose which apps have access to your profile, as well as choosing what kind of information you share with them. (If you’ve already disabled Facebook Platform, you won’t see these settings.)
- Go to Settings > Apps.
- In the list of apps, click the Edit Settings (pencil) button.
- In the popup window that opens, you can uncheck specific items that are being shared. This may include your friend list, email address, and who can see items shared on your Facebook profile through this app.
You will find that with some apps, there are certain items that can’t be unchecked including name, age, profile picture, and any other public information.
- To completely remove the app, click the X button associated with each app.
3. Prevent Your Friends From Sharing Your Data
If you’ve disabled Facebook’s Platform setting, this feature will already be turned off. But if you choose to keep Platform enabled, at least disable this setting that was integral to Cambridge Analytica’s software.
- Go to Settings > Apps > Apps others use.
- Click the Edit button.
- Uncheck all the items that friends could unknowingly be sharing from your profile.
In addition to adjusting your Facebook privacy settings, you’ll probably also want to take precautions to prevent Facebook from selling your browsing data to advertisers.
Did you know that files can be pulled from data drives that have been wiped? That includes hard disk drives, solid state drives, and yes, USB flash drives. It doesn’t matter if the drive is internal or external — data recovery is a real thing that works.
So the next time you have a flash drive that contains a sensitive file, you should know that dragging that file to the Recycle Bin is not enough to actually get rid of it. This simply marks the file as deleted. The bits are still there.
If you want to obliterate your flash drive so that nothing is recoverable, you’ll need to take a few extra steps. Here are a few simple methods you can use that require no technical expertise.
Method 1: Use a Third-Party App
The web is full of apps, both free and paid, that promise one-click solutions for wiping your drives. Unfortunately a lot of them are outdated, ineffective, harmful, or simply too pricey for what they offer. That’s why we recommend Eraser — it’s none of those things.
Eraser supports Windows XP SP3, Vista, 7, 8, and 10. You can even use it with Windows 98, ME, NT, and 2000 as long as you stick with version 5.7 or earlier. However, for best results stick with the latest version, which is 6.2 as of this writing.
1. Download and install it per usual. Just visit the download page and grab the latest available version. Run it as soon as it’s installed.
2. Create a new task. At the top left, click the arrow next to Erase Schedule and select New Task. (Or just use the Ctrl + N keyboard shortcut.) A prompt will pop up where you can input the details of this task.
Give the task a name like “Wipe Flash Drive”. For Task Type, leave it on manual. If you want to automatically wipe the drive on a regular basis, feel free to experiment with the other types and don’t forget to set up the recurring details under the Schedule tab.
But the most important bit is setting what to erase. Do this by clicking on Add Data. For Target Type, select Drive/Partition. Under Settings, use the dropdown menu to select the drive you want to erase. Be VERY CAREFUL and triple-check the drive you select. If you pick the wrong one, there’s no going back after erasure.
3. Select an erasure method. As with all things computer-related, there’s never one solution that fits all use-cases. For data erasure, there are several different algorithms that you can use, with each one designed to fulfill a specific purpose under specific circumstances.
For example, the Gutmann method runs 35 different passes over the drive to maximize coverage and ensure that data is as unrecoverable as possible. It works for HDDs, SSDs, and USBs. However, it takes a long time to run 35 passes and is thus overkill for anything but the most sensitive bits of data (e.g. government secrets).
Most security experts agree that seven passes is a great compromise between speed and efficacy. Therefore we recommend using the Schneier 7 pass method for wiping your flash drives.
4. Run the task. The Erase Schedule should now contain the newly-created task. Right-click it and select Run Now to begin the process (or use the Ctrl + Alt + R keyboard shortcut).
Note that modern flash drives have built-in wear-leveling algorithms that try to distribute files evenly across all storage cells. This is meant to extend the lifespan of the device. However, it also prevents the operating system from choosing where to write files.
In other words, secure erasure of flash-based drives is never a sure thing. You can rest assured knowing that most of the drive will have been overwritten, but you can never be sure that all of the drive was securely wiped.
Download — Eraser (Free)
Method 2: Use the Command Line
Windows comes with many built-in command line utilities, and one of them is called Cipher. Cipher can do a lot of things related to drives, file systems, and encryption, but we want to use it for one specific feature that it has: removal of unused data.
1. Launch an elevated Command Prompt. The easiest way to do this is to press Windows key + X (to open the lesser-known Power Menu) and select Command Prompt (Admin). You’ll need administrator-level UAC access for this to work.
In the elevated Command Prompt, type cipher /? to see a full description of what it can do and all of the different switches that are available.
If you scroll down, you’ll see a switch called /W which stands for Wipe. According to the description, it will go through the entirety of whatever drive you submit and overwrite all bits that have been marked as unused.
2. Run Cipher on your drive. In case you missed it in Method 1, flash drives have built-in wear-leveling algorithms that try to spread data evenly across all storage cells and the operating system can’t override that. (Cipher came out back in the HDD days.) As such, you can never be 100% sure that every unused bit of data was actually overwritten.
That being said, running Cipher several times will at least overwrite some of the drive — we could even say that it overwrites most of it — so it’s better than nothing. Just make sure you format your flash drive before running Cipher on it.
To run Cipher, use the following command:
Replace D:CRUZER with your own drive and partition. To find it, open File Explorer (keyboard shortcut Windows key + E) and navigate to This PC in the left sidebar. Then, under Devices and Drives, you should see your drive and its partition letter.
Be very careful when using this method and make sure you type the drive name correctly. A mistake here could be costly!
Method 3: Use a Hammer
Because of the aforementioned built-in wear-leveling algorithms, flash drives can’t be securely wiped with absolute certainty. This is one of the downsides to using them instead of traditional hard disk drives.
In all seriousness, the only way to guarantee unrecoverability of flash drive data is to physically pulverize the flash drive. Specifically, you’ll need to shatter the storage chips within the drive case. The more you crush them, the more unrecoverable they become.
It’s an extreme measure, yes, but flash drives are cheap these days and it’s a small price to pay for data security.
Plus, it’s fun.
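The wear-leveling caveat raised under all three methods, as an added toy model (not code from the article, Eraser or Cipher): the drive never overwrites in place, so a host that reads back only zeros can still leave the old data on the chip. The 12-physical/8-logical page layout, the least-worn-first policy and the `retire_page_of` bad-page step are assumptions of the model, and the last goes beyond what the article describes.

```python
SECRET = b"ACCOUNT-PIN-4921"      # constructed sample data, one 16-byte page
ZEROS = b"\x00" * 16              # the wipe pattern written by the host
ERASED = b"\xff" * 16             # a never-programmed flash page


class ToyFlash:
    """Page-granular toy flash translation layer (real controllers erase whole blocks)."""

    def __init__(self, physical_pages=12, logical_pages=8):
        self.cells = [ERASED] * physical_pages   # what is physically on the chip
        self.wear = [0] * physical_pages         # program/erase count per page
        self.map = {}                            # logical page -> physical page
        self.retired = set()                     # pages the controller marked bad
        self.logical_pages = logical_pages

    def _pick_page(self):
        """Wear-leveling: the controller, not the host, chooses the least-worn page."""
        in_use = set(self.map.values()) | self.retired
        free = [p for p in range(len(self.cells)) if p not in in_use]
        return min(free, key=lambda p: (self.wear[p], p))

    def write(self, logical, data):
        target = self._pick_page()
        self.cells[target] = data        # erase + program the chosen page
        self.wear[target] += 1
        self.map[logical] = target       # the old page is now stale, NOT erased

    def read(self, logical):
        physical = self.map.get(logical)
        return ERASED if physical is None else self.cells[physical]

    def retire_page_of(self, logical):
        """Controller moves the data to a fresh page and takes the old one out of use."""
        old = self.map[logical]
        self.write(logical, self.cells[old])
        self.retired.add(old)


def overwrite_passes(flash, passes):
    """What a wiping tool can do: rewrite every sector the host can address."""
    for _ in range(passes):
        for logical in range(flash.logical_pages):
            flash.write(logical, ZEROS)


def count_secret(pages):
    return sum(page == SECRET for page in pages)


def run(passes, retire_first=False):
    """Return (copies the host can still read, copies still present on the chip)."""
    flash = ToyFlash()
    for logical in range(3):                     # a sensitive file, three pages long
        flash.write(logical, SECRET)
    if retire_first:
        flash.retire_page_of(0)
    overwrite_passes(flash, passes)
    host_view = [flash.read(l) for l in range(flash.logical_pages)]
    return count_secret(host_view), count_secret(flash.cells)


if __name__ == "__main__":
    for passes, retire in [(1, False), (2, False), (7, True)]:
        host, chip = run(passes, retire)
        print(f"passes={passes} retired_page={retire}: host sees {host}, chip holds {chip}")
```

In this model the host-visible count is zero after the first pass in every case, which is exactly why the host cannot tell how many stale copies remain; how many passes clear them depends on spare capacity and controller policy that the host never sees.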
It’s Better to Use Encryption Instead
Going forward, it would be better for you to encrypt your data before putting it on your flash drive. You can do this using a reputable third-party data encryption tool. Remember to encrypt the data before transferring it on!
This way even if someone manages to get their hands on your drive, they won’t be able to view the contents. And if you ever wipe your drive and someone recovers the data, they’ll still need to get through the encryption. That’s real security.
How do you store your sensitive data? Know of any other methods that work to securely wipe flash drive data? Let us know in the comments below!
It’s a jungle out there. From trojans to worms to phishers to pharmers, the web is seemingly full of hazards. Keeping yourself safe requires not only the right software, but an understanding of what kind of threats to look out for.
That’s where “HackerProof: Your Guide to PC Security” comes in. This excellent guide, brought to you by MakeUseOf’s own Matt Smith, provides an objective, detailed, but easily understood walkthrough of PC security.
By the end of this guide, you will know exactly what PC security means and, more importantly, what you need to do to keep your PC secure.
Knowledge is power; arm yourself!
1.1 What is PC Security?
The terms “PC security” or “computer security” are vague in the extreme. They tell you very little, like most general terms.
This is because PC security is an incredibly diverse field. On the one hand you have professional and academic researchers who carefully try to find and fix security issues across a broad range of devices. On the other hand, there is also a community of inventive computer nerds who are technically amateurs (in the literal sense of the word – they’re unpaid and unsupported by any recognized institution or company) but are highly skilled and capable of providing useful input of their own.
PC security is linked to computer security as a whole, including issues like network security and Internet security. The vast majority of the threats that may attack your computer are able to survive only because of the Internet and, in some cases, the survival of a security threat is directly linked to a security flaw in some high-end piece of server hardware. However, the average PC user has no control over this.
This means that PC security – defined as protection of the personal computer you own – has a fortress mentality. It is your responsibility to protect your fortress from whatever might exist in the unknown beyond its walls. This mentality is expressed in the terms used by companies that want to sell you PC security software. Words like “firewall”, “blocker” and “shield” are easy to find in advertisements of PC security software.
These words are supposed to clarify the purpose of PC security, but this isn’t always the case. The information received from a company that sells security software is likely to be biased in favour of their product, as well, further confusing issues.
This guide provides an objective, detailed, but easily understood walkthrough of PC security. By the end of this guide you will know exactly what PC security means and, more importantly, what you need to do to keep your PC secure.
1.2 A Brief History of Computer Viruses
Computer viruses haven’t always been a major threat. The earliest viruses, which spread themselves in the 1970s via the first Internet networks (such as ARPANET), were relatively mundane programs that sometimes did nothing more than display a message on a computer terminal.
Viruses did not start to gain notice as a serious security threat until the mid and late 1980s. This period saw a number of firsts in the field of computer viruses, such as the Brain virus, widely considered as the first IBM PC compatible virus. This virus was capable of infecting the boot sector of MS-DOS computers, slowing them down or rendering them unusable.
Once the earliest malware became known, the number of viruses quickly ramped up as savvy nerds saw the opportunity to engage in a bit of online vandalism and prove their technical knowledge to their peers. Media attention towards viruses became common in the early 90s, and the first major virus scare occurred surrounding the Michelangelo computer virus. Like hundreds of computer viruses after it, Michelangelo set off a media panic and millions across the globe worried that their data would soon be erased. This panic proved misplaced, but put a media spotlight on malware that has yet to fade.
The proliferation of e-mail in the late 1990s wrote the next chapter in malware. This standard form of communication was, and still is, a popular method through which malware can reproduce. Emails are easy to send and attached viruses are easy to disguise. The popularity of email also coincided with a trend that proved even more important in the evolution of malware – the rise of personal computers. While enterprise networks are usually staffed by a team of people paid to watch over their security, personal computers are used by average people who have no training in the field.
Without the rise of personal computers many of the security threats that rose in the new millennium would not be possible. Worms would have fewer targets, trojans would be detected quickly, and new threats like phishing would be pointless. Personal computers give those who want to write malicious software a field full of easy targets.
The key, of course, is to ensure you’re not one of them.
2.1 The Traditional Virus or Trojan
Malware, through most of history, has spread by user error; that is to say, the PC user takes some kind of action to trigger a virus into action. The classic example of this is opening an email attachment. The virus, disguised as an image file or some other common file type, springs into action once the user opens the file. Opening the file may result in an error, or the file may open as usual, fooling the user into thinking nothing is wrong. In any case, the virus required the action of the user in order to spread. Reproduction is made possible not because of a security flaw in a program’s code but instead through deception.
In the late 1990s this type of malware, more commonly called a virus, was by far the most threatening. Most people were new to email and didn’t know that opening an attachment could infect their computer. Email service was far less sophisticated: there were no effective spam filters capable of keeping virus-containing spam emails out of inboxes, nor were there any effective antivirus solutions that automatically scanned emailed attachments. In recent years, technological advancements on both of these fronts have made it less effective to send a virus via email, but there are still millions of people who don’t have security software and don’t mind opening email attachments.
As email viruses are now a (relatively) well known threat, virus design has become more creative. Viruses can now “hide” in file types most people consider secure, such as Excel spreadsheets and PDF files. It is even possible for a virus to infect your PC through your web browser if you visit a webpage containing such a virus.
Some PC users boast that avoiding a virus is simply a matter of common sense – if you don’t download files from unknown sources and don’t download email attachments you’ll be fine. I disagree with this view. While many threats can be avoided with caution, viruses with new methods of reproduction and infection are being developed constantly.
Trojans, while different from viruses in their payload, can infect PCs through the same methods listed above. While a virus attempts to run malicious code on your PC, a Trojan attempts to make it possible for a third party to access some or all of your computer’s functions. Trojans can infect computers through almost any method a virus can use. Indeed, both viruses and Trojans are often lumped together as malware, as some security threats have traits associated with both a virus and a Trojan.
The term “worm” describes a method of virus infection and reproduction rather than the payload which is delivered. This method of infection is unique and dangerous however, so it deserves its own category.
A worm is malware that is capable of infecting a computer without the user taking any action (besides that of turning on their computer and connecting to the Internet). Unlike more traditional malware, which usually tries to hide in an infected file, worms infect computers through network vulnerabilities.
The stereotypical worm spreads by spamming copies of itself to random I.P. addresses. Each copy has instructions to attack a specific network vulnerability. When a randomly targeted PC with the vulnerability is found, the worm uses the network vulnerability to gain access into the PC and deliver its payload. Once that occurs, the worm then uses the newly infected PC to spam more random I.P. addresses, beginning the process all over again.
Exponential growth is the key here. The SQL Slammer worm, released in January 2003, used this method to infect approximately 75,000 computers within 10 minutes of its initial release. (http://www.wired.com/wired/archive/11.07/slammer.html)
As with many PC security threats, however, the term “worm” covers a wide range of malware threats. Some worms spread by using flaws in email security in order to automatically spam themselves via email once they infect a system. Others have an extremely targeted payload. Stuxnet, a recent computer worm, was found to have code that many believed was designed specifically to attack Iran’s nuclear research program. (http://www.schneier.com/blog/archives/2010/10/stuxnet.html)
While this worm is estimated to have infected thousands of computers, its actual payload is designed to only take effect once the worm encounters a specific type of network – the type Iran uses for uranium production. No matter who the target was, the sophistication of Stuxnet provides a great example of how an automatically reproducing worm can infect systems without its users having the slightest clue.
A particularly nasty bit of malware, rootkits are capable of obtaining privileged access to a computer and hiding from common antivirus scans. The term rootkit is used mainly as a means of describing a specific type of payload. Rootkits can infect systems and reproduce themselves using any number of tactics. They may operate like worms or they may hide themselves in seemingly legitimate files.
Sony, for example, found itself in hot water when security experts discovered that some music CDs distributed by Sony were shipping with a rootkit that was able to give itself administrative access on Windows PC’s, hide itself from most virus scans, and transmit data to a remote location. This was, apparently, part of a misguided copy protection scheme.
In many ways a rootkit’s payload seeks to achieve the same goals as a regular virus or Trojan. The payload may attempt to delete or corrupt files, or it might attempt to log your keystrokes, or it may try to find your passwords and then transmit them to a third party. These are all things that a virus or Trojan may attempt to do, but rootkits are far more effective at disguising themselves while they’re doing their work. Rootkits actually subvert the operating system, using security flaws in the operating system to disguise themselves as critical system files or, in severe cases, write themselves into critical system files, making removal impossible without damaging the operating system. (http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601)
The good news is that rootkits are harder to code than most other types of malware. The deeper a rootkit wishes to plunge into a PC’s operating system, the more difficult the rootkit will be to create, as any bugs in the rootkit’s code could crash a targeted PC or alert antivirus software. This might be bad for the PC, but it defeats the point of trying to hide the rootkit in the first place.
2.5 Phishing and Pharming
The world of malware in the 1990s looks quaint compared to today. Back then, malware was often written by hackers who wanted to display their talents and gain notoriety among their peers. The damage done was severe, but often limited to the computers infected. Modern malware, however, is often nothing more than a tool used by criminals seeking to steal personal information. This information can then be used to hijack credit cards, create false identifications, and perform all sorts of illegal activities that can have a severe impact on the life of the victim.
Phishing and Pharming are techniques that best illustrate the criminal element of PC security threats. These threats are significant, but they don’t technically attack your PC at all. Instead they use your PC to deceive you and steal important information.
Both of these terms are closely related. Pharming is a technique used to redirect a person to a bogus website. Phishing is the act of harvesting private information by posing as a trustworthy entity. The techniques often go hand in hand: a pharming technique sends a person to a bogus website which is then used to “phish” private information from the person.
The classic example of this sort of attack begins with an email that appears to be sent from your bank. The email states that there has been a suspected security breach of your bank’s online servers and you need to change your username and password. You are provided a link to what appears to be your bank’s website. The page, once opened in your browser, asks you to confirm your existing username and password and then type in a new username and password. You do so, and the website thanks you for your cooperation. You don’t realize anything is wrong until you try to log into your bank’s website the next day by following the bookmark in your browser.
2.6 Malware – The Catch All
While the rogues above are widely recognized as serious problems with definite characteristics, it is still difficult to categorize threats because the ecosystem of security threats is diverse and constantly changing. This is why the term malware is used so frequently: it is the perfect catch-all for anything that is trying to do harm to your computer or trying to use your computer to do harm to you.
Now that you know about some of the most common PC security threats, you may be wondering what you can do about them. The best place to begin that discussion is with operating systems.
The operating system that you are using has a significant impact on the malware threats that you need to be aware of and the methods you can use to counteract them. Malware is, in most cases, programmed to take advantage of a particular exploit in a particular operating system. Malware coded to take advantage of a network vulnerability in Windows can’t infect OS X computers because the networking code is much different. Likewise, a virus that attempts to delete driver files found on a Windows XP computer won’t have any effect on a Linux machine because the drivers are completely different.
I think it is accurate to say that the operating system you choose has a bigger impact on your PC’s overall security than any other single variable. With that in mind, let’s take a quick look at some common operating systems and how they handle security.
3.1 Windows XP
Introduced in 2001, Windows XP quickly became Microsoft’s most critically acclaimed operating system. It was loved for its relatively simple interface, which offered improvements but remained familiar to users of Windows 95, 98 and ME. It also proved relatively slim for a new Windows operating system, and it remains capable of running on older machines that can’t handle newer Windows operating systems.
At the time of its release, Windows XP introduced some notable security improvements over previous Windows operating systems. It closed up some security holes that made it easy to mess with Windows systems by using blank network accounts or certification errors. Windows XP’s security received a big addition in Windows XP Service Pack 2 with the introduction of Windows Security Center, which made it easier for users to find out if their Windows XP computer was protected by anti-malware software and had the appropriate security updates installed.
However, Windows XP is a nearly ten year old operating system, and over the years it has been attacked relentlessly by hackers. The popularity of Windows XP makes it an obvious choice for malware seeking to infect as many computers as possible. In addition, Windows XP simply does not have access to a number of improved security features that are standard in Windows 7.
Overall, Windows XP is the worst common operating system currently available from the standpoint of security. It lacks new security features, is well understood by those coding malware, and is frequently attacked.
3.2 Windows 7
The latest operating system from Microsoft, Windows 7 is a refinement of the heavily criticized Windows Vista (the information in this section mostly applies to Vista, as well). Windows 7 is not as easy to run as Windows XP, but it offers a wealth of new features, including features relating to security.
For example, User Account Control is a new feature that was introduced in Vista and also included in Windows 7. When it first arrived, UAC was commonly mocked in the media – Apple even made an advertisement about it. That’s an odd move because OS X has similar functionality, and because UAC is very important when it comes to security. It protects your PC by ensuring that programs cannot gain elevated access privilege to your system without permission. Prior to UAC, malware could easily do this without the user ever being the wiser.
Microsoft has also made improvements that further refine Windows’ ability to convey important security information to users. The Security Center is now called the Windows Action Center, and it does a better job than ever before of automatically obtaining important updates and notifying users when action needs to be taken. This is crucial, because known security exploits that are not patched are a liability no matter the operating system you prefer.
Windows 7 also benefits from an attitude towards security that is far more reasonable than the attitude Microsoft had during the creation of Windows XP. This is readily apparent when you compare the number of security exploits Microsoft has had to patch during the first year of XP’s release with the first year of Vista’s release. Windows XP had 65 vulnerabilities corrected, while Windows Vista had just 36 vulnerabilities patched.
Unfortunately, Windows 7 remains heavily targeted by malware because of its popularity. Windows is still the operating system used by most of the world, so it makes sense for malware to target it. For this reason, Windows 7 users still face numerous security threats.
3.3 Mac OS X
Mac OS X still feels modern, but is at its core a rather old operating system. The first version was released in 2001, making it just as old as Windows XP. Apple, however, takes a far different approach to updates than Microsoft. While the folks at Redmond usually focus on big releases, bringing out new operating systems every five or six years on average, the Apple crew has updated OS X eight times since the operating system’s initial release.
Those releases usually contain a few security updates, and Apple has earned a reputation for offering security that is far beyond that of Windows. This reputation, however, tends to fall apart upon closer examination. Malware targeting OS X does exist, and Apple has to patch security flaws with about the same frequency as Microsoft. A 2004 report from a security company known as Secunia discovered that in the previous year Mac OS X was subject to 36 vulnerabilities, only ten fewer than Windows XP – however, a higher percentage of OS X vulnerabilities could be exploited via the Internet. (http://news.techworld.com/security/1798/mac-os-x-security-myth-exposed/)
More recently, Apple was forced to release a number of major security patches, the most recent of which addressed 134 vulnerabilities. (http://www.fiercecio.com/story/apple-releases-massive-mac-os-x-security-update/2010-11-12).
This is not to say that Mac OS X is not secure. One advantage, which carries over from OS X’s UNIX heritage, is the need to sign in as “root” to make changes to important files and settings (Windows’ UAC is essentially an attempt to emulate this). However, an unfortunate number of users seem to believe that OS X is immune to security threats due to its relative obscurity. While there is a degree of truth to this, security threats for OS X computers do exist and can be just as damaging as those that target Windows. The security of Mac OS X is also hampered by a slim selection of security suites.
Most PC owners will never use a computer running Linux. With that said, Linux is more accessible now than it has ever been in the past. Free Linux variants, like Ubuntu and Jolicloud, offer a graphical user interface that is robust and provides the basic functionality you expect from a PC, such as the ability to read your email and browse the web.
Linux, like OS X, requires that users sign in on a “root” account to make changes to important files and settings. Linux also benefits greatly from security by way of obscurity. The Linux user base is small and, to make matters worse for malware, the user base does not cling to a particular variant of Linux. Although the underlying code is often the same, there are subtle changes to different variants of Linux – and many advanced Linux users go so far as to code in their own custom features. This makes attacking Linux users en masse a difficult and also pointless proposition. If you’re looking to harvest credit card numbers, targeting Linux is not the way to go.
The niche nature of desktop Linux makes talking about its security difficult. Security vulnerabilities do indeed exist on Linux systems, and these vulnerabilities are not always patched as quickly as vulnerabilities found on Windows. (http://www.eweek.com/c/a/Linux-and-Open-Source/Linux-vs-Windows-Which-Is-More-Secure/) However, Linux operating systems are actually impacted by security threats less frequently, and the threats are often less severe.
3.5 A Summary – Which is Best?
Overall, Mac OS X and Linux are clearly superior to Windows if security is measured by the frequency with which users are impacted by security threats. This does not mean that Microsoft is asleep at the wheel. It is simply the reality of our world. Windows is by far the most popular operating system and, as a result, malware is usually coded to target Windows PCs.
On the other hand, Windows computers have access to superior antivirus suites and the Windows Action Center in Windows 7 has no peer. This means that Windows users are arguably more likely to be aware of a security issue when it arises, but trying to quantify this is impossible.
Still, whatever the reasons, it’s impossible to get away from the fact that Windows users are more likely to be impacted by malware than users of OS X or Linux.
4.1 Avoiding the Email Inbox of Doom
Ah, email. Once upon a time it was the primary method of reproduction for most malware. A virus was attached to an email, disguised as a cool program or a document, and then sent on its merry way. Open the email and – bam! – you’re infected.
At the time this sort of deception seemed like the pinnacle of trickery. Today, such simple means of malware reproduction and infection seem quaint – it would be nice to go back to a world where avoiding email attachments protected your computer from the majority of threats.
Spam filters and automatic antivirus protection have made it much harder for malware to spread effectively via email, and most users now know better than to open an attachment from an unknown source (and if you didn’t know better – now you do!).
However, malware has compensated by using automated methods of reproduction that disguise the malware email as something that looks trustworthy. For example, malware that infects your parents’ computer may then send an email from them to you with the header “Photos from a recent vacation.” If your parents weren’t on vacation, you would probably catch on to the trickery. However, everyone’s parents go on vacation sometimes – and if yours just came back from an international trip you may open the attachment.
The rule of thumb is this – if the attachment is something that you did not already know was supposed to be sent to you, confirm with the sender before opening it. Alternatively, you can scan the file with your anti-malware application of choice. Be warned, however, that no security software can detect every security threat.
Although malware is always an issue, phishing is undoubtedly the threat that is currently the most devious and difficult to detect. Always be wary about unexpected emails that are supposedly from your bank, employer, or any other institution. No legitimate institution will ever ask you to enter your username and password by presenting you with a link sent via email!
In fact, it is a good idea to never directly open any link supposedly sent to you from an institution. If your bank is contacting you to give you your monthly e-statement, for example, this information should be accessible by going to the bank’s main page and then logging into your account.
4.2 Using Caution for Safe Surfing
Web surfing has always presented some security threats, a fact that many users forget. As with email, it’s often assumed that you’ll be perfectly protected if you simply avoid opening files from unknown sources. Being scrupulous about the files you download is, of course, an extremely good idea. But this alone is not enough to properly safeguard your PC.
Most of the security exploits you’ll need to worry about exist because of a security problem with either your web browser or an important plugin, such as Java or Adobe Flash. Products like Flash make it very easy for web developers to create interactive web experiences that are far beyond what can be accomplished otherwise, but the added complexity tends to result in security holes. Java, Flash, Shockwave, ActiveX and other web development tools have been patched time and time again after security flaws were found. These flaws are nothing to laugh at, either – some of them make it possible for an attacker to take full control of a PC simply by luring a person to the website with the malicious code.
Malicious websites are rarely found at the top of Google search results. These sites usually spread themselves through spam email, random instant messages, and social media. With this said, however, even a trustworthy website can sometimes become a security threat. Malware can infect web servers, too, and in some cases this can result in a website spreading malware without the owner’s knowledge.
Your best defense against all malicious threats is to ensure that your web browser and its associated plugins are kept up to date – a matter we’ll discuss later in this chapter.
4.3 Checking Links – Do They Lead Where You Think?
It is wise to be careful about how you handle emails and instant messages, but a simple no-click policy isn’t always practical when it comes to links. Indeed, there are some social networking sites – like Twitter – that are heavily reliant on links. Without links, Twitter would be mostly pointless.
This puts users into a precarious position. On the one hand, a social networking site like Twitter can be a lot of fun, and it can make it easier to keep tabs on friends that you might otherwise lose contact with. On the other hand, simply using the social networking site can put you at added risk – and to make matters worse, links are shared using tiny URLs that redirect you to the real webpage.
Fortunately, you can easily discover the true location of a web link by using a website that lifts the veil for you before you actually click on the link. I like to use TrueURL (http://www.trueurl.net/service/) but you can find similar sites of various types with a few Google searches.
4.4 Updating Your Software – The Most Important Step
Most security threats thrive because of security flaws in software that can be exploited. Exercising caution will help keep your PC away from potentially dangerous situations, which means there are fewer chances for malware to infect your PC. But that’s only half the battle. The other half is taking actions that ensure that your PC will not be compromised even if you expose it to a security threat. How do you do this? By making sure that your computer’s software is up to date.
Imagine that you’re leaving your house to go to work. Normally, you lock your door when you leave. However, you may occasionally forget to lock your door, making it possible for someone to simply walk into your home and breach its security. No one forgets to lock his or her door on purpose, but it happens anyway. It’s a mistake.
Software programmers also make mistakes. However, once the mistake is realized it is often patched, just as you might turn around and go back home if you remember that you didn’t lock your door. If you choose not to keep your software up to date, however, you’re choosing not to turn around and lock your door. You may be able to reduce your risk by placing valuables in a safe, keeping your curtains closed, and putting a big “BEWARE OF DOG” sign on your front lawn. The fact remains, however, that your door is unlocked – and since you haven’t locked it, anyone can walk right in.
Hopefully this illustrates why it’s important to keep software up to date. In my opinion, keeping software updated is the single most important security habit a person can cultivate. It is always possible that you’ll be one of the unlucky few hit by a security flaw before that flaw becomes known and is patched. However, most companies today are quick to react to security issues, so keeping your software updated significantly boosts your security.
4.5 Use Antivirus Protection
In a way, this tip might go without saying. Yet I’ve talked numerous times with fellow geeks who, in my view, thought themselves too cool for anti-malware applications. They’re just scams, they argued – you won’t get malware if you don’t do anything stupid.
Throughout the guide so far I’ve discussed why this assumption is wrong. The truth is that anti-malware protection is not as simple as avoiding email attachments and being careful about the websites you visit. Comprehensive PC security requires a comprehensive approach – and that includes anti-malware suites, firewalls and other programs. The security software available is as diverse as the threats they protect against, so let’s take a look at what’s available.
5.1 Anti-Malware Software
In chapter 2 we took a look at the various types of malware that might infect your computer. Of those threats, the first three are the ones anti-malware software is designed specifically to intercept and protect against.
There are numerous anti-malware products on the market – too many to list here. However, these programs have a common purpose. They exist to detect, and then remove, malware that may have infected your computer.
They also try to limit the damage malware can cause by “quarantining” infected files the moment they are discovered.
Most anti-malware software goes about this in several ways. The first and oldest method is signature detection. This form of detection involves scanning a file and looking for code that is known to be used by specific malware. This method of detection is reliable, but it can’t deal with brand-new threats. A signature can only be detected after it has been added to the anti-malware software’s database of known threats, and a threat usually doesn’t become known until it has already been released.
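The signature method described above, as an added example (not code from any real anti-malware product): a scanner that reads a file in chunks and keeps an overlap so a signature split across two reads is still found. The signature names and byte patterns are constructed, harmless placeholders.

```python
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # label reported to the user
    pattern: bytes  # byte sequence known to appear in the threat


# Constructed placeholder signatures; these bytes belong to no real malware.
SIGNATURE_DB = [
    Signature("Example.Worm.A", bytes.fromhex("deadbeef1337")),
    Signature("Example.Trojan.B", b"EXAMPLE-TROJAN-B-MARKER"),
]

# Constructed samples: one contains a known pattern, the other is a "new"
# variant that differs from it by a single byte.
KNOWN_SAMPLE = b"\x00" * 10 + bytes.fromhex("deadbeef1337") + b"\x00" * 10
NEW_VARIANT = b"\x00" * 10 + bytes.fromhex("deadbeef1338") + b"\x00" * 10


def scan_stream(stream, signatures, chunk_size=4096):
    """Return the sorted names of all signatures found in a binary stream."""
    patterns = [s for s in signatures if s.pattern]
    if not patterns:
        return []
    # Keep the last (longest pattern - 1) bytes of each window so that a
    # pattern straddling a chunk boundary is seen whole on the next read.
    overlap = max(len(s.pattern) for s in patterns) - 1
    found = set()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for sig in patterns:
            if sig.pattern in window:
                found.add(sig.name)
        tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_bytes(data, signatures, chunk_size=4096):
    """Convenience wrapper for scanning an in-memory sample."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


if __name__ == "__main__":
    # A tiny chunk size forces the pattern to straddle read boundaries.
    print("known sample:", scan_bytes(KNOWN_SAMPLE, SIGNATURE_DB, chunk_size=4))
    print("new variant :", scan_bytes(NEW_VARIANT, SIGNATURE_DB, chunk_size=4))
    # Only after the vendor ships an updated database is the variant caught.
    updated = SIGNATURE_DB + [
        Signature("Example.Worm.A2", bytes.fromhex("deadbeef1338"))
    ]
    print("after update:", scan_bytes(NEW_VARIANT, updated, chunk_size=4))
```

The one-byte variant passes the scan until its pattern is added to the database, which is the gap the behaviour-based methods below are meant to cover.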
So-called “real time” protection is also a popular method of catching malware in the act. This form of protection does not rely on signatures but instead monitors the behaviour of software running on your PC. If a certain program begins to behave oddly – if it is asking for permissions it should not be, or trying to make modifications to files that are unusual – this is noticed and action is taken to stop the program from causing any ruckus in your file system. Different companies implement “real time” protection in different ways, but the goal of catching malware in the act is the same.
Another, newer form of detection that has debuted in some products, like Panda Cloud Antivirus and Norton Internet Security 2010, is cloud protection. This method focuses on the origins of malware, such as specific files and links. If someone using the anti-malware software opens a file and is infected by a virus, this file name is recorded as a threat, and that information is made available. The goal is to prevent users from opening files or following links that may contain a security threat.
Once a threat is detected, it is usually “quarantined” to ensure that the threat can’t spread. You can then attempt to remove the threat. Anti-malware software is often incapable of removing every threat that it detects, but your security is usually intact so long as the threat remains in a quarantined state.
Most of the complaints levelled against anti-malware software concern new threats. Anti-malware software is a known element, and it can be circumvented by new malware. This is why anti-malware software is updated with extreme frequency – new threats are discovered constantly. This does not mean that anti-malware software is useless, however. The number of known threats far outnumbers those that are unknown.
You do need to be careful about the software you buy or download, however. There seems to be a large gap between the most and least effective products, and the rate of innovation is high. For example, Norton was terrible just a few years ago, but the Norton 2010 products were excellent. For current information and reviews about anti-malware software, check out AV-Comparatives (av-comparative.org), a non-profit organization dedicated to objectively testing PC security products.
A significant number of the most severe PC security threats rely on an active Internet connection in order to function. Having your hard drive corrupted is a huge pain in the butt, but you can protect against it by keeping a backup. If someone manages to obtain your credit card number or some other sensitive bit of personal information, however, the damage can extend far beyond your PC. This can only happen if malware installed on your PC makes your information available to a third party. This data is commonly transmitted the easiest way possible – the Internet.
It is a firewall’s job to prevent this. The firewall is software on your PC that monitors the data being sent to and from your computer. It can selectively block out certain information, or it can (usually) shut down your Internet connection entirely, severing the flow of information completely.
Firewalls are an important part of Internet security. So important, in fact, that Windows ships with a firewall by default. Without a firewall, malware will be able to freely transmit data to third parties, and malware that reproduces itself by sending copies to random I.P. addresses will be more likely to gain access to your PC.
Since Windows machines now ship with a firewall, you don’t necessarily need to purchase a third-party firewall. There are also a lot of free options – not only for Windows, but also for OS X and Linux operating systems. With this said, products known as Internet Security Suites usually include a firewall as part of the package.
Keeping a firewall installed on your PC is highly recommended. A firewall is often able to limit the damage caused by malware even when anti-malware software fails to detect or stop a threat.
5.3 Rootkit Killers
Anti-malware software is supposed to detect and quarantine rootkits just as it would any other malware threat. However, the nature of rootkits often makes it very difficult for a general anti-malware program to detect a rootkit. Even if the threat is detected, an anti-malware program may not be able to remove it if the rootkit has embedded itself into critical system files as a means of escaping detection and preventing removal.
That’s where dedicated rootkit killers come in. These programs are specifically designed to find and then remove a rootkit, even if the rootkit is wound up into critical system files. Perhaps the most well-known program of this type is MalwareBytes Anti-Malware, which became popular several years ago as the threat posed by this method of attack briefly entered tech news columns across the web. Since that time, MalwareBytes has become a more general anti-malware program.
There are also numerous rootkit killers that are built to remove a specific rootkit. This is sometimes required because of the complexity of some rootkits, which hide in system files that can’t be modified without damaging an operating system. Programs designed to combat a particular rootkit usually do so by restoring files to a default state or carefully deleting code known to belong to the rootkit.
Even these solutions, however, do not always succeed. Some IT professionals approach rootkits with a scorched-earth policy. Once a system is infected, they prefer to simply reformat the drive and reinstall the operating system. This is not a bad idea, and is another reason why you should always keep a backup of your files. Reformatting your hard drive and reinstalling your operating system is sometimes a quicker and easier process than attempting to remove a rootkit.
5.4 Network Monitoring
Having a home network can be incredibly useful. It can be used to transfer files between computers in a flash and provide Internet access to an array of non-PC devices, such as game consoles and Blu-Ray players.
However, networks can also be vulnerable to intrusion, a PC security threat that relates to both malware and hacking. Wireless networks are particularly vulnerable, because a wireless network by definition broadcasts data across the airwaves in all directions. If this data is encrypted, it will be harder for people to read – but cracking encryption is not impossible.
Keeping tabs on your network will help you make sure that no strange devices appear connected to it. You can normally do this by looking at the MAC addresses that are connected to your router and comparing those to the MAC addresses of the devices you own (a MAC address is usually printed on the body of a device). However, it is possible to spoof a MAC address, and most routers don’t provide a detailed log of devices that have connected to your network in the past.
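The comparison described above, as an added example (not taken from any router or security suite): it normalizes MAC addresses written in different styles, then lists every client in a router's table that is not in your own inventory. The inventory, the client table and its three-column layout are constructed for illustration.

```python
import re

# Constructed inventory: MAC addresses copied from the labels of devices you
# own, in the mixed notations that vendors print them in.
OWNED_DEVICES = {
    "laptop": "A4:5E:60:12:34:56",
    "game console": "00-1f-a7-ab-cd-ef",
    "blu-ray player": "0011.2233.4455",
}

# Constructed router client list: IP address, MAC address, reported hostname.
ROUTER_CLIENTS = """\
192.168.1.10  a4:5e:60:12:34:56  laptop
192.168.1.11  00:1F:A7:AB:CD:EF  console
192.168.1.12  00:11:22:33:44:55  bluray
192.168.1.37  3c:d9:2b:0a:0b:0c  unknown-host
192.168.1.40  06:aa:bb:cc:dd:ee  android-1234
"""


def normalize_mac(text):
    """Convert aa:bb.., AA-BB-.. or aabb.ccdd.eeff to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the address was set by software rather than assigned by the
    manufacturer (bit 0x02 of the first octet), as with randomized or
    manually configured addresses."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def find_unknown_clients(client_table, owned):
    """Return (ip, mac, hostname, locally_administered) for each client whose
    MAC address is not in the owned-device inventory."""
    known = {normalize_mac(mac) for mac in owned.values()}
    unknown = []
    for line in client_table.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed rows
        ip, mac = fields[0], normalize_mac(fields[1])
        hostname = fields[2] if len(fields) > 2 else ""
        if mac not in known:
            unknown.append((ip, mac, hostname, is_locally_administered(mac)))
    return unknown


if __name__ == "__main__":
    for ip, mac, host, local in find_unknown_clients(ROUTER_CLIENTS, OWNED_DEVICES):
        note = " (software-assigned address)" if local else ""
        print(f"unrecognized device {mac} at {ip}, hostname {host!r}{note}")
```

A client that copies the MAC address of one of your own devices passes this check, which is the spoofing limitation mentioned above.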
Some Internet security suites rectify this with network monitoring software that can map your network, provide information about each device detected, and lay out this data on a network map that shows you precisely which devices are connected to your network and the means through which they’re connected. Network monitoring software is also typically capable of restricting the access of any new devices, should they be detected, or limiting the access of devices commonly connected to your network.
Not everyone needs this kind of protection. Wired home networks rarely need to make use of it, and users who own only one computer don’t need it either (one computer does not make a network). Users with wireless networks or large wired networks, on the other hand, will likely find this software helpful.
5.5 Phishing Protection
As mentioned in Chapter 2, phishing is one of the newest and most serious security threats facing PC users today. Unlike most previous threats, phishing doesn’t target your PC. It targets you – your computer is simply the tool used to commit a crime against you.
Phishing works so well because the quality of the deception used by phishers is often excellent. Good phishing scammers can create a fake online banking portal that looks identical to the one that you normally use when you visit your bank’s website. If you’re not paying close attention, you may enter your personal information without thinking. Let’s face it – we all have off days. One slip up after you come home from a long day at work can result in all kinds of havoc.
The deception is never perfect. Phishers may be able to create authentic looking emails and websites, but they can’t actually send an email from your bank or use the same URL as the site they’re mimicking. To the human eye, distinguishing a fake email address or URL from a real one can be difficult – but software can make this distinction as quickly as you can blink.
Phishing protection is a relatively new field, but most Internet security suites now include anti-phishing software. The usefulness of this feature is usually dependent on the tech-savvy of the user. Be honest – if someone sent you a fake URL of your bank’s website by changing just one character, would you catch it? Do you know why some websites end with things like .php, and why that is important? Do you know the difference between http and https?
If the answer to these questions is “no” you should download free anti-phishing software or consider buying an Internet Security Suite with an anti-phishing feature. Just be sure to read a review of the software first. Since this type of protection is new, there remains much room for innovation – and room for error, as well.
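The kind of check software can make "as quickly as you can blink", as an added example (not the logic of any particular anti-phishing product): it compares a link's real hostname and scheme against a short list of sites you trust. The trusted hostname, the sample URLs and the verdict labels are constructed, using reserved example domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the exact hostnames you normally log in to.
TRUSTED_HOSTS = {"online.mybank.example"}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # delete ca
                current[j - 1] + 1,            # insert cb
                previous[j - 1] + (ca != cb),  # substitute
            ))
        previous = current
    return previous[-1]


def classify_url(url, trusted_hosts, max_distance=2):
    """Return a verdict string describing how url relates to trusted_hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in trusted_hosts:
        # Right site, but without https the connection is not encrypted or
        # authenticated.
        return "trusted" if parts.scheme == "https" else "trusted-host-without-https"
    # "https://bank@other-host/": the text before "@" is a username, not the site.
    if (parts.username or "").lower() in trusted_hosts:
        return "trusted-name-in-userinfo"
    for trusted in trusted_hosts:
        # The trusted name used as a prefix of somebody else's domain.
        if host.startswith(trusted + "."):
            return "trusted-name-as-subdomain"
    for trusted in trusted_hosts:
        # One or two characters away from a trusted hostname.
        if edit_distance(host, trusted) <= max_distance:
            return "lookalike"
    return "unlisted"


if __name__ == "__main__":
    samples = [  # constructed URLs
        "https://online.mybank.example/login",
        "http://online.mybank.example/login",
        "https://online.mybonk.example/login",
        "https://online.mybank.example.login.test/",
        "https://online.mybank.example@198.51.100.7/",
        "https://news.example/",
    ]
    for url in samples:
        print(f"{classify_url(url, TRUSTED_HOSTS):28} {url}")
```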
6.1 What Products Offer What Protection?
In the previous chapter we discussed the most important forms of protection. Knowing what you need is one thing – however, finding it is another. The marketing surrounding PC security is part of the reason why the field can be so difficult for the layman to understand. Companies often call the same features by different names.
The most basic form of PC security software generally sold is known as antivirus. Antivirus products are usually marketed with a combination of the word Antivirus and the company’s brand name. Norton Antivirus, McAfee Antivirus, AVG Antivirus, and so on. Antivirus programs typically fit the definition of anti-malware laid down in this guide. Viruses, Trojans, rootkits, and other threats are all targeted. Most antivirus products do not include a firewall, and features like network monitoring and phishing protection usually aren’t included either.
The next step up is the Internet security suite. As with antivirus software, Internet security suites are usually sold with the term Internet Security alongside the company’s brand name. Internet security suites usually include a firewall and anti-phishing protection (which is sometimes instead called identity protection or identity security). Some also include a network monitor. Internet security suites can add anti-malware features that the basic antivirus product doesn’t have, such as an automatic virus scan on any file sent to you via email or instant messenger.
The final tier of protection goes by many names. Trend Micro uses the term Maximum Security, while Symantec calls its product Norton 360. If the Internet security product by a company lacked anti-phishing features or a network monitor, the third tier product usually adds that in. These products also usually include advanced backup features designed to minimize the damage done by a virus that attacks your operating system.
So which should you buy? It’s hard to come down with a definitive verdict, because the features of these products vary from company to company. With that said, however, the average user is probably best served by the Internet security suite. If you’re not sure what a particular company’s product features, be sure to check their website. You’ll typically find a chart that lists the features each product does and does not have.
6.2 Free vs. Paid Security
Of course, there is some debate about the necessity of purchasing an antivirus solution in the first place. Antivirus software is fairly inexpensive, particularly if you wait for a sale. It isn’t unusual to see office stores literally giving away copies of antivirus software – sometimes with a mail-in-rebate, and sometimes without. Even if you do grab a copy of a PC security program for free, however, you’ll have to pay a yearly subscription fee. This fee is usually equal to the retail MSRP of the product.
Paying $40 a year isn’t a lot, but on the other hand, it is $40 you may not have to pay. Free antivirus solutions and firewalls exist, and they work quite well. For example, Avast! Free Antivirus has been tested in a number of AV-Comparatives roundups. While the free antivirus never came in first place, it was competitive with paid antivirus solutions. In an on-demand antivirus test it missed fewer malware samples than antivirus software from Symantec, Trend Micro, Kaspersky and other well-known PC security companies. (http://www.av-comparatives.org/images/stories/test/ondret/avc_od_aug2010.pdf)
Free firewalls are also available. Zone Alarm firewall has long been popular, and while it has lost its edge over time, it is still a good option. Other choices are available from companies like PC Tools, Comodo and more. Phishing protection and network monitoring options are available for free, as well.
It is possible to provide adequate protection for your PC for free, and the benefit of that is obvious – you have more money to spend on other things. However, piecing together free antivirus, firewall and network monitoring solutions isn’t everyone’s idea of fun. Free security software is also often a bit less comprehensive than paid options – indeed, this is sometimes an intentional design decision, as some companies that offer free options also offer paid upgrades. Avast! Free Antivirus, for example, can detect and remove viruses, but the Pro version includes better protection against web threats.
6.3 The Ideal Free Internet Security Suite
Reviewing the broad range of paid PC security options is beyond the scope of this guide. As stated previously, it is highly recommended that readers check out AV-Comparatives for the latest information about anti-malware effectiveness. PCMag.com and CNET are two other sites that consistently provide useful reviews of security software.
Information about free security software can be a bit harder to come by, however, and the low price point of free does have an effect on the general quality of the options available. There are some free options that I would never recommend to anyone. You also must be careful about options found through Google and other search engines, as these are not always legitimate programs. We’ve all encountered the pop-up ads proclaiming “Stop! We Have Detected 5 Viruses On Your Computer!!!” The software these ads promote is usually malware disguised as security software.
To help simplify things, I’ve come up with three free programs that will help you protect your PC against a variety of threats.
Avast! Free Antivirus or Microsoft Security Essentials
(http://www.avast.com/free-antivirus-download): There are several competent free antivirus programs available, but Avast! Free Antivirus comes out on top. This program has been tested by AV-Comparatives. It received an Advanced+ rating in the latest On-Demand test and an Advanced rating in the latest Proactive test. These ratings would not be bad for a paid program, and they’re excellent for software that is available for free. Avast! Free Antivirus is also relatively intuitive, so you shouldn’t have to spend much time trying to become acquainted with the program.
Avast performs very well in security software tests, but there could be some improvements to the interface. Microsoft Security Essentials is a great choice if you want something that feels more intuitive. It doesn’t rank as highly as Avast in AV-Comparatives testing, but it received an Advanced rating, which puts it on par with many paid antivirus solutions.
ZoneAlarm Free Firewall
(http://download.cnet.com/ZoneAlarm-Free-Firewall/3000-10435_4-10039884.html?tag=mncol): ZoneAlarm was a big deal a decade or so ago when the program first debuted. At the time, most users weren’t familiar with what a firewall was or why it may be needed. Since then, many competing free firewalls have come and gone, but ZoneAlarm remains one of the most popular. It is a strong, easy to understand firewall. The outbound protection offered is particularly important – this will prevent malware from sending information to a third party if it infects your computer. ZoneAlarm also includes an anti-phishing toolbar.
(http://www.bitdefender.com/PRODUCT-2237-en–BitDefender-Anti-Phishing-Free-Edition.html#more_features): If you don’t like the anti-phishing toolbar included with ZoneAlarm you can try BitDefender’s option. This toolbar, for Internet Explorer and Firefox, provides real-time protection against websites that may be trying to phish your personal information. It also provides protection against links sent through MSN or Yahoo instant messengers.
7.1 The Importance of Backups
Implementing comprehensive PC security will protect you from the vast majority of threats. Most malware and other security threats exploit a specific avenue of attack, and once you know this, you can take counter-measures. Yet even the best defense is not impenetrable. It is possible that you may, for whatever reason, find yourself attacked by particularly clever hackers who can bypass your security and do harm to your PC. Or you may be hit by a zero-day attack, a security threat that rapidly spreads using a previously unknown exploit that has not been patched.
Whatever the case, it’s important to keep a backup of your critical information. A backup is a copy of important data that is placed in a separate digital or physical location. Copying family photos to your computer’s secondary hard drive is one way of backing up data. Placing those photos on a CD-ROM and then storing that CD in a bank lockbox is also an example of backing up data.
These two examples are polar opposites. One is extremely easy, but also not very secure, while the other is very secure but inconvenient. There are many options to consider between these two extremes.
7.2 Backup Options
At its core, backing up data is nothing more than creating a copy of data and placing it somewhere besides the original location. Simply placing files into a folder on a secondary internal hard drive is the easiest way to back up data. However, this isn’t very secure. Malware can easily infect the secondary drive and corrupt files there, should it be programmed to do so. This method does nothing to protect your files from being accessed through a Trojan, either.
When it comes to protection against viruses, isolation from your PC is important. The more isolated your backup is from your PC, the lower the chance that malware will be able to access the backup and harm it. With this in mind, there are a few backup options that stand out from the rest.
External Hard Drives
An external hard drive, or a thumb drive (if the size of the files you need to back up is small enough), is a simple way to create a backup so long as the external hard drive is not actively connected to a PC. External hard drives provide fast transfer speeds, reducing the time required to transfer data, and can store huge volumes of information. Many external hard drives are now large enough to replicate all of the data on an internal hard drive, which makes recovery as painless as possible.
The main problem with an external hard drive is its plug-and-play nature. Plugging an external drive into a computer instantly creates a connection, which can then be used to transfer malware to the drive. If you use an external drive for your backup, you should run a malware scan on your PC before connecting it.
Although considered today as an old-fashioned method of data backup, CD and DVD-ROM discs remain one of the most secure backup options. If you create a disc as read-only, it will not be possible for anyone to write additional data to the disc in the future, which prevents malware from entering the disc without your knowledge. Of course, you’ll have to make a new disc every time you create a backup, but CD/DVD-ROM discs can be bought in packs of 100 for $20 at most electronics stores.
Storage capacity is the limitation of this choice. A standard CD can store about 650 megabytes of data, while a DVD tops out at nearly 5 gigabytes. Blu-Ray, the latest common format, can store up to 50 gigabytes on a dual-layer disc, but individual BD-R DL discs are between $10 and $20.
In the last few years a number of online backup services, such as Carbonite and Mozy, have appeared. Even online sync services, like Dropbox (/pages/download-using-the-magic-pocket-a-dropbox-guide) can be used for online backup. These services offer a secure off-site location for data storage. This provides a high degree of data security, as there is little chance of this information being attacked automatically by a malware infection.
On the other hand, online backup services are vulnerable to attack via a keylogger or Trojan. Anyone who discovers your username and password will be able to access your data. Virtually all online backup services can restore deleted data for a limited amount of time, so it’s unlikely that someone will be able to permanently destroy your files. However, they may be able to retrieve your files and read them.
The cost of online backup can add up over time. Carbonite’s backup plans go for $54.95 a year, while Dropbox charges $10 a month for just 50 gigabytes of storage.
Personally, I recommend a two-part strategy combining an external hard drive OR an online backup service with DVD-ROM discs. The DVD-ROM discs don’t have to carry all of your information – just the stuff you really could not afford to lose, such as business records. If you’re considering a hard drive, check out our Makeuseof.com article “4 Things You Need to Know When Buying a New Hard Drive.”
7.3 Securing Files with Encryption
Another safeguard that can be used to back up and protect data is encryption. Encryption is the process of scrambling a file with the use of a specific algorithm. Once scrambled, the file is unreadable unless it is decrypted by entering the proper password. Encrypted files can be deleted, but they can’t be read. In most cases they’re secure even if they are transferred from your PC to the PC of a third party.
Encryption may or may not protect your information from a malware attack. Many malware attacks that do damage to the files on a PC attack files of certain formats. Malware might replace the contents of all Word documents with the sentence “You’ve been hacked!!!”, for example. If the files are encrypted, this sort of modification is not possible. On the other hand, encryption doesn’t prevent the files from being deleted completely.
If an external hard drive is a backup against data loss, encryption is a backup against data theft. It isn’t particularly hard to implement, either. Windows 7 Ultimate comes with a built-in encryption feature called BitLocker, and anyone can download and install TrueCrypt, an extremely strong freeware encryption program.
Not everyone needs to encrypt their files. My grandmother, for example, does nothing on her PC but play solitaire and send emails, so she doesn’t need encryption. Encryption is recommended for users who store sensitive data on their PC for long periods of time. For example, it would be a good idea to encrypt past tax records if you keep copies of them on your PC. The information on these files would be very helpful to an identity thief.
7.4 How Often Should I Back Up?
Buying something that can be used for a backup is the first step. The second step is actually backing up data. It’s common for users to do this once and then forget to do it ever again. As a result, the data they recover after a malware attack is no longer relevant, and much is lost.
The frequency with which you should back up depends heavily on how you use your PC. A family PC, which is not used to store important files and rarely contains sensitive information, can make do with a monthly schedule. A home office PC regularly used to handle client information, on the other hand, would benefit from a weekly or even daily backup.
If you’re following the two-part strategy I recommended earlier, regular backups shouldn’t be difficult. Most external hard drives and online backup services come with easy instructions for backing up information that should make the backup process quick and painless. If you have purchased either of these backup solutions, I recommend running backups on a weekly to monthly basis.
Don’t forget to use an optical backup for your most important data, however. This can happen less often – say, once a month or less. In fact, a family computer may only need to do this type of backup on a yearly basis. I find that after tax season is usually best, as families often wrap up the previous year’s accounting once the taxes are finished.
Remember – an out-of-date backup is a useless backup. The schedules recommended here are general. Use your best judgment, and think about what would happen if you lost access to your files. If you’ve saved a new file that you simply can’t lose, it’s time to make a backup. Many a university student will share my thoughts on this one. Nothing is worse than having to redo work lost because of a malware attack.
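To check whether a backup has actually fallen out of date, you can compare it against the folder it is meant to protect. The Python script below is an added example, not part of the original guide; the function names, folder names and the 7-day schedule are assumptions chosen for illustration, and the sample files are constructed.

```python
import filecmp
import os
import tempfile
import time
from pathlib import Path


def audit_backup(source, backup, max_age_days, now=None):
    """List source files the backup does not protect and how long they have
    been exposed. max_age_days is the schedule: 7 for weekly, 30 for monthly."""
    source, backup = Path(source), Path(backup)
    now = time.time() if now is None else now
    missing, changed, exposed_days = [], [], 0.0
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = backup / rel
        if not dst.is_file():
            missing.append(rel.as_posix())
        elif not filecmp.cmp(src, dst, shallow=False):  # byte-for-byte compare
            changed.append(rel.as_posix())
        else:
            continue  # identical copy exists, nothing at risk
        # Age of the oldest edit that exists only on the PC.
        exposed_days = max(exposed_days, (now - src.stat().st_mtime) / 86400)
    return {"missing": missing, "changed": changed,
            "exposed_days": exposed_days,
            "overdue": exposed_days > max_age_days}


def demo():
    """Constructed sample: two documents and a backup that covers neither."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "Documents", root / "Backup"
    src.mkdir()
    bak.mkdir()
    (src / "taxes-2010.txt").write_text("final figures")
    (src / "thesis.txt").write_text("chapter 2 draft")
    (bak / "taxes-2010.txt").write_text("draft figures")  # older version
    now = time.time()
    os.utime(src / "taxes-2010.txt", (now - 2 * 86400,) * 2)  # edited 2 days ago
    os.utime(src / "thesis.txt", (now - 10 * 86400,) * 2)  # edited 10 days ago
    return audit_backup(src, bak, max_age_days=7, now=now)


if __name__ == "__main__":
    print(demo())
```

A file listed as changed is not always a sign of a stale backup: if the PC may be infected, the difference could be the malware’s edit, so look at the file before copying it over the good backup copy.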
Malware happens. If you’re smart about your PC’s security, and a little bit lucky, you won’t ever have to deal with malware taking over your PC or doing damage to your files. If you have been harmed by malware, however, all of the prevention in the world does little. It’s time to instead go into recovery mode – cleaning up after the mess the malware has made.
8.1 Reclaiming Your PC
The payload from a malware attack can vary substantially. Some malware will simply attempt to install a bloatware program or alter a few system settings, while other forms of malware will render a PC completely useless. The degree of damage will, obviously, dictate the response.
If you suspect or know you’ve been hit by malware, but your PC still operates, you can attempt to remove the malware using anti-malware software. Malware will often attempt to block the installation of programs that might remove it, but this is worth a shot. Malware, like PC security, isn’t perfect. Even if it is supposed to respond to attempts to remove it, it may not respond appropriately or may not be able to deal with recently updated anti-malware software.
You can also try to remove the malware manually. This used to be very effective, but it’s becoming more difficult as malware becomes more sophisticated. In order to do this, you’ll need to first discover where the malware is actually located. Anti-malware software might be able to point you to it, or you may be able to find the location by examining the programs running on your PC with a task manager utility. Once you’ve found the offender, delete it. In some cases you may be able to do this easily, but in most situations you will need to boot your system in a diagnostic mode, such as Windows Safe Mode. Even then, manual deletion is often difficult or impossible.
If the damage from the malware attack is more severe, a scorched earth approach is often the best response. Reformat the hard drive, reinstall your operating system, and replace your files from your backup. This can take an hour or two of your time, and is obviously a pain in the butt. With that said, this method of recovery is often quicker than trying to hunt down and delete everything that is infected. It’s also unquestionably more secure. Even if you believe that you’ve managed to remove a malware infection, you can’t be certain that you have done so. It’s all too easy for malware to hide in critical system files or disguise itself as an innocent executable.
8.2 Protecting Your Identity
Of course, some of the security threats outlined in this guide don’t attack your PC at all. Phishing attacks can do quite a bit of damage without ever harming your electronics, and any malware attack that successfully hooks its claws into your PC greatly increases the chance of an unknown party obtaining your personal information.
If you ever find that your computer has been successfully infected by malware, you should quickly reset all of your passwords from a second computer. This includes banking portals, email accounts, social networking sites, etc. It isn’t difficult for malware to log this sort of data while you are typing it in, and you shouldn’t underestimate what a person can do with these accounts. Losing control of a social media account, for example, can damage your personal relationships or put friends and family at risk, as your account may be used to spread the malware.
Having completed this, the next step is to put out a credit fraud alert. The three major credit agencies, Equifax, Experian and TransUnion, can place a security alert or freeze on your credit report. This step will prevent others from obtaining your credit report, which will stop most attempts to obtain credit through your name. It is also wise to speak with the fraud prevention department of any credit card you’ve used online before. Many credit card companies provide a similar service that will prevent the usage of your card for a limited period of time. Contact your bank if your debit card is involved.
Finally, contact the Social Security Administration if you believe your SSN may have been compromised. Please note that these examples hold for my country of residence, the United States. Readers from other nations will need to contact their nation’s organizations.
If identity theft does occur, you need to act as quickly as possible. Contact the appropriate company or bank and ask to speak to fraud prevention. Let them know that unauthorized activity has occurred, and be sure to ask for a written copy of correspondence. You don’t want to be denied fraud protection because the first person you spoke to forgot to log your conversation.
It’s also important to file a police report if identity theft does occur. It is unlikely that the police will be able to catch the perpetrator, or even try, but filing a police report will make it easier to have the fraudulent charges taken off your credit report or card. Although most police departments are receptive to the filing of a police report, you may sometimes find one that doesn’t seem to think this is important. If that happens, contact a different law enforcement agency in your area. If you started by contacting the city police, for example, try contacting the county police instead.
8.3 Preventing Future Problems
Once you’ve deleted the malware or reinstalled your operating system, and you’ve done your due diligence in regards to securing your personal information, the next step is ensuring that you don’t have to face the issue again.
Typically, this is a simple matter of identifying areas where your PC security could use some beefing up and fixing them. Hopefully, this guide will have given you a good idea about what you need to protect your PC. Here is a quick checklist to remind you.
1. Install anti-malware software
2. Install a firewall
3. Install anti-phishing software
4. Install a network monitor
5. Update all software, including your operating system, to its latest version
6. Create a backup of your important data
Of course, you may have been infected by malware without having made a mistake. You may simply have been targeted by the right malware at the wrong time, or you may have been hit directly by a clever hacker. This doesn’t mean that prevention is useless, however – it just means you were previously unlucky.
9.1 A Summary of the Issues
We’ve touched on a lot of information in this guide. We’ve talked about malware threats, scams, the anti-malware software you need, freeware alternatives, and more. This is a lot of information to digest at once, but there are three points I’d like to reinforce.
1. It is important to protect your PC’s security. As I’ve stated previously, there remains a contingent of users who remain convinced that using “common sense” will adequately protect a PC. That’s simply not the case. It is possible for a malware threat to attack a PC without the user’s action, and some of the deception used in phishing scams is extremely difficult to detect.
2. It’s impossible to protect a PC against all security threats all of the time. Using anti-malware software, firewalls and other protection only reduces the chance of a problem. Full immunity isn’t possible. This is why it’s important to keep a current backup of important data.
3. You don’t have to spend anything on PC security software, but securing your PC is usually easier with a high-quality paid product. (Note: Not all paid PC security software is worth the money. Be sure to read reviews before buying.) If you’re an average user, the array of security software available may bewilder you. Make sure that you understand whatever solution you download or purchase.
It would be great to live in a world where PC security was simple. That’s not reality, however, and the issues surrounding PC security are likely to grow more complex. As time goes on, the techniques used by those who want to place malware on your PC will become more complex. This doesn’t mean that you should be scared, but it does mean that you should keep up to date with current PC security trends and (once again) keep a current backup of important data.
9.2 A Note About Mobile Threats
This guide concerns PC security. For now, PCs are broadly identified as desktops, laptops and netbooks. However, new devices like the iPhone and Android smartphones are changing the way that we look at PC security. So far, there have been only a handful of security threats targeted at these devices, but it appears as if there is room for these devices to be exploited, and considering their popularity, it’s likely just a matter of time before they become a common malware target.
Threats on these devices can also be a threat to your PC, assuming that you, like most people, at some point connect your device to your PC. Research into the protection of mobile devices is still in its infancy, and while there are some anti-malware programs available, their usefulness isn’t fully known. In any case, it’s wise to treat these devices with the care that you would treat a PC. Did you receive an unexpected email from your bank? Leave it alone until you can view it with your anti-phishing-equipped PC. Refrain from downloading unknown files and visiting websites you’re unfamiliar with, as well.
9.3 Additional Reading
- 2 Apps To Easily Create Network Firewall Rules For Ubuntu
- 2 Free Antivirus Programs For Mac OS X
- 3 Free Firewalls For Windows
- 3 Smart Tips To Keep Your PC Secure When Downloading Files Online
- 3 Tools to Test Run Your Antivirus/Spyware Program
- 4 Elements Of Computer Security That Antivirus Apps Don’t Protect
- 7 Essential Security Downloads You MUST Have Installed
- 7 Top Firewall Programs To Consider For Your Computer’s Safety
- 10 Must Downloaded Free Security AND PC Care Programs
- BitDefender Rescue CD Removes Viruses When All Else Fails
- Manage The Windows Firewall Better With Windows 7 Firewall Control
- Public Computers Made Safe – Security Tools and Tips
Guide Published: April 2011