Antivirus, Security, and Protecting yourself online - last updated July 2012
General
There used to be a day when getting a virus, malware, scareware, or the like came from visiting a "dirty" site. We used to joke with people about it.
Well, that day is gone. It was gone about 4-5 years ago. Today there are many threats, most of them behind the scenes. The days of a virus being something that redirects you to porn sites and makes your computer play funny noises are over. It is now a multi-million (by some estimates billion) dollar industry that is largely run from overseas.
They don't want to force you to look at porn anymore. They want to scare you into paying for bogus products, steal your identity, steal your credit card numbers, and gain access into your banking account.
To do this they sit quietly on your computer. They stopped giving you bizarre popups; it doesn't do them much good. They'd rather record your keystrokes quietly and send them back home, or pop up a window that looks like an antivirus program and claim that for $200 they'll remove all the viruses from your computer.
Furthermore, you can be hit by a virus while browsing a legitimate site that serves ads. Ad networks, Google's included, are regularly abused to deliver malicious Flash files, image files, and scripts (this is called malvertising). Legitimate sites (CNN, Washington Post, etc.) can infect you if someone compromises their ad provider, and you don't have to click the ad: the browser loads it for you.
You're a fool if you think you can 'smartly' use a computer without getting a virus these days. Don't be a fool.
The internet is the new wild wild west. Do not underestimate it.
Updates
The first and best step is to keep your computer up to date. Every piece of software you install (on top of your operating system) becomes a possible attack vector. The most commonly exploited pieces of software include:
- Java Runtime Environment
- Adobe Reader/Adobe Acrobat
- Adobe Flash Player
These have regular patch cycles - normally quarterly releases and emergency patches here and there to address zero-day flaws as they are exposed.
These pieces of software account for 99.9% of the viruses I've had to remove in the last 6 years. So, tip #1 is to keep these pieces of software up to date. Every one of them has an automatic update setting - enable it! And when you get that pestering pop-up, just do the install then and there. Of course it's annoying, and of course you have better things to do. The longer you wait, the more likely you are to get infected. Just run the update and be done with it. One caveat: make sure the prompt is genuine. The scareware described above imitates exactly these update and "your computer is infected" prompts. Update from inside the program's own menu or from the vendor's site, never from a pop-up that appears inside a web page.
By the same token you must keep your OS up to date. I don't care what Linux distro, Windows version, or Apple product you're using. If there is an update available there's a good chance it closes a security hole - install it. Yes, there are updates that break things every now and again; you have to pick and choose what is important to you.
Anti Virus
Today there are many free antivirus programs, including Microsoft Security Essentials, Panda Cloud, AVG, Avast, and many more. There is no need to pay for antivirus anymore. Please don't.
I look for two things in an antivirus client:
- It effectively blocks viruses. I don't care whether it removes them; I want it to stop them from the start.
- It is not intrusive to my day-to-day activities.
By those standards I currently think Microsoft Security Essentials ( http://www.microsoft.com/security/pc-security/mse.aspx ) is the best for the Windows client.
A close second is Panda Cloud Antivirus ( http://www.cloudantivirus.com ). Panda is my favorite for business clients, and I've enjoyed their cloud product.
I do not like Avast or AVG - I feel they are bloated. That said, there are others who love them. Don't be afraid to try one; if you don't like it just remove it. That's the beauty of them being free!
Mac users - Panda Cloud Antivirus is the only one I've ever used. I recommend it, but it's not because I have a lot of experience with Mac antivirus clients.
Side note: Yes, you need antivirus if you run a Mac. To think otherwise is extremely foolish. I'll leave it at that. I will, under no circumstance, entertain the idea of arguing otherwise.
Linux users - I don't have a recommendation for you. There are tons of free solutions, and depending on your distro it may be built into your OS. I run a few different Virtual Machines with Linux on them for doing super awesome programming (LISP > * btw), but I don't have any experience with the AV software. If you're using Linux then odds are you are already aware of most of the information in this post.
If someone feels like contributing to the Linux AV section add it. I'll link to your post here.
UAC and Local Admin Accounts
(note: this section applies to Windows Vista and Windows 7 (and likely Windows 8))
Is the UAC annoying to you?
I bet it is. I bet you've looked for ways to disable it.
DO NOT DISABLE IT.
Malware runs with whatever rights the account that launched it has. If that account is an administrator and UAC is off, the program gets full control of the machine without ever asking: it can install drivers, turn off your antivirus, and bury itself in system folders where you will never find it. With UAC on, anything that wants those rights has to prompt you first, and that prompt is your warning...
So. The first thing is to keep UAC enabled. Look, as part of my job I log in and out of things probably somewhere around a thousand times a day with somewhere between 20-30 different user names and probably between 30-50 different passwords.
I know how annoying logging into things is.
You have to pick security or laziness. If you're interested in security you need to at least enable the UAC.
Second, your everyday account should not be an administrator. This way you have to type in a separate username and password to do administrative tasks. It makes you think twice before you do things and, more importantly, keeps malware that runs under your everyday account from getting administrative rights without you knowing about it. Note that malware can still run with your normal rights (and read your files or log your keystrokes), so this limits the damage; it does not replace the antivirus and updates above.
The easiest way to do it is to have a user account, say: mike
and then set up an administrative account for you to use and just call it: !mike
If you need help enabling your UAC and setting up a user account, just ask.
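The check that goes with the two steps above, as an added example (not part of the original post): it reads the three registry values Windows keeps for UAC and reports whether UAC is really on, including the case where it is "on" but set to Never notify, which prompts for nothing and is as good as off; and it reports whether the account you are using already has admin rights. The registry path and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and the IsUserAnAdmin call are the real Windows ones; the verdict wording and the defaults assumed for missing values are mine. The registry and admin checks only run on Windows; on anything else they return None.

```python
"""Is UAC really on, and am I running as an administrator?"""
import sys

# Real registry key where Windows stores the UAC policy values.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def uac_verdict(enable_lua, consent_prompt_behavior_admin, prompt_on_secure_desktop):
    """Turn the three UAC registry values into a plain-language verdict.

    enable_lua == 0: UAC is off entirely (the classic "disable UAC" tweak).
    consent_prompt_behavior_admin == 0: administrators elevate silently with
        no prompt; this is what the "Never notify" slider position sets, so
        UAC is nominally on but never warns you.
    prompt_on_secure_desktop == 0: the prompt appears on the normal desktop,
        where other programs can draw over it or click it for you.
    """
    if enable_lua == 0:
        return "UAC is disabled: programs get admin rights without asking"
    if consent_prompt_behavior_admin == 0:
        return "UAC is set to never notify: elevation happens silently"
    if prompt_on_secure_desktop == 0:
        return "UAC is on but prompts on the normal desktop: turn the secure desktop back on"
    return "UAC is on and prompting on the secure desktop"


def read_uac_settings():
    """Read the live values on Windows; returns None on other systems."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        def value(name, default):
            # Assumed defaults match a stock Vista/7 install when the value is absent.
            try:
                return winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                return default
        return (value("EnableLUA", 1),
                value("ConsentPromptBehaviorAdmin", 5),
                value("PromptOnSecureDesktop", 1))


def running_as_admin():
    """True if this process already holds admin rights, i.e. every program you
    launch from this account gets them too. Returns None off Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


if __name__ == "__main__":
    settings = read_uac_settings()
    if settings is None:
        print("Not Windows; nothing to check here")
    else:
        print(uac_verdict(*settings))
        print("Running with admin rights:", running_as_admin())
```

If the second line prints True for the account you use all day, that is the account to demote. Creating the split is a one-off job in Control Panel > User Accounts, or from an elevated command prompt: net user mike /add, then net user !mike * /add (the * makes it prompt for the password) and net localgroup Administrators !mike /add, after which mike is removed from the Administrators group.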
Shopping
I don't care what protections your bank promises you. I don't care how long you've been with them. I don't care how you feel about 'credit'.
Using a debit/ATM card to make purchases online is one of the most dangerous things you can do while using a computer.
You don't even have to be on a compromised computer anymore. Something upstream (at the merchant, at the ISP, at the bank, at the telephone pole) can be compromised. It's beyond your control.
If you use a card that directly links to your bank account, then if that card is compromised any money that is stolen is actually taken out of your account. It's gone. It's like someone reached into your pocket and took it out.
Will the bank work with you? Hopefully, depends on who you have.
But your ability to get those funds returned to your account may not be what you think it is. It may take weeks. It may take months. And it is entirely possible that you never see that money again. Worse yet, the entire time your money is gone. Hope it wasn't your savings account, and I hope you have money in another account to pay your bills while you try to recover what was stolen.
I have family, friends, and coworkers who have all experienced this. Again, I don't care what your bank says it will do when it happens; it is what it does when it actually happens that matters. Banks have a funny way of not living up to those commitments. Go figure.
USE A CREDIT CARD OR GIFT CARD FOR ONLINE PURCHASES.
If there is a fraudulent charge your credit card company fights the battle for you. Not a cent is removed from your account. You have much more protection this way, even with crappy credit card companies. You can fight the charges without the money being gone.
As a side note - my family no longer uses debit cards at all. I'm actually close to cutting them up. In the Northern VA/DC/MD area skimmers have become relatively popular at gas stations, ATMs, and other places. It's just not worth the risk. If you can handle managing money I strongly suggest you move past using Debit/ATM cards. They are just incredibly dangerous.
SSL
Know when you're on an encrypted page and when you're not.
http://www.symantec.com/theme.jsp?themeid=how-ssl-works
I can write a book about SSL. The bottom line is you need to know when you're on HTTPS (SSL, now called TLS) and when you're not. The S in HTTPS is one clue; so is the padlock in your browser (where it appears is browser specific). Read up on it using Google searches. Two caveats a lot of people miss: the padlock tells you the connection is encrypted to whoever holds that certificate, not that the site is the one you meant to visit, so check the domain name in the address bar as well; and if your browser warns that a certificate is invalid on a banking or shopping site, stop and do not click through the warning.
DO NOT LOG INTO FINANCIAL WEBSITES THAT DO NOT PROVIDE HTTPS:// AT THE START OF THE ADDRESS
Password Generation
Password generation has become quite the joke over the last few years. Websites and companies keep upping the 'requirements' and the results are terrible. Studies are showing that the more complex we (the IT staff) require your password to be, the less secure it becomes, mainly because you start writing them down because you can't remember them (often in an Excel file on your computer called 'PASSWORDS' ...) and you start using the same password for every site.
So lets get some basic ground rules that will help you out. Yes, it's a pain in the ass to change your passwords. It's a bigger pain in the ass to recover money that was stolen from you or to repair your credit after your identity was stolen.
Take your pick.
Tip 1 - Use a different password for everything. Come up with a scheme that makes sense. Maybe it's something like:
name of my dog + first 5 letters of the website
So, if your dog was named dog, and you have an account at BGO, your password could be:
dogbgobs
Tip 2 - Use numbers in place of letters where you can, and put a symbol in there too; some places require it.
But other places restrict which symbols you can use, so be careful. It's best to use something like !, which you can easily tack on the end. Keep in mind that password-cracking tools try these letter-for-number swaps automatically, so a 0 for an o buys you far less than adding a few more characters does.
So your password is now:
d0gbg0bs!
Those are zeros, not the letter o
Tip 3 - You're better off using two words put together than one complex word. In essence: house + car makes a better password than Remuneration, because length is what drives up the guessing work.
So, now that we know dog isn't enough, lets make it dog and his favorite toy, bone. Maybe we'll put the second word at the end of our 5 letter, site based section. so now our password is:
d0gbg0bsb0n3!
You should have a capital in there, but you now see some basics for how you can form secure passwords.
Tip 4 - Change your passwords on a regular basis. If you stick to tip #1 this isn't nearly as important (thank god!), but if you're not going to stick to tip #1 (which no one does...) then at least change them every 6 months, and change a password right away whenever a site you use announces a breach. Pain in the ass, I know, but again you have the luxury of choosing the outcome here. Once you've been compromised you don't get that luxury anymore.
Conclusion:
Now that you have a little site-based part in it, you can easily have a different password anywhere. Say you have an account at redskins.com.
Now you have a second password:
d0gr3dskb0n3!
Two different passwords, yet you only need to remember the scheme and look at the site name to figure them out. You've added a little extra layer of security to your online use.
One warning: the site-based part is also the scheme's weak spot. If one of these passwords leaks (sites lose their password databases regularly), anyone who looks at it can see the pattern and work out your password everywhere else. A password manager that generates and remembers a random password for each site removes that problem, and it is the better tool if you can stand to use one.
The bottom line is that companies, websites, banks, etc. all dropped the ball on this big time and our current structure of username + password for everything has left us in this terrible situation. I apologize on behalf of all IT related people out there. Until there is a better system (trust me, they are working on it) do the best with what we have.
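The scheme from the password tips and conclusion above, written out next to a random password so the trade-off is visible. This is an added example, not part of the original post: scheme_password follows the post's own rules (pet name, 0 for o and 3 for e, first five letters of the site, toy name, trailing !), and reproduces both passwords the post shows; derive_from_leak, random_password and entropy_bits are my additions that show what an attacker does with one leaked scheme password and what a password-manager style random password gives you instead. The site names and pet/toy words are the post's; the assumption that an attacker recognises the pattern is mine.

```python
"""The post's site-based password scheme versus a random password."""
import math
import secrets
import string

# The two substitutions the post uses (assumed to be the only ones).
LEET = str.maketrans({"o": "0", "e": "3"})


def site_fragment(site):
    """First five letters of the site name, ignoring a leading www. and the TLD."""
    name = site.lower()
    if name.startswith("www."):
        name = name[4:]
    return name.split(".")[0][:5]


def scheme_password(site, pet="dog", toy="bone"):
    """Build a password exactly the way the post describes."""
    return (pet + site_fragment(site) + toy).translate(LEET) + "!"


def derive_from_leak(leaked_password, leaked_site, target_site):
    """What an attacker does once one scheme password leaks: swap the site
    fragment for the target site's. Assumes the attacker has spotted the
    pattern, which is easy when the site name sits in the middle of the
    password. Returns None if the leaked password does not contain the
    fragment expected for leaked_site."""
    old = site_fragment(leaked_site).translate(LEET)
    new = site_fragment(target_site).translate(LEET)
    if old not in leaked_password:
        return None
    return leaked_password.replace(old, new, 1)


# 94 printable ASCII symbols: letters, digits and punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_password(length=16, alphabet=PRINTABLE):
    """Draw each character from the OS CSPRNG; this is the kind of password a
    password manager generates and remembers for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of guessing work for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    leaked = scheme_password("bgobs")
    print("scheme password for bgobs:  ", leaked)
    print("attacker derives redskins:  ", derive_from_leak(leaked, "bgobs", "redskins"))
    print("random 16-char password:    ", random_password())
    print("its entropy:                 %.0f bits" % entropy_bits(16, len(PRINTABLE)))
```

Running it prints d0gbg0bsb0n3! for bgobs and then d0gr3dskb0n3! for redskins.com, derived from the first one alone; the random 16-character password has about 105 bits of entropy and no relationship to any other password you own.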