Print
Mark. Sucker. Victim. Yeah, that’s you viewed through the monitor of a cybercrook sitting somewhere in A-holevania or Trashcanistan.
Call us cynical or hard-edged, but we frankly believe that the world is filled with hustlers, grifters, and crooks out to bamboozle us at every turn.
Those suspicions are doubled for our digital lives. For no longer do bunko artists need to trick you into buying that iPad box with a brick in it. Today, they can rip you off by auto pilot. With the deadliness and stealth of a UAV, these scumbags can steal your banking credentials, clone your debit card, or infect your computer.
Scared yet? Good. Fear is one of best motivators to getting people off of their lazy butts. It’s not all about fear, though. It’s also about information. Knowledge that can empower you and help you mount an effective defense against the multipronged attacks we all face today. Do you know how to thoroughly fortify your PC and network against enemy infiltration? How about your smartphone? Can you spot an ATM skimmer? What other potential threats should you be aware of? We’ll give you all of the deets, along with the opinions of two security experts.
Don’t worry about being too paranoid. From what we learned in the course of writing this story, there’s really no such thing as being overly vigilant when it comes to your digital security.
Installing strong, up-to-date security software is a given. But it takes much more than that to defend the epicenter of your digital life.
Could real people actually be as clueless as some of those characters we see in movies? Sadly, you need no more evidence of that cliché than the average computer user. Even though he or she knows that an OS update is as critical as, say, nailing boards over your windows in a zombie apocalypse, many choose to ignore the updates until something crawls in and eats their brains.
The most basic security step PC users should take—regardless of OS—is to install the latest updates. Yes, we know, it can be teeth-gritting—especially when the updates are larger than the original OS—but it’s necessary for patching holes being used by attackers to squeeze into your PC. \
Windows XP was a great operating system but it’s now pushing 10 years old and it’s a popular target for attacks. Why? It’s not as secure as its replacements. It’s also where the money is—literally—with 51 percent of computers on the planet running it. Many attacks specifically target XP and ignore Windows Vista and Windows 7 completely. Unless you like to wrench on your OS all day, we recommend that you give XP the retirement it has earned.
Even Microsoft haters have to admit the company has done an admirable job patching its operating systems in a reasonable amount of time. Because of this, many of the weak spots on a PC aren’t even the OS anymore, but rather the third-party applications. While Microsoft will patch its own products in Windows Update, it doesn’t do squat about anything else. With literally dozens of apps to check for updates every week, you can see where the problem lies. That’s why we run Secunia’s PSI Scanner (www.secunia.com). The free app runs in the background and checks your installed apps and plugins for available updates and then gives you a link of where to download the patch. The latest beta version will actually install some of the updates for you. The company also offers an online scanner but we don’t recommend it because it runs in Java.
Secunia’s free PSI app will monitor the dozens of applications installed on your machine for available security patches.
When a massive malware outbreak occurs, you can almost always expect to see these five shifty guys in the police lineup: Flash, Acrobat/Reader, QuickTime, Java, and JavaScript.
Normally we’d say just execute ’em, but it doesn’t always work that way. Yes, if you can, simply uninstall these offenders (save JavaScript), but if you must have them, there is a way to at least mitigate some of the damage.
Start by disabling Acrobat/Reader in your browser. In Firefox, go to Tools, then Add-ons, then Plugins, and disable the Acrobat plugin. While you’re there, you should also probably disable QuickTime, Java, and even the DivX Web Player if you want to be extra cautious.
Disabling plugins for Acrobat, QuickTime, and other media players can mitigate some of the damage from new zero-day exploits.
To disable these plugins in Chrome, go to Options, Under the Hood, Content Settings, Plugins, and select “Disable individual plugins.”
Now, go into the Acrobat app, go to Edit, Preferences, Trust Manager, and uncheck “Allow opening of non-PDF file attachments with external applications.” While you’re in Preferences, click the JavaScript option and uncheck “Enable Acrobat JavaScript.” Also click on Internet and uncheck “Display PDF in browser.” Or just dump the whole thing for Foxit Reader (www.foxitsoftware.com).
For QuickTime, start the player, dig into Edit, Preferences, QuickTime Preferences, Browser, and uncheck “Play movies automatically.”
To mitigate the damages from Adobe Flash, consider running the FlashBlock extension in Firefox and Chrome. This will prevent Flash from being displayed on a page. In its place will be a place holder that, when clicked, will play the Flash content.
Disabling JavaScript unilaterally can be problematic, as it breaks many sites. Still, for the paranoid, there is a way. The NoScript extension for Firefox is the leading contender. Chrome has no such extension, but you can go to Tools, then Options, then Content Settings, then JavaScript, and select “Do not allow any site to run JavaScript.” This will place a small icon in the address bar that will let only your favorite sites run JavaScript. Disabling JavaScript in Chrome can be wonky, but it’s worth investigating if you want to avoid one of the primary ways crooks are targeting you.
Since the vast majority of attacks are coming from the browser, one of the safest ways to surf the web is from a virtualized browser or a virtual machine. Dell offers its free KACE browser (www.kace.com), which virtualizes Firefox 3.6 along with Adobe Reader and Flash. Malware that exploits holes in Firefox, Reader, or Flash would be contained within the virtual machine. The bad news? If you do get an infection and need to flush the virtual Firefox, you lose all of your settings. That includes the numerous updates to Firefox that come out seemingly every month and any bookmarks and plugins you installed. An alternative is to build a virtual machine using either Virtual PC 2007 (www.microsoft.com) or VM Ware Player (www.vmware.com). Both are free, and both Microsoft and VM Ware offer free images that include browsers. Microsoft offers Vista and XP with IE8 installed and VM Ware offers Ubuntu with Firefox installed. Of the three options, VM Ware’s is the most solid but folks not used to Linux might be thrown for a loop. Microsoft’s images time out after three months, so you’ll have to download it again.
Do you really know if that file is truly untainted? Many malware writers are specifically crafting wares to avoid detection by antivirus suites. If you have a file that you need to run, we recommend that you incubate it for a few days or a few weeks if possible. This gives security software a chance to catch up to any new exploit. We then recommend that you get a second opinion from Virustotal.com. This website lets you upload a file to be scanned by two dozen AV engines. Just remember that malware writers are also using tools such as Virustotal.com to see if their wares can pass muster, so long incubations are key.
Shortened URLs can conveniently turn unwieldy web address into bite-size morsels, but they can also disguise a link to a malware-ridden site. Though many of the URL shortening services check for malicious websites, it’s usually better to verify a shortened URL’s destination. For that, we use Longurlplease.com. It supports 81 shortening services. As for cryptic shortened URLs, visit Virustotal.com to have the address checked by six URL analysis engines.
Although many URL shortening services claim to scan for malware, it’s probably best to lengthen those URLs before you click on them, using Longurlplease.com.
Running as an administrator in a Windows OS is a bit like giving someone the right to walk into your home and rummage through every nook and cranny. One easy way to avoid or greatly limit damage from malware is to always run with standard user rights. As with all things, this is no guarantee against harm. Some malware, even when executed in a standard user account, can grant itself administrator privileges and still run rampant through your PC, but running as a standard user minimizes risk.
Running in standard user mode in a Windows OS has proven to be useful in beating back malware attacks.
That Windows is the number one target for cybercrime and mischief is not news to any of us—naturally, owning 95 percent of the market makes it an obvious target. That’s why we agree with security journalist Brian Krebs (http://krebsonsecurity.com) that members of the most at-risk group should do online banking with a Linux Live CD. You can do your gaming and other Windows-based computing booted from your hard drive. But once you have to go into secure mode, whip out your Live CD and boot to it. Numerous Linux builds are available, but the most popular, and among the easiest, is Ubuntu.
So, you’ve created this incredibly secure moat, ringed with razor wire, claymores, and mines. And then you let your 14-year-old nephew play some Flash games or “check email.” Right. The best solution is to have visitors use a separate, secured guest PC. But if they must use your machine, make sure you have the guest account activated. Another option is to have them use a virtual machine. Once they’re done, simply shut down the VM and erase any trace of their activities. Or have them use your HTPC, where they’re working in the open instead of being left alone in your office.
Kensington’s new ClickSafe key lock makes it an easy one-step process to secure your laptop from snatch-and-grabs.
Obviously, all the same security risks and safety recommendations that apply to your desktop computer also apply to your laptop. But your laptop carries the added risk of being stolen. And let’s face it: If you haven’t encrypted all your sensitive data or been diligent about backups, the loss of your laptop could be mighty painful. One way to prevent the potentially dire consequences is to use a laptop lock.
The vast majority of notebooks have a slot to accommodate a physical locking mechanism—it’s usually designated by a padlock icon. The lock itself is attached to a reinforced cable which cannot be easily cut without the aid of a large and very noticeable set of bolt cutters. The cable is either bolted to the floor—in your office at work, for instance—or looped around a substantial or immovable object. Kensington is one of the biggest names in cable-lock makers, and offers both combination and key locks, priced at $25 and $50, respectively.
You think you’re immune to harm because you don’t go to piracy or porn sites, right? But putting all your faith in Goody Two Shoes browsing is like whistling past a graveyard. Like commercial fishermen, crooks are casting bigger nets to catch as many fish as possible. Here’s how they do it.
1. Crooks discover a new zero-day exploit using Adobe Flash, Adobe Reader, Oracle Java, Apple QuickTime, JavaScript, or the browser itself.
2. The crooks then hack into an advertising server or a web page to place the code. In some cases, the crooks masquerade as legit advertisers and buy time on mainstream websites. These ads, in turn, are actually hosted by the crooks’ servers to keep the company running the ads from knowing they’re tainted.
3. Users browsing the legitimate website receive the bad Flash or JavaScript, which then secretly installs a trojan on their PC.
4. The trojan then contacts another server that is controlled by the crooks and receives instructions on what to do.
Comments are closed on this article
mseyf
January 20, 2011 at 3:54pm
An article touting the insecurity of shortened URLs using shortened URLs.
ShyLinuxGuy
January 18, 2011 at 6:52pm
Firefox users: use BetterPrivacy to remove LSO cookies. LSOs can be a potential breach of privacy.
Internet Explorer users: use Firefox.
As far as webmail, as much as I like Gmail as a webmail provider, I am not liking the possibility of Google correlating searches with your mail/your name. That is why I thought about switching to another webmail provider. I'm enjoying GMX Mail (gmx.com), and I like it even better than Gmail. Think about that one when you do your next Google search while having a Gmail account too. (Same with Yahoo/Yahoo Mail, Bing/Hotmail, etc). I am not sure if search engines do this, but they have not mentioned anything about this, so be cautious, and use a webmail provider different from your search engine, if possible.
Google DNS--Great and fast, but could be a breach of privacy. So I now use OpenDNS on the router, so Google doesn't learn about me through search and Web activities.
Also, I have seen SO MANY XP installations with the Administrator account accessible from Safe Mode and through other means. Not good. Get into Safe Mode, and add a password for that Administrator account. Ubuntu also has this problem with the root account having no password until recently: make sure to create a root password. I'm not sure if Vista/7 has this issue (probably not; I'd have to check).
Backups with sensitive information can be protected by placing a zip file (containing the backups) inside another zip file, which is password protected. While not secure from persons knowledgeable with cracking passwords, this will prevent someone less knowledgeable from gaining access to your backups. Truecrypt should be an option if you're worried about someone cracking passwords, because it can encrypt a CD/DVD backup. I haven't used it yet, but I'll have to try it.
I'm AMAZED of how many people have unencrypted external hard drives! They should be encrypted.
