http://LauverSystems.com/

Security

An effective way to deal with predators is to taste terrible.
 

"A truly secure computer is one that has never been turned on."

When computers evolved from smart typewriters, they were just a better way to manage redundant technical work.  Then someone thought of connecting them, and the Internet was born for lofty academic and business pursuits.  But it wasn't long before it became a playground where, predictably, some people don't play well with others.

ThreatPost - Kaspersky Security News Google - Daily DDoS Attack Map Norse Corp - Cyber Attack Map SecureList - APT Targeted Cyber Attacks Logbook
Internet Storm Center Infocon Status

Today, the Internet is a vast trove of information, entertainment, products, and services; but it should be approached as a busy public thoroughfare, with caution and vigilance, not carelessly as a child's playground, because there are vipers in its midst.

Get your shields up and stay protected with system and application updates, strong security software, basic precautions and tests, and "street smarts" on the web.

For the updates mentioned below, you need a live Internet connection.
 

OS updates

Whether you're running the Windows, MAC, or other Operating System, make sure that its Automatic Updates feature is always turned on.  Manufacturers regularly issue patches for security vulnerabilities.

Up to Windows 7:  right click Computer > Properties > Windows Updates (> Settings) > Automatic > enable all appropriate settings > click OK.

Periodically check the update page on the OS manufacturer's website, in case you missed any.  To manually start it in Windows:  click Start > Programs > Accessories > System Tools > Windows Update.

In Windows 10 (yes, we're snubbing W8.x), access all update features by opening the Action Center (right-most icon in the system notification area) > All Settings > Update & Security > Windows Update.

 

Security software

Anti-virus software alone is no longer enough.  Install a full security suite from a major brand, such as Bitdefender, Kaspersky, Avira, Norton, Avast, NOD32, AVG, McAfee, or Trend Micro.

A full suite includes protection from data theft, phishing sites, spam e-mail, trojans, viruses, worms, and unauthorized system changes, firewall protection against intrusion over wired and wireless networks, cleanup of usage tracks and temporary files, real time and scheduled system scans, parental controls, and automatic updates.

Use only one security suite.  If two are running, they will obstruct each other and may cause system or network conflicts.  If you're using a patchwork of firewall, antivirus, antispy, antiphish, etc from various vendors, run only one of each kind.

Full security suites update themselves automatically by default.  Make sure this is turned on.  Updates typically occur daily.  Also, a full suite checks media, such as floppy and optical disks and USB drives, as soon as they are mounted; so make sure this feature is turned on as well.

Free security software, such as AVG anti-virus, is certainly better than nothing, especially with judicious use of the rest of these tips.  There are also system scanners such as Safer Networking SpyBot Search & Destroy.  Do what you can, but remember that you usually get what you pay for.

For a quick and safe test of your antivirus software, you can download an EICAR test fileThis is not a virus.  It was developed by antivirus vendors and the European Institute of Computer Anti-virus Research (EICAR) to test antivirus software.

As soon as this file lands on your hard drive, your security software should instantly react to it as a virus (such as deleting it or placing it in quarantine).

Never attempt to test with a real virus!  This is like setting your house on fire to test your fire alarm.

Note that some anti-virus software may lock the file in place to prevent access, and you may not be able to delete it.  Check your manual first, and don't download the EICAR test file where it could be permanently in your way, such as on the desktop.
 

Internet browsers

Make sure you're using the latest version (they're free) of a major brand browser, such as Google's Chrome, Mozilla's Firefox, Microsoft's Edge or Internet Explorer, Opera, or Apple's Safari.  The next few steps take place in your browser.

Generally speaking, you should set the browser's security for the Internet to the "Medium" or "Medium High" default settings.  On the browser's main toolbar, click Tools > (Internet) Options > Security tab.  Then look for Default settings.

Check the browser's options or security settings for an anti-phishing or anti-forgery feature and turn it on.  On the browser's main toolbar, click Tools.  If the feature isn't on this dropdown menu, continue to Options > Security tab.

Most users don't need Java (not the same as JavaScript); so if it's installed and you don't know why you need it, disable it.  Disabling JavaScript in the browser provides more security, but disables many useful features on legitimate websites.  Other security measures are more effective.

Most browsers can display a "status bar" at the bottom of the browser window.  If it's turned off, the browser can display one extra line of text; however, the status bar can display several kinds of useful information, including the actual destination of links on a web page (more about this later).  On the browser's main toolbar, click View, and turn on the Status Bar.
 

Software updates

Check important software which you use often for a manual or automatic update feature - usually found in Help > About.  If it doesn't have one, check the company's website.   Manufacturers regularly issue free updates for improved functionality and security.
 

Familiarity

Make a point of familiarizing yourself with the normal appearance and behavior of windows, message boxes, and other features of your operating system and applications.  Take note of formats, coloration, logos, etc.  Typically, designers style these items consistently for brand recognition.  OK, you knew that.

This helps you recognize when your system or programs are presenting legitimate windows and messages, and it can also help you recognize when malware is at work because it just doesn't look right.  Here's an example:

Mom and Dad bought a new computer.  We recommended installing a full Internet security suite from an excellent company.  They decided to install just the antivirus component (no network or other security) to save $30 per year.  To save time, they had only the original administrator account and didn't protect this account or the security software with passwords.  Administrator accounts have total authority over the computer, including the authority to install software.

They went on vacation for a week, leaving their teenage son Home Alone with the computer.  Through either social networking or other surfing, a program called "Personal Antivirus" (PAV) was downloaded to the computer and attempted to install.

PAV is malware which pretends to be security software:  the initial infector boldly and continuously announces that your computer is badly infected with other malware, and demands that you buy the full version of PAV to correct it.  If you buy it, it makes a much worse mess of your system, and also provides the scammer with your credit card number.  The point is PAV's sophomoric messages and belligerent behavior looked nothing like those of the legitimate antivirus software installed on the computer.

When PAV attempted to install, the real antivirus halted the installation, posted a message that it had stopped a potentially dangerous program, and offered options to permit or deny installation.  Having no familiarity with the real antivirus, the son instructed it to permit the installation and to make the new malware "trusted."

Mom and Dad returned to find those annoying messages from PAV, decided the legitimate antivirus was no good, and took the computer to a dealer to disinfect it (and likely replace an excellent antivirus with something less).  The simple solution:  open the real antivirus and delete the "trusted" entry for the malware; then when the antivirus prompts to remove the malware, make it so.

The bottom line:  lack of familiarity, combined with an at-risk configuration and a $30 savings, cost them about $100 and two to four days' time.

——————

System barriers

Make sure the Guest account on your computer is disabled.  It isn't possible to assign it a password and, while it has little authority, it provides an entry point from which a hacker can escalate his privileges on your system.  Open Computer > Control Panel > User Accounts > Change An Account > Guest > Turn Off the Guest Account.  This account is disabled by default in Windows Vista and above.

If you want to allow someone else to use your computer, create a separate Standard account for his/her use.  In fact, create one for yourself for surfing the Internet; if you encounter malware, it won't immediately have Administrator authority over your computer.  Modern Windows systems (XP and above) make it easy to switch between user accounts.

Make sure all available user accounts on your computer, and your login accounts on the Internet, have complex passwords.  Certainly it's much easier to log in without a password, both for you and an intruder.  By saving a few seconds, you could lose a mountain of money and time.

If having any password, let alone a complex one, seems problematic, here's more.

Don't use a single common word (like "test"), a string of the same characters (like "1111"), ascending or descending strings (like "abcd"), adjacent keyboard characters (like "qwerty"), any string less than 8 characters, all or part of your name, Social Security number, birth date, address, telephone number, company name, department, or login account name, or names which are popular in advertising, commerce, or entertainment (like "spiderman").

All such passwords are easily guessed using software which performs a "dictionary attack".  The ideal password is a mix of random letters, numbers, and special characters, and which is at least 15 characters long!  However, a good strong password should be a headache for an intruder, not for you.

Do use a longer string, known as a "passphrase", and mix upper and lower case letters and numbers together.  Some websites allow only letters and numbers in passwords.  Other sites, and your computer, allow special characters (like "$" and space).  If so, use them - as long as they are common keyboard characters.

Here is a passphrase that's easy to remember, and easy to guess:  "iseeclearly".

Here is an upgrade:  "eyeseaclearly".

Using upper and lower case doubles the character set and multiplies the guesswork for each (English) character by a factor of 26:  "EyeSeaClearlY".

Numbers increase the guesswork by an additional factor of 10 per character:  "Ey3SeaCl34r1Y".  Here, some letters are replaced by numbers which resemble them - 3 (E), 4 (A), and 1 (l).  Use zero for "o", and so on.

Special characters increase the guesswork by an additional factor of about 26:  "Ey3$ea_Cl34r1Y".  In this passphrase, each character position could be any of 88 different characters, and there are 14 positions.

To "crack" that passphrase, the intruder might need to guess 8814, or about 1.67 octillion, combinations.  Even using shortcuts, he probably doesn't have this much computing power or lifespan.  But since the world can see this example passphrase, don't use it!

For additional safety, computers normally encrypt the field where you enter your password (a "password box").  Typically, as you type your password, it is masked by "*" (asterisk) characters.

To simplify:

At minimum, pick something you're going to remember, which is at least 12 characters, and then mess it up a bit like we've shown.  Better yet, check out the LifeHacker article, "Weighing Security Against Convenience"

Keep multiple passwords in an encrypted file, like we mentioned in Change & Error Logs.  That way, you only need to remember the passwords to log on to your computer and to open the encrypted file.

It is recommended that you periodically change your passwords, especially if they are short.  Don't use the same password everywhere - it will work as well for a thief as it does for you.

You can test the strength of your password with the Kaspersky password checker - it does not collect, store, or transmit your information.

Avoid serving up all the details of your life on the Internet, such as in blogs and commentaries.  In doing so, you may unintentionally reveal private information which a hacker can use to access your banking, e-mail, or other accounts.

This relevant video is both amusing and scary in its implications:  Amazing psychic reveals his 'gift'

If you already have made your life public, you can still be creative, such as with those "challenge questions" for your accounts.  For example, "What is your mother's maiden name?"  Answer, "CoffeeCup".  These questions are intended to test your identity, not your honesty.

Make your logon password required to resume operation when the computer returns from Logoff, Standby, and Hibernate modes:  open Computer > Control Panel > Power Options (> Change plan settings) > Advanced > Require a password on wakeup (from StandBy) > enable as appropriate > click OK.

Encrypt your sensitive files.  If your hard drive is formatted with the NTFS file system, you can encrypt an entire folder.  However, encrypt only your own folders and files.  Never encrypt any system folders or files; otherwise, you may permanently disable your system.

Bear in mind that NTFS encryption is tied to the user account which applied the encryption.  If that account is corrupted or lost (it does happen), even if another account is created with the same name, the encrypted data will be unrecoverable.  Also, the most expensive versions of Windows (Vista and above) can safely encrypt entire hard drives with the BitLocker feature - before you try it, research it thoroughly and make sure you are prepared to recover from errors.

Disable the Telnet system service if present.  Click Start > Run > type services.msc into the box > click OK.  Scroll down the list of system services to Telnet > double click it > click the Stop button and wait for the service to stop > click the dropdown box at Startup Type > click Disabled in the dropdown menu > click OK.

While you're there, Stop the Messenger service (it's simply called "Messenger") if present and set its Startup Type to Manual.  The Telnet and Messenger services are not present in modern versions of Windows.  Generally, you should not alter system services unless you know their purposes and interdependencies.

——————

Physical barriers

Never reveal your passwords to anyone, except upon demand by a judge in a court of law, or upon threat of imminent bodily harm.  No one else - whether family, friends, coworkers, corporations, or scam artists - has any right or authority to demand your passwords.

If you must write down a password, don't leave it where it is accessible by others.  Lock it in a safe, or record it in an encrypted file.  Guard your Social Security number like a password, but never use it as a password.

If you have startup disks, USB security keys, or other physical "back doors" which can logon your account without requiring a password, lock them in the safe as well.

If you are about to enter a password on the computer and someone else is close enough to watch you type, ask him politely but firmly to move away while you enter your password.  If he continues to hover, just don't enter the password.

Avoid leaving your computer running unattended.  Lurking family, friends, coworkers, children, and elves await their window of opportunity.  Instead, take your computer out of active service:  click Start > (Shutdown >) from the menu, select Stand By, Hibernate, Log Off, or Shutdown.  If you will just step away briefly, press and hold the Windows key on your keyboard, then tap the "L" key to lock the computer.

If your Internet connection is always on, as is usually the case, then using a current, fully-enabled major brand full security suite is a requirement, not an option.  If you won't be using the Internet for a period of time, such as when you are doing creative writing, graphics work, or a printing project, consider disconnecting from the Internet to reduce the window of opportunity for intrusion.

Physically bar access to your computer by keeping it in a locked room.  If you will be away for an extended period, shut down the computer and lock it in a safe.

As external backups and storage hardware become obsolete, make sure all sensitive data is destroyed.

If the media is writeable, "wipe" the data using a secure deletion program which overwrites it with random patterns.  Ordinary deletion merely marks the file space as reuseable, but does not actually remove the files.

For read-only optical disks, physically destroy the disks so they cannot be read.  If you like expensive toys, you can buy a heavy duty shredder which will chew them up.  Otherwise, put on protective eyewear and carefully snap them into pieces in a waste basket - watch out for flying shards and foil.  Alternately, stack up several disks, bind the stack with mailing tape, and drill several holes through the stack.

If you are recycling your system drive, or the entire computer, you can just wipe the sensitive data, or use specialized disk wiping software to nuke everything on the hard drive.

If all else fails, pull out the hard drive, put on protective eyewear, grab a big hammer, and have some low-tech fun!

——————

Street Smarts

The Internet is Babylon in electronic form, and your computer becomes a window to that world.  While there are seemingly endless benefits, you should exercise the same caution that you would in a crowded street.

Like people, computers can portray factual information, arrange bits of color and sound in any order to create a virtual fantasy world, and blend fact and fantasy seamlessly.

Unless you're deliberately searching for trouble, most of the content you will find on the Internet is relatively harmless.  Use the following concepts and practices to help you avoid the occasional snake pit.

Our first tip is ridiculously simple:  just say "No".  While there is nothing new about advertising, the Internet makes it easy for you to accept every kind of offer (or demand) without even needing to get off your chair; but convenience alone is no reason to "Click Here".

Enable your browser's phishing or forgery filter to help prevent you from accessing known malicious websites.  Some of these sites are even dressed up to look like legitimate ones.

As you navigate the waters, you gradually develop a mental catalog (and a list of "Favorite" links) of trustworthy companies and their website addresses.  Make it a point to learn and/or list the website addresses of financial institutions with whom you do business online.  When you visit a site, its address is initially displayed in your browser's address bar so that you can verify it.

Visually inspect any forms you fill out for check boxes () or radio buttons () which are preselected (checked or otherwise marked) to indicate that you agree to receive communication from the company or owner.  Unmark them if you don't agree; otherwise, when you submit that form, you have automatically given your legal consent to a business relationship.  This implies your consent to receive unlimited quantities of their advertising and legally prevents you from reporting it as spam.  Look carefully, because these little "agreements" are often sized and placed so they are easy to overlook.  If the site has a privacy policy, read it carefully.

If you want to download software or other products, look carefully for PUPs (Potentially Unwanted Programs) offered as add-ons.  In most cases you should reject them because they tend to be meddlesome privacy risks and resource hogs.

Many websites are supported by third party advertisers.  The website you purposely visit may be quite safe, but its owner likely will not accept responsibility for anything that happens if you follow a link to a third party site.

——————

Before you click a link to a website, hover your mouse pointer over the link without clicking it - usually the actual address of the target site will be displayed in the status bar at the bottom of the browser window.  Be wary of addresses where the domain is an "IP address" (a set of four numbers from 0 to 255, separated by periods) such as "http://123.123.123.123/...".

If your curiosity exceeds your suspicion, go to http://whois.domaintools.com/ and use the form to find out who really owns that site.  The site's domain address is specified between the "http(s)://(www.)" and the next "/".

Common suffixes are .biz (business), .com (commercial business), .edu (school), .gov (government), .info (informational, usually advertising), .net (networking business), .org (non-profit business, but not always), and a long list of country codes, such as .cn (China), .de (Germany), .it (Italy), and .ru (Russia).

Given what we've explained so far, here's a test.  Hover your mouse pointer over the above link to whois.domaintools.com and look at the website address which appears in your status bar.  For comparison, check the status bar when you hover over the following link (but don't click it!):

MiserBankAndTrust.com

If you did click that link, don't worry:  we created a harmless example of a fraudulent web page, so it's actually a fake fraud!

What's behind this is a bit of code called an "anchor" tag:
<a href="hidden_address">visible text</a>
which allows a useful link to fit nicely in a flow of text, but may also be used to hide dangerous links simply by using the visible text to lie about the destination of the hidden address.

You can also get Website Safety Reports, as well as a browser toolbar, which advise whether a given site has weak security or is associated with code exploits, malware, fraud, spam, or sleaze.

We recommend installing the browser add-on from Web of Trust.  In addition to warning about, or optionally blocking, bad sites, this tool also marks the sites listed in Google search results pages with trust rating symbols.

If you're interested in digging deeper, we've made a list of Trusted Security Services and tools we use to audit websites.

——————

Would you like to be famous?  To spammers, you already are.  Once they get your e-mail address, they'll send you lots of notices which contain suspicious links and language like the following:

YOU (have been specially selected to) WIN (a chance at winning) MEGA$$$ - JUST CLICK HERE!!!

TAKE THIS SURVEY AND GET A FREE FINGER PUPPET!!!

(Story of tragic death goes here.)  Rich foreign heir desperately needs to transfer mega$$$ inheritance to your account so the government doesn't steal it, and promises huge compensation for your trouble. (the so-called "Nigerian" scam)

HELP FIGHT CONTINENTAL DRIFT!!!  CLICK HERE!!!

COMPUTERS, DRUGS, HARDWARE, JOBS, MAGIC BEANS, MINERALS, SHOES, SOFTWARE, STOCKS, WATCHES, 1,000% DISCOUNTS!!!

we had to upgrade our servers against fraud ... we found suspicious activity on your account ... your access will be / is blocked until you give us your account information

Very often the sender's e-mail address is "spoofed" so it seems like it came from a legitimate company - such as "service@paypal.com".  The e-mail message may even contain a legitimate company's logo.

Know this:  legitimate companies do not ask for sensitive personal information by e-mail.  Software companies do not send you software by e-mail.  Microsoft normally doesn't even send notices about software by e-mail.

Check the recipient's e-mail address.  It should be yours, but is it?  If it isn't, what is it doing in your mailbox?  Delete it!

When an e-mail contains a live link, hover your mouse pointer over the link.  Unlike a web page, your browser may display the actual link address in a small pop up line.  If it doesn't, you can right click the link, select Copy Shortcut from the context menu, then open your favorite text editor or word processor and paste the link address into the page.  If the e-mail seems legitimate but the link looks fraudulent (or you can't decide), do not click!

Even if the e-mail contains a button to decline the offer, or to stop receiving future offers, do not click - delete the e-mail.  Any reply to a spammer just confirms that your e-mail address is valid.

If a suspicious e-mail seems to be from a legitimate company with whom you normally do business, and if you feel that some action is warranted, look up the company's contact information in your own personal address or phone book or on their genuine website - do not use a number or link in the e-mail - then contact the company to find out the facts.

E-mail attachments are files sent with the e-mail - it's a common method of sharing documents and pictures.  If you receive an e-mail with an attached file, and if you cannot be completely certain that the sender is trustworthy, do not open, view, download, or "save" the attachment.

You can turn bad e-mail to good purpose by forwarding it to the Federal Trade Commission at spam@uce.gov.  Make sure the original e-mail is included in your forwarded message, but do not add comments or change anything in the message or subject line.  If you know how, include the e-mail headers above the message.

If the sender's e-mail address is spoofed to look like it's from a company you recognize as legitimate, you can do that company and its customers a favor.  Forward the e-mail to abuse@companydomain; for example: abuse@amazon.com.

Many companies won't reply.  Some may reply with a list of complex procedures and by whining that you haven't done enough.  Ignore them.  Others, such as Amazon.com and eBay.com (spoof@ebay.com) will encourage you to send more.

Passive Spam Hijack

Some invasive programs extract e-mail addresses from your address book or contacts list and secretly use them to spam people who trust you.

You can help hijack this process with no more effort than adding the e-mail address "spam@uce.gov" to your lists so spammers can report themselves!  This also makes it easier for you to report spam.

We even made a special page of email addresses just for spammers.

No matter how mad you get, don't reply to spammers - this just lets them know that your e-mail address is real.  Use a mail filter to throw their stuff into your "junk mail" folder.  You may also be able to have junk mail deleted automatically.  If you do, legitimate e-mail may be inadvertently deleted.  Remember to clean out your junk mail folder periodically; if it fills up your allotted space, no one can send you e-mail.

For more information about fraudulent e-mail messages and websites, and safely shopping and job hunting online, visit these Microsoft Security pages:

Recognizing phishing scams and fraudulent hoax emails
Email and web scams: How to help protect yourself
Job hunting and other phishing scams that target activities, interests, or news events

Tips on guarding your privacy, from The Netherlands:

Peter's Web Safety

U.S. government computing security info for the public:

OnGuardOnline.gov

——————

When you send e-mail, you should include a subject line.  Some mail filters will throw your message in the trash if the subject is blank or "no subject".  Especially if you're just sending a link, it's helpful to add a brief message to identify yourself.

When you send e-mail to a group (a list of several recipients), do them all a big favor.  Put only your own e-mail address in the "TO:" field, and put all of the recipients' e-mail addresses in the "BCC:" (Blind Carbon Copy) field.  There are a couple of good reasons for this.

Each recipient gets the e-mail showing only his, and your, e-mail address.  If he forwards your e-mail to others (who may forward to others), any one of them who is a spammer will not get a nice list of many valid e-mail addresses.  Also, you avoid offending anyone who is afraid his reputation will be tarnished through association with others on your group list.

——————

In a nutshell ...

You don't have to be a fly, caught in the world wide web.  Keep your software updated, your shields up, your eyes open, and your instincts sharp.  Above all, learn, and enjoy!


now reading: Security - Viruses, Intrusions, Scams - Common Sense Defense
© 2008-2017 Lauver Systems • Niles Michigan • 269 635-0721
 Print this frame ...