Security
An effective way to deal with predators is to taste terrible."A truly secure computer is one that has never been turned on."
When computers evolved from smart typewriters, they were just a better way to manage redundant technical work. Then someone thought of connecting them, and the Internet was born for lofty academic and business pursuits. But it wasn't long before it became a playground where, predictably, some people don't play well with others.
Today, the Internet is a vast trove of information, entertainment, products, and services; but it should be approached as a busy public thoroughfare, with caution and vigilance, not carelessly as a child's playground, because there are vipers in its midst.
Get your shields up and stay protected with system and application updates, strong security software, basic precautions and tests, and "street smarts" on the web.
For the updates mentioned below, you need a live Internet connection.OS updates
Whether you're running the Windows, MAC, or other Operating System, make sure that its Automatic Updates feature is always turned on. Manufacturers regularly issue patches for security vulnerabilities.
Up to Windows 7: right click Computer > Properties > Windows Updates (> Settings) > Automatic > enable all appropriate settings > click OK.
Periodically check the update page on the OS manufacturer's website, in case you missed any. To manually start it in Windows: click Start > Programs > Accessories > System Tools > Windows Update.
In Windows 10 (yes, we're snubbing W8.x), access all update features by opening the Action Center (right-most icon in the system notification area) > All Settings > Update & Security > Windows Update.
Security software
Anti-virus software alone is no longer enough.
Hint.1: If a security vendor isn't in those reviewers' lists, ignore it. Hint.2:
Oh no: For a special "low" price that automatically renews each year, your telecom company offers to fix your device if any malware slips past said security - because they know it's lame. Some malware can damage your device and/or your files beyond repair; so, no, they can't fix that.
A full suite includes protection from data theft, phishing sites, unsecured or bogus connections, spam email, trojans, viruses, worms, malware-like behavior ("heuristic" detection), unauthorized system changes, firewall protection against intrusion over wired and wireless networks, cleanup of usage tracks and temporary files, detection of system and app vulnerabilities, management of app updates, real time and scheduled system security scans, parental controls, and automatic updates. Generally speaking, a strong security suite neutralizes or deflects threats before they can enter your device. Antivirus can only defend you from malware that is already in your device.
Use only one security suite. If two are running, they will obstruct each other and may cause system or network conflicts. If you're using a patchwork of firewall, antivirus, antispy, antiphish, etc, from various vendors, run only one of each kind.
Full security suites update themselves automatically by default. Make sure this is turned on. Updates typically occur daily. Also, a full suite checks media, such as (floppy and) optical disks and USB drives, as soon as they are mounted (connected to your device); so make sure this feature is turned on as well.
Free security software is certainly better than nothing, especially with judicious use of the rest of these tips. Microsoft's own "Defender" app gets good marks. Do what you can, but remember that you usually get what you pay for.
As soon as this file lands on your hard drive, your security software should instantly react to it as a virus (such as deleting it or placing it in quarantine).
Never attempt to test with a real virus! This is like setting your house on fire to test your fire alarm.
Note that some anti-virus software may lock the file in place to prevent access, and you may not be able to delete it. Check your manual first, and don't download the EICAR test file where it could be permanently in your way, such as on the desktop.Internet browsers
Also check out our favorite browser defense extensions, listed as icons near the bottom of our About page.
The next few steps take place in your browser.
Find the browser's "Settings" feature - often from a "hamburger" icon ("☰" horizontal or vertical) or "gear" icon ("⚙"), or find a Tools, Options, or Settings link on the browser's toolbar. From there, find Privacy & Security settings. Generally speaking, you should set the browser's "Safe Browsing" security to the Standard (Medium) or Enhanced (High) default settings; the highest Strict setting may prevent most websites from running even minimally or at all. Conversely, the Low or Off setting is not recommended.
Disabling JavaScript in the browser provides more security, but disables many useful features on legitimate websites, some of which can't run without it; other security measures are more effective. Most users don't need Java (not the same as JavaScript); so if it's installed on your device and you don't know why you need it, disable it.
Most browsers can display a "status bar" at the bottom of the browser window. If it's turned off, the browser can display one extra line of text; however, the status bar can display several kinds of useful information, including the actual destination of links on a web page (more about this later). On the browser's main toolbar, click View, and turn on the Status Bar.Software updates
Check important software which you use often for a manual or automatic update feature - usually found in Help > About. If it doesn't have one, check the company's website. Manufacturers regularly issue free updates for improved functionality and security.Make a point of familiarizing yourself with the normal appearance and behavior of windows, message boxes, and other features of your operating system and applications. Take note of formats, coloration, logos, etc. Typically, designers style these items consistently for brand recognition. OK, you knew that.
This helps you recognize when your system or programs are presenting legitimate windows and messages, and it can also help you recognize when malware is at work because it just doesn't look right. Here's an example:
They went on vacation for a week, leaving their teenage son Home Alone with the computer. Through either social networking or other surfing, a program called "Personal Antivirus" (PAV) was downloaded to the computer and attempted to install.
PAV is malware which pretends to be security software: the initial infector boldly and continuously announces that your computer is badly infected with other malware, and demands that you buy the full version of PAV to correct it. If you buy it, it makes a much worse mess of your system, and also provides the scammer with your credit card number. The point is PAV's sophomoric messages and belligerent behavior looked nothing like those of the legitimate antivirus software installed on the computer.
When PAV attempted to install, the real antivirus halted the installation, posted a message that it had stopped a potentially dangerous program, and offered options to permit or deny installation. Having no familiarity with the real antivirus, the son instructed it to permit the installation and to make the new malware "trusted."
Mom and Dad returned to find those annoying messages from PAV, decided the legitimate antivirus was no good, and took the computer to a dealer to disinfect it (and likely replace an excellent antivirus with something less). The simple solution: open the real antivirus and delete the "trusted" entry for the malware; then when the antivirus prompts to remove the malware, make it so.
The bottom line: lack of familiarity, combined with an at-risk configuration and a $30 savings, cost them about $100 and two to four days' time.———•———
System barriers
If you have a "Guest" account on your computer, make sure it's disabled. It isn't possible to assign it a password and, while it has little authority, it provides an entry point from which a hacker can escalate his privileges on your system. Open Computer > Control Panel > User Accounts > Change An Account > Guest > Turn Off the Guest Account. This account is disabled by default in Windows Vista and above.
If you want to allow someone else to use your computer, create a separate Standard account for his/her use. In fact, create one for yourself for surfing the Internet; if you encounter malware, it won't immediately have Administrator authority over your computer. Modern Windows systems (XP and above) make it easy to switch between user accounts.
Make sure all available user accounts on your computer, and your login accounts on the Internet, have complex passwords. Certainly it's much easier to log in without a password, both for you and an intruder. By saving a few seconds, you could lose a mountain of money and time.
If having any password, let alone a complex one, seems problematic, here's more.
Don't use a single common word (like "test"), a string of the same characters (like "1111"), ascending or descending strings (like "abcd"), adjacent keyboard characters (like "qwerty"), any string less than 8 characters, all or part of your name, Social Security number, birth date, address, telephone number, company name, department, or login account name, or names which are popular in advertising, commerce, or entertainment (like "spiderman").
All such passwords are easily guessed using software which performs a "dictionary attack". The ideal password is a mix of random letters, numbers, and special characters, and which is at least 15 characters long! However, a good strong password should be a headache for an intruder, not for you.
Do use a longer string, known as a "passphrase", and mix upper and lower case letters and numbers together. Some websites allow only letters and numbers in passwords. Other sites, and your computer, allow special characters (like "$" and space). If so, use them - as long as they are common keyboard characters.
Here is a passphrase that's easy to remember, and easy to guess: "iseeclearly".
Here is an upgrade: "eyeseaclearly".
Using upper and lower case doubles the character set and multiplies the guesswork for each (English) character by a factor of 26: "EyeSeaClearlY".
Numbers increase the guesswork by an additional factor of 10 per character: "Ey3SeaCl34r1Y". Here, some letters are replaced by numbers which resemble them - 3 (E), 4 (A), and 1 (l). Use zero for "o", and so on.
Special characters increase the guesswork by an additional factor of about 26: "Ey3$ea_Cl34r1Y". In this passphrase, each character position could be any of 88 different characters, and there are 14 positions.
To "crack" that passphrase, the intruder might need to guess 8814, or about 1.67 octillion, combinations. Even using shortcuts, he probably doesn't have this much computing power or lifespan. But since the world can see this example passphrase, don't use it!
For additional safety, computers normally encrypt the field where you enter your password (a "password box"). Typically, as you type your password, it is masked by "*" (asterisk) or other characters.
To simplify:
At minimum, pick something you're going to remember, which is at least 12 characters, and then mess it up a bit like we've shown.
Keep multiple passwords in an encrypted file, like we mention in Change & Error Logs. That way, you only need to remember the passwords to log on to your computer and to open the encrypted file.
Don't use the same password everywhere - it will work as well for thieves as it does for you. It is recommended that you periodically change your passwords, especially if they are short. Conversely, rules that force frequent password changes tend to be annoying and tedious, leading some people to use simpler passwords that are easier to crack.
You can test the strength of your password with the Kaspersky password checker - it does not collect, store, or transmit your information.
This relevant video is both amusing and scary in its implications: Amazing psychic reveals his 'gift'
If you already have made your life public, you can still be creative, such as with those "challenge questions" for your accounts. For example, "What is your mother's maiden name?" Answer, "CoffeeCup". These questions are intended to test your ownership of secrets, not your honesty.Make your logon password required to resume operation when the computer returns from Logoff, Standby, and Hibernate modes: open Computer > Control Panel > Power Options (> Change plan settings) > Advanced > Require a password on wakeup (from StandBy) > enable as appropriate > click OK.
Encrypt your sensitive files. If your hard drive is formatted with the NTFS file system, you can encrypt an entire folder. However, encrypt only your own folders and files. Never encrypt any system folders or files; otherwise, you may permanently disable your system.
Bear in mind that NTFS encryption is tied to the user account which applied the encryption. If that account is corrupted or lost (it does happen), even if another account is created with the same name, the encrypted data will be unrecoverable. Also, the most expensive versions of Windows (Vista and above) can safely encrypt entire hard drives with the BitLocker feature - before you try it, research it thoroughly and make sure you are prepared to recover from errors.
If you only need to encrypt a few sensitive files, we strongly encourage you to buy ($47 / year in 2024) a subscription to AxCrypt.
Disable the Telnet system service if present. Click Start > Run > type services.msc into the box > click OK. Scroll down the list of system services to Telnet > double click it > click the Stop button and wait for the service to stop > click the dropdown box at Startup Type > click Disabled in the dropdown menu > click OK.
While you're there, Stop the Messenger service (it's simply called "Messenger") if present and set its Startup Type to Manual. The Telnet and Messenger services are not present in modern versions of Windows. Generally, you should not alter system services unless you know their purposes and interdependencies.
———•———
Physical barriers
Never reveal your passwords to anyone, except upon demand by a judge in a court of law, or upon threat of imminent bodily harm. No one else - whether family, friends, coworkers, corporations, or scam artists - has any right or authority to demand your passwords.
If you must write down a password, don't leave it where it is accessible by others. Lock it in a safe, or record it in an encrypted file. Guard your Social Security number like a password, but never use it as a password.
If you have startup disks, USB security keys, or other physical "back doors" which can logon your account without requiring a password, lock them in the safe as well.
If you are about to enter a password on the computer and someone else is close enough to watch you type, ask him politely but firmly to move away while you enter your password. If he continues to hover, just don't enter the password.
Avoid leaving your computer running unattended. Lurking family, friends, coworkers, children, and elves await their window of opportunity. Instead, take your computer out of active service: click Start > (Shutdown >) from the menu, select Stand By, Hibernate, Log Off, or Shutdown. If you will just step away briefly, press and hold the Windows key on your keyboard, then tap the "L" key to lock the computer.
If your Internet connection is always on, as is usually the case, then using a current, fully-enabled major brand full security suite is a requirement, not an option. If you won't be using the Internet for a period of time, such as when you are doing creative writing, graphics work, or a printing project, consider disconnecting from the Internet to reduce the window of opportunity for intrusion.
Physically bar access to your computer by keeping it in a locked room. If you will be away for an extended period, shut down the computer and lock it in a safe.
As external backups and storage hardware become obsolete, make sure all sensitive data is destroyed.
If the media is writeable, "wipe" the data using a secure deletion program which overwrites it with random patterns. Ordinary deletion merely marks the file space as reuseable, but does not actually remove the files.
For read-only optical disks, physically destroy the disks so they cannot be read. If you like expensive toys, you can buy a heavy duty shredder which will chew them up. Otherwise, put on protective eyewear and carefully snap them into pieces in a waste basket - watch out for flying shards and foil. Alternately, stack up several disks, bind the stack with mailing tape, and drill several holes through the stack.
If you are recycling your system drive, or the entire computer, you can just wipe the sensitive data, or use specialized disk wiping software to nuke everything on the hard drive.
If all else fails, pull out the hard drive, put on protective eyewear, grab a big hammer, and have some low-tech fun!
———•———
Fake Tech Support
Depending on your disposition, this scam can be pretty seductive, so we made a separate page for it. One fine day when you're just minding your own business, out of the blue you may get The Call: something is terribly wrong with your computer, and "Microsoft" is standing by to fix it. 😈
———•———
Street Smarts
The Internet is Babylon in electronic form, and your computer becomes a window to that world. While there are seemingly endless benefits, you should exercise the same caution that you would in a crowded street.
Like people, computers can portray factual information, arrange bits of color and sound in any order to create a virtual fantasy world, and blend fact and fantasy seamlessly.
Unless you're deliberately searching for trouble, most of the content you will find on the Internet is relatively harmless. Use the following concepts and practices to help you avoid the occasional snake pit.
Our first tip is ridiculously simple: just say "No". While there is nothing new about advertising, the Internet makes it easy for you to accept every kind of offer (or demand) without even needing to get off your chair; but convenience alone is no reason to "Click Here".
Enable your browser's phishing or forgery filter to help prevent you from accessing known malicious websites. Some of these sites are even dressed up to look like legitimate ones. For additional browser protection, check out the defensive browser extensions in the quick-access list near the bottom of our About page.
As you navigate the waters, you gradually develop a mental catalog (and a list of "Favorite" links) of trustworthy companies and their website addresses. Make it a point to learn and/or list the website addresses of financial institutions with whom you do business online. When you visit a site, its address is initially displayed in your browser's address bar so that you can verify it.
Visually inspect any forms you fill out for check boxes () or radio buttons () which are preselected (checked or otherwise marked) to indicate that you agree to receive communication from the company or owner. Unmark them if you don't agree; otherwise, when you submit that form, you have automatically given your legal consent to a business relationship. This implies your consent to receive unlimited quantities of their advertising and legally prevents you from reporting it as spam. Look carefully, because these little "agreements" are often sized and placed so they are easy to overlook. If the site has a privacy policy, read it carefully.
If you want to download software or other products, look carefully for PUPs (Potentially Unwanted Programs) offered as add-ons. In most cases you should reject them because they tend to be meddlesome privacy risks and resource hogs.
Many websites are supported by third party advertisers. The website you purposely visit may be quite safe, but its owner likely will not accept responsibility for anything that happens if you follow a link to a third party site.
———•———
Before you click a link to a website, hover your mouse pointer over the link without clicking it - usually the actual address of the target site will be displayed in the status bar at the bottom of the browser window. Be wary of addresses where the domain is an "IP address" (a set of four numbers from 0 to 255, separated by periods) such as "http://123.123.123.123/...".
If your curiosity exceeds your suspicion, go to http://whois.domaintools.com/ and use the form to find out who really owns that site. The site's domain address is specified between the "http(s)://(www.)" and the next "/".
Common suffixes are .biz (business), .com (commercial business), .edu (school), .gov (government), .info (informational, usually advertising), .net (networking business), .org (non-profit business, but not always), and a long list of country codes, such as .cn (China), .de (Germany), .it (Italy), and .ru (Russia).
Given what we've explained so far, here's a test. Hover your mouse pointer over the above link to whois.domaintools.com and look at the website address which appears in your status bar. For comparison, check the status bar when you hover over the following link (but don't click it!):
If you did click that link, don't worry: we created a harmless example of a fraudulent web page, so it's actually a fake fraud!
What's behind this is a bit of code called an "anchor" tag:
<a href="hidden_address">visible text</a>
which allows a useful link to fit nicely in a flow of text, but may also be used to hide dangerous links simply by using the visible text to lie about the destination of the hidden address.
You can also test with trusted security services, as well as browser extensions, which advise whether a given site has weak security or is associated with code exploits, malware, fraud, spam, or sleaze.
Local installations (on your computer or mobile device) from major security vendors generally include browser extensions which not only warn about or block bad sites, they also mark the pages listed in search engine results pages (SERPs) with safety rating symbols.
———•———
Would you like to be famous? To spammers, you already are. Once they get your email address, they'll send you lots of notices which contain suspicious links and language like the following:
YOU (have been specially selected to) WIN (a chance at winning) MEGA$$$ - JUST CLICK HERE!!!
TAKE THIS SURVEY AND GET A FREE FINGER PUPPET!!!
(Story of tragic death goes here.) Rich foreign heir desperately needs to transfer mega$$$ inheritance to your account so the government doesn't steal it, and promises huge compensation for your trouble. (the so-called "Nigerian" scam)
HELP FIGHT CONTINENTAL DRIFT!!! CLICK HERE!!!
COMPUTERS, DRUGS, HARDWARE, JOBS, MAGIC BEANS, MINERALS, SHOES, SOFTWARE, STOCKS, WATCHES, 1,000% DISCOUNTS!!!
we had to upgrade our servers against fraud ... we found suspicious activity on your account ... your access will be / is blocked until you give us your account information
Very often the sender's email address is "spoofed" so it seems like it came from a legitimate company - such as "service@paypal.com". The email message may even contain a legitimate company's logo.
Know this: legitimate companies do not ask for sensitive personal information by email. Software companies do not send you software by email. Microsoft normally doesn't even send notices about software by email.
Check the recipient's email address. It should be yours, but is it? If it isn't, what is it doing in your mailbox? Delete it!
When an email contains a live link, hover your mouse pointer over the link. Unlike a web page, your browser may display the actual link address in a small pop up line. If it doesn't, you can right click the link, select Copy Shortcut from the context menu, then open your favorite text editor or word processor and paste the link address into the page. If the email seems legitimate but the link looks fraudulent (or you can't decide), do not click!
Even if the email contains a button to decline the offer, or to stop receiving future offers, do not click - delete the email. Any reply to a spammer just confirms that your email address is valid.
If a suspicious email seems to be from a legitimate company with whom you normally do business, and if you feel that some action is warranted, look up the company's contact information in your own personal address or phone book or on their genuine website - do not use a number or link in the email - then contact the company to find out the facts.
Email attachments are files sent with the email - it's a common method of sharing documents and pictures. If you receive an email with an attached file, and if you cannot be completely certain that the sender is trustworthy, do not open, view, download, or "save" the attachment.
If the sender's email address is spoofed to look like it's from a company you recognize as legitimate, you can do that company and its customers a favor. Forward the email to abuse@companydomain; for example: abuse@amazon.com.
Many companies won't reply. Some may reply with a list of complex procedures and by whining that you haven't done enough. Ignore them. Others, such as Amazon.com and eBay.com (spoof@ebay.com) will encourage you to send more.
Some invasive programs extract email addresses from your address book or contacts list and secretly use them to spam people who trust you.
If you have a special email address for reporting spam, keep that address in your contacts so snooping spammers can automatically report themselves.
Spammers also scrape email addresses from websites, so we made a special page of email addresses for them, and to introduce you to spam tricks, management, and reporting.No matter how mad you get, don't reply to spammers - this just lets them know that your email address is real. Use a mail filter to throw their stuff into your "junk mail" folder. You may also be able to have junk mail deleted automatically. If you do, legitimate email may be inadvertently deleted. Remember to clean out your junk mail folder periodically; if it fills up your allotted space, no one can send you email.
For more information about fraudulent email messages and websites, and safely shopping and job hunting online, visit these Microsoft Security pages:
Recognizing phishing scams and fraudulent hoax emails
Email and web scams: How to help protect yourself
Job hunting and other phishing scams that target activities, interests, or news events
U.S. government computing security info for the public:
———•———
When you send email, you should include a subject line. Some mail filters will throw your message in the trash if the subject is blank or "no subject". Especially if you're just sending a link, it's helpful to add a brief message to identify yourself.
When you send email to a group (a list of several recipients), do them all a big favor. Put only your own email address in the "TO:" field, and put all of the recipients' email addresses in the "BCC:" (Blind Carbon Copy) field. There are a couple of good reasons for this.
Each recipient gets the email showing only his, and your, email address. If he forwards your email to others (who may forward to others), any one of them who is a spammer will not get a nice list of many valid email addresses. Also, you avoid offending anyone who is afraid his reputation will be tarnished through association with others on your group list.
———•———
In a nutshell ...
You don't have to be a fly, caught in the world wide web. Keep your software updated, your shields up, your eyes open, and your instincts sharp. Above all, learn, and enjoy!