If you tell enough stories, perhaps the moral will show up.

2010-06-19

Barefoot Security Anti Malware

I do get asked for security advice, but not that often these days. Often, much more often, I want to tell people, to SAVE them. Yes.
So this is a worked-up version of an email I send out. It's how to keep control of your computer, your data and your passwords by preventing malware on your PC. I'm aiming at the ordinary PC/Windows user with occasional notes about Apple and Linux. It's in rough priority order, and it's mostly advice I follow myself (though it's not all of the paranoid steps I take).
If you think I should have put AV software top of the list, you should remember that I am a security Expert. Yes, and I have business cards which say just that.

Keep your Thinking Cap Securely ON
Why on earth would you click on THAT?
If the answer is "because THOSE sites are the ones I chiefly love looking at" then you need to pay close attention to the rest of this list.
And if you say "because I'm human and I'm not 100% focussed 100% of the time" then you should read on too.
Backup your Files
Anything you care about should be on media which you don't leave plugged in. There are some nasty malware infections which are simplest to eradicate with a format and restore, so backups are essential. (And there's always fire, flood, technical failure and stupidity, if malware doesn't worry you!)
It's a big topic. You need to think about having a regular system that will show you if copies get lost or aren't taken, about testing your backups, satisfying any data protection obligations, encryption if you worry about people reading it, and keeping media out of the range of that fire/flood/whatever.
It's a shame that it's a top priority as it's none too easy. If you're in doubt about how to do this, I suggest you set up with a UK online backup service, test their software, check their prices and get value out of their support line!
Don't do PC Work as an Administrator
This is really just for Windows users as Mac and Linux set it up correctly anyway. Windows 7 and Vista are better, but you should still arrange to work as a non-admin.
In XP, go into the control panel and set up a new admin account. Then make your regular account into a limited user. Use the limited account for all browsing, email, word processing etc. Only use the admin account to install software, add new hardware, and set up users.
This simple trick stops a proportion of Windows malware, when malware programmers are lazy and assume you haven't taken this precaution -- as most people haven't. Even though attackers are wising up now, and plenty of password stealers and others will now install without admin, it's still an important precaution because it stops rootkits, and ensures that installed malware is easier to clean off.
The problem is that other programmers, especially games programmers, are just as lazy as malware authors so their stuff won't work. Software which insists on admin privileges to run (rather than to install) should be rejected as unfit. If you're stuck with it, investigate "run as".
Apply Security Fixes
Ensure that all security updates apply automatically. Malware uses unpatched vulnerabilities to install. Vulnerabilities are sometimes being exploited even before they are fixed, so ignore people who say you should wait a few days -- it's too complicated, and the risk of you forgetting or being exploited in those few days is much greater than that of a bad patch.
In Windows take a moment to turn the software firewall on, as that setting is nearby.
Keep your Auxiliary Programs Up To Date
Make sure that all of the extra stuff you need for the full experience (Adobe Reader, Flash, Shockwave, Quicktime, Java) is up to date. Secunia Inspector is a good way to check.
Most modern attacks arrive through these products. If you use Office, Photoshop or whatever make sure you get updates for that too.
Use a Less Common Browser
On Windows, don't use Internet Explorer (except for updates where it makes you do it). On Mac, don't use Safari. Malware authors naturally target the common browsers.
On Windows, install and use the Google Chrome browser because it can update itself as a non-admin (unlike Firefox). If you must browse as an admin, install Firefox and learn to use it with NoScript.
Also in Windows, take the time to keep IE up to date. Even if you think you're not using it, you don't want old versions on your PC.
Use AV Software
On Windows, Microsoft Security Essentials is good enough -- free, unobtrusive and good quality -- if you avoid admin browsing and email. Check that it is updating automatically.
I confess I don't run AV myself, but it seems like a necessity for people who like to test animated cursors or other oddments.
Disable the Big Adobe Reader Mistakes
Adobe stuff needs special attention. There's just so much malware targeting it, and it's not easy to keep up with the updates. PDF used to be a handy document format, now it's a malware magnet. Reader X (10) is an improvement, but it's still a bore. You have to switch off the idiot features that Adobe added.
Start the Adobe Reader and pull down Edit/Preferences…
  • Select Trust Manager in the list and clear the checkbox marked "Allow opening of non-PDF file attachments with external applications"
  • Select JavaScript and clear the checkbox marked "Enable Acrobat JavaScript"
You need to repeat for every user account that uses Reader. There are equivalent settings in Acrobat if you use that -- you'll need to find them yourself.
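Because the two settings above live in each user's own profile, a per-account check saves clicking through the dialog every time. The following is an added example, not part of the original post: a PowerShell script that reports both preferences for the account running it and, with -Fix, switches them off. The registry value names (bEnableJS, bAllowOpenFile) and their locations are assumptions based on Adobe's published preference reference, so confirm them against your Reader version.

```powershell
# Added example: audit (and optionally fix) the two Reader preferences for the
# account that runs this script. Registry value names are assumptions taken
# from Adobe's preference reference; verify them for your Reader version.
param([switch]$Fix)

$root = 'HKCU:\Software\Adobe\Acrobat Reader'
$checks = @(
    @{ SubKey = 'JSPrefs';   Name = 'bEnableJS';      What = 'Enable Acrobat JavaScript' },
    @{ SubKey = 'Originals'; Name = 'bAllowOpenFile'; What = 'Open non-PDF attachments with external applications' }
)

if (-not (Test-Path $root)) {
    Write-Output "No Reader preferences found for $env:USERNAME"
    return
}

# Reader keeps one subkey per major version (for example 9.0 and 10.0),
# and an old version left installed is still a risk, so check them all.
foreach ($ver in Get-ChildItem $root) {
    foreach ($c in $checks) {
        $path = Join-Path $ver.PSPath $c.SubKey
        $current = $null
        if (Test-Path $path) {
            $prop = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($prop) { $current = $prop.($c.Name) }
        }

        # A missing value means Reader uses its built-in default, so report
        # it as unknown instead of treating it as switched off.
        if ($null -eq $current)  { $state = 'NOT SET (default applies)' }
        elseif ($current -eq 0)  { $state = 'off' }
        else                     { $state = 'ON' }

        Write-Output ("Reader {0}: {1} = {2}" -f $ver.PSChildName, $c.What, $state)

        if ($Fix -and $state -ne 'off') {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name $c.Name -Value 0 -Type DWord
            Write-Output "  -> switched off"
        }
    }
}
```

Run it once from each account that uses Reader, with Reader closed, then open Edit/Preferences to confirm both checkboxes are clear.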
So will these make you secure? Well, no; nothing will. But they will stop you from being a soft target. If you have secrets to keep, there's a whole other journey about understanding the settings on your accounts, encrypting data and the rest. But that is another post.
