March 13, 2014
Securing your System
So what do I mean when I say “securing” your system? Surely I don’t mean strapping it to a desk with a padlock. Well, that’s one way you can lock your computer down but what I’m talking about is throwing up a potent defense that will halt most malware infections before they even get on your computer.
I refer also to the many browser extensions you might have installed, many of which may be spying on your surfing habits. And, of course, there’s securing your system against prying eyes with strong passwords. Think of this lesson as the “motherly advice” part. Most of this stuff seems like common sense but it’s amazing how many users still fall for old tricks and engage in bad practices.
Avoidance is your Best Defense
Before I get to the concrete steps, let’s talk about something more pragmatic: avoidance. While I can blame the underbelly of the Internet for many of our malware woes, the fact remains, the user is still most often responsible for introducing malware to their systems. In a perfect world, it wouldn’t matter and I could just install whatever I want with no fear of consequences. But for whatever reason, be it sadism or profit, so-called hackers seem bound and determined to ruin our days. But it’s not quite so doom and gloom. You do have some control over this and can avoid “Death by Toolbar”.
Dodgy websites
How’s that site look? Does it look like the Internet equivalent of a seedy dive bar? Fact is, most of the websites out there are just fine but every now and then, there’s that one that isn’t. When you have any misgivings about installing a program from a suspicious source, don’t. Take some time and research it, see if anyone has complained about it or reported it as malicious.
Distrust e-mail
Stop if you’ve heard this one before: don’t open attachments or links from unknown or suspicious sources. Don’t even trust your friends and family. Spoofing email addresses is not a difficult task. While most people use webmail nowadays, which usually has virus scanning incorporated into it (for example, Gmail scans at the server level so malware is less likely to even reach you), if you have a business or regular ISP e-mail account, you still need to exercise care in case something slips past.
Insert with caution
Let’s say someone gives you a thumb drive with some important files they want to share. It’s fantastic now that I have little gigabyte+ drives that I can save hundreds of files to. But, just like CD-ROMs and floppy disks, removable media is inherently risky. Never simply open these files without at least first scanning them for malware.
Pop ups of doom
Have you ever seen those little pop ups while web browsing that suddenly appear telling you that you have viruses on your system? Or, that your system is too slow and needs fixing? These pop ups act like they’re trying to help you out, but what they really want you to do is help them get their malware or adware into your system. If those popups are in the web browser window, they probably aren’t real. Don’t fall for these scare tactics; close out that window and go about your business.
Sneaky bundling
A lot of software comes bundled with other software that you are tricked into mistakenly installing with a bunch of redirection and fakery. You may be accepting the licensing agreement for that piece of software, or you may simply be agreeing to install a bundled toolbar that tracks your web surfing habits.
When you’re installing anything, you don’t necessarily need to read all the fine print (only a few people really do) but you should at least know what you’re agreeing to. Are you agreeing to the actual program you downloaded, or is it some “search helper” or toolbar that you can never seem to get rid of? Bottom line, read carefully.
It’s also worth noting that you should really consider whether or not you need that freeware application in the first place. If you can’t think of a reason that you must have it, you should probably skip the installation process entirely.
What’s in a torrent?
If you download anything off a peer-to-peer network, you’re always at risk of getting more than you didn’t pay for. When at all possible, scan anything you get from these sources or simply download from a more reputable source.
Using anti-virus
Using an anti-virus program is step 1 in securing your system. Okay, picking a strong password is step .09 but I’ll get to that in just a bit.
Anti-virus? Don’t I mean malware? Technically, yes, we can define malware as any piece of software intent on causing harm to your system and the data contained therein. This may include, but certainly isn’t limited to, viruses, Trojans, keyboard loggers, adware, rootkits, and more. But, we all still call it anti-virus or AV, so I’ll leave it at that.
Your anti-virus software should fulfill a few requirements
- It should update automatically with the most current AV definitions.
- It should reside in your system’s memory and continuously scan for threats.
- And, in doing so, it shouldn’t detrimentally affect your system’s performance.
Almost all the AV software on the market will do the first two items perfectly well. In case of the last one, some AV programs create very little system overhead while others are pig-like. There’s also the matter of effectiveness: not all programs are created equally and some catch more malware more consistently.
So, which one?
Deciding on anti-malware protection can be daunting. After all, do a simple search for “anti-virus” or “malware protection” and you’re bound to get dozens of results.
There once was a time when I could simply recommend Microsoft Security Essentials for Windows 7 and Windows Defender for Windows 8.x. But recently even Microsoft admitted that MSE and Defender may not be completely effective and users are recommended to find a third-party option. So what are those third-party options?
When judging anti-virus (AV) software, AV Test does a fairly good job of laying out all the choices in a clear manner. Like I said, we have an abundance of choice but only a few are free. You’re more than welcome to peruse the list but let’s highlight some of the free stuff. After all, Windows costs quite a bit of money, I shouldn’t have to pay more to keep it running properly.
These are four of the higher rated AV programs on the market. Each comes with a free, basic, anti-virus component.
Product | Platforms | Pay version | Free Trial | Download Page |
Ad-Aware | PC only | $24.00 to $48.00 | Yes | http://www.lavasoft.com/products/ad_aware.php |
Bitdefender | PC, Mac, Android | $69.99 to $79.99 per year | Yes | http://www.bitdefender.com/solutions/free.html |
AVG | PC, Mac, iOS, Android, Windows Phone | $54.99 | Yes | http://www.avg.com/us-en/free-antivirus-download |
Avira | PC, Mac, iOS, Android | $44.99 – $133.99 | Yes | http://www.avira.com/en/avira-free-antivirus# |
Disabling Windows Defender to Install New AV
On Windows 7, you have to install anti-virus manually so any of the above-referenced software is a great place to start. All of the free versions will be more than adequate to protect your system against most threats. It’s important to keep in mind that new malware appears every day, so there’s always the chance that some “zero-day” threat will infect your system but that’s honestly the chance you take by being online in the first place.
On Windows 8.x, Windows Defender is installed and enabled by default. In order to avoid having conflicts with any new AV software you install, you should first disable Defender and then immediately install your new AV.
To disable Windows Defender, open it from the Control Panel. Click on the “Administrator” option from the “Settings” tab. Uncheck the box next to “Turn on this app” and click “Save changes”.
A box will pop up warning you to check your AV software in the “Action Center” control panel. You can simply dismiss this box and install your new software.
Use Malwarebytes for spyware
Whatever AV scanner you choose, you should always have some kind of back up, just in case something slips through.
No one anti-malware scanner seems to completely do the trick. However, you can usually get by with one and back it up with Malwarebytes.
Malwarebytes has been the go-to anti-spyware app of choice for geeks for as long as I can remember. I like Malwarebytes because it’s good at what it does, rooting out spyware that your regular AV program might have missed.
You can purchase Malwarebytes, which will extend other benefits. It can also serve well as your primary malware software; however, I like that you can install it as a standalone app and run it as needed. This allows your regular AV software to function normally without any conflicts.
The full version does offer some nice features like real-time protection and scan scheduling, but the free version is more than capable of serving your needs.
Scanning Your System with Malwarebytes
When you start Malwarebytes, it may ask you to update your malware definitions. Click “Yes” to start the process; it should only take a few minutes.
The main scanner window has nine tabs but I want to concentrate solely on the “Scanner” tab for our purposes. The “Scanner” tab gives you three options. You can perform a “quick scan” that simply checks your system for malicious software. You can also do a “full scan”, which will allow you to select the drive or drive(s) you want to check. And finally, you can do a “flash scan”, which will check your memory and auto run (removable media such as flash drives). This last option is available only to users who buy the full program.
For most, the quick scan should be sufficient. As you can see in the following screenshot, it only took a few minutes to scan our system, and Malwarebytes found a total of 5 potential threats.
Click “OK” to see what the program found. Check off everything you want to remove (if it isn’t already selected) and click “remove selected” to clean your system.
Once finished, Malwarebytes will generate a log and save it in its program folder. This will allow you to later review your removal history, just in case you want to research the threats the program removed.
If necessary, you may need to restart your system to entirely complete the removal process.
Browser extensions and plugins
How much do you know about those browser extensions and plugins you have installed? Well, as you may or may not be aware, many Google Chrome extensions are sold to malware distributors. According to this article published recently on How-To Geek, your browser extensions are basically spying on you, the gist of which is:
- Browser add-ons for Chrome, Firefox, and probably other browsers are tracking every single page you visit and sending that data back to a third-party company that pays them for your information.
- Some of these add-ons are also injecting ads into the pages that you visit, and Google specifically allows this for some reason as long as it is “clearly disclosed”.
- Millions of people are being tracked this way and they don’t have a clue.
The HTG article provides a great deal of invaluable information on how this happens but in sum:
- Many extensions insert ads into pages you visit and track you as you surf the Internet.
- Bad behavior is buried in tedious end user license agreements (EULA) and complicated privacy policies.
- An extension can often change hands or update without your knowledge or permission.
- Some extensions include tracking code that is disabled by default, which can then be enabled remotely after you install the extension.
The long and short of it is that it’s all too easy to surrender a great deal of personal and personally identifiable information with just a few careless clicks of the mouse.
But What about Plugins?
Further complicating matters are plugins. Everyone knows what plugins are. Plugins have been around for as long as graphical Internet browsers (think Netscape Navigator) have been in existence. A plugin is basically a little helper that allows you to perform actions such as streaming video (Silverlight, Flash) or viewing documents (Adobe Reader) in your web browser.
For the most part, plugins are harmless and are associated less with malware than with security exploits. Notably, Adobe Flash and Oracle Java seem to run into more than their fair share of problems. The biggest problem with plugins isn’t so much their insecurities as their inherent usefulness and how much of a pain it is to surf without them. For example, without Flash, you can’t watch YouTube videos, without Silverlight you can’t watch Netflix movies, and Java, while seemingly useless 99% of the time, somehow manages to be that one plugin you need for that one specific task that you can’t accomplish any other way.
The good thing is, despite the risks associated with plugins and extensions, you can easily handle any problems, present and potential, with a few easy steps.
Auditing your Extensions and Plugins
There’s no easy way to tell if your extensions are spying or if your plugins are insecure. Here’s a list of extensions that you can compare to your own, but it’s nowhere near comprehensive. At last glance there are hundreds and hundreds of extensions available for Google Chrome, Mozilla Firefox, and Internet Explorer.
If you use any or all of these three browsers, and it’s likely you do, then you should know how to handle add-ons for each. Treat extensions and plugins like you would system applications: if you use an extension every day, or at least regularly, then you should keep it.
If you don’t use an extension, or you can’t remember why you installed it, or you don’t remember installing it, then you should by all means remove it, or at least disable it. Of course, if you have any doubts, do a simple Google search on whether anyone has cited it as spyware. If the extension has reviews, then you should read those too.
Plugins, on the other hand, should be kept updated and/or disabled unless you need them. Obviously you’re going to want to leave your Flash plugin enabled, it would be a pain to always have to enable it every time you wanted to watch a YouTube video. But, you still want to make sure it is always up-to-date.
Google Chrome
I start with Google Chrome because it’s our favorite and chances are you either use it or Internet Explorer. In Chrome, you can quickly access your extensions by typing “chrome://extensions” which will show the “Extensions” settings.
Very simply, if you want to disable an extension, uncheck the “Enabled” box and if you want to remove it, click on the trash icon.
Similarly, type “chrome://plugins” to see the “Plug-ins” installed on your browser. Note, you can quickly enable/disable by clicking the link. If a plug-in needs to be updated, it will give you an “Update” option (you should click it).
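To go one step beyond reading the list on chrome://extensions, the added example below (not from the original article) flags installed extensions whose manifest asks for access to every page you visit, which is the capability the tracking described earlier depends on. It assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json` inside your profile folder; the function names and the two sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or change every page you open.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def page_access(manifest):
    """Return the broad host patterns a parsed manifest requests, sorted."""
    patterns = list(manifest.get("permissions", []))
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted({p for p in patterns if isinstance(p, str) and p in BROAD_HOSTS})


def audit_extensions(extensions_dir):
    """Walk <id>/<version>/manifest.json and list extensions with broad access."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        broad = page_access(manifest)
        if broad:
            findings.append({"id": path.parent.parent.name,
                             "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"),
                             "broad": broad})
    return findings


def build_sample(root):
    """Write two constructed manifests so the audit can be tried offline."""
    samples = {
        "aaaa-constructed-tracker/1.0_0": {
            "name": "Coupon Helper (constructed)", "version": "1.0",
            "permissions": ["tabs", "http://*/*", "https://*/*"]},
        "bbbb-constructed-scoped/2.3_0": {
            "name": "Site Notes (constructed)", "version": "2.3",
            "permissions": ["storage", "https://example.com/*"]},
    }
    for rel, manifest in samples.items():
        folder = Path(root) / rel
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_dir:
        build_sample(demo_dir)
        for item in audit_extensions(demo_dir):
            print(item["id"], item["name"], item["broad"])
```

Point `audit_extensions` at your own profile's `Extensions` folder to check a real installation; anything it lists is a candidate for the keep, disable, or remove decision described above.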
Internet Explorer
Internet Explorer doesn’t have as many add-ons but that doesn’t mean you shouldn’t know how to administer them. To open the add-ons settings in IE, click the small gear icon and select “Manage add-ons”.
IE lumps extensions and plugins together. To disable anything, right-click on the item and select “Disable”.
Mozilla Firefox
Mozilla Firefox does have a lot of extensions and many of those can be suspicious too. To open the “Add-ons” settings, click on the orange Firefox button in the upper-left corner.
The “Add-ons Manager” collects everything in one place. Click on the extensions tab to attend to those. As you can see, you simply need to click the appropriate button to disable or remove any extensions associated with your Firefox installation.
Plugins are a bit different. Firefox lets you set each plugin to ask to activate, always activate, or never activate. This means you can either leave a plugin enabled, completely disabled, or you can decide when the time comes whether you want to use it.
At the top of the plugins screen is a gear icon that allows you to choose your update methods. Note, “Update Add-ons Automatically” is enabled by default.
Passwords and securing your system
Stop for a moment and think about that laptop computer or tablet you carry around wherever you go. Pause and reflect upon your computer, slung across your shoulder like a modern day shield. You carry around your digital lives, storing phone numbers, addresses, shopping habits, friends and family photos, e-mail, and many more pieces of information that, even a little over a decade ago, I would have never thought of as possible.
Those little devices I take for granted contain a treasure trove of information. If left unprotected, they pave the way for cyber-thieves to access our most valued personal data: bank and credit card accounts, social security numbers, where I live, who I interact with, etc. These devices are a portal into our private worlds. You wouldn’t walk around with your address and phone numbers emblazoned upon your shirt but, leave your laptop or tablet behind somewhere and you might as well have done just that.
Luckily, there’s a very simple and practical way you can safeguard your data. It doesn’t require a major investment of cash or time, just a little thought and creativity. A strong password can easily place a virtually impenetrable firewall between you and even the most determined digital burglars. Passwords represent the first, and often last, line of defense between you and your peace of mind. But the keyword here is “strong”.
The strength of your password makes all the difference between foiling even the most determined of crooks and simply wasting a little bit of their time before they guess or hack their way in. Think of a password as a moat surrounding your castle. Will your moat be a watery canal that someone can lazily float across or will you stock it with piranha, crocodiles, and submerged hazards? How well you protect yourself is entirely up to you.
Creating Strong Passwords
First things first, to create a good, strong password you want to avoid some very common mistakes.
- Don’t use a dictionary word. One of the primary methods for cracking a password is a “dictionary attack”.
- Don’t use commonly misspelled words, abbreviations, or words spelled backwards.
- Don’t use a sequence of numbers or letters such as 12345678 or QWERTY.
- Never use personal information such as your name, pet’s name, your birthday, or any other similar information that can be easily researched or socially engineered.
- Never write down your password or share it with anyone.
Keys to Strong Password Creation
Knowing this, there are several keys to creating a strong password.
- A strong password should be a mixture of letters (upper and lower case), symbols, numbers, and punctuation.
- It should be at least eight characters. Short passwords are easier to crack.
- You should use a different password for every website. A cyber-thief can hack into a website with the weakest security and then use your information on ones with stronger security.
- Try to change your passwords at least once every three months. If you suspect your password has been compromised, change it immediately!
- While it is a good idea to substitute symbols for letters, most password hacking software will automatically account for many common conversions such as “&” for “and” and “2” for “to”.
- Take advantage of all the characters on your keyboard, not just the ones you use every day.
- Make things easier by using a password manager such as LastPass or KeePass. That way, you can have as many long, complex passwords as needed and you only need to remember one.
Now Create Your Own …
Now that you know what and what not to do, let’s create an example strong password that you can easily remember.
- Start with a simple sentence: Strong passwords are the best!
- Next, remove the spaces between each word: Strongpasswordsarethebest!
- Mix things up a bit by intentionally shortening or misspelling some words: Strawngpassw0rdsRtehBest!
- Finally, you can make the password even stronger by adding some numbers: Strawngpassw0rdsRteh2014Best!
And really, that’s all there is to it. You can check the strength of your password by running it through a password checker, which can be easily found online. By always following these simple rules and then utilizing these methods to create strong passwords, you can ensure that your personal information will be relatively safe and sound from prying eyes.
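The rules above can be checked locally instead of in an online checker. The sketch below is an added example, not part of the original article: it tests length, character mix, dictionary words (including backwards spellings and common symbol swaps, which cracking software undoes automatically), keyboard sequences, and personal information. The word list is a small constructed sample and all function names are hypothetical.

```python
import re

# Constructed mini word list for the demo; a real checker loads a large dictionary.
DICTIONARY = {"password", "strong", "dragon", "monkey", "welcome", "secret"}

# Symbol-for-letter swaps that cracking tools reverse automatically.
SUBSTITUTIONS = str.maketrans("013457@$", "oleastas")

ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
        "abcdefghijklmnopqrstuvwxyz"]
RUN = 4  # shortest keyboard or alphabet run treated as a sequence


def _letters(text):
    """Undo common substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.translate(SUBSTITUTIONS))


def _is_dictionary_word(lowered):
    # First candidate: padding such as "123" or "!" stripped from both ends.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for cand in {_letters(core), _letters(lowered)}:
        # Also test the reverse, since backwards words are on the avoid list.
        if cand and (cand in DICTIONARY or cand[::-1] in DICTIONARY):
            return True
    return False


def _has_sequence(lowered):
    lines = ROWS + [row[::-1] for row in ROWS]
    grams = [lowered[i:i + RUN] for i in range(len(lowered) - RUN + 1)]
    return any(g in line for g in grams for line in lines)


def find_problems(password, personal=()):
    """Return the list of rules from the article that the password breaks."""
    lowered = password.lower()
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if not all(classes):
        problems.append("missing_character_classes")
    if _is_dictionary_word(lowered):
        problems.append("dictionary_word")
    if _has_sequence(lowered):
        problems.append("sequence")
    if any(len(p) >= 3 and p.lower() in lowered for p in personal):
        problems.append("personal_info")
    return problems


if __name__ == "__main__":
    for pw in ["12345678", "P@ssw0rd!", "drowssaP1!",
               "Strawngpassw0rdsRteh2014Best!"]:
        print(pw, find_problems(pw))
```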
Security Questions Can Be Like Password Kryptonite
In recent years, many websites have started instituting security questions as a means of helping people remember or reset forgotten passwords. At first glance, this seems like a great idea. Answer a few simple questions, like the name of your favorite pet or the town where you were born, and you’re given the option of then resetting your password.
Security questions are an effective way of saving companies money on support costs because users no longer have to call in to reset their passwords. And, they are also safer than trying to identify a user over the phone. The biggest problem with this method is that answers to these questions can often be discovered with a little research and social engineering.
Unfortunately, there’s no easy answer to the security question problem. “Good” security questions shouldn’t be easy to guess and the answers shouldn’t change. Your favorite book at the moment may be “War and Peace” but say you read “Crime and Punishment” and it becomes your new favorite. A good security question then would not be “What is your favorite book?” because the answer can change over time.
Security Questions: Dos and Don’ts
Here are some handy tips you can use to overcome the inherent problems associated with security questions.
- Invent bogus answers that only you will know. This helps prevent someone from using social engineering to gain access to your account.
- Write down your question/answer combinations or better yet, use a password manager such as LastPass or KeePass to store them.
- Don’t pick the same security questions for every account. For example, don’t answer the mother’s maiden name question for your e-mail and your social networking account(s).
- Don’t answer questions that involve personal information or can be easily guessed.
- Answer questions such as you would when creating a strong password. Use special characters, numbers, and symbols instead of letters.
As risk-prone as they are, security questions currently represent the best available idea for easily resetting your password. Until someone comes up with a better solution, a user’s password security will only be as good as the questions that are asked, and the cleverness of the answers you provide.