"A truly secure computer is one which has never been turned on." This subject is vast. Fortunately many have already done most of the work for you.
For the updates mentioned below, you need a live Internet connection.
OS updates
Whether you're running the Windows, MAC, or other Operating System, make sure that its Automatic Updates feature is always turned on.
For Windows: right click My Computer > Properties > Automatic Updates tab > Automatic (recommended) radio button > select Every Day in the dropdown list > select a time when the computer is normally running > click OK.
Periodically check the update page on the OS manufacturer's web site, in case you missed any. In recent years, the update process has become automated and secure.
To manually start it in Windows: click Start > Programs > Accessories > System > Windows Update.Security software
Anti-virus software alone is no longer enough. Install a full security suite from a major brand, such as BitDefender, Kaspersky, Microsoft Security Essentials, Avast, NOD32, AVG, Avira, McAfee, Norton, or Trend Micro.
A full suite includes protection from data theft, phishing sites, spam e-mail, trojans, viruses, worms, and unauthorized system changes, firewall protection against intrusion over wired and wireless networks, cleanup of usage tracks and temporary files, real time and scheduled system scans, parental controls, and automatic updates.
Use only one security suite. If two are running, they will obstruct each other and may cause system or network conflicts. If you're using a patchwork of firewall, antivirus, antispy, antiphish, etc from various vendors, run only one of each kind.
Full security suites update themselves automatically by default. Make sure this is turned on. Updates normally occur every day or two. Also, a full suite checks media, such as floppy and optical disks and USB drives, as soon as they are mounted; so make sure this feature is turned on as well.
Free security software, such as AVG anti-virus, is certainly better than nothing, especially with judicious use of the rest of these tips. There are also system scanners such as Safer Networking SpyBot Search & Destroy. Do what you can, but remember that you usually get what you pay for. Exception: Microsoft Security Essentials is highly regarded with excellent reviews.
Our recommendation: the Kaspersky Internet Security suite is magnificent.
As soon as this file lands on your hard drive, your security software should instantly react to it as a virus (such as deleting it or placing it in quarantine).
Never attempt to test with a real virus! This is like setting your house on fire to test your fire alarm.
Note that some anti-virus software may lock the file in place to prevent access, and you may not be able to delete it. Check your manual first, and don't download the EICAR test file where it could be permanently in your way, such as on the desktop.Internet browsers
Make sure you're using the latest version (they're free) of a major brand browser, such as AOL, Firefox, Internet Explorer, Mozilla, MSN, Opera, Safari, or Thunderbird. The next few steps take place in your browser.
Generally speaking, you should set the browser's security for the Internet to the "Medium" or "Medium High" default settings. On the browser's main toolbar, click Tools > (Internet) Options > Security tab. Then look for Default settings.
Check the browser's options or security settings for an anti-phishing or anti-forgery feature and turn it on. On the browser's main toolbar, click Tools. If the feature isn't on this dropdown menu, continue to Options > Security tab.
If you turn off Java and/or JavaScript in the browser, this provides slightly more security, but disables many useful features on legitimate web sites. Other security measures are more effective.
Most browsers can display a "status bar" at the bottom of the browser window. If it's turned off, the browser can display one extra line of text; however, the status bar can display several kinds of useful information, including the actual destination of links on a web page (more about this later). On the browser's main toolbar, click View, and turn on the Status Bar.Software updates
Check important software which you use often for a manual or automatic update feature. If it doesn't have one, check the company's web site. Manufacturers regularly issue free updates for improved functionality and security.Make a point of familiarizing yourself with the appearance of normal windows and message boxes and with normal behavior of your operating system and applications. Take note of formats, coloration, logos, etc. Typically, designers consistently stylize these items for brand recognition. OK, you knew that.
You may also know this helps you recognize when your system or programs are presenting legitimate windows and messages; and it can also help you recognize when malware is at work because it just doesn't look right. Here's an example.
They went on vacation for a week, leaving their teenage son Home Alone with the computer. Through either social networking (a prime virus vector) or other surfing, a program called "Personal Antivirus" (PAV) was downloaded to the computer and attempted to install.
PAV is malware which pretends to be security software: the initial infector boldly and continuously announces that your computer is badly infected with other malware, and demands that you buy the full version of PAV to correct it. If you buy it, it makes a much worse mess of your system, and also provides the scammer with your credit card number. The point is PAV's sophomoric messages and belligerent behavior looked nothing like those of the legitimate antivirus software installed on the computer.
When PAV attempted to install, the real antivirus halted the installation, posted a message that it had stopped a potentially dangerous program, and offered options to permit or deny installation. Having no familiarity with the real antivirus, the son instructed it to permit the installation and to make the new malware "trusted."
Mom and Dad returned to find those annoying messages from PAV, decided the legitimate antivirus was no good, and took the computer to a dealer to disinfect it (and likely replace an excellent antivirus with something less). The simple solution: open the real antivirus and delete the "trusted" entry for the malware; then when the antivirus prompts to remove the malware, make it so.
The bottom line: lack of familiarity, combined with an at-risk configuration and a $30 savings, cost them about $100 and two to four days' time.———•———
System barriers
Disable the Guest account on your computer. It isn't possible to assign it a password and, while it has little authority, it provides an entry point from which a hacker can escalate his privileges on your system. Open My Computer > Control Panel > User Accounts > Change An Account > Guest > Turn Off the Guest Account.
Make sure all other user accounts on your computer, and your login accounts on the Internet, have complex passwords. Certainly it's much easier to log in without a password, both for you and an intruder. By saving a few seconds, you could lose a mountain of money and time.
If having any password, let alone a complex one, seems problematic, here's more.
Don't use a single common word (like "test"), a string of the same characters (like "1111"), ascending or descending strings (like "abcd"), adjacent keyboard characters (like "qwerty"), any string less than 8 characters, all or part of your name, Social Security number, birth date, address, telephone number, company name, department, or login account name, or names which are popular in advertising, commerce, or entertainment (like "spiderman").
All such passwords are easily guessed using software which performs a "dictionary attack". The ideal password is a mix of random letters, numbers, and special characters, and which is at least 15 characters long! However, a good strong password should be a headache for an intruder, not for you.
Do use a longer string, known as a "passphrase", and mix upper and lower case letters and numbers together. Some web sites allow only letters and numbers in passwords. Other sites, and your computer, allow special characters (like "$" and space). If so, use them - as long as they are common keyboard characters.
Here is a passphrase that's easy to remember, and easy to guess: "iseeclearly".
Here is an upgrade: "eyeseaclearly".
Using upper and lower case doubles the character set and multiplies the guesswork for each character by a factor of 26: "EyeSeaClearlY".
Numbers increase the guesswork by an additional factor of 10 per character: "Ey3SeaCl34r1Y". Here, some letters are replaced by numbers which resemble them - 3 (E), 4 (A), and 1 (l). Use zero for "o", and so on.
Special characters increase the guesswork by an additional factor of about 26: "Ey3$ea_Cl34r1Y". In this passphrase, each character position could be any of 88 different characters, and there are 14 positions.
To "crack" that passphrase, the intruder might need to guess 8814, or about 1.67 octillion, combinations. Even using shortcuts, he probably doesn't have this much computing power or lifespan. But since the world can see this example passphrase, don't use it!
To really give that guy a headache, computers normally encrypt the field where you enter your password (a "password box"). Typically, as you type your password, it is masked by "*" (asterisk) characters.
To simplify:
Pick something you're going to remember, which is at least 8 characters, and then mess it up a bit like we've shown.
Keep multiple passwords in an encrypted file, like we mentioned in Change & Error Logs. That way, you only need to remember the passwords to log on to your computer and to open the encrypted file.
It is recommended that you periodically change your passwords, especially if they are short. Don't use the same password everywhere - it will work as well for a thief as it does for you.
You can test the strength of your password with the Microsoft password checker - it does not collect, store, or transmit your information.
Make your logon password required to resume operation when the computer returns from Logoff, Standby, and Hibernate modes: open My Computer > Control Panel > Power Options > Advanced tab > check Prompt For Password When Computer Resumes From Standby > click OK.
You can achieve more protection by requiring a password to turn off your screen saver: right click an empty area on the desktop > Properties > Screen Saver tab > check On Resume Password Protect > click OK. This can become annoying if your screen saver is set to begin after a short duration of inactivity.
Encrypt your sensitive files. If your hard drive is formatted with the NTFS file system, you can encrypt an entire folder. However, encrypt only your own folders and files. Never encrypt any system folders or files; otherwise, you may permanently disable your system.
Disable the Telnet system service. Click Start > Run > type services.msc into the box > click OK. Scroll down the list of system services to Telnet > double click it > click the Stop button and wait for the service to stop > click the dropdown box at Startup Type > click Disabled in the dropdown menu > click OK.
While you're there, Stop the Messenger service (it's simply called "Messenger") and set its Startup Type to Manual.
———•———
Physical barriers
Never reveal your passwords to anyone, except under the following conditions: upon demand by a judge in a court of law, or upon threat of immanent bodily harm. No one else - whether family, friends, coworkers, corporations, or scam artists - has any right or authority to demand your passwords.
If you must write down a password, never leave it where it is accessible by others. Lock it in a safe, or record it in an encrypted file. Treat your Social Security number like a password, but never use it as a password.
If you have startup disks, USB security keys, or other physical "back doors" which can logon your account without requiring a password, lock them in the safe as well.
If you are about to enter a password on the computer and someone else is close enough to watch you type, ask him politely but firmly to move away while you enter your password. If he continues to hover, just don't enter the password.
Avoid leaving your computer running unattended. Lurking family, friends, coworkers, children, and elves await their window of opportunity. Instead, take your computer out of active service: click Start > Shutdown > from the dropdown box, select Stand By, Hibernate, Log Off, or Shutdown > click OK.
If you have an "always on" Internet connection, it is not required to be "always on"! If you won't be using the Internet for a period of time, or if it becomes necessary to temporarily shut down your firewall, you can safely shut down or physically disconnect your modem or router. This reduces the window of opportunity for intrusion via the network. Keep in mind that your computer cannot seek or receive automatic updates while it is disconnected from the Internet. If you need to be "always on", then using a major brand full security suite with current automatic updates is a requirement, not an option.
Use a router which has a built in Network Address Translation ("NAT") firewall. This periodically changes your Internet address, reducing a hacker's opportunity to breach your system or analyze it for security holes.
Physically bar access to your computer by keeping it in a locked room. If you will be away for an extended period, lock the computer in a safe.
As external backups and storage hardware become obsolete, make sure all sensitive data is destroyed.
If the media is writeable, "wipe" the data using a secure deletion program to ensure the data cannot be retrieved.
For read-only optical disks, physically destroy the disks so they cannot be read. If you like expensive toys, you can buy a heavy duty shredder which will chew them up. Otherwise, put on protective eyewear and carefully snap them into pieces in a waste basket - watch out for flying shards and foil. Alternately, stack up several disks, bind the stack with mailing tape, and drill several holes through the stack.
If you are recycling your system drive, or the entire computer, you can just wipe the sensitive data, or use specialized disk wiping software to "nuke" the entire hard drive.
If all else fails, put on protective eyewear, grab a big hammer, and have some low-tech fun!
———•———
Street Smarts
The Internet is Babylon in electronic form. Your computer becomes a window to the world. While there are seemingly endless benefits, you should exercise the same caution that you would in a crowded street.
Like people, computers can portray factual information, arrange bits of color and sound in any order to create a virtual fantasy world, and blend fact and fantasy seamlessly.
Unless you're deliberately searching for trouble, most of the content you will find on the Internet is relatively harmless. Along with the advice on the rest of this page, use the following concepts and practices to help you avoid the occasional snake pit.
Our first tip is ridiculously simple: let's call it the "do nothing", or "just say 'No'" concept. While there is nothing new about advertising, the Internet makes it easy for you to accept every kind of offer (or demand) without even needing to get off your chair; but convenience alone is no reason to "Click Here".
Enable your browser's phishing or forgery filter to help prevent you from accessing known malicious web sites. Some of these sites are even dressed up to look like legitimate ones.
As you navigate the waters, you gradually develop a mental catalog (and a list of "Favorite" links) of trustworthy companies and their web site addresses. Make it a point to learn and/or list the web site addresses of financial institutions with whom you do business online. When you visit a site, its address is initially displayed in your browser's address bar so that you can verify it.
Visually inspect each page you visit for check boxes () or radio buttons () which are preselected (checked or otherwise marked) to indicate that you agree to receive communication from the company or owner. Unmark them if you don't agree; otherwise, when you exit that page, you have automatically given your legal consent to a business relationship. This implies your consent to receive unlimited quantities of their advertising and legally prevents you from reporting it as spam. Look carefully, because these little "agreements" are often sized and placed so they are easy to overlook. If the site has a privacy policy, read it carefully.
Many web sites are supported by third party advertisers. The web site you purposely visit may be quite safe, but its owner likely will not accept responsibility for anything that happens if you follow a link to a third party site.
———•———
Before you click a link to a web site, hover your mouse pointer over the link without clicking it - usually the address of the target site will be displayed in the status bar at the bottom of the browser window. Be wary of addresses where the domain is an "IP address" (a set of four numbers from 0 to 255, separated by periods) such as "http://123.123.123.123/...".
If your curiosity exceeds your suspicion, go to http://whois.domaintools.com/, open their WhoIs page, and use the form to find out who really owns that site. The site's domain address is specified between the "http://(www.)" and the next "/".
Common suffixes are .biz (business), .com (commercial business), .edu (school), .gov (government), .info (informational, usually advertising), .net (networking business), .org (non-profit business, but not always), and a long list of country codes, such as .cn (China), .de (Germany), .it (Italy), and .ru (Russia).
If the address contains the search character "?" followed by another web site address, it may be hard to tell where you'll end up, so double check that the initial domain address belongs to a company you trust.
Now here's a test. Hover your mouse pointer over the above link to whois.domaintools.com and look at the web site address which appears in your status bar. For comparison, check the status bar when you hover over the following link (but don't click it!):
If you did click that link, don't worry: we created a harmless example of a fraudulent web page, so it's actually a fake fraud!
You can also get Web Site Safety Reports, as well as a browser toolbar, which advise whether a given site has weak security or is associated with code exploits, malware, fraud, spam, or sleaze.
We recommend installing the browser add-on from Web of Trust. In addition to warning about, or optionally blocking, bad sites, this tool also marks the sites listed in Google search results pages with rating symbols.
———•———
Would you like to be famous? To spammers, you already are. Once they get your e-mail address, they'll send you lots of notices which contain suspicious links and language like the following:
YOU (have been specially selected to) WIN (a chance at winning) MEGA$$$ - JUST CLICK HERE!!!
TAKE THIS SURVEY AND GET A FREE FINGER PUPPET!!!
(Story of tragic death goes here.) Rich foreign heir desperately needs to transfer mega$$$ inheritance to your account so the government doesn't steal it, and promises huge compensation for your trouble. (the so-called "Nigerian" scam)
HELP FIGHT CONTINENTAL DRIFT!!! CLICK HERE!!!
COMPUTERS, DRUGS, HARDWARE, JOBS, MAGIC BEANS, MINERALS, SHOES, SOFTWARE, STOCKS, WATCHES, 1,000% DISCOUNTS!!!
we had to upgrade our servers against fraud ... we found suspicious activity on your account ... your access will be / is blocked until you give us your account information
Very often the sender's e-mail address is "spoofed" so it seems like it came from a legitimate company - such as "service@paypal.com". The e-mail message may even contain a legitimate company's logo.
Know this: legitimate companies do not ask for sensitive personal information by e-mail. Software companies do not send you software by e-mail. Microsoft normally doesn't even send notices about software by e-mail.
Check the recipient's e-mail address. It should be yours, but is it? If it isn't, what is it doing in your mailbox? Delete it!
When an e-mail contains a live link, hover your mouse pointer over the link. Unlike a web page, your browser may display the actual link address in a small pop up line. If it doesn't, you can right click the link, select Copy Shortcut from the context menu, then open your favorite text editor or word processor and paste the link address into the page. If the e-mail seems legitimate but the link looks fraudulent (or you can't decide), do not click!
Even if the e-mail contains a button to decline the offer, or to stop receiving future offers, do not click - delete the e-mail. Any reply to a spammer just confirms that your e-mail address is valid.
If a suspicious e-mail seems to be from a legitimate company with whom you normally do business, and if you feel that some action is warranted, look up the company's number in your own personal phone directory or on their genuine web site - do not use a number or link in the e-mail - then call the company to find out the facts.
E-mail attachments are files sent with the e-mail - it's a common method of sharing documents and pictures. If you receive an e-mail with an attached file, and if you cannot be completely certain that the sender is trustworthy, do not open, view, download, or "save" the attachment.
You can turn bad e-mail to good purpose by forwarding it to the Federal Trade Commission at spam@uce.gov. Make sure the original e-mail is included in your forwarded message, but do not add comments or change anything in the message or subject line. If you know how, include the e-mail headers above the message.
If the sender's e-mail address is spoofed to look like it's from a company you recognize as legitimate, you can do that company and its customers a favor. Forward the e-mail to abuse@companydomain; for example: abuse@amazon.com.
Many companies won't reply. Some may reply with a list of complex procedures and by whining that you haven't done enough. Ignore them. Others, such as Amazon.com and eBay.com (spoof@ebay.com) will encourage you to send more.
Some invasive programs extract e-mail addresses from your address book or contacts list and secretly use them to spam people who trust you.
You can help hijack this process with no more effort than adding the e-mail address "spam@uce.gov" to your lists so spammers can report themselves! This also makes it easier for you to report spam.
We even made a special page of email addresses just for spammers.No matter how mad you get, don't reply to spammers - this just lets them know that your e-mail address is real. Use a mail filter to throw their stuff into your "junk mail" folder. You may also be able to have junk mail deleted automatically. If you do, legitimate e-mail may be inadvertently deleted. Remember to clean out your junk mail folder periodically; if it fills up your allotted space, no one can send you e-mail.
For more information about fraudulent e-mail messages and web sites, and safely shopping and job hunting online, visit these Microsoft Security pages:
Recognizing Phishing Scams and Fraudulent Hoax Emails
Credit Card Fraud and Online Scam Resources
Online Job Hunting Scams and Online Phishing Scams
U.S. government computing security info for the public:
———•———
When you send e-mail, you should include a subject line. Some mail filters will throw your message in the trash if the subject is blank or "no subject". Especially if you're just sending a link, it's helpful to add a brief message to identify yourself.
When you send e-mail to a group (a list of several recipients), do them all a big favor. Put only your own e-mail address in the "TO:" field, and put all of the recipients' e-mail addresses in the "BCC:" (Blind Carbon Copy) field. There are a couple of good reasons for this.
Each recipient gets the e-mail showing only his, and your, e-mail address. If he forwards your e-mail to others, any one of them who is a spammer will not get a nice list of many valid e-mail addresses. Also, you avoid offending anyone who is afraid his reputation will be tarnished through association with others on your group list.
———•———
In a nutshell ...
You don't have to be a fly, caught in the world wide web. Keep your software updated, your shields up, your eyes open, and your instincts sharp. Above all, learn, and enjoy!