
03/07/2004 Archived Entry: "Bulletproof computing: smart users"

This is what happens when you trust the government for your computer advice. According to the Internet Storm Center,

A recent advisory sent by the US Federal Trade Commission about a way to recognize "safe" websites when conducting sensitive transactions contained an incorrect statement. The statement implied that if a Lock icon was visible then SSL was in use and that was a safe site. In this way it is possible to recognize a site that is using SSL, but since this could also be a fraudulent certificate, it is not possible to identify fake or real websites by the lock icon alone.

So when you see the little "lock" icon in the corner of the browser window, it does not mean that you're talking to a legitimate site. Phony sites can use secure web pages too.

Am I too paranoid? A reader recently asked if it is even possible to safely connect a computer to the Internet, and if email is worth the trouble:

For a couple of reasons in addition to spam, I am becoming "alienated from email" - and computer use in general. My question is: What is the alternative to (effective) email use? Is there any?

And another question: I currently use broadband, which means my computer is open all the time. Frankly this makes me nervous, no matter how many firewalls I have on board. Must I forever have (at least) two computers, one connected to the Internet, the other not, in order to be absolutely sure that no one can get through to my files?


Short answer: for absolute, impervious, top-secret security, you use a computer that is never, ever, connected to a modem or a network. But unless you're a defense contractor, you don't need that level of security. We're online almost constantly, we use email heavily, and we've never had a successful intrusion. Here's how.

What we have is a layered defense:
1. Spam/virus filtering at the ISP.
2. Firewall at our router.
3. Secure operating system.
4. Secure email and web software.
5. Anti-virus software.
6. Informed and aware users.

I'm going to talk about all of these, but let me start with #6, because this is the most important line of defense. Almost nothing will protect you if you have careless or stupid users. But intelligent users who refuse to be duped are safe from maybe 80% of the threats out there. So teaching your users about email and web safety should be your #1 priority. (I'm assuming you have several people who use your computer system, either employees or family members, as the case may be. If not, think of yourself as the sole "user.")

Our first rule for email: never open an executable attachment. This implies learning to recognize an executable attachment. You can tell this by the file extension: among others, .exe .com .pif .bat .scr .vbs .shs are executable. If your email client doesn't show the file extension, or (worse) opens attachments automatically, GET RID OF THAT SOFTWARE and get something safe.

.doc and .zip files require care. .doc files (Microsoft Word documents) may contain "macro viruses." If you receive a .doc from an untrusted source -- which could include friends who aren't savvy about computer security -- disable Word macros before opening it, or better still, open it with an alternative word processor (like OpenOffice). .zip files are often used to send ordinary data, but lately have been widely employed by viruses. If you don't know how to safely view the contents of a zip file, it's best to not open it.

So far, that simple rule has protected us from infection. (We've received one .doc file from an infected associate, but I ran a virus scanner over it before opening it, and the scanner warned us in time.)

But with so many viruses snooping into address books and spoofing return addresses, we now have a second rule: don't open attachments unless you're expecting them. If you want to send me an attachment, it's best to first send me a plain email warning me that an email-with-attachment will follow.

Also remember: your bank, your credit card company, eBay, PayPal, your ISP, Microsoft, or any other software company will never send you an attachment you must execute. That's a clear tip-off of a scam. All legitimate companies will make files available for download from their web site, if you need them, and you shouldn't need them from anyone other than software manufacturers. (If an email from your bank says you need to install some software on your computer, be very suspicious.)
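The two attachment rules above boil down to a small filename triage. Here is that triage in Python, added as an illustration and not code from the post: the extension sets are the post's own lists, while `real_extension`, the `expected` flag, `triage` and the sample filenames are my constructs.

```python
# Extensions the post lists as executable, lower-cased for matching.
EXECUTABLE = {".exe", ".com", ".pif", ".bat", ".scr", ".vbs", ".shs"}
# Formats the post says need care: Word macros in .doc, executables hidden in .zip.
NEEDS_CARE = {".doc", ".zip"}


def real_extension(filename: str) -> str:
    """The extension that decides how a file is opened: the last one.

    Lower-casing catches "README.EXE"; taking the last piece catches
    "photo.jpg.exe" and "invoice.txt          .scr", where padding pushes the
    true extension out of a narrow attachment column in the mail client.
    """
    name = filename.strip().lower()
    if "." not in name:
        return ""                     # no extension at all: cannot be judged by name
    return "." + name.rsplit(".", 1)[1].strip()


def attachment_risk(filename: str, expected: bool) -> str:
    """Apply the post's two rules to one attachment.

    expected: True only if the sender warned in advance (plain email first)
    that an attachment was coming.
    Returns "block" (never open), "hold" (ask the sender before opening),
    "care" (scan it, disable macros, or use an alternative viewer) or "ok".
    """
    ext = real_extension(filename)
    if ext in EXECUTABLE:
        return "block"                # rule 1: never open an executable attachment
    if not expected:
        return "hold"                 # rule 2: not expected, so confirm out of band
    if ext in NEEDS_CARE:
        return "care"                 # .doc / .zip: open with care even when expected
    return "ok"


def triage(attachments):
    """Classify (filename, expected) pairs; returns {filename: verdict}."""
    return {name: attachment_risk(name, exp) for name, exp in attachments}


# Constructed sample inbox, not real messages.
SAMPLE = [
    ("setup.EXE", True),
    ("photo.jpg.exe", True),
    ("invoice.txt                              .scr", True),
    ("minutes.doc", True),
    ("agenda.doc", False),            # nobody said this one was coming
    ("notes.txt", True),
]
```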

Also remember that links in email can be hazardous. We always send our links in plain text, but remember it's possible for a link to display one URL and yet link to another. Check the link before you click. (Usually as soon as you put the mouse pointer over the link, the "real" URL will appear somewhere on your screen.) Again, don't click on links from an unknown, untrusted, or suspicious source. Be careful of cryptic messages like "Check this out!" And use a safe browser -- many of the trick links are targeted at Internet Explorer flaws, which can be exploited by simply visiting a web site.
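The "displays one URL, links to another" trick is easy to check mechanically: compare the host named in a link's visible text with the host in its real `href`. The following Python does that over an HTML message; it is an added example, not code from the post, and the sample message, hostnames and function names are all my constructs (203.0.113.5 is a documentation address).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:       # text (even inside <b>) between <a> and </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.site.test/x' text gets a scheme first."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True for link text a reader would take for a web address."""
    return "://" in text or re.match(r"^(www\.)?[\w-]+(\.[\w-]+)+(/|$)", text) is not None


def mismatched_links(html):
    """Return (shown text, real href) for links whose visible address names a
    different host than the one the click would actually go to."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if looks_like_url(text) and host_of(text) != host_of(href)]


# Constructed sample message, not a real mail.
SAMPLE = """<p>Dear customer, please verify your account at
<a href="http://203.0.113.5/login">https://www.example-bank.test/login</a>
or read the help page at
<a href="https://www.example-bank.test/help"><b>www.example-bank.test</b>/help</a>.
<a href="http://203.0.113.5/card">Check this out!</a></p>"""
```

Links whose text is not an address ("Check this out!") cannot be compared this way, which is exactly why the post says to hover and read the real URL before clicking.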

I've been suckered once. I got an email purporting to be from a greeting card company and from someone I knew, and it was near a holiday. There are several such companies and they all require you to click on the link to get your greeting card. Well, I clicked, and it was phony. Fortunately I was running Linux and using Mozilla, so I escaped unscathed.

Which is the whole point of layered defense: if one layer fails, the others can still protect you. More on this in the next installment. Meanwhile, here are some more tips for safe computing. Also revisit my previous blog on the subject, and this excellent advice on recognizing scam emails.

brad
