How to Stay Safe on the Bleeping Internet

Amazing Spiderman Edition, Delta Version—April 20, 2013

It's getting to be a very crazy world out there. “Out there,” of course, refers to the Internet, the “Web,” the biggest information network the world has ever seen. As with any new, exciting frontier there's so much to explore – and yet so much to be wary of. For within this wonderland of educational enrichment and endless entertainment lurk unscrupulous souls who wish to separate you from your money, your identity, and even your sanity. To stay safe on the Internet, you must be vigilant and maintain caution at all times. Whereas in the “real world” we can form strong, trusting relationships based on personal encounters, out in “cyberspace” it is too easy for bad guys to masquerade as something or someone that they are not. Therefore, when it comes to the Internet, it is better to maintain a healthy dose of cynicism, rather than to be too trusting and become easy prey for all manner of scams and ne'er-do-wells. It is my hope that by reading this pamphlet, you will come to better understand these dangers and thereby be able to prevent yourself from falling prey to them. The following are steps you should take to protect your computer in order to have a better and safer computing experience.

1. Install antivirus and security-suite software.

If your computer's operating system (the main “program” that runs your computer) is Windows or Mac, the very first thing you should do is install or activate some sort of protection against malicious software. At a minimum this should include antivirus (and anti-malware) software and a firewall. Antivirus software is software that is alert and scanning your computer all the time, looking for viruses and other malware (software programs that do undesirable things to your computer). You say you have no money? It’s OK—there are still some decent freeware antivirus programs out there:

Microsoft Security Essentials: http://www.microsoft.com/security_essentials
Avira AntiVir Personal: http://www.avira.com/en/avira-free-antivirus

If you use an e-mail program that is installed on your own computer, like Outlook or Outlook Express or Windows Mail, then I strongly advise you to purchase a professional (i.e., not free) antivirus software program, because most of the freeware programs will not scan your e-mail messages and attachments for phishing (see section 3) and viruses and such. However, online e-mail sites (such as Yahoo, Gmail and Hotmail) do scan your mail and attachments automatically. There are many professional programs out there that include not only antivirus/anti-malware protection, but also a firewall, protection from phishing attacks and much more. The following are just a few examples:


Avira Premium Security Suite: http://www.avira.com/en/for-home-avira-premium-security-suite
ESET Smart Security: http://www.eset.com/us/home/smart-security
Kaspersky Internet Security: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
Norton Internet Security: http://us.norton.com/internet-security/
Reviews/advice on popular security products: http://www.pcmag.com/reviews/security-software

Whatever antivirus software you choose, it’s always best to install your antivirus software right after you purchase your new computer, before you get a virus! Once you get a nasty virus, it will usually do everything in its power to prevent you from installing antivirus software. Darn viruses. But don’t worry if your computer is not “new out of the box”; if it’s still functional, try installing the antivirus program now. If it’s able to load, it will try its best to remove all bad stuff from your computer *before* it installs itself. However, if it fails—if your computer is already too infected—you’ll need to take your computer to a technician who will either remove all the viruses and other bad stuff, or “restore” your computer to its original factory state. If they have to do a restore, you will LOSE all your personal data such as pictures and Microsoft Word documents unless you ask the technician to back up your data first (usually for an additional fee). Hiring a technician is expensive, so that’s why prevention is key! You will also lose any programs that you’ve installed after you bought the computer, and you’ll need to reinstall them, so make it a habit to always save the program disks that you buy. For programs that you pay for and download from the Internet, make it a habit to print out and put in a safe place all license keys (sometimes called “unlock codes” or “download keys”) for the downloaded software.

By the way, even the best antivirus programs don't catch everything.
If you ever want a second opinion about a file that looks particularly suspicious, you can double-check it simultaneously against 40 different online antivirus programs at VirusTotal.com.

A firewall is a program that is designed to keep intruders and hackers from “breaking into” your computer and stealing information or using your computer to do harmful things to other people and/or companies on the Internet. Some firewalls are hardware devices (e.g., some network routers include a firewall), but most consumers don’t have hardware-based firewalls, and it’s never a bad idea to have a software-based one in addition. If you use Microsoft Windows, your computer already comes with a software firewall. To make sure it’s on, click the Start button and in the text box at the bottom, type “Windows Firewall.” Click on the item that says “Windows Firewall” (the one that says “Windows Firewall with Advanced Security” is more than you need) and just make sure to turn it on if it is not already turned on. There are also some free third-party firewall programs:

http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
http://personalfirewall.comodo.com/

Of course, most commercial security-suite software—usually with the words “Internet Security” or “Security Suite” in its title—comes with its own firewall, which will be enabled by default; such a firewall will replace Windows Firewall’s functionality (and exceed it), and so Windows Firewall will be shut off. Imagine a firewall as a barrier between your private computer and the very public Internet. You don’t want bad stuff on the Internet to get into your computer from the Internet, and you don’t want bad programs (if there are any) getting out from your computer to the Internet, where they could, for example, send your private credit-card information to some thief. The firewall sits in between your computer and the Internet and makes sure that only those programs and services that should be able to get through the firewall are allowed through.

2. Don’t trust your e-mail.

It’s become a regular occurrence for me now: Every six months or so I get e-mail that’s been sent to me, purportedly from me. That’s right—according to these e-mails, I sent myself a spam message about the latest Botox treatment or get-rich scam! Well, of course I didn’t send myself such an e-mail; a hacker (a bad person on the Internet) has faked or spoofed my e-mail address, pretending to be me.
Actually, it’s incredibly easy to fake a “from” e-mail address, so never, ever trust an e-mail just because it says it came from “so and so”—even if the name given is that of a trusted personal friend, a coworker, or the President of the United States. More important than the “name” of the person that sent it is the actual e-mail address it was sent from; but you cannot know that information by simply reading the normal part of your e-mail. You must look at what’s called your e-mail header. Most online e-mail websites (Yahoo, Gmail, Hotmail) and offline e-mail programs (Outlook, Windows Mail, Thunderbird) offer a way to look at your e-mail’s header information, so learn how to look at headers in your particular e-mail website or program. When there is any question as to whether an e-mail is trustworthy, you want to examine the headers to find the actual e-mail address it was sent from and the e-mail server (the “location”) it originated from. The headers will tell you the truth about the sender, whereas the default “from” name and e-mail address may be out-and-out lies.

It gets worse: Your friend or colleague may have been hacked, and his or her address book may be compromised. Some nasty programs read a person’s address book (his list of e-mail addresses of people who are his friends and associates) and then send dangerous e-mails to everyone on the list—using your friend/colleague’s own computer and Internet connection! So even if the e-mail you’re wondering about did indeed come from your friend’s e-mail account, that friend’s e-mail account may have been compromised. Examine the content of the e-mail and if it seems strange and contains any links for you to click on (or even pictures to click on), DON’T CLICK THEM! Contact your friend/colleague immediately (by phone, preferably) and verify that they really did intend to send you that particular e-mail. Often the reply will be, “Oh, I was hacked. That e-mail isn’t really from me!” Remember—if you click on an e-mail from someone whose e-mail account has been hacked, you’re the next victim!

3. Be careful what you click on.

Links can be text or pictures

Be careful of where you click your mouse, because you might click on a link that takes you to a website that immediately infects your computer. Remember that links (also called hyperlinks or URLs) can be pictures as well as text. Any time that your cursor (the little symbol that your mouse “moves,” which is usually either a small arrow pointing to the NW corner of your screen or a small vertical line) changes into a pointing hand (or into some other symbol you told your OS to use for links), that means there’s a link there. If you then “left click” (if you press on your mouse's leftmost button) while your cursor is pointing at that link, it will take you immediately to the website this link points to. If the website is infected with what is called a “drive-by download,” your computer may be immediately infected—you'll have no chance of stopping the malware once you click on the link! So be careful where you click your mouse.
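Before going further, here is what the header reading recommended in section 2 looks like when written out. This is an added example, not from the pamphlet: it takes the raw header block of a message and compares the displayed “From” address with the Return-Path and with the first mail server in the Received chain. The message is constructed for illustration (reserved .example names and documentation IP addresses).

```javascript
// Added example, not from the pamphlet: report where a message really came
// from by comparing the displayed "From" with the Return-Path and with the
// earliest hop in the Received chain. The headers below are constructed.
const SAMPLE_HEADERS = [
  "Return-Path: <bounce-1234@bulk-sender.example>",
  "Received: from mx.yourmail.example (mx.yourmail.example [192.0.2.10])",
  "\tby inbox.yourmail.example with ESMTP id k7Qx2; Sat, 20 Apr 2013 10:00:02 -0700",
  "Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.7])",
  "\tby mx.yourmail.example with ESMTP; Sat, 20 Apr 2013 10:00:01 -0700",
  'From: "Your Friend" <friend@trustedfriend.example>',
  "To: you@yourmail.example",
  "Subject: Check this out!",
].join("\r\n");

// Unfold continuation lines (a line starting with whitespace belongs to the
// previous header) and return [name, value] pairs in the order they appear.
function parseHeaders(raw) {
  const fields = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && fields.length) {
      fields[fields.length - 1][1] += " " + line.trim();
      continue;
    }
    const m = line.match(/^([^:\s]+):\s*(.*)$/);
    if (m) fields.push([m[1].toLowerCase(), m[2]]);
  }
  return fields;
}

// Pull "user@domain" out of a value such as '"Name" <user@domain>'.
function addressIn(value) {
  const m = value.match(/<([^>]+)>/) || value.match(/(\S+@\S+)/);
  return m ? m[1].toLowerCase() : null;
}

function domainOf(address) {
  return address ? address.slice(address.lastIndexOf("@") + 1) : null;
}

// Each server prepends its own Received header, so the LAST one in the block
// is the earliest hop: the server that handed the message into the chain.
function firstHop(fields) {
  const received = fields.filter(([n]) => n === "received").map(([, v]) => v);
  if (!received.length) return null;
  const earliest = received[received.length - 1];
  const m = earliest.match(/^from\s+(\S+)(?:\s+\(([^\s\[\)]*)\s*\[([^\]]+)\]\))?/i);
  return m ? { claimed: m[1], reverseDns: m[2] || null, ip: m[3] || null } : null;
}

// Warnings mean the "From" line is not backed up by the delivery path. A clean
// result is not proof of safety: a hacked friend's account sends from the
// right server, which is why the text says to phone the friend anyway.
function analyzeOrigin(raw) {
  const fields = parseHeaders(raw);
  const get = name => (fields.find(([n]) => n === name) || [])[1] || null;
  const fromAddr = addressIn(get("from") || "");
  const returnPath = addressIn(get("return-path") || "");
  const hop = firstHop(fields);
  const fromDomain = domainOf(fromAddr);
  const warnings = [];
  if (returnPath && domainOf(returnPath) !== fromDomain)
    warnings.push(`Return-Path domain ${domainOf(returnPath)} differs from From domain ${fromDomain}`);
  if (hop && fromDomain && !hop.claimed.toLowerCase().endsWith(fromDomain))
    warnings.push(`first hop ${hop.claimed} (${hop.ip}) is not a ${fromDomain} server`);
  return { fromAddr, returnPath, firstHop: hop, warnings };
}
```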
Some websites may be extra sneaky and prevent your Internet browser's or e-mail program's cursor from changing at all; they could even deceive you with a reprogrammed (fake) status bar and fake right-click behavior in your browser. To prevent this from happening, disable JavaScript in all new (untrusted) websites (see Section 7 for instructions on how to do this). Assuming that the current web page you're on can be trusted, you'll want to pay attention to your browser's status bar. The status bar is a line at the very bottom of your browser’s/program's window. When your mouse is resting over a link (called “hovering”), the status bar will change to show you the destination of that link. That status bar is there to protect you against something called phishing.

Watch your browser's status bar to avoid phishing scams

Imagine a hacker sitting out in a boat on a lake somewhere, with a fishing rod and reel and his line plumbing the depths of the lake—and you’re the sucker fish he’s looking for! Phishing is when a hacker spoofs a web link: In the normal text of your browser or e-mail program, the link says “http://www.yahoo.com”, but at the bottom in the status bar (if you're paying attention) it says “http://infect-you.com” or whatever the real web address is. If you left-click on this link, it will take you to the website given in your status bar, not the one in your browser's or e-mail message's main text!


The best way to prevent a phishing attack is by hovering your mouse cursor over the web link in question—BUT NOT ACTUALLY CLICKING ON IT!!!—and again looking at your browser’s or e-mail program’s status bar. If a text-based or picture-based link says it will take you to “http://www.yahoo.com” but the status bar at the bottom reports a different link (often something close, like “http://yahoo-searchsite.com”) then it's a phishing scam, and if you click on the link there is an excellent chance your computer will get infected. Right now, Adobe Reader and Acrobat software seem to be the most popular subject matter of phishing scams, but phishing e-mails can be about anything. The bad guys don’t care; they just want to get you to click so that they can get your credit card info, or take over your computer, or achieve any number of other nefarious schemes. Phishing e-mails or phished web pages will often have misspellings or bad grammar, but this is not always the case. Avoid being “phished” by following the safe practices described in this document.

Avoid clicking directly on links

The best advice I can give you is to never click directly on any link. If there's a link on some web page or in some e-mail message that you want to go to, then right click (not left click) the link and copy and paste the link address (called the “URL”) into your browser's address bar, where you can examine it one last time before hitting the Enter key and going there. Some of you may wonder why it's not good enough to simply examine the address in your program's status bar and then proceed to left-click on the link if it matches. While a discrepancy between the two is enough to identify a phishing scam (i.e., the link address doesn't match the status bar address), a “match” is not enough to confirm it's safe.
Here's why: For one thing, if the link is a long one, the status bar will often not show the entire link address, but instead will show ellipses (…) to indicate that part of the address could not be displayed. In Chrome, if you wait a second, it will then display the full address, but only up to the width of the browser window, so you still may not be able to visually verify that the intended address is a safe one. Secondly, some characters look alike but are not the same. For example, “YAHOO.COM” and “YAH0O.COM” look similar but are not the same; the first has two capital letter O's and the second has a number zero followed by a capital letter O. By copying and pasting the link, you give yourself a second chance to carefully look over the link address and make sure it really is safe before you actually go there.

Search engines have redirected links

If you type “surfing” into Google's search page, it will give you links to websites about surfing, and if you have JavaScript enabled, the displayed web addresses will even match the status bar addresses even though they are not the same! Apparently Google thinks it's OK for itself to use JavaScript to “fake” the status bar address, while admonishing others for doing the same thing (albeit for more nefarious phishing schemes). Google is “fooling” the user because it wants you to actually click directly on the search results because that's how Google makes money. The real link begins with “https://www.google.com/...” and embeds the target site's address within it; you'll see this if you actually copy and paste the link, or if you disable JavaScript for “google.com.” Now, Google does validate its own search results and, in general, Google can be trusted. But if you want a “second opinion,” you can move your mouse's cursor to the start of the displayed address (not the one in the status bar) and highlight and copy the text there, and then paste that text into one of the validator sites described in section 5. After you're satisfied it's safe, I recommend returning to Google's search page and then clicking directly on the link there; that way, you're not “stealing Google's lunch,” so to speak. (Those “redirected” links are how Google gets paid, and are what allows them to provide their great search-engine service to all of us free of charge.) But Google programmers please take note: You should play fair with your browser's status bar. Be consistent and show the user the actual link in the status bar, even for your own search results. Actually, here's an even better idea: Never let any website reprogram the browser's status bar or right-click behavior. We need those two features—unaltered!—so that we can stay safe on the Internet!

Watch out for any other source of redirected links

It's one thing to trust Google—and by the way, if you look at Google's “redirected” links, you can still see the actual destination website “embedded” within them—but it's altogether another matter to trust some unknown “list management” or “e-mail marketing” company. Many reputable websites—websites that you trust and whose newsletters and marketing campaigns you're willing to subscribe to—have their newsletters and marketing campaigns run by third-party companies.
These marketing companies want to get paid, too, and so they, too, embed redirected links in the e-mails that they send to you on a trusted company's behalf. This is a breakdown of security, too, because you are likely to associate the trust you have for the company that you subscribed to with the mailer of this newsletter or marketing e-mail, and that trust is undeserved. To make matters worse, they (1) unlike Google might not embed the actual destination link in their own redirected link, and (2) may try to fool you by using the trusted company's name as a subdomain. Let me now give an example. Suppose you love the products of a company called “Super Awesome Cookies” that has a website called “SuperAwesomeCookies.com.” So you subscribe to their weekly newsletter, and once a week you get a newsletter that says it's from SuperAwesomeCookies, but actually it's from “AcmeMarketing.com,” whom SuperAwesomeCookies hired to do its newsletter. The links in their e-mail newsletter, if you hover your mouse over them, may point to “SuperAwesomeCookies.AcmeMarketing.com/...” If you're not looking carefully, it almost looks like the links go to “SuperAwesomeCookies.com,” but they don't. This is a redirected link that Acme Marketing wants you to click on so it can track customer flow, but usually such companies do not deserve your trust; in fact, one such company that I investigated had a rate of 10% malware infections in their links according to Google SafeBrowsing, including infections as current as the date of my inquiry. This may or may not be their fault—perhaps all the infections were on the destination pages—but the point is, why should we trust them? We users have no direct relationship with these marketing companies. Do yourself a favor and do not click on anything in these newsletters or marketing missives; instead, if you see something interesting, go directly to the target site (in this case, “SuperAwesomeCookies.com”) and search their site for the information or article that interests you. You could also do a Google search for the same information.

My advice to these marketing companies: Do not redirect the links of companies you are representing. Our trust is not in you; you are there to provide a service to the company, and the company is there to provide a service to us. Arrange with your clients for them to host pages on their sites that give credit for incoming clicks to you, perhaps by passing a parameter to them.

Watch out for shortened or abbreviated links

Sites such as tinyurl.com, bit.ly, t.co, goo.gl, and others will tell you that they offer a much-needed service by taking a long URL and shortening it into just a few characters, but such a shortened link breaks security by not showing you the actual link's destination address. Never click directly on a shortened link because you don't know where it's going!
Instead, use the preview functions of these “link abbreviator” sites (see the link below) or use “longURL.org,” a site that lets you enter a shortened URL and gives you back the actual URL.

http://longurl.org/
http://security.thejoshmeister.com/2009/04/how-to-preview-shortened-urls-tinyurl.html
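The checks in this section (displayed address versus real destination, look-alike characters such as 0 for O, a trusted name reused as a subdomain, search-engine redirects, and shortened links) can be written down as a single link inspector. This is an added example, not from the pamphlet; the shortener list, the redirect parameter names “q”/“url”, and the two-label approximation of a site's domain are assumptions, and all sample links are constructed.

```javascript
// Added example, not from the pamphlet: inspect a link's displayed text against
// its real destination (what the status bar shows) using the section 3 checks.
// The shortener list and redirect parameter names are assumptions.
const SHORTENERS = new Set(["tinyurl.com", "bit.ly", "t.co", "goo.gl"]);

// Characters easily mistaken for one another when reading an address quickly.
const LOOKALIKES = { "0": "o", "1": "l", "i": "l", "5": "s" };

// Parse text as a URL (adding http:// to a bare host); null if it is not one.
function toUrl(text) {
  if (!/^\S+\.\S+$/.test(text)) return null;
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "http://" + text;
  try { return new URL(withScheme); } catch (e) { return null; }
}

function hostOf(text) {
  const u = toUrl(text);
  return u ? u.hostname.toLowerCase() : null;
}

// Registrable domain approximated as the last two labels. This is a
// simplification; suffixes such as co.uk need a public-suffix list.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Fold confusable characters so YAH0O.COM and YAHOO.COM compare equal;
// a match only after folding means the address was made to look alike.
function fold(host) {
  return host.split("").map(c => LOOKALIKES[c] || c).join("");
}

// Target embedded in a search-engine style redirect link (assumed parameters).
function unwrapRedirect(href) {
  const u = toUrl(href);
  const target = u && (u.searchParams.get("q") || u.searchParams.get("url"));
  return target && /^https?:\/\//i.test(target) ? target : null;
}

function inspectLink(displayed, href, trustedDomains = []) {
  const realHost = hostOf(href);
  if (!realHost) return { verdict: "unknown", warnings: ["destination is not a URL"], embeddedTarget: null };
  const warnings = [];
  const embedded = unwrapRedirect(href);
  const effectiveHost = (embedded && hostOf(embedded)) || realHost;
  const shownHost = hostOf(displayed);   // null when the link text is not an address

  if (SHORTENERS.has(baseDomain(realHost)))
    warnings.push("shortened link hides its destination; expand it first");

  if (shownHost && shownHost !== effectiveHost) {
    if (fold(shownHost) === fold(effectiveHost))
      warnings.push(`look-alike characters: ${shownHost} vs ${effectiveHost}`);
    else
      warnings.push(`displayed ${shownHost} but goes to ${effectiveHost}`);
  }

  for (const trusted of trustedDomains) {
    const t = trusted.toLowerCase();
    const label = t.split(".")[0] + ".";
    // The trusted name reused as a subdomain of some other registrable domain.
    if (effectiveHost !== t && !effectiveHost.endsWith("." + t) && effectiveHost.includes(label))
      warnings.push(`${t} appears as a subdomain of ${baseDomain(effectiveHost)}`);
  }
  return { verdict: warnings.length ? "suspicious" : "nothing flagged", warnings, embeddedTarget: embedded };
}
```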
4. Be especially wary of “publicly writable” links found in e-mail, bulletin boards, forums, Craigslist and eBay postings, instant messages, and public chat rooms.

By a publicly writable medium, I mean one that anyone can post or write to. Can anyone post to eBay? Yes they can. Can anyone post to Craigslist? Yes they can. Many websites also have forums; anyone who registers (hacker or not) can post a message. When hackers post a comment on a YouTube video, or sign on to your favorite online video game and join in the chat, they do not announce, “I am a hacker! Beware of me, ye fools!”

Think about your e-mail address for a second. Can anyone who knows your e-mail address send you an e-mail message? You bet they can. And if they’re a hacker, they can include a nasty link in that message that will do nasty things when you click on it. Make it a habit to NEVER click directly on links posted on publicly writable web media. If you think the links might be legitimate and useful to you, then…CHECK THEM OUT FIRST.

1. Hover your mouse over the link and check the status bar to make sure that the two links match. If they don’t, DON’T GO THERE. It’s a trick. Stay away! Stay far, far away!

2. If the links match, it still has a chance of being legitimate. But it must be some place you’ve never visited before, or otherwise you would have known it was safe and just copied it or typed it into your browser and gone there. (For example, we all know that “http://www.yahoo.com” is generally safe and so we’d just put that in our browser and go there.) Since the link’s address is unknown to you, you need to verify that it’s not a website that will infect your computer and steal your information. So you need to Validate an Unknown Web Address (usually an unknown website). I’ll explain how to do that next.

3. If validated, then type or copy the address into your browser and go there. If validation failed (it’s a known bad website!) then for sure don’t go there! And if validation status is unknown (no information about that site is available, good or bad) then you can use a “sandbox” to go there while minimizing risk, if you want to take a chance. (More on that later.)
5. Validate unknown websites and other Internet media.

The good news is that Google’s web crawling robots (called “spiders”) automatically screen the Internet for “bad” websites containing phishing attacks, malware and other bad stuff, so if you click on a link that’s included in the results of a Google search you probably won’t get infected. Notice the word PROBABLY. While Google does its best, it cannot scan every page on the web every single day. There are just too many pages on the gigantic Internet. So even if you're looking at Google search results, it's better to get a second or even a third opinion on the safety of the presented links. Browser extensions such as TrafficLight and Web Of Trust (WOT) “validate” links in search results (and on other web pages) before you click on them, putting a little icon next to them to let you know that the link is safe (or unsafe):

TrafficLight: http://trafficlight.bitdefender.com/
Web of Trust: http://www.mywot.com/

Even if you get an “A-OK” from these validators, I still recommend that you copy and paste the link address into a new browser tab or window, just to give it one last look to make sure it's OK.


Sometimes validators like TrafficLight and WOT will have no opinion on a particular link. In other words, they won't be able to declare a particular link as either good or bad; the link's status will simply be deemed “unknown.” In that case, there are validator websites you can consult, such as Norton's Safe Web, McAfee's Site Advisor, and Google's SafeBrowsing. (Note that WOT also has a validation website at http://www.mywot.com/, but we're assuming at this point that WOT's browser extension has already indicated it has no conclusive data on the site in question.)

Safe Web: http://safeweb.norton.com
Site Advisor: http://www.siteadvisor.com/
Google SafeBrowsing: http://www.google.com/safebrowsing/diagnostic?site=yahoo.com

For Norton Safe Web, there’s a text box on the screen, next to which it says “Is this site safe?” Simply type the *root* of the domain name you want to go to. So if the link is “http://newsite.com/free_gold.htm”, just type in “newsite.com” and press the search button (a small magnifying glass). McAfee Site Advisor works the same way, but you have to type the root domain into the box where it says “View a Site Report.” For Google SafeBrowsing, replace “yahoo.com” in the link above with whatever website you wish to analyze. For both Safe Web and Site Advisor, make sure to read community comments as well (at least read the summary of community ratings of the site) because occasionally Safe Web and Site Advisor will give an “OK” rating to a site that is actually dangerous—mostly because the automated systems they use to scan these sites are very good but not perfect. Safe Web and Site Advisor also offer other solutions to keep you safe online—usually via programs that you download to your computer, some free and some not—but the options listed above are free and don’t require you to download a thing. Google SafeBrowsing will let you know of any recent detections of malware on the site in question.
However, some sites will have been scanned by Google in the last 90 days, and some sites won't. If the site hasn't been scanned recently, a declaration of “no detection of malware” doesn't mean the site is safe. And for search-engine sites (like Yahoo.com and Google.com) it is common for Google SafeBrowsing to find several links to malware simply because search-engine sites serve up so many, many search results, some of which inevitably prove dangerous. Still this is a rather small fraction of the total search results served, so you should nevertheless feel reasonably safe in using major search engines. After all is said and done, Safe Web, Site Advisor and Google SafeBrowsing may indicate that the site's safety is “unknown.” In that case, you may wish to do a quick Google search to see what others have said about the site. Say, for example, that your unknown link is “http://questionable.newsite.com/pages/free_gold.htm.” Go to Google.com and do the following searches:

“Site: http://questionable.newsite.com +virus”
“Site: http://questionable.newsite.com +malware”

Look at the results of each search. If many people are complaining of viruses or malware on the site with that link address, and posting their complaints to reputable websites, then the link is probably dangerous and you should not go there. If on the other hand there are few or no reports, the result remains uncertain. If you want to take a chance, or for some reason have to go to this link (for job-related reasons, for example), I suggest using some sort of sandbox.
6. Use a sandbox for unknown links that you must go to and cannot validate.

Think of a sandbox as the place where you played when you were a kid—you could play all day long in the sandbox, and if you fell down you wouldn’t get hurt. Basically, a computer sandbox is a kind of program that makes it almost impossible for you to get an infection from a bad guy’s website. Note that I said almost, and thus if you don’t have to go to an unknown website or other unknown Internet medium, then don’t go there. A sandbox can't turn an unsafe web page into a safe one, but rather it attempts to prevent an unsafe web page from having any “permanent” negative effect on your computer. A sandbox lets the web pages you visit download information to your computer, but it confines all of that downloaded information to a very restricted part of your hard drive, and when you exit the sandbox, it all gets erased. The files that the bad web page tries to put on your computer never really get to the important parts of your computer; they’re held in a digital “purgatory,” if you will, but the offending website never knows that. When you exit the sandbox, those files are gone. (Note: Some sandbox systems let you “choose” what to do with these purgatory files before you exit; always, always, always ERASE them! You can configure the sandbox to do this automatically.)

http://en.wikipedia.org/wiki/Sandbox_(computer_security)

There are three kinds of sandbox programs available to you. The first is a very clever program called Sandboxie that is only available for Windows. You can download it from http://www.sandboxie.com. There is a free version and also a paid version. The free version works just fine but has a short delay before the program starts. The second kind of sandbox program is called a virtual machine, and these are available for many different kinds of computers and operating systems (including Linux and Apple’s OS X operating system).
A virtual machine (VM) is like a computer within a computer; the VM “fakes” (we say emulates) the hardware of a computer and then runs its own operating system (OS) on top of the emulated hardware. The result is a virtual computer inside your real computer, such as running Microsoft Windows on an Apple iMac computer. If you own an iMac and run an Internet Browser (like Google Chrome) inside a Windows VM, when you close the VM all traces of anything you downloaded are gone (provided you configured the VM that way). Two popular makers of virtual machines are VMWare (http://www.vmware.com) and Parallels (http://www.parallels.com/). Like Sandboxie, they offer both free and commercial versions.

Unlike Sandboxie, they are more complicated (and more powerful) and so require a little more time to learn how to install and use properly. The third kind of sandbox is any computer that has no permanent storage (like a hard drive), or perhaps has permanent storage but doesn’t use it. The premise here is that there is no way for a virus or piece of malware to infect files (system or personal) that no program has access to. For example, Live Disks (also called Live CDs or Live DVDs) provide a great way to stay safe while surfing the Internet. A Live Disk is a pre-burned, non-rewritable disk such as a CD or DVD that contains a whole operating system. This “operating system on a disk” loads itself completely into, and runs entirely from, temporary RAM memory, regardless of whether the computer itself has a hard drive in it or not. Any data files created during a Live Disk “session”—as well as any system files loaded into memory—are destroyed the moment the computer is powered off or restarted. Note that there are some Live Disks that give users the option of accessing hard drives or thumb (USB) drives attached to the system, and there are some Live “thumb drives” that run from USB (thumb drive) storage, but these options defeat the security benefits of the Live Disk sandbox by allowing access to permanent storage that malware could potentially infect. Examples of Live Disks include Linux Mint, Knoppix, PC-BSD, and WinBuilder. See the following links for much more information:

http://en.wikipedia.org/wiki/Live_CD
http://en.wikipedia.org/wiki/List_of_live_CDs
http://www.linuxmint.com/
http://www.knopper.net/knoppix/index-en.html
http://www.pcbsd.org/
http://reboot.pro/forum/22/ (WinBuilder packages)

Linux Mint, Knoppix and PC-BSD are all based on the Linux or Unix operating system. WinBuilder uses versions of Windows to create Windows-based Live CDs/DVDs. Regardless of the operating system used, any Live Disk can browse the Internet with its integrated Web browser.
In order to make these disks, you will need to download the files from one of the websites above, and then “burn” them to a blank CD/DVD. You should use a write-once disk such as a CD-R, DVD-R or DVD+R—not a rewritable one (i.e., not a “CD-RW” or a “DVD-RW”). To burn the files onto the disk, you’ll need burning software such as Nero (which costs money) or freeware burning software such as ImgBurn or CDBurnerXP:

http://www.nero.com/enu/
http://www.imgburn.com/
http://cdburnerxp.se/

Once you create your Live Disk, insert it into the drive, reboot (or turn on) your computer, and follow the prompts to boot it without hard-drive support. If your aim is to surf to a potentially dangerous website—as was the original point in this section, ahem!—then do NOT use USB (“thumb”) drives, and of course if the option comes up during boot to either install the operating system to disk, or to mount (enable) a hard drive, don’t do it. For the ultimate in security and convenience, you can have a separate computer (with a Live Disk in the optical drive) that you use only to surf the Internet with a very high level of safety. You could even pay a technician to remove all hard drives and USB ports.

Chromebook: A cloud-based laptop with sandboxing (and other protections) built in

When I wrote the first version of this document, Google's Chromebooks (which run an operating system called the Chrome OS) had just started to become available for purchase. That was back in September 2011. Today, in 2013, the Chromebooks have proven themselves as security-minded, cloud-based laptops with built-in protections such as sandboxing and verified boot. A key idea behind the Chromebooks—and a fundamental paradigm shift in traditional computing—is that all applications become “cloud based.” Essentially, traditional programs are replaced with web-based ones. Because most of the programs you'll use on a Chromebook are essentially websites, very few programs (with a few exceptions, such as native apps) are actually installed onto your computer's hard drive. The programs you'll be using reside on the Internet (in the “Cloud”), and this is why it's hard to infect Chromebooks, and why no antivirus software is required. Of course, this also means you must be connected to the Internet to get full use out of your Chromebook, but most of us are connected all the time anyway. It seems that Internet access has become a necessary utility, much like electricity or water. So with your applications and data living in cyberspace, and a built-in sandbox to protect you, your Chromebook can’t get infected—right?
Well, almost… There are “native applications” that you can download that let you work offline; the price of this convenience is a decrease in security, although Google tries in other ways to vet programs and prevent/inhibit malware. And of course data files can always be stored locally, and they could potentially be infected (although infection of data files is less likely than infection of program files, and again the Chrome OS tries to stop/inhibit such infected files from harming the system). There are still some other considerations: All your data is still stored somewhere on the Internet, which means you must trust the cloud services you use to protect and secure your data from hacks, infections, and thievery. Believe it or not, hackers have already found a way to break into cloud data at least once. Also, operating system files are stored on the internal hard drive, so these, too, could be subject to attack, but Google has taken valiant measures to protect against attacks on the OS, including verification of boot files. Overall, Chromebooks (and the related desktop versions called “Chromeboxes”) have proven to be above average in terms of security and hassle-free computing. Based on what I have seen so far, I highly recommend them.

http://www.google.com/intl/en/chrome/devices/
http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview

Note that there is a difference between getting infected and staying safe online. Even if a hacker cannot infect your PC, he or she may be able to intercept your communications, steal passwords or financial data, or wreak other havoc. Like every other computer, Chromebooks are not immune to this, so even if you buy a Chromebook or use a sandbox/virtual machine/Live CD, be sure to read the upcoming section on staying safe in public settings.

7. Choose a secure Internet browser and configure it properly.

Choose a secure browser

Google's Chrome browser seems to be the most secure among all major browsers and I highly recommend it. It is free and available for Windows, Mac and Linux platforms, and it is incorporated as part of Chrome OS in Google Chromebooks and Chromeboxes. At a "hacking contest" (called “Pwn2Own”) a few years ago, Chrome remained unscathed while Internet Explorer, Firefox and Safari were all ransacked. However, at the most recent Pwn2Own contest, only Safari survived (with no attempted hack). (I still feel Chrome is the strongest, as the Chrome hack depended on a vulnerability in the OS it was running on.) Whatever browser you use, make sure you use its security features to the fullest. That means turn on (or don’t turn off) any anti-phishing and safe-browsing features.

Use link validators

Two excellent browser additions, as mentioned in a prior section, are BitDefender's TrafficLight and WOT Services' Web of Trust (WOT). Both of these are available as extensions for Google Chrome; you can search for them in the Chrome Web Store under Extensions.

TrafficLight: http://trafficlight.bitdefender.com/
Web of Trust: http://www.mywot.com/
Chrome extensions: https://chrome.google.com/webstore/category/extensions

Disable dangerous features

I recommend that you disable JavaScript and all plug-ins (including especially the Java plug-in) by default.
This is to protect you from what's called a “drive-by” malicious download, in which the moment you visit an infected website, your computer gets infected. In spite of your best intentions and due diligence (validate links before you click on them, right?), you might click on a link to an infected website. By not having JavaScript and plug-ins enabled for every website, you prevent these infected sites from being able to use JavaScript, Java and other browser features/plug-ins to automatically infect you the moment you visit them. Use your browser's settings to disable your browser's JavaScript, Java and plug-in features by default. You can always add exceptions for websites you know are safe, such as those you visit frequently.

In the Chrome browser, click on the menu icon, which is the “three little lines” at the top-right corner of the browser window. Choose Settings → Show Advanced Settings (at the very bottom) → Content Settings (under Privacy). Under JavaScript, choose “Do not allow any site to run JavaScript”. Under Plug-Ins, choose “Block all”. Now when you visit a website you've never visited before, Chrome will block all JavaScript and plug-ins (including Java) by default. If you trust the site and want to enable JavaScript, you can click on the symbol at the top right that looks like a scroll with an “X” through it, and choose “Always allow JavaScript on [website name]”. You'll then need to refresh the page (hit F5 or click the refresh icon at the top-left corner) to make the page load with JavaScript active. If you visit a site with a blocked plug-in, you'll see an icon at the top-right corner that looks like a puzzle piece with an “X” through it. If you trust the site and want to let it run all plug-ins, click the icon and choose “Always allow plug-ins on [website name]”; or if you just want to enable the plug-ins to run this one time, choose that option instead. You'll then need to reload the page to make the plug-ins active.

If you use a browser other than Chrome, use your browser's methods for turning off JavaScript and plug-ins (especially Java) by default. Even though you may trust a particular website, I recommend that if you don't need a particular browser feature (such as JavaScript or Java), then don't enable it. Today's popular, safe website may be tomorrow's compromised one. Better safe than sorry.

Don't install toolbars

Avoid the temptation of installing third-party toolbars in your browser. At best, they reduce your valuable screen real estate, and very often they are malware. Just say NO to toolbars.

8. Keep your OS and programs (including browser and antivirus software) up to date

Your firewall and security software are your first and most important lines of defense, and they need to be kept up-to-date to continue keeping your computer safe. Very often hackers will gain entry into your computer by using what are called exploits—known problems (“bugs”) in popular software including Internet browsers (such as Chrome), file readers (such as Adobe Reader), and so on. When such an exploit is discovered, the company that makes the software will typically release a “fix” for the exploit in a new version of their software (which is almost always made available for free). Be sure to keep your software up-to-date to avoid being attacked by bad guys looking for these exploits. This includes keeping your system software up-to-date as well, so make sure to turn on Automatic Updates in Microsoft Windows or whatever OS you use, and when your OS or known good programs tell you they have updates that need to be downloaded and installed, go ahead and do it. By keeping your operating system and programs up to date you greatly decrease your chances of being hacked.

Note to software companies: When we installed your software, we decided that we trusted you enough to let your program reside on our computers. If at a later date you discover a security hole in your software, you already have our permission to go ahead and fix it automatically, seamlessly, behind the scenes—just get it done! We don't need dangerous software on our machines, and that's what your software is when it has security flaws. Moreover, when we see messages that say “such and such a program needs updating,” we wonder whether it really is your program or just malware pretending to be your program that needs us to push a Windows “OK” button to get past OS validation of new software. (OS makers, your cooperation may be required here as well.)

Another security-related note to software companies: Don't use nonsensical names for your software. HP used the name "Rebecca.exe" for its official recovery program on some computers. That's just begging to be viewed as malware. Please make your file names correspond to the purpose of the file.

9. Use strong passwords, HTTPS, VPNs, and two-factor authentication

Use STRONG passwords for everything

Did you know that a bad guy does not need to infect your computer to “break into” it? That’s what your firewall is all about. Your computer “talks” to the Internet on certain channels called “ports”. Think of ports as doors. Sometimes those doors need to open—for example, a useful program on your computer needs to be able to talk to your Internet provider. Your firewall does its best to identify the good guys from the bad guys, letting the good guys through the doors and keeping the bad guys on the outside, but it's not perfect. If your firewall gets “fooled” and lets a hacker in, your second best line of defense is a strong login password.
Even if the hacker gets “through the door,” to do most anything they want to do they’ll need your password. Make sure that all accounts on your computer have passwords—and disable any guest accounts (accounts that have no password). When a hacker encounters a password-protected login, program, or website, they will try to figure out that password, either by guessing or by using trial and error (often using a password “cracking” program). Hint: Don’t make it easy for them. Believe it or not, the following are NOT, I repeat NOT, good passwords:

- password
- wordpass
- drowssap (password spelled backwards)
- hello
- welcome
- letmein
- 1234 or 4321 or 1111 or 9999 (any pattern of digits)
- windows
- microsoft
- billgates
- <any curse word>
- <your name or name of anyone you know personally>
- <your birth date or family member’s birthday>
- <name of the website or program the password is for>
- <subject matter of the website or program the password is for>
- <your username for any program or website>

Capitalizing any of these does not help. The idea is for you to create a password that cannot be guessed. You SHOULD do the following:

- Use a different password for each program and website
- Use combinations of upper and lowercase letters, numbers, and punctuation marks if the website or program allows them
- Make passwords at least eight characters long and preferably longer
- Store all your passwords in a safe place both digitally (as a computer file) and in paper form AWAY from your computer. Use a password manager (explained next) to store your usernames and passwords for your programs and websites in a secure digital format in multiple secure places, and periodically make a physical printout of this list and store it in a secure place as well. Make sure these digital and physical copies of your username/password info are stored in different secure places (like a secure local hard drive/flash drive, a secure online cloud service, and a safe deposit box at your bank). Redundancy is a good thing, because should anything happen to one of these three sources, you still have two others to fall back on.
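As an added example (not part of the pamphlet), here is a small Python checker that applies the two lists above to a candidate password. The bad-word list reproduces the pamphlet's own examples; the names, birthdays, site names, usernames and already-used passwords it tests for are supplied by the caller, and the "at least three character classes" threshold is my assumption, since the pamphlet only says to mix them.

```python
import string

# Added example, not the pamphlet's own code. BAD_WORDS reproduces the
# pamphlet's examples of bad passwords (the "curse word" entry is left out).
# Everything personal (names, birthdays, site names, usernames, passwords used
# elsewhere) is passed in by the caller, because only the user knows them.

BAD_WORDS = {
    "password", "wordpass", "drowssap",      # "password", scrambled and reversed
    "hello", "welcome", "letmein",
    "windows", "microsoft", "billgates",
}
MIN_LENGTH = 8     # "at least eight characters long and preferably longer"
MIN_CLASSES = 3    # assumption: use at least 3 of upper/lower/digit/punctuation


def birthday_forms(year, month, day):
    """Common ways a birth date gets typed into a password (constructed list)."""
    yy = f"{year % 100:02d}"
    return {
        f"{year}{month:02d}{day:02d}", f"{month:02d}{day:02d}{year}",
        f"{month:02d}{day:02d}{yy}", f"{day:02d}{month:02d}{year}",
        f"{month}{day}{year}", f"{month}/{day}/{year}", f"{month}/{day}/{yy}",
    }


def character_classes(pw):
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def check_password(pw, *, names=(), birthdays=(), sites=(), usernames=(),
                   existing=()):
    """Return the list of pamphlet rules the password breaks ([] means it passes).

    names      - your name and the names of people you know personally
    birthdays  - (year, month, day) tuples for you and family members
    sites      - the website/program name and its subject matter
    usernames  - any username you use for any program or website
    existing   - passwords already in use elsewhere (each site gets its own)
    All comparisons ignore case, because capitalizing a bad password does not help.
    """
    low = pw.lower()
    reasons = []

    if low in BAD_WORDS or low[::-1] in BAD_WORDS:
        reasons.append("common password from the pamphlet's list (or reversed)")
    if pw.isdigit():
        reasons.append("any pattern of digits only")
    for label, terms in (("name", names), ("site/subject", sites),
                         ("username", usernames)):
        for t in terms:
            if t and t.lower() in low:
                reasons.append(f"contains {label} '{t}'")
    for bd in birthdays:
        if any(form in low for form in birthday_forms(*bd)):
            reasons.append("contains a birthday")
            break
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        reasons.append("does not mix upper/lower case, digits and punctuation")
    if any(low == e.lower() for e in existing):
        reasons.append("reused from another site or program")
    return reasons


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for candidate in ("Password", "4321", "Rebecca042580!", "xK7#qv2Lm!9z"):
        problems = check_password(candidate, names=["Rebecca"],
                                  birthdays=[(1980, 4, 25)], sites=["bank"])
        print(candidate, "->", problems or "OK")
```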

This advice goes for all passwords, not just for your Windows (or other OS) password—and DO password protect all programs and accounts that give you the option to do so. Do NOT give out your passwords, or reuse the same password on every website, or use them constantly as catch phrases or expressions in conversations with coworkers, or put them on a piece of paper you attach to your computer.

Use a password manager.

Password managers are software programs that manage your many passwords for you. If you use your computer in public places, you don't want to have to be manually entering password after password for every program and website you use, with people around you looking on. Even at home, you'll appreciate the convenience of not having to type all your passwords over and over. A password manager lets you log into it with a master password, and thereafter the password manager program automates the entry of passwords for your various websites and programs in a secure way. You have many options when it comes to password managers. Chrome (as well as most Internet browsers) has a rudimentary password manager built in, so if you allow it, it can remember all websites' passwords for you and input them automatically when you visit those sites. Furthermore, it can sync your passwords across all your Chrome-using devices, including your computers, tablets and mobile phones. The downside is that the security is not particularly strong (while logged into your browser, you or a “man-in-the-middle” hacker can easily view all your passwords), it works only for websites (not local programs), and many of the features of other password managers are missing. For Chrome, your “master password” is your browser “sync” password (and any additional encryption password you may have specified). There are also web-service-based password managers such as LastPass and Roboform that manage your online passwords, but give you more robust security and features. Some of these password-management systems are free and some are not. Lastly are more traditional “standalone” programs such as KeePass (free) that can manage both online (website) and local (installed program) passwords but lack some of the seamless syncing and online-backup features of the web-service password managers just mentioned. Whatever password manager you choose, it's important that you learn it thoroughly and do all that you need to create and maintain (i.e., not lose) a secure master password and backups (online and offline) of all your passwords. Remember that if you forget or lose your password manager's master password, you will lose access to all of your passwords.
That's why it's important that you back up any password files and periodically make a plaintext printout of all your passwords that you keep in a safe-deposit box or some other secure place.

http://lifehacker.com/5944969/which-password-manager-is-the-most-secure
http://www.pcworld.com/article/208113/Best_Password_Managers_Top_4_Reviewed.html
http://www.theverge.com/2012/12/19/3699286/how-to-manage-passwords-online
http://www.pcmag.com/article2/0,2817,2407168,00.asp
http://keepass.info/
https://lastpass.com/
http://www.roboform.com/
https://agilebits.com/onepassword
https://www.dashlane.com/
http://www.mylok.com/ (hardware-based password manager)

Avoid using single websites as “password hubs”

Recently, websites such as Facebook have decided to ignore all traditionally accepted notions of password security and appoint themselves “password holder in chief”. This is great for Facebook (in terms of getting your Internet traffic and marketing stuff to you and others), but horrible in terms of your security. Understand that Facebook is not a password manager application and that by letting Facebook be your “password access” to a multitude of other websites (currently there are too many to list) you are essentially choosing one password for ALL your websites, which explicitly violates the unique, strong password for each website rule. Thus if a hacker gets your Facebook password, they now have access not only to your Facebook account but also to ALL websites that use your Facebook account to log you in. DON'T DO IT. Most of these “Facebook enabled” websites will also let you choose your own unique username and password created expressly for their website rather than logging in via Facebook. Do that instead. Do not allow Facebook to have access to all your websites, or when your Facebook account gets hacked, all your other (Facebook enabled) accounts will get hacked as well. This same advice goes for any website that attempts to be a “password hub” (e.g., Twitter allows this to some extent) although Facebook is currently the most notorious of these.

Make sure security-related web pages use HTTPS

When you log into an online account, or do financial or banking transactions online, or conduct any important confidential business on the Internet, transactions between your browser and the intended server on the Internet must be encrypted: The information that is sent over the wire (or wirelessly) should be “scrambled” in order to make it difficult for anyone other than your browser or the server to read your confidential information. Hackers who manage to intercept your encrypted information will not be able to understand it, and so it will be useless to them. When your communications are encrypted, your browser will say “https” in its address field rather than the usual “http”, and will also show a small padlock symbol. If you DON’T see the “https” (if you see a mere “http” with no “s” on the end) and a padlock symbol when doing something confidential online, YOU HAVE BEEN PHISHED! Do NOT proceed. A hacker is trying to steal your password or credit card info or other confidential data.
Close the browser and re-open it and try again, this time typing in your trusted website’s web address. (You did validate the web address to make sure the site should be trusted in the first place, right?) Mostly hackers are interested in stealing your financial data. But if you want to use a public Wi-Fi connection, or feel you might be a specific target (e.g., of corporate or governmental espionage), then you need to protect all your computer’s communications from spying and intrusion by using a VPN. See Section 11 for more information.

Use two-factor authentication whenever available

Two-factor (or “multi-factor”) authentication means that you are using more than just one authentication technique. Typical authentication involves a password; almost every authentication system (such as a login webpage) uses one. The problem with this is that if a bad guy manages to get hold of your password, they're as good as “in”. Two-factor authentication adds another layer of security so that even if a hacker gets your password, they still can't get in. Multi-factor authentication involves multiple modes of authentication and is typically described in terms of something you know (like a password or passphrase), something you have (like a cell phone or a smart card), and something you are (referring to biometric data like your fingerprint or iris scan). In a way, biometric data is like something you always have because it's a part of you. Biometric input devices are still not as common as they should be, but many prominent websites such as Google Mail and Yahoo Mail now offer two-factor authentication in the form of something you have by sending a “one-time password” (OTP) via text message or phone call to your cell phone. For example, you can configure Gmail so that when you log in, you have to both (1) enter your password and (2) enter a code sent to your cell phone. After you enter your password, Gmail sends a random six-digit number (the OTP) to your cell phone (e.g., via text message), which you must then enter before being allowed to log in. A hacker who had only your password, or only your cell phone, could not break in. Two-factor authentication is thus doubly secure and highly recommended. Use it whenever and wherever it is offered.

10. Watch out for “foistware” (piggybacked junkware).

If you've been reading carefully so far, you may have noticed a theme running through this document, which is that profit-mindedness and user safety often seem to be in conflict, and apparently some companies are willing to sacrifice some of the latter for the former. A very bad trend that's been going on for some time now is called “piggybacked junkware” or “foistware.” Company A decides to make extra cash by “bundling” (or piggybacking) Company B's software into their own, so that when you install Company A's software, there's a very good chance you may end up installing Company B's as well.
Now technically, they can't install someone else's software on your computer without your permission, so in the middle of the usual litany of installer-program message windows there will be one window (or a portion thereof) that casually mentions that Company B's software will also be installed unless you “uncheck” the pre-checked checkbox. As if, by default, we all wanted Company B's software when that isn't what we were trying to install in the first place! Most people, tired of the laborious install process, will simply click every window's Next button without reading each screen so they can get past all the installation crap and get on with their lives. They'll never notice that they just installed a piece of “foistware” along with their desired software. Don't be one of those people. Moral of the story: SLOW DOWN and read everything when you are installing a new program, regardless of whether it’s been virus and malware checked or not, regardless of whether or not you trust the company in question.

The most common foistware is TOOLBARS that get added to your browser. NEVER INSTALL TOOLBARS. Your browser doesn’t need any more toolbars! They take up valuable screen real estate, slow down your browsing experience and are just plain BAD.

11. Be extra careful when using your computer in public settings!

The most dangerous game: computing out in the great wide open

It's very popular these days to walk into a Starbucks, sit down with a cup of coffee and start surfing the 'Net on your laptop. From a computer safety perspective, however, nothing could be more dangerous. Believe it or not, there are actually criminals armed with laptops who prowl coffee shops, cafes, restaurants, bookstores, and anywhere else there is free, public Wi-Fi, looking for naïve computer users. When you use your computer in public, you open yourself up to all kinds of problems.

Don't type or enter passwords in public!

If you type in your passwords by hand, rather than use a password-managing program, criminals can literally watch what you type and take note. Even if you're a phenomenal typist—and even if the criminal is conveniently away from his table at the moment—if his laptop's camera or a secret hidden camera is near enough to you, he can record a video of the keys you press when you enter your username and password, and then play it back slowly, at his leisure, frame by frame, identifying every single keystroke you made. If you cut and paste your password from some plaintext file, and your screen is publicly visible, they can record a video of your screen. Bottom line: If you enter your password by hand (by typing) and anyone can see your hands, anyone can get your password; if you copy and paste your password from a plaintext file, and anyone can see your screen, anyone can get your password. You do not know the strangers who are around you in public places. They may look kind, but I personally have seen and experienced criminals hard at work fleecing the unaware.
There is a lot of money to be made, and these enterprising thugs do it every day. Don't be a victim. Use a password manager and enter your master password (1) using a hardware device (e.g., a thumbprint reader) or (2) using a privacy filter + virtual keyboard. Do NOT type passwords on a keyboard in public. (For more on privacy filters, virtual keyboards, and biometric devices, read on.)

Use a password manager.

Password managers (explained previously) are software programs that manage your many passwords for you. If you really must use your computer out in public, you don't want to have to be manually entering password after password for every program and website you use, with people around you looking on. The fewer passwords that you have to actually enter, the better. A password manager lets you log into it with a master password, and thereafter the password manager program enters the passwords for your various websites and programs in a secure, automated way, with onlookers unable to see the passwords as they are entered. See Section 9 above for more information.

Use hardware-based input.

There's still the matter of entering your password manager's master password, and you don't want to be typing that on your keyboard in public. To enter your master password, you're best off with some sort of hardware device such as a biometric (“body measuring”) input device. There are many types of biometric interfaces, including fingerprint readers, which are special devices that scan and use your unique fingerprint as a password. The Yubikey (below) is a special hardware device that lets you populate your master password into a password field with the push of a button.

https://www.yubico.com/products/yubikey-hardware/yubikey/
http://www.apricorn.com/products/hardware-encrypted-drives/aegisbio3.html
http://www.ironkey.com/en-US/secure-portable-storage/index.html
http://www.authentec.com/Products/TouchChips/Eikonmini.aspx
http://www.zvetcobiometrics.com/Products/P2000/overview.php
http://secugen.com/products/peripherals.htm
http://www.digitalpersona.com/biometrics/overview/
http://www.biometricupdate.com/service-directory/fingerprint-recognition/

The advantage of using a hardware-based input device in a public Wi-Fi setting is simply this: There is nothing to see. Anyone can see you push a button, or watch you swipe your finger on a fingerprint reader, but unless they can actually get your Yubikey or your fingerprint, your password remains secure. Your password is something you have rather than something you know. The Yubikey works with almost all platforms; unfortunately, turnkey (i.e., ready-to-use out of the box) fingerprint systems are currently only available for Windows and Mac platforms. However, fingerprint devices are more secure because if they're lost, they're unusable without the user's fingerprint.

Use a screen filter and a virtual keyboard.

If you plan on doing any public computing at all, get yourself a good privacy filter for your screen. 3M is one company that makes privacy filters; there are others as well.
Most banks use them now on tellers' computer screens. The privacy filter polarizes the light from your screen so that the screen is only viewable, more or less, by you (i.e., from someone sitting directly in front of it). Passers-by will see only a dark screen. Someone sitting very close to you at a nearby table may be able to see part of your screen, so don't rely on this completely, but rather treat it as an indispensable part of public computing. Note: If you're using a laptop, remember to remove the filter before closing the laptop so as not to damage the laptop's screen. You can use a virtual keyboard together with a screen filter to have a reasonably secure way of entering passwords in public. A virtual keyboard is also called a software keyboard; it literally displays a “picture” of a keyboard on the screen, and you use your mouse to click on the virtual keys on the screen. When you click on the keys (e.g., a picture of the letter “A”) it actually enters the letter “A” into the password field of your OS or program. It's as if you typed the letter “A” using your real physical keyboard, but instead you're using a program to do it. The advantage is that no one can see your fingers hitting the individual characters of your password on a physical keyboard.

There is still the possibility that someone may record your mouse and hand (or finger on touchpad) movements as you use the virtual keyboard, but without them being able to see the keyboard on your screen (because you're also using a privacy filter), it will be difficult for them to “estimate” what keys you're actually entering, especially if you hover your mouse over “non-key” areas, or enter some wrong keys and do backspaces, or move the virtual keyboard itself around the screen, etc. Some virtual keyboards even have some advanced features like “hover” entry (just having your mouse over the key for a certain amount of time causes the key to be entered) and other anti-hacking features. Even if you already have a biometric input device, privacy filters are still useful when you just want to keep private data private: for example, if you're viewing a bank statement or composing a confidential e-mail. However, I advise you to avoid doing financial or sensitive transactions in public places, if you can help it.

Use a Virtual Private Network (VPN) to avoid being hacked!

Even without giving away your passwords, you may still end up getting hacked. There is something called an Evil Twin scam (also called a “Rogue Access Point” or “Trojan Access Point” scam) in which a criminal sitting close to you sets up his computer or wireless access point (“WAP”) so that it pretends to be the public Wi-Fi you're trying to sign on to. So, for example, you may think you're logging on to Starbucks' free Wi-Fi, but in actuality you're logging into a nearby criminal's computer, which is intercepting every message your computer transmits. The criminal can do this because his computer or WAP is physically closer to you than Starbucks' WAP and so the signal is stronger.
Once you log into the criminal's WAP, he will see everything you see, including all passwords, banking information, and so forth, and more importantly, the harmless file you think you're downloading may actually be malware that the criminal will use to control your computer. An Evil Twin attack makes it possible for a criminal to do what's called a Man in the Middle attack, where the criminal “sits in between” the communications between your laptop and Starbucks' WAP, and for a while just “forwards” on those communications so that everything looks normal to you, but at just the right time, intercepts some of those communications in order to take over your browser (and, for example, send your confidential credit card data to himself) or wreak other mischief. The sky is virtually the limit for the criminal, because he's inserted himself into the middle of what should be secret communications between you and Starbucks. What's the “right time” for the Man in the Middle criminal to launch his attack? When you're not looking, of course! So before you look away from your computer to attend to other matters, disconnect the Internet! Learn how to “disable” your computer's built-in wireless adapter and do so before you take your eyes off your computer screen. Better yet, log into public wireless with an external wireless adapter (e.g., a USB wireless adapter) and physically unplug it when you have non-computer matters to attend to. It is especially easy to do an Evil Twin/Man in the Middle attack when the public Wi-Fi has no password at all (when it's “unsecured Wi-Fi”); but currently, even with a password and the best available Wi-Fi encryption scheme, the Evil Twin attack can still be carried out. The only way you can stay safe is to always use a VPN in public Wi-Fi settings.
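As an added example (not part of the pamphlet), the Python below checks a list of nearby access points for the Evil Twin warning signs just described: a radio advertising the café's Wi-Fi name that is not the one you recorded on an earlier, known-good visit, often with a stronger signal and sometimes with no password where one used to be. The scan results, the network name and the hardware addresses are all constructed for the example; a real client would get the scan from its wireless adapter.

```python
from dataclasses import dataclass

# Added example, not the pamphlet's own code. The trusted profile is what you
# would record on a first, known-good visit; the scan list is constructed here
# to stand in for what the wireless adapter reports.


@dataclass(frozen=True)
class AccessPoint:
    ssid: str          # the network name you see in the Wi-Fi list
    bssid: str         # hardware address of the radio that sent the beacon
    security: str      # "open", "wpa2", ...
    signal_dbm: int    # closer to 0 means stronger


@dataclass(frozen=True)
class TrustedNetwork:
    """The name, the real access point(s) behind it, and the security the
    venue actually uses, as recorded on an earlier visit."""
    ssid: str
    bssids: frozenset
    security: str


def evil_twin_warnings(trusted, scan):
    """Return warnings for access points that advertise the trusted SSID but do
    not match the recorded profile. An empty list means nothing looked off."""
    same_name = [ap for ap in scan if ap.ssid == trusted.ssid]
    genuine = [ap for ap in same_name if ap.bssid in trusted.bssids]
    strongest_genuine = max((ap.signal_dbm for ap in genuine), default=None)

    warnings = []
    for ap in same_name:
        if ap.bssid in trusted.bssids:
            if ap.security != trusted.security:
                # The real radio should not change its security type between visits.
                warnings.append(f"{ap.bssid}: '{ap.ssid}' recorded as "
                                f"{trusted.security}, now offers {ap.security}")
            continue
        msg = f"{ap.bssid}: advertises '{ap.ssid}' but is not a recorded access point"
        if ap.security != trusted.security:
            msg += f" (offers {ap.security}, expected {trusted.security})"
        if strongest_genuine is not None and ap.signal_dbm > strongest_genuine:
            # The pamphlet's point: the closer radio wins, so the twin gets picked.
            msg += "; its signal is stronger than the genuine one"
        warnings.append(msg)
    return warnings


# Constructed scan: the venue's real access point, a twin nearby with a
# stronger signal and no password, and an unrelated network.
TRUSTED = TrustedNetwork("CoffeeShop-Free", frozenset({"00:11:22:33:44:55"}), "wpa2")
SAMPLE_SCAN = [
    AccessPoint("CoffeeShop-Free", "00:11:22:33:44:55", "wpa2", -63),
    AccessPoint("CoffeeShop-Free", "66:77:88:99:aa:bb", "open", -41),
    AccessPoint("HomeNet-Guest", "cc:dd:ee:ff:00:11", "wpa2", -80),
]

if __name__ == "__main__":
    for warning in evil_twin_warnings(TRUSTED, SAMPLE_SCAN):
        print("WARNING:", warning)
```

A hardware address can be copied as easily as a network name, so a twin that clones the recorded BSSID passes this check; that is why the pamphlet's advice to always use a VPN on public Wi-Fi still stands.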
A VPN (Virtual Private Network) is a security mechanism that encrypts an entire connection (called a “tunnel”). With it, all communication between your computer and the VPN server is encrypted.

http://en.wikipedia.org/wiki/Virtual_private_network
http://www.hidemyass.com
http://openvpn.net/
https://secure.logmein.com/products/hamachi2/
https://strongvpn.com/
http://www.cisco.com/en/US/products/ps10884/index.html

VPNs cost money, and the connection is usually a bit slower (it takes time to encrypt/decrypt all that info being sent and received), but when you really need it, it's time and money well spent. By the way, Chromebooks and other sandboxed environments are not immune to the Evil Twin attack. But there is a VPN called “HideMyAss.com” (see above) that works with Chromebooks.

Note that even if you do have a VPN, someone with an “Evil Twin” setup can still become the “Man in the Middle” if they're physically close enough to you, but since all communications between you and the intended WAP will be encrypted, the criminal won't be able to understand or decipher any of it. Thus they won't be able to hack you, but if they just want to wreak mischief, they can still do what's called a DoS (“Denial of Service”) attack where they send all your computer's communications into the virtual “trash bin” and you end up getting slow or no Internet service at all. This is the risk you take when you compute in public, but a lack of Internet service is far better than being hacked and having your credit card or other information stolen, or your computer infected.

Although nowhere near as good as a VPN, there is a good extension for the Chrome and Firefox browsers called HTTPS Everywhere. This extension automatically takes your browser to encrypted (https) versions of websites you wish to visit, when both encrypted and unencrypted versions exist. So, for example, if you type “mail.yahoo.com” into Chrome, it might take you instead to “https://mail.yahoo.com”.
Your connection to an “https” website is indeed encrypted. Unfortunately, most websites do not offer “https” (SSL/TLS encrypted) access, but rather only regular, unencrypted “http” access. (A VPN would protect you regardless because the entire connection is encrypted.) Remember that a login webpage or a financial/banking website should ALWAYS be encrypted with https. If it's not, the site in question is probably not genuine; do NOT proceed.

The second most dangerous game: Using public Wi-Fi in “non-public” settings

You might think you're safer using a hotel's Wi-Fi instead of Starbucks' Wi-Fi (because you're not out in the open), and you are somewhat, but danger still lurks. You're still using public Wi-Fi, which goes through walls, windows, ceilings, and so forth. The bad guys can't see you, but if they're close enough (for example, in a nearby hotel room) and using a powerful enough WAP, they can still pull off Evil Twin and Man in the Middle attacks! Therefore most of what I said in the previous section still applies. You definitely still need to use a VPN when using public Wi-Fi, regardless of whether you are out in the open or not, and a password manager with a biometric interface is not a bad idea, either.

By the way, for corporate and government types, who might have secrets that powerful bad guys really, really want, you should know that both screens and keyboards have EM (electromagnetic) signatures. EM waves go right through walls, windows and ceilings. If the bad guys have sophisticated equipment, they can intercept these EM waves and thereby “see” what's on your screen and what you are typing on your keyboard. They do make special screens and keyboards that are shielded against EM—as well as physical “EM enclosures”—so if you are traveling and need to protect important corporate or government secrets, definitely invest in these. Bad guys who are really dedicated can “bug” rooms, so using a privacy screen (or that EM enclosure) may be in order as well.

Watch out for the camera and microphone

If you do get hacked (and I hope you don't), the bad guys can remotely turn on your built-in camera and microphone and record everything you do and say. A simple piece of removable tape (e.g., painter's tape) over your camera's lens will do the trick. You may need tape over cloth or foam to dampen the microphone port, or in the worst case an air hose blowing air across the microphone port (for example, with a fish tank aerator). Try to record yourself via the “muted” microphone to see if you have successfully muted it or not. I have heard that high tech laser devices can “read” sound from the vibrations of your window panes, and that a fish tank air hose blowing air against the pane works in that case as well.

12. Know your odds before doing something risky.

You should know a little about the kinds of troublemakers out there so that you can better assess potential threats. Bad guys tend to come in three basic varieties:

A. Thieves and con men

They just want to get rich at your expense. They want to:
- Send you annoying spam in hopes that you’ll click it, whereupon a fraction of a penny goes into their bank account.
- Steal your identity and credit card information to purchase things for themselves with your money.
- Trick you into actually sending them your hard-earned cash.
- Infiltrate your computer and use it to send spam and conduct exploits so they can make even more money (while remaining anonymous).

NEVER send hackers money or your credit card info no matter what they say. If your computer ever becomes infected, take it to a computer professional who can remove the malware. NEVER EVER try to “buy your way” out of the problem. The criminals will just take your money and leave the malware in place in hopes of extorting even more money from you. EVEN IF they removed the malware, by paying their “ransom” you're simply encouraging the criminals to continue to commit their crimes.

B. Pranksters, saboteurs and ne’er-do-wells

These guys don’t care about anyone else’s happiness or feelings. They want to make your computing experience (and your life) harder just because it makes them laugh, or gives them a feeling of power, or because they hate the world. They want to:
- Infect everyone’s computer with software that turns your screen upside down (so that words and pictures are all upside down) or makes your mouse move in the opposite direction (so the mouse cursor moves left when you move the mouse right)
- Steal your online passwords and then lock you out of your own website or other online media, and then taunt you
- Infect everyone’s computer with a virus that renders the computer inoperable, or makes it constantly or randomly reboot, or causes other vicious mayhem
- Turn your computer into a robot that they can then use to attack other people’s, corporations’ and governments’ computers

If you're not competent to remove such malware, take your computer to a professional.

C. Vigilantes

They’re on a self-appointed mission from God (or some other authority) to stop you, sinner, from doin’ wrong. They want to:
- Set up fake porn sites, infect real ones, and make sure your computer gets infected because you were looking at (or trying to look at) pornography, you heavy-breathing, tight-fisted yankophile!
- Infect you for surfing to a gambling website where you would have gambled away the baby’s milk money, you no-good selfish bastard!
- Infect you for uploading or downloading pirated music, movies, video games, operating systems or other software. People are supposed to pay for those files, you sticky-fingered klepto!

Recently a new crop of criminals has engaged in the above behavior not for reasons of vigilantism but to extort infected users for money. Called ransomware, the scam uses an infected fake or real pornography/gambling/pirated goods website to extort money by telling users they have “committed a crime” by trying to view the pornography, or gamble, or download the files in question, and that they must “pay a fee” to some supposed government agency to regain control of their computers. NEVER PAY THE RANSOM! Remove the infection yourself or take your computer to a professional. As mentioned in part A above, even if you pay they'll often leave the infection in place, and even if they remove it, by paying you're encouraging them to continue to harm others.

A similar exploit called scareware aims to trick you out of your money by pretending to be an antivirus program that has detected “multiple infections” on your computer and needs you to “pay up” (usually by inputting your credit card) so that it can remove all the viruses/infections. In fact, IT is the infection! It is the disease, not the cure – you've already been infected, and if you give them your credit card or pay them money, they'll probably just try to extort more money from you, or leave the infection in place. Again, NEVER pay money to hackers. Take your computer to a professional.

There are also attackers out to wage corporate or governmental espionage, or even cyberwarfare, but such threats represent a relatively much smaller number of attacks compared to the mass-scale attacks described above, and probably won’t affect you unless you work in government or for a targeted corporation.

Some Things You Should Know

- There’s not really a Nigerian (or British, or Arabian) prince (or princess, or rogue military officer) who needs your help to transfer $16.7 million in U.S. currency
- That e-mail you just got from your old classmate “John” (or “Mike” or “Jane” or “Sally”) probably isn’t really from an old classmate
- You can’t really get a free computer, mobile phone or iPad just for clicking on an Internet link… but you can get a free virus!
- That Craigslist post with an apartment whose rent is half the price of all comparable apartments in the same area, with lots of beautiful pictures but no specific address given, isn’t actually looking for a renter
- That Craigslist post offering a job with an unbelievable salary and asking you to send intimate details about yourself—including your social security number—isn’t really looking to fill a job vacancy

In general, if it seems too good to be true… It probably is! Beware!

13. Use OpenDNS

There's a system called DNS—short for Domain Name System—that takes a website’s name (like “HouseOfEvil.com”) and turns it into a numerical address (like “66.66.66.66”) that's required in order to retrieve a website’s data. DNS servers are like oracles that hear your intended site’s name and give you back a number called an IP (Internet Protocol) address. Often, your DNS server is assigned to you automatically by the Internet provider you use. But in this world of roaming wireless connections and providers of unknown source and reliability, the possibility of being exposed to a hacked DNS server that takes you to “www.InfectYouNow.com” when you really typed in “www.yahoo.com,” is REAL.

What you need are DNS servers that you can rely on. The good folks at OpenDNS make it their business to NOT be hacked and to offer FREE DNS servers that are up-to-date, trustworthy and online (available) all the time. Not only that, but they offer free filtering services, so if you don’t want young Johnny going to “SuperPorno.com,” you can block that. OpenDNS is a great service that I highly recommend.

http://www.opendns.com/

14. Secure your home wireless network

Secure your home wireless network by giving it a password or passphrase. Doing so will help to ensure a certain level of encryption and privacy, and also decrease the likelihood of strangers using up your Internet connection’s “speed” or bandwidth without your permission. It is highly recommended that you use the latest security standards such as WPA2-AES. Do not leave your home network unsecured, or secured with WPA (i.e., WPA “1”) or TKIP. While you're at it, put a password on your router and disable remote router access. This will also go a long way toward discouraging hackers.

15. Use anonymity when appropriate

Some people want to remain anonymous on the Internet, and for good reason: They are corporate whistleblowers, or they want to tell the world the truth about their corrupt government (which doesn’t want them to tell the truth). Still others want to do mayhem anonymously. The bottom line is this: You can do things anonymously—to a certain extent. There is no such thing as perfect anonymity on the Internet. Let me repeat that. There is no such thing as perfect anonymity on the Internet. Assume that anything you do on the Internet will eventually be found out and traced back to you. Knowing that, you can decide whether or not what you’re doing is honorable and important enough for you to take your chances. Most browsers have some “incognito” or “anonymizing” function built into them these days, but while such functions are useful and welcome, they are not perfect. Another, better option is a combined software-and-network solution called Tor. Just bear in mind that there is no such thing as perfect anonymity on the Internet. If what you want to do is something foolish and stupid—like filming yourself (disguised) dropping a flaming bag of dog poop on your neighbor’s doorstep and uploading the results to YouTube—you can EXPECT to get caught. You’re not saving the world, you’re just being an idiot. Don’t do it.

16. Separate your data files from your system files, and back up both

Separate your data files from your system files

Every functional personal computer runs an operating system (OS). The OS is the “main program” on top of which all your other programs (application and utility programs) run. The files on your disk that comprise the OS, application programs and utility programs are called your system files. Your data files are all the other files on your disk drive. These include your music files, your pictures, your videos, your Microsoft Office documents (including Word, Excel and PowerPoint) and other documents, your databases (if you have any), your text files, and any other files you would normally think of as “information.” Your data files are the files that are particular to you or your company, and as such they are normally more important to you than your system files. System and program files can normally be re-installed from disk or re-downloaded from the manufacturer. But if your personal or corporate data file is lost, and there is no other copy of it, it will be lost forever.

I strongly encourage you to keep your data files on their own external hard drive or thumb drive. Most infections affect your system files and reside on the same physical disk as your system files. If your data files also reside on the same drive as your system files, then you will not be able to simply erase your system drive and start over (i.e., reinstall your OS and programs) without losing your data files or having to go through a complicated “search and rescue” mission to back them up first. By keeping your data files on a separate drive, if your computer ever does get infected, it's a simple matter of erasing your system drive and re-installing the OS and programs. Regular backups also become easier, because you only need to tell your backup software to back up your entire data drive. You do not have to “separate the wheat from the chaff” (isolate your data files) as you would if your system and data files were mixed on the same logical or physical drive. Lastly, if you keep your data files on a separate physical drive from your system files, and your system drive has a physical hard-drive crash, your data files remain unaffected.

Note that in the case of an infection or hard disk crash, you'll need the original disks for your OS and programs to re-install them, so be sure to keep them in a safe place. If you downloaded any programs from the Internet, you will need those downloaded installation files along with any license key or passcode files necessary to install them. Such downloaded files, in this case, should be backed up onto optical disks so that they, too, can be restored.

At least back up your data files

Regardless of where you store your data files, be sure to back them up regularly. Hard drives (unless you buy the solid-state kind, which are expensive) are mechanical devices, and mechanical devices wear out over time. They just do. (Even solid state devices—though much more durable than mechanical hard drives—can fail because of a power surge, electrical short, or severe physical disaster.)

A (mechanical) hard drive has a read/write head that is designed to sit very, very close to the disks (platters) it magnetically reads data from and writes data to—while never actually touching them. Over time, because of heating and cooling and mechanical wear, the head may get closer and eventually touch—or crash—into the data platters. And then you’re really in trouble—unless, of course, you backed up your data. If the hard drive your data files reside on fails because of a disk crash—a very common occurrence—you’re looking at $1500 to have professionals open it up and try to recover your data, and there’s no guarantee they’ll recover all of it or even half of it. You’re either gonna be very poor or very sad, or both. Your data can get destroyed by a virus or other malware just as surely as it can by a hard-drive failure.

Bottom line: BACK UP YOUR DATA. You have absolutely NO EXCUSE for not backing up your data! Nowadays most operating systems come with backup software built-in, and there are many good, free backup programs out there:

http://windows.microsoft.com/en-US/windows7/products/features/backup-and-restore
http://www.todo-backup.com/products/home/
http://www.2brightsparks.com/download-syncback.html
http://www.educ.umu.se/~cobian/cobianbackup.htm

Heck, you don’t even need backup software to back up your key files. Burn ’em to a CD or DVD (using the freeware mentioned in the Live Disk section), copy ’em to a flash (USB/thumb) drive, zip ’em and upload them (if they’re small) to an online e-mail account—there are many ways. Just back up your data on a regular basis! There are also many online backup solutions. Online backup solutions automatically back up your important files to online servers every time you’re on the Internet. The peace of mind you get is worth the price.

https://en.wikipedia.org/wiki/Comparison_of_online_backup_services
https://www.box.com/
http://www.carbonite.com/
http://www.crashplan.com/
https://www.dropbox.com/
https://drive.google.com

Just remember this: If you don’t back up your data, sooner or later, you’re gonna be sorry. Better to be safe than sorry. Back up your data.
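As an added example of the advice in this section (keep your data on its own drive, back it up, and check that the backup is good), here is a small Python mirror-and-verify script; it is not part of the pamphlet and not code from any of the products listed above. The folders it uses in demo() are constructed temporary stand-ins for a data drive and an external drive; for real use, call backup_tree and verify_backup with your own two paths.

```python
"""Mirror a data drive to a backup drive and verify every copy by hash.
Added example for the back-up advice in section 16, not part of the pamphlet;
demo() uses constructed temporary folders standing in for the two drives."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so big videos don't fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup, skipping files whose size and
    modification time already match (a cheap incremental backup). Returns how
    many files were copied and how many were skipped."""
    copied = skipped = 0
    for src in source.rglob("*"):
        if not src.is_file():
            continue
        dst = backup / src.relative_to(source)
        dst.parent.mkdir(parents=True, exist_ok=True)
        if dst.exists():
            s, d = src.stat(), dst.stat()
            if s.st_size == d.st_size and int(s.st_mtime) == int(d.st_mtime):
                skipped += 1
                continue
        shutil.copy2(src, dst)  # copy2 keeps the modification time
        copied += 1
    return {"copied": copied, "skipped": skipped}


def verify_backup(source: Path, backup: Path) -> list:
    """Re-read both copies of every file and return the relative paths that are
    missing from the backup or whose bytes differ; [] means a faithful copy."""
    problems = []
    for src in source.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(source)
        dst = backup / rel
        if not dst.exists() or file_digest(src) != file_digest(dst):
            problems.append(rel.as_posix())
    return sorted(problems)


def demo() -> dict:
    """Full cycle on constructed sample files: back up, verify, then corrupt and
    delete files on the backup drive and show verification catches both."""
    root = Path(tempfile.mkdtemp())
    data, ext = root / "data_drive", root / "external_drive"
    (data / "docs").mkdir(parents=True)
    (data / "docs" / "letter.txt").write_text("Dear Grandma, ...")
    (data / "photos.bin").write_bytes(bytes(range(256)) * 8)
    for f in data.rglob("*.*"):            # fixed old timestamps, as on a real drive
        os.utime(f, (1_000_000_000, 1_000_000_000))
    first, clean = backup_tree(data, ext), verify_backup(data, ext)
    second = backup_tree(data, ext)        # nothing changed, so all skipped
    (ext / "docs" / "letter.txt").write_text("Dear Grandpa, ...")  # same size, bad bits
    (ext / "photos.bin").unlink()                                   # lost file
    damaged, repaired = verify_backup(data, ext), backup_tree(data, ext)
    shutil.rmtree(root)
    return {"first": first, "clean": clean, "second": second,
            "damaged": damaged, "repaired": repaired}
```

The point of verify_backup is that a backup you have never read back is only a hope; the size-and-time check in backup_tree is fast but cannot see the corrupted letter.txt, while the hash comparison can.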

17. Conclusion: Just Who or What Can I Trust?

There is no Internet website or medium that you should trust 100% all of the time. Even the best can get hacked, so always be vigilant. That said, some web locations deserve more trust than others. Trust the sites you know well—the ones you’ve already established as being trustworthy. Bookmark those sites so you don’t forget them. Big-name sites like Yahoo (and Google and McDonald’s and so on) tend to be more trustworthy because they have larger computer-support staffs and bigger budgets to fight hackers and malware attacks. Trust the links on trusted sites that are not publicly writable much more than those sites (trusted or not) to which anyone can post a link. Sites that Norton Safe Web or McAfee Site Advisor (and their community ratings) report as being trustworthy tend, in fact, to be more trustworthy.

For more useful information, check out the following links:

https://www.google.com/goodtoknow/
http://www.microsoft.com/security/default.aspx
http://windows.microsoft.com/en-us/windows7/Understanding-security-and-safer-computing
http://www.cert.org/tech_tips/home_networks.html
http://www.stopbadware.org/protect-your-pc
http://www.fbi.gov/scams-safety/computer_protect
http://nakedsecurity.sophos.com
http://arstechnica.com/security/
http://arstechnica.com/feature-series/ars-security-guide/
http://krebsonsecurity.com/

Stay safe out there.

Mike Matloff
April 20, 2013