Preventing Unauthorized Access
How To Protect Yourself — Security Basics
Stop. Think. Connect.
You can prevent a lot of problems if you follow StaySafeOnline.org's advice and Stop to Think before you Connect.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
- THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
- CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.
Take the time to determine if the message is legitimate even if it comes from someone you know.
- It is easy to copy images and use them to commit fraud or identity theft.
- If you're asked for your password in ANY email that is a warning sign.
- Don't trust the linked text in an email or on a website. It can be faked.
- Be wary of phone calls or emails that ask for personal information or insist you go to a website to fix a problem — these calls are scams, no matter who they say they are.
Take Care in What You Share
Only share online what you'd like others to share about you. Once posted, that information is “in the cloud” forever. In an instant you could ruin someone's reputation — even yours.
Security Isn't Just a Technical Issue
What's The Incentive?
We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure.
— Bruce Schneier's Crypto-Gram
Microsoft Products More Vulnerable
Microsoft has placed the emphasis on ease-of-use rather than on making their software secure. Not only Windows, but Office and other software is designed to easily exchange information. That ease allows vulnerability in one component to affect ALL the others.
Hacking Windows: Easier Than You'd Think
Hacking Vista: Easier than you'd think is an instructive video on YouTube that shows how a hacker can gain access to a computer without the user being aware of it.
What is particularly interesting is how the user can misinterpret the “infection” incident so that the hacker gained total access in a very short time.
If Microsoft bore the cost of security failures in their Windows and Office software, as Ralph Nader forced the auto industry to accept responsibility for their failures, fewer vulnerabilities would exist or be allowed to continue unchecked. Instead, we are spending large amounts of money annually on security programs.
Other Systems Also Vulnerable
Other operating systems have experienced fewer security problems because they are neither as vulnerable nor as readily targeted. This is changing for Mac users as Apple products like the iPhone, iPad and Mac computers gain market share.
Running Older Windows?
If you are running a version of Windows older than Windows 7, you should upgrade. Such upgrades are best done on newer hardware as the system requirements (the speed, storage and memory needed to run them) are more demanding.
- Be sure the latest Service Pack is installed as well as all critical updates.
- Support for XP ended on April 8, 2014 and XP will be increasingly unsafe to use.
- Learn about Microsoft's End of Support Guidelines
If your computer is not capable of running Windows 7 or later, you might want to consider using an alternative like the free Linux-based Lime or its variations.
- Linux is free to download, install and use (you can also purchase support if needed).
- The system requirements are lighter than the newest Windows versions so you can continue to use your current hardware.
- Lime automatically installs most of the software the average person uses, including an alternative to Microsoft Office.
- Linux is more secure than Windows by design (it allows you to run your system while keeping out unauthorized users yet you can perform administrator tasks by providing the Administrator password).
Lime updates itself in a similar manner to Microsoft Update (you need to download and install newer versions but not updates to the installed version). If you are a typical user, it will work better than the Windows currently installed on your existing hardware.
False Confidence Deadly
If you think you're protected, consider the findings of one study that reported a large number of security incidents:
Nevertheless, almost three quarters of those surveyed reported believing that their PC is very secure or moderately secure.
— AOL/NCSA Online Safety Study
Close Security Loopholes
Windows is full of security loopholes and we're exposed to many others if we give precedence to convenience over security.
- Symantec notified users in 2012 that their pcAnywhere remote connection software had been compromised.
- Windows Remote Access is enabled by default — an unnecessary security hole because few users ever need it.
Restrict Access to Computers & Networks
Create a security policy for the computers in your home or office. This will provide guidelines in making security decisions and help your family or employees understand the need for security.
Restrict access to business computers:
- Only employees with significant understanding of the risks should have administrative rights and your policies should indicate what software they can or can't add or remove without express permission.
- Software, security and Windows updates are best done by you so that you know your computers are protected.
- Access to personal social media sites like Facebook or personal software on business computers can lead to security risks for your business.
- You'll also want to be careful with business use of these accounts as it is just as easy to unLike you if something goes wrong.
- The use of unsafe media like USB thumb drives can infect computers on your network as well as the one that was initially accessed.
Restrict access to home computers:
- Your children should not have Administrator rights on their computers.
- Your children should not be running software on your business computers. Why put your business data at risk?
- Your children should not allow their friends to make changes of any kind to the family's computers.
- Use passwords and answers to security questions that aren't based upon information posted on social media sites like Facebook or easily guessed by others.
It is important that anyone servicing your computers is knowledgeable and trustworthy:
- Get professional help from a reliable source.
- While an employee or the kid across the street might know more than you, they might not know enough.
- Your policies should indicate how servicing is to be carried out and by whom.
Ensure that everyone using your computers understands how to evaluate risks. It is very common to receive warnings by phone or email indicating your computer is “infected.” ALL are scams. Watch for these signs:
- Simply opening an infected image or other attached file can be enough to endanger the data on your computer.
- Any warnings that appear on your screen, particularly if they indicate that you have hundreds of infections, are scams. Know how your security software reacts to an infection.
- Do NOT follow instructions given by an unsolicited email or phone call. These calls are scams, no matter who they say they are. Just hang up.
- There are logs on Windows computers that show errors even when they are operating normally. Scammers may try to use these logs to convince you that your computer is infected.
- If you provide the caller with access to your computer so they can “fix a problem” you'll end up with an infected computer, an excessive credit card bill or both.
Children and employees should be instructed NOT to respond to such ploys. If you're concerned, call the person that maintains your computers.
Key Elements of Security
To enhance the security of your computer(s) and computer networks, you need to include the following components in your protection plan:
- Wise choice of programs
- Effective security software
- Firewall protection (a router & software backup)
- Strong Passwords
- Protect Your Email Address(es)
There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.
Choosing Your Programs Wisely
The choice of software to use on your computer affects how vulnerable you are to security-related attacks. This is particularly true for Windows users, specifically in regards to your choice of web browser and email client.
If you're determined to use Internet Explorer, be sure to use the most recent version available to you and install all critical updates. Firefox is strongly recommended.
Universal Microsoft = Universal Vulnerability
Standardization of Windows using the built-in Internet Explorer and Outlook Express was seen by many as a way to make it easier for managers to find “trained” employees.
Unfortunately, it has also made us more vulnerable to inappropriate uses of that technology, including viruses, hacking, phishing and more. One example is the GDI+ Windows vulnerability for JPEG images, which was exacerbated by the widespread use of Microsoft Office.
Java, Reader and Flash Most-exploited Windows Programs
A recent study indicated that Java, Adobe Reader and Flash are the most-exploited Windows programs. These programs are so widely installed that they make an attractive target for malware.
- Regularly check to see if your Firefox plugins are up to date.
- Adobe Flash is frequently updated and is rapidly losing ground to HTML 5's native rendering as well as Microsoft's Silverlight.
- Adobe Reader has tried to include everything and as a result is bloated and more vulnerable. Try alternatives like Nitro PDF Reader which provides more features.
- Oracle's Java should be checked for updates regularly and all older versions removed. Take advantage of Adobe's online service to check for older versions.
Free Software Can Cost You
Many of the free utilities, screen savers and similar programs available on the Web are either adware/malware or install third-party software along with the main program that collects information about you.
Search for what others have said about a program using the program name or executable file as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.
Use Peer Sharing Carefully
Peer-to-peer (P2P) sharing can be useful, but that depends upon what is being shared and what service is being used.
The attraction of downloading free music, movies and more using peer-to-peer software has created problems for many users.
- You're exposing your computer to any viruses and malware on the computers you're connecting to.
- Most file-sharing programs automatically create an upload of files from your computer making you subject to fines for illegal sharing.
- The owner of the Internet connection is liable for any activity on their account.
What you need to know about peer-to-peer file sharing includes the following suggestions (see the article for explanation):
- Before you start, make sure your computer's security software is up-to-date
- Stick to legal file-sharing services
- Use your computer's security software to scan downloads
- Don't upload (or download) copyrighted material
- Pay attention when you install P2P programs
- Close the P2P connection when you're finished
- Refrain from using P2P file sharing at work
- Make sure your kids understand the risks
If you have any doubts, just don't do it.
Toolbars Compromise Privacy
Toolbars provided by vendors like Yahoo! and others are often installed without your permission or as part of another installation. These toolbars may be convenient, but also provide their vendors with information about your surfing habits and tend to clutter your browser and reduce the size of the display window.
Effective Security Software
Traditional security products (firewalls, security suites, antivirus and antispyware products) are made to fight PC-based threats, but you also need to worry about web-based threats, which can develop very quickly.
Threats are no longer simple viruses (or “worms”) but multifaceted attacks on several fronts at once. You need to protect yourself with a security suite that protects you simultaneously from all possibilities and is constantly updated to deal with the threats you face when surfing the Web.
Be sure that it can do the job without degrading your computer's performance too much. I strongly recommend ZoneAlarm's Extreme Security for the most extensive protection, including protection against keylogging (the capturing of data entered via the keyboard).
Your privacy has never been under attack as intensely as it is today. You need to protect yourself using legitimate privacy tools. All current security suites and most antivirus software contain some form of antispyware protection.
An effective firewall is an essential part of your protection, particularly if your computer accesses a broadband connection or is connected via wireless (and most of us are today).
Effective Protection is Multifaceted
You need two kinds of firewall protection:
- A router provides a hardware firewall that secures your high-speed access to the Internet and allows you to share it between various hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, and TVs.
- An effective software firewall protects you from outgoing as well as incoming attacks and should be part of your security suite.
More and more we connect our devices to third-party wireless services in coffee shops, the mall and elsewhere. Since we don't control the hardware portion of the firewall (the router) it is essential that your security suite be up to the task of protecting you as best as possible.
Passwords are an essential part of Internet life today. They are used for everything from access to your email to the millions of websites and forums that require you to identify yourself using a user name and password combination on a daily basis.
Passwords and encryption can be effective tools only if you use them correctly.
Long and Strong
Make your passwords long and strong using random upper and lower case letters, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.
We don't generally think of wireless connections in this category, but you need to secure your wireless connections. WEP and newer variants like WPA & WPA2 use a similar format to how we access email from our ISP.
The wireless key provides security like an email account password:
| Account Type | User Name | Security |
|---|---|---|
| Wireless (WEP or WPA) | SSID | Security Key |
| The Smith's WLAN | Smith | 5D969892AF |
| Email Account | User name | Password |
In both wireless networks and email accounts, at least part of the information is public:
- The SSID is the public name of a wireless network which is broadcast unless the router is configured not to (making it harder for new computers to connect to it).
- The email user name is public because it is placed before the @ symbol (e.g. the jsmith in email@example.com) and some use the entire email address for the user name.
- Only the WEP or WPA2 key provides security just like your email account's password does.
Protect Your Email Address(es)
Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same combinations on site after site.
Hackers use social engineering to gain access. People naturally want to trust people that they know and businesses they use. Hackers use this and social media “friends” to gain their trust (essentially usurping that trust for malicious purposes).
Because of this tendency, you need to be particularly careful to examine any messages before opening them, their attachments (JPG images can be infected as can ZIP files and others) or clicking on the links.
Another method is to send a message telling you there is a file to download and provide realistic-looking images with links to a fake site where they request you login with your email address and password “to gain access” to the file. This is a phishing attempt and will compromise your email account.
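The gap between the address a link displays and the address it really opens, which is the trick behind both the "don't trust the linked text" warning and the fake download message described above, can be checked mechanically. The Python sketch below is an added example, not part of the original page; the sample message, the reserved `.test`/`.example` domains and the function names are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a web address or a bare domain name.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample message body; every domain here is a reserved test name.
SAMPLE_EMAIL = """
<p>Your file is ready:
<a href="http://examplebank.test.files-login.example/dl">www.examplebank.test/files</a></p>
<p><a href="https://www.examplebank.test/help">examplebank.test help</a></p>
<p><a href="https://news.example/story">Read the story</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (visible label, href) for every <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._label = attrs.get("href") or "", []
        elif tag == "img" and self._href is not None:
            # A clickable image has no text, so use its alt text as the label.
            self._label.append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._label).strip(), self._href))
            self._href = None

def same_site(shown, actual):
    """True when the real host is the displayed domain or a subdomain of it."""
    shown, actual = shown.lower(), actual.lower()
    if shown.startswith("www."):
        shown = shown[4:]
    return actual == shown or actual.endswith("." + shown)

def suspicious_links(html):
    """Return (label, real host) for links whose label names a different site."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for label, href in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # only web links are compared
        shown = DOMAIN_RE.search(label)
        if shown and not same_site(shown.group(1), parts.hostname or ""):
            findings.append((label, parts.hostname or ""))
    return findings
```

Only the first sample link is reported: its label names the bank, but the real host merely begins with the bank's name and belongs to a different domain. Labels that contain no domain at all ("Read the story") cannot be judged this way and still need the hover-and-read check.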
Instead of hacking your password, the “lost password?” option on a site can provide a much easier place to obtain access to your email account.
People post much personal information about themselves in public places, including social media sites like Facebook, that can be harvested for the answers to typical security questions. The nature of these questions is such that many are easily known by friends and family, such as:
- your favourite sports team(s)
- your favourite author or movie
- your best man
- your first address
How Your Email Account Could be the Weakest Link to Your Online Accounts provides more detail about this vulnerability.
So how do you protect yourself?
You can add a second method of authenticating your email passwords, preferably something that is always with you and inaccessible to potential hackers.
Two-factor authentication provides additional security that isn't available with even a strong password. As implied by the name, two-factor authentication has two components:
The second device could be a cell phone number (recommended) or a specially designed hardware authentication device (like the YubiKey) or a second email address (less secure as it too could be hacked).
There is more about two-factor security on the Passwords page.
Good Security Practices
Ensuring a secure computing experience involves all of the following:
- Choose your software with care, particularly your web browser and email client.
- Purchase and use a current security suite that includes reliable anti-virus software. Some products are free for personal use.
- Both a hardware and software firewall are an essential part of your protection.
- Check regularly for spyware on your system.
- Passwords and encryption can be effective tools only if you use them correctly. Ease of use is contrary to good security, although there are some tricks that can help you retain security while remembering complex passwords.
Keep Everything Updated Frequently
Because things change so fast on the Internet, it is important that you keep your antivirus, firewall and anti-spyware security software current (install all updates).
One study indicated that the time from the discovery of a vulnerability to when it is exploited is now four days or less. More recently that window of discovery has narrowed to less than a day.
- Check for updates at least daily.
- Weekly scans are a bare minimum.
- Real-time scanning is critical for today's threats.
Updated information about security issues can be found here:
- TechWeb Security features security news.
- Crypto-Gram is a free monthly email newsletter from security expert Bruce Schneier. Each issue is filled with interesting commentary, pointed critique, and serious debate about security.
Updated: September 26, 2014