In the world of comic books, every bad guy is an evil genius. On the Web, hackers, spammers, and phishers may be evil, but they're not required to be geniuses. They can make a healthy living just by exploiting known security holes that many users haven't bothered to patch. Or by relying on the propensity of millions of people to do things they've been told over and over not to do.
The silver lining is that you don't have to be a genius to avoid these common attacks either. Implement a few simple fixes, and you'll avoid most of the bad stuff out there.
[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
Fix 1: Patch Over the Software Bull's-Eye
Have you turned off automatic updates for Windows and other programs on the rationale that "if it ain't broke, don't fix it?" Then consider this: Your programs may be very, very broken, and you don't know it. The days of big splashy viruses that announce themselves to PC users are over. The modern cybercriminal prefers to invisibly take control of your PC, and unpatched software gives them the perfect opportunity to do so.
Today, a hijacked Web page--modern digital crooks' attack of choice--will launch a bevy of probes against your PC in search of just one unpatched vulnerability that a probe can exploit. If it finds one, better hope your antivirus program catches the ensuing attack. Otherwise you likely won't even notice anything amiss as it infects your system.
Luckily, you can completely block the majority of Web-based exploits by keeping all your programs--not just the operating system or your browsers--up-to-date. Attack sites ferret out holes in seemingly innocuous applications such as QuickTime and WinZip as well as in Windows and Internet Explorer. So turn on automatic update features for any software that offers the service--it's your quickest and easiest option for getting patches.
Fix 2: Find the Other Holes
If every program used easy automatic updates--and we were all smart enough to use them--the thriving malware business would take a serious hit. Until then, a free and easy security app from Secunia can help save the day.
The Secunia Personal Software Inspector, available as a free download, scans your installed software to let you know which out-of-date programs might be making your PC unsafe. But it doesn't stop there--for each old program it finds, it offers quick and easy action buttons such as one labeled Download Solution, which retrieves the latest software patch without you even having to open a browser.
The program also gives you links to the software vendor's site as well as Secunia's full report about the vulnerability on your system. You can choose to block future warnings about a particular program (but you should, of course, be careful before doing so).
Secunia PSI isn't perfect, and doesn't always make it easy to update unsafe program components. But for most apps it provides a quick--and very important--fix.
Fix 3: Let the Latest Browsers Fight for You
The most insidious hijacked Web pages are nearly impossible to spot. Tiny snippets of inserted code that don't display on the page can nevertheless launch devastating behind-the-scenes attacks.
Trying to avoid such pages on your own is asking for trouble, especially since crooks like to hack popular sites--attacks against sites for Sony games and the Miami Dolphins are just two well-known examples. But new site-blocking features in the just-released Firefox 3 and Opera 9.5 browsers provide some shielding.
Both browsers expand on the previous version's antiphishing features to block known malware sites as well, whether they're hijacked pages on legitimate sites or sites that were specifically created by bad guys. Neither browser completely eliminates the risk of landing on such pages, but every additional layer of protection helps.
Microsoft plans to add a similar feature to Internet Explorer 8, but this version won't be ready for prime time for a good while. For more on the browsers' improved security, see "New Browsers Fight the Malware Scourge."
Fix 4: Sidestep Social Engineering
The most dangerous crooks use clever marketing to get you to do their dirty work for them and infect your own PC. Lots of social engineering attacks are laughably crude, with misspelled words and clumsy grammar, but that doesn't mean you should dismiss the danger. Every now and then, a well-crafted attack can slip past your defenses and lure you into opening a poisonous e-mail attachment or downloaded file. A targeted attack might even use your correct name and business title.
To fight back, turn to a simple but powerful tool: VirusTotal.com. You can easily upload any file (up to 10MB) to the site and have it scanned by a whopping 35 different antivirus engines, including ones from Kaspersky, McAfee, and Symantec. A report tells you what each engine thought about your file. While some (such as Prevx) are prone to false alerts, if you get multiple specific warnings that include the name of the particular threat, then you almost certainly want to delete the file.
A lack of warnings doesn't guarantee a file is safe, but it does give you pretty good odds. Use VirusTotal to check every e-mail attachment and download you're not 100 percent sure about, and you'll avoid insidious social engineering.
If using VirusTotal starts to become a habit (not a bad idea) and you want to make sending files for scanning to VirusTotal really easy, download the free VirusTotal Uploader. Once you've installed the utility, just right-click a file, and you'll see an option (under Send To) to upload it to the VirusTotal site.
Fix 5: Get the Jump on Fast-Moving Malware
Traditional, signature-based antivirus software is getting snowed under by a blizzard of malware. Attackers try to evade detection by churning out more variants than security labs can analyze. So besides signatures, any antivirus program worth its salt today uses proactive detection that doesn't require a full signature to spot sneaky malware.
One promising approach uses behavioral analysis to identify malicious software based solely on how it acts on your PC. But your antivirus software by itself may not be enough. ThreatFire, a popular free download from PC Tools, adds such a layer of behavior-based protection. In recent tests, it correctly identified 90 percent of malware based on its behavior alone.
PC World's ThreatFire review provides a thorough analysis of the program and a quick download link (as well as a warning about installing too many security programs on one PC). And for more on behavioral analysis and proactive virus detection, see "When a Signature Isn't Enough."
Note: If you use the AVG Free antivirus program, hold off on trying ThreatFire until PC Tools releases a new version. The current 3.5 version conflicts with AVG, but PC Tools says it's working on a fix.
Fix 6: Rescue Your Inbox From Spam
Spam filters are getting better, but some junk still makes it through even the best of them. Instead of resigning yourself to hitting delete for all those hot-stock and Viagra come-ons, try disposable e-mail addresses.
Such an address is something you create every time you encounter an online shopping site, forum, or other service that requires you to enter an e-mail address. If that address gets flooded with spam, you can terminate it. That's a better system than the alternative, creating a free Web mail account that you use only for purchases and Web signups. With a single separate account, you have to throw the baby out with the bathwater and cancel the whole account if it gets too much spam.
Yahoo Web mail users can opt for the $20-a-year Plus service, which includes the AddressGuard disposable e-mail service (among other benefits). With it, you can click a bookmark to create a new, disposable address for any given site in about 10 seconds.
Gmail users can simply append "+ whatever" to their regular e-mail address before handing it out, but if that address starts to receive spam you can't simply turn it off. You'll have to create a filter in Gmail to block all mail to that address.
For everyone else, we suggest a good, free service from Spamgourmet.com that's quick and easy to set up and use; it allows you to create disposable addresses on-the-fly that will forward e-mail messages to your regular address.
Fix 7: Develop an Antiphishing Habit
The dastardly practice of phishing for personal information is still alive and well, and many fake sites can be hard to distinguish from the real ones. But a few simple practices can ensure you'll never be snagged by a phishing hook.
The best approach, and the most straightforward, is never to click a link in any e-mail message to access your financial accounts. Instead, always type the URL or use a bookmark. That one habit will protect you from almost every phishing attack.
If you can't make that change, then at least use the latest version of Internet Explorer, Firefox, or Opera to browse the Web. All have built-in features to block known phishing sites (and, as described in Fix 3, Opera and Firefox now also block known malware sites). Avoid Safari, which lacks any built-in antiphishing protection.
Finally, keep an eye out for the common phishing tactic of using URLs like "http://adwords.google.com.d0l9i.cn/select/Login." If you glance at the URL (an actual recent example listed by Phishtank.com), you might think the site's domain was google.com. In fact, it's heading to d0l9i.cn, a site in China where operators are standing by to swipe your personal details.
Internet Explorer 8 will use an innovative feature called Domain Highlighting that will make spotting such trickery easy. But until it becomes available, watch URLs carefully.
Fix 8: Keep Your Own Site Safe
It's not a good time to run a Web site. The Web may look like a digital wonderland, but behind the scenes it's a war zone. And the guns are trained on your site.
Crooks use automated tools to search sites for the most common vulnerabilities. If they find one, they blow the hole wide open to plant harmful code that will attack your loyal visitors.
To help keep your site safe, start with some quick, free scans that ferret out the most obvious problems. First, fill out a form at Qualys.com to request a free scan of one IP address.
Next, download the also-free Scrawlr tool from HP. After a quick install, use Scrawlr to scan your site for SQL injection vulnerabilities (a type of hole targeted in a recent Sony site hack).
Fix 9: Make Your Passwords Secure -- And Easy to Remember
Online passwords are starting to seem about as safe as tissue paper protecting a bank vault. The supply of stolen logins is now so huge that crooks can hardly make any money selling them unless they add other ripped-off data, like addresses or Social Security numbers, according to security researchers. And thieves don't stop with stealing logins to financial accounts--the bad guys regularly pilfer access information for Web mail accounts as well. In one recent case, a scammer broke into Web mail accounts and sent messages to the victim's friends asking for money.
Experts say we should use strong, unique passwords for all our accounts. But they don't tell us how we're supposed to remember them, so most of us end up using the same, not-so-safe password at all our accounts.
Here's an easy fix that allows you to remember just one password, yet still have a strong, unique password for each site you use. The Password Hash (or PwdHash) add-on for Firefox and IE takes that simple password you type and runs it through an algorithm that uses the site's domain name as part of the calculation. The utility subs in the resulting strong password before you send it to the site. All you have to do (after installing Password Hash) is hit the F2 key in a password box before you type.
For a download link and more info on this useful tool, head to the PC World Downloads page.
Fix 10: Get Extra Cleaning Help for Stubborn Infections
Sometimes even the best antivirus program misses an infection. And once a virus or Trojan horse gets in, removing it can be incredibly tough. If you suspect some nasty got past your defenses, then it's time to bring in extra help.
Many antivirus makers offer free and easy online scans through your Web browser. The scan will take time, as the scanning service will need to download large Java or ActiveX components before it can get started, but they're easy to kick off. You can run them in addition to your already-installed antivirus application for a second (or third, or fourth) opinion. Here's the lowdown on your options.
Trend Micro HouseCall: Will detect and remove malware; works with both IE and Firefox.
BitDefender Online Scanner: Detects and removes malware; requires IE.
Kaspersky Online Scanner: Detects malware, but doesn't remove it; works with IE and Firefox.
F-Secure Online Virus Scanner: Detects and removes malware; requires IE.
ESET Online Scanner: Detects and removes malware; requires IE.
PC World is an InfoWorld affiliate.