I’m an avid listener of Security Now! with Steve Gibson and Leo Laporte. Especially for important websites (like a blog) it is prudent to keep yourself safe from being hacked. Use strong passwords for your login. Strong passwords can’t be easily remembered, because they are long (at least 22 characters) and use random numbers and letters.
Now I use a Mac, so for that platform 1Password by Agile Web Solutions is the best software solution for strong password generation and management. On Windows the best solution seems to be Roboform. Both programs offer maximum protection against hackers guessing your password and using your presence on the Web for their evil purposes.
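As an added illustration of what "strong" means here (not code from the post or from 1Password/Roboform): a small Python generator that draws letters and digits from a cryptographic random source, enforces the 22-character minimum the post recommends, and reports how many bits of entropy that length buys. The `is_strong` helper and the entropy figure are my own additions.

```python
import math
import secrets
import string

# Alphabet matching the post's description: random letters and digits.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 22  # the post's recommended minimum length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length=MIN_LENGTH):
    """Generate a password with the secrets module (a CSPRNG, unlike random).

    Retries until the result contains at least one letter and one digit,
    so it matches the 'random numbers and letters' rule from the post.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw):
            return pw


def is_strong(pw):
    """Check a candidate against the post's rule: 22+ characters,
    containing both letters and digits (other symbols are allowed)."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"(~{entropy_bits(len(pw)):.0f} bits of entropy)")
```

A 22-character password over 62 symbols carries roughly 131 bits of entropy, which is why such passwords belong in a manager rather than in memory.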
To manage my passwords across different operating systems and computers (I have two computers hooked up to the Internet, and on one I have three operating systems running), I use the Foxmarks add-on for Firefox. On Firefox 3, this add-on stores both bookmarks and passwords on their servers. The passwords are stored in an encrypted format, using a key only you know, so only you can decrypt the passwords into cleartext.
These applications make security somewhat more manageable, but security in general will always be somewhat of a nuisance. You don’t want to make it easy to guess your password, because, otherwise, it would make it too easy for the bad guy with his password cracking tools. Security and convenience seem to be opposites.
Windows makes it even more complicated, because besides trying to gain access to your stuff on the web, bad guys also want to take over your computer to do their evil bidding, preferably without your knowledge. I’m talking about viruses, worms and spyware, in short malware, which is short for malicious software.
Of course, you can install a virus scanner and virus catchers. However, the real danger is the newest viruses and spyware, which haven’t yet been detected by the vendors of anti-virus and anti-spyware software. Nowadays, you only have to visit a maliciously crafted website to get bitten by a bug in your operating system and have malware installed surreptitiously on your Windows box.
At the very least, you’ve got to keep your system, your third-party software and your virus definitions patched and up-to-date. Of course, this not only applies to Windows systems, but to any operating system, such as Mac OS X and desktop Linux. These systems have become so complex that it is impossible to exclude coding errors (called bugs) and vulnerabilities.
Even if you keep your operating system (etcetera) updated, you can’t be sure you’re protected against every method of compromising the security of your system (someone breaking into your computer and stealing your information, or using it as a zombie computer for spamming and to extort gambling websites). Does that mean the bad guys have won, and we should just give up? Of course not! It is an ongoing arms race, and you just have to make it hard enough for the bad guys that they give up breaking in and look elsewhere for a system that is easier to get into. If the lock on your door isn’t good enough anymore, change the lock.
Because Windows seems to be the main target at this moment, let us concentrate for a moment on that. So you keep your Windows OS updated, and still your computer could be overtaken by malware. What could we do to prevent that? What is our next line of defense? Enter Sandboxie.
Sandboxie is a Windows service that can be installed on your system, and creates a sandbox around your web browser (or any application you run on your Windows system). This sandbox prevents the program from changing your system. Once in the sandbox, the program cannot modify your system in any way, unless you tell Sandboxie it is OK.
Sandboxie was originally created for Internet Explorer, but nowadays it can be used for any piece of code, even programs that don’t touch the Internet at all (run locally). This means you can download an application in a sandboxed browser session, run it and see if it behaves. If it does, you can run it in its own sandbox for a while (a few weeks) to see if it keeps behaving. If it does, you can let it roam free on your Windows system without the sandbox.
It is a great solution.
Of course, Sandboxie won’t protect you from websites trying to trick you into revealing your credentials, or even tricking you into clicking on invisible buttons (called clickjacking), possibly to “free” you of the money in your bank account, unknowingly letting you gift products on Amazon to strangers, or something else you don’t want to happen without your knowledge. For this you need to change your behavior. Simply log out of your accounts every time you’re leaving a website you’ve logged in to. Don’t just close the window, but actively log out, by clicking on the log out button.
Clickjacking is browser and operating system agnostic. This means it applies to Windows, Mac OS X and Linux desktop users alike, and it doesn’t matter which web browser you use. Invisible layers are part of the web specification and can’t be undone. To make matters worse, some websites have started to use invisible buttons to make fancier user interfaces.
Luckily, there is a fix. If you use Firefox with the NoScript add-on, you are automatically protected against clickjacking. You can give permission to a website to allow clickjacking if you think it is part of their user interface, or just pass on it, and don’t use that particular part of the user interface.
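NoScript defends the visitor; the complementary defense belongs to the site being framed, which the post does not cover. As an added example (not from the post or from NoScript), here is a Python check that classifies a response's framing policy from its `X-Frame-Options` and `Content-Security-Policy` `frame-ancestors` headers, so a site owner can verify that a login page cannot be overlaid with invisible buttons from someone else's page. The sample responses are constructed, not captured from any real site.

```python
def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None
    when the policy does not contain that directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Classify how a response restricts being embedded in a frame.

    headers: dict with lowercase header names.
    Returns 'blocked', 'same-origin', 'restricted' (an explicit allow
    list) or 'none' (anyone may frame the page, so clickjacking is possible).
    A CSP frame-ancestors directive wins over X-Frame-Options when both exist,
    which is how current browsers resolve the two.
    """
    csp = headers.get("content-security-policy")
    if csp:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"


# Constructed sample responses for the check; names and hosts are made up.
SAMPLES = {
    "bank-login": {"content-security-policy":
                   "default-src 'self'; frame-ancestors 'none'"},
    "legacy-app": {"x-frame-options": "SAMEORIGIN"},
    "widget": {"content-security-policy":
               "frame-ancestors 'self' https://partner.example"},
    "blog": {"content-type": "text/html"},
}


def report(samples=SAMPLES):
    """Map each sample response to its framing policy classification."""
    return {name: framing_policy(h) for name, h in samples.items()}
```

Any page that returns 'none' here (such as the plain blog sample) can be loaded inside a transparent frame by another site, which is exactly the condition clickjacking relies on.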
However, NoScript opens another can of worms. It means you have to become security aware, which means you have to know a little bit about the dangers of the Internet, and put some effort into keeping abreast of the latest tricks of the bad guys. Most people I know are not willing to do that. They are proud they know how to operate the web browser and the various websites they visit. That is as far as they are prepared to go with this brand new technology. Any further and they fear becoming just as geeky as I am.
So, here is my advice to people who want to practice safe computing:
- keep your operating system updated, turn on automatic updates
- don’t open e-mail attachments and don’t click on links in e-mails
- don’t use peer-to-peer services like Limewire and don’t visit shady websites (you know which websites I mean)
- be skeptical about what comes from the Web; if something sounds too good to be true, it probably is; it is called “social engineering”, trying to trick people into clicking on links and visiting websites they really shouldn’t
That is all.
Oops, that wasn’t all, because you need to remember to:
- back up your data, both on an external hard disk and at a separate location (off-site)
- test your backups, to see if your data can be restored in case you need to
Now that is all!