10 Basic Online Security Rules

These are measures which every Windows user should apply.

Like Netiquette, this page exists so I don't have to keep sending the same advice to my friends. Although this is aimed at Windows users much of it also applies to other net users. I'm no guru, so if you are one and know better, please let me know :o)

  1. Keep your patches up-to-date
  2. Keeping your virus scanner up-to-date
  3. Be cautious of attachments
  4. Install a Personal Firewall
  5. Some essential system settings
  6. Test your defences
  7. Spyware detection and removal
  8. Other security issues
  9. Don't trust Microsoft products
  10. Stay informed

1. Keep your patches up-to-date

Treating email attachments with suspicion used to be #1, but after the NIMDA worm the rules have changed.

Many programs, and particularly anything produced by Microsoft, are riddled with security holes when they are released. Effectively the public are used as the last step in testing a product (which is cheaper than rigorously testing in-house prior to release). Whenever a security issue comes to light, the software maker issues an update or a patch. By issuing the patch, they are also alerting the wrong-doers to the vulnerability of unpatched systems. The result is that today a pristine installation of, say Windows 98 and Internet Explorer 5 is unprotected from a number of known and well-publicised methods of attack.

One particularly alarming security hole in Internet Explorer allows Email attachments to be executed automatically. This has been exploited by a number of viruses, the most widespread and most damaging being the recent NIMDA worm. Had you received it, as millions did, on the day of its release (and therefore before any anti-virus programme could recognise it), caution about opening e-mail attachments and virus-protection would not have saved you if you hadn't installed the relevant patch. So keeping your patches up-to-date is now #1 on my list of essential security measures.

ACTIONS TO TAKE:

There is one essential and easy to use FREEWARE tool - Big Fix - which will check for available patches and scan your system to check which ones you need. Not only does BigFix check your update needs, but it can alert you to, and help you fix, some other potential problems on your system. But note that BigFix is not 100% reliable and should really be used in conjunction with (and not instead of) other measures.

As well as Microsoft's own Windows Update and (for Office users) Office Update services, which require ActiveX and even then sometimes don't work, you can download patch installation files directly (for archiving or network installation) from Microsoft Download Center: Windows (Security & Updates) and Microsoft Office 2002 Download Center.

Fortunately, you are not 100% dependent on M$ for your patches, since there exist several other web pages dedicated to listing updates and containing essential advice you won't hear from Microsoft, such as which updates cause more problems than they solve. The following links are liable to change, so if they don't work try searching Google

AXCEL216's FREE WinDOwS Software ESSENTIALS
ERPMan's Windows 2000 & XP System Updates Page
WSNine OS Updates

Finally....in December 2002 I was trying to find a source for downloading M$ updates without using WindowsUpdate, and came across these:

Overclockers guide to Updating Windows Without Windows Update
3DSpotlight TechSpot | OS Updates


  Back to top    Back to top

2. Keep your virus scanner up-to-date

Viruses have now become so widespread, and so sophisticated that avoiding coming into contact with them is now impossible. You may have your system patched and you may know not to open attachments, but does everyone else who uses your computer/network? In the slow old days, when running an anti-virus programme in the background noticeably affected the performance of your machine, the choice to turn automatic virus protection off was sometimes the only way to get any work done. But now it is just foolishness.

Most anti-virus software works by detecting viral 'signatures' - the bits of code which are unique to each virus. When scanning for known viruses they refer to a database of signature definitions. Since new viruses are released every day this database must be updated regularly. The most prevalent viruses tend to be recent releases which catch out users who think they are protected just because they are running anti-virus software but who haven't updated the signature definitions recently enough.

ACTIONS TO TAKE:

Get a good anti-virus programme and configure it to (at least) scan every file as it is created or downloaded.

Update your virus signatures regularly. You'll know if this is happening, because it generally means downloading and then running a file which will be at least 2.5 Mb. Generally it is recommended that you do this at least once a week, and certainly you should do it at least once a month, no matter how much you use the 'net. If you set up your protection to be always on, your antivirus program *should* remind you when your signatures need updating. If (as I recommend below) you subscribe to a virus alert newsletter, you might also choose to update your signatures when there is any outbreak of a rapidly spreading new virus.

For Norton Antivirus 2000 running under Windows 9x (and a few other Norton products) the signature files can be found at symantec.com.


  Back to top    Back to top

3. Be cautious of attachments

This used to be the first rule of email, and you should already know this. The vast majority of viruses arrive as attachments to emails. Most of them are harmless until they are opened - (UNLESS you are not diligent in keeping your patches up-to-date in which case you may be vulnerable to a flaw in Internet Explorer which allows Email attachments to be executed automatically; see Microsoft Security Bulletin (MS01-020) for details of this vulnerability).

Do not trust any attachment to be what it claims to be or the message it comes with claims it to be. All of the information in the header of the email, including the identity of the sender, can be forged (I once received a virus in a message which claimed to come from MYSELF!) and the true identity of the attached file may also be disguised (see Show file extensions below), so until you have scanned them and are sure they are safe it is best to treat ALL incoming attachments as suspicious.

Do not trust an email to be from who it says it's from. Most viruses spread by automatically (and invisibly) forwarding themselves to addresses they find in the address book or in messages stored in the inbox of an infected machine, so you CANNOT assume that just because a message (says it) comes from a friend it is innocent. Even 'innocent' files which you are expecting from known senders may be infected either by a virus residing unidentified in their machine or even (theoretically) en route.

So here are some golden rules:

ACTIONS TO TAKE:

1. NEVER OPEN ANY ATTACHMENTS without scanning them for viruses first.

2. NEVER OPEN ANY ATTACHMENTS unless you are expecting them, know who they're from and have scanned them for viruses first. If you are in doubt, do not open the attachment - contact the sender asking them to confirm what they have sent you (and why).

3. NEVER OPEN ANY ATTACHMENTS directly from within your email client. Always save attachments to disk first and then scan them before opening them. It is best not to assume that your virus scanner is set up to scan incoming email correctly. Doing it manually, so you can see that it is working, is the safest way.

4. Avoid opening .doc files in Word. Always use a file viewer or WordPad to read files with a .doc extension. If you want to keep the file, start up Word and then copy and paste the contents of the attachment from the viewer to a new .doc. (see also Sending (Word) .DOC attachments below).

5. Set up 2 filters to put all incoming mail with attachments and all suspected spam containing attachments into 2 separate folders. Doing so will not actually make you more secure, but it will be easier for you to remember to be extra cautious when dealing with any messages in those folders. (For details of how to create these filters see Spam fighting)


  Back to top    Back to top

4. Install a Personal Firewall

Very simply, a firewall comes between you and the net, monitoring what comes in and what goes out. By configuring your firewall to disallow all traffic except what you are aware of and have specifically permitted, you can protect yourself from both hostile intruders and information leaks. A firewall is such an essential part of your on-line security that I'm not going to go into any more detail... just GET ONE NOW!

ACTIONS TO TAKE:

Download and install a personal firewall such as Zonealarm or Agnitum Outpost. In tests these FREEWARE personal firewalls have proved more effective than some big name commercial ones.

Immediately after installing your firewall you may be frustrated to find you can no longer connect to the 'net - not using your browser, not using your email client - not with anything. This is good - it means the firewall is working exactly how it should. When any app tries to connect, you decide whether to allow it or block it. After a while all your regular programs will be allowed, and you will only be alerted when something new tries to connect.

More personal firewalls are discussed by Fred Langa at Secure Your PC Online, Part Two


  Back to top    Back to top

5. Check these essential system settings

5.a Show all file extensions in Windows Explorer

By default, Windows 9x hides certain file extensions. The result is you can't always tell what a file really is and may accidentally run a dangerous email attachment. For example, the 'love-bug' virus arrived as an email attachment named 'iloveyou.txt.vbs'. The '.vbs' part was hidden from many users who, believing it to be a harmless text file, opened it...

ACTIONS TO TAKE:

1. Open Windows Explorer.

2. Click Tools > Folder Options > View and under 'Files and Folders' make sure that 'Hide file extensions for known file types' is UNCHECKED.

3. While you're there you might also want to CHECK 'Show all files' under 'Hidden files'.

5.b Turn OFF your preview pane

It's an inconvenience but the bottom line is that virus-writers target the HTML parsers of email clients, and some exploits can cause code to be executed on some systems simply by viewing the message - i.e. without the attachment being opened.

5.c Check your network bindings

By default, Windows 9x machines are set up for connection to LAN (Local Area Network)s. The protocols for LAN use are less restrictive than those on the 'net, so it is important to separate the two by ensuring that the Internet protocal (TCP/IP) cannot be used to access things which should properly only be available on your LAN. OK so I don't really know what I'm talking about here, but check out the 'One Minute Primer in Networking Basics' on Fred Langa's article Four Myths of Online Security for a more technical explanation and then (if you're on a dial-up connection) follow these steps:

ACTIONS TO TAKE:

1. Make sure you have your Win9x installation CD available (as you may need it to complete these changes, particularly if you have a network card).

2. Open Control Panel > Network.

3. Double-click 'Dial-Up Adapter'. Double-click 'Bindings'. UNCHECK anything except TCP/IP. Click O.K.

4. Double-click 'TCP/IP -> Dial-Up Adapter'. Cancel the warning. Double-click 'Bindings'. If they are present UNCHECK 'Client for M$ Networks' and/or 'File and printer sharing for M$ networks'. If you get a warning 'TCP/IP is no longer bound to any drivers' select 'No'.

5. If you have any network cards, for each card click on the TCP/IP label and then follow the same procedure for TCP/IP -> Dial-Up Adapter (in the step immediately above).

6. If you are on a LAN and do want to share files and printers locally you need to set up a non-internet protocol - ISP/SPX or NetBEUI. Again, the procedure for this is described in Four Myths of Online Security.


  Back to top    Back to top

6. Test your defences.

Whenever you open a connection to the net you open many channels, and these openings (of which you may not be aware) can be used by hackers to get control of your machine.

ACTIONS TO TAKE:

1. Install a good personal firewall like the free Zonealarm or Agnitum Outpost (see above).

2. Test your system by visiting Shields Up, Steve Gibson's hugely informative (but rather poorly designed) site and do whatever he advises. While on the subject of testing sites you can check your system & net connection for speed and get optimisation recommendations from PcPitStop.


  Back to top    Back to top

7. Detect and remove SPYWARE

Many programs claim to be freeware, but without giving you any warning they install an invisible system for collecting information about your surfing habits and reporting it back to their base. These are known as 'spyware'. Usually these systems are used for targetted advertising, which may (arguably) be harmless but they have the potential for more sinister uses and there is no reason to tolerate their existence on your machine.

ACTIONS TO TAKE:

1. Get, install and periodically run Ad-aware and Spybot Search & Destroy.

2. To prevent reinfection by Aureate/Radiate - search for advert.dll on your system. If it's there and if you can, delete it (Ad-aware will do this for you). Then create an empty text file, name it advert.dll, make it read-only and save it in your Windows/System directory. Then configure Ad-aware (version 5 or later) to ignore advert.dll.


  Back to top    Back to top

8. Consider these other security issues

O.K. I haven't got round to finishing this article yet... here I intend to address myths and genuine security issues relating to Javascript, Cookies and ActiveX. The detail will have to wait, but here's a quick low-down:

Javascript itself is generally safe - although it can be a pain when pop-up windows explode all over your screen, or a badly written script paralyses your browser, or you get redirected to (usually) some porn site or ten. There are measures you can take to avoid these nuisances becoming damaging, but turning off Javascript would seriously reduce the net's functionality, so it's not a realistic option.

Cookies are not inherently dangerous, but they should be managed. The latest version of Internet Explorer includes some cookie management facilities or you can download a freeware/shareware application to do this.

ActiveX is another story completely. ActiveX is simply NOT safe. So where does that leave Flash? As far as I'm concerned - nowhere. Since ActiveX controls CAN be dangerous, and to view a page using Flash you have to say yes to ActiveX, but the dialogue does not tell you which ActiveX control it is asking permission for - I never view pages with Flash.

ACTIONS TO TAKE:

1. In Control Panel click 'Internet Options' (or in Internet Explorer click 'Tools > Internet Options'. Click the 'Security' tab, select the 'Internet Zone', click 'Custom Level' and make sure that under 'ActiveX controls and plugins' everything is marked either 'Prompt' or 'Disable'.

2. Install the freeware ScriptSentry to monitor the behaviour of Windows Scripting Host scripts, ShellScrap documents (hidden SHS/SHB extensions), HTA files, REG files, and more.


  Back to top    Back to top

9. Don't trust Microsoft products

I'm not saying that Microsoft itself is evil... far from it - the success of their products has been a major contribution to the growth of the wonderful worldwide web. But that success has also made them the prime target for creators of malware. And the fact is, while Microsoft's record for building and releasing secure systems and applications is risible, it's the vast numbers of users which attracts the vast numbers of analysts (both well and ill intentioned) who discover the vast numbers of security holes which have led to the release of the vast numbers of patches...

One might argue that security flaws also exist in other applications (and they have been found in all Microsoft's leading rivals - both Opera and Netscape browsers, Eudora email, and even the Mac and Linux OSs) but that these do not attract the publicity of, for example, a serious security hole being found in WindowsXP within a month of its release.

One might argue that older but still worthy Microsoft products (such as Windows98 and Internet Explorer 5) are actually safer than anything else around because they have now been thoroughly probed and tested in the real world and patches are available for all known security holes.

One might even be so cynical as to suggest Microsoft's 'Safe Computing' campaign is a smoke-screen for incompetence and mendaciousness on a scale unprecedented in the history of capitalist endeavour, and that since the American judicial system so comprehensively failed to punish their illegal past practices all their recent initiatives have been motivated by a desire not just to competely control the PC market but to also invade the privacy of its users for their own profit.

Or, put another way, in the light of the spyware contained in Internet Explorer 6, the whole user-unfriendly Product Activation thing and the threats contained in their latest EULA (you agree to M$ installing software which may disable parts of your system) one might become so suspicious of Micros**t's intentions as to consider the learning curve of Linux a fair price to pay for the security of escaping the evil empire.

One might... I couldn't possibly comment (or resist the lawsuit if I did).

So I'm really undecided and frankly I think there's no way of ever knowing for certain which version of which browser and email client is the safest... It's an ever-changing scene, in which the only constant is that you should not unquestioningly TRUST any software maker, but assume that all the software you have is flawed and the onus is on you to keep an eye out for updates and patches...

... and be very wary of the latest release from Microsoft. Love them or hate them, the bottom line is - biggest market equals biggest target.

 

  Back to top    Back to top

10. Stay informed

The net is ever-changing and so are the risks. Subscribing to just a handful of newsletters and bulletins can help you keep alert to the latest dangers.

ACTIONS TO TAKE:

1. Subscribe to Fred Langa's newsletter and receive twice weekly a highly informative roundup of net news. I subscribe to the 'Plus!' (paid for) edition, which at 7 p.a. is a bargain!

2. Subscribe to Microsoft Security Bulletins for the earliest notification of the discovery and fixes available for M$'s notoriously insecure software.

3. For advanced warning of live viruses, subscribe to Symantec AntiVirus Research Centre Newsletter / Trend Virus Info / McAfee Dispatch and Sophos Email notification.

4. Read the following articles:

Sophos Guidelines for safer computing

Four Myths of Online Security (and protocol settings)

Secure Your PC Online, Part Two (personal firewalls)

Secure Your PC Online, Part Three (a hardware firewall)

Secure Your PC Online, Part Four (other stuff)

{Printed from http://www.georgedillon.com/web/security.shtml on Tue, 21 Nov, 2017 @ 23:20:31}