Yes, I realize that’s an ambitious title for a blog post about staying secure online, but there are a handful of basic security principles that — if followed religiously — can blunt the majority of malicious threats out there today.
Krebs’s Number One Rule for Staying Safe Online: “If you didn’t go looking for it, don’t install it!” A great many online threats rely on tricking the user into taking some action — whether it be clicking an email link or attachment, or installing a custom browser plugin or application. Typically, these attacks take the form of scareware pop-ups that try to frighten people into installing a security scanner; other popular scams direct you to a video but then complain that you need to install a special “codec,” video player or app to view the content. Only install software or browser add-ons if you went looking for them in the first place. And before you install anything, it’s a good idea to grab the software directly from the source. Sites like Majorgeeks.com and Download.com claim to screen programs that they offer for download, but just as you wouldn’t buy a product online without doing some basic research about its quality and performance, take a few minutes to search for and read comments and reviews left by other users of that software to make sure you’re not signing up for more than you bargained. Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank or some other site that holds your personal information. Instead, visit these sites using a Web browser bookmark.
Krebs’s Rule #2 for Staying Safe Online: “If you installed it, update it.” Yes, keeping the operating system current with the latest patches is important, but maintaining a secure computer also requires care and feeding for the applications that run on top of the operating system. Bad guys are constantly attacking flaws in widely-installed software products, such as Java, Adobe PDF Reader, Flash and QuickTime. The vendors that make these products ship updates to fix security bugs several times a year, so it’s important to update to the latest versions of these products as soon as possible. Some of these products may alert users to new updates, but these notices often come days or weeks after patches are released. I try to help readers stay on top of these fixes by posting alerts for the major packages, but even I can’t keep up with them all. A wonderful resource for anyone feeling update fatigue is Secunia’s Personal Software Inspector, a free tool that periodically scans for and alerts users to outdated security software. The latest version of the PSI also can be set to update such products automatically. FileHippo also has a nice, free update checker, available here (requires Microsoft .NET).
Krebs’s Rule #3 for Staying Safe Online: “If you no longer need it, remove it.” Clutter is the nemesis of a speedy computer. Unfortunately, many computer makers ship machines with gobs of bloatware that most customers never use even once. On top of the direct-from-manufacturer junk software, the average user tends to install dozens of programs and add-ons over the course of months and years. In the aggregate, these items can take their toll on the performance of your computer. Many programs add themselves to the list of items that start up whenever the computer is rebooted, which can make restarting the computer a bit like watching paint dry. And remember, the more programs you have installed, the more time you have to spend keeping them up-to-date with the latest security patches. For example, Java is a powerful program and Web browser plugin that most people have on their machines but seldom use (the bulky program also adds itself to the startup menu in Windows every time you update it). Meanwhile, attackers are constantly targeting systems with outdated versions of this software. If you don’t need Java, uninstall it. You can always reinstall it if you find it is needed for some Web site or third-party application. If you can’t bring yourself to completely remove Java or if you have desktop programs that require it, consider unhooking it from the browser by disabling the Java add-on in whatever browser you use.