Yes, I realize that’s an ambitious title for a blog post about staying secure online, but there are a handful of basic security principles that — if followed religiously — can blunt the majority of malicious threats out there today.
Krebs’s Number One Rule for Staying Safe Online: “If you didn’t go looking for it, don’t install it!” A great many online threats rely on tricking the user into taking some action, whether it be clicking an email link or attachment, or installing a custom browser plugin or application. Typically, these attacks take the form of scareware pop-ups that try to frighten people into installing a security scanner; other popular scams direct you to a video but then complain that you need to install a special “codec,” video player or app to view the content. Only install software or browser add-ons if you went looking for them in the first place. And before you install anything, it’s a good idea to grab the software directly from the source, rather than from a third-party download site. Sites like Majorgeeks.com and Download.com claim to screen the programs they offer for download, but just as you wouldn’t buy a product online without doing some basic research about its quality and performance, take a few minutes to search for and read comments and reviews left by other users of that software to make sure you’re not signing up for more than you bargained for. Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank or some other site that holds your personal information. Instead, visit these sites using a Web browser bookmark.
Krebs’s Rule #2 for Staying Safe Online: “If you installed it, update it.” Yes, keeping the operating system current with the latest patches is important, but maintaining a secure computer also requires care and feeding for the applications that run on top of the operating system. Bad guys are constantly attacking flaws in widely-installed software products, such as Java, Adobe PDF Reader, and Flash. The vendors that make these products ship updates to fix security bugs several times a year, so it’s important to update to the latest versions of these products as soon as possible. Some of these products may alert users to new updates, but these notices often come days or weeks after patches are released.
Krebs’s Rule #3 for Staying Safe Online: “If you no longer need it, remove it.” Clutter is the nemesis of a speedy computer. Unfortunately, many computer makers ship machines with gobs of bloatware that most customers never use even once. On top of the direct-from-manufacturer junk software, the average user tends to install dozens of programs and add-ons over the course of months and years. In the aggregate, these items can take their toll on the performance of your computer. Many programs add themselves to the list of items that start up whenever the computer is rebooted, which can make restarting the computer a bit like watching paint dry. And remember, the more programs you have installed, the more time you have to spend keeping them up-to-date with the latest security patches.
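One concrete check that goes with Rule #1, as an added example (this is example code written for this page, not something from the original post): once you have fetched an installer from the vendor’s own site, compare its SHA-256 digest with the one the vendor publishes before you run it. The script assumes the vendor publishes a sha256sum-style list (“<hex digest>  <filename>”, the usual SHA256SUMS format); the installer bytes, the checksum file and the file names in demo() are constructed stand-ins.

```python
"""Check a downloaded installer against the digest its vendor publishes.

Example code added to this page, not part of the original post. The vendor's
checksum list is assumed to be in sha256sum format ("<hex digest>  <filename>").
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_file(text):
    """Map file name -> lowercase hex digest from sha256sum-style lines.

    Blank lines, comments and malformed lines are skipped; a leading '*' on the
    file name (sha256sum's binary-mode marker) is dropped.
    """
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX_DIGITS:
            digests[name] = digest
    return digests


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """Return (ok, reason). ok is True only when the file's digest matches.

    A file that is not listed at all is treated as a failure: with no published
    digest to compare against, nothing has been verified.
    """
    expected = parse_checksum_file(checksum_text)
    name = Path(path).name
    if name not in expected:
        return False, f"{name}: no published digest for this file name"
    actual = sha256_of_file(path)
    # compare_digest avoids a timing side channel; cheap insurance here.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"{name}: digest mismatch (expected {expected[name]}, got {actual})"
    return True, f"{name}: digest matches"


def demo():
    """Run the check on three constructed files in a temporary directory.

    The 'published' digest is computed from the genuine bytes to stand in for
    the value you would copy from the vendor's download page; in real use it
    must come from the vendor, never from the file you are checking.
    """
    genuine = b"MZ this stands in for a real installer\n"        # constructed
    tampered = genuine + b"extra bytes added after download\n"  # constructed
    published = hashlib.sha256(genuine).hexdigest()
    checksum_text = f"# SHA256SUMS (constructed for the demo)\n{published}  *setup-1.0.exe\n"

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, fname, data in (("genuine", "setup-1.0.exe", genuine),
                                   ("tampered", "setup-1.0.exe", tampered),
                                   ("unlisted", "setup-1.1.exe", genuine)):
            path = os.path.join(tmp, fname)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, checksum_text)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The comparison is only as good as where the published digest came from: copy it from the vendor’s page over HTTPS (or check a signature on the checksum file), not from the same mirror that served the installer.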
Bravo Bravo!! 🙂 Good Work Krebs
I like the three rules–but I would have thought one preceded these: create and use a “limited” or “standard” user account for internet browsing. Has the UAC in Windows 7 rendered this one obsolete?
I debated whether to include a bit on the standard user/non-admin advice, and it certainly is solid advice. I wanted to keep it relatively simple, and have each of these three follow from one another.
Per your question, I think that at least as it relates to UAC, if one follows Rule #1, then the UAC should be allowed to do its job (i.e., “Are you sure you want to install this program?”, “Well, no, I didn’t ask to install any program!”)
I agree with keeping it very simple, Brian. Most of the general users I talk to about staying safe would not have the slightest idea what I meant by using limited accounts, but those rules you listed they can understand. And the new malware MacDefender on the Mac can be avoided with your rule #1.
I second the comment by Dennis. I’ve always run as limited user. It took a little tweaking for some programs on Windows XP but with Windows 7 there is no longer any excuse not to run as a limited user.
Agreed that there is no excuse for not avoiding admin accounts, except for the fact that Windows *still* creates an admin account *by default* upon installation. There is also no excuse that this remains true this far down the road. This is not the case with competing desktop operating systems like Mac and Ubuntu.
I’m not sure I get your point, Bob. When you install Windows, you get an Administrator account created automatically, just as on Linux and Mac OS X a “root” account is created automatically. The only real difference is the name. The default account created when you install Windows, OS X, or Linux has access to administrator permissions. On Windows, that access is controlled through UAC. On OS X, it’s through the administrator prompt. If I’m remembering right, it’s the same thing on Linux as OS X (or similar in appearance).
Maybe I am missing some subtlety of your point, but there needs to be an administrator account (regardless of the name you call it) on a system. You don’t have to (and shouldn’t) use it for routine daily tasks, but you kind of need it if you want to install software, change system settings, etc.
Every desktop OS I’ve ever used creates some kind of administrator account by default, and with good reason.
My point is that nothing tells the average user activating / installing Windows to create a separate non-admin account for everyday usage. On both OS X and Ubuntu, the average user defaults to using a non-admin account. (The ‘root’ account on Ubuntu is disabled by default. You can’t log in as root. AFAIK, Mac OS X is similar.) I suspect that the vast majority of Windows 7 users are running in the default admin account that is created upon installation/activation.
Do you have any reason to believe that the majority of Windows users are NOT running under admin accounts?
The “administrator” account is disabled by default on Windows 7. When you install the O/S, it asks you to make a username/account (NOT “administrator”).
> CW
> When you install the O/S, it asks you to make a username/account (NOT “administrator”).
That default Windows 7 username/account you create is of type ‘Administrator’ not ‘Standard User’.
So I repeat, by default Windows 7 does NOT put you into the recommended account type. And since nothing, by default, tells you to create a ‘Standard User’ account, most of the world is running under an Administrator (type) account.
Great and Exactly: “If you didn’t go looking for it, don’t install it!”
I know people who have installed many useless things and when I ask “Do you need all this stuff?” they answer me “I don’t know, someone on FB told me to download it and I did.”
This is the “social” trick used by many hackers to create a network of zombie computers, and sadly people should really pay attention when downloading something, asking, as you said, “do I need it?”.
But think about it: Is it free? “Ah! It’s free, I don’t know if I will ever use a VPN client but hey, it’s free, maybe one day I will use it.” A friend of mine personally told me: “No, I don’t need all these applications, but when my friends come and see how many applications I have they say Wow!”
An “all-you-can-eat” buffet, hard to say no... right? But guess what... who is going to keep tons of applications updated?
Your post gives the answer. I am going to re-tweet this.
My problem with users is getting them to understand that they have to be looking for it first!
Plenty of them understand not installing things without wanting to install them. But it seems like when they get the prompt to update their codec, that qualifies as a “New thing, now I’m looking for it.”
I had one tell me that he was trying to keep his system up to date when he got those prompts. I couldn’t get him to understand the difference between downloading program updates from a manufacturer and just downloading “codecs” from any other source.
You forgot one thing, the majority of folk out there panic and click like mad if a pop up occurs, “Winfix” is a prime example! Facebook is the main culprit, all those horrible apps kicking around, but yes your 1,2,3 basic rules are great advice for the novices!
Well done sir. I think something like this should be required reading before you’re allowed to operate a machine!
On Slashdot.org today, they had a question about security on the smartphone. The answers were not satisfying. I would like to hear your words of wisdom in this arena. What are your rules of security for smartphones?
I’ll take a pass at providing some input in this area:
First thing, all three rules in the article above still apply. If you use your phone with the same caution you *should* be using with your computer, you’re off to a pretty good start.
The other tip I might give at this point is to choose your phone to minimize your exposure. Right now Android devices are looking to be the most susceptible to widespread abuse. They have a large install base, and a very open process for applications. In my opinion only, these factors are combining to make it the most attractive target for attackers.
At this point I would also look for a phone that is easy to update, and actually receives regular updates. iPhones aren’t a bad choice at the moment, in part because of their vetting process (walled garden) for apps. Take advantage of the encryption features available and ensure you have a password (not a PIN!) on the device if possible.
Otherwise good luck, smartphone security still looks like a mess to me overall.
Hi Mike. That’s a great idea for another post. For now, I’d say that these three rules apply to keep you out of most trouble, regardless of which OS or browser you’re running.
I assume you have already written, and can link us, to an earlier post about security needed BEFORE you connect to the Internet.
If you don’t have security against viruses, hackers, power surges, etc. then you won’t have a working PC for very long.
Allowing one’s computer to be unprotected, while connected to the internet, can be compared to owning a handgun and putting it out on your doorstep every night, in case a passing robber might be in need of one.
Another one I tell people all the time is to keep your computer use professional. Take your computer seriously!
If you’re going to mess around on the internet, use any file sharing programs, use pirated software, look at adult materials, look at funny internet videos and websites, you should do that on a separate computer that you don’t mind reinstalling, or bringing into the shop to get serviced every month or two. If you can’t afford that, or can’t afford a second computer, then don’t take the risks.
There are true, substantial costs to goofing off on your computer. Be ready to pay them. If you mix business and pleasure on the same computer, you run a very high risk of making your business a part of that cost.
I guess I should clarify a bit – by “business” I mean important things related to your real life activities, but excluding most socializing. This usually would mean email, managing any website you own, work-related activities, homework, school-related activities, communicating with a small circle of professional or educational associates, etc. Basically anything that would impact your life if they got hijacked, destroyed, or lost.
Although some people form the damndest associations with their facebook gardens…. sigh.
I think you nailed this. If “four” were as magic a number as “three”, then I’d add 1 more thing.
4. Automatic, reverse-incremental, validated, daily backups.
If you have 30 days of system backups, perhaps a user could recall *about when* all the funny things started happening and restore from a backup before that time. Obviously, the flaw with this method is the user needs to recognize “something funny” before the older backups roll off storage.
Some friends have recently been hacked by clicking attachments in emails from friends’ hacked webmail accounts. They knew it immediately, but it was already too late. Most of them have gotten backup religion now, but it sure would have been helpful if they’d gotten that religion **before** the click.
Recommended addition: DNS Security suggestions
OpenDNS, Google DNS, etc.
Keep it simple is great. Be prepared to go deeper. Some will ask questions, great questions too! Others won’t. Those who don’t will still need help. Those who do will ask more. I charge more of the ones who don’t ask.
Very nice. Basic as in “easy to follow” and basic as in “requires no computer knowledge”. Plenty of people who use Windows every day would balk at creating a new user.
Brian.. ya NAILED it bud.
Thanks for all you do.
KRFSSO #3 corollary: “If you don’t need it right now, disable it”
I apply this rule by disabling all Firefox add-ons (extensions and plugins) when I’m not actively using them.
I took the time to remove items from the startup menu upon first buying my laptop, but didn’t realize that installed programs can automatically place themselves in startup. After reading this I took a look and was surprised to see all the garbage in the startup programs. I removed the unnecessary items and it made a huge difference in boot time. Thanks. Occasionally while surfing the internet on a seemingly safe site I will be redirected to a page for a recommended computer scan and the appearance of a task bar. I immediately close the window and download nothing; could that still cause problems?
I think “If you didn’t go looking for it, don’t install it!” should actually be :
“If you didn’t go looking for it, avoid it!”
Since many attacks do not seem like an install. They just require a click or interaction.
It’s a nice list with good recommendations, but I don’t think it’s enough. I’ve found that many users understand some of these common-sense principles for staying safe but the details trip them up. It’s like the second they face an unusual technical situation, their minds freeze and start doing dumb things. So, I give them general advice like you outlined and specific warnings.
One thing that should probably be added specifically is not opening attachments or following links in emails, especially emails with friends’ names and only links in their body.
Another warning I give is to never download pirated software. There’s currently a Mac botnet out there that was created by trojaned, pirated Mac titles. I also advise AV scanning any movies, music or pictures people download. Finally, I recommend a HIPS like DefenseWall, Comodo Security+ or AppGuard because they can nullify many zero days.
The three rules are a nice start. The average user needs just a little more advice to be safe from there.
A good point about the email. If I were to add a 4th rule, it would be your suggestion about email. I recently had 2 people, not techies, ask me to look at a strange email they got from a friend. Sure enough it was a bot on their friend’s computer and they were smart enough to not click on the link. I also got an email from a friend which was obviously from a bot on their computer. The most obvious thing I tell people to look for is an email with a link that appears to be sent to everyone in the sender’s address book and it is not the type of email usually sent by their friend.
I also tell them if they are suspicious of an email to google the subject of the email. Phishing email subjects lines will often have already been reported.
Yes, I thought an advisory about email messages should be included. Even normally Internet-savvy people can be hoodwinked by phishing email messages.
@Heron, that advice is included in #1:
“Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank or some other site that holds your personal information. Instead, visit these sites using a Web browser bookmark.”
… or have a look at the links:
For example, you receive an email that claims to be from Twitter and they ask you to click a link; let’s inspect it a bit:
If it’s something like http://twitter.com/!/yogem – you can see that the link is genuine, but:
http://twitter.freehosting.com/!/yogem – you can see that the link is NOT genuine at all – can you imagine Twitter running on a free hosting service? O_o
Luckily, there are mail clients like Thunderbird and webmails like Gmail that WARN users about bogus links, usually saying something like “This email is a fake” (Thunderbird in Italian: “Questa email potrebbe essere una frode”, i.e. “This email could be a fraud”).
If we CLICK without knowing what we are going to click, if we don’t have a look at URLs that are strange (again, will you trust twitter.freehost.com?), well, maybe we are really going to be part of this game, but if we start trying to understand what we are going to visit I am sure that this kind of threat is going to slowly disappear or become just a minor problem.
I just want to answer regarding movies, music and pictures: you should scan archived files that are claimed to include movies, music and pictures! A .mov file cannot include scripts, a .jpg/.png/.gif (and so on) cannot include scripts, an .mp3 file cannot include scripts, but after you extract an archive you don’t know what is going to be inside: be suspicious of self-extracting archives, be suspicious of images with an extension that ends in .exe/.bat/.com (in the Windows case); .exe files can also have icons that resemble a picture. On a Mac, if you try to open an image that is in reality an application, the system will warn you, asking whether to run it or not.
But again, a well studied phishing/hacking attack can convince people to do stupid things so again:
1) “If you didn’t go looking for it, don’t install it!”
2) “Great, you installed it and it’s safe!? Now, update it.”
3) “Don’t need it anymore? Remove it!”
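The link inspection this comment walks through, as an added example (example code written for this page, not the commenter’s own): pull every http(s) link out of a message, work out the host the browser would really connect to, and check it against the domain the message claims to be from. The sample message, the brand domain “twitter.com” and the file names are constructed for the demo; the last function is the double-extension check (photo.jpg.exe) from the same comment.

```python
"""Inspect the links in a message that claims to come from a known site.

Example code added to this page, not part of the original comment. The brand
domain ("twitter.com") and SAMPLE_MAIL are assumptions made for the demo; the
message text is constructed, not a real phishing mail.
"""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Extensions Windows (or macOS, for .app) will execute on double-click.
EXECUTABLE_EXTENSIONS = {"exe", "bat", "com", "cmd", "scr", "pif", "vbs", "js", "msi", "app"}
# Extensions that make a name look like harmless content.
CONTENT_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mov", "mp3", "mp4", "avi", "pdf", "doc", "txt"}


def link_host(url):
    """Return the host the browser will actually connect to, lowercased.

    urlparse().hostname strips 'user:pass@' and the port, so
    'http://twitter.com@198.51.100.7/' yields '198.51.100.7', not 'twitter.com'.
    """
    return (urlparse(url.strip()).hostname or "").lower()


def host_belongs_to(host, brand_domain):
    """True if host is brand_domain itself or a subdomain of it.

    A substring test would accept 'twitter.com.example.net'; requiring an exact
    match or a '.brand' suffix does not.
    """
    brand = brand_domain.lower()
    return host == brand or host.endswith("." + brand)


def inspect_link(url, brand_domain):
    """Return (genuine, reasons). genuine is True only when nothing looks off."""
    reasons = []
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        reasons.append("no host in link")
        return False, reasons
    if parts.username is not None:
        reasons.append(f"'{parts.username}@' in front of the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label in host; check for look-alike letters")
    if not host_belongs_to(host, brand_domain):
        reasons.append(f"host {host!r} is not {brand_domain!r} or a subdomain of it")
    return not reasons, reasons


def inspect_message(text, brand_domain):
    """Run inspect_link over every http(s) link found in a message body."""
    return [(url,) + inspect_link(url, brand_domain) for url in URL_RE.findall(text)]


def disguised_executable(filename):
    """True for names like 'photo.jpg.exe': a content extension hiding an executable one."""
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    return len(parts) == 3 and parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in CONTENT_EXTENSIONS


# Constructed sample, modelled on the kind of mail the comment describes.
SAMPLE_MAIL = """\
Subject: You have 3 new direct messages

View them here: http://twitter.com/!/yogem
Or log in at http://twitter.freehosting.com/!/yogem to reset your password.
Secure login: http://twitter.com@198.51.100.7/login
"""


if __name__ == "__main__":
    for url, genuine, reasons in inspect_message(SAMPLE_MAIL, "twitter.com"):
        print(f"{'OK  ' if genuine else 'WARN'} {url}")
        for r in reasons:
            print(f"       - {r}")
    for name in ("vacation.jpg.exe", "vacation.jpg", "setup.exe"):
        print(f"{name}: {'disguised executable' if disguised_executable(name) else 'name looks consistent'}")
```

The host check deliberately treats anything that is not the brand domain or one of its subdomains as suspect, so a legitimate link through a third-party redirector will also be flagged; that is the right default for a message you did not ask for.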
Brilliant – exactly what is needed for naive users. Thanks.
Two points: firstly, a reminder that PSI is for personal use only – use in a commercial environment is strictly prohibited by the licence; secondly, PSI uses Java (on Firefox anyway) so do not uninstall Java if you wish to use PSI.
Peter,
Thanks for the kind words. Just FYI: PSI does *not* require Java. That’s only if you want to run their Online Software Inspector.
Oops! Yes, of course you are right – I was thinking of the online version (hence the reference to Firefox). Sorry…
“If you didn’t go looking for it, don’t install it!”
I agree. But you should still screen your files or installers even if you got them from a very reputable download repository, such as Download.com.
I used to be a software reviewer and I’ve downloaded thousands of files from Download.com. 20% of all my downloads are either corrupted or infected with viruses (even if the website certified that the software is spam, malware, or virus-free).
How do I know? I use a crowdsource antivirus system, like VirusTotal.
Not to be rude, but doesn’t that define the term disreputable; how is that acceptable? 1 in 5 downloads will infect your computer?
I always try to go to the software website or something like sourceforge. As far as I know I have never had one infected file due to application installs.
The fact that 1 in 5 downloads “may” infect your computer is true; the problem is the average usage of a computer, I mean: who operates the computer and how?
If you are searching for porn, games, nulled software you can also have 5 in 5 downloads infected.
Obviously if you search for open source applications, like on SourceForge, or applications that are reputable, and install just the applications you really know and trust... well, you are a particular “part” of the audience and I am sure that, like me, you are going to have 5 in 5 downloads NOT infected and not a threat at all.
Let’s imagine these 3 rules are just for newbies and/or for people that can be potentially “tricked” by suspicious ads all over the internet.
I was referring to the original post which stated that the download.com was reputable AND 1 in 5 apps are infected. Something’s wrong there.
I don’t think I’m very advanced. When I see an interesting program I go to the developer’s site out of curiosity. If I’m interested that’s where I’ll download it from.
Oh… ok, sorry!
Regarding Download.com... it’s not a reliable source! Many applications link to websites that are not available anymore, and someone with bad intentions can decide to do something like this:
Search for a popular application with a non-working link, check if the domain is expired, if yes buy it, compile a malware, create a download with the same name in the same location as specified on Download.com and ta-da! You have a new malware spreading in town...
So the best source is, as you stated: developer website.
I’ve always found one rule that trumps them all and provides the best protection:
Learn critical thinking skills and utilize them in all that you do, to the point it’s a habit you don’t even realize you’re doing.
This allows you to stop and think about things before acting, analyze and observe what is before you and question assumptions, then make appropriate decisions that keep your safety in check.
I’ve noticed for years now that many, many people fail at a basic level to do this and they subsequently suffer the consequences. Yet, in the end, instead of looking at how their own actions or inactions contributed to the problem, they point fingers elsewhere (the victim mentality).
I think if you’re actually successful at accomplishing this with users who have had technology thrust upon them, you may be in the wrong profession.
“technology thrust upon them”
To me, that sounds like an excuse. Granted learning new things can be difficult. I’ve found it so as I’m getting older. But, there is no excuse for not taking the effort to learn something, at least enough to make it benefit you, instead of the opposite. I don’t know a whole lot about a great many things. But, I take the time and effort to ask questions, make observations, and learn about those things that may have an impact on my life so I can then take appropriate steps to protect myself. I’m not a car mechanic, electrician, plumber, etc. But, I’ve learned enough about these things to understand their inherent dangers and how best to avoid them, while at the same time I have the ability to do some of my own repairs on such systems and know when it’s time to call in the professional. Is it so difficult for the average person to do the same in learning how best to operate a computer? Are computers really that scary? Are people just that lazy or stupid? We shouldn’t have to beat these security rules into people’s heads over and over time and again! At what point do people stand up and take some responsibility for their own actions?
@xAdmin
When I got my first computer I had to put it together myself. This was before the IBM PC or the Apple I or the Radio Shack Model I. I was just fascinated by computing. Not everyone is like me. Not everyone is like you.
Many smart people are not fascinated by computing but are very talented and use “critical thinking” in other fields.
Today, the computer has become almost a necessity. Everyone wants your email address. When you need information on something they will give you a web address, or they will tell you to ‘google’ it. Technology WAS thrust upon them. Instead of being just a tool to help them with their other work it has become a major task all on its own.
The rapidly changing technology in the computer field is not the same as the automobile or plumbing. If it was we wouldn’t even need this blog. We don’t have constant critical upgrades to apply to the layout of the dashboard, the transmission, the clutch, etc. to the car we just bought last year. We don’t have monthly patches to apply to keep our car or our water safe and keep hackers out.
Maybe many of the people you have dealt with use it as an excuse, but I would be hesitant to label all people who have trouble dealing with computers/software as lazy or stupid.
@xAdmin, I need to agree with Aminof because yes, maybe the computer now is a fundamental tool, something we cannot do without; if you have a look... computers surround us.
Dual-core mobile phones, computers in our cars, computers inside TVs (or computers disguised as TVs) and so on, but labeling people as lazy and stupid is too much.
I remember when I was a kid, I was already dealing with backdoors on Windows 95 while my dad was asking me for help using the videotape recorder; he was not able to switch from TV to AUX, and one day he also recorded over a show I was supposed to watch, but no one ever said “The old generation is stupid because it cannot use a videotape player well”.
Now, after 20 years, our parents are the same; they call us just to know why there’s no internet, why there’s no audio, why they got a virus... but they are not stupid or lazy.
I know how to deal with these things, as do many of the followers of this blog... because we are into tech, because we love this kind of topic, because! And we live our life...
Others have a normal life too; maybe some are doctors dealing with cancer every day but totally ignorant about computers. They still save people while we save computers. So, are you sure they are lazy or stupid? I don’t think a doctor will point his finger at you saying “stupid or lazy” because you are not able to cure a patient with terminal cancer!
I should’ve avoided referring to people as lazy or stupid, as that has obviously detracted from my main point(s). For example, let’s take the latest Mac malware issue.
Mac malware spreads via Facebook links
http://nakedsecurity.sophos.com/2011/05/31/imf-boss-rape-video-mac-facebook-users-hit-by-a-sick-scareware-attack/
Now think about all the steps that are needed here and how critical thinking or lack thereof comes into play on a multitude of levels:
1. You’re on Facebook. That in and of itself has all kinds of implications. Just kidding 😉
2. You see a comment from a friend on your wall linking to a seemingly seedy video. Did they mean to post this? Is this really from your friend? Do you hover the mouse over the link to see where it goes or just click on it?
3. You couldn’t resist and clicked the link and now you’re on some website that pops up security warnings that your computer is infected. Do you take that at face value and proceed as directed?
4. You decide to proceed (you really want to see that video) and are prompted to step through the installation process. If prompted for your credentials, do you provide them? Do you continue and finish the installation?
5. The installation is complete and now you are prompted to enter your credit card information to “clean” your system? Do you enter that information?
6. You’ve entered your credit card information and still cannot see the video. Do you realize the implications now? Do you know how to remove the malware? Do you contact your credit card company?
Ugh! What a mess! Now, if you were skilled in using critical thinking, you would’ve never even completed number 2! Or had to rely on Krebs Number One Rule! 🙂
I think the 3 basic rules listed here give a non-technical user the basic questions to ask themselves which is what you’re actually saying the user should be doing. Whether you would consider this “critical thinking” or not, I don’t know, but it appears to me that the rules are more specific as to how the user should get started in identifying possible dangerous actions.
Good article. Keeping it simple is always a good thing. But what about the latest Facebook likejacking scam. That is, how do I know it wouldn’t happen to me when I clicked on YOUR link from Facebook? (Rhetorical question)
Below is the link that describes the problem. Conversely, do you trust a link from a stranger? (Rhetorical Question)
http://nakedsecurity.sophos.com/2011/05/27/baby-born-amazing-effect-no-another-facebook-likejacking-scam/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
“[D]o you trust a link from a stranger?”
No, Gigi, not even those in your post! Brian has us well trained.
@JBV Yes, I can understand your not wanting to click. I am a stranger. But with Facebook, people are all too trusting because they perceive a friend’s link as being “safe”. That is precisely how this “likejacking” thing seems to spread. It is like a vicious combination of phishing and viruses. Social media is being infiltrated the same way email was say 7 years ago. I am hoping that Brian, the expert, can confirm the validity of what I am posting.
I think it’s important to keep a perspective on this stuff. Likejacking is usually done when one is actually ON Facebook. Also, in the few times I’ve purposefully tried to click on a likejacking link, NoScript has blocked the attack or warned that something was seriously fishy. In fact, I think the last time I tried to click a likejacking link I ended up having to disable the add-on and restart Firefox before I could even get the dang clickjacking thing to load. It appears to be pretty handy in this regard.
I’m probably not the best person to ask about Facebook, because I don’t really use it that much (mostly I find it to be a time-suck). I spend far more time on Twitter. But I make the Facebook link available on my site for people who prefer to follow my blog that way.
Thanks for responding. Yes, likejacking is specific to Facebook. I am just concerned because I see mobile devices and social media being infiltrated in much the same way as websites and email have been. Anyway, as a security expert, perhaps you know my husband, David Glosser? He runs a free site: DNS-BH – Malware Domain Blocklist – Malware Prevention through Domain Blocking. (Just Google Malware Domains, and his site comes up #1 organically.) All the best, Gigi
BTW, xAdmin has a link to the same site I am linking to. He is describing “Mac malware spreads via Facebook links”, which is similar to what I am writing about…
I’d like to throw my 2 cents in...
Far too many people think there is just one OS, Microsoft. Here is an idea. Run something other than that...
My computer shop depends on MS getting hit but I run Linux (Mandriva 2008.1) and have yet to be hit. Mac and Linux don’t get the bugs like Microsoft does 🙂