Safety essentials: 10-step security revisited, 11 years later
Last week, my sister mentioned that the Chrome browser on her PC was acting funny – she wasn’t able to move, resize, or close one browser window that displayed some weird system-type message. She used Windows’ Task Manager to close Chrome completely, and then she used the free Malwarebytes program to scan for viruses.
The scan turned up 43 suspicious files. This even though my sister had an up-to-date antivirus program running that claimed to offer real-time scans for malware. Keep in mind, the best security programs catch only about 70 percent of viruses in the wild, according to an October 15, 2015, post on Quora by Symantec security researcher Robert Shaker.
The detection rate for zero-day exploits – viruses that target unpatched flaws in software – range from 20 percent to 68 percent, according to Wikipedia’s “zero-day” essay. That’s why you need one antivirus program for real-time protection, and another for conducting the occasional manual virus scan (there’s more on Windows’ built-in security below).
One more thing to keep in mind is that there are many ways your computer (or smart phone) could become infected with malware. Visiting an infected website or opening the wrong email remain the most common methods of spreading viruses, but mobile infections are on the upswing, according to research conducted by security firm Check Point Software. A McClatchy report on the research was posted on the Security InfoWatch blog on September 26, 2016.
Check Point also found that ransomware attacks rose 30 percent in August 2016, in large part because many businesses are choosing to pay the ransom when they’re victimized. Giving in to the criminals may be the most convenient approach in the short run, but doing so only tells the crooks that they’ve found a lucrative revenue stream.
Note that the FBI no longer recommends that people hit with ransomware pay the bad guys for the key that will decrypt their data, as ThreatPost’s Chris Brook reports in a September 16, 2016, article. Instead, simply wipe the affected machines and restore your data from your most recent backup.
Much better not to become a victim in the first place, eh?
A long-overdue update to 2005’s ‘10-step Security’
While I was helping my sister disinfect her computer, I was reminded of what is probably the single most popular article I ever wrote: 10-Step Security, which appeared in the November 2005 issue of PC World. Before I reread it, I thought the tips would still be relevant. Turns out, I wasn’t even half right, but that has more to do with today’s software being inherently more secure than the programs back in 2005. That goes triple for Windows.
Still, there remain many serious threats to our data. Fortunately, there are also several oh-so-easy actions we can take to protect our computers and devices, though most people simply aren’t doing them. If you’ve got 10 minutes to spare, you can increase considerably the chances that you will not be the malware purveyors’ next victim.
Always use a standard Windows account: This above all things for Windows users – even more important than automatic updates and real-time virus scanning (see below), which are also vitally important. When you’re signed into a standard account, Windows will prompt you to enter an administrator-account password each time you attempt to install a new program or make a system change. This reduces tremendously the chances that some rogue program will install itself and/or alter your settings.
Think about it: How often do you add a program or change a setting? A couple times a year, maybe? How long does it take to enter a password and press Enter? A couple of seconds? While you still could be social-engineered into installing a program that isn’t what you expect it to be, having this extra layer of security puts the odds against being hit by malware decidedly in your favor. For the record, I’ve been using standard Windows accounts for so long I don’t even think about it anymore.
To create a standard account in Windows 10, press the Windows key, type “user accounts,” and press Enter. Select “Manage another account,” then “Add a user account,” and step through the account-creation wizard. The new account is “standard” by default. If you’ve got more than one administrator account on the system, you can switch one to a standard account by selecting it in the “Change an account” window and choosing “Standard.”
Bonus tip #1: Did you know that Windows 10 has a “hidden” administrator account? This comes in handy for troubleshooting when your one-and-only administrator account gets fouled up. Instructions for accessing this hidden account are provided on Into Windows.
Set all your software to update automatically: There was a time not so long ago when the Windows experts recommended waiting before applying updates because the patches often caused more problems than they fixed. With the proliferation of zero-day exploits out there, it is more important to apply updates as quickly as possible. That’s the default setting for Windows and for most other programs, the noteworthy exception being Apple, which continues to prompt before updating iTunes, iCloud, and other apps. Since I don’t consider Apple programs essential, I don’t mind postponing updates until I’m good and ready to apply them.
I used to recommend the free Secunia Personal Software Inspector, but as Windows Secrets’ Tracey Capen points out (in an article that requires a paid subscription to access), the program was acquired by Flexera Software last year and hasn’t been updated since December 31, 2015. Aside from the irony of an out-of-date software-update program, Tracey points out that because nearly every program of note now automatically applies patches and such, there’s less need to do any manual update checks.
Always, always, always use antivirus software: Most people do not need to spend for a third-party security program for their Windows setup – Windows Defender and Windows Firewall, both of which are built into Windows 10, should provide all the protection they need. Combined with a standard Windows account, these tools will meet most people’s security requirements.
Beware of links in emails – still: Three of the 10 steps in the 2005 article related to email, and all three are out-of-date because email programs now build in the protections: attachments are scanned for viruses automatically, the preview pane is no longer displayed by default, and messages from addresses not in your contact list are opened without “active” content enabled until you indicate that you trust the sender. If your email program/service of choice isn’t set to do these three things, go into the app’s settings and look for options to do so. Just viewing infected emails is all that’s required for many malware payloads to do their dirty work.
Block the trackers: You probably know there’s a whole lot of tracking going on – on the web, in the real world, and everywhere in between. Web sites and services hate ad-blocking software because the programs cut into the companies’ revenue. However, web ads pose a serious security threat, not only because of the tracking and snooping they do, but also because they are a major source of malware delivery. InfoSecurity Magazine’s Terry Seal reports on a recent malvertising attack on Answers.com visitors.
You simply can’t trust web ads, so blocking them should be part of your online-security strategy. For many years I have recommended the free AdBlock Plus, and I continue to use the program despite the controversy surrounding the vendor’s acceptable-ads policy, which allows ads it has approved to be displayed. (The Guardian’s Olivia Solon reports on the matter in a September 13, 2016, article.) Other popular (and free) tracker-blockers are Ghostery and the Electronic Frontier Foundation’s Privacy Badger.
A relatively new ad-blocking option is the Brave browser, which I’ve been trying out for the past couple of weeks. There’s a lot to like about Brave, but I was surprised that the browser fails to block some pop-ups, and it lacks some of the convenience features of Firefox. Still, I think Brave is a step up from Google Chrome, a browser that is showing its age.
(I’m also a fan of the Opera browser, which recently added an automatic VPN option, as the Verge’s James Vincent reports in a September 21, 2016 article;. I’m testing this program too, and will write about it in a future Weekly.)
Bonus tip #2: If you’re one of the 500 million people whose Yahoo IDs and passwords were leaked back in 2014 (though we just found out about the breach last week), you might want to enter your ID at HaveIbeenpwned?, which will search its extensive database of leaked IDs to determine whether yours is one of them. When I checked my Yahoo ID, the site indicated it had been comprised not once, not twice, but four times. Yes, I changed my passwords.
You’re not finished quite yet
Okay, so maybe I exceeded my self-imposed 10-minute limit, but any time you spend preventing a malware attack and preparing for the inevitable loss of your personal information is a worthwhile investment.