Clock Cleaners

We'll clean your clock for a reasonable fee. (Also well versed in wagon repair)

Tuesday, September 9, 2008

How to stay safe on the dangerous internet

I get asked a lot of questions about viruses (virii?), malware, and computer security by friends, family, & co-workers. I like to try to keep my advice as simple as possible for people who don't really want to learn all the complexities of computer hardware, software & networks - not that I could know every detail myself, anyhow.

I summarize it with 3 bullets. Here's how I stay safe on the dangerous internet:
  1. Don't open file attachments that you aren't expecting.
  2. Don't click links provided in emails that you aren't expecting.
  3. If a website or popup requests you to click somewhere, close it with ALT-F4.
I'll elaborate now on the details, but for those of you who need it simple, those bullets will go a long way.

Regarding item #1, virus protection: I keep hearing people say "only open attachments from your friends." Here's why that's foolish: when a virus infects a computer, it can replicate by emailing a copy of itself to everyone in that computer's contact list. That means an attachment is almost more likely to be a virus if it's from your friends than otherwise.

I say "only trust attachments that you are expecting." I mean that you are safest if you've already had a discussion with someone in person, on the phone, in IM, or in email that says "I've got that file you need. I'll email it to you." If that hasn't happened, be wary.

You have more leeway if you know how to spot dangerous attachments. As of September 2008, the only really dangerous attachments are files that contain executable computer instructions: i.e., files that end with .exe or .scr (and perhaps also .com and .bat - if these are still executable on modern Windows operating systems). That list could grow if exploits are found in other software products (see JPEG virus attack), and it could include Microsoft Office documents if your macro security is too low. Try not to fall for the double-extension trick, though. A file called britney.jpg.exe is an EXE, not a JPG. The final extension always wins, even when it is invisible.
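The "final extension wins" rule can be checked mechanically. The following is an added example, not code from the original post: it classifies every attachment in a message using the post's 2008 extension list. The decoy-extension set, the function names and the sample message are assumptions made for illustration.

```python
from email.message import EmailMessage

# File types the post lists as directly executable (its September 2008 list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat"}
# Harmless-looking extensions used as decoys (illustrative set, an assumption).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def classify_attachment(filename):
    """Return (final_ext, is_executable, is_double_extension)."""
    # Windows file APIs drop trailing dots and spaces, so drop them first.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    is_executable = final_ext in EXECUTABLE_EXTS
    # The double-extension trick: a decoy extension sitting before the real one.
    return final_ext, is_executable, is_executable and inner_ext in DECOY_EXTS


def scan_message(msg):
    """List (filename, verdict) for every attachment in an EmailMessage."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        _, is_exec, is_double = classify_attachment(filename)
        if is_double:
            verdict = "executable disguised with a double extension"
        elif is_exec:
            verdict = "executable"
        else:
            verdict = "not on the executable list"
        findings.append((filename, verdict))
    return findings


def build_sample_message():
    """Constructed sample message; the attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Photos"
    msg.set_content("See attached.")
    for name in ("britney.jpg.exe", "holiday.JPG", "card.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample_message()):
        print(f"{filename}: {verdict}")
```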

Regarding item #2, phishing protection: I just got another great phishing scam email today. It was from Equifax, a company I have done business with. It was from a good email address (possible because of spoofing), it made a reasonable request (log in and update information), and it provided a link to eport.equifax.com, a valid website. However, if I read the HTML email source, I find the link lies about what it links to. It actually links to eport.equifax.file3.com - which is a completely different host owned by scammers collecting personal financial data. If you don't know how to examine URLs to recognize URL spoof attacks, it's safest to follow #2 and avoid clicking emailed URLs you're not expecting. If you want to click an untrusted link, instead try opening your browser and typing in the desired website directly - you're less likely to be redirected to phishers that way.
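Reading the HTML source for a link that "lies about what it links to" can be automated. This is an added example, not part of the original post: it compares the hostname shown in each link's text with the hostname in its href, using a constructed HTML body built from the two hostnames quoted above. The class and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(text):
    """Return the lowercase hostname if text looks like a URL or bare host."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None  # ordinary link text such as "Help" or "click here"
    if "://" not in text:
        text = "http://" + text
    return urlsplit(text).hostname


class LinkAuditor(HTMLParser):
    """Collect (shown_host, real_host) where the link text names another host."""

    def __init__(self):
        super().__init__()
        self.mismatches = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = host_of("".join(self._text))
            real = host_of(self._href)
            # Flag only links whose visible text claims a different host.
            if shown and real and shown != real:
                self.mismatches.append((shown, real))
            self._href = None


def audit_links(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.mismatches


# Constructed HTML body using the two hostnames quoted in the post.
SAMPLE = ('<p>Please visit <a href="http://eport.equifax.file3.com/">'
          'eport.equifax.com</a> to update your information.</p>'
          '<p><a href="http://example.com/help">Help</a></p>')
```

Calling `audit_links(SAMPLE)` reports the one link whose visible hostname differs from its real destination; links with plain wording as their text are not judged.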

Don't let emotions block reason. The ILoveYou virus and the common "You've received an eCard from a friend!" emails play on people's emotional desires to have positive social interaction. A good eCard site should at least provide the name & email of the card sender before they ask you to click links, to help validate the message. Also, be logical - if your birthday isn't for 8 months, who would send an eCard today?

Regarding item #3, malware protection: when websites pop up windows asking you to click anywhere, they may be trying to get your authorization to install malware, whether or not they say so. Clicking anywhere on these windows is dangerous, because sometimes they are imagemaps that pretend to be windows with close boxes but actually act like a big hidden "OK" button. Using the keyboard to close them (ALT-F4 in Windows, CTRL-F4 if it's a tab in a tabbed browser) is much safer than clicking anywhere on them.

It's also good to note that malware often comes bundled with "free" software. You should question any free software product available on the web, especially if it's advertised. Where does a company get money to pay for advertising for a product that's given away for free? They get money from malware writers that pay them to infect your computer and collect your data, and/or send you popup advertising even when you're not browsing. Gator was a company that was expert at this; now they've changed their name to Claria to flee bad press.

If you're unsure, err on the side of caution. Do you really need that custom browser toolbar or the little weather application? Is it worth risking your security?

Wrap-up: I considered adding more bullets to the list. Item #4 might be "keep your software up-to-date". I'm trying to be concise, though. A lot of home users aren't running professional operating systems with web services running, so they are less exposed to worms. I could add items like "set your boot priority list to boot only from hard disk", but the goal is internet security, and not many people are still getting infected from removable storage media.

Good luck and happy safe browsing.

Comments? Suggestions? Send them to matt@mattmullen.net.
