Today I am going to show a number of ways that you can reduce your risk of contracting malware and spam email online. This article is not for the faint of heart: I will likely upset a lot of your beliefs about internet security, but remember, knowledge is power. A lot of the information here is just for awareness, but there are also many actual steps that you can perform to help you stay safe online. I will be starting off with the easy stuff and progressing to the more involved steps.
The first part of being safe is to understand your enemy. Many people just accept that if you visit a malicious site you get infected. The wiser people will wonder how that site can infect them, and why their browser and operating system can’t prevent it. In theory you can’t get a virus from visiting a web page: your web browser is supposed to run and display the website in a restricted environment where it can’t access sensitive information or the rest of your computer. Unfortunately there are ways around this.
Your web browsers are pieces of software, written by people like you and me. While they attempt to restrict the website properly, they are very complex and often contain mistakes in the code. These bugs cause security vulnerabilities that a website can exploit to gain privileges that it isn’t supposed to have. Often, if these issues are found by a scrupulous individual, they will be reported to the creators of the software in private so that they can be fixed. Unfortunately there are also nefarious people who are looking for these vulnerabilities to exploit themselves, or to sell to others. The sad truth is that there are companies and black markets that are holding security vulnerabilities in common pieces of software so that they can sell them for profit. Make sure you always have the latest versions of software so that as many of these issues are fixed as possible.
It is worth noting here that free Open-source software is often less vulnerable to these issues because more people can look at the code and find them. It is also much harder for a backdoor to be added on purpose as the public would be able to see it. However, this is not the place for a full discussion of the benefits of open-source software.
As well as vulnerabilities in the browser itself, most browsers allow third-party plugins to be accessed by web pages. Common examples of this are Adobe Flash, Adobe Reader and Oracle’s Java. These three plugins are not only the most popular but also the most common attack vectors for viruses, and they are notorious for security vulnerabilities. My first piece of advice for reducing your risk is to disable all of your browser plugins when you aren’t using them. You will probably find that you don’t need them that often. Unfortunately many sites still require Flash, but the number is shrinking, and by not using Flash you can help lower the number of sites that use it (websites won’t use it if no one has it installed). Personally, I have both Flash and Java disabled and only enable them if I want to use them on a trusted site. I use the QuickJava addon for Firefox to easily enable and disable both Flash and Java.
Up until now I have been talking about drive-by downloads, where you can get infected just by visiting a site. This method is the hardest to defend against because it exploits vulnerabilities in software you trust, but it is not the most common cause of infection. The largest security flaw on most systems is the user. While you can restrict what a site can do, the user has to have permission to read their own sensitive data, for obvious reasons. Phishing refers to a variety of tactics that are used to trick a user into installing malware on their own system, or into giving out their own sensitive information.
The best way to avoid falling for phishing attacks is to be aware. Always check your browser’s URL bar before giving sensitive information to a website, and never give one site your password for another site. You need to know what you can trust and what you can’t. I will be going over a number of these things and ways to mitigate them. The story at the end of the day is that while software can try to protect you from these issues, it is up to you to give or deny these programs permission to run, and once you give them permission, they have it forever and can run other programs. There is a lot of weight on these decisions, yet many people just click “yes” without thinking about the potential consequences.
One common misunderstanding is that if you see a site’s URL in the location bar you are accessing that site. This is not true: due to the way the internet works, it is not guaranteed that you are actually getting unmodified content from the site you are requesting, or that you are accessing that site at all. There is a way around this though, and that is HTTPS, or HTTP over SSL. SSL does two things: it encrypts the traffic and it verifies where the information came from. This means that if you try to connect to https://example.org and you get a valid certificate (don’t worry, your browser checks this for you), you know that you have connected to https://example.org and the traffic hasn’t been modified. Unfortunately, most sites don’t use HTTPS by default. But while they don’t use it by default, most sites do support it, and it is up to you to ask for it. This can generally be done by changing the http:// in front of the URL to https://. This may seem like a lot of work, but it gains you a ton of extra security. There are also browser extensions that will do this for you. I use HTTPS Everywhere to automatically give me the HTTPS versions of sites that are known to have HTTPS. I also use an extension that tries to detect other sites that support HTTPS and asks me to add a rule to HTTPS Everywhere if one is found.
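To make the idea of a "rule" concrete, here is an added example (not code from this post or from the HTTPS Everywhere project) that applies one ruleset written in the HTTPS Everywhere XML layout to a few URLs. The ruleset, the host names and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset; example.org and its subdomains are placeholders.
RULESET_XML = r"""
<ruleset name="Example (constructed)">
  <target host="example.org" />
  <target host="*.example.org" />
  <exclusion pattern="^http://legacy\.example\.org/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Parse targets, exclusions and rewrite rules out of one ruleset."""
    root = ET.fromstring(xml_text.strip())
    return {
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
    }

def host_matches(host, target):
    # "*.example.org" covers subdomains only; a plain target must match exactly,
    # so look-alikes such as "example.org.attacker.test" never match.
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target

def upgrade(url, ruleset):
    """Return the HTTPS form of url if the ruleset covers it, else url unchanged."""
    host = (urlsplit(url).hostname or "").lower()
    if not any(host_matches(host, t) for t in ruleset["targets"]):
        return url
    if any(p.search(url) for p in ruleset["exclusions"]):
        return url
    for pattern, replacement in ruleset["rules"]:
        # The rules here carry no back-references, so "to" is a literal replacement.
        new_url, count = pattern.subn(replacement, url, count=1)
        if count:
            return new_url
    return url

RULES = load_ruleset(RULESET_XML)
```

Only hosts named by a target are rewritten, and the exclusion keeps a host that is known not to work over HTTPS on plain HTTP, where its traffic stays unprotected.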
Email is another common source of malware. It is a message that can conveniently have files attached to it. This looks great to people who want to infect your computer. Many people know not to open emails from people they don’t know, but how do you know who sent the email? The answer is you probably don’t. Basic email does not have any way to verify the sender. If you want proof, check out this service that will allow you to send an email “from” any email address. These are trivial to set up, as the “from” address in an email is just a field the sender fills in, to any value he wants. In an ideal world everyone would set this to their own email address, but unfortunately not everyone is of good heart.
Fortunately there is a way around this; however, it does take some work. There is a standard called PGP (which stands for Pretty Good Privacy) that allows you to sign and encrypt messages. This allows you to send messages that only the intended recipient can read, and lets the recipient be sure of who sent them. I would highly recommend signing your everyday emails using PGP, as it does no harm and is free to use (free as in freedom), and you should be signing all important information. Remember, anything you receive in an email cannot be trusted unless it is signed.
The internet is an amazing technology that lets you move information around the globe (and to space) in seconds. While many people enjoy and embrace this service, many people see it as a way to do unethical things on a large scale. While there are many standards and pieces of software that try to protect your privacy and your computers, it is up to you to make sure you compute as safely as possible. All software has bugs, but it is up to you to try to make those problems irrelevant by restricting access where you don’t need it. The other large problem is verifying what you are getting: the internet has no built-in mechanism for ensuring that you are getting the information you asked for from who you tried to get it from. Fortunately there are many steps that you can take to get this level of trust from the internet.
I have covered many topics that can help you get a basis on internet security. If you have any questions please comment below, and if I have made any mistakes please tell me so that I can fix them. If you want a more in-depth look at any topic mentioned, please let me know and I will gladly make a post about that in the future.
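The two paragraphs above, as an added example that is not part of the original post: it reads the sender-related headers of two constructed messages and reports what a reader can and cannot conclude from them. Comparing From against Return-Path and Reply-To goes beyond the text and is only a heuristic; the addresses, message bodies and function names are constructed, and the signature check only notes whether a PGP/MIME (`multipart/signed`) part is present.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims the bank, the other headers point elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
From: Example Bank <support@bank.example>
Reply-To: help@other.invalid
To: you@example.org
Subject: Action required
Content-Type: text/plain

Please confirm your details.
"""

# Constructed sample: every header agrees, which still proves nothing,
# because each of them is text supplied on the sending side.
CONSISTENT = SPOOFED.replace("bounce@mailer.invalid", "support@bank.example") \
                    .replace("Reply-To: help@other.invalid\n", "")

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_warnings(raw_message):
    """List the reasons not to take the From header at face value."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    warnings = []
    if not from_dom:
        warnings.append("From header missing or unparseable")
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and from_dom and dom != from_dom:
            warnings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # A signature part that is present must still be verified with a PGP tool
    # against the sender's public key; this only detects that it is absent.
    if msg.get_content_type() != "multipart/signed":
        warnings.append("no PGP/MIME signature part: From is unverified")
    return warnings
```

The second message produces no header mismatch at all, so the only warning left is the missing signature.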