Protecting the PC
Many agree that Windows computers need to be protected with a strategy
called defense in depth. This is not just for fighting off viruses.
Clearly, computer/security and Internet Explorer also need defense in
depth.
The most important thing to do to protect your computer is to be
skeptical.
Start with the assumption that you are being lied to. No software can
protect someone who lets the bad guys continually scam them.
For example, that email message may not have come from the visible
FROM address. Even if it did, the sender's email account may have been
broken into and the message could be from a scammer. Same for instant
messages.
Many tricks can be played with links to make them appear to go one place
when they actually go somewhere else, and that was before link shorteners
made hiding the true destination even easier. You probably don't need to
install a new codec to see that enticing video. Your computer is probably
not infected with 314 viruses. Even notices about updating software to
install the latest patch may not be legit.
Software-wise, techies are always advising to keep up to date on
patches for your installed software. What doesn't get said often
enough is that this is an all but impossible task for Windows users.
Thomas Kristensen of security company Secunia reported recently "that in
order for the typical home user to stay fully patched, an average of 75
patches from 22 different vendors need to be installed [every year]."
Without a standard pipeline through which all these companies can funnel
patches, Windows users are forced to deal with many different and
inconsistent patch delivery systems. It's a brutal mess, and one not likely to
have a good solution for a very long time.
Secunia offers three patch-related products. To me, the best bang for the
buck is offered by their free Online Software Inspector. I wrote about this in
depth recently (Check (All) Your Windows Patches: Secunia). Their other
products check more software, but the online service checks the most
popular applications, offers a very simple and easy-to-read report and
includes links to the latest software updates.
Windows users should avoid Internet Explorer. You can't delete it, but
you can ignore it.
IE suffers both from having a target painted on its back, because it's so
popular, and from Microsoft's being slow, in general, to issue patches. Plus,
it has its fair share of bugs and design flaws. I run Internet Explorer once a
month on my XP machine, just for Windows Update. Independent security
expert Steve Gibson does this too.
Firefox is my preferred browser, but I also use Chrome. In both cases, I opt
for portable versions from portableapps.com. A normally installed copy of
Firefox cannot be updated by a limited/standard Windows user, but the
portable version can.
The Adobe Reader is also best avoided. Like Internet Explorer, the
Adobe Reader is extremely popular, so bad guys focus on it.
Like Microsoft, Adobe is slow in issuing bug fixes. At least Microsoft issues
IE patches monthly; Adobe thinks that every three months is a good idea.
You are safer using software that is updated when bugs are found, not
when corporate needs dictate.
Among alternatives, the Foxit PDF Reader is probably the most popular. I
also like the free and portable Sumatra PDF Reader because it seems to be
a low end product. Fewer features means fewer bugs and a smaller attack
surface. Plus, because it is relatively unpopular, bad guys have no reason to
exploit any bugs the Sumatra Reader may have.
Malicious PDFs are very common. If someone sends you a PDF, stranger
or not, you are much safer opening it with the Sumatra PDF Reader than
with the Adobe Reader.
Turn off autorun.
The ability to automatically run programs when inserting a CD or USB flash
drive was a huge security mistake on the part of Microsoft. Making this
worse, in the many years since, they have modified the rules over and over
and issued multiple bug fixes to the software enforcing the rules. Anyone
who thinks they understand the rules for how autorun works and can
explain it to you, doesn't understand the rules.
The good news is that you can bypass the quicksand of
autorun completely. Every variation and iteration of Microsoft's rules boils
down to a file called autorun.inf. There is a simple registry update that tells
Windows to never, no matter what, pay attention to any autorun.inf file.
It's ironclad safety.
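
The registry change described above, as an added PowerShell example that is not from the original article. It assumes the update in question is the widely documented IniFileMapping redirect for Autorun.inf (the article does not name the key); the function names are made up for this example.

```powershell
# Added example, not from the original article. Assumption: the registry
# update meant above is the IniFileMapping redirect for Autorun.inf.
$MapKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$MapWant = '@SYS:DoesNotExist'  # send autorun.inf lookups to a registry key that does not exist

function Test-IsAdmin {
    # True when the current session holds the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AutorunInfIgnored {
    # True only when the key exists and its default value is the redirect.
    if (-not (Test-Path -LiteralPath $MapKey)) { return $false }
    $current = (Get-Item -LiteralPath $MapKey).GetValue('')
    return ($current -eq $MapWant)
}

function Set-AutorunInfIgnored {
    # Writes under HKLM, so it must run in an elevated session.
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated PowerShell prompt.' }
    if (-not (Test-Path -LiteralPath $MapKey)) {
        New-Item -Path $MapKey -Force | Out-Null
    }
    Set-Item -LiteralPath $MapKey -Value $MapWant   # sets the key's default value
    if (-not (Test-AutorunInfIgnored)) { throw "Write to $MapKey did not take effect." }
}

# Audit first; nothing is changed unless Set-AutorunInfIgnored is called.
if (Test-AutorunInfIgnored) {
    'OK: the autorun.inf redirect is in place.'
} else {
    'NOT SET: the autorun.inf redirect is missing. Call Set-AutorunInfIgnored from an elevated prompt.'
}
```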
Protect your WiFi network from snooping.
The big issue with securing wireless networks is making sure that good
encryption is used for all data traveling over the air. Never use WEP
encryption. If that is the only option in your router, buy a new router. WPA
encryption is good enough. There have been two holes discovered with it,
but experts consider them minor. WPA version 2 (WPA2) is the best
encryption and should be your first choice, assuming all your wireless
devices support it.
Technically, the last paragraph is not true. What people call WPA encryption
really refers to TKIP and what is called WPA2 encryption really refers to
AES. I mention this because if you opt for WPA2 and then choose TKIP to
use with it, your security is the same as WPA.
Another possible problem with WPA, WPA2, TKIP and AES is the
password. Bad guys can record WiFi transmissions over the air, and then
try to crack the encryption later. If the WiFi password is short, or a word in a
dictionary, your private transmissions will no longer be private. Don't think
password, think pass sentence. Since the wireless password is typically
entered only once per computer, something over 20 characters would
serve you well and not be a constant annoyance. Nothing wrong with
writing it on a piece of paper and taping it, face down, to the router.
If you have a router, open up the front and close the back.
By open up the front, I mean ensuring that you can get into the router's
internal website to make changes. To do so, you need to know three things:
the IP address of the router and the userid and password for logging into
the internal website.
Every computer on the LAN knows the IP address of the router; it's the
default gateway. Windows users can enter the command "ipconfig" from a
command prompt to learn the IP address of the default gateway. Enter this
IP address into your web browser and you should be prompted for a
userid/password. New routers will have the default userid/password
somewhere in their documentation. Never use the default password. Like
the WiFi password, it's probably a good idea to write this information on a
piece of paper and tape it, face down, to the router.
By closing the back, I was referring to the firewall in the router. You can test
how well the firewall is protecting your LAN with Steve Gibson's
ShieldsUP! service.
Anti-malware software:
Rather than re-tread well worn advice, the only point I'll make here is about
the choice between dedicated antivirus/antispyware/antimalware software
and a suite of protection software that includes this along with many other
types of defensive software. Avoid the suites.