The same Internet connection that lets you reach out and touch millions
of Web servers, e-mail addresses, and other digital entities across the
globe also endangers your PC and the information it contains about you.
Here's how to stymie the three gravest Internet risks.
Threat #1: IE
Internet Explorer heads the list of top Internet security attack targets in
the most recent joint report of the FBI and security organization SANS
Institute. One reason: As the most widely used browser, IE provides the
biggest payoff for malicious hackers who set out to exploit its flaws.
The biggest problem with IE is its reliance on Microsoft's ActiveX
technology, which allows Web sites to run executable programs on your PC via
your browser. Security patches and upgrades, including Windows XP's Service
Pack 2 and the recently released IE 7, make ActiveX safer, but the
inevitable flaws that allow malware to circumvent those security
measures--combined with the reality that we computer users are often a
credulous lot--make ActiveX a risk not worth taking. Happily, with very few
exceptions (such as Microsoft's Windows Update site), you can browse the
Internet effectively without ActiveX.
To disable ActiveX in IE 6 and 7, choose Tools, Internet Options, Security,
Custom Level, scroll to 'Run ActiveX controls and plug-ins', and select
Disable (see Figure 1: Deactivate ActiveX controls in Internet Explorer 6 and
7 to put drive-by browser hijacking on ice). Click OK, Yes, and OK to close
the dialog boxes. To enable ActiveX on a known and trusted site, click Tools,
Internet Options, Security, choose Trusted Sites, click Sites, enter the site
address in the text box, and click Add. Uncheck 'Require server verification
(https:) for all sites in this zone', and click Close and OK.
If you leave ActiveX enabled, you may quickly encounter malware-harboring
sites and e-mail attachments that ask you to let them install their ActiveX
controls on your system. Unless you're 100 percent certain that the control
is safe and legitimate, don't allow it.
Regardless of which browser is set as the default on your system, always
keep Windows (and IE) updated to minimize your risk. To keep Windows XP
up-to-date, visit update.microsoft.com (you'll have to use Internet Explorer)
and install Service Pack 2, if you haven't already. Next, choose Start,
Control Panel, System, and click the Automatic Updates tab. Select
'Automatic (recommended)' if you trust Microsoft implicitly, 'Download
updates for me, but let me choose when to install them' if you trust the
company a little bit, or 'Notify me but don't automatically download or
install them' to play it safest. (Click "Don't Let a Windows Update Bring
You Down" for more on Windows updates.)
Whichever option you choose, click OK to download and install the
most recent security patches. If you stick with IE, upgrade to version 7,
which improves ActiveX security. Still, the best way to reduce your PC's
vulnerability to ActiveX exploits is to download and install another
browser, and set it as your default browser. Mozilla's Firefox is the most
popular IE alternative. Unfortunately, Firefox's growing popularity has
enticed malware authors to exploit its own flaws. While no software is
perfectly secure, many experts (including me) think the Opera browser is
safer than either IE or Firefox.
Threat #2: Phishing and Identity Theft
You've probably seen your share of phishing attacks, which look
like communications from your bank, PayPal, eBay, or another online account.
The message may ask you to click a link that leads to a bogus Web page,
complete with realistic user-name and password log-in fields, or it might
ask for a credit-card number. The fake address often resembles the real
institution's URL--'citibank.fakesite.com' in place of 'citibank.com',
for example. The phisher's site and e-mail message may even load images from
your bank, or have links to the institution's own Web site.
When you take the bait, the phisher harvests your data, and either sells it
to someone else, or uses it to drain your account right away. A variant
called spear phishing identifies you by name in the lure message or Web
site, making the sham even harder to spot. Typo-squatting is a related trick
in which phishers set up a fake site at an address slightly different from
the real one ('www.amazom.com' instead of 'www.amazon.com', for example) in
hopes that fast-typing customers will land there and not notice their typo.
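The two lookalike-address tricks described above can be checked mechanically. The following is an added example, not part of the original article: it compares a link's host against a short list of domains you actually use and reports the 'citibank.fakesite.com' and 'www.amazom.com' patterns. The TRUSTED list, the function names, and the two-label registered-domain rule are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Constructed allow-list: registered domains the user really has accounts with.
TRUSTED = ("amazon.com", "citibank.com")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED):
    """Return (verdict, trusted domain the link relates to, or None)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Genuine: the host is the trusted domain or a subdomain of it.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    # Assumption: the registered domain is the last two labels. Real code
    # needs the Public Suffix List to handle suffixes such as co.uk.
    registered = ".".join(labels[-2:])
    for dom in trusted:
        brand = dom.split(".")[0]
        # 'citibank.fakesite.com': brand name used as a subdomain label.
        if brand in labels[:-2]:
            return ("brand-in-subdomain", dom)
        # 'amazom.com': registered domain one or two edits from the real one.
        if edit_distance(registered, dom) <= 2:
            return ("typosquat", dom)
    return ("unknown", None)

if __name__ == "__main__":
    for link in ("https://www.amazon.com/gp/cart",
                 "http://citibank.fakesite.com/login",
                 "http://www.amazom.com/",
                 "http://example.org/"):
        print(link, "->", classify_link(link))
```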
You may have read that your bank will never send you an e-mail asking you to
log in to your account, and it shouldn't, though it does happen on occasion.
The vast majority of messages that appear to come from financial
institutions are phishing attacks, so assume that such messages are bogus
and avoid opening them at all, let alone clicking any links they contain. If
you are concerned that the bank or other service is really trying to notify
you of a problem with your account, open your browser manually and log in to
the site directly, or better yet, pick up the phone and call a customer
service agent (if you can find one via the bank's automated phone system).
The place you're most likely to notice that your credit card or bank account
has been compromised by a phishing attack or identity theft is on the
statement you receive from them via mail. Check it carefully for
unauthorized charges, and report any to the institution immediately.
Both IE 7 and Firefox 2 include new antiphishing settings that can compare
links to databases of known phishing sites before displaying the page. (As
we went to press, Opera planned to include a similar feature in the Opera
9.1 browser.) IE 7 asks you a couple of times if you'd like to enable its
phishing filter during installation; say yes. To enable this feature, choose
Tools, Phishing Filter, Turn On Automatic Website Checking, and
click OK.
Many firewalls and other security programs include identity-protection
features that scan the stream of data leaving your PC for sensitive
information, such as passwords or social security and credit card numbers,
and then block the unauthorized transfers. For more information on these
products, see "All-in-One Security."
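How such an identity-protection scan can work, as an added example that is not taken from the article or from any of the products it mentions: outgoing text is searched for card-number and social-security-number patterns, card candidates are confirmed with the Luhn checksum, and the transfer is refused unless the destination is on an approved list. The function names, the approved-host list, and the sample payload are constructed for this sketch.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(payload):
    """Return masked findings so the report itself does not leak the data."""
    findings = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other digit runs
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(payload):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

def allow_transfer(dest_host, payload, approved_hosts):
    """Return (allowed, findings) for data about to leave the PC."""
    if dest_host in approved_hosts:
        return True, []
    findings = find_sensitive(payload)
    return (not findings), findings

# Constructed sample: a well-known test card number, a made-up SSN, and an
# order number that has 16 digits but fails the Luhn check.
SAMPLE = ("user=alice&card=4111 1111 1111 1111&ssn=123-45-6789"
          "&order=1234 5678 9012 3456")
APPROVED = {"bank.example"}

if __name__ == "__main__":
    print(allow_transfer("bank.example", SAMPLE, APPROVED))
    print(allow_transfer("collector.example", SAMPLE, APPROVED))
```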
Resist the temptation to post personal information on your Web page, blog,
or social site (Facebook/MySpace) account. Identity thieves, spammers, and
online predators are always on the lookout for such data. Browse to
"Safeguard Your Reputation While Socially Networking" for an explanation of the
risks to both adults and children, and for tips on what you can do to avoid
the dangers.
Threat #3: Malware
Every day, virus, spyware, and adware creators come up with new,
ingenious ways to gain access to your PC. These steps will help keep you
safe:
Think before you click
Attached files that end with .exe, .com, .bat, and .scr, as well as
scriptable document files, including .doc and .xls, can infect your PC with
a single click. Many e-mail programs block access to executable-file
attachments.
Use a spam filter
Though some malware makes its way onto your computer via drive-by
browser hijacking (see "Threat #1"), e-mail is its other main source.
Install a junk-mail filter to reduce your chances of activating malicious
scripts embedded in messages.
Update your antivirus software
Allowing your antivirus software to continue running after its
subscription has expired is actually worse than using no antivirus software
at all: Not only do you lack the crucial virus signature database updates,
but you expose your system to malware that targets known flaws in antivirus
software. My personal favorite free antivirus app is Grisoft's AVG
Anti-Virus Free. Go to our Top Antivirus Software chart for our
antivirus-software recommendations.
Download with discretion
Any program you download and run on your system could potentially
result in a lethal infection or zombification. Download software only from
reputable online sources (such as PCWorld.com's Downloads section) that
first scan all of their download files for any malware.
Use a bidirectional firewall
Windows XP and Vista each come with a firewall that blocks incoming
attacks; it's enabled by default in Windows XP Service Pack 2 and later. For
the best protection, you'll also want to block unwanted outgoing connections
made by malware on your PC that attempts to either connect to a remote
server or send out spam. Vista's firewall can be set up to do that, but
configuring it is not a job for the average Windows user. Instead, get one
of several free bidirectional firewall programs, such as Zone Labs'
ZoneAlarm Free, or Agnitum's Outpost Firewall Free. Most commercial security
software suites also include a firewall program.
Use antispyware
Spyware, adware, and some browser cookies slow down your system,
cause crashes, and track your online activity. Antispyware utilities work
much like antivirus software, detecting and removing the unwanted software
from your PC. We picked Webroot's Spy Sweeper 5 ($30 per year) as our
favorite in our "Spyware Fighters" antispyware roundup.
Upgrade from XP
Service Pack 2 makes Windows XP much safer, but the operating
system still has security holes, and it remains a top target for malware
authors. Windows Vista's new user access controls ask your permission before
launching new programs, which reduces the chances that malware can leap from
the Web to your PC automatically, though some Vista bugs have already been
found. Both the Mac OS and Linux offer even stronger safeguards against
program launching, and they are rarely the targets of malware attacks, which
makes it very unlikely that Web-hosted attacks--or any other kind--will
afflict computers running those operating systems.