Foiling the Bad Guys

by Tom McNichol

The good news is that computers continue to get smaller, faster, and cheaper. The bad news is that threats to computers have become bigger, faster, and more insidious. Today, there are many types of malicious software programs—or malware—each targeting a specific vulnerability in a computer network. Viruses spread from computer to computer by infecting their software. Spyware can steal passwords and other personal information. Adware launches obtrusive pop-up ads and slows computers down. Keyloggers record every keystroke you make. Scareware pretends to be security software when it's really designed to breach a computer's defenses.

Here are some tips for keeping your information—and your clients' data—out of the hands of the bad guys.

Avoid Easy-to-Guess Passwords
The problem with many computer passwords is that they're far too common and therefore easy for hackers to guess ("123456" won't cut it). How, then, do you come up with a password that's complex, but not so complicated that you'll forget what it is? One recommended technique is to take a sentence or phrase that you're sure to remember and turn it into a password made up of both letters and numbers. For example, the phrase "one small step for man" could become an alphanumeric password such as "1smallst4M." Longer passwords are more secure than shorter ones, and adding numbers and capital letters makes them even harder to crack. As a further hedge against hackers, security experts advise that you change your passwords regularly.

Secure Your Password
A surprising number of people take the time to choose a hard-to-crack password, only to write it down on a Post-it note that's stuck on their computer monitor in plain view. It's always a bad idea to write a password down on paper—you might as well leave your wallet out on your desk with a note reading "Help Yourself." If you're afraid you won't remember your password, you can write down a coded version of it. For example, if your password is the alphanumeric string derived from the phrase "one small step for man," write down "Neil Armstrong" as your clue.

This much should go without saying: Never give anyone your password; never email your password, even to yourself; and never enter a website password directly from a link in an email message. If you have any doubt at all that it's really, say, Bank of America emailing you to ask for your password, go to the bank's website using your browser and enter your password through that secure server.

Beware of Phishing
Phishing attacks typically use email to gather personal information from you by posing as a trustworthy friend or organization. You might receive emails that appear to be sent by Amazon, Facebook, or your credit card company asking you to "verify" your account information. But no reputable firm will ever ask you to verify any information via email; odds are that the sender is phishing for information that can be used to gain access to your accounts.

Phishers often take advantage of current events to tailor their appeals and bring a sense of urgency to their entreaties. Thus, after a widely reported natural disaster, you may receive emails from supposed charities asking you to contribute to relief efforts-and supply a credit card number. Election time increases the number of politically minded phishing attacks; tax season brings various financial scams to millions of in-boxes. Never surrender any information to these requests. If you want to contribute to a particular charity or cause, go directly to its website.

The popularity of Facebook and Twitter has given rise to a number of clever phishing attacks involving social media. Some hackers manage to discover the names of your Facebook friends (it's not that hard) and then send you an email message pretending to be one of those friends, with a note that usually says something like "I thought of you when I saw this website. Check it out!" The link provided then launches a malicious attack on your computer.

Similarly, attackers can gather the names of the people you're following on Twitter and write a seemingly personal email to you that instructs you to click on a link. Remember, just because you recognize the name in the "From" field of an email doesn't mean the message was sent by that person.

Be Cautious with Wi-Fi
Almost every coffee shop these days features Wi-Fi, but depending on the network in use, your personal information may be flying around Starbucks for everyone to see. That's because http—the protocol used by many websites—is not encrypted. Only websites that use a security system known as SSL are truly safe to visit in a public Wi-Fi setting. Most banks and major Internet commerce outlets use SSL by default, but Facebook, Twitter, and some smaller merchants don't.

All major Web browsers include an icon near the address bar that signifies whether that particular site is secure, usually a small picture of a padlock. If you don't see the lock, you can sometimes access a secure version of the website by adding an s to the address in the bar. Thus, if you replace www.google.com with https://www.google .com, you'll be taken to an encrypted version of the search engine.

Don't Let Scareware Scare You
Internet hoaxes are as old as the Internet, and anyone who's still falling for the Nigerian email money scam probably deserves what's coming. But hackers have come up with a much more convincing hoax in the form of scareware, which presents itself as legitimate security software. Sometimes, the hoax appears as a pop-up window with a message something like "A virus has been detected. Click here to run an antivirus scan." The link provided, of course, is what launches the promised virus.

Never run a purported virus scan or security program directly from a pop-up window. If a message you receive seems the least bit suspicious, quit all of your open programs and launch your own security software. Which brings us to our final tip ...

Get Good Malware Defense
A complete suite of security software is the best single protection against malware, since it combines antivirus protection with a firewall that blocks unauthorized access. But there are many stand-alone antivirus utilities that will give you an extra layer of protection (for example, Norton AntiVirus, Spyware Doctor, McAfee AntiVirus Plus, and Microsoft Security Essentials). All of these products are good at keeping malware off your computer, but are somewhat less effective than a suite for cleaning up an infected system.

In computer security, as with the law, an ounce of prevention is worth a pound of cure.

---