2024-02-28; Version 22

Home Computer Security Advice

Tom Van Vleck

Here is a long list of things to do about security for your home computer:

Briefly:

Be suspicious.
Back up daily.
Don't reuse passwords.
Use a Mac.

  1. Links in mail messages may be fake.

    (Dec 2023) I got mail that said my Amazon account was expiring and that I should click something. The mail Subject was "Service Amazon" and the From address was at great-site.net. Fake, don't click. (The mail body was actually a PDF file that had an embedded JavaScript that did who-knows-what. I just blocked great-site.net.)

    (Nov 2023) I see several phishing mail messages a day that use confusion between the capital letter I and lowercase letter l, which are indistinguishable in sans-serif fonts. Many seem to be sent from servers in India.

    (Nov 2023) Brian Krebs writes about phishing and malware installers hidden behind .us domains. Be cautious clicking on links that look like (garbage).us/garbage.

    (Sep 2023) Getting a lot of email messages with subject Your private information has been stolen because of suspicious events. These are scams. Ignore them.

    (Jan 2023) Getting a lot of email messages saying that "your account has been charged..." or "McAfee expired" or "password expiring," but they are all scams. Don't panic, don't reply, don't click, don't call them on the phone. (Many of these were sent from Gmail accounts.)

  2. Mac: Don't install MacKeeper.

    (from Slashdot) Elastic Labs has found surprisingly that 50% of malware comes from one app: MacKeeper, ironically. Ironic in that MacKeeper claims to "keep your Mac clean and safe with zero effort." MacKeeper also has a tainted reputation for being difficult to completely uninstall and as a malicious antivirus. (Malwarebytes can help uninstall it.)

  3. Links in mail and web pages can infect your computer.

    Of all the bad things that could happen to your computer, a malware infection is the most likely. If you get mail with a link in it, DON'T CLICK unless you are sure the link goes to a safe page. (In most browsers and mail clients, you can hover over the link to see where it points; but it takes some skill to interpret Web addresses.)
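Reading where a link really goes, as an added example (not part of the original page): this Python sketch pulls each link out of a constructed HTML mail body and compares the host the browser would actually contact with the address shown in the link text. The sample message, the function names, and the example.com / example.net hosts are made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail body; all names are reserved example domains.
SAMPLE_MAIL = """
<p>Your account needs to be verified.</p>
<a href="https://accounts.example.com/">https://accounts.example.com/</a>
<a href="https://accounts.example.com@login.example.net/reset">https://accounts.example.com/reset</a>
<a href="http://accounts.example.com.verify-login.example.net/">accounts.example.com</a>
"""

# A host name appearing in the visible link text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return [(real host, [warnings])] for each link in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        parts = urlsplit(href)
        # The host is what follows any "user@" part and precedes the first "/".
        host = (parts.hostname or "").lower()
        warnings = []
        if parts.username is not None:
            # Everything before "@" is a login name, not the site being visited.
            warnings.append("userinfo")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown:
            name = shown.group(1).lower().removeprefix("www.")
            # A host name is read right to left: the real site is at the END.
            if host != name and not host.endswith("." + name):
                warnings.append("text-mismatch")
        report.append((host, warnings))
    return report


if __name__ == "__main__":
    for host, warnings in audit_links(SAMPLE_MAIL):
        print(f"{host:48} {warnings or 'ok'}")
```

The second and third sample links both begin with accounts.example.com, yet both are served by example.net: only the end of the host name says who owns the page.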

    QR codes on signs can be faked also. Scanning one with a smartphone may send you to a fake web page that pretends to be a company or bank. Scammers print stickers with their QR code and put them over real codes. See (4) below for all the bad things the fake page could do. This is called Quishing.

  4. Electronic mail, web pages, text messages, and telephone caller ID can be forged.

    Don't assume that a mail message was sent by the person named in the From field.

    If you get mail that appears to be from a bank, or eBay, or the traffic court, or Paypal, or Dropbox, or whatever, asking you to sign in, click on a link, or supply personal information, it's probably a scam. Some viruses infect a target computer, read its Address Book, and send fake mail to everyone listed, hoping to get them to open an infected document or go to an infected website. Telephone caller ID can also be faked.

    Banks, Amazon, Apple, Microsoft, and government agencies will never call or text you and ask for personal info or account numbers.

    Forged mail or text messages may try to get you to click a link. For example, I got a fake message claiming to be from Apple that said "the password for your AppleID has been reset. If this wasn't you, go to this link and set it back." Of course, it wasn't sent by Apple and the link didn't go to Apple. There are lots of messages saying "your (whatever) account needs to be verified: open this web page and log in." Don't. Also messages saying "your email is full/suspended: open this web page and supply your password." Don't.

    If iPhones had a Messages option named "disable links in Messages" I would set it and tell everyone to set it. The Bad Guys can send text messages that appear to be from anybody. I get a lot from banks I don't have an account at. If the Bad Guys hack somebody else's phone or email, they might get your mobile number and send you a fake text message with a link in it. ... and if you click this link, a web browser on your phone will open a fake page of theirs. That page can infect your phone with malware, spyware, ransomware. Spoil your day/week/month.

    (Aug 2022) email scams: mail that appears to be from PayPal is a scam.

    (Nov 2021) The "Zelle scam" starts with a fake "fraud alert" text message from a bank, as reported by Brian Krebs. If the user replies, they then get a phone call from a scammer pretending to be the bank, with fake caller ID. The scammer asks the user for their online banking ID, and to read back a one-time code sent to their phone. The scammer uses the code to change the user's online banking password using the "lost password" feature, and then drains their account.

    Because lots of email messages are actually scams trying to get you to click a link, it's a good idea to filter out as much spam as you can. Some email providers, like Gmail, do this for you. Or you can sign up for third party spam filtering services. Or you can build your own spam filters. (How I filter spam.)

  5. Web pages may not be what they seem.

    There are a lot of crooks out there trying to get your credit card and bank account numbers. Consider this 2008 report of a Windows financial-data-stealing Trojan horse program that was undetected for three years. People viewed a web page that secretly installed a malware program on their computer; the program waited till they used their online banking website, and modified the user's view of the bank's web page to ask for extra info that got sent to the bad guys. Surf carefully. Understand the meaning of your web browser's "lock" indicator and that bad guys may try to counterfeit it. Never click through a certificate mis-match warning.

    There have been many attacks via the Facebook web site, using Facebook Apps or postings with a link to a malicious web page, ostensibly posted by a friend. The malware can attack computers running Windows, Mac, and Linux, steal confidential information, and install a back door that lets the bad guys take over your computer.

    Fake content is posted on Facebook and other social media in order to harvest your political leanings, so that scammers can harvest your email and send you spam, malware, or just general email newsletters. If you view or click on postings on these media, you will see more "news" items tailored to the preferences you revealed. They may mention well-known politicians in sensationalist headlines, or use phrases like "And you won't believe what happened next" or "One weird trick." Sometimes these items are exaggerated, one-sided, unproven, or completely made up. I have given up on Facebook and Instagram. Too many ads.

    Look at this: bad guys can use letters from other languages' alphabets to fool you. You click on a URL and it looks perfectly OK, but it goes somewhere else. The security indicator shows it's OK. But it's fake.
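A check for the look-alike addresses described here and in the note above about capital I and lowercase l, as an added example (not part of the original page): this Python sketch decodes internationalized host names, reports labels that mix alphabets, and compares a folded form of the host against a short list of hosts you actually use. The KNOWN_HOSTS list and the small LOOKALIKES table are assumptions made for illustration; real tools use the full Unicode confusables data.

```python
import unicodedata

# Hosts the reader actually uses (assumption: you keep your own short list).
KNOWN_HOSTS = ("paypal.com", "apple.com", "amazon.com")

# Constructed, deliberately tiny look-alike table covering only the cases
# shown here; it is not the complete Unicode confusables data.
LOOKALIKES = {
    "I": "l", "1": "l", "0": "o",                 # ASCII: capital I, one, zero
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",  # Cyrillic er, es, i
    "\u03bf": "o",                                # Greek omicron
}

# Constructed sample: "apple.com" with a Cyrillic first letter, in the
# punycode ("xn--") form that appears in mail headers and raw links.
CYRILLIC_APPLE = "xn--" + "\u0430pple".encode("punycode").decode("ascii") + ".com"
SAMPLE_HOSTS = ("paypal.com", "paypaI.com", CYRILLIC_APPLE, "example.org")


def to_unicode(host):
    """Decode punycode ("xn--") labels so the real characters are visible."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as written
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Alphabets used by the letters of one label, e.g. {"LATIN", "CYRILLIC"}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold look-alike characters onto one representative, then lowercase."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in to_unicode(host)).lower()


def check_host(host, known=KNOWN_HOSTS):
    """Return a list of warnings; an empty list means nothing was flagged."""
    shown = to_unicode(host)
    if shown.lower() in known:
        return []  # exact match for a host you trust
    warnings = []
    if any(len(scripts(label)) > 1 for label in shown.split(".")):
        warnings.append("mixed-script")
    for real in known:
        if skeleton(shown) == skeleton(real):
            warnings.append("lookalike:" + real)
    return warnings


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:20} {check_host(host) or 'ok'}")
```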

    An extremely bad thing that could happen when you click a link is that your computer gets infected with Ransomware. This software encrypts all the files on your computer, and then demands money to decrypt them. A friend got infected this way: he ended up paying lots of money to get his files back. (He had been backing up his files, but not all of them.) Sometimes the ransom demand is a fake, and your files are not actually encrypted. Sometimes the files are encrypted, and you send the payment, but then you never get the decryption key.

    If you get an alarming pop-up window in your web browser that tells you "viruses have been detected," or asks for your ID and password, this is a scam, sometimes called Scareware. Don't click anything. Close the window, if it will let you. Restart your browser. Find a web browser setting that limits or disables popups.

    Many web sites include advertising and graphic features supplied by many sources. If one of these suppliers gets infected, visiting a page may infect you, even though the site you think you're visiting is not damaged. For example, banner ads on some web pages are put up by advertising networks; these networks can be tricked into sending out ads that infect visitors. Installing an ad blocker in your browser will reduce this danger.

    Many online store web sites use trackers to build up a profile of what you shop for and buy. They (e.g. Google) sell your personal info to other sites to target ads. If you search for shoes at one online store, you'll see lots of shoe ads from then on. You can add blocking software to your browser, or use a web browser like Brave to limit tracking. (On iPhones, you can reset your "advertising identifier" every so often. I do this and it helps.) A VPN will also help.

    Keep your browser up-to-date (I said that already). Some attacks exploited holes in Flash and Java in web pages. Most web pages don't use either any more and most browsers don't allow it.

  6. Electronic mail can be snooped.

    Your electronic mail travels across the Internet unprotected; strangers can read and change it, so don't send personal details, valuable passwords, or credit card numbers in regular e-mail. Rich Mogull wrote a nice article about this.

    If you get mail that appears to be from a friend who is stranded in a foreign country, be very suspicious. I got one a while back, but I knew my next-door neighbor wasn't in London.

    (Phone calls can be forged too, including Caller ID. Some people have been tricked by bad guys who called them on the telephone and said they "detected viruses on your computer," or "your credit card has been stolen, what's your account number, PIN, and CVV," or "there is a problem with your bank account, what is the number and password." Sometimes the scammers claimed they worked for Microsoft, or your bank, or the FBI. Just hang up.)

  7. Use the cloud sensibly. Putting information in cloud storage decreases some risks and adds other new risks.

    We all use cloud services every day, including email providers, web services, and data storage. This is great until you get hacked. Bruce Schneier wrote a nice essay.

  8. Back up your data to removable media. Copy your data so that everything you care about is stored in at least two places.

    This isn't just about security from bad guys: your hard disk might crash, or your computer might be damaged or stolen. Hard drives are made to last only a few years.

    If you have a CD or DVD burner, burn a backup disc often; or attach an external drive and back up your hard disk files to it. If you have a Macintosh, attach an external drive and turn on Time Machine, and your data will be backed up hourly. (You can also copy your files over the Internet to offsite storage in the cloud.) See my Macintosh Backup article.

    In October 2008, my 10 month old computer made a funny noise and wouldn't boot. All my files were lost! I got a new drive, restored from backup, and didn't lose a thing. If you have any important data that's stored on just one computer, you should feel nervous.

    Your computer could be damaged, lost, or stolen. (This has happened to people I know.) If you have a backup, then at least you can get your data back. And if you have a login password on your computer and your storage is encrypted, a thief won't be able to get at your private information.

  9. Install security patches from your software providers regularly. Keep your operating system and applications up to date.

    Recent bugs in smartphones, computer operating systems, browsers, and applications make this really important: many computers are infected by viruses that exploit old weaknesses for which patches have been available for months. (You can't count solely on these patches for security, because the patches come out after the holes are found.)

    You have to keep your hardware devices up to date too. Install firmware updates to computers, smartphones, Internet routers, and devices connected to the Internet such as printers and "smart home" devices. This includes things like video doorbells, baby monitors, smart fridges, smart speakers, games and toys, and even sex aids. Check your manufacturers' websites to make sure that you have the latest firmware.

    (2014) Some Internet routers can be "hijacked" by attackers. Check the support website for your router to see if there are security issues, and install updates if they are available. Make sure your router has a strong non-default password and cannot be administered from outside your house. Set your DNS servers for both Ethernet and WiFi to Google Public DNS (8.8.8.8, 8.8.4.4) or OpenDNS (208.67.222.222, 208.67.220.220), so that an infected router cannot redirect your communication.

  10. Don't run or install programs from strangers on your computer or phone. You'd think this is obvious, but many people are too trusting, or don't understand that clicking on an email attachment often runs a program on your computer: they get an email message claiming to be a picture, or whatever, and click on it, and their computer gets all messed up.
    Be careful about opening email attachments, even if they appear to be from someone you know, because email can be forged easily (see above).
    Don't install programs sent to you in email, instant messages, social networks, or web pages. You may be installing "spyware" or "adware" or programs that silently steal your bank account details, or use your computer to mail spam to others. Forged mail from UPS, banks, etc. with ZIP attachments has infected many users recently; don't open such attachments.

    (Jan 2022) Hackers are sending USB sticks in the post, with forged messages from Amazon or government or the CDC. Don't plug untrusted USB devices into your computer. These sticks can install ransomware.

    Sometimes people take a work laptop home, and let their family members install "cracked" games, or tools for downloading files like BitTorrent, on the work computer. And guess what, the computer gets infected with malware that then spreads to other family machines, or to computers at work. The safest thing is to use the work laptop for WORK ONLY.

    (Jan 2014) Some users of the Chrome browser who installed third-party extensions were being flooded with spam, including ads that sent the user to infection sources. Spammers bought the rights to a formerly-trusted extension from its developer, and posted an update adding the spamming to the Android store so that it was automatically installed on the user's browser.

    There are Facebook apps that try to steal your data, raid your address book to spam your friends, post messages in your name, or take over your web browser and computer.

    Malware can be concealed in files you might think are "data files" rather than programs. For example, there have been macro viruses in Microsoft Word, Excel, and PowerPoint files for many years. PDF files may also contain malware: just opening a malicious PDF can run a virus program that can take over your computer. If you get a suspicious message from someone asking you to open an attached document, be cautious. (Sometimes scammers call you on the phone, pretending to be a bank, or the FBI, or whatever (with a faked caller ID), and tell you that you have to open a document on your computer RIGHT AWAY, and disable macro virus protection in Word, or Excel, or whatever. Just hang up.)

    Another tactic that bad guys use is to send a pointer to a "video" or a data file that asks you to install software so you can see it. If you install the software, your computer gets infected. (People try to view sports events online and are told that they need to install a "video codec" or similar. Nope, don't do it.)

    There have been a number of attacks concealed in supposed pirated versions of commercial software, including games, graphics programs, and anti-virus software. If you download and install such an item, your computer gets infected.

    Some software download sites, such as CNet, provide convenient access to download free software, but they also hijack your browser's search engine, and install adware that pops up ads and tracks what pages you view.

    Hotel business center computers and hotel WiFi services have been infected with software that copies everything you do and sends it to bad guys. Don't use machines or hot spots you don't trust for any private information.

    Here is a nice article by Brian Krebs about many bad things a hacker can do with your computer.

  11. Use a firewall if you have a cable or DSL line.
    Get a combination NAT and firewall box, or router, which should cost about $50. I use an Apple AirPort Express; I used to use a Linksys box. Even if you have only one computer, a router/firewall helps isolate your computer from the bad guys on the outside, kind of like a surge protector. (You can also enable software on your computer to act as a firewall, but a separate device gives more protection: if a virus gets on your computer it can disable the software protection silently.) Make sure your firewall's software is kept up to date.

  12. Use passwords sensibly. Use strong passwords to protect valuable assets. Don't use the same login ID or password for multiple services, especially if any have a credit card attached.
    If your access to one service gets cracked, or shoulder surfed, or eavesdropped, or intercepted over wireless, you don't want the attacker to be able to get into your other accounts. The password databases of some large web sites were hacked in the past year or two, and attackers then tried these passwords on other services and were able to hijack mail accounts.

    Don't input any password to a hotel PC or other machine you don't trust, or send it over an insecure wireless connection, like a coffee shop or hotel.

    Some social media websites ask you for your mail user name and password, so they can read your address book. This is too risky for me. I don't join services that require it.

  13. Don't run as administrator for everyday use.
    Set up a non-administrator account on your computer, and use it for your normal mail reading, web browsing, and so on. When you need to install software, switch to the administrator account. You'll have to take a few extra steps once in a while, but if a sneaky piece of malware gets into your computer, it won't be able to take over your system as easily.

  14. Install a virus checker and keep its definitions up-to-date, especially if you are using Windows.
    You should have a virus checker program, even though fast spreading viruses can hit you before you update. Windows users also need to obtain and use "adware" and "spyware" checkers. On a Mac, a virus checker can detect viruses in Microsoft Word, Excel, and PowerPoint files.

  15. If you have a laptop, install tracking software that will locate it if it is lost or stolen.
    Find My Mac comes with Macintosh machines.

  16. Use encryption wisely.
    Enable full disk encryption if your system supports it. (I enable FileVault on Macs.) Keep sensitive data in an encrypted container.

  17. Use a Mac if you can.
    Macintoshes have fewer security problems. According to a report on Mac security for 2011, Macs had "only 58 new malware variants (according to F-secure) when compared to more than a million new variants per year for the rest of the PC industry." (Numbers of attacks are probably not very useful: what's important to you is how likely you are to encounter one that will infect your computer, and by this measure, Macs are currently safer.) As Macs become more popular, and Windows holes are closed, attackers will look for holes in the Mac.

    (Frankly, I am not really enthusiastic about any of the popular operating system choices. The Macintosh is my choice, but it's by no means perfect. Windows, macOS, Linux, and other Unix descendants are all written using the C language and ad hoc processes. Brilliant programmers have failed to produce secure systems using this approach in many years of trying. We should do better: there is a worked example now of a secure verified microkernel.)

  18. Use good passwords: Correct Battery Horse Staple.

Further Reading

(2024) NIST (used to be the Bureau of Standards) has written a series of documents on Cybersecurity. One good one is the Small Business Quick Start Guide to Cybersecurity.

Brian Krebs wrote a nice article in October 2012: Tools for a Safer PC.

The Digital Defenders Project has published a lengthy site describing what to do if you get hacked.

James Fallows wrote a nice article in 2011 for The Atlantic titled "Hacked," which describes his wife's experience of having her Gmail account password stolen, and all her messages and photos lost. It describes what Google did to help her recover her mail. Probably this breach occurred because she had used the same password on Gmail as on other sites, one of which was hacked.

Wireless

Wireless is cool, it's convenient, and it's also risky: a neighbor can download a program that will crack a WEP key in about an hour, and you'll never know... till you get your bank statement! I sometimes use wireless connections while traveling, but at home I stick to wire. If you really want to use wireless, you have to take responsibility for security. Nobody else will.

There are two issues: securing your network so strangers can't connect to it, and securing your communication so that strangers can't intercept it.

Securing your network

If outsiders can connect to your WiFi network and use your bandwidth, they could:

You can deal with strangers attempting to use your network by;

(By the way, do not configure your router to hide the network ID (SSID). This actually decreases security.)

You may detect outsider use by noticing that the modem lights are blinking even when your computers are idle. (But some legitimate software checks periodically for new versions; don't panic.)

If you buy "internet enabled" or "smart home" gadgets that use your Wi-Fi, make sure that you set strong passwords on them, and check for and install security updates to the devices. Do you want to advertise whether you're home or not to people driving by?

Preventing Interception

Interception of your data is undetectable, until someone uses the intercepted information. The WPA-2 encryption standard fixes a lot of problems with earlier protocols, and WPA-3 improves on it. At home, use only WPA-2 or WPA-3, choose a long random passphrase, and change it occasionally. Turn wireless off on your computer unless you are using it. Use a wired connection whenever possible. Remember that even if the connection from your computer to the access point is encrypted, electronic mail will then pass over the Internet unprotected. You should still use application security, like SSL, whenever possible.

Using Others' Networks Safely

Using "free" wireless is tempting. You may be traveling and find a free access point that requires no password -- but that access point may be set up by someone who wants to observe your credit card numbers and banking passwords. Your hotel may provide wireless access that requires a password, but a malicious person with access to the hotel's setup could still tap your communications. I often see fake hotspots, or "Evil Twins," set up with an attractive name, in an airport or hotel district. The person running a network can observe what addresses you connect to, and see the packets you send and receive. Wireless routers can be hijacked by malicious firmware that silently redirects, copies, or alters communication. Only use wireless access points that you trust. Company wireless systems can also be tapped by people with inside access.

If you are using an untrusted internet connection, and get a popup suggesting you update some software, this may be an attempt to infect your computer. The FBI has warned of faked update services on hotel WiFi servers. Wait until you get to a connection you trust to update software.

If you are using a wireless access point run by someone else,

(If you don't know what this means, maybe you shouldn't use wireless.)

A well-recommended book on wireless is Tyler Wrightson's Wireless Network Security A Beginner's Guide.