Date: 02/01/13; Version 13
Here is a short list of things to do about security for your home computer:
Briefly: Back up your data to removable media. Copy your data so that everything you care about is stored in at least two places. This isn't just about security from bad guys: your hard disk might crash, or your computer might be damaged or stolen. Hard drives are made to last only a few years. If you have a CD or DVD burner, burn a backup disc often. If you have a Macintosh, hook up an external drive and turn on Time Machine, and your data will be backed up hourly. (I also back my files up over the Internet to offsite storage.) (Seagate has a product for Windows, Replica, that supposedly works like Time Machine. I haven't tried it.)
Of all the bad things that could happen to your computer, a disk crash is the most likely. In October 2008, my 10-month-old computer made a funny noise and wouldn't boot. All my files were lost! I got a new drive, restored from backup, and didn't lose a thing. If you have any important data that's stored on just one computer, you should feel nervous.
The next likely bad thing is having your computer lost or stolen. (This has happened to people I know.) If you have a backup, then at least you won't lose your data.
Understand that electronic mail and web pages can be forged and snooped easily.
Don't assume that a mail message was sent by the person named in the From field.
If you get mail that appears to be from a bank, or eBay, or the traffic court, or PayPal, asking you to go to a website and fill in your personal info, it's probably a scam.
Your electronic mail travels across the Internet unprotected; strangers can read and change it, so don't send personal details, valuable passwords, or credit card numbers in regular e-mail.
Rich Mogull wrote a nice article about this.
Some viruses infect a target computer, read its Address Book, and send fake mail to everyone listed, hoping to get them to open an infected document or go to an infected website.
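An added example, not part of the original page: a short Python check that shows why the From field proves nothing by itself. It parses a constructed sample message and compares the From domain with the Return-Path and Reply-To domains and with the SPF/DKIM results recorded by the receiving server; the function names, sample addresses and header values are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail): the From line names a bank, but the
# other headers point somewhere else and the receiving server's checks failed.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: verify@collect.example.net
To: you@example.org
Subject: Please confirm your account

Go to the website and fill in your personal info.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def from_warnings(raw_message):
    """Return reasons to distrust the From field. These are hints, not proof:
    mailing lists legitimately use a different Return-Path, and an
    Authentication-Results header only counts if your own mail server added it."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    warnings = []
    if not from_dom:
        warnings.append("no usable From address")
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            warnings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if not auth:
        warnings.append("no Authentication-Results header: sender was not verified")
    else:
        for check in ("spf", "dkim"):
            found = re.search(rf"\b{check}=(\w+)", auth)
            result = found.group(1) if found else "absent"
            if result != "pass":
                warnings.append(f"{check}={result}")
    return warnings

if __name__ == "__main__":
    for line in from_warnings(SAMPLE):
        print("WARNING:", line)
```

A message with no warnings is still not proof of who sent it; the check only catches the cheapest forgeries.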
Web pages may not be what they seem.
There are a lot of crooks out there trying to get your credit card and bank account numbers.
Consider this 2008 report of a Windows financial-data-stealing Trojan horse program that was undetected for three years.
People viewed a web page that secretly installed this program on their computer; the program waited till they used their online banking website, and modified the user's view of the bank's web page to ask for extra info that got sent to the bad guys.
Surf carefully.
Understand the meaning of your web browser's "lock" indicator and that bad guys may try to counterfeit it.
In 2012 and 2013, there were attacks that exploited holes in Flash and Java in web pages. Disable these features in your web browser, except for trusted web sites.
There have been many attacks via Facebook, using Facebook Apps or postings with a link to a malicious web page, ostensibly posted by a friend.
The malware can attack computers running Windows, Mac, and Linux, steal confidential information, and install a back door that lets the bad guys take over your computer.
According to Cisco, clicking on ads in web pages is more likely to trigger an attempt to infect your computer than visiting porn.
When I worked from home for a company that was serious about security, they provided me with a CheckPoint firewall that supported a Virtual Private Network (VPN) connection to the company's resources. This meant that file access and company mail were protected by encryption.
Don't run or install programs from strangers.
You'd think this is obvious, but many people are too trusting, or don't understand that clicking on an email attachment often runs something.
People get an email message claiming to be a picture, or whatever, and click on it, and their computer gets all messed up.
Be careful about clicking on email attachments, even if they appear to be from someone you know, because email can be forged easily (see above).
Don't install programs sent to you in email, instant messages, social networks, or web pages.
You may be installing "spyware" or "adware" or programs that silently steal your bank account details, or use your computer to mail spam to others.
There are Facebook apps that try to steal your data, raid your address book to spam your friends, post messages in your name, or take over your web browser and computer.
Malware can be concealed in files you might think are "data files" rather than programs. For example, there have been macro viruses in Microsoft Word, Excel, and PowerPoint files for many years. PDF files may also contain malware: just opening a malicious PDF can run a virus program that can take over your computer. If you get a suspicious message from someone asking you to open an attached document, be cautious.
Another tactic that bad guys use is to send a pointer to a "video" or a data file that asks you to install software so you can see it. If you install the software, your computer gets infected.
If you get mail that appears to be from a friend who is stranded in a foreign country, be very suspicious. I got one a few months ago, but I knew my next-door neighbor wasn't in London.
There have been a number of attacks concealed in supposed pirated versions of commercial software, including games, graphics programs, and anti-virus software. If you download and install such an item, your computer gets infected.
Use a firewall if you have a cable or DSL line. Get a combination NAT and firewall box, which should cost less than $50. I use an Apple AirPort Express; I used to use a Linksys box. Even if you have only one computer, a router/firewall helps isolate your computer from the bad guys on the outside, kind of like a surge protector. (You can use software on your computer to act as a firewall, but a separate box is better: if a virus gets on your computer it can disable the software protection silently.)
Use passwords sensibly. Use strong passwords to protect valuable assets. Don't use the same login ID or password for multiple services, especially if any have a credit card attached. If your access to one service gets cracked, or shoulder surfed, or eavesdropped, or intercepted over wireless, you don't want the attacker to be able to get into your other accounts. The password databases of some large web sites were hacked in the past year or two, and attackers then tried these passwords on other services and were able to hijack mail accounts.
Don't input your password to a hotel PC or other machine you don't trust, or send it over an insecure wireless connection.
Some social media websites ask you for your mail user name and password, so they can read in your address book. This is too risky for me, and I don't join services that require it.
Don't run as administrator for everyday use. Set up a non-administrator account on your computer, and use it for your normal mail reading, web browsing, and so on. When you need to install software, switch to the administrator account. You'll have to take a few extra steps once in a while, but if a sneaky piece of malware gets into your computer, it won't be able to take over your system as easily.
Install a virus checker and keep its definitions up-to-date, especially if you are using Windows. You should have a virus checker program, even though fast-spreading viruses can hit you before you update. Windows users also need to obtain and use "adware" and "spyware" checkers. On a Mac, a virus checker can detect viruses in Microsoft Word, Excel, and PowerPoint files.
Install security patches from your software providers regularly. Keep your operating system and applications up to date. This is important, because many computers are infected by viruses that exploit old weaknesses for which patches have been available for months. Once again, though, you can't count solely on these patches for security, because the patches come out after the holes are found.
Use a Mac if you can. Macintoshes have fewer security problems. According to a report on Mac security for 2011, Macs had "only 58 new malware variants (according to F-secure) when compared to more than a million new variants per year for the rest of the PC industry." (Numbers of attacks are probably not very useful: what's important to you is how likely you are to encounter one that will infect your computer, and by this measure, Macs are currently safer.) As Macs become more popular, and Windows holes are closed, attackers will look for holes in the Mac.
In April 2012, many Macs were infected with the Flashback malware before a fix was released.
This attack used a weakness in Oracle Java. Other recent attacks have employed holes in the Adobe Flash plugin.
For Macintosh-specific security advice, see "Security: For My Friends With Macs."
(Frankly, I am not really enthusiastic about any of the popular operating system choices. The Mac is a good choice, but by no means perfect. I used to warn folks not to use Microsoft Outlook and Internet Explorer, based on their history of exploits, but there have been many fewer vulnerabilities found in these products recently. Windows, Mac OS, Linux, and other Unix descendants are all written in the C language using ad hoc processes. Brilliant programmers have failed to produce secure systems using this approach in many years of trying. We should do better: there is a worked example now of a secure verified microkernel.)
James Fallows wrote a nice article in 2011 for The Atlantic titled "Hacked," which describes his wife's experience of having her Gmail account password stolen, and all her messages and photos lost. It describes what Google did to help her recover her mail. Probably this breach occurred because she had used the same password on Gmail as on other sites, one of which was hacked.
You may also be interested in how I filter spam.
CMU CERT has a (somewhat dated) tutorial article about "Home Computer Security."
Here's a good, but depressing, article from 2003 about the situation by Scott Granneman: "Joe Average User is in Big Trouble." He also wrote "A Home User's Security Checklist for Windows."
If you insist on using Windows, Terry Gleidt wrote a nice how-to article on "Coping With Windows," and Gina Trapani wrote an article in 2010 about how to get rid of fake XP Anti-Spyware.
Wireless is cool, it's convenient, and it's also risky: a neighbor can download a program that will crack your WEP key in about an hour, and you'll never know... till you get your bank statement! I sometimes use wireless connections while traveling, but at home I stick to wire. If you really want to use wireless, you have to take responsibility for security. Nobody else will.
There are two issues: securing your network so strangers can't connect to it, and securing your communication so that strangers can't intercept it.
If outsiders can connect to your WiFi network and use your bandwidth, they could:
You can deal with strangers attempting to use your network by:
You may detect outsider use by noticing that the modem lights are blinking even when your computers are idle. (But some legitimate software checks periodically for new versions, so don't panic.)
Interception is undetectable, until someone uses the intercepted information. The WPA-2 encryption standard fixes a lot of problems with earlier protocols. At home, use only WPA-2, choose a long random passphrase, and change it occasionally. Turn wireless off on your computer unless you are using it. Use a wired connection whenever possible. Remember that even if the connection from your computer to the access point is encrypted, electronic mail will then pass over the Internet unprotected.
Using "free" wireless is tempting. You may be traveling and find a free access point that requires no password -- but that access point may be set up by someone who wants to observe your credit card numbers and banking passwords. Your hotel may provide wireless access that requires a password, but a malicious person with access to the hotel's setup could still tap your communications. I have seen fake hotspots, or "Evil Twins," set up with an attractive name, in an airport or hotel district. Company wireless systems can also be tapped by people with inside access. The person running a network can observe what addresses you connect to, and see the packets you send and receive. Only use wireless access points that you trust.
If you are using a hotel's internet connection, and get a popup suggesting you update some software, this may be an attempt to infect your computer. Wait till you get to a connection you trust.
People have been arrested for using others' wireless without permission, even if that wireless router had no access control.
If you are using a wireless access point run by someone else,
(If you don't know what this means, maybe you shouldn't use wireless.)
A well-recommended book on wireless is Tyler Wrightson's Wireless Network Security A Beginner's Guide.
Copyright (c) 2003-2013 by Tom Van Vleck