Thursday, December 30, 2010

I Gotcher Security/Privacy Checklist for 2011 Right Here, Pal

Another year, another couple dollars, another couple (or three, or six) hundred serious security flaws in Windows/Mac OS X/*nix/Adobe Reader/Adobe Flash/Photoshop/Microsoft Office/Internet Explorer/Safari/Firefox/JavaScript/etc/etc that have been (and in many cases, still are) leveraged by the crooks to separate you from your money and your personal/private information.

With the roller coaster ride known as 2010 winding down, I thought I'd summarize many of the things I've posted about thus far in a "yearly review" item - let's call it the 2011 12-Step Internet Security and Privacy Checklist:

1. STOP USING IE. Assuming you're a Windows user - surely you're not still using Internet Explorer as your default browser? (Mac-o-philes need not smirk here - I will predict that Safari will become more and more targeted by the criminal world; you have been warned.) I suggest Firefox + the NoScript plugin, or possibly Google Chrome + its NotScript plugin - although I have far less experience with Chrome so I can't unequivocally recommend it. The point of NoScript is that it blocks JavaScript, Flash and the other plugins on every site until you explicitly allow them, which stops most "drive-by" infections from booby-trapped web pages before they start.

2. STAY UPDATED. No matter what your operating system is, make sure it's always got the latest updates. Windows can be configured to automatically download and install priority updates, or just download them and let you know that they're ready. I suggest at least the latter. The same goes for whatever browser(s) you use, and for the plugins they load (Flash, Java, Reader) - those are patched separately from the browser, and they're what the drive-by exploit kits actually go after. (Chrome doesn't give you a choice - it updates itself transparently whenever a new version is published.)

3. FIX YER ACROBAT/READER SOFTWARE. If you use Adobe Acrobat or Adobe Reader to view .pdf files, update to the latest "X" version, and then immediately do this:
  • open Edit > Preferences
  • in the JavaScript part, turn off "Enable Acrobat JavaScript"
  • in the Trust Manager part, turn off "Allow opening of non-PDF file attachments with external applications"
If you're running version 9 and don't want to update to version X*, please still do the above steps. (And if you are on Reader X, leave its new Protected Mode sandbox turned on - it's on by default, and it limits what a malicious PDF can do even if something gets past these two settings.)

Adobe continues to doggedly leave these things turned on by default in each new version of Acrobat and Reader, which is just plain irresponsible on their part.

* That link points at an installer that doesn't require you to first load the !@#$% Adobe Download Manager. Just say NO to ADM.
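As an added example (not part of the original post, and not Adobe's code): here is a small Python scanner that looks inside a PDF for exactly the two features the steps above switch off - document JavaScript and "Launch"-style actions that hand files to external programs - plus the auto-firing actions that usually trigger them. The sample PDFs in it are constructed for the demo; they are not real documents or real malware. It also undoes the two tricks that defeat a naive "search for /JavaScript" check: hex-escaped names (/J#61vaScript) and objects packed into compressed streams.

```python
import re
import zlib

# Constructed sample PDFs (made up for this demo, not real documents and
# not malware). ACTIVE_PDF carries the two features item 3 switches off:
# document JavaScript and a /Launch action that runs an external program.
# /J#61vaScript is the hex-escaped spelling of /JavaScript that malicious
# files use to slip past naive keyword scans.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello');) >> endobj
5 0 obj << /S /Launch /F (cmd.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same idea hidden inside a FlateDecode (zlib) stream, the way PDF 1.5
# object streams pack their objects.
COMPRESSED_PDF = (
    b"%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

RISKY_NAMES = (
    "/JavaScript", "/JS",     # document scripting (first Reader setting)
    "/Launch",                # run an external application (second setting)
    "/EmbeddedFile",          # attachments that /Launch may hand off
    "/OpenAction", "/AA",     # actions that fire without a click
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated contents of every zlib stream so names packed
    inside compressed objects get scanned too. Non-zlib streams are skipped."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return data + b"\n" + b"\n".join(extra)

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes: /J#61vaScript -> /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count each risky name in the PDF. A name only counts when a PDF
    delimiter follows it, so /JS does not also match /JSX."""
    text = normalize_names(inflate_streams(data))
    found = {}
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%])"
        count = len(re.findall(pattern, text))
        if count:
            found[name] = count
    return found

def is_suspicious(data: bytes) -> bool:
    """Any of these features means: open it only in a viewer with scripting
    and external launching switched off, or not at all."""
    return bool(scan_pdf(data))

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_PDF), ("active", ACTIVE_PDF),
                        ("compressed", COMPRESSED_PDF)):
        print(label, scan_pdf(blob))
```

Not every PDF with /JavaScript in it is hostile (fillable forms use it all the time), which is exactly why the scanner reports counts rather than a verdict; the right reaction to a hit on a file from a stranger is to keep those two Reader settings off, not to skip the file because it happens to be clean.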

4. Another thing about Acrobat and Reader - there are alternatives. I have tried Foxit a couple times but the rendering quality is noticeably poorer than what Adobe does. More recently I've started using the Google Docs Viewer for reading PDF files in Firefox (it works in all of the other browsers as far as I know). Keep in mind that the viewer renders the PDF on Google's servers, so the file leaves your machine - fine for a public document, not so fine for your tax return.

5. WEAR PROTECTION. For Windows users - now that Microsoft has its free MS Security Essentials anti-malware software available, there is no excuse not to be running some kind of antivirus/antimalware protection. I will go further and say that I personally see no reason to pay anyone for this kind of functionality - e.g. Symantec, McAfee, etc. By all accounts MS does a very good job with MSSE. Just remember that antivirus is the backstop, not the plan: it mostly catches what's already known, and the crooks test their stuff against it before they ship it, so items 1 through 3 still matter.

6. CONNECT SECURELY. There is another nice utility plugin for Firefox called HTTPS Everywhere (from the EFF). If you do financial stuff on-line, you might've noticed that your browser's address bar will (hopefully) say something like "https://www.yourbank.com" when you're logged into the financial site... The "s" in "https" means "secure": the traffic is encrypted, and the browser checks the site's certificate so you know you're talking to the real yourbank.com and not to somebody sitting in the middle. Many other non-financial sites support the https protocol, as well as the usual "http" protocol.

Here's what HTTPS Everywhere does for the sites it knows about that can support https connections: it forces you to connect with https rather than http. At the moment the list includes Facebook, Google Search, Twitter, Meebo, NY Times, Washington Post, bit.ly, Hotmail, Microsoft, Wikipedia, Wordpress.com, Google APIs, and quite a few others. When you are connected via https, whoever runs the network can't read or tamper with what goes back and forth, which is very nice if you're connected to the 'net using an open wifi hotspot that does not provide a Virtual Private Network connection to the Internet. (They can still see which sites you connect to, just not what you do there, and the plugin can't help on sites that aren't on its list.) In general you always want "https" if it's available, no matter what you're doing - and if the browser throws up a certificate warning, don't click through it.
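As an added example (not part of the original post, and not the HTTPS Everywhere code itself): the rewrite the plugin does is simple enough to show in a few lines of Python. The rule table below is made up for the demo and only borrows the shape of the real rulesets (target hosts, a from/to regex, optional exclusions); the hostnames are fictitious. The live certificate check at the end is the part a browser does for you, and is there so you can see what "supports https" actually means.

```python
import re
import socket
import ssl
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed rule table in the spirit of HTTPS Everywhere's rulesets
# (targets + from/to regex, optional exclusions). Hostnames are made up.
RULES = [
    {"targets": ["example-bank.test", "www.example-bank.test"],
     "from": r"^http://", "to": "https://"},
    {"targets": ["example-social.test", "*.example-social.test"],
     "from": r"^http://(www\.)?example-social\.test/",
     "to": "https://example-social.test/",
     # a legacy area the (fictitious) site only serves over plain http
     "exclusions": [r"^http://[^/]+/legacy/"]},
]

def force_https(url: str, rules=RULES) -> str:
    """Rewrite a plain-http URL to https when a rule covers its host and no
    exclusion applies. Already-secure URLs and hosts no rule knows about
    come back unchanged: the plugin can only protect sites on its list."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = (parts.hostname or "").lower()
    for rule in rules:
        if not any(fnmatchcase(host, t) for t in rule["targets"]):
            continue
        if any(re.search(x, url) for x in rule.get("exclusions", ())):
            return url                      # site can't do https here
        rewritten = re.sub(rule["from"], rule["to"], url, count=1)
        if rewritten != url:
            return rewritten
    return url

def https_works(host: str, timeout: float = 5.0) -> bool:
    """Live check (needs a network, so not part of the offline test): does
    the site speak TLS on 443 with a certificate that validates against the
    system trust store? False here is the case where a browser would warn."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:                         # ssl.SSLError is an OSError too
        return False

if __name__ == "__main__":
    for u in ("http://www.example-bank.test/login",
              "http://www.example-social.test/home",
              "http://www.example-social.test/legacy/old.cgi",
              "http://unknown.test/"):
        print(u, "->", force_https(u))
```

The exclusion case is the one to notice: when a site serves part of itself only over http, the rule has to leave those URLs alone, and that is where your traffic is back in the clear even with the plugin installed.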

7. BE SELFISH. Turn off any unnecessary "network shares" on all of your computers. (On Windows, typing "net share" at a command prompt lists everything the machine is currently sharing; on a Mac it's System Preferences > Sharing.)

8. USE PASSWORDS. Make sure every machine on your network requires a login password - and that it isn't blank, "password", or the name of your dog.

9. MASSAGE YOUR ROUTER. Make sure your router (or modem/router - i.e. the box that you got from your cable or phone company that hooks you up to the internet) is properly configured.

Typically the router configuration is accessed through a mini-web server that is built into the router - and typically it will have an address of something like 192.168.1.1.

In that particular case, you can go to your browser and type in "http://192.168.1.1" and the web interface will show up. (Other addresses are possible; consult the router or router/modem manual for more details about your particular box.) Here are some things to keep in mind:
  • Change the default administrative password for the router. E.g. for Linksys routers, all of the ones I've used have a default password of "admin". If you don't do anything else, do this. While you're in there, make sure "remote management" (administration from the Internet side) is turned off - the admin page should only be reachable from inside your own network.
  • Make sure that you're using at least WPA encryption if your router has wi-fi capability. WPA2 (with AES) is better. WEP is sorta kinda better than nothing, but not much - it can be cracked in a few minutes with free tools. Pick a long passphrase, too; WPA/WPA2 with a short dictionary word isn't much harder to break. IMO the wireless interface of a router is its weakest link in terms of people getting onto your network and possibly stealing private (e.g. financial) information from other computers connected to your network.
  • Turn off anything that says "Plug and Play" (UPnP). UPnP lets any program on your network - malware included - ask the router to open ports to the Internet without asking you first.
  • Make sure the NAT firewall is enabled. It might just say "Firewall".
  • Don't have any more ports (holes) opened in your firewall than absolutely necessary. If you open one or more up for some program and then stop using it, close them again.
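As an added example (not part of the original post): a quick way to check the "Plug and Play" item from a computer on your network is to send the standard UPnP discovery probe (an SSDP M-SEARCH to the multicast group 239.255.255.250:1900) and see whether the router answers as an "Internet Gateway Device". The Python below does that; the SAMPLE_REPLY is a constructed reply in the shape a home router returns (the addresses and UUID are made up), so the parsing part can be checked offline.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)

# UPnP discovery probe: ask specifically for Internet Gateway Devices,
# i.e. routers that will open firewall ports on request.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
).encode("ascii")

def parse_ssdp_response(raw: bytes) -> dict:
    """Turn an SSDP reply (HTTP-style headers) into a dict of lower-cased
    header names. Anything that isn't an 'HTTP/1.1 200 OK' reply yields {}."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def advertises_gateway(headers: dict) -> bool:
    """True when the replying device claims to be an Internet Gateway Device,
    which means UPnP port mapping is switched on at the router."""
    return ("InternetGatewayDevice" in headers.get("st", "")
            or "InternetGatewayDevice" in headers.get("usn", ""))

def discover(timeout: float = 2.0) -> list:
    """Send the probe to the LAN multicast group and collect every reply as
    (sender IP, parsed headers). Needs a real network; the offline test only
    exercises the parser."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MSEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(4096)
            replies.append((ip, parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

# Constructed sample reply (made-up router, address and UUID).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/2.6, UPnP/1.0, HomeRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, hdrs in discover():
        if advertises_gateway(hdrs):
            print(ip, "has UPnP on (description at",
                  hdrs.get("location"), ") - turn it off")
```

An answer means UPnP is definitely on. Silence is weaker evidence: some routers only answer the generic "ssdp:all" search, and some firewalls on the PC drop the multicast reply, so treat "no answer" as "probably off" and confirm it in the router's web interface.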

10. USE "LASTPASS". I continue to love this free, secure, backed-up-in-the-cloud password and private data manager product. I won't go into it here since I already did that not too long ago.


11. BACK UP YER STUFF. This is a huge topic, and I won't go into detail, but - do you have at least two recent backup copies of all of the stuff on your computer(s)/mobile devices that you can't live without? E.g. photos, financial data files, the latest version of the Great Novel that you're working on, critical account information for on-line resources that you use (LastPass can help here), address book/contact database, etc. I say two backups because many people would tell you that if you only have one copy "somewhere", you're not really backed up. You need to have two copies of all of the important stuff, ideally on different kinds of media (DVD-R, CD-R, CD-RW, USB memory stick, cloud backup....), and certainly not in the same location - i.e. carry one of the copies in your car or keep one at your mom's house or something. And try restoring a file from each copy now and then: a backup you have never restored from is a hope, not a backup.
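As an added example (not part of the original post): the "two copies, and check them" rule in working Python. It copies a folder to two destinations, writes a sha256sum-style manifest next to each copy, and can later re-hash a copy on its own to catch a missing or silently corrupted file. The demo data (a fake photo and a fake novel) and the two destination folder names are constructed for this example; point the functions at real paths to use it.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"   # same line format as sha256sum -c understands

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source) -> dict:
    """Relative path -> sha256 for every file under source."""
    source = Path(source)
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def backup(source, destinations) -> dict:
    """Copy source into each destination and drop a manifest next to the
    copy, so each copy can be checked on its own later without the source."""
    source = Path(source)
    manifest = build_manifest(source)
    for dest in destinations:
        dest = Path(dest)
        if dest.exists():
            shutil.rmtree(dest)          # simple demo: replace, don't merge
        shutil.copytree(source, dest)
        with (dest / MANIFEST).open("w", encoding="utf-8") as f:
            for rel, digest in sorted(manifest.items()):
                f.write(f"{digest}  {rel}\n")
    return manifest

def verify(dest) -> list:
    """Re-hash every file named in the copy's manifest and return the
    relative paths that are missing or changed ([] means the copy is good)."""
    dest = Path(dest)
    bad = []
    with (dest / MANIFEST).open(encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            target = dest / rel
            if not target.is_file() or sha256_of(target) != digest:
                bad.append(rel)
    return bad

def run_demo() -> dict:
    """Constructed data in a temp dir: back up to two 'media', then damage
    each copy a different way (bit rot, deleted file) and let verify() catch it."""
    root = Path(tempfile.mkdtemp(prefix="backupdemo-"))
    src = root / "my-stuff"
    (src / "photos").mkdir(parents=True)
    (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 not really a jpeg")
    (src / "novel.txt").write_text("Chapter 1. It was a dark and stormy night.")
    usb, cloud = root / "usb-stick", root / "cloud-copy"
    manifest = backup(src, [usb, cloud])
    result = {
        "files": sorted(manifest),
        "usb_ok_at_first": verify(usb) == [],
        "cloud_ok_at_first": verify(cloud) == [],
    }
    (cloud / "novel.txt").write_text("Chapter 1. It was a dark and stormy nigh")
    (usb / "photos" / "cat.jpg").unlink()
    result["cloud_bad"] = verify(cloud)
    result["usb_bad"] = verify(usb)
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print(run_demo())
```

The manifest lives with each copy on purpose: if the original disk dies, the copy still carries everything needed to prove it is intact, and because the format matches sha256sum you can check a copy from any Linux/Mac shell with "sha256sum -c MANIFEST.sha256" without this script.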

12. DON'T EVER CLICK ON A LINK IN AN EMAIL. E.g. if you get a notice that seems to be from Microsoft or Adobe or whoever (whomever?) that you need to update something, don't click on the link that is provided. The text you see and the address the link actually goes to are two different things - hover over it and look at the status bar if you want to see how different. Instead, navigate to the vendor's website in your browser and find the update - if it actually exists - yourself. You might even try googling it - e.g. "acrobat x update".
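As an added example (not part of the original post): the "looks like adobe.com, goes somewhere else" trick is easy to check for mechanically. The Python below pulls every link out of an HTML email body and flags the ones whose visible text names one site while the href points at another. The sample message is constructed for the demo, and the *.example-phish.test hostnames are stand-ins for an attacker's domains; the "registered domain" helper is deliberately crude (a real checker would use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML e-mail body (made-up message and hostnames; the
# *.example-phish.test names stand in for an attacker's domains).
SAMPLE_EMAIL = """
<p>Your Adobe Reader needs a critical update. Click
<a href="http://adobe-updates.example-phish.test/get.php?id=1">http://www.adobe.com/reader</a>
to install it now.</p>
<p>Questions? See our <a href="https://www.adobe.com/support">support page</a>.</p>
<p>Also: <a href="http://www.yourbank.com.example-phish.test/login">www.yourbank.com</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Crude (wrong for things like .co.uk;
    a real checker would use the Public Suffix List) but enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_in_text(text: str):
    """If the visible link text is itself a URL or a bare hostname, return
    that hostname; otherwise None (ordinary words like 'support page')."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    return urlsplit(candidate).hostname

def suspicious_links(html: str) -> list:
    """Return (visible text, real href) for links whose text names one site
    while the href goes to another: the classic look-alike phishing link."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = host_in_text(text)
        real = urlsplit(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(real):
            flagged.append((text, href))
    return flagged

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"says {text!r} but goes to {href}")
```

The third sample link is the one people fall for most: the real hostname starts with "www.yourbank.com" and only the tail end gives it away, which is why the comparison is done on the last two labels of the host rather than on the beginning of the string.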

OK, that's your twelve steps. I'm sure I left something important out - there are so many things to worry about when you're toodling around the World Wide Web - but any and all of these things will help at least a little bit in keeping you and yours safer in the new year to come.