Who says safe computing must remain a pipe dream?
By Bruce Schneier - www.schneier.com
December 9, 2004, 4:00 AM PT
I am regularly asked what average Internet users can do to
ensure their security. My first answer is usually, "Nothing--you're
screwed."
But that's not true, and the reality is more complicated.
You're screwed if you do nothing to protect yourself, but
there are many things you can do to increase your security
on the Internet.
Two years ago, I published a list
of PC security recommendations. The idea was to give
home users concrete actions they could take to improve
security. This is an update of that list: a dozen things
you can do to improve your security.
General
Turn off the computer when you're not using it, especially
if you have an "always on" Internet connection.
Laptop security
Keep your laptop with you at all times when not at home;
treat it as you would a wallet or purse. Regularly purge
unneeded data files from your laptop. The same goes for
PDAs. People tend to store more personal data--including
passwords and PINs--on PDAs than they do on laptops.
Backups
Back up regularly. Back up to disk, tape or CD-ROM. There's
a lot you can't defend against; a recent backup will
at least let you recover from an attack. Store at least
one set of backups off-site (a safe-deposit box is a
good place) and at least one set on-site. Remember to
destroy old backups. The best way to destroy CD-Rs is
to microwave them on high for five seconds. You can also
break them in half or run them through better shredders.
Operating systems
If possible, don't use Microsoft Windows. Buy a Macintosh
or use Linux. If you must use Windows, set up Automatic
Update so that you automatically receive security patches.
And delete the files "command.com" and "cmd.exe."
Applications
Limit the number of applications on your machine. If you
don't need it, don't install it. If you no longer need
it, uninstall it. Look into one of the free office suites
as an alternative to Microsoft Office. Regularly check
for updates to the applications you use and install them.
Keeping your applications patched is important, but don't
lose sleep over it.
Browsing
Don't use Microsoft Internet Explorer, period. Limit use
of cookies and applets to those few sites that provide
services you need. Set your browser to regularly delete
cookies. Don't assume a Web site is what it claims to
be, unless you've typed in the URL yourself. Make sure
the address bar shows the exact address, not a near-miss.
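The address-bar check above can be partly automated. Given a short list of hostnames the reader actually types in, the function below classifies a link's host as an exact match, a near-miss (within two character edits of a trusted host, a trusted name followed by extra labels, or a host hidden behind a `user@` prefix) or simply unknown. This is an added example, not code from the column; the trusted hostnames are constructed.

```python
"""Classify a link's hostname against a list of sites the user trusts.

Added example, not from the column. TRUSTED_HOSTS is a constructed list;
a real user would fill it with the hostnames they type in themselves.
"""
from urllib.parse import urlparse

# Constructed: hostnames the user types in by hand and has verified once.
TRUSTED_HOSTS = {"www.example-bank.com", "mail.example.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_HOSTS) -> str:
    """Return 'trusted', 'suspicious' or 'unknown' for the host in url.

    'trusted' requires an exact hostname match, matching the column's
    advice that the address bar must show the exact address.
    'suspicious' covers the common near-miss shapes: a user@ prefix that
    makes a different host look like the trusted one, a trusted name
    followed by extra labels, or a host within two edits of a trusted one.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if parsed.username is not None:
        # Anything before '@' is userinfo, not the host the browser connects to.
        return "suspicious"
    if host in trusted:
        return "trusted"
    for t in trusted:
        if host.startswith(t + "."):
            return "suspicious"          # e.g. trusted.name.evil.test
        if _edit_distance(host, t) <= 2:
            return "suspicious"          # typo or look-alike spelling
    return "unknown"


if __name__ == "__main__":
    for link in ["https://www.example-bank.com/login",
                 "https://www.exarnple-bank.com/login",
                 "http://www.example-bank.com.evil.test/",
                 "https://www.example-bank.com@evil.test/",
                 "https://www.unrelated.test/"]:
        print(f"{classify_link(link):10s} {link}")
```

The two-edit threshold is a judgement call: a larger threshold catches more look-alikes but also flags unrelated short domains, so keep the trusted list short and specific.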
Web sites
Secure Sockets Layer (SSL) encryption does not provide
any assurance that the vendor is trustworthy or that
its database of customer information is secure.
Think before you do business with a Web site. Limit the
financial and personal data you send to Web sites--don't
give out information unless you see a value to you. If
you don't want to give out personal information, lie. Opt out
of marketing notices. If the Web site gives you the option
of not storing your information for later use, take it.
Use a credit card for online purchases, not a debit card.
Passwords
You can't memorize good enough passwords any more, so don't
bother. For high-security Web sites such as banks, create
long random passwords and write them down. Guard them
as you would your cash; store them in your wallet, for
instance.
Never
reuse a password for something you care about. (It's fine
to have a single password for low-security sites, such as
for newspaper archive access.) Assume that all PINs can be
easily broken and plan accordingly.
Never type a password you care about, such as for a bank
account, into a non-SSL encrypted page. If your bank makes
it possible to do that, complain to them. When they tell
you that it is OK, don't believe them; they're wrong.
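The "long random passwords" advice above is easy to follow with the operating system's random number generator. The added example below (not from the column) generates a random password of a chosen length, a passphrase from a word list, and reports how many bits of entropy each has, so the reader can see why length matters more than cleverness. The word list is a constructed stand-in for a real one.

```python
"""Generate long random passwords and passphrases and measure their entropy.

Added example, not from the column. WORDS is a constructed eight-word list;
a real passphrase word list (such as Diceware) has thousands of entries.
"""
import math
import secrets
import string

# 62 symbols: upper- and lower-case letters plus digits.
ALPHABET = string.ascii_letters + string.digits

# Constructed word list, far too small for real use; shown for the mechanics.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor"]


def entropy_bits(length: int, symbol_count: int) -> float:
    """Entropy of a uniformly random string: length * log2(number of symbols)."""
    return length * math.log2(symbol_count)


def length_for_bits(target_bits: float, symbol_count: int) -> int:
    """Smallest length whose entropy reaches target_bits with this alphabet."""
    return math.ceil(target_bits / math.log2(symbol_count))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password drawn from the OS CSPRNG via secrets.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 6, words=WORDS) -> str:
    """Random passphrase: each word chosen independently and uniformly."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"{pw}  ({entropy_bits(20, len(ALPHABET)):.1f} bits)")
    phrase = generate_passphrase(6)
    print(f"{phrase}  ({entropy_bits(6, len(WORDS)):.1f} bits with this tiny list)")
    print("length needed for 128 bits from the 62-symbol alphabet:",
          length_for_bits(128, len(ALPHABET)))
    print("words needed for 80 bits from a 7776-word list:",
          length_for_bits(80, 7776))
```

The entropy figure assumes every symbol or word is chosen uniformly and independently, which is exactly what `secrets.choice` gives; a password the user composes by hand does not get this guarantee, which is the column's point.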
E-mail
Turn off HTML e-mail. Don't automatically assume that any
e-mail is from the "From" address.
Delete spam without reading it. Don't open messages with
file attachments, unless you know what they contain; immediately
delete them. Don't open cartoons, videos and similar "good
for a laugh" files forwarded by your well-meaning friends;
again, immediately delete them.
Never click links in e-mail unless you're sure about the
e-mail; copy and paste the link into your browser instead.
Don't use Outlook or Outlook Express. If you must use Microsoft
Office, enable macro virus protection; in Office 2000,
turn the security level to "high" and don't trust any received
files unless you have to. If you're using Windows, turn
off the "hide file extensions for known file types" option;
it lets Trojan horses masquerade as other types of files.
Uninstall the Windows Scripting Host if you can get along
without it. If you can't, at least change your file associations,
so that script files aren't automatically sent to the Scripting
Host if you double-click them.
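The "hide file extensions" point above is worth seeing concretely. The added example below (not from the column) shows what a file name looks like once the last known extension is hidden, and gives a checker that flags attachment names whose real extension is one Windows or the Scripting Host would execute, especially when an innocuous-looking extension sits in front of it. The extension sets are constructed and not exhaustive.

```python
"""Show how hidden extensions disguise file types, and flag such attachment names.

Added example, not from the column. The extension sets are constructed
and deliberately short; a deployment would use a fuller list.
"""
import os

# Constructed: extensions that run when double-clicked (including the
# script types the column says the Windows Scripting Host handles).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Constructed: extensions that look harmless when shown as the "real" type.
INNOCUOUS_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf",
                  ".doc", ".mpg", ".avi"}


def shown_name(filename: str, hide_known: bool = True) -> str:
    """Name as displayed when 'hide extensions for known file types' is on.

    Only the last extension is hidden, so 'funny.jpg.exe' shows as 'funny.jpg'.
    """
    root, ext = os.path.splitext(filename)
    return root if hide_known and ext else filename


def attachment_verdict(filename: str) -> str:
    """Return 'masquerade', 'executable' or 'ok' for an attachment name.

    'masquerade': executable extension preceded by an innocuous one
                  (padding spaces between them are ignored).
    'executable': executable extension with no disguise.
    'ok':         anything else (still subject to the column's advice).
    """
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    inner_ext = os.path.splitext(root.rstrip())[1]
    if inner_ext in INNOCUOUS_EXTS:
        return "masquerade"
    return "executable"


if __name__ == "__main__":
    for f in ["Funny.jpg.exe", "photo.jpg      .scr", "setup.exe", "readme.txt"]:
        print(f"{f!r:28} shown as {shown_name(f)!r:18} -> {attachment_verdict(f)}")
```

With the hide-extensions option turned off, as the column recommends, the full name is displayed and the second column of the demo would simply repeat the first.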
Antivirus and anti-spyware software
Use it--either a combined program or two separate programs.
Download and install the updates, at least weekly and
whenever you read about a new virus in the news. Some antivirus
products automatically check for updates. Enable that
feature and set it to "daily."
Firewall
Spend $50 for a Network Address Translator firewall device;
it's likely to be good enough in default mode. On your
laptop, use personal firewall software. If you can, hide
your IP address. There's no reason to allow any incoming
connections from anybody.
Encryption
Install an e-mail and file encryptor (like PGP). Encrypting
all your e-mail or your entire hard drive is unrealistic,
but some mail is too sensitive to send in the clear.
Similarly, some files on your hard drive are too sensitive
to leave unencrypted.
None
of the measures I've described are foolproof. If the secret
police wants to target your data or your communications, no
countermeasure on this list will stop them. But these precautions
are all good network-hygiene measures, and they'll make you
a more difficult target than the computer next door. And even
if you only follow a few basic measures, you're unlikely to
have any problems.
I'm stuck using Microsoft Windows and Office, but I use
Opera for Web browsing and Eudora for e-mail. I use Windows
Update to automatically get patches and install other patches
when I hear about them. My antivirus software updates itself
regularly. I keep my computer relatively clean and delete
applications that I don't need. I'm diligent about backing
up my data and about storing data files that are no longer
needed offline.
I'm suspicious to the point of near-paranoia about e-mail
attachments and Web sites. I delete cookies and spyware.
I watch URLs to make sure I know where I am, and I don't
trust unsolicited e-mails. I don't care about low-security
passwords, but try to have good passwords for accounts
that involve money. I still don't do Internet banking. I
have my firewall set to deny all incoming connections. And
I turn my computer off when I'm not using it.
That's basically it. Really, it's not that hard. The hardest
part is developing an intuition about e-mail and Web sites.
But that just takes experience.
Biography
Bruce Schneier is one of the world's foremost security
experts. His latest book is "Beyond Fear: Thinking Sensibly
About Security in an Uncertain World."