Home Computer Security

How PC users can avoid the risks of losing money, time, or reputation.

When you connect your PC to the Internet, you are opening a door which can be exploited by unscrupulous people. The November 2004 government and private sector initiative www.MakeITSecure.ie was set up to make people aware of the risks.

Be aware of these danger signs

Does your internet browser start up with a different home page than your normal one?

Do you see an increase in advertising pop-ups?

Does your computer seem much slower or prone to crashing than before? (Admittedly this can be due to many causes, not all of them malicious!)

If you call up a list of running tasks (right-click an empty space on the taskbar, and then click Task Manager) have new tasks appeared that you do not recognise?  

Seven Steps to Safety

These tips are intended for home users. If you are working from home ask your company system administrator to check whether the vendor of the security products at work offers free home use of their product.  However excellent commercial PC security software is, and I use it myself in my business, a common problem is that too often home users don't renew it once their initial license expires. They have forgotten what it is to be unprotected, and foolishly hope that a one-off purchase will secure them indefinitely.

The purpose of this article is to give you a list of programs that are free for non-commercial use, and say why each is necessary. The reason they are free is that they provide just one feature, and the vendor hopes you will upgrade to the full product. Sometimes two products can interfere with each other. You can decide for yourself if the price of the software is worth the ease of having a "one-stop-shop".

What these programs cannot do is protect you from the consequences of naïve behaviour, so exercise caution when you don't really know who you are dealing with.

There is not room here to discuss detailed setup instructions. You should follow those given on each of the web pages shown below.

1. Ensure your Operating System is up to date and safely configured

• Windows 2000, XP or ME can be set to download security updates automatically and prompt you for permission to install them.

http://windowsupdate.microsoft.com/

• Other operating systems such as Linux and Mac pose less of a target for attack.
• Microsoft's XP Service Patch 2 can conflict with other firewalls, so follow their instructions for ensuring that only one firewall is active.
• In Windows, be sure to show file extensions so you can recognise when a .exe (program) file is hiding as a .txt (text) file. Use Tools, Folder Options, View, uncheck "hide extensions for known file types".
• Make sure the security settings on your Web browser are at medium or high. If you are using Internet Explorer this can be done by going to Tools>Internet Options>Privacy.
• Consider using a more secure browser such as Firefox or Opera. A possible downside is that unfortunately some web sites, even banks and government sites where you would expect an accessible design, may have features that only work in Microsoft Internet Explorer.

2. Check your system for viruses

A virus is so called because it reproduces itself by using the facilities of the host PC to copy itself to removable media and attach itself to emails, without your knowledge. There are variants which may be technically characterised as worms or Trojans, but you don't want any of these. Most commonly you get one by opening an email attachment or copying (from deceptive software on the Internet or a bootleg CD) a program containing the virus, on to an unprotected PC. They take over the compromised PC and either trash your data or use your PC like a zombie to send hundreds or thousands of emails containing copies of itself, and/or spam, maybe with copies of your confidential data, to everybody in your address book.

There are many virus checking services offered free by the various Anti Virus vendors, such as House Call from Trend Micro:

http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php

These checks are only effective during the time that they are run and do not provide continued protection afterwards.  You will need to install an Anti-Virus package for continuous protection. It is very important that it is updated regularly, ideally every day.   I use AVG version 7:

http://free.grisoft.com/freeweb.php

Another free offering is from Avast

http://www.avast.com/eng/free_virus_protectio.html

3. Install a Firewall

A personal firewall blocks unauthorised network connections from either entering or leaving the computer. This helps protect you either from malware entering your PC, or using it to attack others. I use ZoneAlarm:

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Prevx is an alternative:

http://www1.prevx.com/prevxhome.asp

Windows XP Service Pack 2 includes a personal firewall. It's somewhat irritatingly obtrusive, but if you don't use another firewall, it's a lot better than being like "Oh, hi, you're the new burglar, come on in, here's the keys…"

When you DO install a firewall, you will quickly learn to turn off automatic alerts of attempted intrusions. It is common to find the first probes arriving within minutes of connecting to the internet. That shows you how open you were before installing the firewall!

4. Protect your child's surfing

If you have children you will understand the concerns over unrestricted Internet access. A "Net Nanny" restricts access to certain pages with explicit content, which may also offend charities and the elderly. Businesses will of course want to restrict employee access to non-work-related web sites. Quite apart from the time wasting involved, it may stimulate behaviour that results in harassment lawsuits. We-Blocker is a free tool that doesn't base its restrictions solely on keywords. 

http://weblocker.fameleads.com/

5. Block SpyWare and Identity Theft

"Spyware" is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, it gathers information such as email addresses, passwords, phone numbers, and credit card numbers, and relays it to advertisers or other interested parties. It is not to be confused with "Cookies" which are small files that contain a record of the last time you visited a web site; many ecommerce sites require their use to recognise returning visitors.

Ad-aware is a free product that will search for Spyware and report items found.

http://www.lavasoftusa.com/software/adaware/

'Hijack This!' is somewhat techy but if you know how to use Task Manager you should be able to cope. It shows you what programs are launched automatically on startup and you can mark them to identify new arrivals:

http://tomcoyote.com/hjt/

6. Practice safe computing

• Make sure that if you’re sending sensitive personal information that your connection is secure; a closed padlock item appears on the status bar and the address will start with https:// rather than http://
• Use passwords to protect access to your PC and do change them regularly.
• Make and check frequent back-up copies of your data and store in a safe place.
• DON’T open e-mail attachments if you don't know what's in the attachment.
• If someone tells you that you have sent them a virus or spam, by all means check, but be aware that many virus or spam programs fake their source email addresses by using addresses they have obtained elsewhere, perhaps making some variations on the spelling.
• If a website asks you to download a special viewer or dialler to access the site’s contents, it may be a Modem Hijack. This program then disconnects your existing Internet session and reconnects using the International or premium rate telephone numbers, adding hugely expensive long distance charges on your phone bill. Always check your itemised telephone bill.

7. Be vigilant to protect your privacy

• Identity theft can ruin your credit rating and take months of effort to recover from. Exercise caution in your business affairs.
• If you receive an email allegedly from your bank, or Ebay, PayPal, FedEx, etc, asking you to verify your credit card data, it is almost certainly a scam, called "phishing".  Sometimes it is inexpertly done and the web site address is not the real address but some variation on it. For example, ebay-accounts.com rather than ebay.com; or yourbankname.kr rather than yourbankname.ie. Report such attempts to the financial institution involved.
• Actually read the privacy policy and terms and conditions of a site before you give them personal data. Look for the check box that sometimes says "Allow third parties to send me emails" and sometimes "I do not want my address given away". Legitimate companies will allow you to unsubscribe from an e-mail list by replying with 'remove'. Best practice is not to send unsolicited commercial email at all. But never reply to spammers, as your reply verifies that they have found a valid e-mail address, and you’ll be on their list and everyone else's that they can sell that verified address to.
• If you are plagued by spam, change your email address and in future be more careful about how you give it out to people. Do not post it on public forums, newsgroups, chat rooms, web directories, or mail lists.
• Use an ISP (Internet Service Provider) who provides spam and virus filtering. Some Irish email hosting companies include it as part of their standard package, some charge for it; shop around. MakeITSecure.ie has an ad on every page for Eircom's spam blocker which costs 2 euro per month (although the link to the service did not show the cost).  A system of paying small amounts on the phone bill is less likely to be cancelled.
• If you read of an offer that is too good to be true, you should know what that means, like those scams that offer you shares in the millions salted away by African despots. Or if you're an artist and you receive a request to send goods abroad in exchange for a "guaranteed" bank draft that later bounces. More contemptible are the begging chain letters that purport to come from sufferers, which touch the hearts of good people and open their wallets to thieves.

The next step: get certified!

NetAssure.ie from ICS-SKILLS is a stand-alone, to-the-point training course that focuses on the key aspects of PC security and safe computing. NetAssure equips PC users with the knowhow to choose and operate the right security methods and tools in today's world of malware, spyware and spam. Successful completion of the course leads to the award of the NetAssure Certificate – a qualification valued both by individual recipients and the organisations for which they work. NetAssure requires only a basic level of PC and Internet knowledge that is similar in standard to that certified by the EqualSkills programme.

You can take a sample test on their website and see how you do:

Acknowledgements

Thanks to Andy Cuff for his list of free software for home use at

http://securitywizardry.com/homeuse.htm

The Author

Patrick O'Beirne, B.Sc., M.A., FICS is a computer consultant living in Tara Hill, Gorey. He is currently working on a book on how to develop high-quality spreadsheets, aimed at the ECDL market. Website: Systems Modelling Ltd: http://www.sysmod.com

This article first appeared in the Christmas 2004 issue of Gorey Link magazine