Internet Security: Chapter 1

Well, I promised a post on Privacy and Security online, and it’s been long in coming. I’ll admit that’s because for all that I’d love to waffle on ad infinitum, I haven’t done enough research to know that everything I’m saying is up-to-date.

So, to strike a nice middle ground I’ll split the post instead. In this installment, rather than offering “active” advice (such as what to install and how to browse), I’ll offer the groundwork and the basics of how to “passively” be more secure online and how to preserve your security.

Later posts will advise on everything from which computer and Operating System to use (not necessarily what you expect, especially from me!), to which software, to how to configure your browser and settings to preserve your identity and security.

Internet Common Sense

This might be old news to those old hands of the Internet, but the best way to stay safe and secure is to just know where the threats are. You can divvy them up nicely for ease of understanding:

  1. Those that are sent to you,
  2. Those you come across, and
  3. Those you encounter entirely by chance.

The first are almost always email scams or viruses, the second are usually viruses or spyware you encounter while browsing, and the last are viruses you get due to using Windows or Outlook, or having a friend’s infected pen-drive in your computer (laugh away, it’s a real problem).

Email Threats: Phishing

The most common form of scam on the internet is called “Phishing”, and attempts to gain access to email accounts, bank accounts, eBay accounts etc. by posing as the service in question and stealing your account details. The way this works varies; at its simplest, a phishing scam is done entirely by email. A supposed customer care person either requests or demands your username and password, alleging that it’s needed to prevent your account being frozen or to prevent fraud. When you provide the details as requested, the scammer logs into and takes control of your account, possibly stealing a lot of money in the process or using you as a springboard to scam your friends.

This can be a little more sophisticated, however; phishers and scammers often use their own websites to copy the login page of your bank, and refer you there. So, you’ll see what seems to be a link to your bank but in fact you are directed to their own site, where your login details are recorded as you try to log in. In fact, the clever ones will refer you then to your real bank and help log you in, so you don’t suspect you’ve been scammed.

The best way to avoid being caught by a scam like this is to bear in mind one simple fact: nobody will ever, ever ask for your password by email. Part of this is just common sense; they have your password already on their server so why ask? The other part is security, as emails are not usually encrypted in any way while being sent, so anybody with the right know-how might intercept your emails and get your passwords (I’ll deal with email encryption later; it’s quite easy with Gmail).

Additionally, never ever log in from links provided in an email, even if it’s almost certainly the real deal. Because of the risk that the emails are falsely labelled (this is sometimes called “spoofing”, and refers to a very wide swath of false information attacks against computers and internet browsers), you can never truly trust an email link. So, if eBay contacts you with some jibber-jabber about your account, log in from the web interface at http://www.ebay.co.uk and NOT from the email.

Email Threats: 419 Scams

Phishing might be the most common attack, but one of the most dangerous is the 419 scam. This is the classic “Nigerian Bank Manager/Exiled Royalty” scam, where someone offers you a bucketload of money if you help conceal or launder it. Part of the problem with this scam is that people don’t fully understand how it works, and the other half of the problem is pure human psychology.

The common misconception is that the scammer will try to get your bank details and rip you off that way, but in fact that’s rarely how they get your money. The 419 is a scam of escalating payments. The scammer will promise you the moon and apparently come close to providing you with some sort of starting payment, but then a snag hits; an official needs bribing, perhaps. Or maybe the scammer claims he needs a passport registered so he can send you the money. So, if you provide a small bit of money, say €50, then he can release the funds of €60B right away. But oh, after you send that money by Western Union (which isn’t traceable or refundable), something else happens. With just a little more money, your investment will pay off! Promise! This time it’s €120!

This carries on, the payments getting larger and larger. And it works, because there’s a little malign circuit in the human brain that demands a payback on an investment; the same circuit that I’m certain makes MMORPGs more successful than their gameplay alone should account for because of the payment schemes. Once someone has paid a little money to the scammer, it becomes reasonable to pay a little more to at least get the first investment back. After a few more payments, the person starts to need the money to pay back all he has sent over already.

Of course nobody ever gets the money, and the transactions often occur privately (the scammers always demand secrecy). People are ripped off thousands of Euro over these scams. But, it’d be unfair to make it seem like all of these scams involve money; the 419 scam can be anything, and although the prevailing sort might seem petty or greedy (so victims get less recognition), there are those that seem really charitable too; the funds might need releasing in order to pay a charity organisation and only you can help, for example. I read about one where some puppies were being offered for free to a good owner, but if not taken they would be destroyed. The poor victim was charged for vet fees in order to get an expensive animal transfer license, etc etc, only to find a few hundred dollars later that there were never any poor puppies in the first place.

It’s natural that when you’re offered a load of money for free, you start salivating. Money can be used for anything, and we all want something, whether for our own good or someone else’s. So it’s easy to fall for this sort of thing when it’s framed cleverly, but don’t be fooled. Especially on the internet, you will never get something for nothing. Ignore 419 emails, except where they are a source of amusement.

Another basic way to avoid scamming? Don’t let them even send you the first page of their scam-plan. Don’t post your email anywhere public online, or the scammers and spammers will get it and fill your inbox with rubbish. If you have to provide an email for a website you don’t trust, have a “throwaway” email account for just that purpose which you only use for probable spammers. If you keep your personal email between you and your friends/family/coworkers, you’ll get far less spam and scams.

Things You Catch: Viruses

This may sound controversial, but I don’t believe in antivirus software. I find that the amount of time the software takes out of your life due to slowing down your computer, asking loads of questions, corrupting installations, and barring some normal internet activities is actually greater than a virus would ever inflict.

My philosophy, with which you’re welcome to differ, is that it’s a much better idea to simply avoid viruses, which isn’t as hard as it sounds, and to have a regular backup of your stuff so if you ever do get a virus, you can just reinstall your Operating System. Did that sound drastic? Sorry, but you’re only going to get a virus if you’re using Windows, and Windows is often never the same after even a single virus infection. The best way to deal with it is just to reinstall and start afresh.

How to manage this easily? Well, first we work on avoidance. Avoid viruses by never opening email attachments. Ok, sometimes you have to. So let’s tone it down. Never open an email attachment that comes in an empty or vapid email. If the email came from a friend, it could still have been sent by a virus, so unless it is clearly both from them and intended for you, don’t open it without confirming that they sent it.

Even after that, it’s often a good idea not to open it anyway. Especially if it’s a Microsoft document: Word, Excel, PowerPoint, etc.; these files are birthing pools for viruses. For these, use Gmail’s built-in reader to view them.

Other ways to pick up viruses: Browsing the wrong places. Looking up cheats for games is a common one, as the cheat websites are often riddled with malware. Others are lyrics-sites and other sites that fit that profile; you’ll notice a kind of generalised appearance between these penny-a-dozen sorts of website that are thrown together for quick profit, and it’s a good warning sign.

If you must browse these places, never download anything from them unless a more reputable site can attest to the safety of it. Never click banner ads (this is good advice for everywhere, really). Never log in or set up an account to get at something requiring one; often the item isn’t there at all, and they just want your email address and favourite password.

Of course, the best way to stop viruses is to simply be immune. No, not Antivirus. If you use any alternative to Internet Explorer, that’s a huge jump in security right away; upwards of 50% of browser-based viruses can safely be ignored. If you use Firefox and keep it updated, that’s fairly secure. Google’s new “Chrome” browser, though I haven’t used it much personally, looks to have a very secure architecture too; I suspect it’d be a great one for avoiding viruses.

Better still, why not just use a computer that can’t get viruses? Anything Unix-based is very tight against viruses. Not to say they don’t exist, but they’re so rare they are practically not a real concern. This means one of two operating systems: Macintosh and Ubuntu. The former is only easily available on a Mac computer, but if you ask me they’re always, always worth the extra money because of how well-built and perfectly integrated they are. The latter is available for free, and can be installed on any PC alongside Windows. So you can keep Windows for games, and use Linux for everything else; word processing and internet. You won’t ever suffer from virus fever again, and you’re pretty strong against direct hackers, too. Oh, and it’s hella faster than Vista.

Things You Catch: Spyware

Spyware is also a big problem nowadays. Spyware is everywhere; it’s built into Windows, practically, for Microsoft. In fact, the next version of Windows looks set to have GPS support built-in in such a way that Microsoft and anyone else will be able to track you as soon as you enable it. Many of the measures you take to protect against viruses will work against spyware too, but only the auto-install, invasive sort. The rest is stuff you install willingly.

Limewire, Kazaa, and many other download clients, possibly even including the new Azureus and certainly including the new uTorrent, all come with degrees of spyware. The former programs just totally override your systems with spyware. The latter spy on your usage, I think.

Games, too: Anything with SecuROM (Sims and Spore are good examples here), or other “Disc Protection Systems”. They do nothing to protect against Piracy (Evidenced by readily available, spyware-free torrents immediately after game release and sometimes before), and instead install as root-kits in your computer that not only spy on your actions, but act as unwitting gateways to other threats and viruses. Thanks for that, Will Wright. You wrecked Spore, and introduced spyware to my PC. Good job.

These are hard to “Passively” ignore, but a later post will include information on blocking the messages this kind of software sends to and fro. Again, if you’re using Linux and to a lesser degree Mac, you’re safe from this carry-on.

The last type of Spyware, though, affects anyone online: cookie spyware. Right now, go and download Adblock Plus for your Firefox install. It’s a one-click install that’ll not only make the internet more bearable (it automatically filters out practically every advert, once you pick a list after install; I recommend the ListeFR+Easylist combo), but allows you to block anything, not just ads, based on information in the URL it comes from. The most important thing to immediately do is go to Tools>Adblock Plus, double-click “Add Filter” and add “doubleclick.net”.

All the jazz about evil cookies online came from this one company, who abuse the incredibly handy “Cookies” system (the thing that lets you stay logged into things easily) in order to track everything you do online. By blocking them, you’re simultaneously ignoring the most annoying ads on the net, and making a huge step in protecting yourself.

While you’re at it, go to your internet settings in your browser, find the settings for “Cookies”, and disable “Third Party Cookies” if you can. They’re rarely needed, and are often used maliciously.

I know those steps don’t sound “Passive”, but once set up you can ignore them and browse more safely.

As a footnote, although there are technically lots of distinctions, Spyware = Trojans = Back-doors = Root-kits = Worms. These words all mean “Something which invades your computer and lets other people access your private data”. So I’m talking about all of them.

Things you get randomly: All of the Above

If you’re still using Windows, prepare to just get viruses no matter what precautions you take. All it takes is one friend with a virus and a USB stick; they’ve become one of the easiest ways to catch a virus offline. If you’re on a network at home, too, one infected Windows machine means many infected Windows machines.

It’s not actually random, but it’s often outside of your control. So the final precaution, which I’m sure I’ve said already, is to back up regularly. This isn’t as tedious or boring as it sounds, it’s as simple as being tidy. Just keep all your things organised in one folder, whether “My Documents” or somewhere else. Never put anything important anywhere else; have a maze of subfolders if you like as long as they’re all in one place. Keep this place away from the “Program Files” and “Windows” directories, to lower your chances that a virus decides to live in that folder randomly. Try to keep programs out of that folder.

Then, backing up your stuff is as simple as burning the folder onto a DVD/DVD9, or copying it onto a Hard Drive.

Here’s the tricky bit: if you’re backing up because you’ve got a virus, the virus will possibly just infect your USB Hard Drive or DVD. So in order to safely copy your files, it’s best to do this through Linux or with the help of a Mac friend. If you’ve got several backups, use one from a time you know you weren’t infected first, and try to recover files from between then and now using a Linux PC as an intermediary; copy the files onto the Linux PC and onto a different disc or freshly wiped USB stick, and use that.

By keeping your files and backups tidy and easy, it’ll make the inevitable decision to wipe your Windows PC much easier. Because don’t kid yourself; you will have to wipe that PC before long.

Next up: Tor, Firewalls, Encryption

The next post, which will hopefully be less lengthy, will cover active measures for protecting yourself online. I suspect it’ll be easier because it will, after all this, require less explaining.

On the agenda are Tor, a system that will protect your identity and browsing habits online; Firewalls, which though annoying can certainly help prevent spyware from doing any harm; and Encryption, which effectively (when used correctly) protects your data/emails from intrusion without your say-so.