The same Internet connection that lets you reach out and touch millions of Web servers, e-mail addresses, and other digital entities across the globe also endangers your PC and the information it contains about you. Here’s how to stymie the three gravest Internet risks.
Threat #1: IE
Internet Explorer heads the list of top Internet security attack targets in the most recent joint report of the FBI and security organization SANS Institute . One reason: As the most widely used browser, IE provides the biggest payoff for malicious hackers who set out to exploit its flaws.
The biggest problem with IE is its reliance on Microsoft’s ActiveX technology, which allows Web sites to run executable programs on your PC via your browser. Security patches and upgrades, including Windows XP’s Service Pack 2 and the recently released IE 7, make ActiveX safer, but the inevitable flaws that allow malware to circumvent those security measures — combined with the reality that we computer users are often a credulous lot — make ActiveX a risk not worth taking. Happily, with very few exceptions (such as Microsoft’s Windows Update site), you can browse the Internet effectively without ActiveX.
To disable ActiveX in IE 6 and 7, choose Tools, Internet Options, Security, Custom Level, scroll to ‘Run ActiveX controls and plug-ins’, and select Disable (see Figure 1 ). Click OK, Yes, and OK to close the dialog boxes. To enable ActiveX on a known and trusted site, click Tools, Internet Options, Security, choose Trusted Sites, click Sites, enter the site address in the text box, and click Add. Uncheck Require server verification (https:) for all sites in this zone, and click Close and OK.
If you leave ActiveX enabled, you may quickly encounter malware-harboring sites and e-mail attachments that ask you to let them install their ActiveX controls on your system. Unless you’re 100 percent certain that the control is safe and legitimate, don’t allow it.
Regardless of which browser is set as the default on your system, always keep Windows (and IE) updated to minimize your risk. To keep Windows XP up-to-date, visit update.microsoft.com (you’ll have to use Internet Explorer) and install Service Pack 2, if you haven’t already. Next, choose Start, Control Panel, System, and click the Automatic Updates tab. Select Automatic (recommended) If you trust Microsoft implicitly, Download updates for me, but let me choose when to install them if you trust the company a little bit, or Notify me but don’t automatically download or install them to play it safest. (Click ” Don’t Let a Windows Update Bring You Down ” for more on Windows updates.) Whichever option you choose, click OK to download and install the most recent security patches. If you stick with IE, upgrade to version 7, which improves ActiveX security. Still, the best way to reduce your PC’s vulnerability to ActiveX exploits is to download and install another browser, and set it as your default browser. Mozilla’s Firefox is the most popular IE alternative. Unfortunately, Firefox’s growing popularity has enticed malware authors to exploit its own flaws. While no software is perfectly secure, many experts (including me) think the Opera browser is safer than either IE or Firefox.
Threat #2: Phishing and identity theft
You’ve probably seen your share of phishing attacks, which look like communications from your bank, PayPal, eBay, or another online account. The message may ask you to click a link that leads to a bogus Web page, complete with realistic user-name and password log-in fields, or it might ask for a credit-card number. The fake address often resembles the real institution’s URL — ‘citibank.fakesite.com’ in place of ‘citibank.com’, for example. The phisher’s site and e-mail message may even load images from your bank, or have links to the institution’s own Web site.
When you take the bait, the phisher harvests your data, and either sells it to someone else, or uses it to drain your account right away. A variant called spear phishing identifies you by name in the lure message or Web site, making the sham even harder to spot. Typo-squatting is a related trick in which phishers set up a fake site at an address slightly different from the real one (‘www.amazom.com’ instead of ‘www.amazon.com’, for example) in hopes that fast-typing customers will land there and not notice their typo.
You may have read that your bank will never send you an e-mail asking you to log in to your account, and it shouldn’t, though it does happen on occasion. The vast majority of messages that appear to come from financial institutions are phishing attacks, so assume that such messages are bogus and avoid opening them at all, let alone clicking any links they contain. If you are concerned that the bank or other service is really trying to notify you of a problem with your account, open your browser manually and log in to the site directly, or better yet, pick up the phone and call a customer service agent (if you can find one via the bank’s automated phone system).
The place you’re most likely to notice that your credit card or bank account has been compromised by a phishing attack or identity theft is on the statement you receive from them via mail. Check it carefully for unauthorized charges, and report any to the institution immediately.
Both IE 7 and Firefox 2 include new antiphishing settings that can compare links to databases of known phishing sites before displaying the page. (As we went to press, Opera planned to include a similar feature in the Opera 9.1 browser.) IE 7 asks you a couple of times if you’d like to enable its phishing filter during installation; say yes. To enable this feature, choose Tools, Phishing Filter, Turn On Automatic Website Checking, and click OK.
Firefox 2’s phishing filter is enabled by default, but it uses a static downloaded list of known phishing sites. To query Google’s more up-to-date Phishing Protection service instead, choose Tools, Options, Security and select Check by asking Google about each site I visit (see Figure 2 ). Note that you’ll have to accept the service’s licensing agreement.
Many firewalls and other security programs include identity-protection features that scan the stream of data leaving your PC for sensitive information, such as passwords or social security and credit card numbers, and then block the unauthorized transfers. For more information on these products, see ” All-in-One Security .”
Resist the temptation to post personal information on your Web page, blog, or social site (Facebook/MySpace) account. Identity thieves, spammers, and online predators are always on the lookout for such data. Browse to ” Safeguard Your Reputation While Socially Networking ” for an explanation of the risks to both adults and children, and for tips on what you can do to avoid the dangers.
Threat #3: Malware
Every day, virus, spyware, and adware creators come up with new, ingenious ways to gain access to your PC. These steps will help keep you safe:
Think before you click: Attached files that end with .exe, .com, .bat, and .scr, as well as scriptable document files, including .doc and .xls, can infect your PC with a single click. Many e-mail programs block access to executable-file attachments.
Use a spam filter: Though some malware makes its way onto your computer via drive-by browser hijacking (see ” Threat #1 “), e-mail is its other main source. Install a junk-mail filter to reduce your chances of activating malicious scripts embedded in messages.
Update your antivir