Update Your Browser
Running a malicious file is no longer a cybercriminal's only invitation to access your PC. Visiting a compromised site is now enough to contract a case of unwanted software.
The primary way to stop those "drive-by downloads" is to keep your browser patched against the latest threats. Not all browsers are created equal either. In a hacking contest known as Pwn2Own in March, contestants were able to compromise Apple's Safari browser in just minutes, while no one managed to exploit Google's Chrome browser, even after several days.
Update Your Browser's Plug-ins
Just as important as keeping your browser immunized is updating the programs that run within the browser, plug-ins like Adobe Flash, Apple Quicktime or Microsoft's ActiveX. Vulnerabilities in those programs can offer a path from the Web to your PC's vitals just as quickly as flaws in your browser. In fact, cybercriminals often set b00by-trapped sites to try exploits using vulnerabilities in several different programs in the hopes one will work. Last year, four out of five Web attacks used vulnerabilities in Microsoft's ActiveX, according to the count of IBM's Internet Security Systems.
Don't Trust Your Friends
In April several worms ripped through Twitter and spread from one account to another, sending messages seemingly authored by users' friends. So far, those contagions have been mere experiments by young hackers trying to embarrass the site's administrators. But true cybercriminal worms are no doubt in the works. Given that spammers and cybercriminals have compromised Facebook and MySpace just as often, users should remember that generic messages from "friends" might not be as friendly as they seem.
Check Your DNS
The Domain Name System acts as the Web's directory assistance, converting names of Web sites into the IP addresses where they're hosted. But in August of last year, cybersecurity researcher Dan Kaminsky showed how that address system can be easily hacked to send users to look-a-like sites bent on stealing financial information or installing malicious software. According to a Georgia Tech study in February, one in five DNS servers still haven't been patched against that flaw. You can check your broadband provider's DNS at Doxpara.com. If it's still unpatched, switch to a custom, free DNS service like OpenDNS.
Check Sites' SSL Certification
That "padlock" icon on your browser doesn't mean as much as it used to. For the past several years, hackers have been coming up with various tricks for spoofing Secure Socket Layer certification, the system that assures users that secure sites are secure by displaying that icon. In February, hacker Moxie Marlinspike showed off a tool called SSLstrip that can be used to invisibly substitute an insecure site for a secure one, potentially stealing credit card information or passwords. But no hacker has successfully spoofed another symbol of a site's security: A site's address bar glows green to indicate it's safe. Look for that symbol before entering critical info online
Block Ads
Digital ads, like the rest of the Web, are becoming more dynamic and gaining access to more of your PC's resources than ever. In other words, even if the site you're visiting isn't secretly planting malicious software on your machine, its ads might be. The safest way to protect against that threat is to simply block those banners and pop-ups. Firefox plug-ins like Ad Block Plus do the trick. Another, more pleasant option is Add-Art, which replaces ads with works from featured artists--both prettier and safer than the average banner ad.
Block Scripts
One of the most common avenues for exploitation on the Web are scripts, programs that run automatically on Web pages through plug-ins. Many cybersecurity researchers recommend turning off javascript, for instance, to prevent those programs from grabbing your PC. But a defter tool might be Firefox's No-script plug-in, which allows you to choose which sites should and shouldn't be allowed to run scripts when you visit them.
Maintain Your Antivirus Software
If a malicious file manages to bypass all your other safeguards and install itself on your computer, antivirus protection may be your last line of defense. Keep it updated to filter out the latest round of files identified as unsavory. Better yet, use an antivirus program that uses behavioral filtering rather than mere signature-based filtering, an advance in AV systems designed to identify malicious software based not on whether it resembles known culprits, but on how it acts, a technique that theoretically should more effectively catch new strains. In the most recent proactive filtering trials run by the German firm AV-Test, antivirus programs built by ESET and F-Secure scored highest.
Use Two Browsers
Some Web attacks, such as Cross Site Scripting and Cross Site Request Forgery, are designed to steal "cookies," the tracking files downloaded to your browser by the sites you visit. Those tricks can give cybercriminals access to every site you've recently surfed with the same browser. The solution? Use two browsers. One program can be used for everyday, insecure browsing, while the other is reserved for banking and e-commerce. If that trick sounds like more trouble than it's worth, remember: One Web user's paranoia is another's common sense.
Assume Your Webmail Is Insecure
Another rule that falls in the "possibly paranoid" category: Avoid using Web-based e-mail services to send or store any important data. Jeremiah Grossman, a Web security researcher with the firm Whitehat Security, cautions that every Webmail service, including Yahoo! Mail and Gmail, is subject to occasional security lapses that can jeopardize users' data. At the very least, they can always be subpoenaed by the government--sometimes with no notice given to the user whatsoever.
0 comments:
Post a Comment