Keeping Safe Online
Last week, the New York Times (via Yahoo) posted an article
on five ways to keep safe online. They have blurbs and excerpts on each one,
but here they are with my summaries.
Use a secure browser. The article suggests that because
Internet Explorer and Firefox are the most popular browsers, they are the most
targeted. That’s true, and they go on to suggest that you should use the most
recent version and install security updates. Again these are both good pieces
of advice.The NYT then says it can help to use a more obscure browser
like Google Chrome. Because it’s not as popular, it’s not as targeted. That’s
essentially security by obscurity and the theory is that since it is not used as
often, it is not worthwhile being targeted by malicious actors. There’s some
truth to that, but psychologically if you think that nobody is going to target
you and therefore you don’t need to take security precautions (cough, Mac users,
cough), you could end up being even more vulnerable. The reason is that having
no coverage at all means that the most glaring security exploits go unchecked by
you and eventually, you get hit simply due to the prolific nature of malware on
the web.Get Adobe updates. Adobe’s software has suffered in recent
years with a perception for being insecure. Given that Adobe Acrobat has as
wide a footprint on users’ computers as Microsoft’s Windows, and that’s a large
user base for malicious actors to target (Flash is also quite ubiquitous –
except on iPhones and iPads – and it runs in browsers, see point
1).Luckily, Adobe has adopted a security model similar to Microsoft’s in
that they have a predictable patch schedule. So long as you agree to install
the updates when it is finished downloading (and you should), these auto-updates
lower your risk.Be careful of malicious ads. When you do search results on
a search engine like Bing or Google, sometimes, the ads on the side are
malicious. For example, if you search for “antivirus software”, sometimes the
paid search results look like anti-virus programs but are actually malicious
software (malware) that actually do nothing for you except flip your computer
into a botnet or steal personal information.It’s a little unfair to
expect the end user to beware of malicious ads on search engines; a good portion
of the user base doesn’t understand how to recognize them. My own perspective
is that Google and Microsoft should be aggressively hunting these things down
and removing them as quickly as they can detect them. The NYT does advise users
to run Microsoft’s MSRT tool, so that’s a good thing.Beware poisoned search results. This is similar to the
above where a spammer or malware author will do black search engine optimization
to get their pages to the top of a search list (such as exploiting the top
search terms of the day). Most browsers today have URL filters built into them
that update frequently that are able to scan the link that the user browses to
and indicates that the site is malicious.My perspective here is similar
to the above. Internet browser maintainers need to partner with URL reputation
organizations to protect their end users.Be careful who your friends are. While the NYT article
says to beware all social media sites and calls out Twitter, they specifically
allude to Facebook and advise you to only friend someone whom you know. The
reason is that some malicious actors will use Facebook to gain your trust and
blindly add them to your friends list where they can either access your data, or
get you to install applications that steal data from you.Facebook is an
interesting case study because it does so much, but is also attracting the ire
of legislators. I don’t think that Facebook was prepared for its rapid growth
in popularity and is dealing with the growing pains.