Internet Explorer 8, Firefox 3, Google Chrome 4, Apple's Safari 4, and Opera 10 include features that block sites known to host malware and malicious downloads. All but Opera also let you browse without leaving any tracks. But just as important as these protections is ensuring that whichever browser you use is thoroughly patched.
Filtering out bad sites
Firefox's built-in antiphishing tool claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page. Firefox 3 uses Google's Safe Browsing service to automatically block sites that are known to host malware. The Google Code site describes how Safe Browsing works in Firefox.
To verify that attack-site blocking is enabled in Firefox, click Tools > Options > Security and make sure "Block reported attack sites" is checked.
Firefox will prevent known-bad sites from opening when "Block reported attack sites" is checked.
(Credit: Mozilla Foundation)
The same feature is built into Google's own Chrome browser. You can ensure that malware-site filtering is on in Chrome by clicking the wrench icon in the top-right corner, choosing Options, and selecting Under the Hood. "Enable phishing and malware filtering" should be checked. The Google Chrome Help site describes the feature. (Hint: This page looks very similar to the description on the Google Code site.)
Google's Chrome browser blocks known-bad sites when "Enable phishing and malware protection" is checked.
(Credit: Google)
The SmartScreen technology in version 8 of Internet Explorer blocks known-malicious downloads as well as bad URLs. Other new security features in IE 8 include automatic blocking of click-jacking and cross-site scripting attacks, automatic crash recovery, and highlighting of the actual domain name in the address bar. The Microsoft Security site describes the SmartScreen Filter and includes links to a SmartScreen FAQ and information for site managers.
Apple's Safari browser added phishing and malware blocking in version 3.2, which was released in late 2008; read about this and other security features in Safari 4 on the Apple Safari site. Likewise, Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version 10. But attack-site blocking is only one of Opera's many security features, which you can read about on the Opera site.
Browsing in private
To activate private browsing in Firefox 3, click Tools > Start Private Browsing, or simply press Ctrl-Shift-P. You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy and checking "Automatically start Firefox in a private browsing session." The Mozilla support site provides more information about this feature. Likewise, put IE 8 in private-browsing mode by clicking Safety > InPrivate Browsing, or by pressing Ctrl-Shift-P. You can also open a new tab and click either Browse with InPrivate or Open an InPrivate Window.
IE 8 also lets you control the information about your browsing habits that's shared with Web tracking services. To activate this feature, click Tools > InPrivate Filtering Settings and choose "Let me choose which providers receive my information." This opens the InPrivate Filtering settings dialog, where you can turn filtering off, choose which services to block from tracking you, or automatically block all trackers.
Internet Explorer 8's InPrivate Filtering lets you block some or all Web tracking services.
(Credit: Microsoft)
You can open an incognito window in Google Chrome by clicking the wrench icon in the top-right corner and choosing "New incognito window," or simply press Ctrl-Shift-N. The incognito icon (a shadow figure in a fedora and glasses) appears in the top-left corner of the browser window. The Chrome support site offers a more detailed description of this feature.
Opera lacks an equivalent private-browsing capability but does offer private searching and other identity-blocking features, as described on the Opera site. To activate private browsing in Safari, simply click Safari Settings Menu > Private Browsing.
Automatic and not-so-automatic browser updates
Patching is a way of life with nearly all software, but especially with browsers and the media players associated with them: Adobe Reader, the Flash Player, Apple's QuickTime, and Sun's Java, among others. All of a browser's security features can be rendered useless by a piece of malware that takes advantage of an unpatched hole in the program.
Firefox 3 alerts users to the presence of an update and now also notifies you when your Flash Player is out-of-date. Internet Explorer 8 updates via the Windows Update/Microsoft Update services. Google Chrome made a splash by being the first browser to update itself in the background without requiring any prompting from users. Safari updates automatically via Apple's update service, which also serves up patches automatically for QuickTime, iTunes, and other Apple software. Opera also notifies you automatically when a new version is available.
But updating is too important to leave to others. Back in April, I described Secunia's Online Software Inspector and downloadable Personal Software Inspector, which identify out-of-date programs on your PC. The programs mentioned in that post have all been updated since, but Secunia's services should point you to the most recent versions.
(Note that Secunia sometimes reports a program as being out-of-date when in fact you have the latest version. On my PC, it continually reports my up-to-date Flash Player as being in need of an update, for example. But the free service Secunia provides is worth putting up with this and similar minor annoyances.)
There's no way to reduce to zero your risk of picking up some piece of malware while browsing. You need layers of security to keep viruses, Trojans, and botnets at bay—the more layers, the safer your browsing. (Of course, the more layers, the slower your browsing, too, so don't get carried away.)
Much emphasis has been placed on the enhanced security features of the latest versions of the popular browsers. Whether one is any safer than another is anybody's guess, but no browser gives you more ways to thwart a Web-based attack than Firefox via its wealth of security add-ons.
Link checkers add warnings to search results
Search results are often difficult to trust, even when the URL looks familiar. Phishers are adept at planting dangerous links that look like harmless ones. Link checkers provide you with an indication of the trustworthiness of sites before you click their links. (Note that several of the products are available for Internet Explorer as well.)
Some of the programs, such as McAfee's SiteAdvisor, give the thumbs-up or thumbs-down based on a single company's research. Web of Trust (WOT) bases its recommendations on the collective intelligence of a network of volunteers. LinkExtend is a link-check aggregator that combines the analyses of eight different services.
McAfee SiteAdvisor adds a safety indicator to Web search results.
(Credit: McAfee)
While the recommendations of link checkers are helpful in identifying safe sites, you can't take their yeas and nays as gospel. For example, sites that offer downloads of system utilities may be flagged as dangerous because the programs require access to the operating system and thus could do major damage in the wrong hands.
Track the trackers
You know popular Web sites download software that tracks your activities on their sites, but do you know who's doing the tracking? Find out with the Ghostery add-on that pops up the names of the trackers as the page opens. The program puts a small "ghost" icon in the bottom-right corner of the Firefox window that turns orange when trackers are present. Click the link that appears to the right of the icon to find out more about the trackers and block them individually or entirely.
The Ghostery Firefox add-on lets you know who's tracking your activities on the site.
(Credit: Ghostery)
View encryption specs
When you open an encrypted Web page, a lock icon appears in the bottom-right corner of the Firefox window and the URL in the address bar begins with "https." But there's more than one form of encryption, and knowing which type and strength of encryption is in use can be handy.
The CipherFox add-on puts in the bottom-right of the Firefox status bar the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cipher and keysize currently in use. Double-clicking the entry opens the CipherFox dialog box, where you can disable RC4 encryption and display partial SSL/TLS. (Note that the developer accepts donations to support the product.)
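The same check CipherFox surfaces in the status bar can be scripted. The following is an added example, not part of the original article or of CipherFox: it takes the (cipher name, protocol, key size) tuple that Python's `ssl.SSLSocket.cipher()` returns and flags RC4 and short keys. The weak-token list beyond RC4, the 128-bit threshold, and the sample tuples are assumptions made for this example.

```python
import re
import socket
import ssl

# Tokens in a cipher-suite name that mark a weak algorithm. RC4 is the one the
# article mentions; the others are additions made for this example.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES block cipher",
    "3DES": "DES/3DES block cipher",
    "NULL": "no encryption",
    "EXP": "export-grade suite",
    "EXPORT": "export-grade suite",
    "MD5": "MD5-based MAC",
}
MIN_KEY_BITS = 128  # assumed policy threshold, not taken from the article


def assess(cipher):
    """Return a list of findings for a (name, protocol, secret_bits) tuple,
    the shape returned by ssl.SSLSocket.cipher()."""
    name, _protocol, bits = cipher
    findings = []
    # Suite names are dash- or underscore-separated; match whole tokens so
    # that, for example, "AES128" is never mistaken for "DES".
    for token in re.split(r"[-_]", name.upper()):
        reason = WEAK_TOKENS.get(token)
        if reason and reason not in findings:
            findings.append(reason)
    if bits < MIN_KEY_BITS:
        findings.append(f"key size {bits} bits is below {MIN_KEY_BITS}")
    return findings


def negotiated_cipher(host, port=443, timeout=5.0):
    """Connect to host and return the negotiated (name, protocol, bits)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


def report(cipher):
    """One status-bar style line: cipher, protocol, key size, verdict."""
    name, protocol, bits = cipher
    findings = assess(cipher)
    status = "OK" if not findings else "WEAK: " + "; ".join(findings)
    return f"{name} ({protocol}, {bits}-bit): {status}"


# Constructed sample tuples so the example runs offline.
SAMPLES = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    ("RC4-SHA", "TLSv1", 128),
    ("EXP-RC4-MD5", "SSLv3", 40),
    ("DES-CBC3-SHA", "TLSv1", 112),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(report(sample))
```

To check a live site, pass the result of `negotiated_cipher("hostname")` to `report()`; a modern Python build will refuse to negotiate RC4 at all, so weak results are most likely to come from recorded or legacy data.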
Take charge of Web password management
Firefox's built-in password manager lets you create a master password and remember passwords for specific sites, but if you want to get serious about managing your passwords, get LastPass, a password manager that provides much more granular control over your sign-ins.
After you download and install the add-on, an icon is placed in the top-right corner of the Firefox window. Click it to open the LastPass menu, which lets you manage your identities, open the LastPass Vault, jump to favorite sites, and generate secure passwords. You can also import or export sign-in IDs, compose and print secure notes, and assign keyboard shortcuts for specific actions.
In addition to Firefox and IE, LastPass is available for Google Chrome and Apple's Safari browsers. LastPass backs up your passwords by storing an encrypted copy on its own servers. And because you can access your passwords via the Internet, you can use LastPass on any Web-connected device, although use of LastPass on an iPhone or other smart phone requires a Premium membership, which costs $1 a month. (You can also put LastPass on a USB thumbdrive for use with Firefox Portable and other portable apps.)
Our family PC gets quite a workout. It's a five-year-old machine that runs Windows XP and is used primarily by my daughter and teenage grandson for instant messaging, e-mail, social networking, and downloading audio and video files. Since I rarely use the system, I didn't notice that its antivirus subscription had expired.
Which explains why I was a bit surprised when my grandson called when I was out of town to tell me that the PC was acting strangely. Ads appeared on the desktop as soon as Windows started and Firefox and other programs would occasionally close without warning or fail to open at all.
I immediately suspected a virus and instructed my grandson to perform a virus scan. Unfortunately, the machine's antivirus app had gone AWOL. I talked him through the process of using System Restore to revert the PC to an earlier time. This improved matters somewhat, but the system continued to act flaky.
When I returned from the trip, I started the troublesome machine and attempted to open the Microsoft Update site to make sure its copy of XP was up-to-date. But the malware had managed to disable several Windows services intermittently, including Services.msc, so Internet Explorer would shut down repeatedly.
At this point, I was seriously considering a hard-disk reformat and XP reinstall. I even had the XP installation CD in the drive and was ready to begin the process. But even though my daughter and grandson assured me that they had backup copies of all their personal files, I decided to try one more time to salvage the existing setup.
I'm very glad I did, because it turns out there were lots of vacation and holiday images and videos on the machine that hadn't been backed up. First, I installed a free copy of Malwarebytes' Anti-Malware antivirus program on the infected PC, updated the app's virus definitions, and ran a complete scan.
The initial Malwarebytes Anti-Malware scan detected 104 separate infected files and folders.
(Credit: Malwarebytes)
That first scan turned up a mere 104 infected files and folders. Here's a list of the nasties the machine had picked up:
• Trojan.Vundo
• Trojan.Vundo.H
• Trojan.FakeAlert
• Rogue.Installer
• Trojan.Downloader
• Trojan.Dropper
• Trojan.Agent
• Worm.KoobFace
• Rogue.AdvancedVirusRemover
• Rogue.SystemSecurity
• Adware.BHO
• Rootkit.Agent
• Spyware.Agent
• Trojan.BHO
• Hijack.LSP
• Rogue.Multiple
• Disabled.Security
After viewing the report, I rebooted the PC and ran another malware scan. This time, Malwarebytes' app found only nine infected files.
The second Malwarebytes Anti-Malware scan detected only nine infected items.
(Credit: Malwarebytes)
I rebooted once more and ran yet another scan, which indicated that the PC came up clean.
The third Malwarebytes Anti-Malware scan indicated that all viruses and other malware had been removed from the infected PC.
(Credit: Malwarebytes)
Once I was assured that the PC was malware-free, I revisited the Microsoft Update site to download and install all the XP security patches the machine required. Then I sprang for the $25 version of Anti-Malware to get the program's real-time virus scanning and automatic updates.
I knew all attempts to alter the user behavior that led to the infections would be futile, so instead, I instructed my daughter and grandson to run Malwarebytes' scanner each time they start the system and just before each shutdown. That was a little over two weeks ago, and so far, the PC remains free of infection. Still, you can bet I'll be paying much closer attention to that machine from now on.
Earlier this month, an 82-year-old man in Auburn, Calif., was scammed out of $5,200 because his Facebook profile was too forthcoming. The first thing I did after reading his tale of woe on the Auburn Journal site was to examine my own Facebook profile from a stranger's perspective.
I didn't like what I saw.
What I saw was too much, so the second thing I did was edit my Facebook profile to remove some personal information and further restrict access to it. Unfortunately, the process took longer than I expected.
A Facebook privacy makeover begins by hovering the cursor over Settings and choosing Account Settings. The Settings tab shows your name, contact e-mail address, and other basic information. The Networks, Notifications, Mobile, Language, and Payments tabs are self-explanatory, although I unchecked several of the Notifications options that were selected by default.
The real work begins when you rework Facebook's privacy settings. Hover the cursor over Settings and choose Privacy Settings to open the service's Privacy Overview. Your privacy options are presented in four categories: Profile, Search, News Feed and Wall, and Applications. You can also add someone to your Block List by entering his or her name in the text box near the bottom of the page and clicking Block.
Facebook's Privacy Settings are listed in four categories along with a tool for adding names to your Block List.
(Credit: Facebook)
Click Profile to view your personal and contact information. Your options in each category are everyone, people in your networks and friends, friends of friends, only friends, and a Customize dialog box, which provides a bit more granularity to your options. Click the Save Changes button at the bottom of the page once you've finished making your selections.
The custom options in the Facebook privacy settings let you limit access to your personal info.
(Credit: Facebook)
I reset each privacy option to Only Friends, with the exception of the Basic Info category, which is viewable by everyone. To see your profile as your friends do, enter the name of a friend in the text box at the top of this page. (You can view and edit the entries in your Basic Info by clicking Info on your profile page and choosing Edit Information.)
You might be surprised by the amount of information about you that Facebook's search function makes available. To change Facebook's search settings, click Search on the Privacy Overview page. The default option under Search Visibility is Everyone, but you can change this to Friends of Friends, Only Friends, or a custom setting for people in your networks.
I chose to show in search results only a link to send me a message. I also unchecked the option at the bottom of the screen to create a public search listing for me to submit to Web search engines. When you're done, click Save Changes.
Uncheck options on the Facebook Search Privacy page to restrict your personal information shown in search results.
(Credit: Facebook)
The default selections in Facebook's privacy settings for News Feed and Wall are similarly too open for my liking. It wasn't so much the options under Actions within Facebook, although I did uncheck several of these. The settings under Facebook Ads were a bigger concern to me.
There are two options on this page: "Allow ads on platform pages to show my information to" and "Show my social actions in Facebook Ads to." You can choose either "Only my friends" or "No one." Opting for the latter choice was a no-brainer for me.
More unpleasant surprises awaited on the Applications Privacy page. What your friends do affects how far afield your personal information travels. You can read about it under the Overview tab, which concludes by promising that Facebook won't sell your personal information and that "(y)our contact information is not exposed by the Facebook Platform."
I'm sure the Facebook Platform offers some real benefits, but until I have a better understanding of those benefits and their potential risks to my privacy, I'm opting out. To do so, choose "Do not share any information about me through the Facebook API." Take that a step further by selecting the other two options on this page, which block friends from viewing memberships in Facebook Connect sites and prevent Beacon sites from posting stories to your profile.
These days, I spend more time in Facebook than any other Web service except Gmail, and Facebook is gaining fast on that top spot. Of course, the bad guys are spending a lot more time there, too. Minimize your chances of catching their eye by lowering your profile.
One of the knocks against Google's online applications is that your personal data is stored unencrypted on the company's servers. For the many users of Google apps who are unconcerned about somebody snooping around their files, this won't matter. But those servers are no place to store sensitive personal or business information.
You can store your financial and other confidential information online for free by using a service such as Mozy or IDrive that encrypts the data on their servers, usually in a way that prevents the service's own employees from decrypting it. I looked at three services that include encrypted online storage along with other security services.
SpiderOak gives you up to 2GB of secure online storage for free but requires that you download a big client program, though you can access your data via a browser. The free storage offered by CryptoHeaven and SwissDisk tops out at 50MB, but both of these services have more to offer, and SwissDisk doesn't even require a client download.
Free encrypted storage with room to spare
Secure online storage is only one of the features of the SpiderOak service, but the site's 2GB of encrypted-file capacity is difficult to ignore. You can also sync and share folders between multiple Windows, Mac, and Linux PCs. The service is designed primarily for backup but also lets you access your online files from any Internet-connected system.
SpiderOak claims to provide fault-tolerant servers to guard against data loss and also keeps old versions of your files to assist in recovery. The service uses a combination of 2048-byte RSA and 256-bit AES encryption. It also encrypts the keys you use to access the data so the company itself can't access your data.
The SpiderOak client program lets you view and access your online files.
(Credit: SpiderOak)
The SpiderOak client program crashed when I attempted to transfer a single 1MB JPEG file. The software is a real throwback, and the reason I prefer an online service. In testing, I was prompted to download a 12MB update of the SpiderOak app. When I restarted, the program automatically updated the 257MB of data I had backed up previously.
It took more than an hour to transfer 257MB of data to the SpiderOak server. Subsequent syncs and single-file transfers went much quicker, but using the program feels like you're plodding through the settings and folder tree. If 2GB of storage space isn't enough, you can buy 100GB increments for $10 a month or $100 a year.
Secure more than files
Online file encryption is only one component of the security services CryptoHeaven offers a workgroup. You can also send and receive e-mail and IM securely by inviting people to communicate with you; for an added fee, the company will also host your domain to give your encrypted communications a personal touch.
The free service lets you store up to only 40MB, but that's expandable up to 50GB for prices starting at $7.99 a month or $66 a year for 200MB. Personal accounts come with up to five e-mail addresses, and business accounts offer up to 12 addresses.
Passwords are optional for the CryptoHeaven secure online file storage, e-mail, and IM service.
(Credit: CryptoHeaven)
After you download the 8.4MB CryptoHeaven client program, the installation routine asks whether you want to password-protect the account and use a password hint. Business plans let you create and manage accounts, including assigning passphrases and setting permissions.
The company promises that no one can access your data but you via its "AES encryption with 256-bit symmetric key as well as public-key cryptography with 2048-4096-bit keys." Sounds secure enough for my needs.
The quick-and-easy approach to secure online storage
There's something to be said for the multifunction approaches taken by such security services as SpiderOak and CryptoHeaven. But there's a time and place for specialists as well. The SwissDisk service offers 50MB of secure online storage as a "gift" but charges from $3 a month for a Mobility service to $12 a month for a personal account that includes access to your data from Windows Explorer or Mac Finder.
After you sign up for your free account, you simply log in to the SwissDisk site, browse to the files or folders you want to upload, and click Upload. My test 1MB JPEG file uploaded in about five seconds. You can download, delete, rename, or create a temporary URL for your online files. Simple and straightforward.
Storing files securely online couldn't be simpler than with the free SwissDisk service.
(Credit: SwissDisk)
The only downside of the SwissDisk service is that you have to provide a telephone number and mailing address in addition to an e-mail address to sign up for a free account. Considering that the data and transmission lines are protected by 256-bit AES encryption and the SwissDisk servers are "certified Hacker Safe," I'd say my files are safer online than they are on my own PC.
Microsoft has made great strides in educating Windows users about the need to keep their systems secure by downloading and installing the most recent updates. (I still recommend that you set Windows' Automatic Updates to download but don't install, as I described in a blog post from last July.)
The irony of the heightened awareness of Windows updates is that malware is less likely to target vulnerabilities in Windows--or other PC operating systems, for that matter. These days, most viruses and Trojans use holes in your browsers, media players, or Web applications to breach your system's security. That's why it's imperative to keep these programs up-to-date, which is a subject I covered in a post from last April.
Google pushes updates to its Chrome browser automatically--without bothering to let you know about it (the current version is 2.0.172.30). You may think I'm a hypocrite for preventing Microsoft from loading its updates automatically and applauding Google for doing the same thing with its browser. Here's the difference: if a Chrome update causes the program to malfunction, I can simply use another browser, but if a Windows update screws up, my entire system's hosed until I fix it.
If you want to use Chrome to browse without leaving any tracks on your system, press Ctrl-Shift-N to open a new browser window in Chrome's incognito mode. The sites you visit subsequently will not appear in your browser history nor will terms you search for stay in your search history. You won't pick up any new cookies, either.
You'll find plenty of add-ons in the Privacy & Security section of the Firefox Add-ons page that give Firefox a similar stealth mode. You can also choose Tools > Clear Private Data to wipe your tracks in Firefox, but this setting erases all your history in the various categories. Chrome's incognito mode lets you retain the history you want and delete the history you don't want.
Google's Chrome browser lets you surf without leaving tracks on your system via its incognito mode.
(Credit: Google)
I've been spending a lot more time browsing with Chrome lately, and not just because of its incognito mode. Chrome seems faster to me than Firefox or Internet Explorer, and I'm getting used to Chrome's streamlined interface. Firefox remains my default browser, however. The one Firefox security add-on I won't browse without is InformAction's NoScript (donationware), which lets you block JavaScript, Flash, and other scripts on a site-by-site and source-by-source basis.
The best way to enhance your privacy while using Firefox is to set the browser to delete cookies each time you close the program. To do so, click Tools > Options > Privacy, select "Always clear my private data when I close Firefox," and click OK.
Check "Always clear my private data when I close Firefox" in the browser's Privacy settings to maintain your Web privacy.
(Credit: Mozilla Foundation)
So what about Internet Explorer? IE 8 is said to be more secure than IE 7, which in turn was said to be more secure than IE 6. Two facts remain: Internet Explorer uses ActiveX, which in my opinion is inherently insecure; and IE 8's security options are way too complicated. What do those slider controls mean, really? (Press Alt, click Tools > Internet Options, and choose either the Security or Privacy tab to see what I mean.)
Bonus tip: Encrypt Gmail
I've been using Gmail as my primary e-mail service for several years, but it wasn't until a couple of months ago that I started encrypting my Gmail correspondences. (In fact, encryption wasn't available in Gmail until a couple of months ago.) To use encryption in Gmail, click Settings in the top-right corner of the main window, scroll to the bottom of the General tab, select "Always use https," and click Save Changes. Note that this setting prevents the iGoogle Gmail widget from working, but that's a small price to pay for the added security.
Web privacy resources
For more information on the privacy options in Google services, visit the Google Privacy Center. Along with an FAQ and overview, you'll find privacy videos and specific privacy options for YouTube, Orkut, Blogger, Docs, and other Google services.
The SANS Institute's Internet Storm Center offers a daily Internet threat level (green, the last time I checked) as well as information on the sources of recent Internet-based attacks and extensive links to other Internet security sources.
For a soup-to-nuts look at browser security, read the United States Computer Emergency Response Team's article Securing Your Web Browser. The information was last updated more than a year ago but remains relevant. Some of US-CERT's browser-setting recommendations are overkill for regular, everyday browsing, so take the advice with the proverbial grain of salt.
Last August, I described how to delay the messages you send from Microsoft Outlook. In that post, I bemoaned the lack of a similar feature in Gmail. Well, Google engineer Yuzo Fujishima comes to the rescue with a new tool called Undo Send, though unlike Outlook's send-delay feature, in Gmail, you have to act--or unact--fast.
To activate the feature, open Gmail, click Settings in the top-right corner, and choose the Labs tab. If you don't see a Labs tab, click more in the top-left menu, select even more, click the Labs link at the top right, and choose Gmail Labs. Scroll to Undo Send, click Enable, and select Save Changes.
This feature isn't a miracle worker; it can pull back a message only in the first 5 seconds after you click Send. Still, many an e-mail "Oops!" comes to mind in that split second after you send it.
The Undo option appears for about 5 seconds in the "Your message has been sent" message at the top of your in-box.
When you use the Undo Send option from Gmail Labs, you have about 5 seconds to retrieve a message you just sent.
(Credit: Google)
If you click Undo in time, your message is yanked from the outbound queue and you see a message informing you that the send was undone.
If your sent message was successfully retrieved, you see an alert to that effect.
(Credit: Google)
Clearly, the Gmail Undo Send feature doesn't give you anywhere near the level of control you get when delaying sent messages in Outlook, but Gmail's version is much simpler to implement.
The Send Later extension for the Mozilla Foundation's Thunderbird e-mail client provides a similar function. Unfortunately, several people report problems using Send Later with the latest version 2.0.0.21 of Thunderbird. The extension appeared to work as advertised on my Vista PC, however.
The Send Later extension for Mozilla Thunderbird lets you delay your outgoing messages by the amount of time you prefer.
(Credit: talk2sk)
If only everything we do on a computer had a "do-over" button!
The list of PC security products never ends. For every name that drops off, two more jump on. In fact, determining the best security hardware and software is a full-time job. Sometimes, you just want to throw up your hands and take your chances.
Maybe I'm just a cockeyed optimist, but I think you can stay safe without spending all your spare time doing research, installing updates, and generally becoming a PC-security expert. Here are five relatively easy ways to improve your security.
Use the firewall that's closest at hand
In the computer industry, the reputation of a product, service, or Web site is just about worthless. Yesterday's best firewall, ad blocker, spam buster, virus spotter, or spyware cleaner is today's bust.
Maybe the product got bought and the new owners aren't as conscientious about updates as the previous ones. Or the service's management team decides to go for profits and skimp on support, updates, and enhancements. There are lots of reasons why a good product goes sour, and the computer industry has seen nearly all of them.
So if you can't go by reputation, how do you choose a security product? One way is to go with the tools you've already got. Windows' security is roundly criticized, but the fact is, it's better than it used to be, and third-party security products have their own shortcomings.
Last February, I recommended that you use a third-party firewall rather than the one built into Windows. Six months earlier, I suggested that you pass on the third-party tools and stick with the Windows Firewall despite its shortcomings.
So which side of the fence am I on now? The simple side. The fact is, any third-party security tool complicates your setup. It's not difficult to find weaknesses in the Windows Firewall, but it's safe enough for most PC users, and it's much better than using no software firewall at all.
My previous post included links to information on Microsoft's TechNet site providing technical details of the Windows Firewall, tips for customizing the Windows Firewall, and help troubleshooting the firewall in XP and Vista.
Don't hesitate to try another free antivirus program
Just last week, I switched antivirus programs on my XP test system--for the umpteenth time. Something was slowing the system down, and after defragging the hard drive and doing other standard maintenance tasks, the machine's performance didn't improve as I expected it to.
Rather than go through a bunch of diagnostic tests, I simply uninstalled the system's antivirus tool and downloaded a competing package. The old and new programs were both free, and the switch didn't take much time to complete. The topper? The XP machine's performance perked up immediately.
Two antivirus programs that are free for home use and that are currently highly rated are Avast Home Edition and Avira AntiVir. You'll find a list of dozens of antivirus programs for Windows on this Download.com page.
Change your password...again
I hate those "your password will expire in x days" warnings as much as you do, but one of the simplest ways to protect yourself is by keeping your passwords fresh. Last year, I described the Ten Password Commandments, one of which was to devise a password-creation strategy that's all your own.
Just two months ago, I complained about the shortcomings of passwords as our primary security option, though I concluded that there's nothing better, for now. Lots of people swear by password managers such as RoboForm, but then you have yet another third-party app complicating matters.
For me, it's simpler just to devise a new password based on my unique, inimitable password-creation system, which I share with no one. No need to write it down, enter it in an online form, or encrypt it in a master-password file. Temporary amnesia, well, that's another matter.
For secure e-mail, use encryption
You would think that encrypting e-mail would be a breeze, but doing so is anything but. You and the recipient have to deal with digital certificates, public and private keys, and any number of other time-eating preparations and precautions.
The simplest way I know of to encrypt your e-mail is by using the Mozilla Foundation's Thunderbird with the Enigmail extension. Jason Thomas provides step-by-step instructions in this tutorial on the Lifehacker site.
Gmail users can secure the connection between their browser and Gmail by enabling the service's built-in HTTPS encryption. To do so, click the Settings button at the top-right of the main Gmail screen, scroll to the bottom of the General tab, select "Always use https," and click Save Changes.
Select "Always use https" under the General tab in Gmail's Settings to encrypt your messages.
(Credit: Google)
Keep your browser up-to-date
Most people will tell you that the Mozilla Foundation's Firefox browser is the safest way to surf, but a recent report from Google Switzerland and the Swiss Federal Institute of Technology found that "(u)sing the most recent version of a browser will lower the risk associated with drive-by-downloads and other Web-based attacks, which start by targeting the browser."
The report cites Google Chrome's silent updates as the best way to ensure that your browser is protected. The researchers also laud Chrome's lack of a way for users to disable its silent-update feature. Some people will object to software being downloaded to and installed on their system without their knowledge, but the fact is, these behind-the-scenes updates are the best way to keep you safe from the Internet bad guys.
Personally, I'm starting to rethink my choice of default browser. But as I mentioned earlier, you can't put any faith in a computer security product's reputation. And you can't be afraid to switch.
PCs do the darnedest things. When a program crashes, your system slows down, or a file or program refuses to open, it's probably due to a problem with an application or device. But not always. Computer viruses and worms will cause your PC to exhibit many of the same symptoms as a failed or failing component or program.
Here are some of the primary indicators that your system is infected:
• Your system slows to a crawl for no apparent reason.
• The machine crashes, with or without an automatic restart.
• Error messages pop up repeatedly.
• Programs or files open slowly or not at all (especially security apps).
• You can't access drives or other storage media.
• Certain Web sites won't open in your browser, especially those of security software vendors.
• You can't download updates for your antivirus software.
• You can't print.
• A program disappears from your system.
• Strange icons are added to your desktop, or programs appear that you never installed.
• The unused space on your hard drive disappears (which could mean a worm is making copies of itself).
• People in your contacts list receive e-mail from your account, often with a virus attached.
• There's a big jump in the amount of traffic on your network, especially outbound.
How to disinfect a PC
Whenever your system starts acting funky, the simplest remedy is to use Windows' System Restore feature to turn back the clock to a time when the machine worked. (Note that many viruses and worms can outsmart System Restore, so this is far from a cure-all.)
Microsoft's Help and Support site offers step-by-step instructions for using System Restore in XP (which also describes how to undo a restoration). Vista users will find information on System Restore and other system-recovery options for that operating system on the company's Windows Help and How-to site.
Even if System Restore appears to fix your PC, update your antivirus software's definitions and do a full system scan with the program. If you don't use AV software, download and install a copy. You'll find a list of free and low-cost antivirus programs on this Download.com page. Two freebies that get rave reviews from most users are Avira AntiVir Personal and Avast Home Edition.
Another option for virus and worm removal is Microsoft's own Malicious Software Removal Tool, which can disinfect a PC but doesn't prevent infections. Note that if your system is set to receive automatic Windows updates, it probably already has the tool installed. You can read more about MSRT on the Microsoft Help and Support site.
Of course, if the virus or worm has blocked your PC's access to the Internet or is preventing your security software from running, you'll have to use another system to download and install an up-to-date antivirus program on a flash drive, optical disc, or other external storage device. Then plug or insert that device in the infected machine and run the AV program from there. One option is the free ClamWin Portable, though many other free AV programs can be installed and run off external media.
Where did the virus/worm come from?
When you're in the midst of a PC disinfection, the source of the virus may not be your first concern. But once your system is working again, you want to avoid whatever action caused the problem.
In the past, most viruses and worms traveled via e-mail and latched themselves onto your hard drive when you clicked to open an attachment, or sometimes when you merely viewed a message. Now infections are more likely to occur after you browse to an infected Web site or download and open a file.
The recent Conficker worm takes advantage of Windows' Autorun feature, which allows programs to open as soon as you plug in or insert the USB flash drive, CD, or DVD on which they're stored, sometimes even if you thought you had disabled Autorun and AutoPlay on the machine. Microsoft released a patch that closed this hole late last year, though you still must disable these features manually. You'll find instructions for doing so on this site.
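As an added example (not from the original article or from Microsoft), this PowerShell check reads Windows' NoDriveTypeAutoRun policy value and lists the drive types for which Autorun is still enabled. The registry path and bit meanings are the standard Windows policy ones; the function names are hypothetical.

```powershell
# NoDriveTypeAutoRun is a bitmask: a set bit DISABLES Autorun for that drive type.
$PolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveTypeBits = [ordered]@{
    'Unknown type'       = 0x01
    'Removable (USB)'    = 0x04
    'Fixed disk'         = 0x08
    'Network drive'      = 0x10
    'CD/DVD'             = 0x20
    'RAM disk'           = 0x40
    'Unknown (reserved)' = 0x80
}

# Hypothetical helper: return the effective policy value, or $null if unset.
# A machine-wide (HKLM) value takes precedence over the per-user (HKCU) one.
function Get-AutorunPolicy {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $item = Get-ItemProperty -Path "$hive\$PolicyKey" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Hive = $hive; Value = [int]$item.NoDriveTypeAutoRun }
        }
    }
    return $null
}

# Hypothetical helper: drive types whose bit is clear, i.e. Autorun is still on.
function Get-AutorunEnabledTypes([int]$Value) {
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

$policy = Get-AutorunPolicy
if ($null -eq $policy) {
    'NoDriveTypeAutoRun is not set; Windows falls back to its built-in default.'
} else {
    $enabled = @(Get-AutorunEnabledTypes $policy.Value)
    '{0} NoDriveTypeAutoRun = 0x{1:X2}' -f $policy.Hive, $policy.Value
    if ($enabled.Count -eq 0) { 'Autorun is disabled for every drive type.' }
    else { 'Autorun still enabled for: ' + ($enabled -join ', ') }
}

# To disable Autorun for all drive types machine-wide, run elevated
# (the Policies\Explorer key must already exist):
#   Set-ItemProperty -Path "HKLM:\$PolicyKey" -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

The value only protects a machine that also has the Microsoft patch mentioned above, so check patch status along with this setting.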
Your best virus/worm-prevention strategy is to keep Windows and your antivirus/antispyware/firewall software up-to-date, not open e-mail attachments you weren't expecting (even if they appear to be from someone you know), and avoid file-sharing and other dicey Web sites. This is no guarantee of keeping your PC virus-free, but it will keep the odds in your favor.
I'm a confirmed pack rat. I've got stacks of old utility-bill statements dating back to the 1980s. Alongside the boxes of ancient paper records in our attic are about a half dozen old PCs. The jewel of my "collection" is an original 60-MHz Pentium PC, complete with the famous floating-point bug. Well, it was famous in 1994.
One benefit of holding onto these PC relics is not worrying about their data falling into the wrong hands. (OK, I suppose a determined thief could break into our attic and walk off with the computer antiques, but I wish them luck finding the cables and peripherals required to bring the machines back to life.)
Not everyone is as attached to their old electronic equipment as I am. You probably know that you need to completely wipe or remove the hard drives from your PCs before you donate or recycle them. How to ensure that the data on the drives will be out of the bad guys' reach is another matter.
(On a related subject, don't ever let a computer repair shop hold onto your old hard drive if they replace it. And don't believe them if they say they returned the drive to the vendor. If they give you this spiel, call the cops and demand that they return the old hard drive to you, right then, right there.)
Free data-wiping program obliterates your data
If you want to keep the drive usable but totally erased, use the free Darik's Boot and Nuke (DBAN), which comes in a version that runs off floppy disks and USB flash drives and another that runs off a CD or a DVD. The program's interface won't win any awards, but DBAN has a solid reputation among security experts.
Attack the platter to render a hard disk unreadable
No matter how thorough a data-wiping program is, the only way to be certain that a hard drive's data is unrecoverable is by rendering the drive's platters unspinnable. I've heard and read all kinds of methods people use to destroy an old drive, some of which are downright dangerous.
Put it in a fire? There are lots of toxic chemicals in that gadget. Do you really want to be breathing them or otherwise releasing them into the environment? Microwaves are handy for destroying CDs and DVDs, but you'd have to cook a hard drive for a long, long time to blister the drive's platters.
Several Web sites suggest soaking the drive in diluted hydrochloric or muriatic acid. This might work, but you run the risk of burning yourself or breathing toxic fumes. Lots of people recommend breaking out the power tools and drilling several holes through the drive. You can achieve the same effect by pounding some nails through it, or simply by whacking the heck out of it with a hammer, sledge or otherwise.
I'm normally a big fan of brute-force methods, for the vicarious thrill if for no other reason. But the goal is to make sure you can't spin the drive's platters. There's a more subtle approach that achieves this, without necessarily requiring safety goggles.
I found a great step-by-step tutorial written by David Gewirtz that describes how to disassemble a drive, remove the platters (and other components, including the drive's magnets), and sand or grind the platter surfaces, which renders them unreadable.
David's method requires the use of TORX driver bits to remove the small screws holding the drive's case in place. These can set you back about $20, but you might be able to save the money by using a large, flat-head screwdriver to pry the case off.
David also suggests degaussing the platters by placing them between neodymium magnets before grinding their surfaces, which obliterates the data they hold. This strikes me as overkill, but I guess you can't be too careful when protecting your private data. Making wind chimes out of the degaussed and sanded platters, as David's wife did, is strictly optional.





