IT Security

Protecting your Computer

  • An excellent way to prevent your computer from being infected is to not run as an administrator.  Many pieces of software do require an admin login in order to install, but most software does not need an administrator account to run.  Have two accounts on your computer and never use the admin account to check email or surf the web.

    Infections that occur when you are not logged in as an admin are often trivial to remove.  An infection you get as an admin may require a complete computer wipe and reload while the same infection on a non-admin account may only require the antivirus or anti-malware software to be run.

  • Be careful opening attachments.  Never open an attachment or an e-card from someone you don’t know.  Many infections come from “fake” e-cards that appear to come from legitimate companies like Hallmark.  They often have generic messages or say they are from a friend or relative with no specific names.  If they don’t say specifically whom they are from, don’t open them.  If they say they are from someone you know, drop that person an email and ask if they sent you a card before you open it.  It only takes a few minutes to verify the message is legitimate and it can save you hours in trying to fix your machine later.

  • Use software like Adblock and Flashblock in your web browser (not available for Internet Explorer).  They can block many of the advertisements hosted on web pages that can infect your computer.

  • If you get pop-up advertising, don’t click anywhere inside the window.  Malware writers will often have a “Cancel” or “Close Window” button within the pop-up.  When you click it you may actually be agreeing for them to install software instead of just closing the window.  Always use the X in the upper right-hand corner of the window to close it.  If you are unsure what to close to get rid of the pop-up, quit your browser.  That should close the pop-up window.

  • Don’t click links in an email to navigate to an important site.  Links in email messages can be forged.  It may look like you are going to paypal.com or citibank.com, but instead you are being directed to a page that looks similar and is trying to steal your information and money.  Manually type in the address when going to bill payment, banking, or any other site that uses personal or financial information.

  • Beware of phishing.  You may receive an email warning you that your email account is being turned off, or your utility bill wasn’t paid.  Phishers often try to scare you into acting quickly and handing over information you shouldn’t.  They may even include legitimate links in the email to make it seem more real.   Never email your password to anyone and don’t enter any information into the websites linked in the email.  More information about phishing: http://www.theregister.co.uk/2006/03/31/phishing_study

  • Beware of social engineering attacks.  The first thing most people do when they find a lost USB key is to plug it into their computer to find out who the owner is.  For an investment of a couple of dollars in a cheap USB key, someone can install malware onto your computer.  That malware could capture every keystroke you type on that computer and send it over the Internet to the author.  They can get your passwords to important business systems or even your credit card numbers when you do online purchases.
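
To illustrate the point above about forged links in email: the text a link displays and the address it actually opens are two separate values, and a mail filter or help desk can compare them.  The following is an added example, not part of the original page; the function names, the sample message and the ".example" host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text that itself looks like a web address, e.g. "www.paypal.com"
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def forged_links(html_body):
    """Return (domain shown, host actually linked) pairs where the two differ."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for text, href in parser.links:
        target = urlsplit(href)
        shown = DOMAIN_IN_TEXT.search(text)
        if target.scheme not in ("http", "https") or not shown:
            continue  # mailto:, relative links, or link text that names no site
        shown_domain = strip_www(shown.group(1).lower())
        real_host = strip_www(target.hostname or "")
        # Same site only if the real host is the shown domain or a subdomain of it
        if real_host != shown_domain and not real_host.endswith("." + shown_domain):
            findings.append((shown_domain, target.hostname or ""))
    return findings

# Constructed sample message body (not a real email)
SAMPLE = """
<p>Your account is suspended. Sign in at
<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a></p>
<p>Statement: <a href="https://online.citibank.com/statement">citibank.com</a></p>
<p><a href="https://billing.example/pay">Click here</a></p>
"""
```

Only the first link in the sample is reported: its text names paypal.com but the host ends in a different domain.  A link whose text is just “Click here” names no site and cannot be checked this way, which is why typing the address yourself remains the safer habit.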

Protecting your information

  • It is important to use different passwords for different resources.  If one password is stolen you don’t want the thief to have access to every account and resource you use.

    Difficult unique passwords can be hard to remember.  Keep them in an encrypted file to protect them.  Use free software like Password Safe or Password Gorilla to securely store your passwords.  You only need to remember the one password to open the safe in order to get to all your other passwords.  You can use either of these software packages on Macintosh or Windows and you can keep any sensitive information (not just passwords) inside.

  • Make sure your browser does not save your password or saves your password securely.  Safari by default will not show your saved passwords.

    Firefox will save your passwords securely only if you have a master password set.

    Internet Explorer will not directly show your saved passwords, but there are several small free applications that can expose those passwords.  Currently there is no safe way to save passwords in Internet Explorer.

  • Pay attention when your browser warns about a certificate mismatch or an expired certificate.  Some groups will use self-signed certificates instead of paying for one that has been approved by a certificate authority.  The first time you see one of these warnings for a page you will get the option to save the self-signed certificate.  You will not be warned again unless the certificate changes or expires.

    While it is common for an educational institution or small organization to use a self-signed certificate, you should never get this warning when going to a financial or commercial business site.  If you do, you should be suspicious that the site you are going to is fraudulent.

    If you get an SSL certificate warning on a site you’ve visited before, be very careful.  This is a red flag that something is wrong someplace.  When in doubt, email the hostmaster of the website in question to find out why you are seeing the certificate problem.