MightyMicro
- 19 Dec 2004 20:37
I thought the following might be helpful to MoneyAM users. I'm grateful to Bruce Schneier for permission to republish it.
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."
But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.
General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.
Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.
Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.
Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."
Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.
Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.
Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.
Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.
Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.
Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.
Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
E-mail: Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.
Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.
Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.
Antivirus and anti-spyware software: Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."
Firewall: Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.
Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.
None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.
I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.
I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.
That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.
Bruce Schneier
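Three of the points above (don't trust a link's visible text, check that the address is exact rather than a near-miss, and never send a password to a non-SSL page) can be checked mechanically before anyone clicks. The following is an added example, not code from the essay or from any poster; the trusted-domain list and the sample message are constructed, and the "registrable domain" guess is a deliberate simplification (a real tool would use the public suffix list).

```python
"""Inspect the links in an HTML e-mail before clicking any of them.

Added example (not part of the thread). For every <a> tag it checks that the
href agrees with the domain the link appears to show, that the target is
https, and that the host is not a one- or two-character near-miss of a
domain the user actually trusts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: domains this user really does business with.
TRUSTED_DOMAINS = {"examplebank.com", "moneyam.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude guess: the last two labels (assumption; use the public suffix
    list for anything beyond a demonstration)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text):
    """Return the reasons this link deserves suspicion (empty list = none)."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    href_domain = registrable_domain(host)

    # 1. Visible text that looks like a URL must agree with the real target.
    shown = urlparse(text if "://" in text else "http://" + text)
    if shown.hostname and "." in shown.hostname:
        if registrable_domain(shown.hostname) != href_domain:
            reasons.append(f"text shows {shown.hostname} but href goes to {host}")

    # 2. A page that will receive a password must be SSL/TLS.
    if url.scheme != "https":
        reasons.append("not https")

    # 3. Near-miss of a trusted domain (a character changed, added or dropped).
    for trusted in TRUSTED_DOMAINS:
        if href_domain != trusted and edit_distance(href_domain, trusted) <= 2:
            reasons.append(f"near-miss of trusted domain {trusted}")
    return reasons


def assess_email(html):
    """Map each href in the message to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: assess_link(href, text) for href, text in collector.links}


# Constructed sample message: one honest link and one phishing link whose
# visible text is the real bank but whose href is a look-alike over http.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://examp1ebank.com/login">
https://www.examplebank.com/login</a> to verify your account.</p>
<p>Forum: <a href="https://www.moneyam.com/">MoneyAM</a></p>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons) or "no concerns")
```

Run as a script it prints one line per link; the look-alike link collects all three reasons while the forum link collects none. The same checks apply to the address bar after a page loads, which is why the essay says to type the URL yourself.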
poo bear
- 15 Jan 2006 16:32
- 5 of 19
Amazing information.
Many thanks MM, loads I was not aware of.
This reply was written using Firefox just downloaded, and I now have Thunderbird as my email client plus many other bits since reading.
Thank you
poo bear
- 15 Jan 2006 16:45
- 6 of 19
Got to say I have broadband too, but Firefox is way quicker than Internet Explorer.
Brilliant
DocProc
- 09 Oct 2006 14:03
- 8 of 19
From
http://technology.guardian.co.uk/news/story/0,,1891177,00.html
Hacker attacks hit home computers 50 times a night
Staff and agencies
Monday October 9, 2006
Guardian Unlimited
Home computers can be attacked by hackers more than 50 times a night, the results of an experiment showed today.
Every time a test PC was connected to the internet, it was targeted by viruses and attempts to gain access to the information it contained.
The experiment, carried out by the BBC News website, used a "honeypot" PC, which looked like a normal computer to potential hackers but secretly recorded every attempt to gain access to it.
Each time the machine was put online during the month-long test period, it came under attack from hackers or dangerous computer programmes. In one of the busiest nights of malicious activity, it was attacked 53 times.
The computer was subjected to a hijack attempt by subverting the web server built into Microsoft Windows. A successful hijack would have handed control of the PC over to the hacker.
There were two port scans - the reconnaissance process used by hackers to find new victims.
It was attacked 11 times by the Blaster worm, a computer programme that sends copies of itself to other PCs. A successful attack would have left the machine unstable.
Three Slammer worm attacks were made, which could have crippled the computer and left it prone to crashing, and there were 36 fake security announcements or advertisements for fake security software posing as warnings.
Reacting to these could leave a PC clogged with spyware - programmes monitoring what users do with their computer and then sending the information over the internet.
Over the course of the experiment, at least one attack an hour on average came from a dangerous computer bug with the ability to cripple an unprotected PC.
There was at least one serious attack a night, such as attempts to hijack the computer that could have led to it being turned into a zombie PC used to carry out criminal activity without the owner's knowledge.
The BBC said the experiment demonstrated the vulnerability of unprotected home PCs to malicious hackers.
According to the security software firm Symantec, 86% of all targeted attacks on computers are aimed at home users.
Experts estimate that there are around 200,000 malicious programmes, such as viruses, worms and spyware, in existence.
One hacker the BBC spoke to claimed to have made $10,000 (£5,345) a day from computer crime, while another claimed the ability to hack into many online shops within three to four hours.
StarFrog
- 09 Oct 2006 15:18
- 9 of 19
There is a lot of good free software out there to help against such attacks (but always remember to update regularly). I use AVG anti-virus, SpyBot Search and Destroy, AdAware and (my personal favourite) ZoneAlarm, which actually tells you every time something is trying to access your computer. If you pay for the full version of ZoneAlarm, you can actually trace where the attack is coming from (usually). A quick search on the net will give you all the download sites.
Kayak
- 09 Oct 2006 16:22
- 10 of 19
Usual terror-inducing stuff, usually sponsored by the manufacturers of protection programs. All the 'attacks' mentioned will not affect a PC with reasonably current updates of Windows.
"I use AVG anti-virus, SpyBot Search and Destroy, AdAware and (my personal favourite) ZoneAlarm"
What a collection! It's amazing your PC still runs. I use none of these. To keep safe it is sufficient to (a) keep Windows up to date at least monthly using Windows Update (b) set security zones in IE and OE appropriately (c) have good practices, e.g. don't open attachments you're not expecting and (d) take regular backups.
DocProc
- 11 Oct 2006 05:23
- 11 of 19
Kayak
To keep safe it is sufficient to
(a) keep Windows up to date at least monthly using Windows Update
(b) set security zones in IE and OE appropriately
(c) have good practices, e.g. don't open attachments you're not expecting and
(d) take regular backups.
Q. What settings do you personally have on your machine for (b)?
Q. What backup procedures and methods do you personally use for (d), and how frequently do you do them?
Kayak
- 11 Oct 2006 08:04
- 12 of 19
Doc
OE set to use Restricted Sites zone, check nothing is in Trusted Zone in IE.
At present I take a full backup monthly to tape, i.e. of the entire hard disk, and a differential backup daily. A differential backup is a backup only of the files that have changed since the last full backup. I also cycle through six sets of full backups and three sets of daily backups. This means that in the event of something mucking up the PC I can get back to any day within the last three months by loading the appropriate full backup and daily backup. When I was using the PC much more with local applications I was taking a full backup weekly.
StarFrog
- 11 Oct 2006 13:44
- 14 of 19
Kayak:
"I use AVG anti-virus, SpyBot Search and Destroy, AdAware and (my personal favourite) ZoneAlarm"
What a collection! It's amazing your PC still runs.
Only AVG and ZoneAlarm are always on. I run SpyBot and AdAware only when I suspect some pop-up has planted a tracking cookie. I also have an extremely fast machine with a 1Gbps connection (gloat, gloat).
I agree with most of what you say and also allow Windows to do automatic backups. However, if you believe that using IE is safe then maybe you are unaware that IE allows automatic execution of DirectX applets - a direct method of allowing viral attack.
Perhaps you should try running a firewall program such as ZoneAlarm and see how many times a day something or someone is trying to access your PC. You will be surprised how many attacks are missed by Windows' own firewall (which I also have enabled).
Regular backups are of course good practice, but they are of little use if you back up an infected machine.
Healthy paranoia can be good for you. ;-)
LOL
Kayak
- 12 Oct 2006 20:44
- 15 of 19
SF, I do know of the attacks since I have a router which logs them. However, they will not affect a properly updated and protected system.
Oh, and it is perfectly redundant to have two firewalls enabled! But I would agree with Optimist that a router is far better than a modem and in fact will act as a firewall for incoming traffic just as well as your beloved ZoneAlarm, whether or not it has specific firewall functions. Buy a router and ditch the software firewalls.
Do you mean ActiveX applets? They can't be all that dangerous since they've never caused me to be infected by a virus.
"also allow windows to do automatic backups" - Windows XP's backup function is to do with changes to the system configuration and is there to enable you to roll back changes to the system or its configuration. It will not enable you to recover programs or data should you be unfortunate enough to suffer a virus attack or hardware failure. What I do is take a full copy of the system and data to a backup tape.
"Only when I suspect some pop-up has planted a tracking cookie" - tracking cookies are perfectly safe. They are merely information regarding what you did on the site you visited, and enable the site to recognise you the following time you visit. They are not executable and not dangerous. Also, there is nothing about a popup that makes it dangerous. It is merely a web page like any other, the only reason it pops up is to gain your attention. Tracking cookies in fact will normally be planted by the main page rather than a popup.
As I say, there is a lot of hysteria promulgated by those who sell security programs.
Funnily enough, the area people should concentrate on is backups, and yet not many people take regular backups of their data, even fewer take backups of their system, even fewer have ever checked that they know to recover from a backup, and even fewer do it all with some sort of a recognised cyclic backup media system.
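Kayak's scheme (a monthly full backup, a daily differential of everything changed since that full, six full sets and three daily sets cycled) and the point that few people ever test a restore can both be shown in a small simulation. This is an added example and not code from any poster; the file contents, the days and the rotation counts are constructed to match the description. It also records deletions in each differential set, which the post does not discuss, so that a restore does not resurrect files removed after the full copy.

```python
"""Full + differential backup rotation with a restore check.

Added example (not from the thread). Models a full copy of everything, daily
differential sets holding all changes since the last full, a fixed number of
each retained on rotating media, and a verification step that compares what
a restore produces with what the machine actually held that day.
"""
from collections import deque
import hashlib

KEEP_FULLS = 6          # six sets of full backups are cycled
KEEP_DIFFERENTIALS = 3  # three sets of daily differentials are cycled


def fingerprint(content):
    """Content hash kept with each file so a restore can be verified."""
    return hashlib.sha256(content).hexdigest()


def full_backup(files, day):
    """Copy every file. `files` maps path -> (day_last_modified, bytes)."""
    return {"kind": "full", "day": day,
            "files": {p: (m, c) for p, (m, c) in files.items()}}


def differential_backup(files, last_full, day):
    """Everything changed or created since the last *full* backup, plus the
    names of files deleted since then. Unlike an incremental set, each
    differential stands alone: restore needs the full plus one differential,
    never a chain of them, at the cost of each set growing through the month."""
    base_day = last_full["day"]
    changed = {p: (m, c) for p, (m, c) in files.items() if m > base_day}
    deleted = sorted(set(last_full["files"]) - set(files))
    return {"kind": "differential", "day": day, "base": base_day,
            "files": changed, "deleted": deleted}


class BackupSet:
    """Rotating media pool: the oldest set is overwritten once the pool is full."""

    def __init__(self):
        self.fulls = deque(maxlen=KEEP_FULLS)
        self.diffs = deque(maxlen=KEEP_DIFFERENTIALS)

    def take_full(self, files, day):
        self.fulls.append(full_backup(files, day))

    def take_differential(self, files, day):
        self.diffs.append(differential_backup(files, self.fulls[-1], day))

    def restore_points(self):
        """Days the retained media can actually return the machine to."""
        days = {f["day"] for f in self.fulls}
        days |= {d["day"] for d in self.diffs
                 if any(f["day"] == d["base"] for f in self.fulls)}
        return sorted(days)

    def restore(self, day):
        """Rebuild the file tree as it stood on `day`, or None if not covered."""
        for f in self.fulls:
            if f["day"] == day:
                return dict(f["files"])
        for d in self.diffs:
            if d["day"] == day:
                base = next((f for f in self.fulls if f["day"] == d["base"]), None)
                if base is None:
                    return None
                tree = dict(base["files"])
                tree.update(d["files"])
                for p in d["deleted"]:
                    tree.pop(p, None)
                return tree
        return None


def verify_restore(restored, expected):
    """The check almost nobody does: hash-compare a restore against what
    the machine held on that day."""
    if restored is None or set(restored) != set(expected):
        return False
    return all(fingerprint(restored[p][1]) == fingerprint(expected[p][1])
               for p in expected)


def simulate():
    """Constructed month: full on day 0, daily differentials on days 1-4,
    with an edit every day, a new file on day 2 and a deletion on day 3."""
    pool = BackupSet()
    history = {}
    files = {"notes.txt": (0, b"v1"), "accounts.xls": (0, b"ledger")}
    pool.take_full(files, day=0)
    history[0] = dict(files)
    for day in range(1, 5):
        files = dict(files)
        files["notes.txt"] = (day, b"v%d" % (day + 1))
        if day == 2:
            files["photo.jpg"] = (2, b"jpeg")
        if day == 3:
            del files["accounts.xls"]
        pool.take_differential(files, day)
        history[day] = dict(files)
    return pool, history


if __name__ == "__main__":
    pool, history = simulate()
    print("restore points:", pool.restore_points())
    for day in pool.restore_points():
        print(day, "verified" if verify_restore(pool.restore(day), history[day]) else "MISMATCH")
```

With three daily sets retained, day 1 has already been overwritten by day 4, so the restore points are days 0, 2, 3 and 4; a full set is the anchor for every differential, so discarding a full also discards any differential based on it. The verification step is the part worth copying: restoring to scratch media and hashing the result is the only way to know the tapes are readable before the day you need them.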
banjomick
- 17 Dec 2008 22:21
- 17 of 19
Cheers, MM. Interesting info, with some ideas that I've never thought of looking at.
MightyMicro
- 22 May 2009 15:26
- 19 of 19
More from Bruce Schneier.
An Expectation of Online Privacy
If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail. Well, you and your ISP. And the sender's ISP. And any backbone provider who happens to route that mail from the sender to you. And, if you read your personal mail from work, your company. And, if they have taps at the correct points, the NSA and any other sufficiently well-funded government intelligence organization -- domestic and international.
You could encrypt your mail, of course, but few of us do that. Most of us now use webmail. The general problem is that, for the most part, your online data is not under your control. Cloud computing and software as a service exacerbate this problem even more.
Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you're relying on that company to keep your data private. If you use Google Docs, you're relying on Google. This is why the Electronic Privacy Information Center recently filed a complaint with the Federal Trade Commission: many of us are relying on Google's security, but we don't know what it is.
This is new. Twenty years ago, if someone wanted to look through your correspondence, he had to break into your house. Now, he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your office; now it's on a computer owned by a telephone company. Your financial accounts are on remote websites protected only by passwords; your credit history is collected, stored, and sold by companies you don't even know exist.
And more data is being generated. Lists of books you buy, as well as the books you look at, are stored in the computers of online booksellers. Your affinity card tells your supermarket what foods you like. What were cash transactions are now credit card transactions. What used to be an anonymous coin tossed into a toll booth is now an EZ Pass record of which highway you were on, and when. What used to be a face-to-face chat is now an e-mail, IM, or SMS conversation -- or maybe a conversation inside Facebook.
Remember when Facebook recently changed its terms of service to take further control over your data? They can do that whenever they want, you know.
We have no choice but to trust these companies with our security and privacy, even though they have little incentive to protect them. Neither ChoicePoint, Lexis Nexis, Bank of America, nor T-Mobile bears the costs of privacy violations or any resultant identity theft.
This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. If the police want to read the e-mail on your computer, they need a warrant; but they don't need one to read it from the backup tapes at your ISP.
This isn't a technological problem; it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant -- even though it occurred at the phone company switching office and not in the target's home or office -- the Supreme Court must recognize that reading personal e-mail at an ISP is no different.
This essay was originally published on the SearchSecurity.com website, as the second half of a point/counterpoint with Marcus Ranum.
http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1354832,00.html or http://tinyurl.com/pnv8vq