Security Help Center

Computer Security: Protecting Your Data and Your Privacy
by Bill Natkin

Introduction
The widespread use of personal computers with Internet access in both the home and workplace has created an opportunity for unscrupulous individuals, companies, and governmental organizations to spy on users, steal data, hijack computers, destroy information, and generally make life difficult.

Hazards include:

       Theft of personal information
       Access to financial records
       Monitoring web browsing
       Interception of email, passwords, and account numbers
       Taking control of your computer to secretly use it for wrongful purposes
       Destructive viruses
       Clandestine marketing
       Phishing schemes
       Fraudulent sales and related scams

The intention of this article is to raise awareness of some of the risks computer users face, especially with regard to use of the Internet.  Armed with this information, and a few low cost or free tools, the reader can greatly reduce the risk of suffering from the aforementioned problems.  No single piece of hardware or software will accomplish the goal of building a strong defense.  A multi-layered system of protection provides the best protection.  Keep in mind that no security system is absolute; in theory anything can be cracked.

The first part of this article will attempt to provide some not-too-technical general information about computer system vulnerabilities.   Once one has an understanding of some of the fundamentals, steps can be taken to avoid the hazards listed above.

Internet Connectivity

For most users, the problem starts with an always-on, high speed Internet connection from a cable company or DSL service provider.  Traditional dial-up connections are generally less risky for a number of reasons.  To begin with, dial-up is accessed as needed as opposed to a continuous connection.  When the computer is not on line, it is not going to be invaded from the outside.  Additionally, the technical nature of the connection provide by a dial-up Internet service provider (ISP) is different than that of cable and DSL connections.

The user is also likely to know when a connection is initiated by their own computer (the client).  It ties up the telephone line, and usually, users can hear audible tones when their computer  connects to the internet via a dial-up MODEM.  People usually do not consider that a security breech may be initiated by their own computer, but it's fairly common.  It is generally believed that someone cracked into a client from the outside, disregarding the possibility that one's own computer started the "conversation" and subsequently gave away personal information.  This topic is covered further in the discussion on firewalls. The point is, most users of high-speed Internet connections have no way of knowing if their computer is having background communication with other computers on the Internet.  Good firewall software will warn you when this happens.

All computers connected to the Internet have a unique identification known as an Internet Protocol (IP) address.  The world wide web often creates an illusion of anonymity, but one certainly is not entirely anonymous if  browsing the web from a cable or DSL connection that is broadcasting a unique IP address with every click of the mouse. 

Once connected to the Internet the IP address provides crackers (often incorrectly called "hackers") a portal to breaking into a computer.

Basic Security Precautions

It is not necessary to have a browser program running for a cracker to get into a computer system.  If your computer has an "always on" Internet connection, then, essentially, your are on line all the time, whether or not your are browsing the web.  Some cable modems have a standby switch.  Putting the cable modem is standby mode is equivalent to "pulling the plug" to the Internet.  If you do this, then you are truly off line.  The following ten rules will greatly reduce your risks.

Rule Number 1:  Do not connect your computer directly to your DSL or cable modem

Cable company installers do this routinely.  Sometimes within a matter of days, the computer becomes hopelessly infected and is essentially inoperative.  The typical home cable Internet IP is hit 60 to 100 times per day with attempts to access you computer.  Some of these are simply accidental, mis-directed traffic and are not malicious.  Most are attempts to exploit one of Windows many security weaknesses.  If successful, they usually result in relatively harmless, but annoying pop up dialog windows that encourage you to buy something or visit a web site.  A few may be much more malicious and could cause serious problems.  On a typically under-protected system you will not even be aware of the problem until its too late to correct it easily.

The simplest, and most effective defense against this bombardment of traffic is to install a firewall / router box between your computer and cable MODEM.  This is a must!

Rule Number 2:  Do not connect to the Internet without firewall software running on your PC.

Consider this your second layer of defense after your hardware firewall.  Many users rely only on the firewall that comes with later versions of Windows.  This is too little, too late.  There are a few good, free firewall software packages available.  Check the links at the end of this article.  Kerio Personal Firewall is an example of a good program that will protect your computer from unwanted incoming traffic.  A good firewall program can also alert you of outgoing traffic.  Most users are shocked to find out how many programs they are using are accessing the Internet without their knowledge or consent.  Kerio also has options that alert you when programs are replaced, or launched from within other programs.  This too is an extremely valuable security feature.

Rule Number 3:  Install anti-virus software.

Take the time to know how the anti-virus software works.  Use on-access scanning and run a full virus scan once a week or so.  It is very important to update the virus definitions regularly; at least a few times per week if you use the Internet frequently.   Doing this automatically is recommended.

Rule Number 4:  Think before you click.

Do not download and/or install programs that you are not sure are safe.  This goes for email attachments too.  Many viruses, spyware, ad-ware, Trojans, etc. are installed unknowingly by the users themselves.  Check with well-known, reputable sources before installing software or running scripts that you are not familiar with.  Run a virus scan on newly downloaded files before execution.  When you do install software, read the licensing agreement.  You may be surprised to find out that you are agreeing to load spyware or otherwise compromising your privacy and security.

Rule Number 5:  Use strong passwords.

Do not use words, birthdates, phone numbers, addresses, or anything that a person or a computer program running a dictionary could guess.  Use cryptic mixes of upper and lowercase letters with numbers.  Avoid very short passwords.  Do not use the same password for several things.  Every one of your passwords should be unique.  Do not write them down and leave them lying around.  Do not store them in a file on your computer.  Do not save passwords using your browsers "save password" functions.

Rule Number 6:  Be very cautious when using a public network.

Understand that when you access the Internet from a computer at school, work, libraries, and so forth that you are using a sharing a network with other users, employees, and system administrators.  There are a variety of ways one can eavesdrop on your communication.  Passwords and other sensitive information can be intercepted on your side of the systems firewall.

If you use a web based email system, make sure it uses encryption.  You can usually tell if your communication is encrypted by the appearance of a small padlock graphic somewhere on the screen.  Most web email now uses encryption.  If you are a Cox customer, be aware that their email is not encrypted.  Your password and email content can easily be read by other people on a public network.  Cox customers are advised to complain about this.  The better practice is to use POP email when you are at home.

Rule Number 7:  Use the most secure software available.

Even the best programs can be found to have security weakness.  There are big differences between browsers, email software, music players, and messaging programs.  Some are notorious for security flaws, while others have a very good record.  Research carefully and update frequently.  is a highly recommended browser, and Thunderbird is a good email program. There are several others.  Most experts discourage the use of Internet Explorer and Outlook Express.  There are many sources for information on this topic.  See the links at the end of this article, but do your own research too.  Don't take just one source's word as gospel.

Rule Number 8:  Avoid installing peer-to-peer software.

Peer-to-peer programs are notorious for causing problems.  This software offers you the opportunity to share music or other files with everyone on the Internet.  In doing so, you open connections for crackers and virus spreaders.  Your computer will likely run slowly while it is busy serving everyone on the planet except you.  This is also a common way for your computer to be hijacked and used to spread spam and/or viruses to others.  You may also be setting yourself for serious legal problems regarding copyright issues.

Rule Number 9:  Lookout for imposter web sites & phishing scams

Some web sites cleverly masquerade themselves as something legitimate and familiar but, are in fact, a con.  Fake government sites are common.  If it has a .com address instead of .gov, be suspicious.  An increasingly common fraud plays on using HTML code to trick you into clicking on a link that indicates it will take you a web site, but actually takes you somewhere else.  Once there, you be prompted to give up sensitive information, then be ripped-off.

One way you can avoid this when web browsing is to pay attention to the status bar at the bottom of your browser screen.  Point to, but don't click on, a link.  Then look at the URL at the bottom of the screen.  You may see a link titled "Chase Bank Official Website", but the URL at the bottom of the screen tells you that you are actually being directed to "https://ImGoingToRippYouOffYouPoorSucker.com".

More commonly, the tricksters will suppress the URL from displaying.  Try right-clicking the link and selecting "properties".  This should show you the actual destination web site.  If your browser can not perform this action, get a different browser.  This usually works with email too.  Keep in mind that if a link description does not match the actual URL, it does not automatically mean that it is a scam, but it may be a clue.

Use prudent judgment regarding unsolicited email you receive.  Remember the fitting cliché, "If it sounds too good to be true...".  You may receive fake email that appears to be from a company or financial institution with which you do business.  The inclination is to trust the information because, after all, they clearly know you as a customer, right?  Sometimes your browser cookies may reveal that you are a customer of a company, and the bad guys will exploit that information.  It may also be the case that you are one of tens of thousands of people who received the same email in the hopes that a few will fall for the trick.

Rule Number 10:  If you use a wireless connection, make sure it is encrypted.

Many home users access the Internet using an  unencrypted wireless router.  Most can be configured to encrypt your traffic.  If yours does not have such a feature, get a new router.  Otherwise you may be sharing sensitive information with anyone within range who cares to eavesdrop.

The preceding ten rules are mandatory essentials.  There are a great many more precautions to be aware of.

If some of them are difficult to understand, or the terminology is unfamiliar, take the time to learn what they mean.  Seek professional help or the
expertise of someone you know if needed.

Most of this article concerns use of the Internet.  There are other issues unrelated to on line activity that you should be concerned with.  For example, the security of your computer hardware.  What is the worst thing that could happen if your computer is stolen?  Do you have sensitive data on your hard drive?  If so, you may want to consider encrypting that data on your machine.  The same is true if you share your computer with others, or take it into a shop for repair.  These are valid concerns even if you use a more secure operating system such as Linux, but especially so if you are using Windows.  Do not think that because you have a Windows log on password that you are protected.  A future article will cover precautions related to these concerns.

About The Author
Bill Natkin has worked in high tech industry for over 22 years.  Mr. Natkin is a member of the Independent Computer Consultants Association and currently runs Inetplanet, a computer consulting business in Phoenix, Arizona.  He has an Associate of Applied Science degree in Electronics Engineering from Mesa Community College and a Bachelor of Applied Science in Software Engineering from Arizona State University.



___________________________
© copyright 2006 Bill Natkin
This article may not be copied or reproduced, including electronic publishing, without the written permission of the author or his trustees. Linking to this article from other web sites is encouraged.