Monday, November 16, 2009

"Safe" versus "Safer"

There probably aren't too many people out there who haven't heard "Be safe" or "Use safe computing practices." But what, exactly, is safe?

'Safe computing' seems to be all the rage these days. There are those who say that if you use a firewall, be careful what you download, be careful what you install, be careful where you surf, and have a good anti-virus, you'll be just fine.

Really?

It's true that you'll be safer. But if the bad guys really are determined to find their way into your system, odds are they'll find a way. It might not even be to do something horrible to you, as odds are they don't know you. Odds are they simply want your computer and your bandwidth. Why is that?

One word: Botnet. Lots of compromised machines all attacking the same spot at the same time. It might not even be that, it could be just to shoot out spam. But I digress.

Safe. The only true "safe" computer is a computer that is completely off the Internet, and that you don't transfer files from the Internet onto. For example: Let's say that the "safe" computer only has Windows and a printer. You download a .DOC file from your email, transfer it to diskette (does anybody still use those?) or CD-RW and then open it on your 'safe' computer to print it out.

Unfortunately, even that's not safe as it is possible that the anti-virus on your Internet computer missed the digital nasty within the .DOC file. Possible? Certainly.

Or, you download a game from one of "those" sites, copy it onto a CD-RW and install it onto your "safe" computer. Unfortunately, it came from one of "those" sites and your anti-virus missed the keylogger embedded in it. Granted, a keylogger on a computer that's not connected to the Internet won't be able to phone home, but the fact is that your 'safe' computer just got compromised.

And while I'm very sorry to say this, the simple fact is that there is no such thing as an absolutely safe computer any longer. UNLESS that 'safe' computer sits in the corner unattached to the Internet and you never transfer files to or from it. In that case, it is safe from Internet attacks. It's also nearly useless.

That's not to say that you can't protect yourself to make it harder for the bad guys to get you.

If you're using a Wi-Fi router (I pray you're not), make sure it's using WPA encryption. Also, get into its settings and change the default password and address range. (Contact the store where you bought it or the manufacturer of the router for assistance if you need it. Or ask a friend who knows how to do this.) If you're using a wired router, update its firmware as needed, and don't forget to change the password and default address range.

DISABLE JAVASCRIPT. Let me say that again: DISABLE JAVASCRIPT. Trust me on this one.

And then disable JavaScript. TIP: The podcast episode linked at (*) below is a bit technical, but it will tell you exactly why JavaScript is so horribly broken. Listen to the whole thing. And then disable JavaScript.

Next, while a good anti-virus is not a protection against everything, it is an excellent idea to have one. There are several excellent free ones out there, or you can go with some of the subscription services. In any event, make sure that the definition files are up to date. Many of them will allow you to configure them to update as frequently as you wish.

A firewall is also a good idea, and again, there are many excellent choices out there. Make sure that you block both inbound and outbound traffic and allow only what is needed to reach the Internet. Make sure that it too is kept up to date. If you're using Windows XP SP2 (or Vista or 7) the firewall is on by default. It's better than nothing, but I should not like to depend upon it.

Don't visit "those" sites. And by "those" I mean porn, warez, or any sites similar to those. You never know what you'll get. Stay away from file-sharing software such as WinMX or Kazaa as well. Bad guys (and gals too, let's not forget about them) can easily find their way onto your system from the software itself.

If you do online banking, make sure that the address isn't "http://" but rather "https://". The "s" stands for "secure." Or, rather, more secure, since it too could be broken.

Update your OS. Microsoft Windows 2000, XP, Vista, and 7 all update themselves automatically. If you're comfortable letting it do this, great. If you'd rather do it manually, check for updates no less frequently than weekly. Although "Patch Tuesday" is the 2nd Tuesday of each month for Windows, you never know if you'll miss an out-of-cycle patch unless you check.

A quick word about passwords: Make them hard for others to guess. Don't use words or names, as these would be subject to dictionary and/or brute force attacks. An ideal password would be between eight and 16 characters in length and would contain numbers, letters (both upper and lower case) and extra characters (@, #, $, and so on). Try not to use a pattern there either.
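The criteria in the paragraph above, written as a checker; this is an added example, not code from the original post. The word list, the keyboard rows, the look-alike character substitutions and the four-character pattern threshold are assumptions chosen for illustration.

```python
import string

# Constructed sample list; a real check would load a full dictionary
# and a list of common names.
SAMPLE_WORDS = {"password", "dragon", "monkey", "michael", "summer", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common look-alike substitutions before the dictionary check (assumed set).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def has_sequence(pw, run=4):
    """True if pw holds `run` repeated, counting-up/down or keyboard-row characters."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {0} or (chunk.isalnum() and steps in ({1}, {-1})):
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw):
    """Return the criteria from the post that pw fails (empty list = passes)."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length")
    classes = {
        "digit": string.digits,
        "lowercase": string.ascii_lowercase,
        "uppercase": string.ascii_uppercase,
        "symbol": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in pw):
            problems.append(name)
    low = pw.lower()
    normalised = low.translate(LEET)
    if any(w in low or w in normalised for w in SAMPLE_WORDS):
        problems.append("dictionary word")
    if has_sequence(pw):
        problems.append("pattern")
    return problems


if __name__ == "__main__":
    for sample in ("P@ssw0rd1", "Qwerty12#", "abc", "t7#Kv9!mRq2x"):
        print(sample, check_password(sample))
```

A password such as "P@ssw0rd1" meets every length and character-class rule and still fails, because the substitutions are undone before the dictionary check.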

That sounds like a lot, I know. But each step you take makes it more likely that the bad guys will pass you over and search for somebody less well protected. But even these steps cannot and will not guarantee that your machine won't be compromised. But you'll have made it much harder for the bad people to get into.

And a few final words: Reading security bulletins is an excellent way to stay informed. But if you don't have time to do that, consider downloading Steve Gibson's "Security NOW!" podcast as it contains a wealth of information. "Windows Weekly with Paul Thurrott" likewise contains valuable information.

NOTE: Although there is no formal relationship (working or otherwise) between Steve Gibson, Gibson Research Corporation, Leo Laporte, TWiT, or the TWiT Network and myself, I do subscribe to Mr Gibson's security podcast "Security Now!" as well as to several of Mr Laporte's podcasts.

While it's true that even doing this won't protect you 100 per cent of the time, it's a very good idea to do so.

Time for that full-disclosure thing: While I have donated money to Mr Laporte, I have no financial interest in his endeavour (i.e., I don't get paid to mention him or the network). And while I have been a licensed user of Mr Gibson's SpinRite since SpinRite II, I have no financial interest there either. But in the interests of full disclosure, there you go. Perhaps if some politicians were to be so forthright...

(*) - http://www.grc.com/sn/sn-221.htm

Gibson Research Corporation: http://www.grc.com/
Security NOW!: http://www.grc.com/SN/
TWiT Netcast Network: http://twit.tv/
Windows Weekly with Paul Thurrott: http://twit.tv/ww/
