Here’s the reality: The only way to stay completely safe on the web is to stay OFF the web.
Wait, wait, I didn’t mean NOW, finish reading the article.
Yes, when you connect your computer to other computers (and that’s the whole idea of the web), you do open your door to a certain amount of bad behavior. The purpose of this article is to help you minimize the risk of virus/malware infections, identity theft, and loss of all privacy.
First and foremost, regardless of whether you’re on a Mac or a PC, or even Linux, you can be infected with bad stuff, so you need an antivirus/anti-malware program. There are many to choose from and I am not going to recommend any in this article. I may later on review several, but for now I’ll list several that are low-cost or no-cost. I personally use Sophos Anti-Virus on my Mac. I learned about it from following the podcast and blog, and I realize most of my audience will probably NOT be following their podcast or blog. It is free of charge and it works. My husband is using AVG, also free of charge. Both boys are using Microsoft Security Essentials, and that’s also what I use on my Windows machine. I have used AVAST with good results. The biggest problem people report with some antivirus programs is that they can be overzealous and really slow your machine down. The benefit of using a free program is that if you don’t like how it makes your machine perform, you can change programs with no heartburn. Some of the programs available for charge include ESOD, McAfee (pronounce it MACK-a-fee), Trend Micro, and Symantec/Norton products. I used a Norton suite many years ago and for the most part I was not disappointed in what I got.
Another tool is a firewall. You can use a hardware firewall appliance but for most of us it is not necessary. You can get a firewall to install if you run a Linux machine, and there are several you can use for Windows. I’ve used ZoneAlarm and I liked it okay. Now I’m using Windows Firewall on my Windows machine. I do not have a firewall on my Mac, but my internet connection is not great, and we disconnect our computers from the network when we close the lids on our laptops anyway.
The most important tool you have to prevent virus and malware infections is your two hands. What they do—and what they DON’T do—can have the biggest effect on how likely you are to become infected. Repeat after me: I DO NOT HAVE TO CLICK ON EVERY LINK IN MY EMAIL. I DO NOT HAVE TO CLICK ON EVERY STORY THAT TUGS AT MY HEARTSTRINGS. I DO NOT HAVE TO BELIEVE EVERYTHING I SEE ON THE INTERNET.
When you see a story on Facebook to the effect that a celebrity has died or has done something scandalous, do some research before you click on it. Many of the stories like that will take you to another login page that looks just like a Facebook login, but it will actually capture your login activity; when you type in your name and password, there’s a piece of software capturing that information. There are various reasons people may want to do this, but what you will most likely see is that all of a sudden people are telling you that you’re putting stuff on their wall or sending them direct messages trying to sell them something; or you see weight loss products or male enhancement products showing up in your timeline.
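As an added example (not part of the original article), here is one way to check where a "login" link really goes before trusting it: look at the host the browser would actually contact, not at whether the word "facebook" appears somewhere in the address. The function name, the trusted list and the `.example` sample links are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only site we accept as the real Facebook.
TRUSTED_DOMAINS = ("facebook.com",)

def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, detail) for the host a browser would really contact."""
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and the port, and lowercases the name.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return ("suspicious", "not an https link")
    if not host:
        return ("suspicious", "no host name in link")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "encoded look-alike characters in " + host)
    for domain in trusted:
        # Accept the domain itself or a true subdomain, never a mere substring.
        if host == domain or host.endswith("." + domain):
            return ("ok", host)
    return ("suspicious", "real host is " + host)

# Constructed sample links; the .example hosts are placeholders, not real sites.
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://facebook.com.account-check.example/login.php",
    "https://facebook.com@account-check.example/login.php",
    "http://www.facebook.com/login.php",
    "https://faceb00k.example/login.php",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_login_link(link), link)
```

Only the first sample passes. The second and third put "facebook.com" at the front of the address, but the part that counts is what comes right before the first single slash, after any "@".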
If you use Windows Vista or Windows 7, you have User Account Control—USE IT! Yes, it can be annoying to have to answer “Are you sure you want to do this” a couple of times, but it is a viable alternative to having to enter a password for all installs, which Linux and Mac require. If the “are you sure” dialog box comes up and you don’t know why, TELL IT NO!!!! If you are trying to install something, then, tell it YES—but if you don’t know why your computer is asking you if you want to make a change to your computer—and installing something is making a change—then don’t authorize the action. A lot of the infections come in with your permission, and this will stop that portion.
Beware of what you allow with what you WANT to allow. READ what you’re downloading. Lately, Adobe Reader and Flash Player have been “offering” downloads of other programs, notably a virus scanner. You should already be using one before you get to the point of seeing that. If you install any kind of coupon printer, READ THAT AGREEMENT!!! Seriously, I got to the point of agreeing to install one and I read what I was installing. The license I was agreeing to stated that I was also agreeing to install other software that would collect information on where you go on the web, what you do, whom you interact with, etc., none of which in and of itself is necessarily “bad.” The problem is that you can’t be sure that all the other software is doing is what it says it is doing. It may also be logging keystrokes. That may not be horrible if all they got was your login to your favorite gardening website. However, if you log into your bank, and that software sends back to its boss your username and password of your bank login, that’s called a compromised account. It’s very important that you understand what you are installing, because once it’s installed, it may be no easy task to get rid of it. Also, it may be phoning home and allowing installations of other software as well, that may be sending out spam from your machine.
A couple of telltale signs that you are infected will be numerous popups of browser windows, or a consistently dreadfully slow computer when it shouldn’t be (if it’s running Vista or Windows 7, or one of the later Mac OS X versions, or a fairly recent version of any Linux OS). Every computer will have times when it is more sluggish than usual, if there are a lot of processes occurring at once or if it is processing updates, etc., but if it never returns to normal performance, an infection is one possibility.
Ransomware is probably about as bad an infection as you can get. Before I get too far into what it is and how to avoid it, I need to tell you to BACKUP, BACKUP, BACKUP! You’ll understand in just a few minutes.
Ransomware holds your computer hostage. Earlier versions just put a virus on your machine and presented a page with a link that took you to a payment site. Once your credit card information was entered, you were presented with another link that would either provide a cleaner to install or clean the machine with a scan-and-remove tool. The underlying threat was that anyone who had no qualms about holding your computer for ransom with a virus would not hesitate to use that credit card information for other nefarious purposes. We actually had some luck cleaning this stuff off for customers.
The newest variant of ransomware carries the name CryptoLocker, and unless you pay the ransom they demand, there is no cure. Lemme explain:
CryptoLocker begins the process of encrypting your hard drive and alerts you to its presence. The encryption process they use is asymmetric, which means that one key is used to encrypt the data, and a different, but mathematically matching, key is used to decrypt it. The decryption key stays with the attackers, which is why there is no cure unless they hand it over. The notice you get is that you have a certain number of days to pay the ransom before your hard drive will be inaccessible to you. The payment demanded is in two forms: one is Bitcoin, and the other is MoneyPak. Both of these methods work to shield against identification, making your payment untraceable.
Your second best option if you get a CryptoLocker infection is to stop using the machine immediately, disconnect it from the web and from any storage drives, and do what we call a “nuke and pave”—completely reformat the drive and reinstall the operating system. The best option is to do a complete restore from a complete backup, and that is only the best option if the backup you bring in was done before the encryption started. If you ever get a notification that you have been hit by CryptoLocker, or by any software that says it will encrypt your hard drive and demands payment, immediately disable any automatic backups, and uninstall your backup software, if possible. This will prevent accidental overwriting of any good backups with encrypted backups.
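The "don't overwrite good backups" advice can also be automated. This added example (not part of the original article) goes a step beyond the manual advice above: before a scheduled backup replaces the last good copy, it compares today's files with fingerprints saved at the last good backup and holds the run if too many changed at once. The function names and the 30% limit are assumptions for illustration.

```python
import hashlib, os, tempfile

def snapshot(folder):
    """Map each file's relative path to the SHA-256 fingerprint of its contents."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            result[os.path.relpath(path, folder)] = digest
    return result

def backup_decision(last_good, current, max_changed=0.3):
    """Return ("run" or "hold", share of known files changed or missing)."""
    if not last_good:
        return ("run", 0.0)          # first backup ever: nothing to protect yet
    altered = sum(1 for path, digest in last_good.items()
                  if current.get(path) != digest)
    share = altered / len(last_good)
    # Ordinary use touches a few files; ransomware rewrites most of them at once.
    return ("hold", share) if share > max_changed else ("run", share)

def demo():
    """Constructed sample: ten small documents, one normal edit, then a mass rewrite."""
    with tempfile.TemporaryDirectory() as folder:
        for i in range(10):
            with open(os.path.join(folder, f"doc{i}.txt"), "w") as f:
                f.write(f"family document number {i}\n")
        last_good = snapshot(folder)
        with open(os.path.join(folder, "doc0.txt"), "a") as f:
            f.write("one more line\n")                 # an everyday edit
        normal = backup_decision(last_good, snapshot(folder))
        for i in range(8):                             # stand-in for scrambled files
            with open(os.path.join(folder, f"doc{i}.txt"), "wb") as f:
                f.write(os.urandom(64))
        mass = backup_decision(last_good, snapshot(folder))
    return normal, mass

if __name__ == "__main__":
    print(demo())
```

A "hold" result means the old backup is left alone until a person has looked at the machine.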
We’ll go further into backup and restore in other places on this site, but from here you just want to take away the best ways to keep it from happening to you and what to do if it does.
When someone uses your personally identifiable information (PII) to do things as if they were you, such as open accounts, obtain credit, or rent an apartment, your identity has been stolen. This can happen as easily among family members as it can on the web. I’m not going to try to tell you how to deal with your family, but I can tell you how to guard against it on the web.
Let’s be clear on this: Banking and shopping over the internet are reasonably safe—as long as you pay attention and do certain things, and avoid certain things.
First, the DO’s: DO monitor all your bank accounts and credit and debit card activity. Verify all purchases and question any suspicious transactions. If you have any questions, call the financial institution immediately. DO log out of stores and bank websites where you have used your bank card. DO protect any passwords you use. DO look for this icon or this bar whenever you plan on using your bank card, or when you visit your bank’s website for login. DO visit my other site to learn how to create a strong password.
Now the DON’Ts: DON’T use public computers, like at a library or school or internet cafe, to conduct financial transactions. DON’T use anything on this list of passwords. DON’T leave passwords lying around, stuck on the bottom of your keyboard, taped to your monitor. DON’T click on a login link in an email that looks like it came from your bank or other place where you’ve done credit or debit card transactions. DON’T fall for any messages that come from friends stranded in London with no money.
This may sound like a strange subject to be addressing on a tech blog, but you can defeat a lot of your physical security with a few keystrokes. Pay attention to how much of your activity you post. If you make it known that you’re gone, and have previously said something on Facebook about a door lock that doesn’t work right, and posted a picture from your phone of your new car in your driveway, there’s a strong possibility that a thief can use metadata in the photo to figure out the exact location of the unoccupied house with the malfunctioning door lock. Make sure you disable location abilities on your photo app on your phone. Set your Facebook privacy to Friends only. Don’t advertise goodies thieves may want: if you get a fabulous new television for Christmas, don’t take the box to the curb till trash day.
Yes, your grandkids and your kids all know how to use this stuff better than you do. The problem is that they don’t know any more about doing it safely than you do. In fact, after today, you’ll know more than they do.
In much the same way that you’ve taught them about physical “stranger-danger,” talk to them about cyber-danger. Not everyone who “friends” them is their friend, and kids shouldn’t have any “friends” who aren’t FRIENDS. If they have never met them, they shouldn’t be online friends with them. There may be exceptions to this, for example, in a heavily monitored space set up as a safe place for kids to meet online, but even then you’d want to vet the monitoring organization.
You’ve taught your kids to walk away from a bully; teach them the same thing about cyberbullies. Unfriend and block. Bullies are everywhere, and children simply don’t have the sensibilities to allow them to deal with them. Best to avoid altogether.
Even if your kids are more technically savvy than you are, you are still their first line of defense against dangers online. Know what they are doing, know where they visit. Talk to them, and encourage them to talk to you. Let them know you won’t blow up if they accidentally end up at a porn site—it can happen by accident, and yes, you do want to know about it. You want them to know that you want them to talk about what happened, so they can process the feelings of ickiness they had when they saw what they saw, and so they won’t carry a burden of guilt for landing on a page they didn’t want to get to. It happens, it’s not their fault. Your cool head will serve them far better than any punishment (which they don’t deserve just for that) would.
If it happens to you
Depending on what exactly “it” is that happens to you, the process is different.
If you are a victim of identity theft, as soon as you see something suspicious, contact your bank’s fraud victim officer or whoever it is that is in charge of identity theft. Follow their instructions carefully, and make sure one of those instructions is to file a police report.
If you are a victim of CryptoLocker, there isn’t much you can do beyond starting over.
If your children are victims of cyberbullying, use the incident to bolster their understanding of where their genuine worth comes from. If there are threats of physical violence, your child probably has an idea of how realistic the threats are, and your course of action will be driven by that. Your kids’ friends probably know the bullies as well; those friends’ parents may be good resources as to how to deal with it. I’ll never understand how a cyberbullying victim keeps the bully as a “friend” online. But as a parent, your child should NEVER HAVE A PASSWORD THAT YOU DON’T KNOW!!!!!
This sounds like a lot, and it may be. I’ve adopted these strategies sort of by default as I learned of each threat. I spend a lot of time reading about and listening to and learning about this stuff so you don’t have to, so this isn’t just my opinion. It’s an aggregate of about 25 blogs and 12 podcasts on technology and security and parenthood. I’ve just been able to connect the dots and bring it all into one document.
Any questions, comments or suggestions? Anything I’ve missed or that you wish you had found here? Let me know. If I can address it quickly, I’ll either edit the post or answer your comment. If it’s deep enough, I’ll write a whole new post.