10 Quick Fixes for the Worst Security Nightmares

Fix 7: Develop an Antiphishing Habit

The dastardly practice of phishing for personal information is still alive and well, and many fake sites can be hard to distinguish from the real ones. But a few simple practices can ensure you'll never be snagged by a phishing hook.

The best approach, and the most straightforward, is never to click a link in any e-mail message to access your financial accounts. Instead, always type the URL or use a bookmark. That one habit will protect you from almost every phishing attack.

If you can't make that change, then at least use the latest version of Internet Explorer, Firefox, or Opera to browse the Web. All have built-in features to block known phishing sites (and, as described in Fix 3, Opera and Firefox now also block known malware sites). Avoid Safari, which lacks any built-in antiphishing protection.

Finally, keep an eye out for the common phishing tactic of using URLs like "http://adwords.google.com.d0l9i.cn/select/Login." If you glance at the URL (an actual recent example listed by Phishtank.com), you might think the site's domain was google.com. In fact, it's heading to d0l9i.cn, a site in China where operators are standing by to swipe your personal details.

By highlighting the true domain in a URL, Internet Explorer 8 will help users decide whether the domain is legit (as in this example) and spot phishing attempts.
Internet Explorer 8 will use an innovative feature called Domain Highlighting that will make spotting such trickery easy. But until it becomes available, watch URLs carefully.
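
The check that domain highlighting performs can be reproduced in a few lines. This is an added example, not code from Internet Explorer or from the article; the function names are hypothetical and the small `PUBLIC_SUFFIXES` set is a constructed stand-in for the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
# Production code should load the full list instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "co.uk"}


def registrable_domain(url):
    """Return the part of the host that identifies who really owns the site."""
    host = urlsplit(url).hostname  # lowercased; excludes port and any user@ prefix
    if not host:
        raise ValueError("no host in URL: %r" % (url,))
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address has no domain to trim
    except ValueError:
        pass
    labels = host.split(".")
    # Longest matching suffix wins; the owner's name is the label to its left.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("host is only a public suffix: %r" % host)
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def highlight(url):
    """Render the host with the registrable domain in brackets."""
    domain = registrable_domain(url)
    host = urlsplit(url).hostname.rstrip(".")
    return host[: len(host) - len(domain)] + "[" + domain + "]"


def is_expected_site(url, expected_domain):
    """True only if the link really belongs to the domain you meant to visit."""
    return registrable_domain(url) == expected_domain.lower()


if __name__ == "__main__":
    samples = [
        "http://adwords.google.com.d0l9i.cn/select/Login",  # URL quoted in the article
        "https://adwords.google.com/select/Login",          # constructed comparison
    ]
    for u in samples:
        print(highlight(u), is_expected_site(u, "google.com"))
```

Reading the host from right to left, as the function does, is the same habit to apply by eye: the owner is the label just before the final suffix, whatever appears to its left.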

Fix 8: Keep Your Own Site Safe

It's not a good time to run a Web site. The Web may look like a digital wonderland, but behind the scenes it's a war zone. And the guns are trained on your site.

Crooks use automated tools to search sites for the most common vulnerabilities. If they find one, they blow the hole wide open to plant harmful code that will attack your loyal visitors.

To help keep your site safe, start with some quick, free scans that ferret out the most obvious problems. First, fill out a form at Qualys.com to request a free scan of one IP address.

The free Scrawlr tool searches your Web site for SQL injection vulnerabilities.
Next, download the also-free Scrawlr tool from HP. After a quick install, use Scrawlr to scan your site for SQL injection vulnerabilities (a type of hole targeted in a recent Sony site hack).

A clean bill of health from both scans won't guarantee that your site is safe. For instance, neither will find problems with custom JavaScript code, another common type of attack. And while requesting or running either scan is easy, fixing a reported hole might involve a fair bit of work. But that job will still take far less work than repairing your site and your reputation after your site has been hijacked.

Fix 9: Make Your Passwords Secure--And Easy to Remember

Online passwords are starting to seem about as safe as tissue paper protecting a bank vault. The supply of stolen logins is now so huge that crooks can hardly make any money selling them unless they add other ripped-off data, like addresses or Social Security numbers, according to security researchers. And thieves don't stop with stealing logins to financial accounts--the bad guys regularly pilfer access information for Web mail accounts as well. In one recent case, a scammer broke into Web mail accounts and sent messages to the victim's friends asking for money.

Experts say we should use strong, unique passwords for all our accounts. But they don't tell us how we're supposed to remember them, so most of us end up using the same, not-so-safe password at all our accounts.

Here's an easy fix that allows you to remember just one password, yet still have a strong, unique password for each site you use. The Password Hash (or PwdHash) add-on for Firefox and IE takes that simple password you type and runs it through an algorithm that uses the site's domain name as part of the calculation. The utility subs in the resulting strong password before you send it to the site. All you have to do (after installing Password Hash) is hit the F2 key in a password box before you type.

For a download link and more info on this useful tool, head to the PC World Downloads page.
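
The idea of mixing the site's domain into the calculation can be sketched as follows. This is an added example and not PwdHash's actual algorithm: it assumes PBKDF2-HMAC-SHA256 with the domain as salt, and the function names, iteration count and sample master password are all hypothetical.

```python
import base64
import hashlib

# Assumption: PBKDF2-HMAC-SHA256 with the domain as salt. The iteration count
# slows offline guessing of the master password if one site password leaks.
ITERATIONS = 100_000


def site_password(master, domain, length=16):
    """Derive a per-site password from one master password and the site's domain."""
    if not master or not domain:
        raise ValueError("master password and domain are both required")
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 characters")
    # Normalise so "Google.com" and "google.com." give the same result.
    salt = domain.strip().rstrip(".").lower().encode("idna")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    # URL-safe base64 keeps the result typeable: letters, digits, '-' and '_'.
    text = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return text[:length]


def passwords_for(master, domains):
    """Map each domain to the password that would be submitted there."""
    return {d: site_password(master, d) for d in domains}


if __name__ == "__main__":
    master = "correct horse"  # constructed sample master password
    # A look-alike domain receives a different password from the real site,
    # so the real site's password is never what gets typed into it.
    for domain, pw in passwords_for(master, ["google.com", "d0l9i.cn"]).items():
        print(domain, pw)
```

Because the derivation is deterministic, nothing needs to be stored; the same master password and domain always reproduce the same site password.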

Fix 10: Get Extra Cleaning Help for Stubborn Infections

Sometimes even the best antivirus program misses an infection. And once a virus or Trojan horse gets in, removing it can be incredibly tough. If you suspect some nasty got past your defenses, then it's time to bring in extra help.

Many antivirus makers offer free and easy online scans through your Web browser. The scans will take time, as the scanning service will need to download large Java or ActiveX components before it can get started, but they're easy to kick off. You can run them in addition to your already-installed antivirus application for a second (or third, or fourth) opinion. Here's the lowdown on your options.

Trend Micro HouseCall: Will detect and remove malware; works with both IE and Firefox.

BitDefender Online Scanner: Detects and removes malware; requires IE.

Kaspersky Online Scanner: Detects malware, but doesn't remove it; works with IE and Firefox.

F-Secure Online Virus Scanner: Detects and removes malware; requires IE.

ESET Online Scanner: Detects and removes malware; requires IE.
