Security Secrets the Bad Guys Don't Want You to Know

Don't Depend on Microsoft Word or Adobe Reader

They're extremely popular programs, but Microsoft Office and Adobe Reader are not the strongest applications from a security perspective--especially when it comes to opening files that you think are probably okay but aren't sure about.

Most bad guys subscribe to a big-tent theory of troublemaking. When they plan an attack, they usually aim at the most widely used software programs, which is one reason why Windows gets hit so much more often than Linux or Mac operating systems.

One way to stay a step ahead of them is to use less-popular apps that crooks target relatively infrequently. Many security experts open their PDF files in alternative readers such as Foxit Reader or PDF Studio. Similarly, you can check .doc and .ppt files in OpenOffice. The downside is that, in a nonstandard application, files may not look exactly as they should. This drawback might make such apps unsuitable for daily use, depending on your needs, but even so you should consider using them to open dubious documents.

Use a Service Like Gmail or VirusTotal to Check Documents That You Do Open

Why do security experts use alternative PDF and .doc readers?

They've warned us for years not to open attachments that come from untrusted sources. Strange .exe files are a sure sign of trouble, but hackers have also found ways to break into computers by tricking users into opening maliciously encoded documents. The vast majority of these attacks take advantage of known flaws in older programs; but in addition, new attacks--called zero-day attacks--periodically pop up, exploiting flaws that software makers haven't yet patched.

By now you know to find an alternative document reader, but if that doesn't work for you, consider adopting other methods to double-check documents and avoid viruses.

One approach is to let Google do the checking for you. Forward attachments to a Gmail address, and Google's filters will scan them for malware. Then, you can convert the document and read it in Google Docs to see whether it's legit.

Another tip is to submit files to VirusTotal. This free scanning service runs your file through 41 antivirus scanning engines. If any of the programs identifies it as malicious, VirusTotal will let you know.

Know What Programs You Use, and Verify That They're Up to Date

The old version of RealPlayer you downloaded a few years ago may be nothing more than a security hole today. If you don't use a program, consider uninstalling it from your PC.

To trim unwanted apps, visit the Windows Install/Uninstall section of the Control Panel. As a rule of thumb, if you're not using a program, lose it.

From a security perspective, every program--especially a widely used app--is just another path that hackers can use to break into your system. A useful security tool is the Secunia Online Software Inspector, which scans your PC for out-of-date software.

Use Plugin Check, a handy Mozilla feature, to see whether your browser's plug-ins need updating.
But don't stop there. On this helpful Mozilla page, you can check to see whether your various browser plug-ins--for Chrome, Firefox, IE, and Opera--need updates.

It's also a good idea to check your Facebook applications to make sure that you don't have the Facebook equivalent of software bloat. While logged in, click Account, Application Settings, and see what apps you have installed. If you don't use one, delete it.

Sharpen Your Password Game

People have to remember too many passwords on the Internet. Everyone knows this, but most of us get around the problem by using the same username and password over and over.

Hackers know this as well, and they're happy to use it against you. Often they steal a person's password and user name, perhaps via a phishing attack, and then try that combination on other popular services--Facebook, Gmail, PayPal, Yahoo--to see if it works there, too.

Luckily, free and simple password management tools, such as KeePass Password Safe, are available to keep track of your passwords for you. They are a bit more work--you may tire of constantly jumping between a password manager and your browser every time you want to log into a Website--but remember that security always involves trade-offs.

If you use the Firefox browser, you can try the KeeFox plug-in, which integrates KeePass's password management with your browser. Products like these "keep people on the good practice of having secure and separate passwords for everything, but keeps them from having to memorize them," says Wesley McGrew, a security researcher with McGrew Security.

Robert McMillan covers security issues for the IDG News Service.
