“Daniel” from “Microsoft” called me the other day. The number looked halfway legit so I picked up. He out and out claimed to be from Microsoft and said he was getting alerts from my computer. His voice sounded familiar–I think I’d talked to him before.
“Which computer?” I asked.
“Your Microsoft computer,” he said.
Last week, I heard a webcast in which the presenter repeated some advice from 2004: Patch things like your financial systems first, and your workstations last.
Workstations need to be first. Read more
Continuing in the theme I’ve been following for the last couple of days, here’s a guide to security and privacy with web browsers. Like the guide I linked to yesterday, I’m not sure I agree with it 100%–I think saying never use Internet Explorer is too absolute–but I do agree with the overwhelming majority of it, and if everyone did all of this instead of what they’re doing now, we’d be in a much better state.
And, on a somewhat related note, here’s a rundown of what Windows 10 changes in the way of privacy, and some recommendations, but here’s a hint: You’re going to want to type privacy into your Windows search bar, pull up everything related, and start shutting stuff off. Use your discretion, but chances are there will be several things. If nothing else, there are things that are appropriate for a Windows tablet that aren’t appropriate for a desktop PC.
Let’s get back to privacy and safety in general, whatever OS you’re running. Here are some highlights.
One of the very best things security measures you can take is application whitelisting–limiting the apps that are allowed to run on your computer.
The Australian Signals Directorate–the Australian counterpart to the NSA–says doing four things cuts security incidents by a whopping 85 percent. You probably do three of the things. The fourth is application whitelisting.
- use application whitelisting to help prevent malicious software and unapproved programs from running
- patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- patch operating system vulnerabilities
- restrict administrative privileges to operating systems and applications based on user duties.
I sometimes show my age by making jokes about Bonsai Buddy and Gator and Hotbar, but ads injected in browsers are a problem that’s coming back. And sometimes these ads come with malicious payloads, installing unwelcome software on your computer to maintain persistence.
Problems like this are the reason I tend not to load my browsers down with lots of extensions. Sometimes the functionality is cool, but I’ve always found ways to get what I need done with a stock browser, and then I have a better idea of what I’ve gotten myself into. I’m beholden enough to the agendas of Microsoft, Mozilla, or Google as it is; I don’t need third parties injecting their agendas into the mix, especially when they may be malicious.
And besides that, a lot of extensions tend to be very memory- or CPU-hungry. I have enough memory on most of my machines that I can dedicate 2 GB of RAM to a web browser, but I’m not sure why I should have to.
The fewer extensions you load onto your web browsers, the safer you’ll be, and in the long term, I’d wager the happier you’ll be as well.
Monthly patches and upgrades don’t always go well, but getting them down is increasingly critical, especially for applications like Flash, Reader, and the major web browsers. This week I called it “the new firewall.”
Twenty years ago, home users almost never bothered with firewalls. My first employer didn’t bother with them either. That changed in the late 1990s, when worms exploiting weaknesses in Microsoft software devastated the nascent Internet. Firewalls soon became commonplace, along with some unfortunate hyperbole that led some people to believe firewalls make you invisible and invincible, a myth that persists in some circles even today.
For this reason I’m a bit hesitant to declare anything a new firewall, but firewalls are necessary. So is protecting key software.
You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. Here’s a watering hole attack example from the real world.
In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks.
Here’s the logic: Since ad servers tend to be much less secure than your target company, you compromise an ad server from a site someone on the target network is likely to visit, then infect them from there. The attackers jumped to the ad network first. That put them into position to jump onto government and bank networks.
I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.
I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.
I probably ought to know better than the venture into the topic of web browsers by now, but since I stepped into it Friday, I guess there’s no point in staying in the shallow end.
The problem with web browsers is that they all require you to trade one thing for another, and if anything, that’s more true today than it ever has been before. Read more
I’ve been seeing a lot of news this week about web browser plugins getting exploited to plant malware on computer systems. A lot of people know to keep Flash up to date, and to keep Java up to date or uninstall it–at least I hope so by now–but there are two targets that people generally forget about: Shockwave and Silverlight.
Because so many people have them installed and don’t know it, and therefore never update them, they are ripe targets for attack. Read more