Welcome to 12 Mile Station
  

Computer Security
From Donboy

You will notice in the following sections I have found that avoiding Microsoft products has increased my security. Check out this Linux vs. Windows Viruses link for some reasons why.

This is a quote from the Honeynet Project:
"The Windows honeypot is an unpatched version of Windows 2000 or Windows XP. This system is thus very vulnerable to attacks and normally it takes only a couple of minutes before it is successfully compromised. It is located within a dial-in network of a German ISP. On average, the expected lifespan of the honeypot is less than ten minutes. After this small amount of time, the honeypot is often successfully exploited by automated malware. The shortest compromise time was only a few seconds: Once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine."


There are the following sections:

  • Secure Your Internet Connection
  • Secure Your Operating System
  • Secure Browsing
  • Secure Passwords
  • Secure Your Applications
  • Phishing

Secure Your Internet Connection


In our connected world, you cannot afford to overlook securing your computer if you are connected to the internet. I have been on the web for many years without a security problem; I hope it is because I am doing things right and it is not just dumb luck.

The first thing you need to look at is a firewall. I have read about tests where Windows computers without a firewall were connected to the internet and the infection time ran from 30 seconds to 3 hours. Note: they ALWAYS get infected. The default install of Windows has all ports open, a bit like a house with all doors and windows open and a sign in the front yard that says "nothing locked - no one home - come on in". You might get by with it but I don't expect you will.

You can get software firewalls that run as a service on your computer. If you are using dial up internet, the only firewall I know of is a software firewall. A software firewall can create problems. A bug in a software firewall can open your computer to attack, so you must keep checking to see if you need to patch it. A lot of applications on your computer can be affected because they were not designed to run with a firewall on the computer and could require a lot of setup effort to get running again. If you can, use an external hardware firewall.

If you are on DSL, cable or wireless you need a router to connect and I have had good results with an external router/firewall for my connection. I got a Linksys router/firewall that was cheap and has worked great. I did find that the support from Linksys did not exist so you should keep that in mind (I noticed that they did add a support information section to their web site but I have not used it yet). I had to apply one firmware patch to the router after 10 months of use and have had no down time.

Dealing with firewall administration is a bit of a challenge for the home user because it is all about TCP/IP and that is a specialized area even among people who make their living with computers. A very high level description of TCP/IP is that on the internet, every computer has a number and each computer with a number has many port numbers. There is no need to have ports open to browse the internet and you can run with a firewall that has all ports closed. A virus must come through a port, email or a file that you download so keep the ports closed. The only port I have open on my system is port 80 so I can use a web server to allow people to download large files.

By the way, you can try to go through the settings on Windows to close ports by shutting down services that you do not need but if I remember right, it will keep something like 14 ports open no matter what you do.

Secure Your Operating System


As a home user, securing your operating system is simple because it is unreasonable to expect a home user to know all there is to know about their computer OS so they can take technical measures to make their system secure.

Your first line of defense is a good password (see secure passwords below) for the administrative user on your computer (root for Linux or Unix and administrator for Windows). Changing the password of the administrative user should be the FIRST thing you do when you start your computer for the first time or should be done when you are installing the operating system.

Your second line of defense is to create a user account that you will use when you are working on the computer. Using a user account will limit the damage that a virus can do if you are exposed to one. Windows is not as clean in controlling rights by login so a user account will help in Windows but not as much as it would in Linux or Unix. The added security of a user account helps so much in Linux and Unix you should always create and use one.

Your third line of defense is to keep your operating system patched. It is a sad fact that patching your system can break it and not patching your system soon after the patch is out will mean that you can expect to get infected with a virus. I keep an extra test system that I use to test patches to see if they will break my system but that is not practical for home systems.

If you are running Windows, you need to install virus checking software that runs as a service. Often, virus checking software will break some things, but you need it because no matter how hard you try you cannot lock down Windows completely, so some day you will have a virus infect you if you do not do this.

Secure Browsing


A simple step to increase your browser security is to replace your Internet Explorer browser with Mozilla (go to www.mozilla.org and download it for free) or the Opera browser. I preferred Mozilla because it is what I have experience with but I did try Opera to see what it was like and now use Firefox.

Making your browser secure is complicated by press articles that do not draw a clear line between privacy and security. One area that has been way overstated in the press is cookies. From time to time, there have been cookie issues with IE but I don't remember any in Mozilla. Using a cookie is the best method for keeping the choices you have made in the site assigned to you so they can transfer from page to page until you close the browser. I did see some sites remove cookies at the height of the evil cookie press (it even made the evening news). When a site does not use cookies to control security and user preferences, you get sites that drop off the user (an example would be a shopping cart where you add items to your cart for 20 minutes and when you go to check out, the cart is empty) and/or sites that break security (the ID for your session is exposed on the URL and if you are logged in someone could take over your session).

If you are still concerned about cookies and privacy, before you disable your cookies think about this: while driving and shopping, your picture is on many cameras and someone could check them to find out what you like to do. After you make a habit of covering your face while shopping and driving, you might gain some privacy by disabling cookies on your browser. I browse the web with cookies turned on for all sites. On my sites, I use cookies that expire when you close the browser and if you look in them you will find nothing but a big number because, like most sites, I do not track you as a person but as a session (each new visit is a session) so you will not lose any data you entered.
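The session-only cookie described above, as an added example (not code from this site): the cookie carries nothing but a random number, has no expiry so the browser drops it on close, and the server looks the session up from the cookie rather than from the URL. The names `SESSIONS`, `start_session`, `load_session` and `id_leaked_in_url` and the cookie name `sid` are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

SESSIONS = {}  # hypothetical in-memory store: session id -> data kept for that visit

def start_session():
    """Create a session and return (session_id, Set-Cookie header value)."""
    sid = secrets.token_hex(16)          # "nothing but a big number": 128 random bits
    SESSIONS[sid] = {"cart": []}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    # No Expires or Max-Age is set, so the browser discards the cookie when it closes.
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True       # only sent over an encrypted connection
    cookie["sid"]["httponly"] = True     # not readable by scripts in the page
    cookie["sid"]["samesite"] = "Lax"
    return sid, cookie["sid"].OutputString()

def load_session(cookie_header):
    """Return the session named by the Cookie header, or None if it is unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)

def id_leaked_in_url(url):
    """True if the URL carries a session id in its query string (the risky design)."""
    return "sid" in parse_qs(urlsplit(url).query)
```

A session id in the URL ends up in browser history, bookmarks and forwarded links, which is why the lookup above reads only the cookie.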

A web page will often have JavaScript in it. The name is VERY misleading because JavaScript has NOTHING to do with Java. You can at times find viruses that use JavaScript but if you disable it, many sites will not work right. I have JavaScript on for all sites but I do not use IE or Windows, which keeps my risk down.

A third party software called Flash is common on the web. If you are on dial up, Flash sites can be very slow and most of the time all they are doing with all that time is moving some graphics around on the screen, cute but not worth the wait. I have a fast connection, so I run Flash, but I have to keep track of patches for it because a bug in Flash could allow an attack on my system.

If you download and install third party software (plugins), you are exposing your system to infection. Make sure you do your research BEFORE you download and I never download any plugin software unless I think it is very useful. Each software package you install on your browser makes one more thing you should track for patches. The most common way to get spyware is to download and install a plugin that sounds neat but is really spyware (a friend checked his daughter's machine and she was running 30 types of spyware that she had downloaded and installed).

Microsoft wanted to have something to replace Java applets in their browser because they did not control Java. For Internet Explorer they created ActiveX. ActiveX has provided infection access for many viruses. If you use IE, I would turn off ActiveX and only turn it on by site if you have to.

Microsoft also tried to control Java by using their own incompatible Java Virtual Machine (often referred to as a VM) with IE. They lost a court battle for doing this and also created some security problems because they had security holes in their Java VM. If you go to java.sun.com, you can download and install the real Java VM for free or you should download and install the Microsoft IE patches which will patch the known security holes in their VM. The VM is not a big problem so far because it takes too long to download and run a Java Applet on dial up, but as the number of fast connections climbs and more sites start using Java Applets, the VM that you use could become an issue for you.

Most sites and/or browsers allow you to "save" a login and password, for sites that require a login. When you "save" a password it is then stored in a file on your computer and becomes a security risk. Do not "save" login information unless it is something where you do not care about the security like a newspaper site.

When I order on-line, I make note of how secure the site is. Before you enter credit card information, you should check the lower right corner of your browser to see if the little lock icon shows that it is closed. A closed lock means that your connection is now "secure" or in other words encrypted. I never enter personal information on the web unless the connection is encrypted. Your complete credit card number should not be displayed back to you on the next page. I want to re-enter my card for every order so I know that someone could not gain access to my card information by hacking my login to the site so I don't like sites that store the card information to be used with the next order. I also like it when they make me re-enter my password before I go to a secure part of the site because it is one more thing that can stop someone from stealing my account and using it.

I do not use IE to browse or search the internet for security reasons. If a site requires IE, I don't go there or if I really need to use the site (an insurance site for example), I will use IE to go directly to the site and exit IE when I am done.

Update: 7/1/2004 - If you are using Internet Explorer, being careful is really not a solution anymore. If you want to enter secure information on the internet do NOT use Internet Explorer.

Secure Passwords


In the past, I have worked on some very secure systems. One of the first things I learned was how to select a password. Once you learn how passwords are hacked, it is amazing how many people use passwords that are not secure.

For your password you should NOT use:

  • Your child's name
  • Your pet's name
  • A character's name from your favorite movie, book or TV show
  • Any word in the dictionary
  • The make, model or nickname of your car
  • Part of your address
  • Your last password with a bigger number added

You do not want someone to be able to do some research on you and guess your password. I have noticed that people have a very strong need to use a child's, spouse's or pet's name and that is also the first thing a hacker will try.

If you add a number to a password, it should not be at the beginning or the end. Hackers will try all words in the dictionary and then try all words in the dictionary with a leading or trailing number. They use computer programs for password hacking so it is not a question of effort for them.

An example of a good password that is harder to hack but easy to remember is "tre101erock". It is tree with a number between the ee plus rock.
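The rules in this section can be turned into a check that runs before a password is accepted. This is an added example, not part of the original page; the word list, the personal details and the function names are constructed for the demonstration.

```python
import re

# Constructed sample data for the demonstration.
DICTIONARY = {"summer", "monkey", "tree", "rock"}
PERSONAL = ["Rex", "Mustang"]          # e.g. a pet's name and a car model

def split_trailing_number(pw):
    """Split 'blu3sky7' into ('blu3sky', 7); no trailing digits gives number 0."""
    stem, digits = re.fullmatch(r"(.*?)(\d*)", pw, re.DOTALL).groups()
    return stem, int(digits or 0)

def weak_reasons(password, dictionary, personal, previous=None):
    """Return the reasons a candidate password breaks the rules listed above.

    dictionary: set of lowercase dictionary words
    personal:   names, car, address parts and similar facts about the user
    previous:   the user's last password, if known
    """
    pw = password.lower()
    reasons = []
    # Guessing programs try every word with digits stuck on the front or back.
    core = pw.strip("0123456789")
    if pw in dictionary:
        reasons.append("dictionary word")
    elif core in dictionary:
        reasons.append("dictionary word with leading or trailing number")
    elif core != pw:
        reasons.append("number at the beginning or end")
    for term in personal:
        if term and term.lower() in pw:
            reasons.append("contains personal detail: " + term)
    if previous:
        old_stem, old_num = split_trailing_number(previous.lower())
        new_stem, new_num = split_trailing_number(pw)
        if old_stem and old_stem == new_stem and new_num > old_num:
            reasons.append("last password with a bigger number added")
    return reasons
```

An empty list means the candidate passed every rule from this section; the page's own example, "tre101erock", passes against the sample data.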

Secure Your Applications


Server software is not needed for most home users. If you are running server software, make sure you set the password for the server if it has one and control the ports for the server with a firewall.

Office applications have the option of creating macros that are stored in document and spreadsheet files. Like many of their other products, the Microsoft Office suite comes with virus support. I never download and use a document from the web or blind email with Microsoft Office, NEVER. I have not noticed as many Office viruses in the news lately. The money in viruses is from controlling your computer and that might be hard to do with a macro virus. In any case, it is easy to damage your computer files with a macro virus and you don't need that.

Some time ago, I switched to Open Office. You can download it for free at www.OpenOffice.org. I did not switch because of cost or security but I switched because the advanced functions in Word had become unusable for me (I will put more details on a computer system page). A side benefit to using Open Office is that I am not exposed to the Microsoft macro viruses.

The Adobe PDF viewer has had patches from time to time. I do use it with files I download from the internet so it is something I keep patched.

Phishing


Phishing is a type of scam where they use bugs in browsers to pretend to be a site that you would trust and collect your private information (SSN number, account numbers, passwords, etc.).

At the top of your browser is the address bar where you can see the address (URL) of the site you are on. A common form of phishing is to send you an email that looks like it came from a site that you do business with that has a link in it to a fake site. Because it is easy to download the html and graphics from a site you want to copy, a fake site can be very convincing and even include links back to the real site. When you are on the fake site, they mask the URL so it looks like you are on the real site and give you a form to enter the information they want to get from you.

The solution to phishing is simple. If you get a request for personal information in an email, do not use the provided link (also expect it is a scam because most businesses know about phishing and will not send that type of email anymore). If you think (I would call them first because the odds are that it is not) the request is valid, type the address of the web site in your browser's address bar and get to the correct site that way.

Update: 7/1/2004 - If you are using Internet Explorer, being careful is really not a solution anymore. If you want to enter secure information on the internet and you think it might be phishing, do NOT use Internet Explorer.





