By now, most of us are pretty wary when an email arrives, saying we have 24 hours to open a Word document, in exchange for four billion dollars from Robert Mugabe – waiting, conveniently, in an offshore account.
But “phishing” emails aren’t the only threat we face online – entire websites can be compromised to deliver malware, and our browser is often the “way in” for criminals.
This often happens when a new “zero-day” vulnerability is found – and before browser companies have protected against it. One such attack against Internet Explorer was reported by ESET this week.
But you don’t have to be paranoid, or hang back, or stop yourself enjoying the best the web has to offer. You just have to be careful. Our tips should help you browse with confidence.
Don’t install oddball software – even plug-ins
Browser plug-ins are a common, and usually innocent, way to add functions to your browser – such as downloading YouTube videos, or adding social feeds such as Facebook to your browser. But recently, several malicious plug-ins have stolen user data – and even used victims as part of DDoS attacks. Choose carefully – ideally from companies you’ve heard of, with good reviews on your browser’s store. You should think very carefully before installing ANY software – especially if it’s free.
Not all pop-up windows are bad – many are useful. But some are used to deliver malware, or for phishing scams. Set your browser to block them by default – that way you get to “inspect” any pop-ups that do appear, and open the ones you want to see, rather than the whole lot.
The web IS social – but don’t be over-friendly
Accepting Facebook requests to get a boost in a Facebook game can seem like a good idea – but you’ve suddenly opened a “back door” into your life, to people you don’t know at all. With Facebook’s new Graph Search, this means your private data can easily be searched – giving away, for instance, your location, your employer, and perhaps your phone number. Accepting friend requests from people you don’t know and trust puts your reputation at risk. Purge friends regularly to be safe. You need to review your privacy settings on social media on a regular basis as they may change.
Sure, laugh at funny Twitter headlines – but be careful before clicking
Outrageous, funny news stories circulate very quickly on Twitter and Facebook – so they’re perfect for cybercriminals to lure the unwary. If a story seems too crazy to be true, it may well be. Google it instead, find a real news source and read it there. When E! News was hacked, the fake tweet “Breaking! Exclusive: Justin Bieber to E! online ‘I’m a gay’”, was retweeted 1,200 times. If you’re worried, use the free ESET Social Media Scanner. And on a general note, never, ever click any link involving diets.
Don’t ever update a video player just to see one video
Wardrobe malfunctions from celebrities share quickly on social networks – but it could be your PC that ends up malfunctioning. One of the most basic safety steps for web users is to ensure programs such as Flash and Java are up-to-date – using older versions can allow cybercriminals an easy way to attack your PC. But if a video you’ve been sent says an update is required, don’t click – this is a common cybercriminal trick to install malware, often with sensational videos about news stories or celebrities. Update apps such as Java and Flash from your computer’s control panel – or when they prompt you to.
“Free” gifts online are not free
Any offer where you fill in personal details in exchange for a chance to win an iPad or other consumer item should be treated with extreme suspicion – cybercriminals use these attacks to harvest personal details which can later be used in identity theft attacks.
Be very careful about public Wi-Fi
Coffeeshop hotspots were an icon of the dotcom era – but they’re also risky if you’re accessing work data or bank sites over a “public” network. You’re safer using a smartphone’s 4G connection “shared” with your laptop.
Update, update, update
It’s a boring bit of housekeeping – but you should ensure your PC is set up to update itself automatically if possible. Visit control panels in Windows and set Windows Update to automatic, and update your browser as regularly as possible as well – i.e. set it to update without your permission if possible. By making sure you have the most current patches issued to fill security holes in your computer’s operating system and applications, you can enhance your online protection.
Do it right, and your PC should be the safest device you own
There are times when your PC’s built-in protection offers the muscle you need for business or secure transactions – smartphone browsers often make it hard to see if you’re on a secure page or not, meaning you could be on a decoy bank page, rather than the real one. Make sure your PC’s software is up to date, use good AV protection, and pay attention to warnings in your browser about secure/insecure sites.
Watching video? Stick to sites you know
Paying for Netflix rentals is expensive – but safe. Sites offering “free” video are notorious for delivering malware – especially if they are offering films that are still on at the cinema. Be very careful of “free” films – as in life, on the internet, virtually nothing is “free”.
Browser warnings are good – but not bulletproof
When browsers such as Chrome warn you that a site is risky, that’s a good sign to step back. Enable Safe Browsing – or the equivalent for Explorer or Safari – and you’ll have warnings of sites that may deliver malware. For added protection, AV software can block domains and sites – useful if a family are sharing a PC.
Don’t store passwords in your browser
A recent blog post revealed how Google’s Chrome can “show off” passwords in plain text if another user gets access to your computer. Problems can also occur from simply forgetting to log out – so for peace of mind, clear browsing history, and use a password manager instead. ESET Senior Research Fellow David Harley says, “It’s a really bad idea to save passwords in Chrome on a machine that can be accessed without authentication (obviously a bad idea in itself), or where an account is shared (also not good practice – especially on business machines – but probably not uncommon on home machines). I’d suggest that it’s usually better to use some sort of password manager to store your passwords than a browser…”
Don’t leave things to chance
This week, Microsoft issued a “fix it” for a vulnerability in its Internet Explorer browser – a patch which users could download to protect themselves. But users had to learn about it, and do it, themselves. Free AV software is useful – it lets you scan for known threats, at that moment – but for 24-hour protection against new threats, it’s worth considering a paid-for package.
Author Rob Waugh, We Live Security