On the TV1 Breakfast show this morning, Paul Henry was interviewing Peter Griffin about security software for home computers. In my previous field engineer roles, and my current role as "IT guy" for my extended family, I’ve got a lot of experience setting up and securing home computers as well as small business computers (ones that are not managed by a central server.) I’ve also had a lot of experience fixing computers that have been infected with viruses, trojans and other nasties.
So naturally I have strong opinions on the topic and I tend to disagree on some of the points that Peter was recommending. So here is my advice on securing a home computer running Windows. (See note at the end if you’re running a Mac or Linux.)
Note: This turned into a rather long article – I encourage you to read the whole post, but if you’re in a rush, at least read the summary at the bottom.
Starting at the bottom of the stack, if you’re buying a new computer get Windows Vista. I have lots of gripes about Vista, but it is far more secure than Windows XP, and will be supported for the next 5 years. If you’ve already got a computer you should be running Windows XP with service pack 2. If you’re not running service pack 2 on Windows XP, your computer is vulnerable to attacks. If you’re running any operating system prior to Windows XP, such as Windows 2000, Windows ME, Windows 98, etc, your computer is extremely vulnerable and you should probably just upgrade to a new computer running Vista. (Again, see note at the end if you’re running a Mac or Linux.)
You can check your operating system and service pack version by clicking on Start, then Run, and typing: "winver" (without quotes) and pressing enter.
Now that we’ve decided on the operating system, you need to make sure that it is kept up to date. This is one of the most important parts of maintaining your computer. As soon as Microsoft release updates to the operating system, hackers start creating malware that targets the vulnerabilities. It’s effectively a race between you and the hackers, which is why I recommend always installing updates as soon as they are released – and rebooting once they are installed.
There is a fear that updates can break your computer if you install them straight away, and there have been some cases in the past where this has been true, but you are far more likely to be infected by a virus by not updating than you are to have a new update break your computer.
Windows makes it very easy to keep your computer up to date – just go to the Control Panel through the Start Menu, then find the Automatic Updates icon (or Windows Updates icon in Vista) and select "Automatic" which is labelled as the recommended option.
Most other software you install on your computer will also have some mechanism for keeping it up to date. Adobe (Acrobat Reader), Apple (Quicktime, iTunes), Sun (Java) all provide update mechanisms that usually use a scheduled task to check for updates. All of this software is also vulnerable to bugs and attacks so it’s important to let the software notify you when there is an update to install.
This is especially true of your Internet browser of choice. Whether you use Internet Explorer, Firefox, Safari, Opera, etc, it’s important to keep it up to date as this is the software that you use the most to interact with the Internet. My personal favourite is Firefox and this is the most secure browser to use in my opinion. Running Internet Explorer on Vista with User Account Control (UAC) enabled has the added benefit of running as a limited user so is also less vulnerable to attack.
The single most important security software on a computer is the firewall – in fact, I can’t imagine ever running a home computer without a firewall. If you’re only going to take one piece of advice from this post, then make it the firewall.
If you have Windows XP or Windows Vista then you have a firewall built in, and you need to check that it’s turned on. Head back into the Control Panel, open the Windows Firewall icon, and turn it on. It’s that simple.
More advanced users running Windows XP should use a third party firewall such as Zone Alarm, as you have more granular control over what comes in and goes out. But for home users not needing to allow any inbound traffic, the Windows XP firewall is fine.
If you’re running Windows Vista, there’s no need to run any other firewall as the one provided by Vista is superb and has been greatly improved upon since Windows XP. Advanced users on Vista can tweak the firewall to their heart’s content by using the Windows Firewall MMC snap-in which you can get to through the Administrative Tools.
The benefit to using the Windows firewall instead of a third party firewall, is that Microsoft have designed it to hook in to the networking aspects of your computer. So if you enable file and print sharing, then Windows will open the necessary firewall ports.
If you’ve followed the previous three steps, then you’re in pretty good shape already. You’re running a supported operating system, your computer software is patched and up to date, and you have a firewall protecting you from network attacks. However, this does not prevent you from downloading a virus from the Internet, or opening a virus-infected attachment from your emails.
This is where antivirus software comes in – it runs in the background on your computer, monitoring all of the activity going on, looking for viruses that it knows about and also looking out for any other suspicious behaviour.
There are lots of different antivirus products available today, some free, most of them not. I don’t recommend the free software to home users, as you have no guarantees that the software will be kept up to date. I also don’t recommend buying ‘suites’ of software – such as the ones from Symantec/Norton, or McAfee. These suites try to take over your whole computer with their own recommended settings, and you get showered with cryptic alerts, slow performance, and unreliable behaviour from your computer.
My current recommendation is to install Trend Micro Internet Security 2008. This is by far the best antivirus software I have used to date, for the following reasons:
- It’s lightweight and won’t slow down your computer
- It’s easy to use
- It’s easy to configure
- And you aren’t forced into using all of their settings
During installation of the software, you are asked if you want to install the firewall – I always say no, as I’m quite happy with either the Windows XP or Vista firewall. And once the software is installed, step through each section and turn it off – apart from real-time virus monitoring. All you want antivirus software to do, is to protect you against viruses – anything else will just get in your way and annoy you. If you’re using a desktop email client like Outlook, Outlook Express, Windows Mail, Thunderbird, etc, then you also need to select the antivirus option to scan your emails.
Antispyware software generally comes in two types – the basic editions require you to run a scan over your computer so that it can find all the nasties, and the more advanced editions run as a service on your computer like the antivirus software and constantly monitor your system. Most antivirus software products today have at least some basic antispyware functions that can be enabled.
If you’re running Windows Vista, then you already have Windows Defender installed and running and you need to do nothing else. Defender runs in the background monitoring your computer and updates to the software are delivered through Windows Updates.
If you’re running Windows XP, then you can download and install Windows Defender for free, which you can’t go wrong with. More advanced users may want to use several different versions of antispyware software at the same time, tweaking each one to suit their needs, but an average home user will be well protected with Windows Defender.
A phishing filter monitors the web sites you visit and looks out for sites that attempt to deceive you into thinking that you are visiting another site. A common example is a site that looks just like your Internet banking site but is actually a site created by hackers to encourage you to give up important financial information like your account names, passwords, pin numbers, etc.
Hackers use clever techniques, crafting web addresses that are so long and confusing that it is hard to tell whether they are valid or not. Phishing filters attempt to identify these dodgy addresses and warn you that the site is not legitimate.
Unfortunately, phishing filters are not yet as advanced as antivirus scanners and lots of dodgy sites don’t get picked up. This means you can’t rely solely on the phishing filter as a means of defence. But Internet Explorer 7 and Firefox 2 both have phishing filters built-in and should be enabled for an added layer of defence.
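The confusing addresses described above can be untangled mechanically. The following is an added example, not part of the original post: it extracts the part of an address that actually names the site and flags a few well-known tricks. The bank name `mybank.example` and all sample addresses are constructed placeholders, and the checks are simple heuristics, not how any particular browser's filter works.

```javascript
// Added example. TRUSTED_HOSTS and SAMPLES are constructed placeholders.
const TRUSTED_HOSTS = ["mybank.example"];

const SAMPLES = [
  "https://www.mybank.example/login",
  "http://www.mybank.example.secure-login.example.net/account/update",
  "https://www.mybank.example@203.0.113.7/login",
];

// A host is trusted only if it IS a trusted name or a subdomain of one.
function isTrustedHost(host, trusted) {
  return trusted.some((t) => host === t || host.endsWith("." + t));
}

function inspectUrl(rawUrl, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { host: null, trusted: false, reasons: ["address cannot be parsed"] };
  }
  const host = url.hostname.toLowerCase(); // the only part that names the site
  const ok = isTrustedHost(host, trusted);
  const reasons = [];

  // Anything before '@' is a login field, not the site being visited.
  if (url.username || url.password) reasons.push("text before '@' is not the site name");
  // Legitimate consumer sites are reached by name, not by raw address.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) reasons.push("numeric IP address instead of a name");
  // Punycode labels can render as look-alike characters.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("encoded international (punycode) label");
  }
  // The trusted name appearing somewhere other than the end of the host.
  if (!ok) {
    for (const t of trusted) {
      const brand = t.split(".")[0];
      if (host.includes(brand) || url.pathname.toLowerCase().includes(brand)) {
        reasons.push(`mentions "${brand}" but is not ${t}`);
      }
    }
  }
  return { host, trusted: ok, reasons };
}

for (const s of SAMPLES) console.log(inspectUrl(s));
```

The second and third samples both display the bank's name prominently, yet the host that the browser would actually contact is a different site in each case.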
Common Sense and Dancing Pigs
The last layer of defence should be your common sense. Don’t rely purely on the security software on your computer to protect you. Don’t trust any attachment that is sent to you – even if it comes from someone you know, such as friends or family. Don’t forget that if a friend’s computer gets infected with a virus, there is a chance that the virus may email itself to that friend’s entire address book, making it look as if your friend sent you a joke email.
This is where the Dancing Pigs comes in. In computer security circles, dancing pigs refers to how users will always choose dancing pigs over computer security. Bruce Schneier explains the phenomenon as follows:
If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet — he’s going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life’s savings, and impair your ability to have children," he’ll click OK without even reading it. Thirty seconds later he won’t even remember that the warning screen even existed.
If this sounds like something that you do on a daily basis – beware. But take heart in the fact that it’s not your own fault – software developers have made us ambivalent towards security messages over the years, as we get so damn many of them – most of which are safe to ignore, most of the time…
A classic example of this is Windows Vista’s new User Account Control (UAC) feature which is enabled by default on Microsoft’s new operating system. The theory behind this is that you are forced to run as a limited-rights user so that you aren’t able to do any accidental damage to your computer (like running dancing pigs applets.) This is a great idea, and is already implemented on both Macs and Linux, but the implementation of UAC was so poor, that from the first time you turn on your computer, you are bombarded with warning messages for even performing the most trivial of tasks. This forces you to become numb to the messages, and you just get into a routine of clicking "yes" for everything that pops up.
Microsoft won’t admit to UAC being a poor implementation, but they are changing the number of alerts you receive in service pack 1, which is going through testing at the moment. So they must be aware of the problem.
Although backups aren’t strictly related to computer security, ensuring that you have a good backup system could be priceless should your machine get so terribly broken from a virus that it can’t even boot up and needs to be reinstalled.
How many of you have your only copy of your digital photos sitting on the hard drive of your computers? Imagine how you would feel if that hard drive broke, or the contents got erased, or your computer got stolen.
I recommend a three-pronged approach to backing up your important data:
- Keep your important data cleanly organised on your computer and set up a backup routine either manually or using software such as the built-in backup software in Windows.
- Back up all your important files to a separate, external hard drive, or DVDs/CDs, or to another computer or server in your house.
- Then create another backup of your important files offsite – i.e. not in your house or possibly even your neighbourhood.
The third step seems a bit over the top at first, but keeping a backup of your photos on DVDs is no good if your house burns down or gets flooded. The best way to back up your photos is to just upload them to a photo sharing site like Flickr – you get the added bonus of being able to show off your photos to friends and families. And if disaster ever strikes, your photos are preserved online and can be downloaded again in the future. For other important files, there are various online backup companies starting up but prices do vary so it’s worth shopping around.
To summarise, here’s a check-list for safe computing:
- Make sure you’re running a supported operating system. Windows Vista or Windows XP with service pack 2. Nothing earlier.
- Make sure that your operating system is up to date with Windows Updates, and make sure that all other software is kept up to date too.
- Use a firewall! The Windows built-in firewall is fine, only use a third party one if you know what you’re doing.
- Use antivirus software – but don’t let it take over your whole system, this just causes more problems. Disable the bits you don’t want to run.
- Use antispyware software – Windows Defender is good.
- Use the phishing filter built into your browser, but don’t depend on it to be 100% accurate.
- Use your common sense – treat all email attachments with caution.
Apart from purchasing antivirus software (Trend Micro Internet Security 2008 costs about $100), everything mentioned above is already built into your operating system or web browser and costs nothing extra to use.
Using a Mac or Linux
This post has focused on Windows only, but most of the same principles can be applied to either Macs or Linux computers. Historically there have been very few viruses found in the wild for either operating system, but as both Linux and Macs gain in popularity (as they are now) there will no doubt be more hackers targeting them. Don’t sit back and think that you’re secure just because you’re not running Windows.