Mobile devices offer a powerful platform for business and social applications.  The ubiquity of the handsets combined with the continually increasing power of mobile chipsets–today’s smartphones have at least as much computing oomph as the business desktop systems of ten years ago–has led to a vibrant marketplace of mobile apps for any conceivable purpose.  A significant amount of money has been invested in these platforms–and where there is money, there is crime.  Accordingly:

  • Make sure you understand what the app you’re installing requires.  The Android platform is particularly good here; each app lists what it has access to, so there are no unwelcome surprises.  If you should choose to go outside the official marketplaces (whether by unlocking your phone, in the case of the iPhone, or by enabling the “install third-party apps” option for Android), you lose the ‘official’ vetting.  The creators of the OS have a very vested interest in ensuring that hostile software does not end up on users’ handsets; they want their markets to appear “safe.”  For the most part, this does work, although Apple’s app market has had some problems with:
  • Counterfeit apps.  You can generally identify these as being at a lower price point than the authorized app–possibly even offering the full functionality of the paid version of an app for free.  While most of the time these do not end up in the official app markets, it does pay to be careful in case one sneaks in.  Counterfeit applications have been known to play host to a variety of hostile software, some of which may end up costing you a significant amount of money.  
  • Even if the counterfeit app does not contain hostile software, it may contain a weakness through which others can extract your personal information.  The real versions, those that the developer is paid for, are generally kept fairly well updated; it’s in the developer’s best interest to fix bugs.  The same maintenance does not extend to the counterfeit versions.
  • Be careful with geolocation features.  Foursquare may give you a discount for being the ‘mayor’ of a location, but if you continually check in everywhere, then anyone can find out where you are.  Most people will likely not be too concerned, but those people in a law enforcement or military capacity may want to exercise extra care.
  • Likewise, turn off the geotagging feature in your handset’s camera, especially when sharing the pictures with others.  There may be no obvious danger in sharing a picture of a funky face you’re making with friends, but if the location is embedded into the picture’s properties and there’s something appealing in the background, burglars have been known to look for these sorts of things.
  • Handsets are small and valuable, and can potentially be stolen.  Most app markets have several apps that allow the handset to be tracked via GPS if it should be lost or stolen.  They can also lock down the handset and make it unusable.
  • Handsets are also relatively fragile.  Consider setting up a backup of your information, so that you can still access it if something happens to the handset. This is less a concern for Android OS phones than others; many of their applications synchronize your data with an online repository, if you allow them to do so.
  • Mobile antivirus products have begun to appear; consider installing and using one of those.  

Naturally, all of the general safety tips still apply.  Much of the hostile software thus far has been focused on either extracting personal information or causing the handset to spend money without your intervention–at least, so far.  A likely further avenue that the developers of this software will take is the ‘ransomware’ trick–encrypting your data, with the decryption key available only after payment; taking backups on a regular basis, as mentioned above, as well as being careful which software you install, makes you functionally immune to that trick beyond some mild inconvenience.

As Monday was about basic online safety and Tuesday was about safe Email use, today’s Security 101 will focus on web surfing specifically.  Web surfing is one of the more common uses of online time, as it’s the way to access much of the generally available information (rather than the special-purpose non-“web” internet archives–those are a special case).  Accordingly:

  • Make sure that you have applied all the updates available for your computer, your browser, and any antivirus program that you might run.  The vast majority of infections by hostile software come about as a result of unpatched security updates.
  • If you use Windows, do not use Internet Explorer.  IE is still tightly integrated into the operating system; as such, any vulnerability in IE that is not patched–either because Microsoft has not released a patch or because you ignored the previous bullet–is a vulnerability in Windows as a whole.  Using any other browser (such as Chrome, Firefox, or Opera) will introduce another layer for hostile software to have to go through before it can affect your computer.  Additionally, both Chrome and Firefox have numerous plugins (or add-ons or extensions or whatever the browsers are calling them these days) available specifically to make your browsing experience safer.  Some of those for Chrome have been discussed here; those available for Firefox are just as easy to find.
  • Consider blocking most advertisements.  There have been several cases where advertisement servers have been compromised and have ended up serving ads containing hostile software.  Text ads are, by their nature, immune to this–though it is still advisable to be very careful before considering clicking them, as many ads do point to sites of dubious provenance.  
  • Hover before you click.  Especially on sites where users submit links, hover your pointer over the link and look at the address that appears at the bottom when you do so.  If you have any doubts about the domain that the link goes to, don’t follow it.
  • When in doubt, close the browser.  A website can’t hurt you if you don’t have a browser open to it.
  • If shopping, or any time that you might enter personal information, make sure that the form has SSL–a technology to keep your information encrypted in transmission–enabled.  Most modern browsers have a specific, clear indicator that the page has been encrypted with SSL; for instance, the Chrome browser will turn the address bar green.  SSL addresses always start with “https” rather than “http”–double-check to make sure, and don’t put in any personal information unless that’s there.
  • Do not give out any personal information other than the bare minimum required.  If a site wants more information from you than you feel comfortable providing–especially if, like the Gawker family, they have poor security–consider alternatives instead.
  • Avoid downloading any files unless you are sure of the source.  Anything more complicated than a basic text file can contain hostile software that can harm your computer, and this risk goes up with the complexity of the file.  
  • If a website suddenly looks different than what you’re used to–especially if it’s one where you manage your financial information–double-check the spelling of the address.  There have been many instances of what is referred to as “typosquatting,” where an address only a couple letters off from the official one is bought by someone unrelated to the official website and used for fraudulent purposes.  If in doubt, close the browser window or tab and try again.
  • If some kind of web content “requires” a plugin to view, do not follow the link from the page.  Instead, check to see if you have the plugin installed, and if not, look for the manufacturer’s webpage to find it.  Flash, for instance, comes from Adobe; any other source cannot be trusted.
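
The "hover before you click", "https" and typosquatting checks above can be done mechanically. This is an added example, not part of the original post; the trusted domains are constructed placeholders, and matching on the whole host name (rather than using a public-suffix list) is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this hypothetical user really banks and shops with.
TRUSTED = ("examplebank.com", "example-shop.com")

def edit_distance(a, b):
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent letters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, the classic typing slip ("exmaple").
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_link(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, trusted_domain_or_None) for a link you are about to follow."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    for good in trusted:
        # The real site, or a genuine subdomain of it.
        if host == good or host.endswith("." + good):
            return ("ok" if parts.scheme == "https" else "no-https", good)
    for good in trusted:
        # The trusted name buried inside someone else's domain,
        # or an address "only a couple letters off" from it.
        if good in host or edit_distance(host, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login",
                 "http://examplebank.com/login",
                 "https://exmaplebank.com/login",
                 "https://examplebank.com.account-verify.test/"):
        print(check_link(link), link)
```

A "lookalike" verdict is the case to close the tab on; "unknown" only means the address is not near anything on your own list.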

As before, all the other general recommendations still apply:  think before you click, and if you’re not sure of a situation, find someone who does this for a living and ask them nicely.  Merely keeping “tips” in mind will not keep you safe–only a deep and abiding commitment to safety, and careful use of safe browsing practises, will do that.

Continuing yesterday’s monologue about remaining safe online, this entry discusses the typical hazards that might be found in email.

Email was invented shortly after the first computers were networked together; its roots as what was, at the time, a nifty interoffice memo system still show through in some places.  While it is convenient as a means of communication, it’s also convenient as a delivery mechanism for various scams and hostile software.  Accordingly:

  • If you don’t know who it’s from, don’t open it.  Any email that you did not directly solicit will probably be either spam (and trying to sell you something), a scam (and trying to get your money without even the courtesy of giving you a fake handbag), or hostile software (which may steal your identity and send it to some guy in Moldova who’s going to sell it to the Russian mafia).  If it’s from someone you know but the subject line is odd or uncharacteristic of them, don’t open it–it may have been sent by hostile software working off their address book.  Consider these letters to be the equivalent of a brown-paper package with a loud ticking noise inside–it’s better to let someone else deal with it.  
  • The base email standard that everyone works with does not have any provision for confirming identity.  By forging email headers, any reasonably competent spammer or scam artist can pretend to be anyone else.  If your email provider or company allows for digital signing of emails–an add-on intended to prove that the sender is who they say they are–then consider using it.  Ask your mail administrator if it’s available.
  • Never open an attachment unless you know exactly what it is.  Especially today, with free “cloud” storage available, there is no reason for any legitimate user to send programs through email; if any attachment asks you for permission to run, then it is likely hostile software.  Even innocuous-looking attachments can carry hostile payloads; pay attention to the email they’re sent in–ask yourself if the person who sent it to you would write in that manner.  If you’re not sure, delete it, and ask the sender to confirm that they sent it.
  • Repeating from yesterday, do not forward chain emails.  If it’s worth sending on, then the original source likely exists online.  Give credit to the original creator; that way they’re more likely to keep creating.  You may also find out that what you’re forwarding is some kind of scam or other falsehood; in that case, by looking before you send, you’ve avoided looking foolish in front of your friends who do do the research.
  • No, there is no email tracking software being tested, and you will not receive money for forwarding the email.  Similarly, any email that promises a benefit from forwarding it falls under the previous bullet point.  Do not forward chain emails.  They clog up mailboxes and lead to infection with hostile software.
  • Repeating from yesterday, turn off the preview feature in your email client.  There have been several viruses that have used this in the past as a means of infection; it’s likely that, since it worked once, it’ll work again.  
  • Never reply to an email that you did not specifically ask for.  Regardless of the apparent legitimacy of any ‘unsubscribe’ links or instructions to reply to the sender to unsubscribe, any unsolicited email should be deleted immediately; if your mail provider allows you to report it as spam, do so.  Following the unsubscribe instructions will tell the spammer or scammer that the email address belongs to a real person who checks it regularly.
  • Read your emails in plain text.  Yes, this is boring.  It’s also safe, and will prevent several different kinds of hostile software from infecting your system.  Also:
  • Send only plaintext emails.  If your email “needs” pictures or fonts or special layouts, then you need a website or a blog for that.  Plain text may be boring, but it is safe; nobody yet has managed to write a virus that will infect a text file.
  • Never, NEVER, buy anything from an email link.  Any legitimate coupons will still be valid if you visit the website and go through the normal portal; any legitimate merchant will have several characteristics on their website for you to identify them.  
  • Any email that says it requires immediate action on your part, else some bad consequence will happen, is a scam.  No legitimate business, bank, or service provider will send a notification of that kind through email.  Manually open the webpage of the company and log in in your usual way if you want to be sure; following any link from an email is a sure way to have your credentials stolen and sold to the Russian mafia.
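
Since the From line proves nothing on its own, here is what checking the rest of the headers looks like. This is an added example, not part of the original post; both messages are constructed, and it assumes your receiving mail server stamps an `Authentication-Results` header, which goes a step beyond the signing add-ons mentioned above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Domain part of the address in a header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def forgery_signals(raw_message):
    """List (header_or_check, value) pairs that disagree with the From line."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    signals = []
    # Replies and bounces routed somewhere other than the claimed sender.
    # A mismatch is a signal, not proof: mailing services do this legitimately.
    for name in ("Reply-To", "Return-Path"):
        domain = domain_of(msg[name])
        if domain and domain != from_domain:
            signals.append((name, domain))
    # Verdicts recorded by the receiving server; anything but "pass" is
    # reported. SPF is skipped on purpose: it only vouches for the envelope
    # sender, which a forger controls.
    results = " ".join(msg.get_all("Authentication-Results", []))
    for check in ("dkim", "dmarc"):
        found = re.search(rf"\b{check}=(\w+)", results)
        verdict = found.group(1).lower() if found else "missing"
        if verdict != "pass":
            signals.append((check, verdict))
    return signals

# Constructed sample: claims to be the bank, but everything else points elsewhere.
FORGED = "\n".join([
    "Return-Path: <bounce@mailer.invalid>",
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.invalid;"
    " dkim=none; dmarc=fail header.from=examplebank.com",
    'From: "Example Bank Security" <alerts@examplebank.com>',
    'Reply-To: "Support" <help@examplebank-support.invalid>',
    "Subject: Urgent: verify your account within 24 hours",
    "",
    "Click the link below or your account will be suspended.",
])

# Constructed sample: the same sender with headers that line up.
GENUINE = "\n".join([
    "Return-Path: <bounce@examplebank.com>",
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com;"
    " dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com",
    'From: "Example Bank" <alerts@examplebank.com>',
    "Subject: Your monthly statement is ready",
    "",
    "Log in the usual way to view it.",
])

if __name__ == "__main__":
    print(forgery_signals(FORGED))
    print(forgery_signals(GENUINE))
```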

Email has made modern business possible, but has also provided a platform for many criminals to make a lot of money off of careless and gullible users.  Be suspicious of every email that enters your inbox; even if you think you know who it’s from, it may well be forged or the result of infection by hostile software.  

For the sake of completeness, I tender for the consideration of the masses the following “tips”–though that’s hardly the right word–on the basic rules of staying safe online.  It’s worth noting that simply providing ‘tips’ as though safety was merely something to ‘keep in mind’ is really not enough; if you want to be safe, you have to make a commitment to safety and security.  Avoiding hazards is not a result of anything other than close and careful attention to everything that you do online.  Accordingly:

  • Think before you click.  Especially on windows or error messages that pop up, think about what you’re doing before you click any part of it–especially before clicking a “yes” button.  Especially for Windows users, Microsoft has done a great disservice by spawning endless annoyance windows that have ingrained auto-agree behaviors into people’s minds–and hence allowed more than a few trojans into people’s computers.  Hovering the pointer over hyperlinks in webpages will display the URL that it leads to at the bottom of the browser; pay attention to this, to make sure you want to go where the link leads you.  Actually read error messages that show up, and if you’re going to be placing a support call about them, write down the exact wording; error messages exist for a reason–to tell people exactly what is wrong.
  • Turn off automatic running and previewing ‘features’ on everything.  Yes, it’s a great convenience for the user to be able to pop a CD in a drive and have it automatically run a program.  It’s a great convenience for you to have your email show up without having to open it up.  It’s also an incredible convenience for anyone wanting to install some breed of malware onto your system–especially if you should happen to not pay attention to the previous bullet point and automatically click the ‘authorize’ button on any warnings that may appear.  True, turning off these features is a hassle, and results in more work; however, it’s less of a hassle to open emails and CDs by hand than to try to take back a stolen identity–especially if your identity is worth stealing, you may still be fighting that for decades.
  • Use different passwords for different things.  A plurality of people, even after several highly publicized compromises of password information, remain lazy in their password discipline.  If you use different passwords on different sites, the only account that will be compromised in the event of a break-in on that site will be the one associated with that site.  Simply adding a letter or a number is not good enough, either; there are numerous tutorials online about how to choose secure passwords, and there are numerous tools available to help manage them.
  • Turn on automatic updates for your operating system and for your antivirus program.  The only people who should not automatically run those updates are administrators of large corporate networks; they have to test patches before the patches are applied to production systems, and as such have means in place to control the updating of the systems under their charge.  Unless you are a systems and networks administrator for a large business or enterprise network, there is little to no reason not to keep the updates on automatic update.  The vast majority of malware is filtered out by simply keeping your system up to date and by paying attention to what you allow to run; the first filters out the majority of hostile software that relies on exploiting weaknesses in the operating system; the second filters out trojans masquerading as something else.
  • Do not forward chain emails.  Yes, that means that the cute bunnies that someone sent you will not be sent to your Aunt Martha from your email address–however, it’s more than likely that those cute bunny pictures exist somewhere online.  The folks at Tineye have built a search engine for figuring that sort of thing out; find out where the pictures originally came from there, and send the link to your Aunt Martha.  This keeps her inbox from filling up; this gives credit to the original content creators; and this gives less opportunity for hostile software to spread.
  • Turn off HTML emails.  Yes, plain text emails are boring, but they’re also safe.  If your email requires pictures and animations and other flashy things, then what you require is a website or a blog, not an email.  Viruses cannot spread through plain text.  Besides–if what you say doesn’t work without a cute font and a bunny picture, it probably wasn’t worth saying to begin with.
  • There Ain’t No Such Thing As A Free Lunch.  Anyone offering you an “amazing deal” is probably trying to scam you.  If the price for a product or service that you’re seeing is more than a few percent away from the price elsewhere, then it’s probably not legitimate.  
  • Never–never–NEVER–buy anything at all from an email that you did not specifically solicit.  Especially not ‘discount pharmaceuticals’ or whatnot.  There are more than enough legitimate sources for anything that is sent out in spam emails–and any email that shows up from any source that you did not make first contact with is spam.  Not only will buying these goods likely result in identity theft, but you are financing organized criminal operations, and you are putting yourself in danger of being clubbed to death by an irate mail administrator.  Do not click, do not open, do not reply that you want to be ‘taken off the mailing list’–if your mail provider offers a ‘mark as spam’ button, use that, or delete it.  The only reason spam continues is because it is profitable, and it only takes one or two people to buy something for it to remain profitable.
  • Think before you click.  Again.  If you have to think about whether you should click something for more than a few seconds, then the answer is likely that you should leave it alone or deny it permission.  If you still aren’t sure, then find someone who does this manner of thing for a living and ask their advice–you’ll get a much better answer if you compensate them in some fashion for their time.  

The internet is a massive convenience, and is rapidly becoming entirely necessary for societal function.  Like any other place where people gather, there is danger of crime; just like walking through a bad part of town, keep your eyes open and your wallet hidden, and you’ll likely avoid any hazards.