
As Monday was about basic online safety and Tuesday was about safe Email use, today’s Security 101 will focus on web surfing specifically.  Web surfing is one of the more common uses of online time, as it’s the way to access much of the generally available information (rather than the special-purpose, non-web Internet archives; those are a special case).  Accordingly:

  • Make sure that you have applied all the updates available for your computer, your browser, and any antivirus program that you might run.  The vast majority of infections by hostile software come about through security holes for which an update was already available but never applied.
  • If you use Windows, do not use Internet Explorer.  IE is still tightly integrated into the operating system; as such, any vulnerability in IE that is not patched–either because Microsoft has not released a patch or because you ignored the previous bullet–is a vulnerability in Windows as a whole.  Using any other browser (such as Chrome, Firefox, or Opera) will introduce another layer for hostile software to have to go through before it can affect your computer.  Additionally, both Chrome and Firefox have numerous plugins (or add-ons or extensions or whatever the browsers are calling them these days) available specifically to make your browsing experience safer.  Some of those for Chrome have been discussed here; those available for Firefox are just as easy to find.
  • Consider blocking most advertisements.  There have been several cases where advertisement servers have been compromised and have ended up serving ads containing hostile software.  Text ads are, by their nature, immune to this–though it is still advisable to be very careful before considering clicking them, as many ads do point to sites of dubious provenance.
  • Hover before you click.  Especially on sites where users submit links, hover your pointer over the link and look at the address that appears at the bottom when you do so.  If you have any doubts about the domain that the link goes to, don’t follow it.
  • When in doubt, close the browser.  A website can’t hurt you if you don’t have a browser open to it.
  • If shopping, or any time that you might enter personal information, make sure that the form has SSL–a technology to keep your information encrypted in transmission–enabled.  Most modern browsers have a specific, clear indicator that the page has been encrypted with SSL; for instance, the Chrome browser will turn the address bar green.  SSL addresses always start with “https” rather than “http”–double-check to make sure, and don’t put in any personal information unless that’s there.
  • Do not give out any personal information other than the bare minimum required.  If a site wants more information from you than you feel comfortable providing–especially if, like the Gawker family, they have poor security–consider alternatives instead.
  • Avoid downloading any files unless you are sure of the source.  Anything more complicated than a basic text file can contain hostile software that can harm your computer, and this risk goes up with the complexity of the file.  
  • If a website suddenly looks different than what you’re used to–especially if it’s one where you manage your financial information–double-check the spelling of the address.  There have been many instances of what is referred to as “typosquatting,” where an address only a couple of letters off from the official one is bought by someone unrelated to the official website and used for fraudulent purposes.  If in doubt, close the browser window or tab and try again.
  • If some kind of web content “requires” a plugin to view, do not follow the link from the page.  Instead, check to see if you have the plugin installed, and if not, look for the manufacturer’s webpage to find it.  Flash, for instance, comes from Adobe; any other source cannot be trusted.
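The “hover before you click”, “look for https” and typosquatting points above can be turned into a mechanical check.  The following is an added example, not code from the original post: a small JavaScript helper that takes the visible text of a link and the real target a browser would show on hover, and reports the three kinds of mismatch the list warns about.  The trusted-domain list and the sample links are constructed for the example; the edit-distance threshold of two is an assumption, not a rule from the post.

```javascript
// Added example: a "hover before you click" helper. Given a link's visible
// text and its real target (what the browser shows on hover), report the
// mismatches the checklist warns about. Domains and links are constructed.

const TRUSTED_DOMAINS = ["example-bank.com", "example-shop.com"]; // constructed

// Levenshtein edit distance: single-character edits needed to turn a into b.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                              // deletion
        prev[j - 1] + 1,                          // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)    // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Drop a leading "www." so www.example-bank.com counts as example-bank.com.
function registeredDomain(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// Returns a list of warning strings; an empty list means nothing looked off.
function checkLink(visibleText, href) {
  let target;
  try {
    target = new URL(href);
  } catch {
    return ["target is not a valid URL"];
  }
  const warnings = [];
  const host = registeredDomain(target.hostname);

  // No https: the page is not encrypted in transit, so enter nothing personal.
  if (target.protocol !== "https:") {
    warnings.push(`target is not https (${target.protocol})`);
  }

  // Link text that looks like a URL but the real target goes elsewhere.
  if (/^https?:\/\//i.test(visibleText.trim())) {
    try {
      const shown = registeredDomain(new URL(visibleText.trim()).hostname);
      if (shown !== host) {
        warnings.push(`link text shows ${shown} but target is ${host}`);
      }
    } catch {
      /* link text is not a parsable URL; nothing to compare */
    }
  }

  // Typosquatting: a near miss of a trusted domain that is not that domain.
  // The threshold of two edits is an assumption chosen for this example.
  for (const trusted of TRUSTED_DOMAINS) {
    if (host === trusted) continue;
    const d = editDistance(host, trusted);
    if (d <= 2) {
      warnings.push(`${host} is ${d} edit(s) away from trusted ${trusted}`);
    }
  }
  return warnings;
}

// Constructed sample links, as they might appear in user-submitted comments.
const SAMPLE_LINKS = [
  ["https://www.example-bank.com/login", "https://www.example-bank.com/login"],
  ["https://www.example-bank.com/login", "https://www.exanple-bank.com/login"],
  ["click here", "http://example-shop.com/checkout"],
];

function auditSamples() {
  return SAMPLE_LINKS.map(([text, href]) => ({ href, warnings: checkLink(text, href) }));
}

for (const result of auditSamples()) {
  console.log(result.href, result.warnings.length ? result.warnings : "ok");
}
```

The second sample shows why hovering matters: the text reads as the bank’s own address while the real target is one letter off, so it trips both the text/target mismatch and the typosquatting check.  The third is a plain http checkout page, which the “look for https” rule catches on its own.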

As before, all the other general recommendations still apply:  think before you click, and if you’re not sure of a situation, find someone who does this for a living and ask them nicely.  Merely keeping “tips” in mind will not keep you safe–only a deep and abiding commitment to safety, and careful use of safe browsing practices, will do that.

Continuing yesterday’s monologue about remaining safe online, this entry discusses the typical hazards that might be found in email.

Email was invented shortly after the first computers were networked together; its roots as what was, at the time, a nifty interoffice memo system still show through in some places.  While it is convenient as a means of communication, it’s also convenient as a delivery mechanism for various scams and hostile software.  Accordingly:

  • If you don’t know who it’s from, don’t open it.  Any email that you did not directly solicit will probably be either spam (and trying to sell you something), a scam (and trying to get your money without even the courtesy of giving you a fake handbag), or hostile software (which may steal your identity and send it to some guy in Moldova who’s going to sell it to the Russian mafia).  If it’s from someone you know but the subject line is odd or uncharacteristic of them, don’t open it–it may have been sent by hostile software working off their address book.  Consider these letters to be the equivalent of a brown-paper package with a loud ticking noise inside–it’s better to let someone else deal with it.
  • The base email standard that everyone works with does not have any provision for confirming identity.  By forging email headers, any reasonably competent spammer or scam artist can pretend to be anyone else.  If your email provider or company allows for digital signing of emails–an add-on intended to prove that the sender is who they say they are–then consider using it.  Ask your mail administrator if it’s available.
  • Never open an attachment unless you know exactly what it is.  Especially today, with free “cloud” storage available, there is no reason for any legitimate user to send programs through email; if any attachment asks you for permission to run, then it is likely hostile software.  Even innocuous-looking attachments can carry hostile payloads; pay attention to the email they’re sent in–ask yourself if the person who sent it to you would write in that manner.  If you’re not sure, delete it, and ask the sender to confirm that they sent it.
  • Repeating from yesterday, do not forward chain emails.  If it’s worth sending on, then the original source likely exists online.  Give credit to the original creator; that way they’re more likely to keep creating.  You may also find out that what you’re forwarding is some kind of scam or other falsehood; in that case, by looking before you send, you’ve avoided looking foolish in front of your friends who actually do the research.
  • No, there is no email tracking software being tested, and you will not receive money for forwarding the email.  Similarly, any email that promises a benefit from forwarding it falls under the previous bullet point.  Do not forward chain emails.  They clog up mailboxes and lead to infection with hostile software.
  • Repeating from yesterday, turn off the preview feature in your email client.  There have been several viruses that have used this in the past as a means of infection; it’s likely that, since it worked once, it’ll work again.  
  • Never reply to an email that you did not specifically ask for.  Regardless of the apparent legitimacy of any ‘unsubscribe’ links or instructions to reply to the sender to unsubscribe, any unsolicited email should be deleted immediately; if your mail provider allows you to report it as spam, do so.  Following the unsubscribe instructions will tell the spammer or scammer that the email address belongs to a real person who checks it regularly.
  • Read your emails in plain text.  Yes, this is boring.  It’s also safe, and will prevent several different kinds of hostile software from infecting your system.  Also:
  • Send only plaintext emails.  If your email “needs” pictures or fonts or special layouts, then you need a website or a blog for that.  Plain text may be boring, but it is safe; nobody yet has managed to write a virus that will infect a text file.
  • Never, NEVER, buy anything from an email link.  Any legitimate coupons will still be valid if you visit the website and go through the normal portal; any legitimate merchant will have several characteristics on their website for you to identify them.  
  • Any email that says it requires immediate action on your part, else some bad consequence will happen, is a scam.  No legitimate business, bank, or service provider will send a notification of that kind through email.  Manually open the webpage of the company and log in the way you normally do if you want to be sure; following any link from an email is a sure way to have your credentials stolen and sold to the Russian mafia.
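The point about forged headers is easiest to see on the From line, where a forged message can carry a trustworthy display name in front of an unrelated address.  The following is an added example, not code from the original post: a JavaScript helper that parses a From header value and flags a display name that names a known brand, or looks like an address itself, while the actual address sits at some other domain.  The brand list and sample headers are constructed; this is a heuristic that catches one common pattern, not a substitute for the digital signing described above.

```javascript
// Added example: heuristic check of a From header for display-name spoofing.
// The mail standard does not verify the sender, so the display name and the
// address need not agree. Brand list and sample headers are constructed.

const KNOWN_BRAND_DOMAINS = ["example-bank.com", "example-shop.com"]; // constructed

// Parse 'Display Name <user@host>', '"Display Name" <user@host>' or a bare
// 'user@host' into its parts. Returns null when the value fits neither shape.
function parseFrom(headerValue) {
  const value = headerValue.trim();
  const m = value.match(/^(?:"?([^"<]*?)"?\s*)?<([^<>\s]+@[^<>\s]+)>$/);
  if (m) {
    return { displayName: (m[1] || "").trim(), address: m[2].toLowerCase() };
  }
  const bare = value.match(/^([^<>\s]+@[^<>\s]+)$/);
  if (bare) return { displayName: "", address: bare[1].toLowerCase() };
  return null;
}

function domainOf(address) {
  return address.slice(address.lastIndexOf("@") + 1);
}

// Returns warning strings for one From header value; empty means nothing odd.
function checkFromHeader(headerValue) {
  const parsed = parseFrom(headerValue);
  if (!parsed) return ["From header could not be parsed"];
  const warnings = [];
  const senderDomain = domainOf(parsed.address);
  const nameLower = parsed.displayName.toLowerCase();

  // Display name that is itself an address at a different domain, e.g.
  // 'support@example-shop.com <bulk@elsewhere.example>'.
  const nameAddr = nameLower.match(/[^\s@<>]+@([^\s@<>]+)/);
  if (nameAddr && nameAddr[1] !== senderDomain) {
    warnings.push(`display name claims ${nameAddr[1]} but address is at ${senderDomain}`);
  }

  // Display name invoking a known brand while the address is not at that brand.
  for (const brand of KNOWN_BRAND_DOMAINS) {
    const label = brand.split(".")[0]; // "example-bank"
    const atBrand = senderDomain === brand || senderDomain.endsWith("." + brand);
    if (nameLower.includes(label) && !atBrand) {
      warnings.push(`display name mentions ${label} but address is at ${senderDomain}`);
    }
  }
  return warnings;
}

// Constructed sample From header values.
const SAMPLE_HEADERS = [
  "Example-Bank Alerts <alerts@example-bank.com>",
  '"Example-Bank Security" <notice@mail-verify.example.net>',
  "support@example-shop.com <bulk@elsewhere.example>",
  "friend@elsewhere.example",
];

function auditHeaders() {
  return SAMPLE_HEADERS.map((h) => ({ header: h, warnings: checkFromHeader(h) }));
}

for (const result of auditHeaders()) {
  console.log(result.header, "->", result.warnings.length ? result.warnings : "ok");
}
```

Only the first and last samples pass.  The second is the shape the “requires immediate action” scam usually takes: the bank’s name in the display field, the real address somewhere else entirely.  A mail client that shows only the display name hides exactly the part this check looks at, which is one more reason to read the full address before acting on a message.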

Email has made modern business possible, but has also provided a platform for many criminals to make a lot of money off of careless and gullible users.  Be suspicious of every email that enters your inbox; even if you think you know who it’s from, it may well be forged or the result of infection by hostile software.