Tuesday, January 27, 2015

Secure your device (the uncomplicated way)

There are lots of things you might do to protect your computers and Internet-connected devices, but basic, sane security doesn't have to be be a brain twister.
There are lots of things you might do to protect your computers and Internet-connected devices, but basic, sane security doesn't have to be be a brain twister. Below are a handful of simple steps anyone can take, whether you use a PC or a Mac, an Android or an iPhone, or any other form of computing device.


1. If you don't need it, get rid of it.


Software is written by people. People make mistakes (or depending on your level of paranoia, people can intentionally insert "back doors" into your computer). Some mistakes are silly (misspelled words on a screen, images that cover up text so it is impossible to read). Other mistakes are more serious - flaws in an operating system or  an Internet-enabled program may allow an attacker to gain control of your device from afar. If that program is not on your computer, it can't be used to break in.

Think of your computer as a home in a somewhat dangerous neighborhood. The more doors and windows you have, the more doors and windows you need to remember to lock, or bolt, or install bars on. More doors and windows equals more entrances for a burglar to attempt entry. More software equals more entrances for a hacker to attempt entry. 

Naturally, you need some doors - a house is useless with no way to enter, and a computer or device is useless without some software. In most cases though, you don't need an exterior door in every bedroom and bathroom. Removing doors from a home can be a pain - but removing unneeded software is as simple as using the Programs and Features menu in Windows, or the Settings center in Android or iOS.

The same idea applies to information. I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.

If you don't need it, get rid of it.


2. If you do need it, keep it up to date.


When you buy a vehicle, sometimes the manufacturer discovers a defect later and offers to fix it at no charge. Some defects are more serious than others, but in most cases it would be foolish to decline such a recall. Computer software is no different - developers often find flaws or add new features, and in most cases it is foolish to decline these updates.

Microsoft and Apple have well-developed processes for delivering software updates. You can set up Windows to automatically download and install "Critical" and "Important" updates without your intervention. iOS devices will alert you to an available update and let you choose a time to install. Many application developers likewise offer automatic updates. Turn them on, whether on a PC or a mobile device. Yes, there is an occasional update that breaks something - but the risk of not patching is far greater than the risk of a bad update.

Set your software to automatically install available updates and patches.

By the way, this applies to your Antivirus software too. Antivirus programs use several techniques to detect malicious software, and those techniques constantly evolve as the developers find new malware and new ways to detect it. Outdated AV software is only barely better than no AV at all. If you recently bought a new computer, keep that in mind: you probably got a trial version of an AV program, generally good for anywhere between 3 months and a year. Once that time runs out, it will stop updating itself unless you purchase a subscription or replace it with a fully free antivirus program.

If you do need it, keep it up-to-date.


3. If you don't pay for it, ask who does?


Do you pay to use Facebook? Or Gmail? Or Candy Crush? If you don't pay for those services or apps, who does? The email servers Google runs are expensive to buy and expensive to run. It takes a lot of electricity to power a datacenter! 

The old adage that "you don't get something for nothing" is (almost) as true with software as it is on the playground. There are exceptions: some apps are developed by students just learning and seeing what they can make. Others (such as some projects I have published) are created by people for their own benefit and then made available to the world because there was never an intent to profit.

But more often than not, if you didn't buy it at Best Buy, and didn't pay for it in an app store, you are not the consumer: you are the product being sold. An app with a million users is a valuable advertising platform, and a Facebook with a billion followers has vast amounts of information about its users. The developers are making a profit somehow.

That's not necessarily a bad thing - as long as you recognize that fact. I am willing to trade a modicum of my privacy in order to interact with family and friends in Facebook, but I temper what I share with the knowledge that it is not private. I am willing to endure seemingly sentient advertising on Google because, well, sometimes that sentient advertising in fact offers a good deal on something I actually want. But I use an entirely separate device for online banking than for web browsing because sometimes (not often, but sometimes) that advertising carries a more sinister gift in the form of malware.

In a similar vein, make sure you get software from a reputable source. Shrink-wrapped software (do they still make that?) purchased from Best Buy or Amazon is probably safe. Apps purchased from the official app stores (Apple App Store, Google Play, Amazon App Store, Microsoft Store) are by and large OK. I wouldn't trust software downloaded from Joe's BBQ and Free Software though, nor would I trust software from the non-Google app stores pre-loaded on many of the cheapest Android tablets.

And a special note: if you didn't go looking for it, don't install it. It is a near-100% certainty that any installable program sent to you without you asking is malicious.

If you didn't pay for it, ask who did?


4. Put up the shields.


Antivirus programs have gotten a bad rap lately, what with all the "antivirus is dead" reports. To be sure, AV (or anti-malware) is not a magic solution to every threat, it still has its place.

Traditional antivirus software works by looking for "signatures" - fingerprints that uniquely identify a particular file. That approach was reasonably effective when a single computer virus was repeatedly sent from one computer to another, keeping the same fingerprints. It is far less effective with modern malware that can change its appearance each time it infects a new computer. Even so, there are around a quarter billion unique malware variations in existence; those more than a few weeks old (i.e. the vast majority) will generally be detected by most antivirus programs. AV may not be effective against the very newest threats, but it works against the vast array of already-known malware. Much like a motorcycle helmet, it won't protect you from every danger, but your chances are much better with than without.

Put up the shields.


5. Change the phone book.


A content-filtering DNS service stops you from accidentally going to a website hosting malicious content.
This last item is one I hesitated to include in a Small Words Security post, since it's slightly more complicated - but it is so effective that I think it worth mentioning.

Computers use a network protocol to communicate with one another; typically this is IP, or Internet Protocol. DNS - Domain Name Service - is how your computer knows that www.google.com is actually “74.125.225.242” (or was at the time of this writing). It happens silently in the background and is usually ignored unless it stops working. The typical DNS will give a valid answer for any web site. Whether the web site is Google, Disney, Phil's Phony Pharmacy or Ingrid's Illicit Images, an ordinary DNS will respond with the correct address for that site.

There are a variety of DNS servers - Internet phone books if you will - that work slightly differently. For most websites, they answer with the correct address, but for websites known to hold malware or other undesired material, they instead respond with an address to a warning page - a page that says "you don't really want to go there."

Whether you are using an iPhone, an Android tablet, or a Windows PC, you can easily change the settings on your device to use one of these "content-filtering DNS" services. I describe several different content-filtering DNS options, as well as step-by-step instructions, in a separate and only slightly more complicated post.

Change the phone book


Now it's your turn.


Do you have any favorite tips for simple device security? Let us know in the comments section below...

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen