Hackers or crackers or online criminals—whatever you call them—are working every minute of every day creating new malware that scam users more effectively. But most of these threats are new arrangements of old tunes. So with the right protection and a little savvy, you can avoid just about every digital threat you face.
(Note: This article is for busy Internet users who are looking for information on how to protect their PCs and their families from malware. For more about the technical side of malware, read Alia’s excellent series “A quick & dirty guide to malware”.)
What is the threat?
The first malware typically vandalized PCs and destroyed files. But since the early 2000s, the primary motive for malware creation has been profit. Online criminals are after your banking information or your credit card numbers or your computer’s processing power. In the worst case scenario, they may even be after private information that could be used to extort you or harm your business. And these sorts of attacks generally have both financial and psychological costs.
The true costs of malware can include your data, your content, your time, your effort and your heartache.
Want a few examples of malware mayhem? Spyware tracks you for advertising purposes and slows down your computer doing so. Keyloggers monitors your every keystroke in an effort to steal your credit card information. Scareware imitates anti-virus software in an attempt to extort a quick payment from you. Ransomware takes your files and demand a ransom in return. Rootkits can turn you PC into a zombie computer and use it to send out email spam or to host illegal materials or to join in attacks on websites. There’s even a malware that exists just to create a fake login page for your bank’s website to steal your account information.
How does malware end up on your PC?
Generally you end up with malware because you installed it. And whether you installed it or not, malware can only work if the program runs without being shut down or deleted.
Malware works like most scams — it requires some conscious or unconscious help from its victims. Thus online criminals have to know more than computer coding. They have to know what mistakes users are likely to make so they trick people who have probably NEVER fallen for a scam in their real lives. And the best criminals can convince even cautious users to make one wrong click.
How do you end up downloading and installing malware? Sometimes malware gets packaged in with more legitimate software. Sometimes simply clicking on a fake error message can trigger a drive-by malware download. And you’re certainly aware of the classic method of disguising malware in an email attachment.
You put yourself at risk when you’re downloading from a disreputable source or a peer-to-peer network of strangers. Seeking out “free” stuff on the Internet can cost you time and money. And this is especially true if you’re browsing and downloading without proper protection.
How to protect yourself from malware
1. Make sure your PC is updated and secure
I hope you’re reading this sitting down because I have quite shocking news for you: the software on your PC isn’t perfect. It may contain exploits or security holes that make it possible for your machine to be infected easily. Software companies know their programs are not perfect. That’s why they release updates. Microsoft, Apple and Adobe all release dozens of updates every year. You need to make sure you have these updates on your applications running or you’re increasing your risk of infection. Our free Health Check software is a quick and easy way to make sure your PC is protected.
Of course, we also recommend always running updated Internet security that includes anti-virus, spyware and firewall. Browsing Protection is another layer of security that can keep you from clicking on the wrong links. If you don’t have Browsing Protection, you can use ours. Check any link for free.
2. Be very skeptical of random pop-up windows, error messages and attachments
Modern browsers have reduced the burden of pop-up windows. But they do still exist. Most pop-ups are far more annoying than harmful. But you might think of pop-ups like broken windows into a neighborhood you were walking through at night. It’s a sign that you should be on guard.
Avoid clicking on any pop-ups that imitate your Windows error messages or error messages that come up when you try to close out of a page. (Force quit out of the program, if necessary.) If any software begins to install itself, close out immediately and run a scan of your Internet security software. You can also use our Online Scanner for free.
Avoid opening attachments at all unless you were expecting them and they come from a source you trust. If you can’t verify the source or feel anxious about a particular attachment yet have to open it, you can download it to your hard drive and have your updated Internet security scan the file before you open it.
3. Remove spam from your life
If you get a piece of spam, let your mail software know. Identify it as spam. You could also unsubscribe but unsubscribe link have been used on rare occasions to trigger a malware attack. Better to let your software handle it. If you have a friend on Facebook who spreads spam or bad apps, let them know. And if they continue spreading spam, unfriend them. You are responsible for your social network. Refuse to associate with those people who are not responsible for theirs.
4. Think thrice before installing any new software
Installing software should never be an impulse decision. Some people say think twice before downloading any software from a source you do not trust 100%. I say think three time.
At the very least, Google the name of a product you want to install. If you’re at all uncertain about whether to click download, consult with a tech savvier friend or your company’s IT guy.
When you install software, you could invite in a nasty predator that won’t leave until it’s done some serious damage. So think about installing software with a bit of the same sort of caution you use when deciding to let someone into your home.
5. Behave online as you would in real life
There’s an old saying in my family: “Don’t go licking the floors of a hospital.” What it means is: “Use your common sense.” You have a natural sensor in your brain that tells you when something feels dicey or unsafe. Trust your gut.
With the right software running and a willingness to step back when you feel uncertainty, you keep your PC and your life malware free.
CC image by Anonymous9000
It's like a press conference anyone can join from anywhere. And even if you don't have a question, you can upvote the ones you don't like and downvote the ones you do. President Obama did one. Snoop Dogg/Snoop Lion did one. An astronaut did one from outer space. And our Mikko Hypponen will sit down for his second Reddit AMA on December 2 at 9 AM ET. If you have something you've wanted to ask him about online security, great. If not, here are five resources that document some of Mikko's more than two decades in the security industry to prod you or prepare you. 1. Check out this 2004 profile of his work from Vanity Fair. 2. Watch his 3 talks that have been featured on TED.com. [protected-iframe id="7579bbf790267cc081ac7d92d951262c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="fdf818f4afa2f7dcb179c5516c44918c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="54be2fe9bce28ae991becbe3d4291e56-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] 3. Check out his first AMA, which took place just after his first talk at TEDglobal was published. 4. Take a trip to Pakistan with Mikko to meet the creators of the first PC virus. [protected-iframe id="8c0605f62076aa901ed165dbd3f4fcd7-10874323-9129869" info="//www.youtube-nocookie.com/v/lnedOWfPKT0?version=3&hl=en_US&rel=0" width="640" height="360"] 5. To get a sense of what he's been thinking about recently, watch his most recent talk at Black Hat "Governments as Malware Creators". [protected-iframe id="54b24406f022e81b15ad6dadf2adfc93-10874323-9129869" info="//www.youtube-nocookie.com/v/txknsq5Z5-8?hl=en_US&version=3&rel=0" width="640" height="360"] BONUS: Make sure you follow him on Twitter to get a constant stream of insight about online security, privacy and classic arcade games. Cheers, Sandra
Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good. Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.
On Tuesday Apple announced its latest iPhone models and a new piece of wearable technology some have been anxiously waiting for -- Apple Watch. TechRadar describes the latest innovation from Cupertino as "An iOS 8-friendly watch that plays nice with your iPhone." And if it works like your iPhone, you can expect that it will free of all mobile malware threats, unless you decide to "jailbreak" it. The latest F-Secure Labs Threat Report clears up one big misconception about iOS malware: It does exist, barely. In the first half of 2014, 295 new families and variants or mobile malware were discovered – 294 on Android and one on iOS. iPhone users can face phishing scams and Wi-Fi hijacking, which is why we created our Freedome VPN, but the threat of getting a bad app on your iOS device is almost non-existent. "Unlike Android, malware on iOS have so far only been effective against jailbroken devices, making the jailbreak tools created by various hacker outfits (and which usually work by exploiting undocumented bugs in the platform) of interest to security researchers," the report explains. The iOS threat that was found earlier this year, Unflod Baby Panda, was designed to listen to outgoing SSL connections in order to steal the device’s Apple ID and password details. Apple ID and passwords have been in the news recently as they may have played a role in a series of hacks of celebrity iCloud accounts that led to the posting of dozens of private photos. Our Mikko Hypponen explained in our latest Threat Report Webinar that many users have been using these accounts for years, mostly to purchase items in the iTunes store, without realizing how much data they were actually protecting. But Unflod Baby Panda is very unlikely to have played any role in the celebrity hacks, as "jailbreaking" a device is still very rare. Few users know about the hack that gives up the protection of the "closed garden" approach of the iOS app store, which has been incredibly successful in keeping malware off the platform, especially compared to the more open Android landscape. The official Play store has seen some infiltration by bad apps, adware and spamware -- as has the iOS app store to a far lesser degree -- but the majority of Android threats come from third-party marketplaces, which is why F-Secure Labs recommends you avoid them. The vast majority of iPhone owners have never had to worry about malware -- and if the Apple Watch employs the some tight restrictions on apps, the device will likely be free of security concerns. However, having a watch with the power of a smartphone attached to your body nearly twenty-four hours a day promises to introduce privacy questions few have ever considered.