Safe Personal Computing

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.

General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.

Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.

Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.

Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."

Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.

Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.

Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.

Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.

Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.

Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.

Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

E-mail : Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.

Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.

Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.

Antivirus and anti-spyware software : Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."

Firewall : Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.

Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.

None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.

I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.

I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.

That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.


This essay previously appeared on CNet

Posted on December 13, 2004 at 9:59 AM • 45 Comments

Comments

Nick TDecember 13, 2004 10:22 AM

I highly recommend www.bugmenot.com as well for a security measure. For anyone not familiar with it, it's a website that has a set of bogus logins/passwords to let you get around places like chicagotribune.com that ask you for a login simply to create marketing data. There is a Firefox/Mozilla extension for it that makes it extremely simple to use. Also, if you find a site that absolutely forces you to use a real email, look into one of the sites such as mailinator.com which provides a sort of generic mail-drop.

Bill GodfreyDecember 13, 2004 10:40 AM

VMWare (or similar) is useful incase you want to run anything you don't 100% trust.

If I had my way, VMWare would be the only component of the 'host' and *everything* would run inside 'guest' sessions.

nerowolfeDecember 13, 2004 12:26 PM

To do a simple portscan of your computer (to test your firewall), google for "ShieldsUp"... It's written entirely in assembler or something weird like that, but the service has worked for me for years.

ArikDecember 13, 2004 12:53 PM

You missed the "Let a knowledgable person go over your computer every once in a while, so they can update your spyware detection software, make sure your computer is devoid of malware, delete temporary folders content and make sure the security settings haven't been altered" tip.

I see it as a sort of maintenance work. I manage my folks computers and a few friends', and once in a while I do a once-over. It takes about 15 minutes, and usually it goes without a hitch.

There should be a paid service offering you on-site computer security maintenance - one which you will pay if your machine is malware-free and if it's not the maintenance is free...

-- Arik

Roger MarisDecember 13, 2004 12:56 PM

cmd.exe one of the few things I use on a regular basis in Windows. Can't live without the command line. Why get rid of it?

Rick LobrechtDecember 13, 2004 1:37 PM

What about not running as Administrator? One of the things that greatly reduces the attack vector on Linux and Mac OSX is that the user you are normally logged in as doesn't have rights to install anything, or make any system wide changes. Do the same with Windows. Read Aron Margosis's excellent blog for tips on running as a non-Administrator. http://blogs.msdn.com/aaron_margosis If you're using XP Home, or XP Pro not a member of a domain, its even easier. Just use Fast User Switching if you need to do something as a non-Admin.

Felix_the_macDecember 13, 2004 1:46 PM


A very timely article for me since I will be seting up my brother-in-law's new PC in a couple of days!

I am surprised that you didn't tell people not to use the admin account for everyday tasks.

Any particular reason?

TimoDecember 13, 2004 2:31 PM

If you cant get rid of cmd.exe, rename it.

Why? Because it's powerfull "tool", many exloits uses cmd.exe.

Timm MurrayDecember 13, 2004 2:36 PM

Roger and Ben: I suspect both of you are at least up to the "power user" level where you're using the command line on a regular basis. In which case the advice doesn't really apply to you. However, most people never touch it. Some viruses (Code Red, for instance) make direct use of command.com/cmd.exe. If the user will never touch the command line, neither of these programs should be there.

David FayDecember 13, 2004 2:36 PM

For those who have asked about cmd.exe: I'm guessing that Bruce suggests deleting it because few users need it and it is a very common target for virii, worms, etc. to attack.

I frequently use cmd.exe so I'd never delete it. However, moving it to another directory or renaming it might suit just as well, since most malware will expect it to be at its normal location.

An interesting little anecdote: back in the days of Windows NT 4.0, I had forgotten my administrative password and needed it to install some software. Based on some advice I found quickly on the web, I backed up logon.scr and then renamed cmd.exe to logon.scr. Then I just logged out and waited 15 minutes, and presto! a command prompt appears. I then changed my password from the prompt (and running as Administrator, I was not required to know the previous one) and I was on my way again.

Anyway, that story is not really related to Bruce's suggestion. It's mostly the IIS-targeted exploits that attempt to use cmd.exe nowadays, I believe.

JCDecember 13, 2004 4:31 PM

Your advice re: the bank's SSL vs non-SSL pages isn't quite right. It's perfectly OK to put your password into a non-SSL form IF IT SUBMITS to an SSL encrypted document. The POST request will be secure, even if the initial page is not. Granted, that's a bit beyond most users, but by default all browsers do warn you when you submit to a nonsecure page.. of course, that gets removed within the first couple times most people see it.

papillonDecember 13, 2004 7:13 PM

Good list of tips, I just wanted to throw this one in as an addendum to not using the admin account for everyday stuff:

If you run an OS with multiple accounts, create a non-admin, powerless user account and name it 'Admin', give it the most difficult password your OS will handle, then never use it and make sure that your actual admin account isn't called 'Admin'

Joel ThomsDecember 13, 2004 7:20 PM

I've seen many tools that include cmd.exe. Deleting it may give a false sense of security. The cmd.exe provided by the tool will run exactly as the cmd.exe that was removed.

JojoDecember 13, 2004 9:27 PM

You ask too much of common users. The average user is not only clueless, but they don't care to learn about technology and most refuse to pay anyone to setup and maintain their computer. Computers need to be greatly simplfied for the average user before any progress on general security is going to be made.

SandeepDecember 13, 2004 11:25 PM

The average user is not aware of security issues created by their direct actions. Most assume an antivirus software and a firewall will protect them.

-Sandeep

PS: Firefox, Thunderbird?

DaveDecember 14, 2004 3:11 AM

JC: It's still a bad habit to enter passwords into non-SSL pages because you might be giving the pass to a typo-squatter or DNS hijacker unless you read the source to verify that the POST will go SSL to the expected site, with a valid cert. For most users that is an unreasonable expectation.

Wells Fargo is apparently ignorant of this issue, fortunately you can request their main page via HTTPS.

DithermasterDecember 14, 2004 9:46 AM

Warning: *Don't* try to break CD-ROMs. They shatter into flying shards and, well, you could put an eye out or something. Much better to microwave or shred them (on a device that supports that!).
///d@

Bruce SchneierDecember 14, 2004 1:09 PM

I love bugmenot.com, and use it all the time. Someone wrote a Firefox extension that automatically grabs a random password from the site.

I should have mentioned it in the article. Next time....

Noah CampbellDecember 14, 2004 3:44 PM

This isn't completely related to personal computer use, but don't store any personal information (namely address ) on a USB dongle or anything that accompanies your keys. If the keys are found by someone of ill intent, you might as well leave your front door open while you're home or office.

Karl-Friedrich LenzDecember 14, 2004 6:28 PM

What is the advantage of using a credit card instead of a debit card?

This makes sense the other way round. With a debit card, the risk is limited to the balance on that card, and the card might be anonymous.

Matt BrubeckDecember 14, 2004 7:15 PM

In the United States, consumers are legally liable for only up to $50 due to fraudulent credit card use. Debit cards don't have the same legal protection.

In other words, a stolen credit card can cost you a maximum of $50. A stolen debit card can cost you a lot more. (On the other hand, some debit card issuers limit the liability even though they aren't legally required to.)

Korben DallasDecember 14, 2004 7:50 PM

The only problem I have with this article is the following: I don't know whether I should remember it as a quintessential example of a "well-paid-for" article or as a quintessential example of an article written by a complete lamer. Most likely, the former (considering the author)

SuneDecember 15, 2004 8:59 AM

'I'm stuck using Microsoft Windows and Office, but I use Opera for Web'

Ah - the height of spineless hypocrisy.

Lorenz LangDecember 15, 2004 9:52 AM

I use a program named Startpatrol on my Win98-PC. It runs in the background and displays a warning window whenever an unknown process starts or the various autostart areas of Windows are modified by a process.

Processes can be stopped by Startpatrol and modifications to the autostart areas can be prevented.

I think it's a good addition to firewall, anti-virus and anti-spyware programs - IIRC
it's even freeware.

Clive RobinsonDecember 15, 2004 9:56 AM

In reply to Dithermaster and others about CD-ROMs

It is actually quite pointless breaking them or shreading them, the density of data they store means that quite a bit of data is still readable to somebody with the appropriate tools (which are not that expensive).

Untill the new Sony "Paper CDs" come along,

http://www.sony.net/SonyInfo/News/Press/200404/04-0415E/

(apparently they are burnable) the only effective way of removing data from CDs is "Slagging" this can either be in a sufficiently hot (and well ventilated) fire or in a microwave oven.

Two words of caution "Slagging" though, the materials used for CDs of all types decompose into some quite nasty gases that you most definatly do not want to breath in, this applies to both the fire and microwave. The second applies to microwaves, unless you want to damage it you would be well advised to do the following,

0,Get a seperate microwave oven to do it
1,Get a large plate of glass or ceramic
2,A glass or ceramic beaker/mug
3,About 1/4 pint of water.

The water goes in the beaker, the beaker goes on the plate the CD goes ontop of the beaker you do not use full power, and you watch from a safe distance. You microwave untill one of two things have happened (depends on the type of CD),

1, The reflective metal layer has burnt away
2, The CD has melted and deformed to such an extent that it is not optically usefull

If the CD starts to burn stop microwaving imediatly.

I would not advise cooking in the microwave after it has been used for Slagging as there are likley to be undesirable chemicals inside it that might be dificult to clean out.

Mike Van PeltDecember 15, 2004 1:41 PM

Besides the $50 fraud liability limit on credit cards in the US:

A debit card withdraws money directly from your checking account. Fraudulent charges can drain your account and cause you to bounce checks. Bounced check charges are typically over $20 each, and in some states, you are criminally liable if you bounce a check.


When you dispute fraudulent charges, with a credit card, your money is in your pocket, which gives you an advantage. With a debit card, the money is out of your checking account, in the pocket of the criminal, and you have to persuade the bank to give it back to you.

Scott MillerDecember 16, 2004 5:39 AM

Very good advice, I'd mention anly a couple of things:
> The difference between cash in your wallet and your password(s) is that the damage from stolen cash is limited to the face value of the bills. > Bruce shorts his own creation by not mentioning Password Safe as an alternative for securing pw. > There is at least one less than $50 device that shreds CD/DVD by scoring the reflective material - after two passes any handling of the disk results in a shower of foil "dandruff". > As of v1.3 Spybot Search & Destroy includes a real time monitor that can warn the user of attempts to change registry settings. > I would add a caution about ever allowing a browser or web page to "remember" any authentication information, even the user name. > Allowing unneeded OS services to run under Windows is an unneccessary vulnerability - turn them off. There is at least one site that has some pretty good (and understandable) advice on what to turn off and why - " www.blackviper.com ". > Agree with the comments about not running with Administrator privileges under Windows. Rename the Administrator account and run as Restricted User by default.

Scott

MarkDecember 17, 2004 7:56 AM

so if you delete the files "command.com" and "cmd.exe." wouldnt that crash your computer, also how would you get to the command prompt? Just curious.

Jim ThompsonDecember 17, 2004 9:57 AM

"*Don't* try to break CD-ROMs."

I cut my CD-ROMs and old CD-R/RWs with a pair of sharp scissors. It takes some muscle, but doesn't result in bits of plastic flying everywhere. If your scissors won't cut through the disc, try buying a pair of tin snips at your local hardware store; they're designed for tougher material.

Prashanth ReddyDecember 17, 2004 12:14 PM

Quick Question - Bruce - you have reccomended that you delete command.com and cmd.exe - is there no impact from doing this ?

Regards
Prashanth

greenflameDecember 22, 2004 12:13 AM

On the contrary everything Bruce said is
accurate.The thing about atleast two Anti-
Virus APP's especially.I run 4 of the "best"
Applications on my client's machines.Even
when it "cleans" the Malicous program it
still leaves traces all over the place.Alot
of the high end Anti-Virus suits dont even
clean the older Viruses let alone detect them.

Ive seen Buisness grade Anti-Virus App's that cost Hundred's of dollars,and they couldnt even
clean simple programs.Another thing that needs
to be stressed is that Viruses ,and especially
Spyware piggy back in on APP's that come from
even "ligit" web sites.It is simple to bind
a executable to another executable.It dosent
matter what word processor or presentation
software you use! if it has any way for a
person to embed instructions in it(VBscript,
Javascript,TCL etc..)it can be used to construct
a Malicous stack of code.

NOTE:Every time you execute a file you could
be re-infecting your Machine! and hardly any
Anti-Virus suites check for Binded stuff.You
would also be very suprised who is making
spyware now day's! the companys are usally
owned by Corporations like Time Warner,Yahoo
etc..

Not to mention Viruses that emulate ,and
embed them selves into ligitamate/important
services on your machine.You Win2000+ users
probly have more than 3 SVHOST files running right now.

mud and flameDecember 24, 2004 7:22 PM

Lest anyone panic, having more than three instances of SVCHOST doesn't necessarily mean malware. Standard installations of XP have four. 2000 has four if you're using automatic Windows Updates -- the fourth is for a service called Background Intelligent Transfer Service (BITS). Even a fifth doesn't necessarily mean a virus, though that's one possible reason.

professor fateDecember 28, 2004 4:49 PM

Bruce, if you look at the two-year-old list, the bottom point (#11) was to turn off the computer connected to the "always-on" connection when not using it. I presume turning off was recommended as a way to isolate or disconnect the computer from the Internet.

In your most recent update, that same point has moved to the top of the list, at position number #1.

There are lots of ways to disconnect a computer from the Internet. Aside from turning it off, you can unplug the data cable, turn off the modem, or get a hardware disconnection device.

The latter is a relay device from Pathlock Corp. You place it in series with an ethernet connection (from the modem or router) and it automatically disconnects. Pure hardware with no software to worry about.

shannonApril 11, 2006 3:07 PM

Hi,

I'm a student working on a project that has to do with mail security. I put together a website that talks about the problems of mail theft and fraud. www.mypostalprotection.com Through my research, I found out that only 13% of identity theft happens online. Have you ever done any research into this area of security? I would be interested to hear what your perspective is on the crimes of mail and identity theft. Please check out my website and let me know what you think.

ChantelMay 15, 2007 4:58 PM

Hi, im 14 years old and im having sport on wedesdays and tuesday
is it safe to run while the period still goin?

_EmDecember 4, 2007 5:24 PM

The one point that I disagree with to some degree is to do with passwords. It *is* possible to create unique passwords long and "random" enough to be secure, but also memorable.

All you need is some bit of text you can memorize, a simple hashing function you can memorize and some data that is unique to where the password is being used.

I use this method to generate 32 character passwords that are all unique, contain no words, yet I can (almost) instantly recall or generate them when needed. Of course, I also keep them in a highly encrypted file with a decent password protecting it as a safeguard, just in case the unique context data changes and I can't recall what it used to be.

For passwords that must be available unencrypted (due to lack of context, enforced password changes, etc.), I agree with Bruce's suggestion of writing them down -- but don't write down "Password to ebay.com account bschnier" followed by the password -- find some more creative way to hide your passwords in plain sight -- make a poem that contains one or more of them (second letter of each line makes up the password in February, third for March), or something similar. That way, someone peeking at your data has to know what it is before they can use it against you.

Boyscout44January 20, 2009 1:09 PM

I just re-read your original blog " December 13, 2004
Safe Personal Computing" and it still seems very relevant to me. Will there be/ has there been an update lately?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..