Com-Central.net

Maximum Security: 94 Essential Tips for Staying Safe
11.02.05


By Michael J. Steinhart

How security-savvy are you? Many users simply aren't. Your machine may have come with an antivirus program preinstalled, but is the subscription up to date? Are you running a firewall of any kind? Are you conducting regular spyware and adware scans?

Or do you not mind hackers and unscrupulous marketers mining your PC for personal data?

We're always telling you about the latest and greatest security products, but at the core of any strategy must be common sense, healthy skepticism, and a willingness to learn. If money's tight, there are plenty of free resources that can help you protect your system or systems. It doesn't hurt to have some experts on your side, either, and that's where we come in.

We've collected dozens of our best security tips and pointers, broken down by category: system, networking and wireless, e-mail, Web surfing, malware, and mobile. Whether you're a novice or a seasoned user, you'll find plenty of valuable advice for shoring up your defenses and maximizing your security.

System Security
11.02.05
Get in the Zone


Safe Out of the Box

New computers are often the most vulnerable to Internet and e-mail–borne attacks. Before you connect a new machine to the Internet, make sure that it is protected by a firewall and patched to the greatest extent possible. And if you're giving a PC or laptop as a gift this year, secure the machine before you give it to a novice user.

Put up a hardware firewall. Ideally, the PC is on a network with a hardware firewall. This will ensure that the devices behind it are protected against most attacks. If the PC is not on a network, purchase a firewall device. Any of today's home wireless and wired routers provide some firewall functionality.

Put up a software firewall. You'll also want a software firewall on each PC, to further block hack attacks and protect against misbehaving applications. Windows XP comes with a partial solution; you should make sure it's enabled until you get a better one. Prior to Windows XP Service Pack 2, it was called the Internet Connection Firewall (ICF), and it's pretty bare-bones. The firewall in Service Pack 2 (called the Windows Firewall) is much better, but it still prevents only inbound unwanted traffic. You really want a two-way firewall, such as ZoneAlarm Pro or Norton Personal Firewall, to stop unwanted outbound traffic�for example, attempts by spyware to send personal data to its creators.

Install SP2. Windows XP Service Pack 2 fixed many security holes in XP and improved the operating system's patching tool. The safest way to update a system to SP2 is to order a CD from Microsoft or download a complete copy of the service pack from downloads.microsoft.com to an already updated system, then burn it to a CD and put it on the new computer. If you have enabled the ICF, you can feel safe enough to go to the Windows Update site (www.windowsupdate.com) and install SP2 on the new computer.

Watch out for malware. Even with a firewall in place, you need to be wary of virus-infected e-mails, Web pages that exploit browser holes, and adware you could install unwittingly off the Web. Install an antivirus program and update it before surfing the Web casually or setting up e-mail. Set the antivirus program and Windows to retrieve and install security updates automatically. When your update subscription runs out, resubscribe. If a newer version of the antivirus software is available, upgrade. Out-of-date antivirus protection is no protection at all!

You've got adware. It's possible your new machine may come preloaded with adware, so you may want to install a good antispyware product, such as Spyware Doctor from PC Tools or Webroot Spy Sweeper, and scan the system before going online.

How suite it is. The easiest way to protect yourself and ensure the apps doing the job don't conflict with one another is to get a package, such as ZoneAlarm Security Suite, that includes antivirus, antispyware, antispam, and firewall.

Protection on the cheap. There are several good, free antivirus filters and software firewalls available, such as avast! 4 Home Edition and ZoneAlarm 6 free. Generally they're only for personal use, and they aren't quite as easy to configure as the commercial products. (Check out "Web Resources" by visiting go.pcmag.com/freeware.)

System Security

Restrict Access

Windows XP's User Accounts applet offers two levels of user security: administrator and limited. An admin account lets you do anything on the system, which leaves you at risk for any malicious program installing code at will. The limited account does not allow program installation or changes in system settings.
Restrict Access

Limit yourself. By default, XP asks for a user name on installation, assigns it administrator privileges, and boots directly into that user from then on. But you can set up a limited account by clicking on Start | Control Panel | User Accounts. Select Create a new account, and name the user. Click Next and select Limited user on the Account Type screen, then click Create Account. Use the limited account for day-to-day activities.

Set a password. For increased security, assign a password to every account with administrator privileges. From the User Accounts screen, click on the user and select Create a Password. Follow the wizard and add a password to the account. Don't use an obvious password such as "password," "admin," or your username.

Doors are locked. Some people don't want to set a password because it slows down the log-on process. But password protection is absolutely essential. If you're sure your system is in a safe location, however, you can use Microsoft's TweakUI PowerToy (www.microsoft.com/windowsxp/downloads) to log on to a specified account automatically. Click the plus sign next to Logon, select Autologon, choose Logon automatically at system startup, and specify a username and password. Note that an office is not a safe place. We recommend this only if you trust all your housemates and visitors, and if your PC is always in a secure location.

Quick fix. Unfortunately, the limited user account makes some applications, such as games, difficult or impossible to run. But you can log on as a limited user and still use incompatible programs by using the Run with different credentials option. First install the app. Windows may balk if you try to install from the limited account, in which case you have to log out and log back on as the administrator, or it may just ask for an admin's username and password. Once it's up and running, log off and log on to the limited user account. The app should run properly, but if it doesn't, right-click on its shortcut or menu item, select Properties, and click the Advanced button on the Shortcut tab. Now check the Run with different credentials box and click OK.

Note that Windows won't let a Limited user change a shortcut that's shared by all users. If an "Access denied" error message pops up when you click OK, cancel your changes and right-drag the shortcut to the desktop, choosing Copy. Now edit the resulting local shortcut as described above. When you double-click on the icon, you'll get a log-on dialog telling you to enter a username/password that has administrator rights.

System Security

Get in the Zone

Even if Internet Explorer isn't your default browser, its rendering engine is used for everything from the Windows Explorer file manager to the Active Desktop. So you're still exposed to any threat that exploits IE security holes. We recommend using security zones to manage the Internet, but by default the local machine, or "My Computer," is not available from the zone settings. You can, however, set a value in the Registry to make it available.

Close all browsers and instances of My Computer or Windows Explorer, then open RegEdit (Start | Run, type in regedit and press Enter). Navigate to the Registry key: HKEY CURRENT USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0. (Right-click this key and choose Export to create a REG file that you can launch to undo your changes if necessary.)

Find the value Flags and double-click on it. In the editing window, change the value to 1. Click OK and exit RegEdit.

Once you've made the change, go to Control Panel, open Internet Options and choose the Security tab. Select the My Computer content zone (you may have to scroll to the right) and then click on Custom Level to make changes. Be careful; security changes may affect the way some programs work. When in doubt, set IE to alert you rather than block questionable events.

System Security

Rolling Back Time

Use System Restore. Windows System Restore (in Windows Me and XP) lets you roll back the system settings and critical files if installing or uninstalling a program causes problems. The tool sets restore points on a regular basis and creates additional points before apps and drivers are installed. When your security tools can't clean an infection, try restoring your system to an earlier time before the malicious app arrived.
Rolling Back Time

To verify that System Restore is running, go to Control Panel | System and choose the System Restore tab.

System Restore for Windows 2000: Win 2000 doesn't include System Restore. You can, however, replicate much of its functionality. The Windows 2000 Backup program (Start | Programs | Accessories | System Tools | Backup) has a System State option under the Backup tab. On a normal Windows 2000 system, this backs up the boot file, the COM+ class registration database, and the Registry.

Disable System Restore temporarily (XP). Unfortunately, antivirus and antispyware tools cannot clean infections from restore points, so even if you've cleaned out some malware, a rollback may bring reinfection. We've also seen infected restore points cause the security software's alarms to go off at each scan. To stop this from happening, you'll need to disable System Restore.

From the System Restore tab (Control Panel | System) check Turn off System Restore on all drives. This will delete all restore points. After the cleanup, turn System Restore back on. Just repeat these steps and uncheck the box.

System Security

Using Safe Mode
Using Safe Mode

Starting your computer in Safe Mode is often one of the only ways to regain control after a crash or a virus or spyware attack. Windows usually blocks you from deleting any files that are currently running (including malicious software), and malware often makes sure it loads at start-up. Safe Mode bypasses many drivers and start-up programs; by going into this mode you may be able to remove the offending apps. (We've also found that simply booting into Safe Mode and then rebooting back into Normal Mode may make an unstable system more reliable.)
Getting to Safe Mode

To enter Safe Mode, you need to coax Windows into displaying the Startup menu. Depending on the version, this menu offers Normal or Safe Mode, and sometimes Safe Mode with networking, command prompt, and other options.

Getting to Safe with F8. You can get to the Startup menu by pressing a hot key during boot time, or using the System Configuration Utility (MSConfig, not available in Win 2000).

Typically, you enter Safe Mode by pressing F8 after powering up. Some systems may prompt you to start tapping the button at a specific time in the boot sequence with a signal, such as a small line or square in the upper left corner of the screen, or with a beep. Whatever the signal, when you receive it, press F8. If your BIOS is set for quiet mode, though, you probably won't see the signal.

Safe Mode the MSConfig way (XP). If you're using Windows XP, choose Run from the Start menu, type msconfig and press Enter. Select the BOOT.INI tab, enable the /SAFEBOOT option and click the OK button. If you're going to need network or Internet connectivity, check NETWORK here, too. When the system asks you to restart, click Restart and Windows will boot into Safe Mode. To restart in normal mode, reopen MSConfig, select the BOOT.INI tab, and uncheck /SAFEBOOT, then select the General tab and check Normal Startup.

System Security

Extend Your View

Malware files often use double extensions. By default, Windows hides file extensions; this feature may help a malware file trick you into thinking it's safe to open. A virus named prettywoman.jpg.exe, for instance, would appear as prettywoman.jpg. Change your settings to see the real extensions.

In Windows XP/2000, open My Computer, then click on Tools | Folder Options. Select the View tab, look for the heading Hide extensions for known file types, and uncheck the box.

Network & Wireless Security
11.02.05
How Secure Are You?


How Secure are You?

Get a checkup. Vulnerability scanners probe computers on the network for potential security holes, and some even give you instructions on fixing them. There are many excellent commercial scanners, such as Retina from eEye ( www.eeye.com ), the ISS Internet Scanner ( www.iss.net ), and AppDetective by Application Security ( www.appsecinc.com ), which scan for a large number of known problems and are updated as new issues are discovered. You can specify a particular system to scan or, if you give the tools an address range, they will find all systems and scan them for you.
How Secure Are You?

These are probably overkill for a home network. Instead, you could try the NeWT security scanner, a free tool from Tenable Network Security ( www.tenablesecurity.com ). Microsoft also offers a free tool, the Microsoft Baseline Security Analyzer ( www.microsoft.com/tech...ahome.mspx ), which scans single systems or systems across a network for common misconfigurations and missing security updates. If you administer a business network, you should use these free tools in addition to a commercial scanner.

Scan from within and without. Scans run inside the network probe for vulnerabilities from the perspective of a user already logged on. If you have a firewall in place, your internal environment is protected from many outside threats. Run the scanner from outside your network and tell it to scan your outside IP address. Look for open ports and make sure they're all being used for the applications you want.

Be cautious. Vulnerability scanners can generate a flood of warning messages, many of them doing nothing more than telling you that you did something (like open port 80 on your Web server) that you plainly intended to do. So don't assume the scanner knows more than you, especially when it gives the warning a low priority. Take advice from these programs as suggestions, not orders.


Network & Wireless Security

Wireless? Go WPA

Even the people who designed WEP (Wired Equivalency Privacy, the first-generation wireless security protocol), admit that it's a weak protocol that's easily outwitted. The next generation, WPA (Wi-Fi Protected Access), is a much better solution, but it's not necessarily available for your old Wi-Fi equipment. Linksys, for example, includes WPA support in all its 802.11g equipment, but added it to only a few of the older, 802.11b devices. See "Wireless Security: WPA Step by Step" at go.pcmag.com/WPA to learn how to upgrade your equipment to WPA.

WPA provides enterprise mode, in which users enter individual usernames and passwords that are checked by a special server, and personal mode, where everyone uses the same shared password. That password is used as a key for encrypting all the data on the network. In our experience, we've found that all home users and almost all small businesses will get along fine with the shared password mode.

A relatively new WPA2 that implements even stronger encryption than WPA is beginning to appear in products. The improvements are benign overkill for home users, but WPA2 is backward-compatible with WPA, so there's no reason not to buy it.

For the best protection, use a passphrase of at least 20 characters and write it down somewhere safe.

Network & Wireless Security

Avoid Windows Messenger Spam

If you're using Windows XP or Windows 2000 and connect directly to the Internet, you can fall victim to Windows Messenger Service pop-ups. This is not related to any instant messaging app, but to an arcane network utility called Net Send.

The Net Send message service was used by network administrators to send pop-up messages to all users (like "The server's going down in 5 minutes, so save your work and shut down"), and to let users send notes to one another.
Avoid Windows Messenger Spam

By default, Windows XP and 2000 both have this service running when you start your computer, with the result that when you are connected to the Internet, anyone who knows your IP address can send you a pop-up message that looks like a Windows alert, not an ad. Some spammers scan through a series of Internet addresses and find computers that have this service turned on. When they find one, they send it a message.

Turn off Net Send. In Windows 2000 and XP, you can turn off the Messenger Service by clicking on the Start button, then selecting Run and typing Services.msc. Press Enter. In the Services window, scroll down to the Messenger entry. Double-click on it to bring up the Messenger Properties window. First click the Stop button to end the Messenger Service. Once the Service status is tagged Stopped, click on the Startup type drop-down box and select Disabled. Now click on OK. You will be brought back to the Services window, and the Messenger Properties window will now say Disabled under Startup type. Close the window and you're done.

Or keep it on. The fix above can eliminate the problem, though it can sometimes get in the way of legitimate application alert functions from antivirus programs, print spoolers, or a UPS device.

If you find that you must keep the Net Send Messenger Service running, you can block external messages using a firewall. When using a hardware or software firewall, block inbound NetBIOS and UDP protocol broadcast traffic. When setting up a personal firewall, such as ZoneAlarm, you may need to create exceptions for your own subnet, or for individual machines with which you want to share data.

Network & Wireless Security

Working on the Chain

Some browser hijackers insert themselves into the Windows Winsock (Windows Sockets) component�the mechanism that applications use to make Internet connections�and when they're removed they leave the component broken and unable to connect.
Working on the Chain

The new Winsock 2, installed by upgraded versions of Internet Explorer and native to Windows XP, incorporates a feature called Layered Service Provider (LSP), which allows third-party vendors to insert their own code�for monitoring or content filtering�into the Winsock data stream. The feature is also used by spyware companies to facilitate their own monitoring. When a legitimate program (such as Net Nanny or Cybersitter) is uninstalled, it patches up the Winsock. Spyware products don't always extend the same courtesy.

When the Winsock is broken, you may be able to use IM but not e-mail and Web browsing. This odd behavior makes troubleshooting difficult, because you're connected to the Internet and you have an IP address, but the browser still won't work.

The easiest way to fix the broken chain is to use a freeware utility called LSP-Fix. This utility is primarily for Windows 98, though it works on Windows Me, 2000, and XP. It is available from Counterexploitation, a Web site dedicated to identifying and removing spyware, adware, and other malicious programs, at www.cexx.org/lspfix.htm. LSP-Fix works by "reconnecting" the disconnected layers in the Winsock stack. In most cases it can repair the damage without further problems.


E-mail Security
11.02.05
Don't Get Attached


Don't Preview

We all know we shouldn't open unknown attachments, but having the message preview pane enabled in Outlook or Outlook Express can automatically open messages that may infect your system. Note that if you have Service Pack 2 installed (as we recommended in the first section), Outlook and OE do prevent many problematic items from displaying in the preview pane, but it's safer to disable it entirely.

In Outlook Express, select View | Profiles | Preview Pane and turn it off.

In Outlook 2000, select View | Preview Pane (it's a toggle, click on, click off).

In Outlook 2003, select View, then Reading Pane, and click Off.

E-mail Security

Don't Get Attached

Block attachments in Outlook. Not opening attachments is probably the best way to prevent infection. Outlook 2003, Outlook 2002, and Outlook Express 6 come configured to block dangerous attachments automatically; in Outlook Express you can turn the blocking off, but in Outlook 2003, it's always on. You can also update Outlook 98 or Outlook 2000 to include attachment blocking.

Block attachments in OE6. If you're using Outlook Express 6 and extension blocking is off, click on Tools, then select Options. Select the Security tab, and click the check box for Do not allow attachments to be saved or opened that could potentially be a virus.

Early warning. In Outlook Express, check the box marked Warn me when other applications try to send mail as me for a little extra protection.

Add to the block list. What about ZIP, PIF, and other file formats that could hide malware? These aren't stopped by default, but the Microsoft Knowledge Base article at support.microsoft.com/kb/837388 describes how to add extensions to Outlook's block list; unfortunately, it doesn't work with Outlook Express. The technique requires editing the Registry, but it is basically the same for Outlook 2000, 2002, and 2003.

Here are the steps for home users (non-Exchange environments) using Outlook 2003. For Outlook 2000, substitute a 9.0 for the 11.0 in the HKEY. For Outlook 2002, substitute 10.0. We recommend backing up this Registry key before using the editor.

Click Start | Run, type regedit, and then click OK. Locate and then click the following key: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security. On the Edit menu, point to New | String Value. Type Level1Add, and then press Enter. On the Edit menu, click Modify. Type <, then a list of the attachment file extensions (separated by semicolons, not spaces), then >. For example, you would type .zip;.pif if you wanted to block both formats from appearing in the e-mail message as an attachment. The value string would look like this: <.zip;.pif>

Unblocking files. If you need to open up access to a blocked attachment, you can use the Level1Remove key. Surf over to Slipstick Systems (www.slipstick.com) for instructions and a full list of the blocked extensions, as well as a list of tools that let you add or remove attachment blocking without editing the Registry.

E-mail Security

Return to Sender

Clever spoofs. An unwelcome side effect of the latest worms is the barrage of undeliverable mail. Many viruses use "undeliverable" or similar messages in the subject line so users will be duped into opening the message and infecting their machines. Also, e-mail viruses deliberately spoof the return address when sending themselves to a harvested list. This prevents legitimate nondelivery messages from alerting the victim to the virus's presence�and dumps irrelevant nondelivery messages on the owner of the spoofed address. In either case, delete the message without opening it.

Check the header. If you think that it might be from a legitimate address, right-click on the message line in the Outlook Inbox and select Options to view the header (do not double-click, or you'll open the message). In Outlook Express, right-click, select Properties, and choose the Details tab.

Even though the header seems indecipherable, you can use it to find out whether a real correspondent bounced back the message. Check the To: area for a legitimate e-mail address; if you find one, this is a real undeliverable response for the server where that e-mail was sent.

E-mail Security

Certified Mail

How do you know that e-mail from your mom is really from her? You don't. E-mail doesn't have any built-in authentication. There are efforts under way to add authentication between e-mail servers, but personal authentication options have been around for years. Your mom just needs her own digital certificate.
Certified Mail

Buy a certificate. When you receive a message that is digitally signed, it comes with a seal icon. Double-click on it, start exploring, and you'll find information about the sender, and, potentially, a certificate authority. This is a company that issues certificates (typically for a fee) and vouches for the information in them. To get a certificate in Outlook, click Tools | Options and go to the Security tab. Click the Get a Digital ID… button near the bottom. This will open the browser to a Microsoft page with information on digital certificate vendors.

Or get one free. There are tools you can get for free to generate unique certificates, but if they are not held by a public authority, all they can prove is that the message wasn't tampered with. A better idea is to visit thawte (www.thawte.com), a subsidiary of VeriSign that offers personal certificates for free.

Certification pays. Digital certificates let you encrypt message contents and prove that they have not been tampered with, and AOL Instant Messenger (among other apps) can use your certificate to authenticate your ID.

Use Outlook for encryption. S/MIME (or Secure Multipurpose Internet Mail Extensions) is the standard for encrypted and "signed" e-mail. All recent versions of Microsoft Outlook and Outlook Express, Eudora, and Netscape Messenger support it, but no product makes working with certificates easier than Outlook.

E-mail Security

Something's Phishy
Clever Spoofs

When searching for bargains on the Internet, be very skeptical of sites with which you don't have a relationship and which you don't know from reputation. Scammers put a lot of work into search-engine placement to attract deal-hunters. Links to these shady stores lead to a checkout screen asking for the card name, number, expiration date, and CVV (card verification value). After you provide the information, you're brought to a page that says an error has occurred and you should pay by postal money order. This means some victims could actually lose their credit card information and the value of the money order.

E-mail Security

Don't Be a Spam Magnet

Spammers make money not just by spreading advertisements, but by reselling their lists, and the more live people on the list, the more valuable it is.

Don't buy it. The worst thing you can do is buy something from a spammer. It puts you on a list of "real live ones."

Don't unsubscribe. Don't click the Unsubscribe or Click here to be removed from our list links at the bottom of spam messages. Doing so lets spammers know your address is valid. Note that many legitimate sites�such as e-tailers�also provide an unsubscribe link with their e-mail messages, and those are honored.

Don't open or preview. Spammers can confirm your existence when you open an HTML spam message. Through images on the page, or "Web bugs," the spammer's server gets alerted that you opened the e-mail. The latest versions of Outlook and Outlook Express address this by not downloading images unless you tell the program to do so. If you don't know the sender, don't get the pictures.

Web-Browsing Security
11.02.05
Get Inside


Internet Explorer's default settings, while allowing you to enjoy all the Web has to offer, can sometimes be too open. Here are some ways to tighten up IE's security.

Web-Browsing Security

Get Inside

Open Control Panel | Internet Options to access Internet Explorer's settings. In the Internet Properties dialog, select the Security tab, then click on the Custom Level button. You can scroll through all the available settings. In each instance, you have the option of Enabling, Prompting, or Disabling the function.

Disable by default. In most cases, it's best to disable something questionable. If you choose to be prompted, you may end up with many more annoying alerts than you've encountered in the past.

Prevent pop-ups. Completely preventing active scripts from running is a drastic move, as many sites use scripting for legitimate purposes. However, if you frequent sites that pop up dozens of extra windows, try this: Scroll down the Security Settings list to Scripting and disable all settings (in IE 6, it's three settings). You may also want to disable ActiveX controls; certainly don't automatically enable them. You can also block signed controls (which have a valid certificate) or unsigned ones. In Medium security mode, unsigned controls are disabled, signed ones are allowed.
Get Inside

Establish trust. What if you want to disable scripting for most pages, but want to look at PCMag.com or eBay without a flurry of alerts? IE has settings that let you manage these "trusted" sites without compromising general security. To add often-visited Web sites to the Trusted category, choose Tools | Internet Options from the menu and click the Security tab. You will see icons for several "Web content zones." Click on the "Trusted sites" zone icon, and then click on Sites. Type in the domain of the trusted site, such as ebay.com, and click Add. You may need to uncheck the box titled Require server verification (https:) for all sites in this zone. IE will prefix the domain with the "*" wildcard character, though you won't see it until you exit and reenter. When you're done, click on OK. Trusted sites get a Low-level security rating, which allows downloading content such as ActiveX controls and plug-ins, cookies, and all scripting. IE will still block unsigned ActiveX controls.

Why am I still getting alerts? If you've set scripting and ActiveX control downloads to Prompt, you may still get warnings on trusted sites. This is usually because the site supports banners or ads that are hosted by nontrusted domains.

Web-Browsing Security

Be Different

Switch browsers. Most virus, worm, and spyware writers go after the largest targets. That's the primary reason they tend to attack Windows and Internet Explorer. An easy step to reduce your risk is to switch to the free browser Firefox, or to Opera (which is now ad-free, too). Moving to a lower-profile browser isn't a magic bullet, though, so keep your security settings on the alert.

Switch OSs. A more radical step, but worth consideration, is to move off the PC platform entirely and buy a Mac, or use Linux, which runs on most existing hardware. It's questionable whether these non-Microsoft products' code is any more secure, but simply because they move below the radar they're less susceptible to attack.


Web-Browsing Security

Change Your Layout

A fairly common technique used by phishing attacks changes the URL displayed in the Internet Explorer address bar by popping up a tiny window over it with the false address.

One of the reasons this works is that the address bar is usually in its default location. If you move the address bar, the window still pops up, but it's obvious that it's a false address, because it appears in the wrong place.

Move it. You can move any of the menu or button bars in Internet Explorer by clicking and dragging the vertical line of dots at the left end of the bar. If you have trouble moving these toolbars, they may be locked. Right-click on an empty toolbar area and uncheck Lock the Toolbars.

Web-Browsing Security

Don't Get Jacked

Browser hijacking is one of the most common ailments facing home and corporate users. You surf to a site, and all of a sudden, your browser defaults to a specific search engine and your home page is different. The scammers responsible even monitor the results of targeted advertising (usually in the form of pop-ups) in your browser.

Most of these annoying pages are just pushing a product or service, but some hijackers are accompanied by Trojan horses and backdoors that let vendors download updates and collect keystrokes and other data.

Be skeptical. Most hijacks come through user interaction. If you get a pop-up asking you to download a special viewer, free software, or, in its simplest form, change your home page, click No or close the window.

Stay updated. Make sure you've got all the Windows updates and that your antivirus program has the latest signatures. Most can stop these hijacking Trojans at the front door.

Clean up. If you fall victim to a hijack, use a spyware scanner (such as the free Micro-soft Antispyware beta, Spy-Catcher Express, Ad-Aware, or Spybot Search & Destroy) to root out the bad code.


Anti-Malware Security
11.02.05
Fakes A-Poppin'


Changing Antivirus Protection

Most antivirus products provide a year of updates once you open the box, with the option to buy extended update plans. But sometimes you may want to switch to a new product, either by the same or different vendor. Remember, antivirus products don't coexist well. Even if a product is out of date, if it is configured for on-access scanning, it is "watching" your file and Internet access. Many also use an e-mail proxy, which redirects incoming and outgoing mail through a scanner, all of which can either conflict with new antivirus products, or at best, hurt performance.

Out with the old. Uninstall and remove your old antivirus before installing the new product. If your old software is reasonably up to date, do one last scan before uninstalling to be sure to start clean. It's especially important that your software firewall (or at least the Windows Firewall) be active during that time period from when you uninstall one product to when you install the other.

In the meantime. If the old software is more than a week out of date, use an online scanner, such as Trend Micro's free HouseCall, McAfee's Stinger tool, or Panda Software's ActiveScan (see Web Resources for Getting Rid of Malware for more free apps). Before you uninstall, close all Web pages and your e-mail client to minimize exposure.

Disable first. You may get a warning to disable the antivirus before uninstalling, which you can do with most products by right-clicking on the icon in the system tray (next to the clock in the lower right of the screen). If the product asks whether you want to delete the quarantine or backed up files, say yes, as the new AV will probably find them when it installs.

In with the new. Install the new product and update its definition files immediately. Do a full drive scan. Finally, make sure that the on-access scanner is enabled.


Anti-Malware Security

Fakes A-Poppin'

What do you do when you get a pop-up warning out of the blue that you might have a security problem? The scammers behind what purports to be security software like to take advantage of nervous users. Clicking anywhere in this ad, whether on the phony "Yes" or "No" buttons or anywhere else, takes you to the vendor Web site, where you can download their product. Our advice is: Ignore these messages and close the windows immediately by pressing Alt-F4.

Unmask the impostor: These pop-ups look very much like Windows dialogs and even menus. How do you recognize that a window is really a pop-up ad?

First, even if a window presents a dire message, don't panic. If you look at the title bar and status bar, the top and bottom of the window, you can tell that it is an Internet Explorer window. This is a clue, but not conclusive proof that the window is not a security warning.

Full proof. If you're still curious, though, right-click on it and select Properties. You should be able to see the originating site. A real IE-based dialog box from Windows would have a nonstandard address starting with something like res:. A Web ad will have an ordinary URL.

Anti-Malware Security

Spyware-Fighting Tools
Spyware-Fighting Tools

Pop-ups be gone. Google, MSN, and Yahoo! all offer free pop-up blockers. Opera and Firefox have ones built in, and Windows XP Service Pack 2 adds one to Internet Explorer. Many good antivirus suites now also come with pop-up blockers, so there is no need to actually buy one. But use a blocker from a company that you trust.

Tougher threats. Rogue or suspect anti-spyware programs advertise through the very pop-ups that they claim to remove, and often badger a user with high-pressure tactics.

One of the hallmarks of these products is that they are free to download and scan, but if you want to clean your system, you must purchase a license. Some of these will produce false positives, claiming spyware infections to further convince you to buy. The most insidious of the lot, dubbed extortionware, uses malicious installations, blocks removal, and sometimes causes connectivity problems, unless you buy the product. A few of these rogue products will actually be spyware themselves, recording data and reporting back to their vendors' sites.

How do you tell the difference? As a general rule, if a vendor uses a pop-up ad to advertise that it rids your system of pop-ups and spyware, you should consider it suspect. Although some good commercial antispyware products offer free scans, legitimate ones will not state in an ad that they already detect an infection.

Get help. SpywareWarrior.com lists over 90 applications that have been tested or are suspected to be of unknown or dubious value as spyware protection. Also check out SpywareGuide (www.spywareguide.com), which offers information and tips.

Read the fine print. Keeping your system clear of spyware, adware, and malicious programs takes diligence and awareness. Pay attention to requests to download software to your machine. Don't agree to anything until you read the End Use License Agreement (EULA). If something sounds fishy, close the browser.

Anti-Malware Security

Here's Your Host
Here's Your Host

When you type in a Web address, such as www.pcmag.com, the browser contacts a central DNS (Domain Name Services) server, which looks up the site and translates it to a numeric IP address. But every copy of Windows has a mini-DNS called the hosts file, and the browser checks that first before reaching out to a DNS server somewhere on the Net.

This hosts file is a favorite target for viruses, spyware, and browser hijackers, which can, for example, use the hosts file to direct all requests for Yahoo! or Google to their own search page by listing the domains, but pointing them all to a single IP address. Some viruses and worms use the hosts file to block access to antivirus sites, too, pointing their domains to your own system, represented by the Localhost address of 127.0.0.1.

Fixing a hosts file is actually pretty easy�you just edit it in Notepad. You'll find it under the Windows folder. In Windows XP, it's in C:\Windows\System32\Drivers\Etc; in Windows 2000, it is C:\Winnt\System32\Drivers\Etc.

The lines in the file that begin with pound (#) are comments, so the only active line is the last one, which directs Local-host to the IP address 127.0.0.1.

Hosts that have been hijacked may look like this:

66.250.107.100 msn.com

66.250.107.100 www.msn.com

66.250.107.100 search.msn.com

66.250.107.100 auto.search.msn.com

Any attempt to access MSN would open up this alternate page.

It could also look like this:

127.0.0.1 localhost

127.0.0.1 liveupdate.symantec.com

127.0.0.1 update.symantec.com

127.0.0.1 download.mcafee.com

127.0.0.1 www.symantec.com

127.0.0.1 www.sophos.com

Now you'll get an error whenever you try to access these antivirus sites.

To fix the file, you can delete everything in it except the Localhost listing. If that line is missing, create a simple text file with only one line�127.0.0.1 localhost�and save it as the file name "hosts" (no file extension) to the same folder.

Note that you can also use the hosts file to block unwanted sites, by adding the site address to the list and redirecting it to Localhost.

Anti-Malware Security

Identify Nasties

Many malicious programs, and even some well-meaning ones, add junk to the start-up folder. Memory clutter is one of the main causes of slow booting, slow running, and general system instability. The more things load at start-up, the slower the boot process, and the less room later for other programs.

Run MSConfig. The System Configuration Utility lets you edit the programs that Windows loads at boot time. Click on Start | Run, type in msconfig, and hit Enter. Use the Startup tab to enable or disable all or individual files. Disabling all files can be used to narrow down a problem. In most cases, disabling all start-up items will allow Windows to boot cleanly, after which you can add back files, such as the user interface for antivirus and firewalls that run at boot time. Important note: If you're using MSConfig, be careful not to make any changes in the Services tab.

Use a Start-Up Manager. A start-up manager such as Absolute Startup (go.pcmag.com/absolutestartup) or our own Startup Cop Pro (go.pcmag.com/utilities) gives you much more control over which apps can run at start-up.

Identify bad files. How can you tell which start-up files are good and worth keeping? Many times you can get an idea of what a file is by looking at the Command or Location column in MSConfig. The command is the executable file and command line string used to start a file. The location shows where the command is executed from, usually a Registry key or the Windows Startup folder.

If that doesn't work, visit www.sysinfo.org and check its database to determine whether a file is required or associated with the system, with applications, or with malicious code.

You can also search for the filename on Google. The results often include a definition from AnswersThatWork.com or the WinTasks Process Library (www.liutilities.com/products/wintaskspro/processlibrary). WinTasks can also help you sort out processes in the Windows Task Manager. The PC Magazine Premium Utility TaskPower provides similar functionality.

Once you've ID'd a file, you can enable or disable it. When you're done, click OK (or Apply and OK). Windows will ask you to reboot, and then it'll display a warning box that tells you it's using selective start-up. Clicking OK launches MSConfig again. You can bypass this by clicking the Don't show this again option.


Anti-Malware Security

Picking Up the Pieces

Spyware removers don't always clean out all the fragments of everything they delete.
Web Resources for Getting Rid of Malware

Not to worry. The basic issue is whether there's anything left that can run, and most often, there isn't. But for those who like a system scrubbed really clean, a spyware removal tool can get you to the point where you can search manually for and remove the remainder. It's easier if the fragments are stored in well-named Registry keys and directories, but if the program hides in the Windows System directory, detection is harder.

Do another scan. Scan with another program. The second scan may flag fragments as proof that the malware isn't gone, but that will help you locate and remove them. As long as you are careful to run only one resident scanner at a time, you should see no conflicts.

Mobile Security
11.02.05
Kiosk Safety


Stay Cool at Hot Spots

Surfing the Web at your local coffeehouse is great, but the guy sitting a few seats away could be surfing your laptop, downloading personal or corporate data. Public wireless hot spots often let hackers store and retrieve data with relative ease. You need to do two things:

Disable file sharing. In Windows XP, open Control Panel and select Network Connections. Right-click on the wireless adapter and select Properties. On the General tab, scroll the list of items the adapter uses and uncheck File and Printer Sharing for Microsoft Networks.

Use a personal firewall. Use a product that supports security zones, such as Norton Personal Firewall or ZoneAlarm. The firewall will sense that you're on a new network and ask you whether you trust the network. You don't.

Mobile Security

Kiosk Safety

Public computers at Internet cafés, libraries, and airports are convenient, but they require heightened vigilance.

Look around. Make sure nobody's able to glance at your screen or keyboard.

Beware of keyloggers. Many public computers are locked down, so no additional software can be installed except by the administrator. But there's a chance a hacker could install a Trojan keylogger to capture keystrokes, and an industrious crook could use a hardware device�such as the KeyGhost Hardware KeyLogger�that connects between the keyboard and PC. The KeyGhost device can be mistaken for part of the normal keyboard cable. If you can, check where the keyboard plugs into the back of the machine to make sure there isn't an extra plug. If there is, find another PC.

Another clever workaround is to click Start | Accessories | Accessibility | On Screen Keyboard and type your password in using the mouse, or type your password with one or more strings of junk in the middle, then delete the junk using the mouse.

Don't tip your hand. We recommend that you avoid typing any sensitive data at public kiosks. Also, don't walk away from the computer while you're logged in. Many sites (such as eBay) set cookies for an online session so if you close the browser and reopen it, you don't have to log on again. If you close the browser and walk away, the next user could pick up where you left off. Microsoft Passport and Yahoo! accounts can also be persistent. If the kiosk has Windows XP, it could ask if you want to associate your Passport account to the Windows XP account. Be sure to say no!

Clean your tracks. Be sure to delete your electronic trail of temporary files, cookies, and surfing history. If you're using Internet Explorer, click on Tools | Internet Options. On the General tab, click on Delete Cookies, Delete Files (and be sure Offline content is checked), and Clear History.

Still in Internet Options, click the Content tab, then click the AutoComplete button. In the resulting dialog box, click the Clear Forms button and the Clear Passwords button.

If you downloaded any documents, delete them too. If you edited any documents, clear the "recently used documents" list. In Windows XP, right-click on the taskbar at the bottom of the screen and select Properties. Select the Start Menu tab; click on Customize | Advanced. Now click on the Clear List button for Recent Documents. Lastly, empty the trash to purge any deleted files.


Mobile Security

Security Is Key

To better protect yourself when using computers other than your own, especially public PCs, carry around a USB memory drive loaded with mobile security tools. We covered several in "The Ultimate USB Key" (go.pcmag.com/ultimateusb).

Use a password manager. Siber Systems' Pass2Go (www.pass2go.com), for example, lets you store all your passwords on the key and fills in log-on forms in IE and Firefox automatically, evading some types of keyloggers. All data can be encrypted with a master password; even if a keylogger captures this password, it's of little use without the physical key.

Scan before you surf. Antivirus and antispyware apps that run from the key can make sure that the system is clean before you use it. Just make sure to update these tools' definitions before scanning.

Keep your apps to yourself. Self-contained versions of apps like Firefox and Open-Office.org, ported by John Haller (www.johnhaller.com), let you surf the Internet and edit your documents without touching the host PC's browser or office suite.

P.I. Protector Mobility Suite 3.0 (go.pcmag.com/piprotector) lets you keep your e-mail on the USB key, and while the protector is running, all of your temporary files also reside on the key. When you shut it off and pull out, no trace is left. The new U3 Smart Drive keys make running apps like these even easier.

Bring your own OS. Note that some mobile apps do create temp files on the host system's hard drive. If the app crashes, there's a chance it may not have cleaned up properly. For even greater protection, there are versions of Linux that can run off a USB key, and the Knoppix distribution of Linux runs off a CD. If you can boot to the key, any threats that may be lurking on the host's hard drive will never see your data.

Powerful Passwords
11.02.05
Passwords


Most PCs and lots of personal data, such as bank records and Web mail access, are guarded only by a username and password. Usernames are fairly easy to guess and often pre-filled in, so you need to make sure your passwords are strong�not easily guessed or cracked by "dictionary" attacks that throw millions of letter combinations at the dialog. Many of the most widespread Internet worms have built-in dictionaries of common passwords, and once they are running on your system, they can attack your computer and others on your network.

* Don't use any part of your username, full name, address, birth date, and so on. This data is readily available to intruders.
* Don't use English or even foreign words.
* Make sure your password is at least six to eight characters long. In fact, the longer the password, the better.
* Use different kinds of characters in your password. At the very least, your password should contain uppercase letters, lowercase letters, and numbers. If you're comfortable with non-alphanumeric symbols (such as #@!&) or extended ASCII characters (which you can access by holding down Alt and typing on the number pad), use them.
* Change passwords every month to six weeks.
* Don't write your passwords on a sticky note and post it on your monitor.
* If you need to keep a repository of passwords, use a utility like RoboForm Pro (www.roboform.com) that keeps an encrypted list of all your passwords under a single master password. These programs can also generate strong passwords to your specifications.
* Don't recycle old passwords or use the same one for several different applications.
* Use a word you know, but substitute punctuation and numbers for letters. For example, coffee could become C0FF33 and Indiana_Jones could become [email protected]@_j0n3s.
* Use a passphrase�a group of words, as opposed to a single word. If you're a Beach Boys fan, "It's not a big motorcycle, just a groovy little motorbike" might be a good passphrase.

Note that not every security system lets you use passwords this long, or even ones that have embedded spaces. Some e-commerce sites, for example, will allow you only 8- to 12-character alphanumeric passwords. But since Windows 2000, Windows has allowed passphrases with up to 127 characters.

Web Resources for Getting Rid of Malware
11.02.05


The Internet is teeming with threats, but it's also home to hundreds of helpful sites, free software, and real-life volunteers who will help you scan, identify, and get rid of malicious code.

Helpful Sites:

* HijackThis (www.merijn.org) is a free spyware scanner; you can post its logs to www.spywarewarrior.com or SpywareInfo (spywareinfo.com). The friendly experts there will review them and provide detailed, individualized instructions for cleaning your system.
* Scumware.com is a friendly and plain-English site with instructions on how to detect and remove various adware and malware programs.
* MajorGeeks.com has malware information for the more advanced user.

If you're not sure whether a file is malicious, you can upload it to sites such as VirusTotal (www.virustotal.com) and virusscan.jotti.org, each of which uses over a dozen scanning engines to determine the nature of the file. You can also attach a file to an e-mail message and send it to scan @ virustotal.com with the word SCAN as the subject line. You will receive an e-mail report of the scan.

Discussion Forums and Download Resources:

* Wilders Security Forums (www.wilderssecurity.com)
* ComputerCops forums (castlecops.com/forums.html)
* cexx.org Message Boards (boards.cexx.org)

Free Virus Scanners:

* Trend Micro Housecall (housecall.trendmicro.com)
* McAfee Free Scan (us.mcafee.com, registration required)
* Symantec Security Check (security.symantec.com)
* RAV AntiVirus (www.ravantivirus.com/scan)
* Panda ActiveScan (www.pandasoftware.com/activescan, registration required)
* Computer Associates (www3.ca.com/securityadvisor/virusinfo/scan.aspx, download required)
* Avast! (www.avast.com, registration required)
* Kaspersky Antivirus (www.kaspersky.com/scanforvirus, upload required)
* GrisSoft AVG (www.grisoft.com/doc/40/lng/ww)
* Norman Antivirus (www.norman.com , 30-day trial)