I’m paranoid about the web, and with good reason.
The #1 way hackers get into computers today is through the web browser, by way of an infected website. The battle for control of your computer has spread beyond e-mail and attachments: another battlefront has opened up in your web browser. A large number of big-name sites have been hacked recently, and nobody is completely sure just what the hackers made off with. Hackers use DNS spoofing to trick computers into visiting an infected website, so you can’t be completely sure that you ended up on the website you intended to visit. They also buy up common misspellings of big sites’ domain names to catch anyone who makes a typo.
Of course, whenever someone starts talking about a really secure platform, the Mac fanboys jump right in to tell me how secure Apple MacOS is. Never mind that the MacOS/Safari combo gets hacked every year (2007, 2008, 2009, 2010, 2011) during PWN2OWN at CANSECWEST. Never mind that the hackers have now developed a crimeware kit for the Mac, which means Mac users will need to be on the lookout for a deluge of malware from now on.
With so much dangerous malware and so many threats, how do I stay secure online?
Before I go online:
I don’t generally install or use toolbars, apps or helpers, except the NoScript plugin where appropriate. The only active content plugins are the standard Adobe Acrobat, Adobe Flash, QuickTime and Java plugins, and as I previously mentioned, the browser usually runs with plugins disabled. The automatic update features for all of these plugins, for the web browser and for Windows Update are turned on and set to run daily.
Since I run Windows, I enable User Account Control and Data Execution Prevention. Windows 7 has address randomization in the kernel and a number of other security features. If they 0day Chrome, it’s sandboxed, so all they get is the browser tab and they’ll have to work a lot harder to get control of the computer. I have a complete Internet Protection Suite installed, enabled and configured to automatically perform updates at the most frequent interval it permits, about every 4 hours. That’s not nearly fast enough to keep up with the speed at which malware is adapted and released by hackers, and hackers run the malware they produce through the most current version of several Internet Protection Suites before it is released, so even this is no guarantee of protection.
Short of switching to a LiveCD (a Linux distribution that boots from CD) and using virtualization to run a temporary copy of Windows (which I can delete after use), I can’t think of a much more secure posture while using Windows, let alone any other OS.
There really is no ‘perfect’ way to stay protected and there are no magic bullets. Preparation and awareness are the two biggest tools in my arsenal for avoiding computer infections.