Protecting Yourself Online
These days, there are many ways in which your security and privacy may be violated when you're on the Internet. I've tried to order them most serious first. However, you should really consider all of them. They're all relatively easy to solve, or at least make difficult enough on the prospective hacker that he'll simply go to someone else's system.
Disclaimer: use the following at your own risk. Following the suggestions
below will not guarantee your computer system will be secure. The following
suggestions are provided only as indications of some, but not all, areas
of security and privacy you should consider.
Note on endorsements below: I'm not making any money off the hardware or software
I recommend below. If you're looking for
a quick and easy way to solve your problem, the thing I point you to will probably work.
There are free alternatives sometimes, and I try to point those out as well.
Most Severe Security and Privacy Problems
No Firewall
Many people sign up for Cable Modem or DSL, but place their system directly onto the public Internet without a firewall. This will definitely place your system at risk. Even those using normal dialup modem access are at risk while they're connected (people with cable or DSL are worse off, because it's an always-on connection). There are both software and hardware solutions to this problem. ZoneAlarm (software) has both free and pay versions; most software solutions will run you $30-40, and a hardware box will run $60-100. Hardware is the way to go. You simply stick it between your modem and your computer. If you want the simplest recommendation, go buy a Linksys BEFSR41. It's cheap and popular, and I can help you configure it once you buy it. The NetGear RT314 is similar.
No Virus Scanner
Viruses are one of the worst problems these days for computers on the Internet. If you're not running a virus scanner AND paying for the subscription to keep it up to date, your system is at risk. Anyone that receives e-mail, looks at web pages, or downloads files is at risk. Virus scanners typically run $30 per year. There are some freeware alternatives. My recommendation: McAfee's VirusScan Online. I've been using it for years, and it's caught several problems. My company uses Symantec's Norton Antivirus, which is as good or better. There are a number of other good choices; just pick one, install it, and keep it up to date. (Note: I like Norton because it updates silently and automatically; McAfee nags you every time there's an update. I submitted this as Obvious McAfee Product Improvement #1, but got the runaround. Maybe they'll figure it out on their own.)
File Sharing Turned On
If you have Windows File Sharing turned on, you risk serious exposure, especially if you have one or more of the problems above. With File Sharing turned on, your data may be easily exposed to anyone trying to view it. Here's an article describing how to turn off File and Print Sharing in Windows for Windows 98, and another for Windows XP.
802.11b Access Point Not Secured
When you buy an 802.11 access point to enable wireless in your house, by default it comes unsecured. This means that anyone within radio range can get onto your home network. If you've got File Sharing turned on, rest assured that your neighbors, or anyone else that drives down your street with a laptop, can get to your data. (Don't believe me about the drive-bys? Take a look at wigle.net, it should scare the sh*t out of you if you have an unsecured access point. Your access point WILL be discovered and registered, it's only a matter of time.)
At the very least, you should assign a WEP key to your access point. This is a sort of password that any client needs to be able to get onto your wireless network. You will, of course, have to configure all of your clients with the same WEP key, so they can get access to your wireless network. In addition, some access points have the ability to limit which MAC addresses (a fancy name for the unique identifier each network card has) are allowed onto the wireless network. This is a useful additional layer of protection. Note, though, that both of these methods are crackable, and as long as you have an access point on your home network, you're somewhat exposed. Having both of these restrictions in place is probably enough to deter the vast majority of hackers; they'll probably just move on to your neighbor, which is good enough. Still, if you're concerned, unplug it if you're not using it.
No Regular Windows Updates
Many of the products here must be updated frequently to maintain their effectiveness. Examples: your virus scanner, ad blocker, and spyware detector. In addition, Microsoft frequently patches huge holes in its operating system and browser via windowsupdate.microsoft.com. I have set it up to automatically accept and install any critical patches. Right-click on 'My Computer' on the desktop, and go to the 'Automatic Updates' tab to set the options. If everybody would enable this automatic update capability, the impact of viruses and worms would be drastically reduced.
Serious
Spyware Made Its Way Onto Your System
'Spyware' programs are programs that get installed on your computer, usually with your permission behind some other harmless-sounding reason, that track your surfing habits and/or data entry. This data could include personal information such as web sites you visit, your address, credit card numbers, or social security number. Your best bet is to install an anti-Spyware program such as the excellent freeware SpyBot. Run it frequently, let it fix whatever problems it finds, and update it frequently. If you like it, give a little. (Note that the f8ster is a cheapskate and only gave them $5, even though they probably deserved more, but I figured if everybody gave $5 they'd be doing quite well. They're doing good things, it's worth it. Go give 'em a couple bucks so I don't feel so guilty. It really is a great program.)
Your Surfing Habits Tracked in Other Ways
Especially today, with the Government far more interested in tracking online
activity, anonymous browsing suggests itself as a solution to what looms as a
serious privacy issue every American should consider. One solution: Products
offered at www.anonymizer.com.
One product/solution package sold at Anonymizer includes ZoneAlarm Pro.
Sensitive Hard Disk Data Not Encrypted
When practical, you should also encrypt any local data, especially sensitive information such as financial data (e.g. Quicken files), password files, etc. This way, if someone does gain access to your system, your data will still be encrypted, making it more difficult to get to. Some operating systems make this really easy. Here's an article from Microsoft explaining how to turn on encryption on NTFS volumes. If your drive is not NTFS, there are other third-party apps to do it. One such is Jetico's BestCrypt, which I haven't tried.
Deleted Files Not Really Deleted
You wouldn't think of throwing out sensitive documents without cross-shredding them first, right? [Note: if you're not cross-shredding things like pre-approved credit card applications, old bank statements, etc. before you throw them out, we have a term for you: Identity Theft Victim.] The same logic applies to your computer data: when you delete something through Windows, it's not really gone, even if you empty the Recycle Bin. It's often trivial to recover that data.
One way to avoid this is to use a file shredding program, like Jetico's
BCWipe for Windows. This is an excellent
$40 product, the best one I've tried. Here's a couple examples:
BCWipe is quite complete, and can provide military grade data destruction. Note: don't forget that you've also backed up the data you're shredding. [You are doing backups, right? *Sigh* OK, that's the next section, I guess. :)]
Important Data Not Backed Up
Someone once told me: "there are two kinds of people in this world: those who have lost data, and those who will." If you're serious about protecting your system, you should at least back up your data, if not your whole system. There are many schools of thought around backups; I'm not going to bother to go through them all here. Here's what I did: I bought a big 100GB drive, installed it as my D: drive, and I use the Windows Backup utility included with Windows XP to back up the important stuff from the C: drive of all my other computers to it. (Note: the Windows Backup utility does not get installed by default for Windows XP Home users; you can find it in the \addins directory on your XP Home CD.) I try to keep everything under the 'My Documents' folder someplace, then I back that up.
Passwords Not Properly Managed
If you're like me, you have at least 100 accounts, everywhere from Amazon.com to Yahoo!. And, you need to keep track of all those passwords. Well, you gotta have some way to manage them. The truly security conscious will tell you that all 100 passwords should be different, and you should never write them down, and they should be hard to guess. Well, sorry, no human can do that, so a good secure password manager is in order. I recommend Password Agent. They have a free version, but it'll only hold up to 25 entries per file (yes, you can have multiple files, but the unlimited version's only $15). It stores them all encrypted, protected with your master password.
Sensitive Data Sent Via E-Mail
E-mail you send is typically sent in cleartext -- that is, your message is not encrypted. There are several places along the way where your messages could easily be intercepted and read by hackers. There are a couple solutions to this problem. One is to consider something like PGP. Some mailers (like Outlook and Outlook Express) also support e-mail encryption natively. You'll need to obtain a digital certificate from someplace like Thawte (free), and you'll need to trade public keys with anyone you want to correspond with via encrypted e-mail. See this tutorial for an example of how to set this up from Outlook Express.
Sensitive Data You Just Handed Out (What Were You Thinking?)
Here are some fairly obvious things, but they bear repeating here:
Annoying (and Sometimes Serious)
Spam
Please see my related article on spam for a great solution to the problem. Also, consider free throwaway e-mail accounts when you sign up for things online. Use it until it starts to get spam, then throw it out and get another. Yahoo! and Hotmail are two popular places to go. Don't give out your 'real' e-mail address to anyone but friends. Come to think of it, if you don't want spam, don't give it out to anyone, ever. :)
Popups, Banner Ads, Cookies, and Other Web Flotsam
I use AdSubtract Pro ($30) for popup control. It installs itself as a local proxy server. Some have complained about possible performance problems, but I haven't had any. It provides control over cookies, popup windows, and banner ads. It'll also clean up temp files and browser history if you want. It's pretty good overall. There's also a free version with fewer features. Other popup solutions include using Mozilla or Opera as your browser -- both have security settings to disallow unwanted popups. Update: the new toolbar from Google (toolbar.google.com) has basic popup blocking, and it works great -- I've dumped AdSubtract in favor of this solution.
Other References