At 11:41 PM -0600 12/14/04, Bruce Schneier wrote:
> Safe Personal Computing
>
> <http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html>
>
> I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."
>
> But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
>
> Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.
>
> General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.
>
> Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.
>
> Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.
>
> Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."
>
> Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.
>
> Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.
>
> Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.
>
> Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.
>
> Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.
>
> Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.
>
> Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
>
> E-mail: Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.
>
> Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.
>
> Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.
>
> Antivirus and anti-spyware software: Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."
>
> Firewall: Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.
>
> Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.
>
> None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.
>
> I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.
>
> I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.
>
> That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.
>
> Others have disagreed with these recommendations:
> <http://www.getluky.net/archives/000145.html>
> <http://www.berylliumsphere.com/security_mentor/2004/12/heres-another-really-good-twelve.html> or <http://makeashorterlink.com/?Z3772560A>
>
> My original essay on the topic:
> <http://www.schneier.com/crypto-gram-0105.html#8>
>
> This essay previously appeared on CNet:
> <http://news.com.com/Who+says+safe+computing+must+remain+a+pipe+dream/2010-1071_3-5482340.html> or <http://makeashorterlink.com/?V6872560A>
-- 
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
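The E-mail section of the quoted essay asks Windows users to show file extensions, remove the Windows Script Host (the product's name for what the essay calls the "Scripting Host") and re-point script file associations. The following read-only audit of those three settings is an added example, not part of Schneier's essay or Hettinga's message; it assumes Windows PowerShell 5.1 or later run as the user whose Explorer settings are being checked.

```powershell
# Added example: audit the three Windows settings the essay's E-mail section mentions.
# Read-only; nothing is changed. Assumes Windows PowerShell 5.1+ on a Windows host.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the named value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. "Hide file extensions for known file types": HideFileExt 1 = hidden, 0 = shown.
$hideExt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
if ($hideExt -eq 0) {
    'OK   Explorer shows file extensions'
} else {
    "WARN Extensions hidden (HideFileExt=$hideExt): a file named report.pdf.exe is displayed as report.pdf"
}

# 2. Windows Script Host: Enabled=0 under this key disables it machine-wide; a missing value means enabled.
$wsh = Get-RegValue 'HKLM:\Software\Microsoft\Windows Script Host\Settings' 'Enabled'
if ($wsh -eq 0) {
    'OK   Windows Script Host is disabled'
} else {
    'WARN Windows Script Host is enabled; double-clicking a script file runs it'
}

# 3. File associations: what does a double-click on each script extension actually launch?
#    The extension's default value names a ProgID; the ProgID's shell\open\command is the launcher.
foreach ($ext in '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh') {
    $progId = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$ext" '(default)'
    if (-not $progId) { "INFO $ext has no file association"; continue }
    $cmd = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" '(default)'
    if ($cmd -match 'wscript|cscript') {
        "WARN $ext -> $cmd (executes the script; the essay suggests associating an editor instead)"
    } else {
        "OK   $ext -> $cmd"
    }
}
```

Per-user overrides under HKCU\Software\Classes are included in the HKEY_CLASSES_ROOT view this script reads, so the result reflects what the current user's double-click actually does.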