A Bad Thing Happened on the Way to Work Today….

Well, actually, it happened after I’d been at my desk for a few minutes. My wife called me and said she thought that we had a virus because we had a bunch of e-mails from one of our accounts with spam in them. Now, we have never had a virus before, and we have antivirus software from McAfee currently installed, but when I checked our e-mail accounts, it did in fact look like it had come from our e-mail address. Worse, it was also sent to a handful of people that were in our address book.

Quickly I did some research on Google. After looking around I determined that our GMail account from Google had been compromised. Apparently somebody from a Chinese IP address had logged into my GMail account with the valid password through the web interface and sent a single spam e-mail to everyone in our Google address book. Luckily we don’t use the web interface with GMail, opting instead for their IMAP access so we can use Windows Live Mail, so we only had a handful of addresses in the address book, added there automatically the handful of times we had used the web interface.

From all of this I deduced that our bad security practices had come back to haunt me. What bad security practice? The practice of using the same username and password (or a slight variation) on every website we register on. Now I’ve known this was risky for a long time but I didn’t see an easy way to avoid it. A person can only remember so many username / password combinations. Even with our slight variations, it was often difficult to remember which combination we used when we had to log onto a site we rarely visited.

Immediately I changed the password on our compromised GMail account. After that I did some research on what the best way is to manage security in our increasingly complicated digital world. Here’s what I found out.

I found an article written by the Software Engineering Institute at Carnegie Mellon University. The article at the top states that it is no longer being updated but I found the information that it contained to be top-notch and definitely worth every home computer user’s time to read. You can find it here: http://www.cert.org/homeusers/HomeComputerSecurity/

I’ll give you the Reader’s Digest Version.

There are 9 things a home user should do to protect their digital security:

1. Install and Use Anti-Virus Programs – Every computer should have an antivirus program. Honestly, I feel like this is the last line of defense against viruses, as you’ll see further down this list. Anti-Virus companies are in a cat-and-mouse game with virus makers. They’ll usually protect you once a virus is known, but if you’re one of the unlucky few that are the first to get it, there’s nothing your anti-virus program can do for you. Anti-Virus programs for years tended to be expensive and you had to re-purchase them every so often to continue to be protected. Now we have many options that are free, or at least free for home use. Here are a couple:

Microsoft Security Essentials – I really like this program. I used to pay for Microsoft’s previous product called “One Care” which was a complete security package. Microsoft has scaled back and now provides the anti-virus portion of it free of charge. It seems to be good quality and light-weight so your computer doesn’t grind to a halt once it’s installed.

AVG – AVG is a commercial virus protection product that has a free version for non-commercial home use. I used it for a short time and it seemed to work well. My only complaint was that it required a reboot every time it updated virus definitions but I believe this is no longer the case. It’s a very good product backed by a good security company.

Avast – Avast is also a large security company that provides a free version of its antivirus for home use. I’ve never used Avast but I hear good things about it.

ClamAV – This is an antivirus program made for the Linux operating system but it also now has a version for Windows. It’s Open Source and free of charge, though you can purchase a certified version, which is basically a way to give the developers money for their efforts. I’m not sure how reliable ClamAV is, but if you’re looking for something for Linux especially, it’s one of the few choices out there. It’s also available for Mac OSX.

And yes, you Mac users need to think about antivirus programs too. “Apple is now recommending that Mac users install anti-virus software to help users secure their systems.” That article lists ClamAV, Symantec, McAfee, and Intego as options for OSX.

2. Keep Your System Patched – The fight against the bad guys is cat-and-mouse. Operating systems are extremely complex pieces of software and there is a major balance between making the OS secure and making it easy to use. When a vulnerability is found, Microsoft, Apple, and the Linux distributions work extremely quickly to close off the hole. Nevertheless, if you don’t patch your system, it does you no good whatsoever. If you’re on Windows, make sure you’re set up to update automatically. Linux will also give you a prompt (nearly every day) when it has updates for you to download and install. I don’t know Macs well, but I’m sure they have an automatic update feature as well. Make sure your system is always up-to-date with the latest patches.

3. Use Care When Reading Email with Attachments – This is the biggest thing you can do to keep from getting a virus. Don’t open up an attachment that you know nothing about. The article gives you some guidelines:

  • The Know test: Is the email from someone that you know?
  • The Received test: Have you received email from this sender before?
  • The Expect test: Were you expecting email with an attachment from this sender?
  • The Sense test: Does email from the sender with the contents as described in the Subject line and the name of the attachment(s) make sense? For example, would you expect the sender – let’s say your Mother – to send you an email message with the Subject line “Here you have, ;o)” that contains a message with attachment – let’s say AnnaKournikova.jpg.vbs? A message like that probably doesn’t make sense. In fact, it happens to be an instance of the Anna Kournikova worm, and reading it can damage your system.
  • The Virus test: Does this email contain a virus? To determine this, you need to install and use an anti-virus program. That task is described in Task 1 – Install and Use Anti-Virus Programs.
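The Know, Received and Sense tests above can be applied mechanically to a message before anyone double-clicks an attachment. The following is an added example, not code from the post or from the CERT article: it parses a constructed message modelled on the post’s AnnaKournikova.jpg.vbs case with Python’s standard `email` module, checks the sender against an address book and a set of prior correspondents, and flags attachments whose real extension is one Windows runs as a program, including the double-extension trick where a decoy like .jpg hides the .vbs. The extension lists and the sample message are constructed for the example.

```python
import email
import email.utils
import os
from email import policy

# Extensions Windows runs as programs when double-clicked (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Harmless-looking extensions used as a decoy in front of an executable one.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def screen_attachment(filename):
    """Sense test on a filename: returns the reasons it fails, [] if it passes."""
    reasons = []
    stem, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        inner = os.path.splitext(stem)[1]  # the extension hidden in front of the real one
        if inner in DECOY_EXTS:
            reasons.append(f"double extension: looks like {inner} but runs as {ext}")
    return reasons


def attachment_names(raw_message):
    """Filenames of every MIME part the message presents as an attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def screen_message(raw_message, address_book, prior_senders):
    """Apply the Know, Received and Sense tests; returns the failures found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    findings = []
    if sender not in address_book:
        findings.append(f"Know test: {sender} is not in the address book")
    if sender not in prior_senders:
        findings.append(f"Received test: no earlier mail from {sender}")
    for name in attachment_names(raw_message):
        for reason in screen_attachment(name):
            findings.append(f"Sense test on {name}: {reason}")
    return findings


# Constructed message modelled on the post's example; the attachment body is just "foo".
SAMPLE = """\
From: Mom <mom@example.com>
To: me@example.com
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Hi, check this out!
--sep
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: base64

Zm9v
--sep--
"""

if __name__ == "__main__":
    # Even with a known, frequent sender the Sense test still fails on the attachment.
    for finding in screen_message(SAMPLE, {"mom@example.com"}, {"mom@example.com"}):
        print(finding)
```

Note that the sender checks pass in the usage above because the address is in both sets; the point of the Sense test is that a worm mailing itself from an infected friend’s address book passes Know and Received and is caught only by the attachment name.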

4. Install and Use a Firewall Program – A firewall is a program that limits what programs are allowed to talk to the internet. Windows has had a built-in firewall since XP Service Pack 2. It’s effective for the most part, but in XP it is only one-way, that is to say, it keeps people from connecting to your computer from the internet but doesn’t keep programs on your computer from contacting computers on the outside. In Vista and Windows 7 they have made it two-way. If you have XP, you’ll want to get a different firewall program to use. There is only one that I know about that is free of charge: ZoneAlarm is good and effective and works on XP.

Apple also has a built-in firewall in OSX, and if you’re a Linux user, ipchains works, but it’s not for the faint of heart. I’m sure there are other options out there as well.

5. Make Backups of Important Files and Folders – Computers will fail. Your hard drive will fail. Windows machines, Apple machines, Linux machines, they will all fail someday. You can count on it. Now that we rely more and more on digital cameras, online accounting software, and so forth, that failure is even more critical when it happens. So you HAVE to make backups. The easiest way to do backups is to go and buy an external hard drive and have the computer automatically copy your data files over every so often. Make sure it’s automatic so you don’t have to try and remember. All three operating systems have built-in ways of doing automatic backups.

Now if you really want to be safe, you have to make sure you have a copy of your backups offsite, or in other words, not in the same location as your computer. It does you no good to keep the backup hard drive in the laptop case, because if it gets stolen at the airport, your backups are gone as well. I use a program called Carbonite. It runs in the background on your computer and automatically encrypts the files that you want to back up and uploads them to a server. Now I would do this in addition to the hard drive backup. A full restore from Carbonite could take a week, so it’s kind of a backup to your backup should the worst happen. It’s not free, but it’s cheap enough to make it worth it.

6. Use Strong Passwords – This was my biggest issue. The article lists 4 things in making a strong password:

  • The Strong test: Is the password as strong (meaning length and content) as the rules allow?
  • The Unique test: Is the password unique and unrelated to any of your other passwords?
  • The Practical test: Can you remember it without having to write it down?
  • The Recent test: Have you changed it recently?

Our problem was mostly that they weren’t unique. Somebody either had access to our e-mail address and password on a website somewhere, or broke into a very low-security site, and from that had my GMail logon information.

Now the problem is how to manage all of these passwords that are long, unique, and strong. The only way I can do that is with a password management program. There are 2 that are the most common out there:

KeePass is an Open Source program that manages your passwords and will even generate random passwords for you. It runs on your computer and there are plugins that make it easier to use on your system. It’s free and it works. It’s not as polished but the price is right.

RoboForm has the most features and is very popular. It has a toolbar directly in your web browser that lets you easily grab the password for the site that you’re trying to log onto. It’s very slick and easy to use. The cost is $40 per computer.

Which one did I pick? KeePass, because I’m kind of cheap that way. With 3 computers in the house that use the web, $40 a pop was more than I wanted to spend.
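Two of the article’s four tests, Strong and Unique, are the ones a password manager automates, and the Unique test is exactly what the “same password with a slight variation” habit fails. The following is an added example, not code from the post, the CERT article, or KeePass: it generates passwords from the OS random source the way a manager’s generator does, estimates entropy for the Strong test, and audits a vault for passwords that are identical or a few edits apart for the Unique test. The sample vault and the “few edits apart” threshold are constructed for the example.

```python
import itertools
import math
import secrets
import string

# Alphabet a password generator draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG, as a manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimated_entropy_bits(password):
    """Strong test: length * log2(size of the character classes used).

    Exact for a uniformly generated password; for a human-chosen one it is
    only an upper bound, since names and dates are far from uniform."""
    classes = [
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def edit_distance(a, b):
    """Levenshtein distance (number of inserts/deletes/substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def related(p1, p2, max_distance=3):
    """Unique test: identical, a few edits apart, or one contained in the other."""
    a, b = p1.lower(), p2.lower()
    if edit_distance(a, b) <= max_distance:
        return True
    shorter, longer = sorted((a, b), key=len)
    return len(shorter) >= 6 and shorter in longer


def find_reuse(vault):
    """Return the site pairs whose passwords are the same or slight variations."""
    return [(s1, s2) for s1, s2 in itertools.combinations(sorted(vault), 2)
            if related(vault[s1], vault[s2])]


# Constructed sample vault showing the reuse habit described in the post.
SAMPLE_VAULT = {
    "gmail": "Fluffy2009!",
    "forum": "fluffy2009",
    "bank": "x9#Qw2!pLr7&Vz",
}

if __name__ == "__main__":
    print("reused or related:", find_reuse(SAMPLE_VAULT))
    fresh = generate_password()
    print(fresh, f"about {estimated_entropy_bits(fresh):.0f} bits")
```

The entropy figure is what makes the “Strong” test concrete: a 20-character password over 94 symbols gives about 131 bits, which is why a generated password never has to be memorable, while the audit shows how a forum password one edit away from the GMail one is effectively the same secret.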

7. Use Care When Downloading and Installing Programs – Downloading and installing a program is the quickest way to put something nefarious on your computer and could potentially bypass all of your other well thought-out security. Here’s a list (from the article) on making sure what you download is safe:

  • Learn as much as you can about the product and what it does before you purchase it.
  • Understand the refund/return policy before you make your purchase.
  • Buy from a local store that you already know or a national chain with an established reputation.

If it’s free, always look at it with suspicion. The company has to make money somewhere, and if it’s free then there’s probably some malware or virus included. Be especially careful of things like screensavers, font packages, and smileys or “fun” little doodads. And for heaven’s sake, don’t let your kids download this crap. What seems fun can quickly bring your computer to its virus-infected knees and you’ll find yourself formatting the hard drive and reinstalling everything (or worse, paying for someone else to do it).

I’d also like to mention file sharing. There’s nothing wrong with file sharing in and of itself. There are a lot of legitimate things to download via peer-to-peer (P2P) networks. But they’re also the way that a lot of people download illegal media and programs. Don’t use P2P unless you know what you’re downloading and it’s from a reliable website. Never use it to download illegal software especially. These programs are often rebuilt so that they not only allow the software to be installed on the computer without paying for it but also install viruses and malware as well. If you think about it, the kinds of people that create the ability to steal software are also the kinds of people that would have no problem whatsoever with using viruses as well. Just don’t do it. If you want a software program, save up your money and buy it or find a legitimate free or Open Source alternative.

8. Install and Use a Hardware Firewall – Luckily these are now being included on nearly all High Speed Internet modems and routers, but you have to make sure they are turned on and have a good password. Leaving the modem password at its default allows anyone to go in and change the configuration to something more favorable to them.

While on this subject, I’d like to add something that wasn’t mentioned in the article. Wireless routers are very popular now because they allow all the computers in the house to have easy access to the internet. Unfortunately most people plug them in, see that they can get on the internet and then forget about them. All wireless routers need to have security/encryption enabled. Otherwise any one of your half-dozen neighbors has clear entry to use your internet and your network, and has access to your computers. Even someone parked around the corner could use your internet service or your network. If they’re doing something illegal, it’ll be your door that the police will come knocking on. Always use the highest form of security offered. WEP is the least secure, so don’t use it unless it’s your only option. Use WPA2 if you have it, or WPA if you don’t.

9. Install and Use a File Encryption Program and Access Controls – This is something I wasn’t doing all the way either. When it talks about “access controls”, this means only giving access to the files on your computer to the people that you want to have access. If you have Windows Vista or 7, use UAC, which is turned on by default. This makes sure that if a program is installing or changing system settings, it tells you first and has you put in your password or at least click “OK” to acknowledge it. If you’re not making the changes yourself or installing a program when it pops up, then it’s OK to click “Cancel”.

Second, make sure your computer hard drive is encrypted. This is extremely important with laptops because they are mobile. If your hard drive is encrypted then someone else can’t get the information off of it (i.e. bank account information, contacts, pictures, passwords, etc.) without the password. Even if they take the hard drive out and put it in a different machine, they won’t be able to access the information. It will look like completely random data.

There are a couple of options for encrypting your hard drive. If you happen to have Vista Enterprise or Ultimate or Windows 7 Enterprise or Ultimate, there is a program called BitLocker that will do the encryption for you. If you’re unsure of how it works, it’d be a good thing to have someone help you or have a computer shop do it for you.

An Open Source alternative is a program called TrueCrypt. This program is fairly straightforward to use. You can create an encrypted section where you just store your sensitive information, or you can encrypt your entire hard drive. This is the one I opted for because I really didn’t want to shell out for Windows 7 Ultimate. This isn’t hard to set up, but if you’re unsure, it’s a good idea to get help from someone who is more comfortable with it. The downside of encryption is that if it’s done wrong, you won’t ever be able to get your data back. Even the NSA would have a hard time doing it.

So that’s it. This is what I’ve learned in the past 2 days. As it turned out, I was doing everything except for numbers 6 and 9 and that was enough to make me vulnerable. Go through these items and make sure you’re good on all 9 so that what happened to us doesn’t happen to you.
