But that’s not true, and the reality is more complicated. You’re
screwed if you do nothing to protect yourself, but there are many
things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations.
The idea was to give home users concrete actions they could take to
improve security. This is an update of that list: a dozen things you
can do to improve your security.

General

Turn off the computer when you’re not using it, especially if you have an "always on" Internet connection.

Laptop security

Keep your laptop with you at all times when
not at home; treat it as you would a wallet or purse. Regularly purge
unneeded data files from your laptop. The same goes for PDAs. People
tend to store more personal data – including passwords and PINs – on PDAs
than they do on laptops.

Backups

Back up regularly. Back up to disk, tape or CD-ROM.
There’s a lot you can’t defend against; a recent backup will at least
let you recover from an attack. Store at least one set of backups
off-site (a safe-deposit box is a good place) and at least one set
on-site. Remember to destroy old backups. The best way to destroy CD-Rs
is to microwave them on high for five seconds. You can also break them
in half or run them through better shredders.

Operating systems

If possible, don’t use Microsoft Windows.
Buy a Macintosh or use Linux. If you must use Windows, set up Automatic
Update so that you automatically receive security patches. And delete
the files "command.com" and "cmd.exe."

Applications

Limit the number of applications on your
machine. If you don’t need it, don’t install it. If you no longer need
it, uninstall it. Look into one of the free office suites as an
alternative to Microsoft Office. Regularly check for updates to the
applications you use and install them. Keeping your applications
patched is important, but don’t lose sleep over it.

Browsing

Don’t use Microsoft Internet Explorer, period. Limit
use of cookies and applets to those few sites that provide services you
need. Set your browser to regularly delete cookies. Don’t assume a Web
site is what it claims to be, unless you’ve typed in the URL yourself.
Make sure the address bar shows the exact address, not a near-miss.

Web sites

Secure Sockets Layer (SSL) encryption does not
provide any assurance that the vendor is trustworthy or that its
database of customer information is secure.


Think before you do business with a Web site. Limit the financial and
personal data you send to Web sites – don’t give out information unless
you see a value to you. If you don’t want to give out personal
information, lie. Opt out of marketing notices. If the Web site gives
you the option of not storing your information for later use, take it.
Use a credit card for online purchases, not a debit card.

Passwords

You can’t memorize good enough passwords any more, so don’t bother. For
high-security Web sites such as banks, create long random passwords and
write them down. Guard them as you would your cash: i.e., store them in
your wallet, etc.

Never reuse a password for something you care about. (It’s fine to have
a single password for low-security sites, such as for newspaper archive
access.) Assume that all PINs can be easily broken and plan
accordingly.


Never type a password you care about, such as for a bank account, into
a non-SSL encrypted page. If your bank makes it possible to do that,
complain to them. When they tell you that it is OK, don’t believe them;
they’re wrong.
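An added example, not from the article, that applies the two rules above together: the Browsing section's "exact address, not a near-miss" and this section's "never type a bank password into a non-SSL page". It reads the host from a URL the way the address bar does and accepts a password only for an exact host match over https. The host www.mybank.example and the sample addresses are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit


def address_bar_host(url: str) -> Optional[str]:
    """Host the browser will actually connect to. urlsplit drops any port
    and lower-cases the host, so only the real authority remains."""
    return urlsplit(url).hostname


def is_exact_site(url: str, expected_host: str) -> bool:
    """True only when the host is exactly the one you meant to visit:
    no extra labels on either side and no look-alike spelling."""
    host = address_bar_host(url)
    return host is not None and host == expected_host.lower()


def ok_to_type_password(url: str, expected_host: str) -> bool:
    """The two conditions the text sets for a bank password: the exact site, over SSL."""
    return urlsplit(url).scheme == "https" and is_exact_site(url, expected_host)


# Constructed sample addresses (not real sites); the bank you meant to visit is www.mybank.example.
EXPECTED = "www.mybank.example"
SAMPLES = [
    "https://www.mybank.example/login",                 # exact address, SSL: fine
    "https://WWW.MyBank.example:443/login",             # same host, different case and explicit port: fine
    "http://www.mybank.example/login",                  # exact host but no SSL: do not type a password
    "https://www.mybank.example.login-check.example/",  # near-miss: one label too many on the right
    "https://secure-mybank.example/",                   # near-miss: look-alike name
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{str(address_bar_host(url)):<40} password_ok={ok_to_type_password(url, EXPECTED)}")
```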

E-Mail

Turn off HTML e-mail. Don’t automatically assume that any e-mail is from the "From" address.

Delete spam without reading it. Don’t open messages with file
attachments, unless you know what they contain; immediately delete
them. Don’t open cartoons, videos and similar "good for a laugh" files
forwarded by your well-meaning friends; again, immediately delete them.


Never click links in e-mail unless you’re sure about the e-mail; copy
and paste the link into your browser instead. Don’t use Outlook or
Outlook Express. If you must use Microsoft Office, enable macro virus
protection; in Office 2000, turn the security level to "high" and don’t
trust any received files unless you have to. If you’re using Windows,
turn off the "hide file extensions for known file types" option; it
lets Trojan horses masquerade as other types of files. Uninstall the
Windows Scripting Host if you can get along without it. If you can’t,
at least change your file associations, so that script files aren’t
automatically sent to the Scripting Host if you double-click them.
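An added example, not from the article, of why the "hide file extensions" option matters: it shows what Explorer displays for an attachment name with the option on, and triages a constructed inbox the way the text advises, deleting anything that would run as a program, including files dressed up with a second, data-looking extension. The extension lists and sample names are constructed for the example and not exhaustive.

```python
import os

# Extensions Windows runs directly (programs or scripts). Constructed, non-exhaustive list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif",   # programs
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",    # handed to the Windows Scripting Host
}
# Extensions a "good for a laugh" attachment is typically dressed up as.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc", ".avi", ".mpg"}


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Name as Explorer lists it: with the option on, the final (known) extension
    is dropped, so 'cartoon.jpg.exe' appears as 'cartoon.jpg'."""
    stem, ext = os.path.splitext(filename)
    return stem if hide_known_extensions and ext else filename


def classify_attachment(filename: str) -> str:
    """'data' for ordinary files, 'executable' for plain programs or scripts, and
    'masquerade' for an executable whose name carries an inner data-looking extension."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in EXECUTABLE_EXTENSIONS:
        return "data"
    inner_ext = os.path.splitext(stem.strip())[1]
    return "masquerade" if inner_ext in DATA_EXTENSIONS else "executable"


def attachments_to_delete(filenames):
    """Triage an inbox's attachments: everything that would run as a program is deleted unread."""
    return [f for f in filenames if classify_attachment(f) != "data"]


# Constructed sample attachment names, not taken from any real mail.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "holiday.jpg",
    "funny-cartoon.jpg.exe",
    "video.avi.scr",
    "greeting.vbs",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"shown as {displayed_name(name):<20} real name {name:<24} {classify_attachment(name)}")
```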

Antivirus and anti-spyware software

Use it – either a
combined program or two separate programs. Download and install the
updates, at least weekly and whenever you read about a new virus in the
news. Some antivirus products automatically check for updates. Enable
that feature and set it to "daily."

Firewall

Spend $50 for a Network Address Translator firewall
device; it’s likely to be good enough in default mode. On your laptop,
use personal firewall software. If you can, hide your IP address.
There’s no reason to allow any incoming connections from anybody.

Encryption

Install an e-mail and file encryptor (like PGP).
Encrypting all your e-mail or your entire hard drive is unrealistic,
but some mail is too sensitive to send in the clear. Similarly, some
files on your hard drive are too sensitive to leave unencrypted.

None of the measures I’ve described are
foolproof. If the secret police wants to target your data or your
communications, no countermeasure on this list will stop them. But
these precautions are all good network-hygiene measures, and they’ll
make you a more difficult target than the computer next door. And even
if you only follow a few basic measures, you’re unlikely to have any
problems.

I’m stuck using Microsoft Windows and Office, but I use Opera for
Web browsing and Eudora for e-mail. I use Windows Update to
automatically get patches and install other patches when I hear about
them. My antivirus software updates itself regularly. I keep my
computer relatively clean and delete applications that I don’t need.
I’m diligent about backing up my data and about storing data files that
are no longer needed offline.

I’m suspicious to the point of near-paranoia about e-mail
attachments and Web sites. I delete cookies and spyware. I watch URLs
to make sure I know where I am, and I don’t trust unsolicited e-mails.
I don’t care about low-security passwords, but try to have good
passwords for accounts that involve money. I still don’t do Internet
banking. I have my firewall set to deny all incoming connections. And I
turn my computer off when I’m not using it.

That’s basically it. Really, it’s not that hard. The hardest
part is developing an intuition about e-mail and Web sites. But that
just takes experience.

Biography

Bruce Schneier is one of the world’s foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."