Thursday, November 01, 2007

How good is Consumer Reports's security advice? 

Their September 2007 issue has 19 tips for avoiding infections, scams, and identity theft. Their advice is only about protecting yourself online. Remember that your single best defense against identity theft is a shredder.

How good is their advice? Pretty good, though I take issue with a few things. Let's go over it point by point.
1. Turn on built-in protection

They mean things like the firewall in your operating system and the spam blocker in your email program. Good advice, but I have no clue what they mean in the details when they say the Mac firewall is "lacking". They recommend a third-party firewall for Windows called ZoneAlarm, which is good if a little geeky, but recommend that you get it from download.com. Go to zonealarm.com instead. It's usually better to get your software as close as possible to the original source.
2. Use automatic updates

This one's really important and it works. I just heard a guest lecture in a class I'm attending by someone who's studied malicious web pages. He found that browsers that were completely up to date with security patches were immune to all the attacks he found in his research.
3. Upgrade

They're right here too. Vista has some real security improvements over XP, and Firefox 2 is better than Firefox 1.5. But be careful: upgrades can make other things worse.
4. Install a browser toolbar

Ennh. There are a few browser toolbars that are from good guys, but even those have issues. One of them warns you about phishing sites but also transmits your search history to the company that provides the toolbar. That may be OK with you but don't install blindly.
5. Turn off your computer when not in use

No. It makes sense in theory, except that my firewall blocks multiple attacks every minute, so there's no real protection from turning off your computer. Using it at all means you either have an effective firewall or you get attacked.
6. Use public computers with care

They may be infected with programs to steal passwords. That's happened in real life. Beware of checking email from a Wi-Fi hotspot: by default, most email programs log in over the air with an unencrypted password. Anyone else at the hotspot can see that password.
7. Consider a Mac

I'm happy with mine, but Apple hasn't been improving security as fast as Microsoft. Macs are less of a target today, and as my friend Steve Stroh says, "I'll take that!", but all it takes is for criminals to start aiming at Macs and that advantage could disappear overnight.
8. Be careful about downloading free stuff

Yes, but one of the places they listed as a reputable source of free downloads has distributed spyware in the past.
9. Consider a protection suite

Except some of the ones they recommend have poor reputations among people who repair infected PCs, and standalone products can be superior.
10. Run antivirus software

Duh.
11. Run two antispyware programs

That's because none of them come close to 100% detection, which means that two of them together won't catch everything, which means you should avoid downloading electronic junk food anyway.
12. Use disposable email addresses to make spam easier to block

I use Sneakemail addresses for things like product registration and message board signups. Each one gets a different address, and if one sells my address to a spammer I can turn off that address without affecting other email. I've only had to do that once, however.
13. Use a credit card

Debit cards are pretty hazardous for online use.
14. "Secure" sites may not be safe

That padlock in your browser means (if everything works) that the site has proven they're who they say they are and that your traffic is protected from eavesdropping. It's not a Good Housekeeping seal of approval and the site could still be crooked.
15. Protect your personal information

Consumer Reports says "never" respond to email that asks for account numbers, passwords and the like. At the very least I'd say treat them with suspicion and double-check.
16. Don't follow hyperlinks from email

There are many things that can go wrong, and you can't be sure that email is from who it says it's from, but it's really hard to explain what's safe and what isn't.
17. Beware of typo-trapping sites

Yes to this one. Once upon a time, disnie.com was a porn site. Disney's lawyers took care of that in short order, but crooks still register misspellings of common site names. Type carefully, like CR says, or better yet use a bookmark.
18. Report phishing

That's good citizenship, not safety.
19. Review your accounts regularly

CR says to check bank and other statements as soon as they come in. I say check them online more than once a month.
