In the world of comic books, every bad guy is an evil genius. On the web, hackers, spammers, and phishers may be evil, but they're not required to be geniuses. They can make a healthy living just by exploiting known security holes that many users haven't bothered to patch. Or by relying on the propensity of millions of people to do things they've been told over and over not to do.
The silver lining is that you don't have to be a genius to avoid these common attacks either. Implement a few simple fixes, and you'll avoid most of the bad stuff out there.
Fix 1: Patch Over the Software Bull's-Eye
Have you turned off automatic updates for Windows and other programs on the rationale that "if it ain't broke, don't fix it?" Then consider this: Your programs may be very, very broken, and you don't know it. The days of big splashy viruses that announce themselves to PC users are over. The modern cybercriminal prefers to invisibly take control of your PC, and unpatched software gives them the perfect opportunity to do so.
Today, a hijacked web page - modern digital crooks' attack of choice - will launch a bevy of probes against your PC in search of just one unpatched vulnerability that a probe can exploit. If it finds one, better hope your antivirus program catches the ensuing attack. Otherwise you likely won't even notice anything amiss as it infects your system.
Luckily, you can completely block the majority of web-based exploits by keeping all your programs - not just the operating system or your browsers - up-to-date. Attack sites ferret out holes in seemingly innocuous applications such as QuickTime and WinZip as well as in Windows and Internet Explorer. So turn on automatic update features for any software that offers the service - it's your quickest and easiest option for getting patches.
Fix 2: Find the Other Holes
If every program used easy automatic updates - and we were all smart enough to use them - the thriving malware business would take a serious hit. Until then, a free and easy security app from Secunia can help save the day.
The Secunia Personal Software Inspector, available as a free download, scans your installed software to let you know which out-of-date programs might be making your PC unsafe. But it doesn't stop there - for each old program it finds, it offers quick and easy action buttons such as one labelled Download Solution, which retrieves the latest software patch without you even having to open a browser.
The program also gives you links to the software vendor's site as well as Secunia's full report about the vulnerability on your system. You can choose to block future warnings about a particular program (but you should, of course, be careful before doing so).
Secunia PSI isn't perfect, and doesn't always make it easy to update unsafe program components. But for most apps it provides a quick - and very important - fix.
Fix 3: Let the Latest Browsers Fight for You
The most insidious hijacked web pages are nearly impossible to spot. Tiny snippets of inserted code that don't display on the page can nevertheless launch devastating behind-the-scenes attacks.
Trying to avoid such pages on your own is asking for trouble, especially since crooks like to hack popular sites - attacks against sites for Sony games and the Miami Dolphins are just two well-known examples. But new site-blocking features in the just-released Firefox 3 and Opera 9.5 browsers provide some shielding.
Both browsers expand on the previous version's anti-phishing features to block known malware sites as well, whether they're hijacked pages on legitimate sites or sites that were specifically created by bad guys. Neither browser completely eliminates the risk of landing on such pages, but every additional layer of protection helps.
Microsoft plans to add a similar feature to Internet Explorer 8, but this version won't be ready for prime time for a good while. For more on the browsers' improved security, see "New Browsers Fight the Malware Scourge."
Fix 4: Sidestep Social Engineering
The most dangerous crooks use clever marketing to get you to do their dirty work for them and infect your own PC. Lots of social engineering attacks are laughably crude, with misspelled words and clumsy grammar, but that doesn't mean you should dismiss the danger. Every now and then, a well-crafted attack can slip past your defences and lure you into opening a poisonous email attachment or downloaded file. A targeted attack might even use your correct name and business title.
To fight back, turn to a simple but powerful tool: VirusTotal.com. You can easily upload any file (up to 10MB) to the site and have it scanned by a whopping 35 different antivirus engines, including ones from Kaspersky, McAfee, and Symantec. A report tells you what each engine thought about your file. While some (such as Prevx) are prone to false alerts, if you get multiple specific warnings that include the name of the particular threat, then you almost certainly want to delete the file.
A lack of warnings doesn't guarantee a file is safe, but it does give you pretty good odds. Use VirusTotal to check every email attachment and download you're not 100 percent sure about, and you'll avoid insidious social engineering.
If using VirusTotal starts to become a habit (not a bad idea) and you want to make sending files for scanning to VirusTotal really easy, download the free VirusTotal Uploader. Once you've installed the utility, just right-click a file, and you'll see an option (under Send To) to upload it to the VirusTotal site.