Basic Rules Plus Common Sense Add Up to Security

By Rob Pegoraro
Sunday, December 25, 2005

For some people, the worst gift ever would be a new computer with an Internet connection. One embittered user wrote in October to say that he was "so frustrated with hackers, virus, Trojans, worms, constant upgrades, security patches, etc, etc." that he was going to suspend his Internet account.

I'm guessing that a new laptop wasn't on his wish list this year.

But many other people have been booting up new computers and wondering how to keep them secure. They are likely to get some confusing messages about that. The worst one is "you can't" -- that you must accept these intrusions because it's too hard to stop them all.

Nonsense. If you can learn to cook with fire, drive a car and pay your taxes -- all activities in which, unlike computing, failure is punishable by fines, imprisonment or death -- you can figure out how to operate a computer safely.

Two other messages merely cause people to waste a lot of time and effort.

One is that you can only keep a computer safe by using the right tools. Your PC will not be secure, the thinking goes, unless you add the correct firewall, anti-virus software and anti-spyware utilities -- with any others, you might as well leave the front door unlocked.

The other is that failure to practice the right rituals will invite the wrath of the computing gods. This leads people to do things like unplug their Internet connection every night (even though that's the easiest time for a computer to get security updates) then plug it back in each morning. They will turn off harmless Web-browsing options, just in case, and delete browser cookies that don't threaten their PC's integrity. Some will even reinstall Windows every year, just in case.

A smarter approach combines a little of both beliefs: Let your computer guard itself with a firewall and automatic updates, pick safe programs and keep them up to date, then use your common sense to spot the bait set out by the perpetrators of viruses, spyware, phishing attacks and other "malware."

This applies whether you run Windows, Mac OS X or any other system-- although the risks are far lower outside Windows.

The first step is the simplest: Turn on your computer's firewall. By screening unsolicited connections, it stops the most dangerous attacks, the network worms that can board a computer without your consent or notice. (Viruses must trick people into running them, which is why a PC guarded solely by a firewall can be kept clean if used cautiously enough.)

In any new Windows PC, the firewall is already on; don't worry about adding some other company's firewall software. In Mac OS X, open the System Preferences window and select the Sharing category to activate the built-in firewall.

The second step is to get any security fixes for your operating system. Windows XP now does this automatically, downloading and installing patches as they arrive. Mac OS X will fetch updates automatically, but you must remember to install them yourself.

Step three applies to Windows users: Run whatever anti-virus program came on the PC and make sure it will update itself past the initial trial period. That will usually require buying a yearly subscription. Pay up, or switch to the free Avast ( ) or AVG ( ) anti-virus utilities.

Step four also goes for Windows users: Switch from Microsoft's Internet Explorer browser to such safer replacements as Mozilla Firefox (my pick) or Opera, both available through free downloads ( and ). Even after dozens of security fixes, IE's basic design leaves it on a weaker footing than other browsers.

Because Microsoft's Outlook Express e-mail software shares code with Internet Explorer, it can be a risk too -- although it does effectively block access to programs attached to e-mails, the most common way for viruses to spread. This aging program also doesn't screen against spam or phishing e-mails (those messages that demand you verify a financial account but lead you to a fake site). Instead, try the free Mozilla Thunderbird, a cousin of Firefox, or Qualcomm's Eudora ( ).

Step five goes for everybody: Update any programs that regularly access the Internet, such as Sun Microsystems' Java software ( ), media programs such as iTunes and RealPlayer, the Macromedia Flash browser plug-in ( ) and instant-messaging applications. Most of these programs will look for new versions automatically; if not, go to each application's Web site and download a fresh copy.

Step six is the one that never ends: Use common sense when you run into the unexpected. Don't attribute omniscience to Internet sites or think that things must always work differently online than off.

That random Web page you just visited? No, it doesn't know about your computer's software, so you can ignore the ad telling you to scan your PC for trouble now .

The e-mail from the FBI, ordering you open the attached file to read about the illegal Web sites you visit? Ignore that too. If the Feds really think you're an outlaw, they would send men and women with guns to express their concern.

That e-mail alert purportedly from your bank? Think about that: If your account was really in that much trouble, wouldn't the bank call you instead of sending an e-mail you might not read until days later? If you're really worried, phone the bank yourself to check. Or type the bank's address into your browser -- ignore the link in the e-mail -- and see if any messages are waiting for you.

Don't rush to install strange new software. Let the collective expertise of the Internet help you first: Run a Google search ("Is StrangeFreeProgram spyware?") to see if other users had problems.

If you're not the only person using the computer, make sure that everybody else follows these practices as well. If they can't or won't, lock your account on the computer with a password, then set up a limited account for them that will stop them from causing more than minor damage. In Windows XP, go to the User Accounts control panel; in Mac OS X, select the Accounts icon in the System Preferences' window.

What about all the anti-spyware and Internet-cleanup programs the security gurus recommend? They are worth having around (although it's still in testing, I recommend Microsoft's free Anti-Spyware), but if you do your job right you'll never have to run them.

Living with technology, or trying to? E-mail Rob Pegoraro

© 2005 The Washington Post Company