Three articles, written by Computer Home Help staff, have been published in the Lexington Minuteman newspaper, Lexington, MA.

The titles of the articles are:

1. Safety Tips for You and Your Computer
   This article provides an introduction to security issues that affect the home computer user when their computer is connected to the Internet.
   
2. Computer Spyware/Adware it's Worse Than a Virus
   This article provides information about a new threat to computer users usually referred to as Spyware, Adware or 'unsolicited commercial software
   
3. Don't Let Phishing Spoil Your Appetite for e-mail
   This article provides information on another threat to users of email. This threat is the use of mass mailings of deceptive e-mail messages that are designed to trick people into revealing their passwords or other sensitive information. A successfull "phish" usually results in financial loss to the individual.

Scroll down to read the articles.

1. Safety tips for you and your computer

Introduction

As we grow up from childhood to adulthood we learn gradually the importance of personal and domestic security. We learn not to talk to strangers, not to let strangers into the house, to lock the doors of our house and car at night. In the world of the Internet, many of us do not have the opportunity to learn slowly over a long period. We are dropped into Internet adulthood abruptly. When our computer is connected to the Internet it may look to a potential intruder like an unoccupied house in a remote location with all the doors and windows open, in fact an invitation to spy and steal.

The remainder of this article explains the risks your computer is exposed to when it is connected to the Internet by comparing it to something familiar to you, that is, your family, your home and your belongings

The Risks

You and your family, as a matter of course, take care of your precious property and personal information. You take precautions against loss by locking your doors and windows, keeping valuables hidden or locked away or in a safe deposit box. Personal information may be kept in a locked filing cabinet and not left lying around for the casual visitor to see. Many people have insurance against fire, theft, water damage, and accidental damage. Members of the family just know, that the last one to go to bed makes sure that the doors are locked and lights are off.

In the case of the Internet, your computer needs similar protection. You, the owner need to be aware of the risks so that you can make informed decisions about what to do. Security and privacy are probably most peoples greatest concern. You don’t want to lose your personal data like financial records, credit card numbers and passwords and you don’t want to inadvertently share that personal information without your explicit permission.

When your computer is connected to the Internet you are at risk of losing the programs and data stored on it because of, for example a virus attack, which might erase files on the hard disk. Also you may lose the privacy of your personal information because a hacker or a “spy” program on your computer may copy that information and send the copy to another person over the Internet. This risk is considerably greater if you have a broadband or “always-on” connection to the Internet.

You know you can reduce your exposure to some risks by not walking through certain parts of a city late at night. Similarly you can reduce your Internet risks by not visiting certain types of web sites or downloading certain types of free programs. So, your defenses to the risks of the Internet are a combination of careful behavior, putting locks on your computer’s “doors” and having some level of technical “insurance”. Behavior means where you surf on the web and what you do at various web sites, putting locks on the computers doors means having an Internet firewall, and insurance, in this context, means having anti-virus and other detection programs on your computer.

One other risk that must guarded against is that of “manufacturing errors.” This means that programs contain errors or “bugs” that leave “holes” through which hackers can gain access to your computer. The program vendors discover or hackers reveal these holes and the program vendor then makes a “patch” for the hole that users then have to apply to their copy of the program.

Behavior

If we consider behavior first, we should note that a big security risk is the behavior of those in your family with adventurous and inquisitive minds, that is, probably the younger members of the family. They are more likely to visit dubious web sites and download programs with insufficient caution. Those two activities can to result in programs being installed on your home computer that you did not really want and that subsequently do things that are not in your best interest. These actions include monitoring your web surfing and gathering other sensitive information off your computer and sending it to another person or computer. Since you have “invited” these programs onto your computer they may not be blocked by a firewall or caught by some anti-virus programs. Once these programs get onto your computer they can be very difficult to eradicate and can do almost everything on the computer that you can do while sitting at the keyboard. So the watchwords are, be careful where your surf and what free software you download.

Firewall

An Internet firewall is a piece of hardware (a small box) or a special program on your computer. Windows XP includes such a program, usually known as a software firewall. A firewall operates like a security guard checking people who enter a building to ensure that they have authorized access. The firewall inspects information that crosses between the Internet and your computer and only lets authorized information pass. The simpler firewalls only monitor information coming into your computer, the more comprehensive ones also check information leaving. That would be like the security guard checking to see that people who leave the building to make sure they don’t take material with them that they should not. A number of authorities recommend that domestic users have, at the very least, the simpler of the two firewalls. This type of firewall will block hackers from gaining accessing your computer and the information stored on it. The more comprehensive firewall can, for example, prevent a program that has been surreptitiously planted on your computer from sending out information that it has gathered from your computer. A firewall program is included in the security suites offered by well-known anti-virus vendors such as Symantec and McAfee. Just as a security guard needs to know who to let into and let out of a building, the firewall needs to learn what programs should be permitted to send or receive information over your Internet connection. This makes setting up a firewall program more difficult than setting up an anti-virus program.

Anti-virus Programs

A computer virus is a program that can replicate itself and spread from computer to computer. A more generic term for malicious programs is malware. This term covers numerous variations of programs that have a malicious intent such as worms and Trojan horses. A common way for a virus to get onto your computer is by being attached to an email message. The more popular anti-virus programs can check email and instant messages for viruses. One of the caveats with anti-virus programs is that they need to be kept informed of new viruses. The popular antivirus programs have the ability to “phone home” to collect the latest virus definition. In this way, when a new virus is created and released the anti-virus program will be able to recognize it and block it. This updating service is by subscription and usually needs to be renewed on an annual basis. Failure to keep your subscription current means the anti-virus program will become out of date and ineffective against new viruses. More recent versions of anti-virus programs also scan your computer for other varieties of malwear known as Spyware and Adware.

Patches

A program patch is a small program that is added to an existing program to correct a bug or other vulnerability in a program. A program vendor usually makes patches available to customers on its web site. These patches can be downloaded free. This is one example where it is good practice to download a free program. Microsoft makes downloading and installing patches a relatively simple procedure. Visit the vendor’s web site and look for “Updates.” Since your browser program, for example, Internet Explorer, and your email program, for example Outlook Express are two of the major ways your computer connects to the internet it is critical that these programs be kept properly “patched.” For similar reasons, your operating system should also be kept up to date, particularly if it is one of the Windows operating systems.

Summary

The safety and security of the personal information you keep on your computer depends upon all four components, the firewall, the anti-virus program, keeping all programs up to date, and cautious web-surfing behavior.

2. Computer Spyware – It’s worse than a virus!

Introduction

A few years ago computer users had only to be concerned with one malevolence, viruses – which were usually mischievous or at their worst destructive. The motives of the virus creators might be described as a desire for notoriety amongst their peers.

As viruses have been around for a while, it is likely that most computer users are aware of them, what they do, and what precautions to take against them. However there is a new and growing threat to computer users that is now considered by many to be a greater problem than viruses. The new threat is a convergence of technology and questionable interests.

Now, virus-writing technology seems to be converging with two interests, those of profit and crime. The commercial interests of the purveyors of pop-up advertising and spam are employing various forms of virus-like programs and spamming to push advertising pop-ups onto computer screens in ever-mounting quantities. Also, virus-like technologies are now used not merely for destructive purposes but to steal credit card numbers and people’s identity for even greater forms of theft. The more cynical of us might consider that the line between these two interests, crime and profit, is getting rather blurred. The remainder of this article will deal with the profit-interests.

The commercial programs that result in advertising pop-us are usually referred to as ‘spyware’, and ‘adware’ and sometimes grouped together and called parasites. A less pejorative term is unsolicited commercial software. The problem of unsolicited commercial software has grown considerably and it is believed that many millions of computers are affected. The situation has prompted a group of senators to tackle the problem with a proposed law that would make it harder for web sites to inflict their invasive programs on unwitting users and easier for the recipients to remove them - the more notorious parasites are almost impossible to remove. In the meantime, it is prudent to be aware of the problem, and if you believe you are at risk, or that your computer is already infected, to take appropriate action.

What do these parasites do?

Unsolicited commercial software can instigate a wide range of activities. Some examples are:

· Deliver unwanted advertising (‘adware’) usually as unexpected popups

· Watch what you do while you are online and send that information back to marketing companies (‘spyware’)

· Change, without your permission, the home page of the program you use to browse the web and prevent you from changing it back. A phenomenon usually referred to as ‘homepage hijacking’ or more generally ‘browser hijacking’. The changed home page is frequently one that displays advertising chosen by the site that planted the homepage hijacker on your computer.

· Make your modem call premium-rate phone numbers

· Open security holes in your computer and allow the makers of the parasite software to download and run their own software on your computer at any time they please

· Slow down the operation of the computer and cause errors or cause the compute to crash

· Provide no uninstall feature, and hide the program in unusual places on the hard disk to make it extremely difficult to remove.

How did these parasites get on my computer?

The most common way for unsolicited commercial software to be installed on a computer is by being ‘bundled’ with free programs. The parasites become installed at the same time as you install the free program. Popular file-sharing programs, for example Kazaa, Grokster, Imesh and BearShare are notorious for this.

Usually the small print in the end user license agreement, will warn you about this, and it is sometimes possible to opt out of receiving the parasites. Unfortunately few people take the time to read the small print, so the parasite software is loaded onto your computer with your tacit approval. Therefore, when taken to task about their practices, the purveyors of this type of software claim that the user has willingly accepted their product. So if you plan to install free software, it is advisable to read the license agreement carefully before your accept the software, and not just click Next-Next-Next.

If you use Internet Explorer, merely visiting a web page that includes a link to a program can load parasite programs onto your computer. Depending on the security setting of Internet Explorer, a window will appear asking if you wish to accept one of these programs. If you click “Yes” the software is allowed to run and can do almost anything it wants on your computer, including installing parasites. If the security settings are set lower than normal, you will not even be asked to give permission for installation of the parasite.

It is therefore inadvisable to click ‘Yes’ to a “Do you wish to download and install...” prompt unless you are very sure you trust the publisher of the software.

Sometimes web sites or pop-up ads attempt to trick you into clicking ‘Yes’ by stating the program is necessary to view the site, or by displaying endless error windows if you click ‘No’. Some will attempt to trick a “Yes” response from you by claiming that the program has a digital certificate and is therefore safe. Try not to fall for these ploys.

Guarding Against Parasites

Guarding against spyware and adware is not a simple case of installing a program and leaving it to do its job. It is usually necessary to first remove the existing parasites and then set up the computer to block further infection. That second step is quite difficult because it requires you to make some trade-offs between your desire for protection and your desire for ease of use. The anti-spyware programs cannot make these trade-offs for you. Also, these trade-offs are likely to be quite different from user to user, for example between adults in a family and teenagers. So, if the same computer is used by responsible adults and less-responsible teenagers (or vice versa!), the trade-offs will be difficult to make. Almost certainly someone is going to complain.

Here are some considerations for guarding against parasites. The first is selecting and setting up your browser program. The second is reflecting on your browsing behavior. And the third is installing a program similar to an anti-virus program that can remove and block parasites.

The Browser Program

Your portal to the Internet is the browser program, the most common being Internet Explorer. (If you use AOL to connect to the Internet, the underlying browser is still Internet Explorer) Because there are usually security holes in Internet Explorer that have not yet been corrected, you should ensure you have the latest updates and patches from Microsoft. Do this by going to the Start menu, select Windows Update then click Scan for Updates.’ Then follow the instructions to install the critical updates The next step is to set the security level for the Internet zone by going to Tools->Internet Options->Security and set the level to ‘high’ for the Internet zone. However, since many web sites just won’t work with the security set to’ high’, you are faced with a dilemma, and here the options proliferate, presenting you with decisions that are, again, not easy to make.

One option which will reduce your exposure to risk is to use a different web browser, for example Mozilla or Netscape, for everyday browsing, and use Internet Explorer only for sites you trust and will not work with the other, more secure, browsers. Another option is to decide that some web sites are unlikely to present a risk and use a low security setting for them and a high setting for all others. Both options require that you change settings in the more complicated areas of the browser program options.

A further option is set the security level to ‘high’ for day-to-day browsing and reset it to ‘medium’ or ‘low’ if a particular site, which you trust, refuses to work properly with the ‘high’ setting. After working with that trusted site you would then have to return the setting to ‘high’. This unfortunately becomes tedious after a while and it is all too easy to forget to return the setting to ‘high.’ Other blocking mechanisms are available but are outside the scope of this article.

Your browsing behavior can simplify problems considerably. For example, if you are the only user of the computer and you never visit questionable web sites or download free programs or open email attachments, your exposure to the risk of adware and spyware is considerably reduced. It would nevertheless be prudent to occasionally check your system for these parasites.

Anti-Spyware/Adware Programs

There are several anti-parasite programs available, both commercial and free. However, reliable sources report that some of the anti-parasite programs, not necessarily the free ones, come bundled with parasites. That’s ironic. Consequently, it is important to be cautions in buying an anti-spyware/adware program. Popular computer magazines such as PC World and PC Magazine publish reviews of this type of software and the reviews are available on the web. One popular and respected anti-parasite program is Ad-aware by Lavasoft. This is available in free and commercial versions. Unlike anti-virus programs, which are almost “install, set and forget,” many of the anti-parasite programs require regular attention from you, say, on a weekly basis. Unfortunately, for families with adventurous web users, who want to want to keep their computer free from parasites, the current Internet climate and the current state of the art software requires some time commitment from someone.

[Since this article was published, Micorosoft has entered the AntiSpyware program market. Refer to the Micorosoft web site for further details]

“But I use an anti-virus program”

A frequently asked question is “Why doesn’t my anti-virus software detect spyware and adware? Some anti-virus programs do detect some parasites, but not all. And the selection of which they detect seems to be arbitrary. Most parasitic software does not spread from computer to computer; it just installs, with your tacit approval, and runs on one system. But that does not mean it is harmless, and anti-virus software does not attempt to detect all software that could be harmful. In fact, some computer users might willingly accept the spyware or adware in order to use the free software that came with it. So, in contrast to viruses and worms, not all adware or spyware programs will be considered undesirable by all computer users. For this reason it becomes difficult for anti-virus vendors to make a program that will block both viruses and adware/spyware and be as easy to use as an anti-virus-only program. Also, when you run the anti-spyware/adware program it may necessary for you to decide whether you wish to keep a particular parasite program or not.

Typically anti-parasite programs work as a complement to anti-virus software and given the lack of comprehensive protection by anti-parasite programs, it is advisable to run more than one anti-spyware/adware program to have reasonable confidence that your computer is free of parasites.

Summary

3. Don’t Let Phishing Spoil Your Appetite for e-mail

Introduction

Just when you think you’ve got a handle on most Internet “nasties” such as viruses, and spyware, along comes another problem. If you thought that junk mail or Spam was just an irritation, think again. Spam now poses a significant threat to the unwary computer user. Many computer users are accustomed to seeing emails offering low-cost mortgages, low-cost prescriptions, health and physical enhancement products and get rich quick schemes. These are easy to recognize and deal with. However Spam is now a major vehicle for fraud and the technique is referred to as “phishing.” Phishing is the term used to describe the mass emailing of messages that are designed to trick people into revealing their personal financial information such as bank account or credit card numbers, passwords and PIN. The theft of this information invariably leads to financial fraud. The statistics for successful “Phishing trips” are disturbing. There have been numerous reports in the press, including reports from research by Gartner, Inc. “The Gartner survey, completed in April, indicated a high rate of success for phishers. Based on survey data, Gartner estimates that about 19 percent of those attacked, or nearly 11 million U.S. adult Internet users, have clicked on the link in phishing attack e-mail. Moreover, 3 percent of those attacked, or an estimated 1.78 million adults, report giving phishers their financial or personal information. More than 1.4 million users have suffered from identity theft fraud, costing banks and card issuers $1.2 billion in direct losses in the past year.”
The most common phishing attacks involve a fraudulent but official-looking email, typically from a bank, financial institution, web-based payment organization like Paypal or an online auction site. The email frequently uses a scare tactic that is designed to cause the unwitting user to hurriedly respond to the message for fear of the dire consequences that are suggested in the email, such as having their account closed or having their transactions reported to the police. The email usually instructs the user to click on a link in the email message that takes them to the web site that appears to be that of the bank or other business. The fraudulent website is often indistinguishable from the legitimate web site of the business. The text is very plausible and images, such as the company logo, may very well be identical. The web sites are very convincing even to those with a critical eye and a suspicious inclination. On arriving at the fake web site the user is instructed to log in to “verify” that their login information has not be tampered with or some other trumped up explanation that is calculated to trick the user into complying with the scam. The result is that the fake web site captures the credit card number, PIN, password or social security number and fraudulent transactions will almost certainly follow. At other times a low-key, non-threatening approach is employed that is calculated to trick users by lulling them into trusting the apparently non-threatening nature of the email. Both approaches have been highly effective. These fraudulent web sites operate just long enough to trap a few victims and are then shut down to avoid seizure of the owners by investigators. Of course, if you don’t have an account at the bank or business in question you can be confident that the email does not apply to you. However, if you do have an account you may easily be persuaded to respond and divulge your financial information.
It seems likely that this situation is not going to be resolved in the short term and the solution is likely to be a combination of consumer education, adjustments to business practice, technology changes and new legal frameworks. The best defense right now is to be extremely suspicious of any email messages that ask you to supply personal information and do not click on links in email messages that might take you to a website. If you feel you must visit the web site, type in the company’s web site address yourself into the address box of your browser. Better still, if you have any doubts, contact the business by phone and check to see that the email message is genuine. These phishing attacks are extremely dangerous because they are becoming ever more sophisticated, the financial damage is done so swiftly and there is little in the form a paper trail for the authorities to use in order to catch the culprits.

If you would like to learn more about phishing attacks or see examples of phishing, visit the web site of the Anti-Phishing Working Group at http://www.antiphishing.org/ This site also provides advice to those who believe they may have inadvertently given out their financial information.

Enjoy a phish-free festive season.

Paul Lewis is a seven year resident of Lexington. He is a computer consultant and teaches evening classes titled Viruses, Spam and Spyware. He can be reached at paul@ComputerHomeHelp.com or 781-910-7117.