Keep security advice current

Cliches about safe computing behavior aren't enough, because e-mail, surfing, and patching vulnerabilities change all the time.

Remember when computer security was simple? Advice was as easy as, "Don't boot with a floppy drive in your A: drive" and "Don't enable the macro to run." Boy, do I long for the days of yesteryear.

More and more, application vulnerabilities are being announced every day, whether it's something attacking Apple QuickTime, Macromedia Flash, YouTube videos, Adobe Acrobat, or Microsoft Office. And telling people not to open untrusted content is like telling them not to open e-mail from people they don't know. It's not bad advice, but you can't stop there.

You've got mail

On the "don't open e-mail from people you don't know" recommendation, malware has been using e-mail address books for nearly a decade now. Malicious spam and e-mail often comes from our friends, parents, and coworkers. The better advice is not to open e-mail that is unexpected, seems out of character for the sender, and contains links or content to click. When in doubt, e-mail or call the sender and confirm that they really meant to send it. Or do like me, and just delete it when there's a shadow of a doubt. I can't trust my friends and associates to thoroughly validate the stuff they send me. To them it's a cute little animated GIF or a YouTube video of a hot girl dripping barbecue sauce over a less hot car. To me, it's probably malware. It's just the way my mind works.

All these years later, you still can't tell people to open e-mails from only people they trust. Targeted spearphishing is becoming more common. You can't count on mispellings (sic) and bad grammar to alert you to a phishing attack. They have your name and your interest [for example, your bank account, Better Business Bureau complaint, 401(k) provider, and so on]. I won't give you my bank logon info, but there's a good chance that I'll respond, strongly, to my Dell laptop warranty expiring earlier than what I paid for or object to an unauthorized change in my 401(k) portfolio. Those malware guys are sneaky.

Surfing safari

Today, the frequent advice you'll get, in the face of application malware, is to not open content from or visit untrusted Web sites. That is so 20th century! Unless you've been hiding under a rock for the last few years, security article after security article has been detailing how malware is being served up by the Web sites we trust most. It's the NFL Web site, travel site, news site, political gabfest site, and blog that we all love. They get compromised, we visit, and we get infected.

The popular Web site is compromised through its own application vulnerability and ends up serving malware to visiting users. Or it has banner ads that push malicious content. Or the favorite search engine contains highly ranked results that are thoroughly malicious. If you haven't gotten the memo, malware is infecting us from sites and people we explicitly trust! And this isn't something new. Years ago, during the initial minutes of the Nimba worm outbreak in 2001, one of the world's most popular news Web sites tried to infect me. I was reading that hour's news when all of a sudden Notepad kept popping up, displaying gobbledygook (that's a technical term). I had closed Notepad a few times before I realized that what was happening was a result of my computer security defense. In an effort to render malicious scriptable content harmless, I had remapped the Windows Scripting Host file extensions (such as ".vbs") to be reassociated with Notepad instead of Wscript.exe or Cscript.exe. I finally realized that my defense was actually working. What I thought was ASCII character gobbledygook was instead encrypted executable content.

Patch and learn

The advice I give family, friends, and readers is this: Stay fully patched, with both your OS and your applications. If you don't check your entire patch status on a regular basis, you're probably not completely patched. Run Secunia's Software Inspector as a check if you don't have anything else. It isn't enough just to check your OS and biggest vendor's patching status. Run anti-malware and firewall software on the computer and keep it up to date. Perimeter security won't suffice.

Educate your end-users about the risk of attacks from Web sites they know and love. Users should be encouraged to be skeptical about all downloads, whether or not they come from a "trusted" site. Tell your users to never install video codecs, even if they promise to let them see the latest cool video. Explain to them that free software is rarely ever free. Teach them how to recognize malware warnings from their legitimate anti-malware software and, conversely, how to spot fake advertisements telling them that they're infected. Tell them not to download and run anti-malware programs that appear to detect the threat first and then require the download. That's backward.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Roger A. Grimes

Roger A. Grimes

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?