III. Securing Your Web Browser


Now it's time to set up security for your web browser. This can help to reduce the risk I mentioned earlier, where someone can embed spyware or other malicious software right into a web page. If you don't set up the security of your web browser properly, this embedded software will be able to run on your computer if you simply open up a particular web page in your browser. Internet Explorer, or IE, uses Internet zones to control this behavior and to restrict a website's ability to infect your PC with malicious software. You can think of an Internet zone as a way of classifying a particular website, and whether you trust that website not to contain any malicious software. Using Internet zones allows you to group a bunch of sites together under a single classification and assign the same security settings to all of the sites in a zone with a few simple mouse clicks.

By default, IE will place all websites into the "Internet" zone until you manually re-classify them. This creates a default security blanket that will help to protect you against any new or unknown websites that you visit.

Configuring IE security is an interesting balancing act because setting your IE security settings too low will leave you open to attacks by malicious software, but setting them too high will make it difficult for you to browse even legitimate websites, which can become a nuisance in and of itself. To help you strike a balance, IE has four pre-configured security settings that you can set on any one of the zones:

  • High

  • Medium

  • Medium-Low

  • Low

By default, all sites in the Internet zone will run with Medium security. This security level is something of a compromise between security and usability: it'll prompt you before downloading most types of software, but not to the point that trying to browse the web gets annoying. There are some computer security professionals who will say that you should always run with High security, and I've found that this is becoming a more viable option as website operators are becoming more security conscious. It used to be that running at High security all the time led to more "Are you sure you want to do this?" pop-ups than even I was willing to stomach, but now you can browse to most sites under High security without noticing much of a difference when you're dealing with legitimate websites. If a site you use regularly doesn't work properly under High security, you can manually add that site to one of the other Internet zones; see the "More About Internet Zones" sidebar for more information. Another option is to temporarily lower the security settings for the Internet zone to Medium: just don't forget to set it back to High when you're done!

To configure the default security settings for the Internet zone, do the following:

  1. Open your web browser. Click on Tools → Internet Options.

  2. Click on the Internet zone, and move the slider button to Medium or High.

  3. Click on OK to set this security level for all new websites that you browse to.

    More About Internet Zones

    The other Internet zones that you can place a website in are as follows (you can see this yourself by clicking on Tools → Internet Options from Internet Explorer). Local intranet. This zone is mostly used for businesses that use an internal website (or intranet) for company-related business and communications. Placing a website in the Local Intranet zone assigns it the Medium-Low security level, which bypasses a number of security checks. I don't recommend placing a website in this zone unless your corporate IT folks tell you to do it.

    Trusted sites. This zone is assigned the Low security level. Sites in this zone have even fewer security checks on them than the ones in the Local Intranet zone, so this zone is also one that I wouldn't place a website into unless I was absolutely certain that it was safe. For example, I've placed my company's web mail server into this zone because it runs a number of scripts that help me to automate how I deal with my corporate email. I trust these scripts to run without prompting me for approval every time they need to do so...but I trust that these scripts are safe largely because I wrote them. For everyday web browsing, put websites in this zone only if you're absolutely comfortable with using them and if they won't function properly under the security settings of the Internet zone.

    Restricted sites. This zone places the highest security settings on any web pages you add to it.

    To add a site to one of these zones, do the following:

    1. Click on Tools → Internet Options. Go to the Trusted Sites zone.

    2. Type the name of the site you want to add to the Trusted Sites zone, and click Add.

    3. You may need to remove the checkmark next to "Require server verification (https:) for all sites in this zone." This feature is in place to make sure that only secure sites (ones that use the https:// prefix) are part of the Trusted Sites zone.
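As an added example of my own (not from the book), here is an audit script for the slider setting and the zone placements this sidebar describes. It assumes the registry layout IE uses for these settings: Zones\<n>\CurrentLevel holds each zone's slider level, and ZoneMap\Domains\<domain>[\<host>] holds one value per URL scheme whose data is the zone number (1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); the input is a .reg file such as `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie_zones.reg` produces, and the sample export below is constructed.

```python
import re

# Zone numbers and slider levels as IE stores them (zone 0 is My Computer).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
LEVEL_NAMES = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<data>[0-9a-fA-F]{8})$')


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line.strip()):
            current = keys.setdefault(m["key"], {})
        elif current is not None and (m := DWORD_RE.match(line.strip())):
            current[m["name"]] = int(m["data"], 16)
    return keys


def audit(text: str):
    """Return (levels, placements): each zone's slider level, plus every
    (site, scheme, zone) entry that moves a site out of the default Internet zone."""
    levels, placements = {}, []
    for path, values in parse_reg(text).items():
        if "\\ZoneMap\\Domains\\" in path:
            parts = path.split("\\ZoneMap\\Domains\\", 1)[1].split("\\")
            site = ".".join(reversed(parts))  # Domains\example.com\webmail -> webmail.example.com
            for scheme, zone in values.items():
                if zone != 3:
                    placements.append((site, scheme, ZONE_NAMES.get(zone, f"zone {zone}")))
        elif (m := re.search(r"\\Zones\\(\d+)$", path)) and "CurrentLevel" in values:
            level = values["CurrentLevel"]
            levels[ZONE_NAMES.get(int(m[1]), m[1])] = LEVEL_NAMES.get(level, hex(level))
    return levels, placements


# Constructed sample export (not from a real machine): Internet zone at Medium, a
# webmail host deliberately in Trusted sites, and a wildcard entry worth questioning.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\webmail]
"https"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\surprise.example]
"*"=dword:00000002
"""
```

Run audit() over a real export now and then, and confirm that every site it lists under Trusted sites or Local intranet is one you put there on purpose.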


    ActiveX Controls and Digital Certificates

    There are two other terms that I want to explain to you since they're quite important to how you configure IE: ActiveX controls and digital certificates. An ActiveX control is just a piece of software that's embedded into a web page; the most common place that you'll see an ActiveX control is on websites that have online games that you can play within your web browser. If you've ever clicked on a link to play a game like Solitaire or Slingo and you've seen a prompt to install a piece of software so that you can play the game, that was probably an ActiveX control. (You'll see an example of this later in this section.) Just as every pop-up ad on the Internet doesn't mean that you've been hit with adware, not every piece of embedded software that you encounter is dangerous. But the difficulty with ActiveX controls is that they can be misused by malicious programmers since an ActiveX control has the ability to access files on your hard drive. Because of this, you want to make sure that you're able to answer two questions when you come across an ActiveX control:

    • "Does this ActiveX control come from someone that I trust?", and

    • "Do I want to let this ActiveX control run on my computer?"

    To help you answer the first question (does this ActiveX control come from a reliable source?), your web browser will look for a digital certificate. You can think of a digital certificate as an electronic ID card, much like a driver's license. So, if a company like Microsoft places an ActiveX control on their website, they will pay for a digital certificate that will verify that the control actually came from Microsoft. It doesn't even need to be an ActiveX control: most software that you install from a CD has a digital certificate as well. Digital certificates must be renewed on a regular basis, so software companies need to periodically re-verify their information to receive an updated certificate.

    You may have just noticed what a digital certificate doesn't tell you: it doesn't tell you that the software you're downloading is free from errors, or that it won't do anything to harm your computer. The purpose of a digital certificate is to give you the assurance that the ActiveX control came from a particular source. You can then decide whether to download the control based on whether you trust the company that it came from.

    An ActiveX control that comes with a valid digital certificate is called a signed ActiveX control. An ActiveX control that doesn't have a valid certificate is an unsigned ActiveX control.


    Before you download any ActiveX control or other piece of software, you need to ask three questions:

    1. Does the software have a valid certificate? (Is it signed?)

    2. Does the certificate come from the company it should? If you're downloading software from "The Big Games Company," the certificate shouldn't be from "Joe Mack's personal computer."

    3. Is the certificate valid, or has it expired?

    For example, let's say I go to a website some friends have recommended that has some cool puzzle games. These games use ActiveX controls to run in my web browser, so the first time I load up the site, I see the screen shown in Figure 5.

    Figure 5. Downloading an ActiveX Control


    Since this site was recommended by someone I trust, I might just go ahead and click "Install" right from here. But let's say that I want to be really sure this is a legitimate download. If I click on the name of the publisher, I'll see a screen showing me the details of the digital certificate, as you can see in Figure 6. This tells me that the software I'm downloading has a valid digital certificate that comes from the site I browsed to. I can also see the name of the company who issued the certificate, and when it was issued. At this point, I feel confident enough to download this software.

    So, what are some danger signs to look out for when downloading software?

    • An ActiveX control that has no digital certificate.

    • The digital certificate was issued to a company other than the website you're downloading from.

    • The certificate has expired.

    • The certificate was issued by a signer that you've never heard of. It's possible for a hacker to generate his or her own digital certificate, but it won't have the name of a respected company attached to it. Look for VeriSign, Thawte, and Geotrust as the big players. This is equivalent to a bar requiring an ID from a recognized issuer, such as the state DMV, and not "Bob's ID Card Service."

    Figure 6. Verifying a Digital Certificate
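The three questions and the danger signs above, turned into a checklist you can run: an added Python example of my own, not from the book. It assumes the four fields (issued to, issued by, valid from, valid to) have already been read off a certificate dialog like the one in Figure 6, and the two sample certificates at the bottom are constructed.

```python
from dataclasses import dataclass
from datetime import date

# The "big players" named in the text. A browser checks against its trusted
# root store instead; this list stands in for that store in the example.
WELL_KNOWN_ISSUERS = ("VeriSign", "Thawte", "GeoTrust")


@dataclass
class Certificate:
    subject: str     # who it was issued to: a hostname or a software publisher
    issuer: str      # who signed it
    not_before: str  # first valid day, ISO "YYYY-MM-DD"
    not_after: str   # last valid day, ISO "YYYY-MM-DD"


def name_matches(cert_name: str, expected: str) -> bool:
    """Exact match, or a single-label wildcard: *.example.com covers
    shop.example.com but not example.com or a.b.example.com."""
    cert_name, expected = cert_name.lower(), expected.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        head = expected[:-len(suffix)] if expected.endswith(suffix) else ""
        return bool(head) and "." not in head
    return cert_name == expected


def danger_signs(cert, expected: str, today: str) -> list:
    """Return the warning signs from the list above that apply to `cert`;
    an empty list means all four checks passed."""
    if cert is None:
        return ["no digital certificate (unsigned)"]
    now = date.fromisoformat(today)
    signs = []
    if not name_matches(cert.subject, expected):
        signs.append(f"issued to {cert.subject!r}, not to {expected!r}")
    if now > date.fromisoformat(cert.not_after):
        signs.append(f"expired on {cert.not_after}")
    elif now < date.fromisoformat(cert.not_before):
        signs.append(f"not valid until {cert.not_before}")
    if not any(k.lower() in cert.issuer.lower() for k in WELL_KNOWN_ISSUERS):
        signs.append(f"signed by an issuer you've never heard of: {cert.issuer!r}")
    return signs


# Constructed sample certificates, not real ones.
GOOD = Certificate("www.amazon.com", "VeriSign Class 3 Secure Server CA", "2006-01-01", "2007-01-01")
BAD = Certificate("joemack.example", "Bob's ID Card Service", "2004-01-01", "2005-01-01")
```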


    You'll also see digital certificates used to protect entire websites. Anytime you purchase something online and see that "https://" in front of the URL, any traffic that you're sending to and from that site is being secured from prying eyes. Unfortunately, one trick that's used by hackers is to put up a fake website pretending to belong to your bank, an online auction site, or even a charitable organization (the FBI usually reports a flurry of fake donation sites that are created in the wake of major disasters like the 9/11 tragedies and the Asian tsunamis). Hackers will use the same graphics and design as the real site and will even use certain tricks to make the URL address look like it's the real thing. But when you enter your credit card information to make a "donation," you've just given your financial information to a complete stranger, and a malicious one at that. If you're ever uncertain, you can check for a valid certificate to verify that you're visiting the correct site by double-clicking on the small padlock icon in the lower right-hand side of your browser. You can see the certificate for www.amazon.com in Figure 7.

    Figure 7. Verifying a Website Certificate


    Mean Tricks and Devious Deeds

    Another trick hackers will use to steal your personal information is called phishing. In a phishing attack, you'll receive an email asking you to log onto a site to update your personal information; it might even be a site that you actually use. Or it might appear as an "appeal" from a non-profit organization. As a general rule, no legitimate website will send you a request for your personal information (like your credit card number, Social Security number, or website passwords) using email because email messages are notoriously difficult to secure. If you're not sure, your best bet is to ignore the URL that you've been sent in the email and instead go directly to a web address that you know is valid; don't believe your own eyes when looking at a link in the email message. For example, if you receive an email from eBay asking you to click on a link within the email to verify your account information, you should instead delete the email message and go directly to www.ebay.com. If you're looking for a charitable website, the website of your local news station or government agency will usually have links that you can trust.

    Another unkind trick is for a malicious website to send you a pop-up window with a message like:

    "You've been selected to take our free survey! Click OK to begin the survey, or Cancel to decline."

    The part that makes this unkind is that the pop-up has been programmed to install spyware or another piece of malicious software, regardless of whether you click "OK" or "Cancel": if you click anywhere within the pop-up window, the malicious software will use that as its cue to begin installing. To close a pop-up window, especially one that you don't trust, close it only by clicking on the "X" in the upper-most right-hand corner. (Look back at Figure 7 for an example.) Be sure that you're clicking on the very top-most "X" since you'll sometimes see more than one.


    The "Alternate Browser" Question

    In recent months, there's been something of a push within the computing world to start moving away from Internet Explorer, the web browser that comes with Microsoft Windows products. This recommendation began in the wake of some serious security vulnerabilities that were reported in IE that were leading to an increase in spyware infections. And even though these vulnerabilities have been largely corrected, and IE offers a safe browsing experience in almost all cases, the simple fact is that there are some spyware programs that are specifically engineered to attack Internet Explorer. The question then becomes: if you believe IE's critics, what's the alternative? Many people have started using Firefox, which is an open source web browser that you can download for free from http://www.mozilla.org/products/firefox/. So is Firefox a good browser? Absolutely. It has a few things that are different from IE, where you need to click a different button or look in a different place than you're used to in order to create a bookmark or make your fonts bigger, for example.

    But is Firefox more secure? It is, and then again it isn't. It's very true that many spyware programs don't affect people who use Firefox because the spyware is looking for Internet Explorer instead. But before you run to make the switch, it's important to understand exactly what is entailed in the words open source. An open source program is freely available for anyone to download, and it's developed by programmers who are literally donating their time to create it. In some ways this leads to better security because you've got hundreds or even thousands of programmers whacking away at Firefox to try to find any security problems that it has.

    But what happens when a security problem is found? You're depending on these same volunteer programmers to correct the issue, and ultimately no one is really accountable for fixing the problem. When hackers start writing spyware and other malicious software to attack Firefox (and they will), it'll be interesting to see how well Firefox's open source model holds up by comparison.

    In the end, there's nothing really wrong with using Firefox as an alternative to Internet Explorer: you may even find that you like it better. But remember that Internet Explorer is still installed on your Windows PC even if you're using a different browser, so be sure to keep your computer updated using Windows Update all the same.



    Stopping Spyware
    ISBN: 1463585381
    Year: 2006
    Pages: 31