Become a Patron of Ask Leo! and go ad-free!
Transcript
Five tips to getting the most out of your technology. Tip number four. Stay safe.
Now, I get the questions about security all the time as you might imagine. One of the most common questions I get is, well, what security software should I use? What’s the best? I get it, like I said, all the time.
Now, as it turns out, there’s of course a fair amount of disagreement on exactly what software packages or package you should be running. Should you do an all-in-one; should you use it from this vendor or that vendor? What’s important? What’s not important? Do the ratings matter? What companies do they come from? Behavior of the particular package, whatever?
You know what, it’s actually not the right thing to focus on. The other question I get, of course, is well just the general one. How do I stay safe in today’s world online with my technology? It’s not an obvious thing to do for most people. Now, I have lots of articles on that just like I do on security software, and in fact, my most important book here is all about staying safe online.
It has several steps and a bucket load of recommendations of things that you should do and software you should run and things you should watch out for while you’re online or while you are using your software. But really, all of that, everything in that book, everything on your computer can be summed up in one phrase.
What’s the most important security software you have? Right now? It’s the software up here. It’s the software in your brain. The most important point in my book: there is no security software on the planet that can protect you from yourself. The technology is important, but you are the one in control; you are the one who can bypass every security barrier that’s put in place.
It’s how a lot of malware gets on people’s machines right now. It will bypass firewalls; it will bypass security software; it will bypass any number of different things, because the user wants whatever it is that’s been promised by the software or the attachment or the whatever that they’re looking at.
There’s nothing that can protect from yourself. So, what does it mean then to use what we often call “common sense” which of course, isn’t really all that common. It’s learned behavior; it’s stuff that basically you need to know; you need to think about.
The most important rule of staying safe on the internet is actually very simple. Exactly two words: be skeptical. If it’s too good to be true, guess what? It’s probably not true. Heck, even if it sounds too good, it may not be. It’s still something you need to be wary of.
Watch for wild claims. Something for nothing. Free, the word free can be used for good and for evil. Promises in spam; promises in web ads; promises in product sales. These are all things you need to watch for, and you need to be skeptical about.
Software you’ve never heard of, from someone you’ve never heard of? Be skeptical. An attachment you’re not expecting. You know that one where they send you some kind of delivery notification that says: this package you ordered is going to be delayed? A) You never ordered any package. B) You have no idea why they’re sending it to you via whatever shipping company that is, and C) They want you to open an attachment.
Guess what? It’s fake. It’s malware. It’s something that you don’t want. You need to be skeptical. Check it out first. What does it mean to check it out? I get that a lot too. I mean how do I know if something is legitimate or not?
Google is your friend. Search engines are your friend. Look it up. There’s usually, especially for the really common scams, there’s a ton of information on there on what they are, why they are, how they’re bad, what to look for specifically with that email or that product or that whatever it is you have in front of you. Use the tools you have available.
Do some research. Use sites like Web of Trust, and I think there are some others that actually rate the trustworthiness, if you will, of lots of different websites on the internet. If you’re giving a product from company A and company A has a website, look up that website on Web of Trust, or like I said, some of the equivalent sites.
Chances are, there’s good information about them. And if there’s no information, maybe the product is brand new, maybe the company is brand new, maybe it’s just not listed. I hate to say it, but assume the worst. Start looking for other third parties to get information about whatever it is you’ve just found.
Heck, I’m a third party. I’m Ask Leo!; I will often have information about tools and software and sites that people haven’t heard of. Maybe I have. The converse is also very, very true. It’s very common for me to get a question about, you know, what do you think about such-and-such package? I’ve never heard of them.
Well, you know what, if I’ve never heard of them that doesn’t necessarily mean that they’re bad; it doesn’t really mean anything at all. It’s no data; it’s lack of information. I may be able to sometimes give you a recommendation that says well, you know what? That kind of tool? You don’t need that kind of tool at all.
This is what you should do instead, or I’ve never heard of them. I don’t know what they’re doing, but here’s another tool that does the same thing that I have heard of and that I trust. These are the kinds of recommendations that you’ll find on the internet from reputable sites that you can build up a level of trust with. Hopefully, like Ask Leo! but there’s lots of other sites and other sources of information like that.
Always, always, always be cautious when you install software. When you do install software, never, and I hate to say it but I really have to say, never, ever accept the default options. There are just too many things that happen when you do.
The important thing to remember about default options is that the defaults are there for their convenience, not yours. In other words, the defaults are there to set up the software the way they want it to be set up, not necessarily the way you want it to be set up.
Always assume that you must not click on, you know, the default options. Always click on customize, if customize is the option there. Clicking on customize is essentially not accepting the defaults. You always want to customize; you always want to not accept the defaults.
A couple of great examples. What happens when you accept defaults can vary a great deal. Windows 10, the most recent example is a good example because if you accept the defaults for Windows 10, well, you’ve accepted a lot of privacy exposure; you’ve accepted a lot of options that potentially send information to Microsoft.
Now that information may be totally benign; that’s a topic for another day, but the point is when you accept the defaults, you don’t even know that those options are being selected for you; you might want something else. If you want something else, you’ve got to choose the customize or not default options.
In the worst case with other software packages, particularly free software that’s downloaded from the internet, when you don’t choose customize, when you allow the defaults to happen, you can get foistware – software that you didn’t expect, software that you don’t want; you could even get malware as part of the installation that you accept by default.
So don’t accept defaults. The bottom line is that companies on the internet need to make money. It’s how they survive. Even free software and sites need to make money in order to, at a minimum, recoup their costs, because that software is not free to develop. Those sites, they’re not free to run.
The same is very true for Ask Leo!. What I do, what you see, what I make available on the internet, costs me money. That means I need to make money somehow to recoup those expenses and maybe get a little bit more to make it, I’ll call it worth my while or get a little bit of return for the value that I hope that I provide on the internet.
That doesn’t necessarily mean that all free things are bad. It does mean, though, that those things that are offered for free are somehow going to be looking at ways to get revenue to sustain their operations. In the past, we’re actually at an interesting turning point right now.
In the past, for the past, I’ll say twelve years that I’ve been doing Ask Leo!, advertising has been a very, very lucrative way of recouping the cost. It’s made Ask Leo! possible. The problem, of course, is that with the rise of ad blockers and other things, that’s just kind of sort of going away.
And it’s actually putting a lot of sites including Ask Leo! in a tough position, because what we had been counting on for revenue is going away. What that means is that these companies, all of the companies, myself included have to make strategic decisions about exactly how they’re going to replace that revenue.
Many companies will do good things. I hope I’m one of them. I hope I’m going to end up doing aboveboard, legitimate things like selling books, and I’ve got some other options in the works as well, but these are all aboveboard, obvious, clear ways that, yep, you will exchange money for value – we hope.
Other companies – not so aboveboard. Other people are in a tough position where they are having to make hard decisions about how they’re going to recoup their revenue. Sometimes that means they slide in software that somebody else pays them to slide in without your knowledge.
That’s an example of bad decisions by those companies that end up affecting you in ways you didn’t expect for the free software that wasn’t really free at all. Trust has to be earned. Always, always be skeptical. Do your research. The interesting thing though is that trust also has to be, I’ll just say, maintained.
The issue is that, well, things change. We know things change. Heck, it was the topic of our first tip. Companies get sold. Software changes. Priorities change. Desperate people do desperate things. If some website, for example, suddenly sees all of it’s advertising revenue go away, that could be desperate time for that site.
They may start to do some things that are less than aboveboard. I’m not one of them. I’ll never, ever do that, but again, your trusting that what I’m telling you is the truth, and that what I’m telling you will always be the truth. These are things for every website, for every product, for every company that you interact with or do business with on the internet.
You need to keep in mind: things change. I’m not saying don’t trust. Like I said, I hope you trust Ask Leo!. I hope you trust other sites out there that provide information and provide value to you on an ongoing basis. There are sites that are worthy of your trust.
But always know that things can change. So always know that, yeah, we’ll keep an eye out. I trust them today; I’ll trust them tomorrow but if all of a sudden something bizarre happens, maybe we need to re-evaluate that trust. Like I said, companies get bought and sold. Desperate people do desperate things. Change is one of the unfortunate realities of the dynamic environment that the internet really provides us all.
When in doubt, how do you know? What do you do? When in doubt, do nothing but ask questions. And in fact, keep asking questions until you’re satisfied with the answers. I really mean that, because a lot of people will trust a little too quickly. They won’t ask enough questions before downloading the software.
They’ll be satisfied with assurances from the people that have a vested interest in misleading you that whatever it is is alright. The wonderful example are things like password reset mails that you might get. You know, “We’re about to close your account. You must provide us your account information or we’re going to close your account.”
If you reply to that and say, “Hey, are you legit?” of course, they’re going to say they’re legit because they want to keep fooling you, and they want to get your account information. It’s a trap. It’s a scam. Don’t do it. Ask more questions of more people before you do anything whenever there is a doubt about what you are about to do.
This is how you avoid scams; this is how you avoid malware; this is how you avoid foistware, and ultimately, with everything else we might throw at it, technology or otherwise, this is how you stay safe when you’re using your computer and the internet.
It’s way more important than anything else you can do. As always, I would love to hear your reaction to my thoughts. I would love to hear your ideas on ways to stay safe using the internet, basically avoiding many of the things that I’ve talked about.
Again, as always, here’s a link. There’s the article on askleo.com where you can leave your comments. They all get read. They do get moderated so that we actually don’t get the spammers out there trying to sell you stuff that is not trustworthy.
What you don’t see of course is that we do see a lot of that kind of stuff – I’ll just say come through the comments stream on Ask Leo!
So, let me know what you think. How do you stay safe? How do you, what steps do you take to stay safe on the internet? And I will see you again next week with our last tip – tip number five which I think is something that will kind of surprise you in the sense that you’ll say, “Ok, great, well, given tips number one, number two, number three and especially number four, how do I do tip number five?” We’ll talk about that next week. Until then, I’m Leo Notenboom for askleo.com. Thanks for watching. Take care.
The One aspect which seems to be paramount, is, KEEP ALL OF YOUR SOFTWARE UP TO DATE.
Don’t use Flash, or, Java; Turn them off in the browser options; Also, (in the Browser), use only
Session Cookies, and do NOT allow 3rd party cookies.
Where possible, only use 2 Factor Authentication, especially for Banking; Maybe look to use Yubikey?
If you really feel confident, consider (Full Disk) Encryption.
But consider THIS, you ARE a commodity, so therefore, your details WILL continually prove to be of
interest; If That, was not so, Google, Facebook, M$, etc., would allow (encourage), End-to-End encryption.
Keeping only session cookies is feasable, but not practical. That way, no polylingual site can ever remember that you prefer this or that language : That Japaneese site will keep been displayed in japaneese untill you switch to english, every time you go there.
No site can remember your preferences from visit to visit.
Not allowing third party cookies is often not a viable solution : Many sites demanding you to log-in use an intermediate login and validation site, and that site need to use cookies to pass back your logged in status. Those cookies are effectively third party cookies.
Two factors authentication often demand that you have a smart phone. NOT EVERYBODY have one ! If they use a text message and your plan don’t include text messages, you also just can’t use two factors.
Yeah, I don’t worry about cookies at all. The inconveniences and disadvantages associated with blocking them far outweigh the advantages, in my opinion.
A mobile phone is not a prerequisite for 2 factor authentication; You can use alternative methods
such as the Yubikey; 2FA was around before the mass adoption of the Mobile phone.
I’ve seen some websites offer to make a voice call which would work with a land line for 2FA, others from banks use a list of onetime challenge response passwords, others use one time challenge response password calculators. From what I’ve seen, many websites offer more than one method of 2FA.
W.r.t. cookies, it was my belief, that IF there were specific requirements, then you could White List those particular Sites.
I run, as I have outlined above, and do not experienced any problems; In fact, I do not even allow, automatic Re-directs.
Staying Safe, is really about, becoming Enlightened, and Taking Responsibility.
The Article was about Staying Safe, NOT, Lets-risk-it.
Sure, proof-of-concept cookie tossing or cookie injection attacks have been demonstrated, but they’re not something that’s happening in the wild and, for a number of reasons, nor are they likely to. The fact is that, from a pure security standpoint, people really don’t need to worry about cookies.
NOT reading ‘Terms & Conditions’, may also, inevitably, lead to Exposure:-
http://www.techentice.com/snapchat-now-reserves-right-to-use-and-distribute-taken-in-the-app/
That’s good advice and theoretically true, but in practice most terms and conditions are so long and convoluted as to be virtually indecipherable. I’ve almost given up trying. But when I see one like that, it raises my skepticism level a few points, so I still consider it useful information.
Totally agree. Additionally, in the case of really unscrupulous developers, there’s no guarantee that the EULA will even be accurate. By far the best advice is to only install apps from well-known, well-established developers that have been downloaded from a trusted source – preferably, the developer’s website.
“How do you stay safe?” – I never complete a financial transaction on a website I’ve opened via an emailed link.
I always thought I was smart enough to be able to spot a scam from a mile away, but a couple of years ago I received an email that made me realize that maybe I wasn’t. The email in question was from Costco (supposedly). There was nothing unusual about that: I’m a Costco member and it looked exactly the same as the other emails I receive from them. Even the “From” field was the same as usual. The email linked to a page of special offers that looked exactly like a Costco page. Even the links on the special offers page worked properly, redirecting you to other genuine Costco pages – click the Costco logo and you’d be taken to the genuine Costco homepage, for example. But that special offers page was not genuine: it had a CoTSco.com (or something similar) URL rather than CoSTco.com.
It was by far the most convincing scam email I’d seen and, while I spotted the fake URL, I’m sure many other people didn’t. It certainly made me realize that I probably wasn’t as immune from scams as I’d thought.
For one reason or another I know that my computer has malware, in spite of the AV company’s attempts to reduce it, most likely due to the kind of actions Leo has been talking about in this vlog. I know because when I bought the computer last year I could surf and stream without the streaming being interrupted by loading adverts on web pages. These days, the stream is always breaking up. I have a lappy with an Intel Pentium 2.40 GHz processor and the full capacity of 8GB RAM, it really shouldn’t be doing that, I’ve been told. Have used Malwarebytes in the past but never really felt it was doing enough, so I didn’t load it on this PC and like I say, the AV company claim of addressing malware has left me relying on it somewhat. I would love some advice on how to remove malware myself, if you have the inclination, Leo :-)
I can’t help you remove your malware, but I can tell you that relying on your antivirus program to keep you safe is risky. By various reports, AV programs catch between 25% and 50% of malware, and what one catches, another might miss. And don’t be too quick to dismiss Malwarebytes – it’s well tested and trusted, and provides a level of protection that AV programs don’t.
The percentage is closer to the high 90s, but that still means malware can get through. Malwarebytes is great, and is mentioned in these articles, but in addition to Malwarebytes and AV programs AdwCleaner, also mentioned in the first article, has removed stuff all those others missed:
https://askleo.com/how-do-i-remove-pups-foistware-drive-bys-toolbars-and-other-annoying-things-i-never-wanted/
https://askleo.com/how_do_i_remove_malware/
Mark — Where does your 90% figure come from? Mine were averages from tests of a variety of providers, and I’m curious who comes in at 90%.
Hey, thanks for all the input on my post! Wish me luck ;-)
It really depends on what numbers you choose to believe. These days, the bad guys use something called crypting services. These services take malicious code and use encryption to obfuscate the code in such a way that it will not be detected by antivirus programs. Additionally, the effectiveness of the obfuscation of the code is checked by running it against pretty much every antivirus engine on the market. And all of this can be totally automated. What this means is that, if you’re unlucky enough to be hit by newly obfuscated malware, the chances of your antivirus program detecting it may be quite slim.
This isn’t to say that antivirus programs are useless. They’re pretty good at detecting old stuff and heuristics may even detect newly obfuscated stuff. But don’t count on it. And don’t rely on your antivirus software to mitigate risky behaviours.
Very good advice. Most old PC users have learned this the hard way. But, your article and articles like it are great. They help initiate the novice. Without nurturing novices to make them “pros” the PCs days are numbered.
In addition to the recommendations of 2FA, not clicking links and running a firewall (I use AVG) and not accepting the defaults when installing, I also use a virtual machine for the stuff that I still don’t really trust but still like to explore.
Works for me, when something nasty happens it is in my virtual machine and I just delete the machine and get another one.
You’ve basically said it all Leo in your video. Sometimes, it takes people to get burned first in order to understand the importance of being “skeptical” while on line. It had happened to me in the past long ago and I can tell you that I have learned my lessons. Another important fact is that some people lack the basic knowledge on how to configure their web browsers, or even worst they just cannot resist, for whatever reason, the urge to click on a link for a website even when WOT or Virus total or Malwarebytes anti-Malware tag the link or the site as suspicious.
I just hope they will learn inchmeal after such bad experiences.
Keep up the good work Leo!
Since there are ads now that actually give you malware, I always use ad-blockers. On sites I trust, like askleo, I white list and get the ads. I also use Privacy Badger but it only blocks tracking cookies and even then allows you to allow if you want to, for example Amazon tracking cookies that keep up with your shopping cart, YouTube cookies that put the “watched” on the sub page, etc. . I block all third party cookies and allow the rest … provided they pass Privacy Badger. As for phishing, I never click the link, I go to the site the same way I always do and check there to see if there is a problem. Result: so far, so good.
“On sites I trust, like askleo, I white list and get the ads.” – Whether or not you trust a particular website is actually irrelevant. Pretty much every website that displays ads uses an ad network like Google’s DoubleClick or Zedo. And when malicious ads are pushed out using these networks, there’s not much the site owners can do about it. The websites of the New York Times, Last.fm, the London Stock Exchange and the Huffington Post have all been used to distribute malware, as have many other extremely well-known websites.
It’s worth noting, however, that this type of malware usually infects machines by exploiting vulnerabilities in old, unpatched versions of apps such as Flash. In other words, if your apps are update and you’re running a AV, the risk of your computer being infected in such a manner is quite small.
Privacy Badger blocks those and any others that I tell it to, even if they are green to start. That is why I use both.
Oh, worst case, “Restore from image”.
Just caught this, for what it’s worth:-
http://arstechnica.co.uk/security/2015/11/user-data-plundering-by-android-and-ios-apps-is-as-rampant-as-you-suspected/
The point about the mental software is the best. I was convinced to hand over control of my computer to a supposed Microsoft technician and only because I was able to disconnect the internet once I realized I was bamboozled. I still had to revert to a previous restore point, and lost a ton of data, but still…very embarrassing!
Sorry to read that, Lew. The best advice is to assume that anybody who makes unsolicited contact – whether by email, telephone, letter or a knock on the door – is a scammer and to provide no information or cooperation until you’re 100% satisfied that they are not. A legitimate caller will be understanding if you want to ask questions and will be understanding if you want to take some time to check them out. And, unless you’ve asked a company for technical support, nobody ever – EVER! – needs access to your PC.
Leo, enjoy listening to your video’s. As a novice much of it goes over my head. As I watched the video’s a pop up kept coming up that id I subscribe to your newsletter I could get a book on why the computer is slow. Since Ialready subscribe, any way I can get this booklet?
Sure – just reply to an emailed newsletter asking for a copy and we’ll get you one.