
Tip #4: Stay Safe!


29 comments on “Tip #4: Stay Safe!”

  1. The one aspect which seems to be paramount is: KEEP ALL OF YOUR SOFTWARE UP TO DATE.
    Don’t use Flash or Java; turn them off in the browser options. Also (in the browser), use only
    session cookies, and do NOT allow 3rd party cookies.
    Where possible, only use 2 Factor Authentication, especially for banking; maybe look to use Yubikey?
    If you really feel confident, consider (full disk) encryption.
    But consider THIS: you ARE a commodity, so therefore your details WILL continually prove to be of
    interest. If that were not so, Google, Facebook, M$, etc. would allow (encourage) end-to-end encryption.

    • Keeping only session cookies is feasible, but not practical. That way, no multilingual site can ever remember that you prefer this or that language: that Japanese site will keep being displayed in Japanese until you switch to English, every time you go there.
      No site can remember your preferences from visit to visit.

      Not allowing third party cookies is often not a viable solution: many sites that require you to log in use an intermediate login and validation site, and that site needs to use cookies to pass back your logged-in status. Those cookies are effectively third party cookies.

      Two-factor authentication often demands that you have a smartphone. NOT EVERYBODY has one! If they use a text message and your plan doesn’t include text messages, you also just can’t use two-factor.

      • Yeah, I don’t worry about cookies at all. The inconveniences and disadvantages associated with blocking them far outweigh the advantages, in my opinion.

      • A mobile phone is not a prerequisite for 2 factor authentication; you can use alternative methods
        such as the Yubikey. 2FA was around before the mass adoption of the mobile phone.

        • I’ve seen some websites offer to make a voice call, which would work with a landline for 2FA; others, from banks, use a list of one-time challenge-response passwords; others use one-time challenge-response password calculators. From what I’ve seen, many websites offer more than one method of 2FA.

      • W.r.t. cookies, it was my belief that IF there were specific requirements, then you could whitelist those particular sites.
        I run as I have outlined above, and do not experience any problems; in fact, I do not even allow automatic redirects.
        Staying safe is really about becoming enlightened and taking responsibility.
        The article was about Staying Safe, NOT Let’s-risk-it.

        • Sure, proof-of-concept cookie tossing or cookie injection attacks have been demonstrated, but they’re not something that’s happening in the wild and, for a number of reasons, nor are they likely to. The fact is that, from a pure security standpoint, people really don’t need to worry about cookies.

    • That’s good advice and theoretically true, but in practice most terms and conditions are so long and convoluted as to be virtually indecipherable. I’ve almost given up trying. But when I see one like that, it raises my skepticism level a few points, so I still consider it useful information.

      • Totally agree. Additionally, in the case of really unscrupulous developers, there’s no guarantee that the EULA will even be accurate. By far the best advice is to only install apps from well-known, well-established developers that have been downloaded from a trusted source – preferably, the developer’s website.

  2. “How do you stay safe?” – I never complete a financial transaction on a website I’ve opened via an emailed link.

    I always thought I was smart enough to be able to spot a scam from a mile away, but a couple of years ago I received an email that made me realize that maybe I wasn’t. The email in question was from Costco (supposedly). There was nothing unusual about that: I’m a Costco member and it looked exactly the same as the other emails I receive from them. Even the “From” field was the same as usual. The email linked to a page of special offers that looked exactly like a Costco page. Even the links on the special offers page worked properly, redirecting you to other genuine Costco pages – click the Costco logo and you’d be taken to the genuine Costco homepage, for example. But that special offers page was not genuine: it had a (or something similar) URL rather than

    It was by far the most convincing scam email I’d seen and, while I spotted the fake URL, I’m sure many other people didn’t. It certainly made me realize that I probably wasn’t as immune from scams as I’d thought.

  3. For one reason or another I know that my computer has malware, in spite of the AV company’s attempts to reduce it, most likely due to the kind of actions Leo has been talking about in this vlog. I know because when I bought the computer last year I could surf and stream without the streaming being interrupted by loading adverts on web pages. These days, the stream is always breaking up. I have a lappy with an Intel Pentium 2.40 GHz processor and the full capacity of 8GB RAM, it really shouldn’t be doing that, I’ve been told. Have used Malwarebytes in the past but never really felt it was doing enough, so I didn’t load it on this PC and like I say, the AV company claim of addressing malware has left me relying on it somewhat. I would love some advice on how to remove malware myself, if you have the inclination, Leo :-)

    • I can’t help you remove your malware, but I can tell you that relying on your antivirus program to keep you safe is risky. By various reports, AV programs catch between 25% and 50% of malware, and what one catches, another might miss. And don’t be too quick to dismiss Malwarebytes – it’s well tested and trusted, and provides a level of protection that AV programs don’t.

        • Mark — Where does your 90% figure come from? Mine were averages from tests of a variety of providers, and I’m curious who comes in at 90%.

          • It really depends on what numbers you choose to believe. These days, the bad guys use something called crypting services. These services take malicious code and use encryption to obfuscate the code in such a way that it will not be detected by antivirus programs. Additionally, the effectiveness of the obfuscation of the code is checked by running it against pretty much every antivirus engine on the market. And all of this can be totally automated. What this means is that, if you’re unlucky enough to be hit by newly obfuscated malware, the chances of your antivirus program detecting it may be quite slim.

            This isn’t to say that antivirus programs are useless. They’re pretty good at detecting old stuff and heuristics may even detect newly obfuscated stuff. But don’t count on it. And don’t rely on your antivirus software to mitigate risky behaviours.

  4. Very good advice. Most old PC users have learned this the hard way. But your article and articles like it are great. They help initiate the novice. Without nurturing novices to make them “pros”, the PC’s days are numbered.

  5. In addition to the recommendations of 2FA, not clicking links and running a firewall (I use AVG) and not accepting the defaults when installing, I also use a virtual machine for the stuff that I still don’t really trust but still like to explore.
    Works for me, when something nasty happens it is in my virtual machine and I just delete the machine and get another one.

  6. You’ve basically said it all, Leo, in your video. Sometimes it takes people getting burned first in order to understand the importance of being “skeptical” while online. It had happened to me in the past, long ago, and I can tell you that I have learned my lessons. Another important fact is that some people lack the basic knowledge of how to configure their web browsers, or, even worse, they just cannot resist, for whatever reason, the urge to click on a link for a website even when WOT or VirusTotal or Malwarebytes Anti-Malware tag the link or the site as suspicious.

    I just hope they will learn inchmeal after such bad experiences.

    Keep up the good work Leo!

  7. Since there are ads now that actually give you malware, I always use ad-blockers. On sites I trust, like askleo, I white list and get the ads. I also use Privacy Badger, but it only blocks tracking cookies and even then allows you to allow them if you want to, for example Amazon tracking cookies that keep up with your shopping cart, YouTube cookies that put the “watched” on the sub page, etc. I block all third party cookies and allow the rest … provided they pass Privacy Badger. As for phishing, I never click the link; I go to the site the same way I always do and check there to see if there is a problem. Result: so far, so good.

    • “On sites I trust, like askleo, I white list and get the ads.” – Whether or not you trust a particular website is actually irrelevant. Pretty much every website that displays ads uses an ad network like Google’s DoubleClick or Zedo. And when malicious ads are pushed out using these networks, there’s not much the site owners can do about it. The websites of the New York Times, the London Stock Exchange and the Huffington Post have all been used to distribute malware, as have many other extremely well-known websites.

      It’s worth noting, however, that this type of malware usually infects machines by exploiting vulnerabilities in old, unpatched versions of apps such as Flash. In other words, if your apps are up to date and you’re running an AV, the risk of your computer being infected in such a manner is quite small.

  8. The point about the mental software is the best. I was convinced to hand over control of my computer to a supposed Microsoft technician and only because I was able to disconnect the internet once I realized I was bamboozled. I still had to revert to a previous restore point, and lost a ton of data, but still…very embarrassing!

    • Sorry to read that, Lew. The best advice is to assume that anybody who makes unsolicited contact – whether by email, telephone, letter or a knock on the door – is a scammer and to provide no information or cooperation until you’re 100% satisfied that they are not. A legitimate caller will be understanding if you want to ask questions and will be understanding if you want to take some time to check them out. And, unless you’ve asked a company for technical support, nobody ever – EVER! – needs access to your PC.

  9. Leo, enjoy listening to your videos. As a novice, much of it goes over my head. As I watched the videos, a pop-up kept coming up saying that if I subscribe to your newsletter I could get a book on why the computer is slow. Since I already subscribe, any way I can get this booklet?

