Black Friday is almost upon us, and the steep hardware discounts mean new computers for many. To help you during these tough economic times, we've refreshed the Download.com Security Starter Kit for 2010. Although nothing can replace common-sense browsing, this collection of freeware security tools will help you protect new machines and old from pernicious threats, large and small. Longtime readers will notice that in addition to changing up our recommended antivirus program, we've fleshed out the Web browsing safety category, and made other changes as well. If you're looking for more than freeware security programs, check out the CNET Download.com Windows Starter Kit for 2010.
In this year's version, you can expect to see Avast chosen ahead of AntiVir as our most favored antivirus app. Despite its odd interface, Avast scored higher than any other freeware antivirus in a third-party test, and it doesn't skimp on protection, either, with e-mail, network, rootkit, and behavioral guards along with its top-rated virus protections.
We're still recommending Malwarebytes Anti-Malware for spyware removal, but we've also added PC Tools' standalone ThreatFire as an excellent way to strengthen behavioral detections and prevent spyware from infecting you in the first place. Recent improvements to the program have made it incredibly light on resources, and in our days of empirical testing we didn't notice it slowing down our computers at all.
New this year is the expanded in-browser security category. We've recommended five browsing tools that are available as add-ons, and we took care to make sure that they applied to as many of the major browsers as possible. However, Firefox's deep add-on toolbox makes it naturally the browser with the most diverse collection of security tools, so expect to see it heavily, although not exclusively, represented.
PC Tools' ThreatFire.
(Credit: Screenshot by Seth Rosenblatt/CNET)Firewalls used to be the forefront of security, but now they're just another tool you should have. Microsoft has made the native Windows 7 firewall impressively useful, but we realize that not everybody has Windows 7, and even those who do might want an alternative. This year, Online Armor joins Comodo on the list.
In Encryption, TrueCrypt remains the gold standard. The Thunderbird extension Enigmail joins it as a must-have tool for keeping your private e-mails as you intended them--away from prying eyes. In Parental Control, we've added OnlineFamily.Norton. It's not strictly desktop based, although to use it you must use its desktop hook, called Norton Safety Minder. Symantec has created what looks to be a unique and free approach that includes an emphasis on parental education and attempts to foster parent-child communication about how to use the Internet safely. We're of the opinion that anything that helps parents realize that browsing the Internet is far more than a TV with options is a good thing.
If you disagree with our security and safety choices for the Security Starter Kit, please let us know in the comments below.
With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.
In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and easier to re-install the operating system.
(Credit: Google)Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.
"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.
Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.
Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.
For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.
Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.
With Chrome, "applications can't just download any binary and run it," Sengupta said.
Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)
"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."
If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.
Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.
All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.
Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.
In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.
Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.
There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.
Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.
Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.
Updated November 24to clarify that Bluetooth is not being considered for authentication.
Amid promises to "reinvent the Web," the browser Opera debuted a new beta feature earlier this year called Unite that has been deemed stable enough to offer to all users. Opera's own hype aside, the Unite service provides people with the capability to serve files, host and stream music, and send messages to each other from inside the browser itself--a feature that is unique among the big five browsers. Opera 10.10 is available for Windows, Mac, and Linux.
Much like Opera's built-in e-mail client, Unite is basically a cloud-based, customizable server that includes multiple services, but its open API allows you to write and share your own services. The initial offering includes the default Unite Home, which is the Opera Unite Web page that is given to each user, a media player for creating your own publicly available music stream, the "fridge" for a Facebook-style message wall, an instant messenger with a public/private toggle, a photo sharing app, and file serving and Web hosting capabilities.
Besides including Unite, Opera 10.10 also includes an array of bug fixes, mostly aimed at smoothing out the Unite experience, tweaking mail, news, and chat features, and fixing three security problems. Two are relatively minor, one concerning an error message leak and the other a buffer overflow. The third error Opera is refusing to disclose at this time, but stated that it was discovered by the Google Security Team's Chris Evans. The full changelog for Opera 10.10 is available.
As I've tested Unite over the past few months, it's generally been a stable experience, with a few hiccups to be expected by the beta. However, it hasn't exactly set the browsing world on fire, either, and its target audience is still hard to define. Do you have an opinion on Unite? Let me know in the comments.
Another iPhone worm has been spotted in the wild.
Unlike the previous exploitation, which merely changed a jailbroken iPhone's wallpaper to a picture of Rick Astley of "Rickrolling" fame, this new threat allows hackers to steal sensitive information.
According to security firm Sophos, which wrote about the exploitation after a Dutch ISP spotted it late last week, the worm attacks jailbroken iPhone and iPod Touch devices only.
The worm "uses command-and-control, like a traditional PC botnet," Sophos wrote in a blog post on Saturday to warn users about the exploit. "It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server to upload stolen data and cede control to the bot master."
Jailbreaking, which has been around for about two years, is a hack that enables iPhone and iPod Touch users to download applications unavailable through Apple's App Store.
Sophos wrote that the worm attacks users on several ISPs, including UPC in the Netherlands, Optus in Australia, and T-Mobile in several countries worldwide. Worse, the worm spreads faster on a Wi-Fi connection than a 3G connection. Users with affected devices might notice extremely short battery life while on Wi-Fi. According to Sophos, that's mainly due to the worm engaging in "so much network activity."
When a device is infected, it's assigned a unique number so that the attackers can easily pinpoint a single device. It also looks for authentication systems that use SMS, better known as mTANs. mTANs are frequently used by banks that send an SMS message with a password to mobile phones, allowing people to log in to their online accounts, Sophos wrote.
In essence, this threat is serious.
Sophos recommends that people with infected iPhones and iPod Touch devices restore them back to Apple's most recent firmware update. For now, there is no other way to fix the problem.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.
To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.
It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year.
In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:
- Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.
- Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.
- Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.
- Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.
- Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money or merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.
- Practice safe holiday shopping. Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an iron clad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https. The "s" stands for "secure."
- Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.
- Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.
- Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.
- Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.
- E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.
- Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.
Listen to Larry's interview with McAfee's David Marcus
Listen now: Download today's podcast
Internet Explorer 8, Firefox 3, Google Chrome 4, Apple's Safari 4, and Opera 10 include features that block sites known to host malware and malicious downloads. All but Opera also let you browse without leaving any tracks. But just as important as these protections is ensuring that whichever browser you use is thoroughly patched.
Filtering out bad sites
Firefox's built-in antiphishing tool claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page. Firefox 3 uses Google's Safe Browsing service to automatically block sites that are known to host malware. The Google Code site describes how Safe Browsing works in Firefox.
To verify that attack-site blocking is enabled in Firefox, click Tools > Options > Security and make sure "Block reported attack sites" is checked.
Firefox will prevent known-bad sites from opening when "Block reported attack sites" is checked.
(Credit: Mozilla Foundation)The same feature is built into Google's own Chrome browser. You can ensure that malware-site filtering is on in Chrome by clicking the wrench icon in the top-right corner, choosing Options, and selecting Under the Hood. "Enable phishing and malware filtering" should be checked. The Google Chrome Help site describes the feature. (Hint: This page looks very similar to the description on the Google Code site.)
Google's Chrome browser blocks known-bad sites when "Enable phishing and malware protection" is checked.
(Credit: Google)The SmartScreen technology in version 8 of Internet Explorer blocks known-malicious downloads as well as bad URLs. Other new security features in IE 8 include automatic blocking of click-jacking and cross-site scripting attacks, automatic crash recovery, and highlighting of the actual domain name in the address bar. The Microsoft Security site describes the SmartScreen Filter and includes links to a SmartScreen FAQ and information for site managers.
Apple's Safari browser added phishing and malware blocking in version 3.2, which was released in late 2008; read about this and other security features in Safari 4 on the Apple Safari site. Likewise, Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version 10. But attack-site blocking is only one of Opera's many security features, which you can read about on the Opera site.
Browsing in private
To activate private browsing in Firefox 3, click Tools > Start Private Browsing, or simply press Ctrl-Shift-P. You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy and check "Automatically start Firefox in a private browsing session." The Mozilla support site provides more information about this feature. Likewise, put IE 8 in private-browsing mode by clicking Safety > InPrivate Browsing, or by pressing Ctrl-Shift-P. You can also open a new tab and click either Browse with InPrivate or Open an InPrivate Window.
IE 8 also lets you control the information about your browsing habits that's shared with Web tracking services. To activate this feature, click Tools > InPrivate Filtering Settings and choose "Let me choose which providers receive my information." This opens the InPrivate Filtering settings dialog, where you can turn filtering off, choose which services to block from tracking you, or automatically block all trackers.
Internet Explorer 8's InPrivate Filtering lets you block some or all Web tracking services.
(Credit: Microsoft)You can open an incognito window in Google Chrome by clicking the wrench icon in the top-right corner and choosing "New incognito window," or simply press Ctrl-Shift-N. The incognito icon (a shadow figure in a fedora and glasses) appears in the top-left corner of the browser window. The Chrome support site offers a more detailed description of this feature.
Opera lacks an equivalent private-browsing capability but does offer private searching and other identity-blocking features, as described on the Opera site. To activate private browsing in Safari, simply click Safari Settings Menu > Private Browsing.
Automatic and not-so-automatic browser updates
Patching is a way of life with nearly all software, but especially with browsers and the media players associated with them: Adobe Reader, the Flash Player, Apple's QuickTime, and Sun's Java, among others. All of a browser's security features can be rendered useless by a piece of malware that takes advantage of an unpatched hole in the program.
Firefox 3 alerts users to the presence of an update and now also notifies you when your Flash Player is out-of-date. Internet Explorer 8 updates via the Windows Update/Microsoft Update services. Google Chrome made a splash by being the first browser to update itself in the background without requiring any prompting from users. Safari updates automatically via Apple's update service, which also serves up patches automatically for QuickTime, iTunes, and other Apple software. Opera also notifies you automatically when a new version is available.
But updating is too important to leave to others. Back in April, I described Secunia's Online Software Inspector and downloadable Personal Software Inspector, which identify out-of-date programs on your PC. The programs mentioned in that post have all been updated since, but Secunia's services should point you to the most recent versions.
(Note that Secunia sometimes reports a program as being out-of-date when in fact you have the latest version. On my PC, it continually reports my up-to-date Flash Player as being in need of an update, for example. But the free service Secunia provides is worth putting up with this and similar minor annoyances.)
Cisco is offering a free iPhone app that will allow people to get customized alerts on new security threats and other information for safe Web browsing.
The app, which will be available on Friday in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular Web sites are compromised, as well as links to podcasts and videos.
The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world. The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.
The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.
"I can make it applicable to my needs and the security needs of my [enterprise] network," he said.
The Cisco SIO To Go iPhone app offers information about the safety of particular Web sites.
(Credit: Cisco)There's no way to reduce to zero your risk of picking up some piece of malware while browsing. You need layers of security to keep viruses, Trojans, and botnets at bay—the more layers, the safer your browsing. (Of course, the more layers, the slower your browsing, too, so don't get carried away.)
Much emphasis has been placed on the enhanced security features of the latest versions of the popular browsers. Whether one is any safer than another is anybody's guess, but no browser gives you more ways to thwart a Web-based attack than Firefox via its wealth of security add-ons.
Link checkers add warnings to search results
Search results are often difficult to trust, even when the URL looks familiar. Phishers are adept at planting dangerous links that look like harmless ones. Link checkers provide you with an indication of the trustworthiness of sites before you click their links. (Note that several of the products are available for Internet Explorer as well.)
Some of the programs, such as McAfee's SiteAdvisor, give the thumbs-up or thumbs-down based on a single company's research. Web of Trust (WOT) bases its recommendations on the collective intelligence of a network of volunteers. LinkExtend is a link-check aggregator that combines the analyses of eight different services.
McAfee SiteAdvisor adds a safety indicator to Web search results.
(Credit: McAfee)While the recommendations of link checkers are helpful in identifying safe sites, you can't take their yeas and nays as gospel. For example, sites that offer downloads of system utilities may be flagged as dangerous because the programs require access to the operating system and thus could do major damage in the wrong hands.
Track the trackers
You know popular Web sites download software that tracks your activities on their sites, but do you know who's doing the tracking? Find out with the Ghostery add-on that pops up the names of the trackers as the page opens. The program puts a small "ghost" icon in the bottom-right corner of the Firefox window that turns orange when trackers are present. Click the link that appears to the right of the icon to find out more about the trackers and block them individually or entirely.
The Ghostery Firefox add-on lets you know who's tracking your activities on the site.
(Credit: Ghostery)
View encryption specs
When you open an encrypted Web page, a lock icon appears in the bottom-right corner of the Firefox window and the URL in the address bar begins with "https." But there's more than one form of encryption, and knowing which type and strength of encryption in use can be handy.
The CipherFox add-on puts in the bottom-right of the Firefox status bar the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cipher and keysize currently in use. Double-clicking the entry opens the CipherFox dialog box, where you can disable RC4 encryption and display partial SSL/TLS. (Note that the developer accepts donations to support the product.)
Take charge of Web password management
Firefox's built-in password manager lets you create a master password and remember passwords for specific sites, but if you want to get serious about managing your passwords, get LastPass, a password manager that provides much more granular control over your sign-ins.
After you download and install the add-on, an icon is placed in the top-right corner of the Firefox window. Click it to open the LastPass menu, which lets you manage your identities, open the LastPass Vault, jump to favorite sites, and generate secure passwords. You can also import or export sign-in IDs, compose and print secure notes, and assign keyboard shortcuts for specific actions.
In addition to Firefox and IE, LastPass is available for Google Chrome and Apple's Safari browsers. LastPass backs up your passwords by storing an encrypted copy on its own servers. And because you can access your passwords via the Internet, you can use LastPass on any Web-connected device, although use of LastPass on an iPhone or other smart phone requires a Premium membership, which costs $1 a month. (You can also put LastPass on a USB thumbdrive for use with Firefox Portable and other portable apps.)
If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.
Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.
And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.
Here is some basic information that can help people avoid being tricked by phishing attacks.
What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.
Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.
Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.
This phishing e-mail looks legitimate and even offers to provide tips on how to avoid fraud and spoof e-mails.
(Credit: Screenshot by Elinor Mills/CNETNews.) What are other recent examples of phishing attacks?
A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"
E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.
E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.
A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.
What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S. so they often have misspellings and grammatical errors. Some have an urgent tone and they seek sensitive information that legitimate companies don't typically ask for via e-mail.
What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S. so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt.
The e-mail address may also be obscured. Hitting "reply all" may reveal the true e-mail address. You can also set your e-mail preferences to show "full header" to see the full e-mail address and other information. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.
Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing emails typically offer generic greetings, like "Dear PayPal customer."
Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, www.BankA.security.com would link to the 'BankA' section of the 'security' Web site. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address on the bottom of most Web browsers.
In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol which is designed to ensure that customers are visiting the real site. That means https:// will be seen in the URL address bar instead of just http:// and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.
If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.
Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.
How can phishing attacks be avoided?
Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.
If an e-mail looks reasonable contact the company directly if you receive an e-mail asking you to verify information. Type the address of the company into the address bar directly rather than click on a link. Or call them, but don't use any phone number provided in the e-mail.
Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.
Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.
Don't open e-mail attachments that you did not expect to receive. Don't open download links in IM. And don't enter personal information in a pop-up window or e-mail.
Make sure you are using a secure Web site when submitting financial and sensitive information.
Change passwords frequently. Don't use the same password on multiple sites.
Regularly log into online accounts to monitor the activity and check statements.
Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.
What can I do if I think I've been victimized by phishing?
The Anti-Phishing Working Group has a comprehensive site explaining exactly what steps people should take based on what type of information they have given out.
Where can I report phishing attempts?
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov. Companies typically have an address to forward phishing examples to, such as "spoof@company.com." Always include the entire phishing e-mail. Complaints can be lodged with the Internet Crime Complaint Center at the FBI.
Here are additional resources.
http://apwg.org/consumer_recs.html
http://www.irs.gov/newsroom/article/0,,id=154848,00.html
http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx
This phishing e-mail includes a sender e-mail address and link that are obviously not associated with Facebook.
(Credit: Screenshot by Elinor Mills/CNETNews.)First introduced in beta in April, Panda Cloud Antivirus graduates to a stable, public release and signifies a major security vendor taking aim at the freeware competition--instead of the other way around. Cloud Antivirus was notable on its beta release for being one of the few security options available to users that contained most of its protections in the cloud. This allowed it to protect users while consuming significantly fewer resources than many competing programs.
Panda Cloud Antivirus 1.0 is notable as a free security solution for two reasons: Panda is a reputable security vendor, and the program achieves its goal of freeing up system resources. In a press release, Panda Security CEO Juan Santana described Cloud Antivirus as a game-changer. It's not clear quite yet that that's the case, but at the very least the program looks to fill a niche created by resource-conscious netbooks.
As light on resources as advertised, Cloud Antivirus offers strong reputation-based protection for those who want their security program out of sight and out of mind. A third-party efficacy evaluation wasn't available at the time of writing, but in empirical testing the program only used 9 MB of RAM while idle, and only 56 MB of RAM when scanning. Many other security programs will run scans at 150 MB of RAM or more.
Despite keeping most of its database in the cloud, Panda Security's Senior Research Advisor, Pedro Bustamante, noted during an interview in October that Cloud Antivirus isn't disabled just because the host computer is disconnected from the Internet. "Panda has an offline mode that uses a small cached copy of Collective Intelligence on your local drive, it's only the most recent threats on a real time wild list." Collective Intelligence is the name that Panda gave its cloud system when it was introduced in 2007.
When you open Cloud Antivirus, the main window lets you know whether you're safe or not with a big red or green icon. Cloud Antivirus works as other antivirus solutions do, offering a Quick Scan and a Custom scan for specific folder, files, and drives, but its ancillary features are exceptionally light. The Quick Scan took 13 minutes on my Windows 7 Lenovo T400 laptop.
Dragging an active Cloud Antivirus window, in Windows 7 at least, will turn it translucent.
(Credit: Screenshot by Seth Rosenblatt/CNET)You can opt out of contributing anonymous data to the cloud, but that also opts you out of automatic threat management. There's a network connection proxy option should you need it, and a reporting feature that will show you what kind of threats have been detected and removed from your computer. You can filter the report by All, Last 24 hours, Last Week, or Last Month, and there's a Recycle Bin pane from which you can recover a false positive, should you need it. Unfortunately, the Recycle Bin is hidden behind an obnoxious "flipping" screen that cheesily rotates when you need to access it.
If you're familiar with the minimalist Microsoft Security Essentials, Cloud Antivirus is even simpler. I did notice some odd interface rendering around the minimize and close buttons in Windows XP, but not in Windows 7. There are other more serious concerns about the program. Most notably, it lacks a scheduler, and it removes user input from update functions. Scans are also limited: you can tell the program what to scan, but not what to look for, so forget about toggling heuristics or rootkits. Then again, the point of this kind of security is that it's all wrapped into one.
Keeping in mind its limited feature set, and that we don't have efficacy numbers at the time of reviewing, Panda Cloud Antivirus makes good security choice for those willing to take the plunge.
