Repost from my dead blog, 2006-02-27
We have three rules for using the internet at home. There are other things I do to try to help us remain secure, but nothing we can do is more important than these three things. In future posts, you’ll see me reference my “three rules” over and over and over again. When I talk to friends about security, they ask me what firewall, antivirus, anti-popup, anti-spam, anti-phishing, anti-malware, anti-spyware software I use. My response to all of them is typically “none”. Again, there are exceptions, which I’ll discuss after the three rules.
The three rules:
1) Never (well, as little as humanly possible) use Internet Exploder. The number of sites that work only with IE is on the decline, but the number of vulnerabilities in IE (and the HactiveX junk it allows to be loaded) is always increasing. That doesn’t mean Firefox doesn’t have vulnerabilities, but IE still holds enough of the user base by sheer default that people end up using it without meaning to, so it’s simply going to be the target of attacks for a while. Firefox has vulnerabilities too, but they are far less often exploited because it simply doesn’t have the penetration that Exploder does.
2) Never click a link in an email. Friends, read that carefully. If you send me a link that says “click here”, I won’t click it. If my bank sends me an email with a link, I won’t click it (I can type pretty well). If Imelda Marcos sends me an email asking me to help her transfer some money if I just click a link, I won’t click it. I sent an email with a couple of URLs in it (I send in plaintext, so at least I didn’t send them as hyperlinks - the email client may present them as such) to some friends, and at the end mentioned “never click a link in an email”. When a friend asked why, I sent back a response with three different ways of fooling the user into clicking the link: 1) a link where the visible text was a URL, but the URL in the href was entirely different, 2) an image where the text in the image was the victim site, but the href again pointed to the attacker site, and 3) an example of using a reflected cross-site scripting (XSS) vulnerability in the victim site to render the attacker’s page. Phishing is 100% dependent on one thing - dumb users clicking links in emails. If you don’t ever click a link, you will never ever fall for a phishing scam. Never. (Convenient as it is, I’m considering blacklisting tinyurl.com, too.) And if you follow this advice, you can probably ignore my post on deleting your root certs (although it’s still good reading).
3) Never visit p0rn or war3z sites. Those are the sites that install malicious stuff on your machine. You want to see how quickly your machine can get pwned? Install a fresh OS, type in some bad words or “free software” or “install keys” or “free war3z” into google and visit those sites with Exploder. Let me know if you’re able to get back operational with no bots without having to format and re-seed.
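The three link tricks from rule 2 can be checked mechanically before anyone is tempted to click. The following is an added example (my own code, not part of the original post or the email the author sent): it parses the HTML body of an email with the standard library, then flags anchors whose visible text is a URL pointing at a different host than the href, anchors that consist only of an image, and hrefs whose decoded query carries something that looks like a reflected-XSS payload. The sample email, the hostnames (examplebank.test, phish.example) and the IP 203.0.113.9 are all constructed for the example.

```python
"""Flag deceptive links in an HTML e-mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlparse

# Visible text that is itself a URL (trick 1).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Markup or handlers that have no business inside a link to a bank (trick 3).
XSS_RE = re.compile(
    r"<\s*(script|img|svg|iframe)\b|javascript:|\bon(error|load|click|mouseover)\s*=",
    re.I,
)


def host_of(url):
    """Lower-cased hostname with a leading 'www.' dropped, or '' if unparsable."""
    try:
        host = (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect every <a> with its href, visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def check_links(html):
    """Return (reason, href, visible_text) for every suspicious anchor in html."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        href = link["href"].strip()
        text = link["text"].strip()
        # Trick 1: the text says one site, the href goes to another.
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            findings.append(("text/href mismatch", href, text))
        # Trick 2: an image-only link; the picture can say anything it likes.
        if link["has_img"] and not text:
            findings.append(("image link", href, "(image)"))
        # Trick 3: the href targets the real site but smuggles script in the URL.
        if XSS_RE.search(unquote_plus(href)):
            findings.append(("xss payload in url", href, text))
    return findings


# Constructed sample: one of each trick, plus one honest link.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please verify your account:</p>
<a href="http://203.0.113.9/login">https://www.examplebank.test/login</a>
<p>Or use our secure image link:</p>
<a href="http://phish.example/go"><img src="logo.png"></a>
<p>Help is here:</p>
<a href="https://www.examplebank.test/help">https://www.examplebank.test/help</a>
<p>Search our site:</p>
<a href="https://www.examplebank.test/search?q=%3Cscript%20src%3D%22http%3A%2F%2Fphish.example%2Fx.js%22%3E%3C%2Fscript%3E">https://www.examplebank.test/search</a>
</body></html>"""

if __name__ == "__main__":
    for reason, href, text in check_links(SAMPLE_EMAIL):
        print(f"{reason:22} {href}  (shown as: {text})")
```

The third check is the interesting one: the href really does point at the victim’s own hostname, so a host comparison alone passes it, and only decoding the query and looking for markup catches it. That is exactly why the rule is “never click”, not “check the domain first”.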
Now, my family doesn’t have to concern themselves with it, but I do use a NAT in front of the PC. And I do keep all my machines patched. And I do limit the amount of stuff with open ports. And I do on occasion install M$ Anti-spyware (hey - they were the first to step up and disable the Sony rootkit) just to make sure. But if you follow those three rules, none of the nasty stuff on the internet should really be an issue.
I guess there is a fourth rule, but it’s hard to make a hard and fast rule about it - don’t install software you don’t absolutely trust. We can be pretty sure if Firefox included a bot or rootkit or something, we’d know about it. But other stuff, who really knows?