10 quick fixes for the worst security nightmares
For everyone else, we suggest a good, free service from Spamgourmet.com that's quick and easy to set up and use; it allows you to create disposable addresses on-the-fly that will forward e-mail messages to your regular address.
Fix 7: Develop an antiphishing habit
The dastardly practice of phishing for personal information is still alive and well, and many fake sites can be hard to distinguish from the real ones. But a few simple practices can ensure you'll never be snagged by a phishing hook.
The best approach, and the most straightforward, is never to click a link in any e-mail message to access your financial accounts. Instead, always type the URL or use a bookmark. That one habit will protect you from almost every phishing attack.
If you can't make that change, then at least use the latest version of Internet Explorer, Firefox or Opera to browse the Web. All have built-in features to block known phishing sites (and, as described in Fix 3, Opera and Firefox now also block known malware sites). Avoid Safari, which lacks any built-in antiphishing protection.
Finally, keep an eye out for the common phishing tactic of using URLs like http://adwords.google.com.d0l9i.cn/select/Login. If you glance at the URL (an actual recent example listed by Phishtank.com), you might think the site's domain was google.com. In fact, it's heading to d0l9i.cn, a site in China where operators are standing by to swipe your personal details.
Internet Explorer 8 will use an innovative feature called Domain Highlighting that will make spotting such trickery easy. But until it becomes available, watch URLs carefully.
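To make the check in Fix 7 concrete, here is an added example (not part of the original article) that works out which domain a URL really belongs to and marks it, the idea behind domain highlighting. The function names and the short suffix list are assumptions made for illustration; a real tool would use the full Public Suffix List.

```javascript
// Constructed, deliberately tiny suffix list (assumption for this example).
// Real code should load the full Public Suffix List from publicsuffix.org.
const SUFFIXES = new Set(["com", "org", "net", "cn", "com.cn", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch (err) {
    return null; // not a parseable absolute URL
  }
  const labels = host.split(".");
  // i = 1 tests the longest candidate suffix first, then shorter ones.
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // IP address, single label, or suffix missing from the sample list
}

// Compare where a link really goes with the site the reader expects (hypothetical helper).
function checkLink(rawUrl, expectedDomain) {
  const expected = expectedDomain.toLowerCase();
  const actual = registrableDomain(rawUrl);
  const matches = actual === expected;
  let display = null;
  let lookalike = false;
  if (actual !== null) {
    const host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
    // Bracket the real domain, much as a browser would emphasize it.
    display = host.slice(0, host.length - actual.length) + "[" + actual + "]";
    // The expected name shows up as leading labels but is not the real domain.
    lookalike = !matches && ("." + host + ".").includes("." + expected + ".");
  }
  return { actual, matches, lookalike, display };
}

// URL quoted in the article; it is only parsed as a string, never fetched.
const sample = "http://adwords.google.com.d0l9i.cn/select/Login";
console.log(checkLink(sample, "google.com"));
```

For the article's URL the result shows d0l9i.cn as the real domain, with google.com appearing only as decoration in front of it.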
Fix 8: Keep your own site safe
It's not a good time to run a Web site. The Web may look like a digital wonderland, but behind the scenes it's a war zone. And the guns are trained on your site.
Crooks use automated tools to search sites for the most common vulnerabilities. If they find one, they blow the hole wide open to plant harmful code that will attack your loyal visitors.
To help keep your site safe, start with some quick, free scans that ferret out the most obvious problems. First, fill out a form at Qualys.com to request a free scan of one IP address.
Next, download the also-free Scrawlr tool from Hewlett-Packard. After a quick install, use Scrawlr to scan your site for SQL injection vulnerabilities (a type of hole targeted in a recent Sony site hack).
A clean bill of health from both scans won't guarantee that your site is safe. For instance, neither will find problems in custom JavaScript code, another common avenue of attack. And while requesting or running either scan is easy, fixing a reported hole might involve a fair bit of work. But that job will still take far less work than repairing your site and your reputation after your site has been hijacked.
Reprinted with permission from
Story copyright 2009 PC World Communications. All rights reserved.
