Skip the navigation

Security secrets the bad guys don't want you to know

Thwart some of today's most common attacks with these tips

By Robert McMillan
July 19, 2010 12:47 PM ET

IDG News Service - You already know the basics of internet security, right?

You know to keep your antivirus program and patches up to date, to be careful where you go on the Internet, and to exercise online street-smarts to resist being tricked into visiting a phishing site or downloading a Trojan horse.

But when you've got the basics covered, but you still don't feel secure, what can you do? Here are a few advanced security tips to help you thwart some of today's most common attacks.

Remember, however, that security is all about tradeoffs. With most of these tips, what you gain in security, you lose in convenience. But hey, it's your computer. Be as paranoid as you want to be.

Avoid scripting

This may be the one piece of advice that will do most to keep you the safe on the Web: Steer clear of JavaScript, especially on sites you don't trust.

JavaScript is very popular, and for good reason. It works in almost all browsers, and it makes the Web a lot more dynamic. But it also enables bad guys to trick your browser more easily into doing something that it shouldn't. The deception could be something as simple as telling the browser to load an element from another Web page. Or it could involve something more complicated, like a cross-site scripting attack, which gives the attacker a way to impersonate the victim on a legitimate Web page.

JavaScript attacks are everywhere. If you use Facebook, you may have seen one of the latest. Lately, scammers have set up illegitimate Facebook pages offering things like a free $500 gift card if you cut and paste some code into your browser's address bar.

That code is JavaScript--and you should never add it to your browser. "Scammers use this technique to open up unwanted surveys, fill your social networking profiles with spam or even to send you to phishing pages," says Chris Boyd, a security researcher with Sunbelt Software.

But miscreants can add JavaScript to hacked or malicious Web pages, too. To avoid attacks there, you can use a free Firefox plugin called NoScript that lets you control which Websites can and cannot run JavaScript in the browser. NoScript goes a long way toward preventing rogue antivirus programs or online attacks from popping up when you visit a new Website.

By blocking scripting everywhere and then using NoScript to build a whitelist of trusted sites, you can derail most of the so-called Web drive-by attacks that currently plague the Internet.

NoScript also comes with a cross-site scripting blocker. Cross-site scripting has been around for a while, but these days bad guys are using it more frequently than ever to seize control of online accounts on sites such as Facebook and YouTube.

Originally published on www.pcworld.com. Click here to read the original story.
Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies