Digital Security Primer Part II: Resist Malware

Malware is THE single biggest digital threat we face today.

Part I | Part II | Part III | Part IV.1

Malware

Not to insult anyone’s intelligence, but “malware” is short for “malicious software,” software that takes some action that is not in our best interest. When we go on the internet, regardless of what sites we go to we are essentially walking around in the sketchy part of town, headphones in, eyes down…and unarmed. The problem is there’s no graffiti, it’s well-lit, everyone looks friendly, and all the stores are upscale.

We’re in the bad part of town and we don’t even know it. That’s the problem with the internet; even “good” or “safe” or “reputable” sites serve malware sometimes. Maybe they sold ad space and didn’t vet the code that went into it, or maybe their site got hacked. The old adage to use “good browsing hygiene” is impossible because it’s not possible for us to assess whether a site is “good” or “bad”.

Malware is the mugger we’ll never see coming, and we’ll probably never realize our wallet is missing. That’s the insidious thing about malware; its main goal is to remain undetected after it has “mugged” you. Getting malware on a modern machine can be difficult. The attacker who uses it has spent either a massive amount of time or money, or both developing the exploit through which it installs. He wants to get a foothold on your machine and keep it. If you discover it (because it slows your machine down, or it makes a million porn pop-ups appear), you’ll fix it, so it does its best to fly under the radar.

Once installed, malware might do any number of things. It may use your machine to mine cryptocurrency, process stolen credit cards, or turn it into a CAPTCHA-solving zombie. It might record your keystrokes and what happens on your screen and for blackmail use. It might encrypt all your stuff and extort you for a couple of thousand bucks to get the decryption key. Your computer might be used in distributed denial of service attacks, to send email spam, or maybe just to hack your email/bank/social media accounts. It might even turn your machine into a child pornography server.

Someone reading this – maybe even me – is impacted by malware right now. Securing the system against malware is the critical first step to becoming secure. Fortunately, the techniques for doing this are pretty easy.

Step 1: Get Off Your Administrator Account

When you purchased your laptop (phones/tablets are a little different, we’ll talk about those later) it came with a single account – the administrator. Your computer must have an admin account. The admin account allows the system administrator to make global changes to the computer – things like installing or removing software, making changes to the registry, etc.

Unfortunately, most of us log in to this account and begin using it as our personal account. When we use this account all the time, we’re operating in a state (this state is technically called “escalated privilege”) where changes like this are possible to anyone who wants to make them. Windows or Mac assumes, “hey, the admin is logged in, so these changes must be legit…so let’s let them happen.”

The administrator account is designed so that a company’s system administrator can create discrete user accounts for the employees of the company so that only he can make global changes. The user accounts can use all the functions of the computer (browsers, word processors, etc.) but they can’t make global changes. For personal use, you should think of yourself as your household/family’s system administrator WHEN NEEDED…but you should think of yourself as a user most of the time.

This means you need to set up a Standard User Account for yourself and work out of it. This should be the very first step when you purchase a new computer. If you already have a computer and you’ve been working out of it for a while you might not want to do this because all your files are where you want them, etc. In that case, you can make a new administrator account and “demote” your current one to a standard user.

Step 2: Update, update, update!!!!

Updates are important. There are more lines of code in Microsoft Word than were used in the entire first mission to the moon. Naturally, in this much code, there are bound to be mistakes that potentially equal vulnerabilities. We want updates the instant they are available, not only because they correct the vulnerability, but also because the existence of an update advertises the problem to malware developers. Though it is slightly inconvenient, GET YOUR UPDATES IMMEDIATELY!!!

1. Update Your Operating System. This one is actually pretty easy. Unless you’ve messed with it, your operating system (Windows or Mac) is set to update itself automatically. Let it happen, and when it tells you it needs to shutdown to apply updates, DO IT. Don’t screw around, forget about it, then spend the next two weeks running out-of-date software.
2. Update your Applications. This one is harder. Unless all your apps come from your OS’s developer’s app store (be it Apple, Google Play, or Windows) you aren’t automatically going to be notified when an update is available. So, there are some sub-steps under this one. These are borrowed (and paraphrased) from Brian Krebs and known as Krebs’ “Three Basic Rules of Internet Safety“.
   1. If you didn’t go looking for it, don’t install it. This one is kind of self-explanatory.
   2. If you installed it, UPDATE IT. Most of us don’t think twice about installing a program on our computer. We should though; we are giving it extraordinary access and placement to our system, and to our personal data. If you install it, you accept responsibility for taking care of it, i.e. managing its permissions and privacy settings, and keeping it updated. The problem with this one is that it’s hard to know when an update is available. At best you’ll be alerted when you open the app that a new version is available. When you see this message, DON’T DELAY – INSTALL THE UPDATE!
   3. If you no longer need it, GET RID OF IT. This is by far the most important one. All those programs and apps you’ve installed that you don’t use are attack surface. They’re out of date. Even if they’re up-to-date, they’re not perfect and have vulnerabilities. Conduct an audit of your applications and get rid of everything you don’t need. If it turns out you needed it, guess what? You can reinstall it. But if you haven’t used it in the last 30 days, there’s a good chance you won’t ever use it again.

Step 3: Antivirus

This is usually what people think of when they think of computer security. For me, this is important but is the last line of defense. My first lines of defense are created by not operating in a state of escalated privilege (an administrator account) and keeping everything updated. I’m already making an attacker make a decision about me, to wit, “do I risk burning this little-known or zero-day exploit on this guy?”

Still, I would recommend having a reputable, high-quality antivirus. It does work. It works through two mechanisms. First, it has a definition file which is essentially a “naughty list” of code that it will not allow executing on your machine. The problem there are exploits that are not currently known and cannot, by definition, be on this list. The fix is to also monitor activity heuristics. If a weird process that is potentially malicious is observed, your antivirus should put a stop to it. Lastly, a lot of antivirus will conduct a recce of your system before attempting to install. If they notice no antivirus, it’s tantamount to a burglar noticing you don’t have an alarm system – you move up his flow chart of possible targets.

None of these techniques are “high speed,” but if everyone did these three things we’d live in a massively safer digital environment. Malware would be way harder to deploy on a broad scale and would be far less lucrative. Start with these three steps. The upcoming book, Digital Self-Defense, will detail these steps and many more in much greater detail. I’ll be back here on the blog later with more.