With the wide use of "drive-by" hacks, where a web page need only be visited for the system to be infected with malware, it is vital that you keep your browser up to date and that you run up-to-date anti-virus software.
Internet Explorer is widely targeted by malware as it is the default Windows browser. You can reduce the risk of infection by using an alternative browser; however, none of them are immune from security issues.
Some alternatives are:
Most browsers have a feature to check for updates automatically, which you should enable. You are advised to apply updates as they become available.
Whatever browser you choose to use, it is essential that your system and Microsoft components are patched regularly, which for Microsoft means the second Tuesday of every month.
There are many add-ons available for browsers. Depending on the browser, they may be known as add-ons, widgets, plug-ins or ActiveX controls. Some better-known examples are the Google toolbar and Flash player.
While these add-ons can provide useful additional functionality, they are also a means by which malware can be applied to a system, and therefore they may need to be updated for security reasons. When you install an add-on you may be asked if you want it to check for updates automatically; you should do so. You should also limit the number of add-ons and extensions you have, as they can have a detrimental impact on your browser's and your computer's performance.
You should always take care when prompted to install what seems to be a genuine, well-known web browser application or add-in such as Flash Player. For example, a website telling you to update to the latest version of Flash player to view their content might well be telling the truth, or it could be trying to trick you into installing some malware. Check the URL before you click. Add-ins should always be obtained from the companies which produce them.
Downloads for common products such as Flash are listed below:
- QuickTime which can be downloaded from Apple's main QuickTime site.
- Flash which can be downloaded from Adobe's FlashPlayer site.
- Silverlight which can be downloaded from the main Microsoft Silverlight site.
Always run active up-to-date anti-virus software on your computer.
McAfee VirusScan Enterprise is available free for use for all members of the University.
Many websites run hidden scripts which can invisibly infect your system if you visit them. These infections are difficult to protect against, but there are some steps you can take to protect yourself, the first being to keep your browser and system patched and up to date.
Beware of sites which tell you to install additional unknown software so you can fully experience their webpages; they will just install malware onto your system.
Be cautious in places like Internet cafes, as you can have no confidence in how secure or well maintained these machines are. There is a good chance they could have malware such as keystroke loggers installed. Therefore, if possible, avoid logging onto sensitive online accounts (e.g. your bank account) when surfing in these venues.
Do not download well-known software or other files from sites other than the vendor's own. Be aware that many sites hosting software to download are targets for hackers, and may have software with a virus embedded into the product or hidden in the installer package. P2P sites offering "free" pirated software, movies, music and games are also frequently infected.
If VirusScan identifies a virus on your machine which includes PWS (for example PWS-LDPinch) then you should change your passwords for any sites or services you have accessed on that machine, as well as your login(s) to that machine. PWS is an abbreviation for Password Stealer.
If you are using Internet Explorer you should check that Protected Mode is on.
If you use Firefox to browse the web you can download and install the plugin called NoScript. NoScript will alert you when a website tries to run a script: you can choose to allow the script to run (if you trust the site) or block it.
You should not click on links or URLs sent in emails or Instant Messaging applications from unknown or untrusted sources.
If you must click on a link, check that it is not going to re-direct you. Often emails sent in HTML disguise the URL by displaying text which is different from the destination URL. There are a number of re-direct services such as www.speedyurl.com and http://tinyurl.com/ which allow long URLs to be shortened. This can be a useful service but could also be used for malicious purposes.
Banks will never ask you to confirm your details, especially passwords, on-line via email. Ignore any such "phishing" mails. See http://en.wikipedia.org/wiki/Phishing for information on phishing.
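An added example, not part of the original page: a short Python check that reads the HTML body of an email and reports links whose displayed text names a different site from the one the link really opens, as well as links that go through the re-direct services mentioned above. The function names, the sample message and its placeholder hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Redirect services named on this page; extend the set as needed.
REDIRECT_HOSTS = {"speedyurl.com", "tinyurl.com"}

def host_of(text):
    """Return the host (minus 'www.') if text looks like a URL, else None."""
    text = text.strip()
    if "://" not in text:
        if not text.lower().startswith("www."):
            return None              # ordinary words such as "click here"
        text = "http://" + text      # bare "www.site/..." link text
    try:
        host = (urlsplit(text).hostname or "").lower()
    except ValueError:               # malformed URL
        return None
    return (host[4:] if host.startswith("www.") else host) or None

class LinkAuditor(HTMLParser):  # records (reason, displayed text, real href)
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, target = "".join(self.text).strip(), host_of(self.href)
        if target in REDIRECT_HOSTS:       # true destination is hidden
            self.findings.append(("redirect-service", shown, self.href))
        elif target and host_of(shown) not in (None, target):
            self.findings.append(("text-href-mismatch", shown, self.href))
        self.href = None

def audit_links(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE_EMAIL = (  # constructed sample; hosts and addresses are placeholders
    '<a href="http://203.0.113.7/login">http://www.mybank.example/login</a>'
    '<a href="http://tinyurl.com/placeholder">click here</a>'
    '<a href="http://www.example.org/help">www.example.org/help</a>')
```

Calling `audit_links(SAMPLE_EMAIL)` reports the first two links and passes the third, whose displayed text and destination name the same site.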
The Computing Service will never send you an email asking for your password. Any emails from "webmail support" or similar are phishing attempts to gain access to accounts for spamming purposes.
Patches From Third Party Vendors
It has been known for some third parties (i.e. not Microsoft) to release a temporary patch or fix for vulnerabilities in IE. We do not suggest you use these, because when an official patch is released you will have to remove the third party patch first. This process can be quite tricky and can cause problems.