Understanding Email and Web Security
Tuesday, August 16th
11:00-12:00pm PDT
Richard Hammer
Los Alamos National Laboratories
The presenter(s) will not be making the same presentation as at the IT Summit, but instead will present a brief overview and then engage with the participants. The abstract below is provided to give you a sense of their interest:
This presentation will discuss how e-mail and web browsing work, the associated threats, and how to reduce your risk when computing. A basic description of the e-mail and WWW protocols (SMTP, HTTP, HTML, etc.) will be provided, along with how encryption can alleviate most of the problems associated with clear text e-mail. SSL/TLS, Entrust, and PGP will be discussed along with how and when they are protecting your information.
Training will be provided on how to read a URL and how to recognize phishing/spoofing attacks and URL redirection. Why web servers use cookies and session tracking to keep track of state will also be discussed. Specific configuration examples will be included in the presentation that any person using a computer can learn to protect their work and home systems. This presentation can also be used by computer security professionals for security awareness training for end users.
-
Lianne (Moderator) posted an update in the session
Understanding Email and Web Security: 9 months ago
Things you can do to reduce the risk of being a victim of phishing:
- Compute as a User Only account. The single biggest thing that you can do is not computing as either Admin, Root, or a Privileged user. You get zero mistakes if you click on a link and you’re running as Administrator. You should not be computing as admin when you’re browsing the internet. It’s too easy to infect your machine.
- Don’t rely on virus protection. Virus protection is important, but it’s not a silver bullet.
- Keep your system and your programs updated and patched. Attackers are going after programs other than those from your OS. Keep your downloaded programs updated. If you don’t use a program, delete it. It’s an unnecessary security risk and it makes you a target. Especially if it has a hardware driver (like Roxio), it can be a threat.
- Secure your program settings. Hundreds of people have been infected because Outlook opened and executed a program that you didn’t approve. If you see pictures on your Outlook, you are automatically downloading and executing computer code. Set your Outlook not to auto-anything without permission.
- Don’t open attachments unless you know where they’re coming from and you expect them. Don’t open anything without confirming the source first.
- Verify the domain before clicking on an embedded link.
- Turning off your computer makes it secure. Shut it down and power it up so that it can clean up the memory. It improves security and makes the performance better. You might just remove an exploit waiting for an opportunity.
- Use No Script as an add-on for Firefox and Chrome to prevent drive-by scripting on your browser. http://noscript.net/ It will stop scripts that you didn’t even know were executing in your machine. It’s not the end-all, it’s a little bit of a hassle because it will stop scripts that you want to run, but it can make you safer.
- When purchasing, be sure to clear your privacy settings. If you use tab browsing, each tab has access to the information stored in your browser. If you’re purchasing on one tab and have FB and Twitter in other tabs, the other scripts can gain access to your banking information in the other tab.
- If it’s too good to be true, it is. Don’t fall for scams. You won’t lose weight by eating chocolate in a bathtub, Microsoft won’t give you money, and you can’t grow hair by clicking on this link.
- Back up your data. If your system is compromised, is your data safe? Backup storage is safe and cheap. If you’re visiting shady sites, there are more exploits waiting than with more reputable sites.
-
Audrey (Moderator) posted an update in the session
Understanding Email and Web Security: 9 months ago
No Script – As referenced by Richard: http://noscript.net/
-
Lianne (Moderator) posted an update in the session
Understanding Email and Web Security: 9 months ago
Richard’s question:
Do you believe that email is a completely unreliable protocol? Why or why not?
-
Lianne (Moderator) posted an update in the session
Understanding Email and Web Security: 9 months ago
Can you read a URL to find the top domain? Can you distinguish if it’s wrong?
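The tip above to verify the domain before clicking an embedded link, and the question of reading a URL to find its domain, can be checked mechanically. The following is an added example, not part of the session posts or the presenter's material; the function names, the list of redirect parameter names and the sample links (reserved example/test domains) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter names often used to carry a redirect target (assumed list).
REDIRECT_PARAMS = {"url", "next", "redirect", "redirect_uri", "return", "goto", "dest"}


def real_host(url):
    """Return the host the browser will actually contact, lower-cased."""
    host = urlsplit(url).hostname  # drops scheme, user:pass@, port and path
    return (host or "").lower().rstrip(".")


def belongs_to(host, expected_domain):
    """True only if host is expected_domain itself or a subdomain of it."""
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain):
    """Return a list of findings for one embedded link; empty means no flags."""
    findings = []
    parts = urlsplit(url)
    host = real_host(url)
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        findings.append("text before '@' is a user name, not the site")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode label (possible look-alike characters)")
    if not belongs_to(host, expected_domain):
        findings.append(f"host {host} is not under {expected_domain}")
    for name, value in parse_qsl(parts.query):
        target = real_host(value)
        if name.lower() in REDIRECT_PARAMS and target and not belongs_to(target, expected_domain):
            findings.append(f"redirects onward to {target}")
    return findings


# Constructed sample links using reserved example/test domains.
SAMPLES = [
    "https://www.example.com/account",
    "http://example.com.login.test/account",
    "https://example.com@phish.test/account",
    "https://www.example.com/out?url=https://phish.test/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link, "example.com") or "ok")
```

The host is read from the right: the expected domain must be the end of the host name, so `example.com.login.test` and `example.com@phish.test` both fail even though they begin with the familiar name.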
-
Lianne (Moderator) posted an update in the session
Understanding Email and Web Security: 9 months ago
@DanWoodard, Richard’s response to your question: The reason they give that 90 day password change date is that if they get hold of your password hash, they can crack it in 90 days with reasonable computer technology. It is my opinion (not NASA’s, not reflected by the government), from a pure security standpoint and taking it as a home user, it is far more important to have different passwords for every account. It takes 90 days to crack a reasonable password; if they can avoid that and just use your password hash to break into your account, they will. If they crack your Facebook account and find your username, and your password is the same for all accounts, they will just use that representation to attack the other accounts. Especially for banking, especially for important information that is being stored, I believe that it is more important to have different passwords so those hashes are different.
-
Lianne (Moderator) posted an update in the session
Understanding Email and Web Security: 9 months ago
Richard’s question for the group:
1. You can stop phishing immediately by not clicking on embedded links. The institution could stop you from being a phishing victim by requiring a text based client. As a user, would you be willing to accept a text based client if you knew it would make your information more secure?
