How Do Computers Get Infected with Viruses

Everyone has heard the standard warnings about viruses: don’t open weird emails, update your software. But those are abstract and don’t explain the real dangers to watch out for.

How do infections really happen?

You get tricked

“But I’m too smart to get tricked.” 
– You

Most infections happen because people download and run the malware themselves. I’ve seen very smart, seasoned professionals fall for all kinds of schemes. For example:

  • Email attachments that claim to be invoices, parking tickets, or legal judgements
  • A website says you need to update or install software in order to use it
  • Software bundled inside other programs you download and run from disreputable sites
  • A pop-up tells you that you have an infection and must install something to fix it
  • Trying to use pirated software. This is a huge source of infections because criminals know it is an easy way to get people to run untrustworthy software
  • Some viruses, once they infect a computer, email themselves to everyone in the victim’s address book. You can’t trust even files you get from friends unless you were expecting them and the email makes sense. Feel free to reply and ask

The first rule is that you don’t download or agree to run software that you weren’t specifically looking for.
The software you do get must come from a link on the original company’s website.
When you do install software, read every option it gives you and untick anything you didn’t ask for.

Your antivirus saying something isn’t a virus doesn’t mean it’s safe; it only means the file didn’t match anything the antivirus already knows about.

You get kit’d

There are specially designed web pages that test your browser for outdated software (the browser itself, its plugins, PDF readers and the like) and, if they find some, use known programming errors in those programs to infect your computer, usually in seconds and without you doing anything. These are called exploit kits, and they are big business.

Criminals hack other sites, or buy malicious advertisements, to redirect your browser to them. This happens even on big sites, where it’s called malvertising. You don’t have to go looking; these infections come to you.

They also send these links in emails and in messages on social networking sites.

Usually you are protected if you keep your software up to date, because exploit kits rely on bugs that have already been fixed.

You get 0day’d

Hackers will sometimes discover a programming flaw and, rather than report it to the developer of the program, use it against people before a fix exists. This kind of flaw is called a “zero-day” because users of the affected program had zero days to deploy a fix before it was used against them.

These are rare, but they are one way criminals can get in even on a fully patched machine. This is why you don’t open email attachments or office documents you didn’t specifically ask for.

Configuring a Windows computer from the ground up for security and stability Part 1.

This blog will walk you through configuring a Windows computer from the ground up for security and stability. This configuration will make you far less likely to be infected by anything you don’t actively install yourself, and will help constrain any malicious code that does get on your computer.

Pretty much all of this is free, but any mentions of products in this guide are completely un-compensated.

Section A: The Ground Up

The best thing to do is start from the bare hardware and install Windows 10 from scratch with UEFI, TPM, and Secure Boot turned on. If you don’t want to do that, skip to Section B. Any retail computer sold with Windows 8.1 or later will typically already have these turned on.

1.) Update BIOS

For best compatibility and security you should update your computer’s BIOS. A modern BIOS (really UEFI firmware) is a small operating system in its own right: it runs before Windows, parts of it keep running underneath Windows, and it needs patches too. People who built computers in the early 2000s will tell you BIOS updates are risky, and they were, but not anymore. They deliver fixes, features, and security updates you won’t hear about on the news.

Even new computers and motherboards need updates. If you’re starting from scratch, do the BIOS update after installing Windows 10, since most vendors ship the updater as a Windows program.

You can find the BIOS update tool on your manufacturer’s driver page for your computer model. You will need to reboot for it to take effect. If you have a Surface, firmware updates are delivered through Windows Update.

2.) Prepare Windows Bootable Media

To install 64-bit Windows 10 on the bare hardware, use Microsoft’s Media Creation Tool to create a bootable DVD or USB stick.

Make sure everything is backed up before proceeding. The following changes will wipe your Windows installation.

3.) Configure BIOS

This is important and is something nobody talks about.

When the computer starts, press the setup hotkey (F1, F2, F8, F10, Del, or something else depending on the manufacturer) to enter SETUP.

In the BIOS:

  • Set a setup password. It can be simple; it only needs to prevent casual modification by someone in front of the computer or by a program trying to change firmware settings.
  • Change the boot order to prioritise UEFI. Disable every boot option except UEFI DVD, UEFI HDD, and UEFI USB (if you plan to install from a USB stick). In particular, disable legacy/CSM boot, which bypasses Secure Boot.
  • Enable the TPM (if available) and Secure Boot (if available) options. This is the most important step.
  • Disable 1394 (FireWire) and ExpressCard/PCMCIA (if you’re on a laptop) as a further layer against DMA attacks. This matters less than it used to, but if you don’t use them you might as well turn them off.
  • If you want, and if the computer offers it, you can also set a System and HDD password. We will be using BitLocker to protect the disk, so this is an extra layer rather than a requirement. I don’t.
  • If you don’t use the webcam or microphone, you may be able to turn them off in the BIOS.

Save settings and shut down.

4.) Install Windows 10

Insert your DVD/USB. Boot the computer and use the boot menu hotkey to boot to your UEFI DVD or UEFI USB. The hotkey is often F12.

Follow the prompts and install Windows. When it asks where to install Windows, delete any existing partitions first so that the installer creates a fresh GPT layout instead of reusing an old one.
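Once Windows is installed, the following script checks that the machine actually ended up in the state Section A aims for. It is an added example, not part of the original guide; it uses only built-in Windows 10 cmdlets (Confirm-SecureBootUEFI, Get-Tpm, Get-BitLockerVolume) and must be run from an elevated PowerShell. The one-year firmware age threshold is an arbitrary assumption, not a vendor rule, and the BitLocker check will report Off until the disk has been encrypted.

```powershell
# Added check, not part of the original guide. Run from an elevated PowerShell
# on Windows 10 after completing Section A.
function Test-SecureBaseline {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # 64-bit Windows booted in UEFI mode (Legacy/CSM boot would bypass Secure Boot)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Add-Check 'Windows is 64-bit' ($os.OSArchitecture -like '64*') "$($os.Caption) $($os.Version), $($os.OSArchitecture)"
    Add-Check 'Booted via UEFI' ($env:firmware_type -eq 'UEFI') "firmware_type=$($env:firmware_type)"

    # Secure Boot: the cmdlet throws on legacy-BIOS machines, so an error is a fail
    try {
        $sb = Confirm-SecureBootUEFI
        Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"
    } catch {
        Add-Check 'Secure Boot enabled' $false $_.Exception.Message
    }

    # TPM present and ready (BitLocker will use it to seal the disk key)
    try {
        $tpm = Get-Tpm
        Add-Check 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch {
        Add-Check 'TPM present and ready' $false $_.Exception.Message
    }

    # Firmware version and date, to compare with the vendor's download page.
    # The one-year threshold is an arbitrary assumption, not a vendor rule.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $ageDays = [int]((Get-Date) - $bios.ReleaseDate).TotalDays
    Add-Check 'Firmware less than a year old' ($ageDays -lt 365) "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) released $($bios.ReleaseDate.ToShortDateString()) ($ageDays days ago)"

    # BitLocker on the OS volume; reports Off until the disk has been encrypted
    try {
        $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        Add-Check 'BitLocker protecting OS drive' ($osVol.ProtectionStatus -eq 'On') "VolumeStatus=$($osVol.VolumeStatus) ProtectionStatus=$($osVol.ProtectionStatus)"
    } catch {
        Add-Check 'BitLocker protecting OS drive' $false $_.Exception.Message
    }

    return $results
}

Test-SecureBaseline | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points at the BIOS step that was skipped: a Legacy firmware_type means the installer was booted from the non-UEFI entry, and a TPM that is present but not ready usually still needs to be enabled or cleared in SETUP.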

Keep an eye out for Part 2

For more information on all our services, please visit our website @ http://www.cans.scot

The CANS Guide to Not Getting Hacked

KEEP YOUR APPS UP TO DATE

Probably the most important and basic thing you can do to protect yourself is to use up-to-date software. That means running a supported version of your operating system and updating the apps on top of it. Bear in mind that you don’t necessarily have to use the latest version of an operating system such as Windows 10; in some cases, slightly older versions still get patched. (Sorry, that’s not the case with Windows XP. Stop using it!) What matters most is that your OS is still receiving security updates and that you’re applying them. So if you come away with one lesson from this guide, it’s this: update, update, update; or patch, patch, patch.

Many common cyberattacks take advantage of flaws in outdated software such as old browsers or PDF readers. By keeping everything up to date, you have a far lower chance of becoming a victim of ransomware, for example.
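To act on “update, update, update” you first need to know what is installed. The script below is an added example, not part of the original guide; it reads the same registry keys that Programs and Features uses and reports the newest installed Windows update. The only flag it raises is for Adobe Flash Player, which this guide separately recommends removing; the rest of the inventory is yours to compare against the vendors’ current versions.

```powershell
# Added example, not part of the original guide. Works without admin rights.
function Get-InstalledSoftware {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text; leave it empty if missing or malformed
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            # Flash is the one product this guide says outright to remove
            $flag = if ($_.DisplayName -match 'Flash Player') { 'remove' } else { '' }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = $installed
                Flag      = $flag
            }
        } |
        Sort-Object Name -Unique
}

function Get-LastWindowsUpdate {
    # Get-HotFix lists installed Windows updates; the newest InstalledOn shows how
    # long it has been since a patch actually landed on this machine
    Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -Property HotFixID, Description, InstalledOn
}

Get-InstalledSoftware | Format-Table -Property Name, Version, Publisher, Installed, Flag -AutoSize
Get-LastWindowsUpdate
```

Store-installed (AppX) apps and portable executables do not appear in these keys, so treat the list as a floor, not a complete picture.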

PASSWORDS

We all have too many passwords to remember, which is why people reuse the same ones over and over. Our brains aren’t actually that bad at remembering passwords, but it’s almost impossible to remember twenty or more unique, strong ones.

The good news is that the solution to this problem already exists: password managers. These are apps that keep track of passwords for you, generate good ones automatically, and simplify your online life. If you use a manager, all you have to remember is one password, the one that unlocks the vault of your passwords.

Intuitively, you might think it’s unwise to store your passwords on your computer. What if a hacker gets in? Surely it’s better that I’m keeping them all in my head? Well, not really: for most people’s threat models, the risk of a crook taking advantage of a shared password on a website is far greater than some sophisticated hacker dropping a load of super-fancy malware onto your device. Again, it’s all about understanding your own threat model.

So, please, use one of the many password managers out there, there’s no reason not to do it. It will make you—and the rest of us!—safer, and it’ll even make your life easier.

TWO-FACTOR AUTHENTICATION

Having unique, strong passwords is a great first step, but even those can be stolen. So for your most important accounts (think your main email, your Facebook and Twitter accounts) you might want to add an extra layer of protection known as two-factor (or two-step or 2FA) authentication.

By enabling two-factor you’ll need something more than just your password to log in to those accounts. Usually it’s a numeric code sent to your phone by SMS, or a code generated by an authenticator app on the phone (which works even when your phone has no coverage, because the code is computed from a shared secret and the current time rather than received over the network).

There has been a lot of attention recently on how mobile phones may not be suitable as 2FA devices. Activist Deray McKesson’s phone number was hijacked, meaning hackers could have the extra security codes protecting his accounts sent straight to them. And the National Institute of Standards and Technology (NIST), the US government agency that writes standards and guidelines, including for security, recently discouraged the use of SMS-based 2FA in draft guidance.

The attack on Deray was low tech: it essentially involved getting his phone company to issue a new SIM card for his number to the attackers (a “SIM swap”). That is hard for you to defend against, and there are other ways to get at codes sent via SMS: text messages can be intercepted by someone exploiting weaknesses in the SS7 signalling network that carries them, or swept up, along with the rest of your phone’s traffic, by an IMSI-catcher, otherwise known as a Stingray.

Apart from the SIM-swap trick, these attacks are not trivial to pull off, not just because they may require specific hardware like a Stingray, but also because they are relatively expensive. So, realistically, for the vast majority of people SMS 2FA is still a robust security measure that does what it’s designed to do: add an extra layer on top of a password that might get phished or otherwise stolen.

If the website allows it, use a 2FA option that isn’t SMS-based, such as an authenticator app on your smartphone (for example, Google Authenticator) or a physical token like a Yubikey. If that option is available to you, it’s a great idea to use it. But it would be foolish to disregard SMS 2FA altogether, especially if you’re not under targeted attack; SMS 2FA is far better than no second factor.

2FA is a great way to make it nearly impossible for average cybercriminals to break into your most important accounts. You can check out all the services that offer it and how to turn it on here.

A 2FA token like a Yubikey can be a more secure 2FA solution that doesn’t require a cell connection.
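An added example, not from the original guide, of how an authenticator app such as Google Authenticator produces its codes (RFC 6238 TOTP built on RFC 4226 HOTP). The site and the app share a secret at enrolment (the QR code); afterwards each code is an HMAC of the current 30-second time step under that secret, so nothing travels over the phone network and a SIM swap does not help the attacker. The Base32 secret JBSWY3DPEHPK3PXP is a constructed value for illustration; the known-answer check uses the published RFC 6238 test vector. Runs in Windows PowerShell 5.1 or PowerShell 7 without extra modules.

```powershell
# Added example, not part of the original guide. Runs in Windows PowerShell 5.1
# or PowerShell 7 without extra modules.

function ConvertFrom-Base32 {
    # Authenticator secrets are shown as RFC 4648 Base32; decode to raw bytes
    param([Parameter(Mandatory)][string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $clean = ($Text.ToUpperInvariant() -replace '[\s-]', '').TrimEnd('=')
    $bits = 0; $bitCount = 0
    $out = [System.Collections.Generic.List[byte]]::new()
    foreach ($ch in $clean.ToCharArray()) {
        $val = $alphabet.IndexOf($ch)
        if ($val -lt 0) { throw "Invalid Base32 character '$ch'" }
        $bits = (($bits -shl 5) -bor $val) -band 0xFFFF   # keep only the bits not yet emitted
        $bitCount += 5
        if ($bitCount -ge 8) {
            $bitCount -= 8
            $out.Add([byte](($bits -shr $bitCount) -band 0xFF))
        }
    }
    return ,$out.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Counter = whole time steps since the Unix epoch, as 8 bytes big-endian (RFC 6238 s.4)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()

    # Dynamic truncation (RFC 4226 s.5.3): the low nibble of the last byte selects
    # a 4-byte window; the top bit is cleared so the result is a positive 31-bit value
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset]     -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
               ($hash[$offset + 3] -band 0xFF)

    $modulus = [long][math]::Pow(10, $Digits)
    return ([long]$binary % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-TotpKnownAnswer {
    # RFC 6238 Appendix B: ASCII secret "12345678901234567890", T=59, SHA-1, 8 digits
    $rfcSecret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
    return (Get-TotpCode -Secret $rfcSecret -UnixTime 59 -Digits 8) -eq '94287082'
}

# Usage: the Base32 secret below is a constructed example, not a real enrolment
if (-not (Test-TotpKnownAnswer)) { throw 'TOTP implementation does not match RFC 6238' }
$appSecret = ConvertFrom-Base32 'JBSWY3DPEHPK3PXP'
"Current code: $(Get-TotpCode -Secret $appSecret)"
```

Because the server runs the same computation, all it needs from the app at login is the six digits; the secret itself never leaves the phone after enrolment. That is also why the enrolment QR code (or the backup codes shown next to it) must be treated like a password.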

DOs & DON’Ts

Don’t use Flash: Flash is historically one of the most insecure pieces of software that’s ever been on your computer. Hackers love Flash because it’s had more holes than Swiss cheese. The good news is that a lot of the web has moved away from Flash so you don’t really need it anymore to still enjoy a fully-featured and rich browsing experience. So consider purging it from your computer, or at least change the settings on your browser so you have to click to run Flash each time.

Do use antivirus: Yes, you’ve heard this before. But it’s still (generally) true. Antiviruses are actually, and ironically, full of security holes, but if you’re not a person who’s at risk of getting targeted by nation-state hackers or pretty advanced criminals, having antivirus is still a good idea. Still, it’s far from a panacea, and in 2016 you need more than that to be secure.

Do use some simple security plugins: Sometimes, all a hacker needs to pwn you is to get you to the right website—one laden with malware. That’s why it’s worth using some simple, install-and-forget-about-it plugins such as adblockers, which protect you from malvertising threats presented by the shadier sites you may wander across on the web. (We’d naturally prefer if you whitelisted Motherboard since web ads help keep our lights on.)

Another useful plugin is HTTPS Everywhere, which forces your connection to be encrypted (when the site supports it). This won’t save you if the website you’re going to has malware on it, but in some cases, it helps prevent hackers from redirecting you to fake versions of that site (if there’s an encrypted one available), and will generally protect against attackers trying to tamper with your connection to the legitimate one.

Do use VPNs: If you’re using the internet in a public space, be it a Starbucks, an airport, or even an Airbnb apartment, you are sharing the network with people you don’t know. If a hacker is on the same network, they can mess with your connection and potentially your computer. A VPN encrypts your traffic between your device and the VPN provider, so someone on the local network can’t read or tamper with it (it does not protect you from the website at the other end, or from the VPN provider itself).

Don’t overexpose yourself for no reason: People love to share pretty much everything about their lives on social media. But please, we beg you, don’t tweet a picture of your credit card, for example. More generally, it’s a good mindset to realise that a post on social media is often a post to anyone on the internet who can be bothered to check your profile, even if it’s guessing your home address through your running routes on a site like Strava, a social network for runners and cyclists.

Personal information such as your home address or high school (and mascot, which is a Google away) can then be used to find more information via social engineering schemes. The more personal information an attacker has, the more likely they are to gain access to one of your accounts. With that in mind, maybe consider increasing the privacy settings on some of your accounts too.

Don’t open attachments without precautions: For decades, cybercriminals have hidden malware inside attachments such as Word docs or PDFs. Antivirus sometimes stops those threats, but it’s better to use common sense: don’t open attachments (or click on links) from people you don’t know, or that you weren’t expecting. And if you really want to, take precautions, like previewing the attachment within Chrome (without downloading the file). Even better, save the file to Google Drive and open it within Drive, which is safer because the file is then being rendered by Google’s servers and not by your computer.

Do disable macros: Hackers use Microsoft Office macros inside documents to drop malware onto your computer. It’s an old trick, but it’s back in vogue for spreading ransomware. Disable them, or at the very least make sure Office won’t run macros in files that came from the internet.
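For the attachment and macro advice above, an added example (not from the original guide) in two parts: it sets the Office policy values that disable VBA macros and block macros in files carrying the Mark-of-the-Web, and it inspects a file before you open it, reporting whether it was downloaded from the Internet zone and whether it contains a VBA project at all. The registry paths are the documented Office policy locations for the 16.0 (Office 2016 onward) branch and apply to the current user only; the Downloads path in the usage line is a placeholder.

```powershell
# Added example, not part of the original guide. Current user only; Office 16.0
# policy branch (Office 2016/2019/365). Run in PowerShell on Windows.

function Set-OfficeMacroPolicy {
    param(
        # 4 = disable all macros without notification; 3 = allow digitally signed only
        [ValidateSet(3, 4)][int]$VbaWarnings = 4,
        [string]$OfficeVersion = '16.0'
    )
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # VBAWarnings: 1 enable all, 2 disable with notification, 3 signed only, 4 disable all
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $VbaWarnings
        # Block macros in files from the Internet zone (Mark-of-the-Web) regardless of the above
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Type DWord -Value 1
    }
}

function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.BlockContentExecutionFromInternet
        }
    }
}

function Test-OfficeAttachment {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is the NTFS alternate data stream that browsers and mail
    # clients write on downloaded files; ZoneId=3 means "Internet"
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($zone -and (($zone -join "`n") -match 'ZoneId=(\d+)')) { $zoneId = [int]$Matches[1] }

    # .docx/.xlsx/.pptx/.docm etc. are ZIP containers; macros live in a vbaProject.bin part.
    # A macro-enabled document keeps this part whatever its extension says.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $hasVba = $false
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' })
        $zip.Dispose()
    } catch {
        # Not a ZIP: legacy .doc/.xls binary formats, or not an Office file at all
    }
    [pscustomobject]@{
        File          = $Path
        ZoneId        = $zoneId
        FromInternet  = ($zoneId -eq 3)
        HasVbaProject = $hasVba
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Placeholder path; point it at a real attachment you are deciding whether to open:
# Test-OfficeAttachment -Path "$env:USERPROFILE\Downloads\invoice.docm"
```

A file that reports HasVbaProject = True and FromInternet = True is exactly the case the policy above is meant to stop; a legacy .doc that fails the ZIP check is not cleared by this script and deserves the same suspicion.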

Do back up files: We’re not breaking any news here, but if you’re worried about hackers destroying or locking your files (such as with ransomware), then you need to back them up. Ideally, back up to an external hard drive while disconnected from the network, then unplug the drive, so that even if you get ransomware, the backup isn’t encrypted along with everything else.

Most hacks are opportunistic, and these basic precautions go a long way toward securing yourself.

GO OUT THERE AND BE SAFE

That is all for now. Again, this is just meant to be a basic guide for average computer users. So if you’re a human rights activist working in a dangerous country or a war zone, or an organization building IT infrastructure on the fly, this is certainly not enough, and you’ll need more precautions.

But these are common sense essential tips that everyone should know about.

And remember, always be vigilant!