Optimal User-End Internet Security (Or, Rational Internet Browsing)

The problem with the textbook security advice is that if you follow all of it, it will cost you more than the expected loss from following none of it, and since the people who write it rarely bother to give priority guidance, people end up rationally following none of it. What's actually needed is a very short list of advice that's feasible to remember and follow, and which will cost less to follow than its expected benefit.

Here's a couple of my suggestions to start with:

1. If you're going to use the same password for two dozen random websites, don't also use that same password for your PayPal account.

2. Don't publish your date of birth, it's an attack vector for identity theft. If a website demands your date of birth, and you choose to give the real year, at least change the exact day. (Same goes for other identifying pieces of information e.g. mother's maiden name, date of birth is just the one that comes up most often.)

A lot of what can be said here is merely practical advice rather than anything to do with cognitive biases. One real problem is with the PC - it's security model is rather like an office with a security guard at the gate. The guard is quite fierce. But - once inside, there's no further security - all the filing cabinets are unlocked. All the offices are open. You can read everyone's email. The PC needs a layered security model, but doesn't have much of one. To counteract this, take the guard's job seriously... - buy some internet security software and use it.

Stay out of bad neighbourhoods.

Only download software from people who have a reputation to lose. Don't just believe that pirates crack programs and make them available for free on the Internet out of the kindness of their hearts. Maybe some do - maybe even most of them. But if you download a cracked program and run it, you are giving control of your PC to the pirate. Maybe that free program is not such a good deal after all.

Divide your online activity into personas that don't identify you, and you can afford to throw away, and accounts that you're a bit paranoid about. Anything with personal info is in the latter category. Watch out for facebook - it encourages you to put all your personal identifiers into the public domain, which is not a good idea. What use is it for your bank to use your mother's maiden name and your birthday to secure your dealings with them if you can take all that info from your facebook page?

Don't access the important accounts from a computer which you don't trust.

What do people want who try to break your security? One of three things.

1. Your PC, so they can send spam to other people, or use it to attack other computers, to aid extortion etc. Or nick your credit card details as you type them in.
2. Your identity, so they can pretend to be you and empty your bank accounts.
3. Your money, some other way.

If an online id doesn't contain any info about these things, just don't worry about it - set a half decent password and leave it at that.

If you contact someone else, you can usually be pretty sure they are who you think they are. If someone else contacts you, the most likely thing they'll lie about is who they are. This is the only cognitive bias thing - we tend not to realise that who initiates a conversation is important. If you do it, you're pretty safe. If the other person does, the other party is much more likely not to be who you think they are.

Hi, I'm from your bank and need you to verify this fraud... Hi, I'm a police officer, and your friend x.... Hi, I'm from the state lottery.... Hi, I'm a Nigerian chap who needs a little help (true, but then the part about their immense wealth isn't...) Hi. I'm your friend x and I'm stuck in London....

Have a cached "Yeah, right - so how do I know that's who you are?" ready and waiting. If in doubt, terminate the conversation and if necessary reinitiate it yourself - don't let the other person 'help' you to do this. For example, if someone calls saying they are from your bank, you should consider calling the bank back using the phone number on your statement or your bank card. Don't take the number from the person you're not sure about !

Maybe not very cognitive-biasy, but it's the best I can do for you....

An interesting paper arguing that ordinary people's carelessness for internet security is in fact individually quite rational, at least in some cases:

http://research.microsoft.com/apps/pubs/?id=80436

"Why would anyone want to attack me? I'm nobody special." People readily understand why an attacker would want to break into the US Army's computers, or Microsoft's, or Al Jazeera's. The reasons to attack an ordinary user's PC are somewhat harder to communicate: they want to take over your computer in order to use it to attack others (being part of a botnet); to sniff your email password or cookies so your account can be used to send spam or to phish your friends; and so on.

My approach to Internet security centers around not allowing the browser to execute code with admin privileges:

1. Never surf the Web under an administrator account. This is easy because I never have log into my Admin account -- Windows 7 makes it easy to work under restricted accounts.

2. Use a modern, secure browser. Never use IE because it relies on ActiveX controls which execute native code.

3. Always set the UAC to maximum security. Never turn it off. This may sound scary for Vista users (and anyone who has seen the brilliant "Security" ad by Apple), but actually it's much better in Windows 7.

4. Never install any software unless absolutely necessary.

5. When installing software, pay attention to the publisher signature of the .exe installer -- most well-known software companies have their .exe files signed. I once witnessed a situation where a co-worker downloaded what he thought was Skype but failed to notice that the .exe had no publisher signature, and ended up sending the bad guys $30 for "Skype activation". We had to wipe his PC right away -- the installation required an admin password so the .exe had enough privileges to install any trojans it wanted.

6. Always have an anti-virus software installed and running. I use Avast.

Nitpick:

Yet, there are still some things that can be said to a layman, especially by the ever-poignant Russel Monroe

Randall Munroe.

(sorry, having issues with the markdown)

I can't find the link, but Bruce Schneier, who is basically a cryptographer and security protocols guy, talks about some of these things. A big thing is that we over-weight the risk of the most recent threat we've talked about. For instance if you and I talk about six different risks:

1. Password hacks where an attacker gets the password database on a webforum, then uses that to log into your email account (because you used the same password), then grabs your banking information and gets in because...same password.
2. Viruses delivered via email attachments
3. Malware delivered by downloaded software
4. Attacks against open ports on your computer.
5. Spear Phishing
6. "Drive by" malware from SQL injections on internet websites.

You'll worry most about #6 because it's the last thing in your mind, while you can do the MOST good worrying about the first one (use at least 3 passwords, one for web forums, one for (each) email address, and one for your banking), then the next two (don't open attachments unless you're sure of the source and use a virus scanner).

Also we worry about the big and the personal--movie script type attacks or targeted attacks, when the reality is MUCH more prosaic. Most of us, as in 99.9% (ok, I made that number up, but I'd bet I'm close) of us, will never be specifically and personally targeted through technical computer attacks (attacks against our ideas, or some sort of internet or personal flaming or defamation doesn't count here, I'm talking technical attacks) as we're just not interesting.

Over a decade ago I was on the CypherPunks mailing list, and you would occasionally see people asking what they could do to keep the TLAs from spying on them (looking for hard crypto etc.). The only real answer is "don't do anything to interest them". Most people are boring, their lives are uninteresting, and there is nothing you can gain from personally going after them.

However, that doesn't mean that you won't be attacked impersonally and/or randomly. You do have a bank account, you do have a computer that can be used to pass spam, to infect other machines, or whatever.

Keep understanding that it's not personal on any level. They aren't out to get YOU, they're just out to get your stuff, and devise your strategies accordingly.

To bullet point it:

• We think about personal attacks rather than impersonal
• We tend to think about the big, flashy, or "Hollywood" attacks and not the more prosaic attack.
• We tend to focus on the last threat we've discussed, read or thought about, and not develop a more generalized threat model.

Here are a few tips that maybe should not be taken to literally, but are useful to think about and sometimes may be a good idea more directly as well:

• Don't have anything to hide, make sure that anything worth stealing involves some physical object not hooked up to your computer. Act as if a random stranger with a concealed face were physically looking over your shoulder at all times.

• Keep an eye on your CPU, ram, bandwidth, etc. usage. Even if you were overtaken by a botnet that didn't use a noticeable amount of these than that'd also mean it's not that big a bother anyway.

• In general cultivate an intuition for computer science and what exactly your computer needs to be doing at any time so you can notice suspicious behaviour.

• Keep your guard up for psychological attacks, hostile memes, and Langford basilisks. If you don't already know learn what those are and how you can protect yourself.

• [insert random quote from "the art of war" here]