Remember when computer security was simple? Advice was as easy as, "Don't boot with a floppy drive in your A: drive" and "Don't enable the macro to run." Boy, do I long for the days of yesteryear.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
More and more, application vulnerabilities are being announced every day, whether it's something attacking Apple QuickTime, Macromedia Flash, YouTube videos, Adobe Acrobat, or Microsoft Office. And telling people not to open untrusted content is like telling them not to open e-mail from people they don't know. It's not bad advice, but you can't stop there.
You've got mail
On the "don't open e-mail from people you don't know" recommendation, malware has been using e-mail address books for nearly a decade now. Malicious spam and e-mail often comes from our friends, parents, and coworkers. The better advice is not to open e-mail that is unexpected, seems out of character for the sender, and contains links or content to click. When in doubt, e-mail or call the sender and confirm that they really meant to send it. Or do like me, and just delete it when there's a shadow of a doubt. I can't trust my friends and associates to thoroughly validate the stuff they send me. To them it's a cute little animated GIF or a YouTube video of a hot girl dripping barbeque sauce over a less hot car. To me, it's probably malware. It's just the way my mind works.
All these years later, you still can't tell people to open e-mails from only people they trust. Targeted spearphishing is becoming more common. You can't count on mispellings (sic) and bad grammar to alert you to a phishing attack. They have your name and your interest [for example, your bank account, Better Business Bureau complaint, 401(k) provider, and so on]. I won't give you my bank logon info, but there's a good chance that I'll respond, strongly, to my Dell laptop warranty expiring earlier than what I paid for or object to an unauthorized change in my 401(k) portfolio. Those malware guys are sneaky.
Today, the frequent advice you'll get, in the face of application malware, is to not open content from or visit untrusted Web sites. That is so 20th century! Unless you've been hiding under a rock for the last few years, security article after security article has been detailing how malware is being served up by the Web sites we trust most. It's the NFL Web site, travel site, news site, political gabfest site, and blog that we all love. They get compromised, we visit, and we get infected.