First, which browsers are the most common these days? Wikipedia has a useful summary of browser usage statistics collected from various sources. The summary statistics look a little off to me (even after considering the note at the bottom of the table), but you get the basic idea: Internet Explorer and Firefox are running away with it.

Security Update

Internet Explorer 6 remains a hopelessly dangerous browser, but I’ve been impressed by Internet Explorer versions 7 and 8. If you haven’t yet upgraded, do so now.

I wanted to update previous comparisons (see here, here, and here) between the two most prominent browsers, but Secunia, the security consultancy I had been getting figures from, now advises against using its statistics for comparison purposes because of the way it reports them.

Fair enough, and it wouldn’t hurt to go to a second source. I recently ran across a report by NSS Labs, which mentions that “53% of malware is now delivered via internet download versus just 12% via email, while IFrame exploits and other vulnerabilities comprise 7% and 5%, respectively…” (If you’re wondering, IFrame exploits are just another flavour of attack aimed at web browsers.)

Check out the report summary, which has two very interesting graphs. It looks like Internet Explorer 8 is beating Firefox (and other browsers) by a wide margin when it comes to protecting against “socially engineered malware” (links that lead to infected downloads), while the two leading browsers provide about the same amount of protection against phishing attempts.

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

• Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated
  changes to the downloading computer
• Browser exploits—Also known as a driveby download, this type of malicious code enables viruses,
  keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
• Email practices—Registration forms and other sign-ups that result in high volume email, highly
  commercial email or both. We also test for difficultly unsubscribing.
• Phishing—Scam sites that try to trick visitors into believing the site is legitimate
• Excessive popups—Sites that engage in aggressive popup behavior or display large numbers
  of popups
• Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

What Should You Pay to Avoid Viruses and Spyware?

In Consumer Reports’ 2008 State of the Net summary, the odds of contracting a serious computer virus problems are given to be 1 in 7, the yearly costs $2.9 billion. The odds of a serious spyware problem are 1 in 14, with a yearly cost of $3.6 billion. (Note that these figures are for both businesses and consumers.)

From these statistics, it is possible to calculate the amount that the typical person ought to be willing to pay, yearly, in the form of insurance or a preventative product or service, to avoid the consequences of viruses and spyware.

If 1 in 7 computer users had major virus problems, it means that 26 million people suffered expenses of about $110 each. If 1 in 14 computer users had a major spyware problem, it means that about 13 million people took a hit of $275.

Using these numbers and a formula for expected costs (expected cost = average cost per incident multiplied by probability of incidence) we can conclude that the expected yearly loss per person from virus and spyware threats totals $35. Put another way, each of us should be willing to spend up to $35 per year on insurance, services, or products that would shield us from the costs of viruses and spyware.

The Value of Anti-Virus Software

Of course, my calculations could be wrong. But it’s interesting to note that McAfee and Symantec, two of the most popular anti-virus and anti-spyware providers, price their mainstay products at $40, $5 more than our calculation says is reasonable.

Is that extra $5 per year for peace of mind or is it down to overpricing? Or maybe the cost figures that Consumer Reports noted do not include the psychological cost of annoyance and time spent getting rid of viruses and spyware, which could bring the total cost per person higher than what was reported. I’m inclined to give the benefit of the doubt to the millions of consumers who indicate, by their willingness to pay, that a $40 anti-virus solution is worth it to them, but I could be off the mark.

The report is based on a national survey (of America, I believe), and lists the 4 biggest threats on the internet along with their rates of incidence. If you want to know just how likely you are to suffer monetary damages from internet threats, this is a great resource. Here are the findings from survey respondents:

Viruses

1 in 4 had a major, often costly problem. The cost per incident was $109

Spyware

1 in 8 had a major, often costly problem. The cost per incident was $100

Phishing

1 in 115 had a major, often costly problem. The cost per incident was $850

Spam

1 in 2 experienced high levels of spam. Consumer Reports doesn’t mention the costliness of spam, probably because it’s too hard to measure. But it’s still a major nuisance that soaks up valuable time and computer resources for almost everyone who uses the internet.

I hope the readers of this blog are slightly less prone to suffer damages as a result of the advice I give. Best of luck to all of you!

But seriously, remember when all you had to worry about was some dork impressing his friends with some virus named after a girl that kneed him in the balls last week? That was a more innocent time.

Today, viruses have come of age. And they’re not even called viruses anymore. The biggest problems today are spyware and adware. The trouble with viruses was that their sole object was to penetrate your computer, then destroy it. That didn’t make anybody rich, though, because good parasites don’t kill their hosts.

The most sinister and pervasive threats have morphed into commercially propelled vehicles for privacy extraction with a view to profit. These days, when I look at a friend’s computer that has slowed and showed signs of derangement from infection, I don’t find a lot of viruses. But I find boatloads of spyware and adware (and that’s a metric boatload, not one of those sissy imperial boatloads).

So be aware of the threat you face now. A new enemy requires new tactics–this means your anti-spyware and adware programs are more important than ever. I previously recommended Spybot and Adaware for the newly important jobs – read my review of both and find out how to get them (they’re free, of course).

Google, by partnering with the StopBadware Organization, has begun to issue warnings when users click on search results that lead to dangerous websites.

StopBadware keeps a list (so far it appears to be quite limited) of user-submitted websites that are known to host spyware, adware, and other malware. After receiving submissions, the organization analyzes the purported malware using a list of seven categories of bad behaviour that help to identify malicious software.

This list includes:

…deceptive installations, unclearly [sic] identification, causing harm to other computers, modifying other software, transmitting user data, interfering with computer use, and being difficult to uninstall completely.

You can see one of the warnings in action by doing a search for “seriall” and clicking on the first result (SeriAll.com is a website that publishes serial numbers for pirated software). After clicking on the link, you should see a screen similar to the one shown at the top of this post.

Will Google and StopBadware prevail?

Most solutions to this problem, such as downloadable antispyware scanners, are reactive rather than preventative. They help minimize the damage from malware that has managed to nestle into a user’s computer, but do little to prevent the installation in the first place.

Preventative initiatives like Google’s have the potential to greatly decrease the harm and reach of malware. Many websites, including those that deal in malware, depend on search engine results for a good number of their visitors; if this source of internet traffic dries up, malware providers will need to look elsewhere for their victims.

Still, let us hope the execution of this strategy is transparent and level-headed. Because a website’s fortunes can change dramatically depending on the traffic it receives from search engine results, collateral damage to websites that are mistakenly or negligently targeted would be unfortunate indeed.

Happily, the idea so far is not to irrevocably block traffic to a searcher’s intended destination, but to provide a warning en-route. If someone wishes to continue to the website, even after reading the warning, it is fully possible. I hope the policy remains that way and abstains from taking up a censorship position.

Another way to avoid spyware

There is another way to use search engine results to help you vet software before you download it, and I will provide a detailed how-to in an upcoming post. I think you will find it quite useful.

Outbound protection is important because it can prevent spyware on your computer from sending the information it has collected back over the internet to whoever is trying to spy on you.

If your firewall features outbound protection, it means that you can grant or refuse permission to any program that wants to access the internet. So if something does slip through the spyware and adware precautions you have implemented on your computer, you’ll be able to prevent it from doing any real harm.

What you can do about it:

One of the best programs to keep you safe with inbound and outbound protection is the ZoneAlarm firewall. And, of course, it’s free and super easy to set up.

Don’t forget to turn off Windows Firewall after you have installed ZoneAlarm. Here’s how: Start>Control Panel>Windows Firewall> then select “Off” in the tab/section called “General”.

Your computer is hopelessly lost to adware and spyware and viruses. I know because I’ve seen computers like yours. If you upgraded to Firefox as I suggested in the last post, you’re headed in the right direction, but there is more to be done.

Now you need to download two programs (free, of course) that will kill anything that manages to get by your defences.

Spybot Search and Destroy

This extremely well maintained and frequently updated program eliminates all the most common spyware, adware and tracking cookies that infect all computers from time to time. Basically, Spybot will catch whatever your antivirus program misses.

Adaware

Because one anti-spyware program is not quite enough, Adaware will catch anything that Spybot Search and Destroy might miss and vice versa. Both programs are excellent and rarely miss the chance to extinguish the life of spyware, but even the best program will miss something now and again.

Now that you’ve got both of these programs on your computer, you just need to remember to update them often and run them even more often.

Let me make this very clear: you need to be an active participant in keeping your computer clean by running these programs at least once a week and more often if you’ve been infected with a load of spyware recently. They will not actively monitor your computer to catch the bad guys while you sleep.

In upcoming posts, I will recommend free antivirus and firewall programs so that you can finish building an impenetrable fortress around your electronic assets.

Why bother keeping your computer free of spyware and adware? Almost everyone has some type of malware on their computer and I’ll wager that your identity has never been stolen as a result of having it.

On top of that, spyware often helps companies know what you like so that they can market to you better. So it may seem like no big deal, but there are some good reasons why you should take it seriously. Here’s why:

1. Spyware and adware can actually cost you a lot of money. When your computer finally runs out of memory and grinds to a halt because all of its resources are being hungrily consumed by malware, you’ll have to take it to a computer shop to get it fixed, which could cost upwards of $100, or fix it yourself (maybe $50-$200 according to the value of your own time). Either way, you’ll definitely miss the use of your computer for a day or three.

2. You’ll feel safer shopping on the internet knowing that there isn’t a key logger taking down your passwords and credit card numbers, then sending them to www.yourescrewednow.com.

3. You should be keenly aware of how you are trading your privacy in return for “free things”. This is precisely what’s happening when you are surfing the web and decide to download what looks like a free piece of software, but is actually laden with spyware or adware (often, this kind of software comes in the form of screensavers, gambling software, or video games). The company that created that software is making a profit by collecting and selling data about you, about how you use their program, and information about your computer in general.

Your information is very valuable to marketing companies, and you should treat it as such. If you’re going to sell it to them, know how much it’s worth, and get a fair price. For me, the tradeoff is not worth it when the free thing I’m getting is a SpongeBob SquarePants screensaver and the company that created it gets to advertise at me with pop-ups for the rest of my life. You can choose how important your information is to you, and act accordingly.