<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rossander's Security Reader &#187; Definitions</title>
	<atom:link href="http://rossander.org/infosec/category/definitions/feed/" rel="self" type="application/rss+xml" />
	<link>http://rossander.org/infosec</link>
	<description>an Information Security blog for the rest of us</description>
	<lastBuildDate>Tue, 15 May 2012 11:40:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Add-ons &#8211; defined</title>
		<link>http://rossander.org/infosec/2010/02/add-ons-defined/</link>
		<comments>http://rossander.org/infosec/2010/02/add-ons-defined/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 02:51:54 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Home Computer]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/2010/02/add-ons-defined/</guid>
		<description><![CDATA[Add-ons are optional software components that, in theory, increase the functionality and/or usability of the original program.  Some can be dangerous, though.  Here's how to find the safe ones.]]></description>
			<content:encoded><![CDATA[<p>My dentist was asking about his computer this evening.  He&#8217;s been having some trouble that might indicate a virus or could just be a sign that the computer&#8217;s getting a bit old.  Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn&#8217;t really sure what they were.  Between the novocain and the drill, I&#8217;m sure my answer was completely incoherent so here is an attempt to better answer the questions &#8220;What is an add-on&#8221; and &#8220;Should I let it be added to my computer&#8221;.</p>
<p>First, what is an add-on?  (Other names include plug-in, extension and sometimes theme.  More on that later.)  An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program.  Most people learn about add-ons in the context of their internet browser, especially if you are a <a href=http://www.mozilla.org>Firefox</a> user.  Add-ons can improve your computer&#8217;s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.</p>
<p>Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer.  If you find an add-on you like &#8211; and there are some good ones out there &#8211; be sure that you get it from a reliable source.  If you&#8217;re looking for add-ons to Mozilla&#8217;s Firefox, for example, go to Tools/Add-ons and look for the <a href=https://addons.mozilla.org/en-US/firefox>Browse all add-ons</a> link.  That will take you directly to the official Mozilla site.  Internet Explorer has a similar path.</p>
<p>Some add-ons can be very helpful.  I really like NoScript and AdBlock for Firefox.  Between the two of them, they make my browsing much safer.</p>
<p>Many add-ons are neutral from a security point of view &#8211; they may make your browsing experience better but they neither help nor hurt your computer&#8217;s security.</p>
<p>Some are downright dangerous &#8211; add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security.  Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.</p>
<p>And an unfortunate number of add-ons are offered with a good heart but are either badly written or just don&#8217;t take into account all the possible configurations that are out there &#8211; and when used in combination with some other add-on or program, they create new vulnerabilities that didn&#8217;t exist before.  I put all the Google and Yahoo Toolbar add-ons in this category &#8211; well-intentioned but fundamentally unsafe.</p>
<p>Add-ons also tend to go out of support fairly quickly.  They are often written by volunteers, after all.  Microsoft has a financial incentive to keep programmers pounding away, patching their products.  If a hacker finds a hole in an add-on, it may or may not get fixed quickly.</p>
<p>If you find an add-on you like, read the reviews to see what other users say about it.  See if anyone has had concerns about unexpected interactions or problems.  See if it&#8217;s been updated recently and find a legitimate download site.  Then back everything up on your computer before you install it.</p>
<p>On the other hand, if your computer &#8220;spontaneously&#8221; offers to install an add-on, the right answer is almost invariably to reject it.  If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.</p>
<p><small>When an add-on is primarily designed to change the look and feel &#8211; background colors, fonts, logos, maybe even layout and organization of buttons &#8211; but not to change the underlying function of the program, that&#8217;s usually called a &#8220;theme&#8221;.   There are literally thousands of themes available including ones for just about every sports franchise imaginable.  They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player.  Themes are usually safer to load since they are not supposed to affect the program but be careful.  Something advertised as merely a theme can still include malicious code.  And a badly written theme can cover up functions you do need, like say, the undo button &#8211; it&#8217;s still there but you can&#8217;t reach it because some other button is in the way.  Like other add-ons discussed above, only consider themes from reputable sources.  If you&#8217;re not sure, stick with the default theme.</small></p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/02/add-ons-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SQL Injection attack &#8211; explained</title>
		<link>http://rossander.org/infosec/2009/11/sql-injection-attack-explained/</link>
		<comments>http://rossander.org/infosec/2009/11/sql-injection-attack-explained/#comments</comments>
		<pubDate>Mon, 16 Nov 2009 15:24:47 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=534</guid>
		<description><![CDATA[A layman's explanation of a SQL-injection attack and what you should check for to make sure your IT department is keeping your applications safe from it.]]></description>
			<content:encoded><![CDATA[<p> This post is a little more technical than our norm but I think it&#8217;s important to understand some of the buzzwords around security.  SQL Injection attacks (pronounced see-kwel) are a tactic that a hacker can use to get your computers to do more than they should.</p>
<p> SQL stands for Standard Query Language and is the code that almost all databases use when answering your questions.  SQL is what brings up your account when you log onto your bank to see your latest statement.  Any but the most rudimentary website uses a SQL database to hold, sort and present the content to you, the reader.</p>
<p> As long as the user plugs in things that make sense (like a name into the username field), the query will run properly and will return only the results for your account.  But what happens if you type something unusual into that field?  What if you put in an account number instead?  If the website was well-designed, the request will simply fail.  If, however, the website was not designed properly, the computer may return something &#8211; but it won&#8217;t be anything that you intended.</p>
<p> For example, a hacker might try typing <tt>' OR 1=1 --</tt> into a date field.  The &#8220;OR 1=1&#8221; part will always be true.  The <tt>--</tt> characters tell the computer to consider everything after as a comment (that is, a note the programmer left to him/herself as an explanation of the code).  The result is a request for all lines of data where the first part is true.  But 1=1 is always true so the computer spews out <i>all</i> the data in that table.  Not only does the hacker get his own account details, he gets yours and everyone else&#8217;s as well.</p>
<p> Other commands can be crafted to modify data, add tables, execute commands, etc.  If a site is vulnerable to a SQL-injection attack, there is little that the hacker can&#8217;t do.</p>
<p> How do you stop it?  The easiest way to prevent a SQL-injection attack is to design your application to validate its inputs.  The username field should have only text characters (or maybe also some numbers but nothing that looks like computer code), the credit card number field should only accept numbers, etc.  Define the acceptable character sets and enforce those whitelists.  Force the inputs to conform to specific patterns when special characters are needed (e.g. dd-mm-yyyy).  And validate the data length of all inputs.</p>
<p> These are all basic checks that the folks building your website should be making.  Put the IT processes and controls in place to make sure that they are building you a quality product and won&#8217;t leave your data vulnerable to the world.</p>
<p> By the way, to test whether a site has their own security in place, type something unusual into a field and see what happens.  If you get a simple error telling you the allowable format (or if the computer simply rejects the request), you&#8217;re probably okay.  If you see a lot of computer gobbledy-gook, you might not want to let that company have your confidential data.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/11/sql-injection-attack-explained/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web filtering &#8211; defined</title>
		<link>http://rossander.org/infosec/2009/03/web-filtering-defined/</link>
		<comments>http://rossander.org/infosec/2009/03/web-filtering-defined/#comments</comments>
		<pubDate>Fri, 20 Mar 2009 21:46:55 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=405</guid>
		<description><![CDATA[Web filtering is the art of categorizing websites and deciding which ones to block in your environment.  It's imperfect but still important.]]></description>
			<content:encoded><![CDATA[<p> In general, web filtering is the idea of setting some kind of filter on your internet connection to block users who try to browse to a site with inappropriate content.  You may not care about pornography on an adult&#8217;s computer at home (and indeed, it&#8217;s protected under free speech laws) but few businesses want to deal with the reputational damage that comes from finding one of your computer&#8217;s digital &#8216;footprints&#8217; in the logs of a questionable site.  Web filters are commonly put in place to help keep your users within your corporate Acceptable Use policy (or, at home, to make sure that your kids are staying at age-appropriate kinds of sites).</p>
<p> Corporate examples of web filters include <a href=http://www.websense.com>Websense</a> and <a href=http://www.opendns.com/>OpenDNS</a>.  Home tools might include <a href=http://www.NetNanny.com>NetNanny</a> or <a href=http://www.cybersitter.com/>CyberSitter</a>.</p>
<p> All of these tools work by building long lists of webpage addresses and categorizing each site.  Amazon gets classed as a shopping site, Playboy as adult content, YouTube as streaming media, ESPN as a sports site and the local high school as an educational institution.  When a user attempts to go to a webpage, the URL is compared to the filter&#8217;s master list.  If the URL is on the list and allowed, the content flows through to the user&#8217;s browser.  If the URL is in a blocked category, the user gets an error message on his/her screen instead.</p>
<p> There might be as many as a hundred different categories.  You decide whether to permit or block each category on the list based on the risks to your organization <i>including</i> the risk that you will interrupt the business accidentally.  Block too much and you&#8217;ll find that you&#8217;ve gotten in the way of business.  Or that you&#8217;ve cut off some service that your younger employees take for granted, hurting morale and making retention more difficult.  Don&#8217;t block enough and you increase legal and employment risks unnecessarily.  And no matter how much or little you block, there will always be some false positives &#8211; legitimate sites that are mistagged by the vendor.  (Breast cancer research sites, for example, are frequently mistagged as adult content.)</p>
<p> The problem now is that the hackers are starting to find ways around the web filters.  Inappropriate sites are often up for only a short while, then moved to a new address faster than the filter-makers can update their lists.  Inappropriate content is also hidden on hijacked sites that some legitimate business or person failed to properly protect.  No matter how hard they try, some inappropriate sites can always slip through.  (For more about the limitations of web filters, read <a href=http://blogs.csoonline.com/is_web_site_filtering_an_obsolete_security_control?source=nlt_csoupdate>this article from CSOonline</a>.)</p>
<p> Even with those limitations, I strongly recommend that every organization install a webfilter to stay safe from hostile workplace suits and other employment risks.  It won&#8217;t be perfect but it&#8217;s still an important part of your <a href=http://rossander.org/infosec/about/>layers of defense</a>.  I also recommend that any parent with children still living at home install a filter.  Kids may seem very web-savvy but they still don&#8217;t know how to fully protect themselves from strangers, hackers and other age-inappropriate content.  Help to protect them from themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/03/web-filtering-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Clickjacking &#8211; defined</title>
		<link>http://rossander.org/infosec/2009/02/clickjacking-defined/</link>
		<comments>http://rossander.org/infosec/2009/02/clickjacking-defined/#comments</comments>
		<pubDate>Fri, 13 Feb 2009 05:15:24 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=406</guid>
		<description><![CDATA[Clickjacking is a technique to trick internet users into giving up information or triggering other actions on their computer while they appear to be browsing another site.  IE 8 may reduce the risk, or you can use Firefox with NoScript enabled.]]></description>
			<content:encoded><![CDATA[<p>Clickjacking is a relatively new technique to trick internet users into giving up their confidential information or letting a hacker steal access to their computers while they are browsing at what appear to be innocent sites.  Clickjacking has been in the news because Microsoft claims to have solved the problem in their new browser, though <a href=http://www.csoonline.com/article/478332/IE_s_Clickjacking_Fix_Not_Much_Help?source=nlt_csotechwatch>more recent reviews</a> suggest that their protection may not be as effective as was originally hoped.</p>
<p>Clickjacking works by hiding code on a webpage that gets activated when the user clicks on a button on the page.  The page often appears to be a trusted site (or at least an innocuous site) like a computer game but is overlaid with a transparent page using a technique called frames.  The user thinks that he/she is interacting directly with the visible page but in fact is clicking on invisible buttons on the transparent overlay.  The buttons on the computer game are then carefully placed to match the location of the buttons on the hijacked screen.  As the user plays the game, he/she is simultaneously doing something on that other screen.</p>
<p>If you have your own webpage, you should add some hidden &#8220;<a href=http://en.wikipedia.org/wiki/Framekiller>framekiller</a>&#8221; code to your own page which will prevent it from being hijacked by a clickjacker.  This will also make it slightly harder to steal any copyrighted content that you publish online though it may disrupt legitimate uses of <a href=http://en.wikipedia.org/wiki/IFrame>frames</a>.</p>
<p>As an internet reader, your best defense against clickjacking is to disable <a href=http://rossander.org/infosec/2007/09/active-content-defined/>JavaScript</a>.  If you are a <a href=http://www.mozilla.com/en-US/>Firefox</a> user, you can add the &#8220;NoScript&#8221; extension to your browser.  NoScript lets users selectively block the scripts on each page.  Because clickjacking requires scripts, the attack fails when NoScript is active.  If you are an Internet Explorer user, you can control your JavaScript permissions via Tools/Internet Options or you can upgrade to IE 8 for their embedded protection.</p>
<p>You can read more about clickjacking at <a href=http://en.wikipedia.org/wiki/Clickjacking>wikipedia.org</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/02/clickjacking-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web certificates &#8211; defined</title>
		<link>http://rossander.org/infosec/2009/01/web-certificates-defined/</link>
		<comments>http://rossander.org/infosec/2009/01/web-certificates-defined/#comments</comments>
		<pubDate>Mon, 12 Jan 2009 18:54:14 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[digital certificate]]></category>
		<category><![CDATA[web certificate]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=4</guid>
		<description><![CDATA[Web certificates are small pieces of code used to confirm that a company or website is who it says it is.  Certificates can help verify a company and reduce risk - if you know what to look for.
]]></description>
			<content:encoded><![CDATA[<p>You just got a popup on your computer that &#8220;there is an error with XYZ&#8217;s certificate&#8221; and asking whether you&#8217;d like to accept the certificate forever, accept it only for one visit, or choose not to accept it.  (See the example below)  What exactly is a web site certificate and should you accept it or not?</p>
<p><a style="float: right;" onclick="window.open( this.href, '_blank', 'width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0' ); return false" href="http://westfieldinsurance.typepad.com/.a/6a00e5540bff8a8834010536bf28e9970b-popup"><img class="at-xid-6a00e5540bff8a8834010536bf28e9970b" style="margin: 0px 0px 5px 5px;" src="http://westfieldinsurance.typepad.com/.a/6a00e5540bff8a8834010536bf28e9970b-320wi" alt="Certificate" /></a></p>
<p>Certificates are small bits of code used by organizations to show that they are who they say they are online. Certificates are generally purchased from third parties called &#8216;certificate authorities&#8217; – trusted companies who give the on-line equivalent of a Good Housekeeping seal of approval on the connection. Note: Certificate authorities do not evaluate the company, the website or their products. A certificate does not mean that the site is free of viruses or other malicious content. Certificate authorities merely verify that the web address actually belongs to the organization buying the certificate. When you type a URL or follow a link to a secure web site, your browser will check the certificate to make sure that the web site address matches the address on the certificate and that the certificate is signed by a certificate authority that the browser recognizes as a &#8220;trusted&#8221; authority.</p>
<p>If the organization wants to set up a secure website (that is, one that uses https instead of just http and has the yellow padlock in the bottom right of the window), they will need a site or host-certificate to set up the encryption. By making sure that the website encrypts your information and has a valid certificate, you can reduce your online risks.</p>
<p>The problem is that almost anyone can create the piece of code that looks like a certificate. Many legitimate companies want to set up secure connections but don&#8217;t want to pay extra to the certificate authority for verification so they self-generate a certificate. Hackers can generate certificates, too, and use them to more closely mimic the legitimate secure site.</p>
<p>If the certificate is not from a trusted authority that your browser recognizes (there are about 100 trusted authorities loaded into your browser by default) or has some error or inconsistency, you have to decide whether or not to trust the web address and allow the connection.</p>
<p>To verify a certificate, look for the certificate feature in the browser&#8217;s menus. In Internet Explorer, you can find it under File/Properties when you are on the secured site. When you click on the certificate button, it should show:
<ul>
<li> who issued the certificate &#8211; Make sure that the issuer is a legitimate, trusted certificate authority.</li>
<li> who the certificate is issued to – This should match the owner of the web site.</li>
<li> expiration date &#8211; Most certificates are issued for one or two years. Be cautious of certificates that are valid for longer than two years or that have expired.</li>
</ul>
<p>If you want to see all of the certificates currently on your machine, try Tools/Internet Options/Content and look for the certificate button.</p>
<p>If you have the time and need, you can verify every aspect of the certificate by contacting the company or the certificate authority. For most sites, you don&#8217;t need to bother. But if it&#8217;s a connection that you&#8217;re using for highly confidential information (like your banking website) or if you have a reason to be suspicious of the site (perhaps a phishing site), take the time to verify the certificate. You&#8217;ll only have to do it once – your computer will remember your decision thereafter.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2009/01/web-certificates-defined.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/01/web-certificates-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rootkits &#8211; defined</title>
		<link>http://rossander.org/infosec/2008/09/rootkits-defined/</link>
		<comments>http://rossander.org/infosec/2008/09/rootkits-defined/#comments</comments>
		<pubDate>Mon, 22 Sep 2008 19:12:18 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=19</guid>
		<description><![CDATA[Every once in a while, security geeks talk about &#34;rootkits&#34; in tones of fear or loathing. Here&#8217;s what we&#8217;re talking about and why we worry about them (and why you should, too). A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to [...]]]></description>
			<content:encoded><![CDATA[<p>Every once in a while, security geeks talk about &quot;rootkits&quot; in tones of fear or loathing. Here&#8217;s what we&#8217;re talking about and why we worry about them (and why you should, too).</p>
<p>A rootkit is a particular type of malicious software. It is different from an ordinary <a href=http://rossander.org/infosec/?p=130>virus</a> in that it is specifically designed to seize control of your computer at the highest possible level. (In the old unix terms, this was called &#8216;root&#8217; access &#8211; the equivalent level of authority in Windows is &#8216;administrator&#8217;.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a <a href=http://rossander.org/infosec/?p=80>botnet</a>) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can&#8217;t.</p>
<p>Rootkits are also different in that they generally limit themselves to seizing <i>and holding</i> control of one system &#8211; a virus, on the other hand, will try to spread itself to other computers. Rootkits are also often <i>kits</i>, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.</p>
<p>Rootkits frequently masquerade themselves as other files and/or deliberately hide files from programs that are used by legitimate administrators to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.</p>
<p>Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers&#8217; computers to exploitation by anyone who knew to look for the backdoor the rootkit created.</p>
<p>To defend against rootkits:
<ul>
<li> Practice safe surfing &#8211; don&#8217;t go to virus-infected websites. Music-sharing, video, software, porn, hacker and other &#8216;gray&#8217; websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, &#8220;<a href=http://www.phrases.org.uk/meanings/tanstaafl.html>there ain&#8217;t no such thing as a free lunch</a>&#8221;. If they&#8217;re not making money through sales or advertising, they&#8217;re probably getting something else out of the deal – don&#8217;t let that something be your computer.</li>
<li> Keep your <a href=http://rossander.org/infosec/?p=93>antivirus program</a> on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.</li>
<li> Keep all the applications on your computer fully <a href=http://rossander.org/infosec/?p=52>patched</a>.</li>
<li> Keep your <a href=http://rossander.org/infosec/?p=48>firewall</a> turned on and locked down as far as you can go. This won&#8217;t necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.</li>
<li> Turn off your computer when you&#8217;re not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn&#8217;t exposed to exploit while it&#8217;s turned off.</li>
<li> If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they&#8217;re that hard to get rid of.</li>
</ul>
<div align=right><small><i>based in part upon content from <a href=http://en.wikipedia.org/wiki/Rootkit>Wikipedia</a><br />From <a href=http://infosec.westfieldinsurance.com/2008/09/rootkits---defi.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/09/rootkits-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Filesharing &#8211; defined</title>
		<link>http://rossander.org/infosec/2008/08/filesharing-defined/</link>
		<comments>http://rossander.org/infosec/2008/08/filesharing-defined/#comments</comments>
		<pubDate>Mon, 18 Aug 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Home Computer]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=24</guid>
		<description><![CDATA[All the kids are doing it. And depending on which news reports you read, it&#8217;s either the inevitable wave of the future or another sign of the collapse of our society &#8211; or both. But what is filesharing really? Filesharing is the term for software designed to make it easier for you to share stuff [...]]]></description>
			<content:encoded><![CDATA[<p>All the kids are doing it. And depending on which news reports you read, it&#8217;s either the inevitable wave of the future or another sign of the collapse of our society &#8211; or both. But what is filesharing really?</p>
<p>Filesharing is the term for software designed to make it easier for you to share stuff through your computer with other people. (I use the technical term &#8220;stuff&#8221; here because you can share literally any electronic file through these tools but the most common shared files are documents, music files and videos – and viruses. More on that in a minute.) The most common form of filesharing is &#8220;peer-to-peer&#8221; (P2P) sharing, a way to share files directly from your computer to someone else&#8217;s computer without needing to store it on a server somewhere. If I want to download a file that you&#8217;ve offered up for sharing, I reach through the internet and grab it directly off your computer.</p>
<p>This kind of filesharing requires <a href=http://compnetworking.about.com/od/p2ppeertopeer/tp/p2pfilesharing.htm>special software</a> such as Limewire, BitTorrent or Kazaa. These applications create an index of the files that you&#8217;ve offered for sharing and publish the index to the Internet so others can find your files. They also let you access the index and download the files you want. Filesharing is an easy way to publish documents widely and can get you access to all kinds of free content. Music is especially easy to find.</p>
<p>The problem with filesharing is that it exposes you and your computer to all sorts of risks that are not disclosed by the filesharing network or those &#8220;friends&#8221; who are pressuring your kids.
<ul>
<li> When you use P2P, it is essentially impossible to verify that the file is trustworthy. Hackers hide <a href=http://rossander.org/infosec/?p=43>spyware</a>, <a href=http://rossander.org/infosec/?p=130>viruses, worms and trojan horses</a> and other malicious code into the files. When you download the file, you infect your own computer.</li>
<li> P2P also opens up your computer to outsiders. The applications claim to only expose certain directories but 1) you don&#8217;t know if the application is locking the folders down properly and 2) it&#8217;s too easy to misfile a confidential document in a shared folder. Any little mistake opens up your confidential information to the world.</li>
<li> Most P2P applications require you to open up certain ports on your <a href=http://rossander.org/infosec/?p=48>firewall</a> so they can send or receive the files. Hackers exploit those open ports to attack your computer directly anytime it is connected to the internet.</li>
<li> And, of course, the big risk that got so much press when <a href=http://en.wikipedia.org/wiki/Napster>Napster</a> was being sued into bankruptcy is the phenomenally high proportion of copyrighted material being illegally offered for &#8220;sharing&#8221;. If you download pirated content, <b>even unknowingly</b>, you could face fines or other legal action. The Recording Industry Association of America (RIAA) is especially aggressive about finding and suing individual users who have illegally copied content on their computers.</li>
</ul>
<p>If you run a network, either at a business or at home, I strongly recommend that you block filesharing sites. Remember, you go to jail or pay the fine whether the people using your network downloaded the illegal software with your knowledge or not. If you have kids, turn on your computer&#8217;s parental controls and block those sites. Teach your kids to buy their music legitimately.</p>
<div align=right><small><i>Based in part on <a href=http://www.us-cert.gov/cas/tips/ST05-007.html>US-CERT Cyber Security Tip ST05-007</a><br />From <a href=http://infosec.westfieldinsurance.com/2008/08/filesharing---1.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/08/filesharing-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain registration &#8220;alerts&#8221;</title>
		<link>http://rossander.org/infosec/2008/08/domain-registration-alerts/</link>
		<comments>http://rossander.org/infosec/2008/08/domain-registration-alerts/#comments</comments>
		<pubDate>Mon, 04 Aug 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Specific Alerts]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=25</guid>
		<description><![CDATA[Westfield recently started receiving &#34;alerts&#34; about internet domain registrations from a company in Asia. This company claims to have received an application for internet domains that are close to Westfield&#8217;s main domain, westfieldinsurance.com, but carry different suffixes such as westfieldinsurance.net.cn, westfieldinsurance.hk or westfieldinsurance.asia. The email claims that the company &#34;discovered&#34; that the brand keyword matched [...]]]></description>
			<content:encoded><![CDATA[<p>Westfield recently started receiving &quot;alerts&quot; about internet domain registrations from a company in Asia. This company claims to have received an application for internet domains that are close to Westfield&#8217;s main domain, <tt>westfieldinsurance.com</tt>, but carry different suffixes such as <tt>westfieldinsurance.net.cn</tt>, <tt>westfieldinsurance.hk</tt> or <tt>westfieldinsurance.asia</tt>. The email claims that the company &quot;discovered&quot; that the brand keyword matched our name and trademark and asks someone to contact them &quot;before we finish the registration&quot; for the other company.</p>
<p>On the Internet, the <a href="http://en.wikipedia.org/wiki/Domain_Name_System">domain naming system</a> treats every combination of domains as a unique destination. Owning <tt>example.com</tt> gives you no special rights to <tt>example.org</tt>. And while you may be able to make a case for trademark infringement, the domain naming system has a strong bias in favor of &quot;first-come, first-served.&quot; If a domain name is important to your brand, you need to act to protect it.</p>
<p>If you&#8217;re not already monitoring internet domain registrations that are similar to your trademark and business, you really should start. There are several good monitoring services out there, some that will send daily alerts for free. Remember, however, that you can&#8217;t commandeer every possible variation of your domain – there are just too many possibilities. Get the domains that you think are most important and monitor the rest.</p>
<p>The message from the Asian company, however, is a scam. We have traced two different types of these messages so far. In the first case, it was a straightforward con for a credit card number. In the second case, it was an actual domain registrar using questionable tactics to generate business. In both cases, we investigated the company &#8211; a Google search on some keywords from the email will often return examples of others who have run into the same con &#8211; and decided not to respond to their phishing attempt.</p>
<p>If someone registers a domain name similar to yours, look at the domain registration. (There are several excellent lookup tools on the web. I tend to use <a href=http://whois.domaintools.com>whois.domaintools.com</a>.) If the other person registering the domain appears to be a legitimate business that just happens to have a similar name to yours, don&#8217;t worry too much about it. We regularly bump into the Westfield Group that owns Westfield Shoppingtown Malls (an Australian firm). We also know about domains registered to a car repair shop on a Westfield Road in Indiana. There&#8217;s no connection and no evidence of fraud – and they got to the domain first. As long as they keep the domain out of the phishers&#8217; hands, I can live with that. I also don&#8217;t worry too much about the domain resellers who buy the domain name then &#8220;park&#8221; it with some generic ads. (<a href=http://www.westfieldinsuranceco.com/>Here</a> is an example.) As long as there&#8217;s no evidence of misuse and no obvious confusion with my brand, I&#8217;m willing to let most of those sit.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/08/domain-registra.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/08/domain-registration-alerts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Metadata &#8211; defined</title>
		<link>http://rossander.org/infosec/2008/07/metadata-defined/</link>
		<comments>http://rossander.org/infosec/2008/07/metadata-defined/#comments</comments>
		<pubDate>Mon, 21 Jul 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Records Retention]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=27</guid>
		<description><![CDATA[Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really? Technically, metadata is data about other data. If the customer&#8217;s address is data, the number of entries in your address book is metadata. If [...]]]></description>
			<content:encoded><![CDATA[<p>Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really?</p>
<p>Technically, metadata is data about other data. If the customer&#8217;s address is data, the number of entries in your address book is metadata. If the body of a Word document is data, the date you last opened the file is metadata. If the values in an Excel spreadsheet are data, the formulas in each cell are metadata.</p>
<p>From a legal point of view, metadata is everything about the document that&#8217;s not immediately visible when the document is printed. It includes all the MS Office &quot;properties&quot; like file size, author and character count. It also includes any hidden features such as the old versions that are still buried in the document when you leave the Track Changes option on. It includes formulae in spreadsheets and formatting commands like the print area.</p>
<p>For most normal uses, the metadata about a document is just background. We take it for granted and almost always ignore it. But if your metadata reveals facts that you wanted to keep private, it can be embarrassing and expensive. In one case, a major pharmaceutical company deleted some study data from a report – and got caught when the New England Journal of Medicine looked in the Tracked Changes to show the deleted comments. In another case, a confidential White House policy paper about Iraq was outed when a quick command revealed the report&#8217;s author. In yet another case, officials covered up classified information with black bars, not realizing that readers could easily uncover the text by copying it from under the black and pasting it elsewhere.</p>
<p>When you get into a legal situation, metadata becomes even more important. Metadata is used to show &#8220;who knew it and when they knew it&#8221; – to provide the context around the document in question. Metadata can either clear you or convict you. Because of its importance, metadata must be preserved and unaltered when you are collecting documents that will be used in court. This is hard because routine Windows operations will change the metadata just by opening the file. Make sure that you have the tools you need to keep metadata intact before you get into the lawsuit.</p>
<p>And, of course, be very careful before you post a document publicly. Make sure you clean out the metadata that you don&#8217;t want public.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/07/metadata---defi.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/07/metadata-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What your footprints say about you</title>
		<link>http://rossander.org/infosec/2008/07/what-your-footprints-say-about-you/</link>
		<comments>http://rossander.org/infosec/2008/07/what-your-footprints-say-about-you/#comments</comments>
		<pubDate>Mon, 14 Jul 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Home Computer]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=28</guid>
		<description><![CDATA[Most people surf the web and chat online thinking that they are hidden behind the anonymity of the computer screen. Few people realize that they are leaving footprints all over the web anytime they go online. Here are some of the things that are automatically sent to the website&#8217;s computer whenever you visit the site: [...]]]></description>
			<content:encoded><![CDATA[<p>Most people surf the web and chat online thinking that they are hidden behind the anonymity of the computer screen. Few people realize that they are leaving footprints all over the web anytime they go online. Here are some of the things that are automatically sent to the website&#8217;s computer whenever you visit the site:</p>
<ul>
<li>Your IP address &#8211; Every computer on the internet is assigned a specific, unique IP (internet protocol) address. That IP address can&#8217;t be easily traced to a name directly except by your internet service provider but it can be correlated with your other online activity. So if you disclose your name in a blog or when writing a book review, someone might be able to trace that back and match it to your other internet habits. You can look up your current IP address at <a href="http://www.showmyip.com/" target="_blank">showmyip.com</a>.</li>
<li>Your computer&#8217;s software load &#8211; Many websites want to know what web browser you are using (including which version). Legitimate sites use this information to adjust for differences between the way browsers display the webpage. A page that looks fine on Internet Explorer may not display properly through Mozilla&#8217;s Firefox so the website developer adds code to tweak the display based on your browser. Unfortunately, the information sent to the website does not end with the browser. They may also be able to read your operating system and other details.</li>
<li>Your page visit history &#8211; The website can often track which pages you visited, how long you stayed on a given page and where you were just before you came to the website. (This is often helpful for companies who want to know if you came to the site from a search engine and if their advertising dollars are being well-spent.)</li>
</ul>
<p>If a web site uses <a href=http://rossander.org/infosec/?p=79>cookies</a>, they can collect even more information. The information they can collect about your browsing habits is limited only by their own privacy policy.</p>
<p>On the other hand, if the site you&#8217;re visiting is malicious, all bets are off. Your privacy is completely dependent on the strength of your antivirus/antispyware programs and how up-to-date you keep your patches. Hackers at these sorts of sites can use all sorts of techniques to either steal information or trick you into revealing more than you intended. They will try to steal passwords (knowing that many people reuse the same password and that, by compromising this password, they have a very good guess at your online bank or work password), load <a href=http://rossander.org/infosec/?p=130>viruses</a> and may even attempt to alter the security settings on your computer so that they can access and use your computer for other malicious activity.</p>
<p>You can reduce the amount of information revealed about yourself by only visiting legitimate sites, checking privacy policies and paying careful attention to the personal information you provide. Don&#8217;t post your address, password, or credit card information unless you trust the site. Look for indications that the site uses SSL to encrypt your information. Limit what cookies you allow and be careful which web sites you visit; if it seems suspicious, leave the site.</p>
<p>And, of course, always keep your <a href=http://rossander.org/infosec/?p=93>antivirus software</a> up-to-date and your computer fully <a href=http://rossander.org/infosec/?p=52>patched</a>.</p>
<div align=right><small><i>Based in part on <a href="http://www.us-cert.gov/cas/tips/ST05-008.html">US-CERT Cyber Security Tip ST05-008</a><br />From <a href=http://infosec.westfieldinsurance.com/2008/07/what-your-footp.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/07/what-your-footprints-say-about-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

