Is that online service or print driver safe?
Authored by: Fred Morgan, CTO, DocuSend.
Is This Thing Safe? (to Download, That Is)
Everybody likes the selection of tempting apps, add-ins, and utilities we see on the internet nowadays, especially when it’s something free or cheap. One example of a utility could be a macro that helps you write in Word, Excel, etc. But have you ever noticed that downloaded Word files don't have macros enabled?
Now, why would that be?
The software you want to download seems so innocent. A new game that you can play. A streaming service so you can watch a movie, or a funny clip about cats. It might be, as we said, a handy macro or a print driver (more on that later). This is what has made the PC so successful—anyone can write a helpful program, then either give it away free or charge a small fee. This has unleashed a storm of developers who have benefited, and so have we as users.
But unfortunately, it has resulted in some people taking advantage of the system to get what doesn't belong to them.
Programs that come onto your computer for one purpose but, unknown to you, are doing something else are called Trojans.
Why is it called a Trojan, you ask?
In Greek mythology, a war was fought over a woman named Helen, who was stolen from her husband, the king of Sparta, by a man from Troy. For 10 years the Greeks besieged Troy to capture her back. The Trojans were able to fight them off, until one day, the invaders packed up and left, leaving behind a huge wooden horse as a peace offering. The Trojans thought, how nice, they left us a trophy, and they wheeled it triumphantly into their city. Unfortunately for the Trojans, the horse was hollow and filled with elite soldiers, who opened the gates to the city in the middle of the night. The Greeks had only pretended to leave, and they came in and sacked the city, looting their golden treasures.
So now you probably can figure out why they call some software Trojans. You brought in a nice little utility or app because it was useful or perhaps merely entertaining, and it proceeded to hack into your system to gain access to everything that could be used to get your credit card information, passwords, etc.
That Word file, the one with the fascinating title, may have an embedded macro that will run as soon as you open the file, creeping through your computer and snooping around. This is exactly how so much identity theft occurs.
This is one gift horse you should look in the mouth!
Windows 10 will stop any new program on your system from accessing the internet, but you can allow it access. If you don't know a company well and haven’t checked them out thoroughly, you should not take their "free" offers. Every unknown piece of software you add increases the risk to your system.
Malicious software, also known as malware, could get into your private data when an infected app is connected to a Windows PC. Once the virus is in a computer, the things it might do are really scary. It could be set up to track keystrokes and disclose credit card numbers, account passwords, and even social security numbers.
If you find you have downloaded an infected app, you should uninstall it and then use a trusted antivirus app to scan your computer—check the reviews by pcmag.com to find one.
This is why we have to be so careful about downloading files, apps or even print drivers.
Oh, but it gets worse...
There’s a type of malware known as ransomware. “Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.” (Wikipedia)
How Important Is Website Security?
A site not being secure is not a problem if it’s merely informational, but any site that accepts your money should be secure.
And even if a website is legitimate, if it is not secure, it can still be risky to download something from it. A hacker can come in and swap out something you are about to download for an infected copy. Maybe 10 of your friends have been using the software and it was fine, but you could be the unlucky one who downloads it right after the hack occurs, before the site owner is alerted to the problem.
How do you know if a website is secure?
Look in the address bar at the first letters of the site. For example: https://www.docusend.biz is secure because it starts with https, but http://www.go2mti.com/ is not secure, because it doesn't have the 's.'
We know that’s a lot to take in already, but stay with us…
How Can You Protect Your Privacy?
Most people are aware that some major sites like Yahoo and Equifax have been hacked, losing customer data, passwords, etc. You might wonder why such large sites can be hacked, and if they can, what chance does the smaller business have of being safe.
Actually, larger companies can be in more danger. Telling a few people to watch what they download and enforcing that rule is much easier than getting every employee in a large company on board. Oddly enough, sometimes the hardest people to get to not take chances are upper management.
Here are a couple of things you can do (if you are a business owner, you don’t want to miss this next part):
1. Have an outside company do your security testing.
Even the most trustworthy people slip up at times, so instead of trying to enforce total employee compliance, the easiest solution is to have an outside company do your security testing. At DocuSend we use https://www.securitymetrics.com/, which frequently runs a rather extensive test on our system. The dark forces are always seeking to find holes, and because of that, programming languages, operating systems, and platforms are constantly updated to fix holes that hackers are attempting to exploit.
For instance, in 2018 we had to completely upgrade our main server to protect against this, although the server was only four years old. We upgraded the operating system, web server, TLS (Transport Layer Security, which encrypts the customer data we send and receive so no one can eavesdrop on it), language, database—pretty much everything.
2. Check out product reviews and ratings.
You can usually find reviews for the type of software you're considering. A search on “best what-it-does software” or “what-it-does software reviews” should turn some up. Just as (we hope) you don’t put as much weight on medical advice that doesn’t come from a trusted medical reference site like those of the CDC, the FDA, or Mayo Clinic, you should consider some software reviewers more reliable than others. Look for the ones from a major software magazine or other source whose reputation is on the line.
Above all, “A matter must be established by the testimony of two or three witnesses.” See if two or three reputable reviewers agree that the software you want to download is OK. If the software is open source, SourceForge.net is a good place to start.
How Does It Look?
Does the website that's offering the software look professional, or does it seem fly-by-night? Is it carelessly written, with grammatical errors and cheap-looking graphics? Is there significant content or just a page or two?
What you are looking for is a serious investment. The website—is it theirs, or did they clone someone else’s site so they can get you to download their software? That's pretty suspicious. If they stole content from someone, why wouldn’t they rip you off as well? At the very least, the copycat has put no effort into creating a website, which is an indication of how they might approach security issues and customer support.
This raises an interesting question...
How can we know who copied whom?
You can see when the domain name was registered by going to a website like https://www.networksolutions.com/whois/index.jsp and typing in the web address. Even if you don't see two sites that mirror each other, it's not a bad idea to find out how long the site you're considering using has been around.
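The domain-age check described above can also be scripted. This is an added example, not part of the original article: it reads the text of a WHOIS record and flags recently registered domains. The sample record is constructed, and the function names, label list and 180-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Registries label the registration date differently (assumed, non-exhaustive list).
CREATION_LABELS = ("creation date", "created on", "created", "registered on")
# Date layouts commonly seen in WHOIS output.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

# Constructed sample record on a reserved example name; paste real lookup text instead.
SAMPLE_WHOIS = """\
   Domain Name: NEW-DOWNLOADS.EXAMPLE
   Registrar: Example Registrar, Inc.
   Updated Date: 2024-05-02T09:10:11Z
   Creation Date: 2024-04-20T14:22:07Z
   Registry Expiry Date: 2025-04-20T14:22:07Z
"""

def parse_creation_date(whois_text):
    """Return the earliest registration date found in the record, or None."""
    dates = []
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in CREATION_LABELS:
            continue
        # Drop fractional seconds such as "14:22:07.0Z" before parsing.
        value = re.sub(r"(:\d{2})\.\d+", r"\1", value.strip())
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            dates.append(parsed)
            break
    # Registry and registrar sections may both list a date; keep the earliest.
    return min(dates) if dates else None

def assess_domain_age(whois_text, now=None, min_days=180):
    """Return (status, age_in_days); status is 'recent', 'established' or 'unknown'."""
    created = parse_creation_date(whois_text)
    if created is None:
        return ("unknown", None)      # no usable date: treat as unverified
    age = ((now or datetime.now(timezone.utc)) - created).days
    if age < 0:
        return ("unknown", age)       # date in the future: record is unreliable
    return ("recent" if age < min_days else "established", age)

if __name__ == "__main__":
    print(assess_domain_age(SAMPLE_WHOIS))
```

A "recent" or "unknown" result is a reason to look harder at the other signals in this article, not a verdict on its own.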
Don't Let Them Loot You
Especially beware of any software that wants the ability to move things from your system to another. Many of us are using software like that; for example, Google Drive and OneDrive both move files from your system to the cloud, and there is nothing wrong with that. In fact, it's great, since it gives you off-site backup. What isn't great is if you were to download Fred's pretty good cloud backup, from a person you don't know, just because it looks useful.
As a recommendation, look for online services that do not require you to download anything.
This is why, when we developed the DocuSend cloud-based mailroom, we wanted people to upload their files to us, instead of giving them a program that would do it for them. Writing a print driver isn't very hard, especially one to create PDF files. Most of them use Ghostscript underneath (which is open source).
Having a PDF print driver on your system is not a problem, since what it produces stays on your system. For those of you who didn’t know, print drivers convert what would be displayed on the screen into output for a printer. They are part of how modern operating systems work. A PDF print driver creates an electronic image of the text and graphics in your document and saves it as a PDF. So, if you create a mail merge document in Word using the Start Mail Merge command in the Mailings tab, then print it to a reputable print driver like CutePDF (http://www.cutepdf.com/), and then upload the resulting file to us, you know exactly what you are sending out.
This means that with DocuSend, you have complete control over what is leaving your system.
But if you download a print driver that is going to do all of that for you, you have to KNOW that all they are sending is the file you want them to send, because you have let in a potential Trojan that can unlock your computer and everything on it to a hacker.
So, What's the Upshot?
We at DocuSend consider financial documents extremely important and private, which is why we are constantly working at ensuring that only you and your customers see what you mail them. And with our DocuLink feature, even documents you email them can only be viewed by the recipient in a secure link.
We have 25 years' experience in mailing financial documents. We know this business.