Mom and Dad, It's Time To Get Secure

Wednesday, October 27, 2010

Niko DePofi


Dear Mom and Dad...

I know that the computer is almost a foreign language to you, so I thought I'd put together a decent, basic primer on how to keep your information safe when using a PC.

First things first:

Passwords

Never, ever, use the dog's name. Or the kids' names, your mother, father, high school, college, favorite NASCAR driver (or the word NASCAR), or anything else that somebody who KNOWS you could guess in less than five minutes.

Recent demonstrations have shown that there are systems that can break even long, complex passwords in seconds (see 'Cracking 14 Character Complex Passwords in 5 seconds'); however, most 'bad guys' don't have that kind of equipment, and most home users won't face that level of attack.

So, the basics. Pick something that can't be easily guessed, or is totally random. Totally random is safer, but harder to remember, and writing the password on a sticky note is a bad idea even in your own home.

For home users, picking something they can see from the desk, even if it's just an oak tree outside the window, can provide quick, easy, hard-to-guess passwords with a little modification.

For example, if you are at your desk, and you can see an oak tree outside your window, to the west of your house, you can use "Oaktreewest" with the following changes: Capitalize a couple of letters, change some vowels to symbols, change some letters to numbers. 

This isn't a cut-and-dried method, though some conventions have settled in the gaming community, such as using a '3' for an 'e,' a '1' for an 'i' or an 'l,' etc.

Quickly applying that method, we end up with 'O@ktR33w35T' without much effort. The first letter, the 'r,' and the last 't' are capitalized; the 'a' becomes an '@,' which is easy to remember; every 'e' becomes a '3;' and the 's' becomes a '5,' again, easy to remember. Keep in mind that the phrase itself is what makes the password hard to guess: password-cracking programs try these same letter swaps automatically, so the '3's and '5's mainly help you satisfy 'must contain a number' rules rather than defeat a determined cracker.
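The substitution method above, written out as code. This is an added example for this post, not the author's own; the substitution table, the letter positions and the little wordlist are constructed for illustration. The second function goes a step beyond the text: it undoes the swaps the way a password cracker's rule file does, which shows that the phrase you start from, not the '3's and '5's, is what actually keeps a password out of a wordlist attack.

```python
import itertools
from typing import Iterable, Set

# The swaps the letter uses (a->@, e->3, s->5) plus the gaming-community
# i/l->1 it mentions. Constructed table for this example.
SUBS = {"a": "@", "e": "3", "s": "5", "i": "1", "l": "1"}

# Undoing the swaps. A '1' could have been either an 'i' or an 'l', so the
# reverse map lists every possibility.
REVERSE = {"@": ["a"], "3": ["e"], "5": ["s"], "1": ["i", "l"]}


def mangle(phrase: str, capitalize_at: Iterable[int] = (), keep: Iterable[int] = ()) -> str:
    """Apply the post's method to a phrase: capitalise the letters at the
    given positions, leave the positions listed in `keep` alone, and swap
    every other letter that has an entry in SUBS."""
    caps, untouched = set(capitalize_at), set(keep)
    out = []
    for i, ch in enumerate(phrase.lower()):
        if i in caps:
            out.append(ch.upper())
        elif i in untouched:
            out.append(ch)
        else:
            out.append(SUBS.get(ch, ch))
    return "".join(out)


def base_phrases(mangled: str) -> Set[str]:
    """Every phrase the mangled password could have come from. This is what
    a cracking tool's rule file does: lowercase, undo the common swaps, and
    try each result against a wordlist."""
    choices = [REVERSE.get(ch, [ch]) for ch in mangled.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def falls_to_wordlist(mangled: str, wordlist: Set[str]) -> bool:
    """True if undoing the swaps lands on a word the attacker already has."""
    return not base_phrases(mangled).isdisjoint(wordlist)


# Constructed stand-in for a cracker's wordlist; real ones hold millions.
WORDLIST = {"password", "letmein", "slimjims", "nascar", "rover"}

if __name__ == "__main__":
    print(mangle("oaktreewest", capitalize_at=(0, 4, 10)))      # O@ktR33w35T
    print(mangle("slimjims", capitalize_at=(3,), keep=(1, 2)))  # 5liMj1m5
    print(falls_to_wordlist("5liMj1m5", WORDLIST))              # True
    print(falls_to_wordlist("O@ktR33w35T", WORDLIST))           # False
```

'5liMj1m5' (the example from later in this post) undoes to 'slimjims', a word a wordlist is likely to hold, so the swaps buy little there; 'O@ktR33w35T' undoes to 'oaktreewest', which is not a dictionary word and is only guessable by someone who knows what is outside your window.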

Also, if you live in a house with other people who you do not want to have administrative rights, set up your screensaver to ask for a password, and set the timer to just a few minutes. 

(Right click in the middle of the desktop and choose 'Personalize' at the bottom, then in the right hand lower corner, choose 'Screensaver.') 

I've seen people who couldn't figure out how Little Bobby, at twelve years old, got his account promoted to Administrator, when all Little Bobby did was sit down while somebody with admin rights was still logged in, open the account settings, and promote himself.

This isn't corporate security level password methodology, but it helps at home.

Security Software

Yes, you need this. Everyone needs security software.  Most brands of PC come with a suite installed, however make sure you check how long the license is when you start the computer, because you need to pay for updates after a certain amount of time. 

Make sure updates are set to automatic if you have an always-on internet connection, and make certain that the software is set to update when the computer is turned on, or at a time when it will be on every day.

Yes, every DAY.  Not every week, not every month, every day.  Bad guys are working to get your money, and there are enough of them that the security industry sometimes puts out updates multiple times in one day, so you need to keep up.

Likewise, make certain that the software is set to do a FULL SCAN at least once per week, this means that the anti-virus software will start on schedule and scan everything on your computer.  Mine is set to do a full scan every day. 

Most suites now also have scanning for email (use it), phishing websites (use it), tracking cookies, etc. If you don't know what an option does, use Google, or sometimes the tool-tip on the item will describe it for you.

Either way, the more of those checks you turn on, the better off you are.

Users

Separate users. I know, I know, 'I'm not a computer person! I don't know how to do these complex things!'

It isn't hard at all, in fact, I'll show you how to do this, right now.

On Windows 7, click Start. On the right hand side of the Start menu, roughly four lines up, you'll see 'Control Panel,' click on that. (I say 'roughly' because this can be customized, and some manufacturers may have changed this menu when installing software on your computer.)

When the Control Panel window opens, on the right hand side, you'll see 'User Accounts and Family Security.'  Take a few minutes to look around in there, I'll wait.

Ok, now that you've looked around, you'll notice that, really, there aren't that many things in there: User Accounts, Parental Controls, Windows CardSpace, and Credential Manager.

In this instance, click on 'Add or Remove User Accounts' to add a new user.  Now you'll see a list of current users, as icons, and directly under that window, 'Create a new account.' 

Click on that, and for everyone who ISN'T in charge of the computer, but who uses it, create a 'Standard User' account.

It's much harder for Standard Users to break your computer. Much, much harder. One industry best practice (that almost nobody I've met follows) is to make your own everyday account a Standard User too, so that YOU have to think about what you're doing before breaking the computer by accident.

That extra password entry, or changing to the other account, means you'll have had time for the idea to perk through your brain, or perhaps you'll even say 'nah, that's too much effort just to view a bikini video my friend sent me out of the blue.'

Ok, now, for the other users, I'd suggest making them read this, then log into their new accounts and create passwords using this guide, but afterward, come back, I'm not done yet.

Et tu, Email?

Everyone gets hit in the email department eventually. I've gotten hit, my parents, my ex-wife, everyone.  Sometimes it has NOTHING TO DO WITH YOU. 

Somebody else had their system compromised by a piece of malware, and your email was on their address list, so a huge batch of emails is sent out that looks like you sent them.

It happens. Chill. The first thing to do is scan your computer, right then, with your security software.  DO NOT immediately send everybody on your address list an apology, until you are certain your system is clean, you might just be sending the malware to everybody on that list.

Next, find ANOTHER scanner, something like Malwarebytes, or Trend Micro's online free scan, and run THAT, too. I always use something from a different company than my primary software, just to cover my bases.

After the system is clean, or after you've found what is wrong (if anything), THEN send out a massive group email, with something like "regarding the email you received from this account earlier (reference the email here), DO NOT click on it, delete it immediately."  Hopefully it's not too late.

Email attachments, unless they are from a very trusted source, and something you were either expecting, or recognize, aren't a good idea. 

I've stopped checking out the often funny PowerPoint (ppt) attachments that come my way, mainly out of paranoia, but every bit helps. 

The same applies to links. Web addresses (URLs) have become so long that companies exist just to shorten them, even though easy ways to hide a link behind readable text have existed for quite some time. A service like Bit.ly creates a short, unrecognizable link to whatever the sender chose to shorten.

Like http://bit.ly/do7fWj (If you clicked on that, start from the beginning and read this whole thing again .)

So be suspicious.  A nice rule of thumb is this: if Aunt Mary walked up to you and spewed "http://bit.ly/do7fWj" out loud, you would think something is wrong with her. If you receive an email from her with just that link, hey, something is wrong here.

Other things to beware of: Nigerian princes, anyone offering to sell any kind of medication, and game company emails that link to a website that isn't the company's own (one recent one was for us.battle-cata.net for Warcraft, which is NOT the correct website). This is simple to check.

If you get a strange email that claims to be from Wal-Mart, and the link included is for www.wal-mart.us.com, guess what? Wal-Mart doesn't add 'us' to its address.

The simple way to check this is to open a browser, go to Wal Mart's page on your own, and search for the 'deal' that was emailed to you.  You won't find it, but that's how you check to be certain.
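The 'does this link really go to that company' check above, as code. This is an added example for this post, not the author's own; the table of real addresses, the list of link shorteners beyond bit.ly, and the sample links are constructed for illustration. It goes a little beyond the two addresses the post names and also catches three common lookalike tricks: the real name tacked on the front of a stranger's domain, the real name placed before an '@' so the browser goes somewhere else, and a shortener that hides the destination altogether.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Where the real sites live. Constructed lookup for this example; the
# reliable way to fill it in is to type the address yourself, as the post says.
KNOWN_GOOD = {"walmart": "walmart.com", "blizzard": "battle.net"}

# Services that hide the destination behind a short link (bit.ly is the one
# the post names; the others are assumed for the example).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}


def host_of(url: str) -> str:
    """Pull the host name out of a link. A bare 'www.example.com/deal' is
    given a scheme first so urlsplit does not treat it as a path. Using
    .hostname also drops any 'user@' part, which is how the '@' trick works."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only when host is domain itself or a subdomain of it. The dot
    matters: 'www.wal-mart.us.com' does not end in '.walmart.com', and
    neither does 'walmart.com.evil.example'."""
    return host == domain or host.endswith("." + domain)


def check_link(url: str, claimed_sender: str) -> Tuple[bool, str]:
    """Decide whether a link in an e-mail really leads to the company the
    e-mail claims to be from. Returns (looks_legitimate, reason)."""
    host = host_of(url)
    good = KNOWN_GOOD[claimed_sender]
    if host in SHORTENERS:
        return False, f"{host} is a link shortener; the real destination is hidden"
    if belongs_to(host, good):
        return True, f"{host} belongs to {good}"
    return False, f"{host} is not {good}; treat as phishing"


if __name__ == "__main__":
    # Constructed inputs: the two addresses the post calls out, plus the
    # lookalike tricks the same check catches.
    for link in [
        "http://www.walmart.com/deals",
        "http://www.wal-mart.us.com/deals",
        "http://walmart.com.evil.example/deals",
        "http://www.walmart.com@evil.example/deals",
        "http://bit.ly/do7fWj",
    ]:
        print(link, "->", check_link(link, "walmart"))
    print(check_link("http://us.battle-cata.net/login", "blizzard"))
```

The check only answers 'is this the company's own domain'; it says nothing about whether the deal is real, which is why the post's advice to go to the company's site yourself and look for it still stands.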

Kids, Cousins, and Creepy Uncle Bill

One of the major reasons for setting up non-administrator accounts for people earlier is that kids and house-guests who are on your computer may have this annoying tendency to install something they have at home on it, download things, do things you wouldn't want them to do, any one of which can be an opportunity for a security issue. 

This way, if the grand kids let their friends on the computer, again, not much they can do.

A few other ways to take care of this: don't let anyone else on your computer; set up a 'Guest' account with ZERO privileges; keep an old computer that you replaced because it was so slow that Daylight Saving Time arrives before Windows loads, just for those pesky guests; or, hey, don't let anyone else on your computer.

I've even had guests break my computer CHAIR, so this is sage advice from one who has been chair-less.

I don't care if they haven't updated Facebook in over ninety seconds, unless there is a legitimate reason to sit at that computer, like Twitter, tell them 'no.'

FaceBook Twittered me to get LinkedIn to MySpace

Regardless of the social network, and there are more social networks every day, keep this in mind:  if you wouldn't put the information on a BILLBOARD overlooking the closest four-lane highway, don't put it on a social network.  Ever. 

In fact, put as little personal information as possible in your profile, you're more than likely using the network to keep in touch with school friends, family, and extended family, so they don't need all of the claptrap, whereas identity thieves LOVE that kind of information.

On Facebook particularly, there are a lot of confusing settings. Get them wrong, and your complaint to an old college football teammate about how you can't wait to retire, your snot-nosed boss keeps wetting his diaper over productivity could be posted on the bulletin board at work the next day. 

Or you could end up with several thousand dollars of fraudulent credit card debt, and somebody running around buying cars with fake ID in your name, with their picture on it.

In this day and age, it's quite difficult to work, play, eat, sleep, and follow your friends without these social networks, just keep in mind that really, it's a PUBLIC forum, not just between friends, and give the programs the minimum resources they need to accomplish what you want.

Speaking of programs, be wary of the fifty thousand 'apps' for Facebook, you don't need them, and Farmville is annoying.

As is Mafia Wars, Vampire Wars, Dragon Wars, Pencil Wars, and Tomato Wars....  I have a standing 'BAN' threat to everyone on my friends list if I get dumped on by these 'requests.'

But... but... but....

"Antivirus software is expensive!!!"  So is straightening out your credit after buying a used Maserati in Atlanta, even though you live in Tampa and have never bought one in your life.  Seriously, security software is a lot cheaper than having your bank account emptied by a thief.

"I can't remember those nasty long passwords!"  Yes, you can.  How many phone numbers, addresses, birthdays, anniversaries, TV show listings, movie quotes, recipes, sports statistics, roads, etc do you remember right now? 

This is much, much simpler than that, which is why I suggested you use the method above.  5liMj1m5 for slimjims isn't that hard to remember.

"We don't keep anything important on the computer."  Yes, you do.  A list of everyone you keep in touch with, do business with, talk to, etc.  Every email address in your email contact list is a potential target, and hey, even though it's easy to prove you didn't scam them, the email CAME from your account. 

Everyone who has a computer, no matter how clean they think it is, has some information on it they do NOT want falling into the hands of a criminal. 

At the very minimum, even a freshly installed computer without so much as your name on it can become a zombie in a botnet, and nobody wants to help the bad guys, so yes, you need security software.

"All those user names are a pain in the butt!" They are there for a reason, keeping information separate, and making sure that only appropriate people can make changes.

"I don't have time to keep installing things for the other people!" Another reason for the user names: it makes people think before asking to have something installed, and prevents 'useless' software, which may be harmful software, from being casually installed. 

"I read the other day that no matter what you do, you can still get a virus on your computer!"  Yep, that's right. 

And no matter what you do, how often you wash your hands, use hand sanitizer, even if you wear a surgical mask, you will still get a cold, but that doesn't mean you use public restrooms without washing your hands, right? 

Looking at it another way, if your security software stops 99% of the threats that are floating around, it has the potential to stop millions of threats.

Millions.  Now, if somebody fired a shotgun at you, would you want 99% of the pellets to get stopped, or would you say 'heck, if one of those is going to hit me, let all of 'em hit me...'

The End

This isn't all that can be done.  There may never be a truly comprehensive list of 'what to do to stay safe,' but this is a decent primer. 

We didn't cover basic spam email issues, like knowing when to ask to be taken off an email list and when not to, because replying to a spammer's 'unsubscribe' address simply confirms that your address is real and read.

We didn't discuss shredding printouts, bills, etc, as part of privacy containment.  But this is a start...

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.