Computer Security 101

[nerdv2]

Computer threats is everywhere, and in current day and age cyber attack come from many side, viruses, exploits, phishing attempt and so on.

 

This is a quick know-how in an attempt for improving the security and stability of your computer.

 

The Basics

• Update your BIOS
• BIOS/UEFI is used to perform hardware initialization during the booting process, by updating the BIOS it keep the firmware safe from rootkit that hard to detect and remove because it fixed the vulnerability within the motherboard and also sometime BIOS update also improve system stability.
• Configure the BIOS
  • Enable BIOS Setup Password
  • BIOS Password is the first line of defense to prevent malicious modification by a program or a person.
  • [Windows Only] Prioritize UEFI Boot and Enable TPM/SecureBoot (If supported)
  • SecureBoot protect your computer to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
  • Trusted Platform Module offers facilities for the secure generation of cryptographic keys, it is used by BitLocker.
  • [Additional] Disable Webcam and Microphone from the BIOS
  • This is a more elegant solution than taping your webcam and mic, if you really paranoid but don't want to destroy that dBrand skin.
• Run Windows Update
• I'm sure this is annoying, but WannaCry and Petya attack system that is out-of-date.
• Update your Browser, PDF Reader and Office Client
• Most of the attack on the office are coming from Word-macro files, infected PDF files. By updating your software it help to prevent malware from exploiting system vuln.
• Uninstall that Registry Cleaner
• Editing registry is dangerous. Most of the software I known is not fixing your computer, just making it worse. Read more: https://support.microsoft.com/en-us/kb/2563254
• Install Adblock
• While this is a controversial option, malicious advertising is a thing. And with installing AdBlock it help you while browsing from malicious JS injection from third-party ad provider and it also made the web look more cleaner.
• Install a password manager
• Having a multiple password is cumbersome, sometime it's better to remember one really hard and strong password that access the vault of randomly generated password. While it's kinda scary to store all your password in the same place, it's much better than re-using all your password. I recommend using BitWarden as it's much more faster and stable than the well known LassPass for your personal use.
• Windows Defender is a great AV for starter
• If you use Windows 8 and up, Windows Defender is already installed on your system. While there's a lot of AV vendors avalaible, if you really not sure what to use and don't know much about them just use Defender as a default. It's improving day by day.
• Install a third-party AV solution (optional)
• You may not trust the solution and came with default and know there much better solution available, feel free to choose which one you could rely on protecting your system. I included the Microsoft Approved Antivirus Vendor in the second post.
• Enable Windows Firewall
• Windows built-in firewall already capable to protecting you from network attack by blocking imcoming and outcoming connection by your application based on whitelist and blacklist data you provided.
• Change your router default admin password
• This is a best practice, there's a lot of malware try to inject your router using the default password from the manufacturer. By changing the password, it added the first barrier for the attacker before accessing your network.

If you had another suggestion feel free to add.

[nerdv2]

Advanced Stuff

• Update your router firmware
• By updating the firmware, the attacker will be harder to gain access by using exploits and vuln that open in your router.
• Enable Full Disk Encryption
• If you have sensitive data on your hard drive, by enabling Windows BitLocker or VeraCrypt on your computer helps to make your data secure from the attacker.
• Backup your stuff, always.
• In the event of catastrophic failures like your little brother spills his cereal to your rig or even your ex-girlfriend smashing that wonderful fully RGB PC you had, backup is always important. Encrypt your file and then save in the cloud or even do a full disk backup and clone. Either way you will had more confident when shit happens. Read this to learn more.
• Replace your AdBlock with hardware based ad-blocking
• AdBlock has it's downfall, it's slow and heavy for older system. Has controversial decision. If you feeling creative built a hardware based adblocking that rely on your router to do the stuff. Pi-hole are one of many open source solution available.

   

Paranoid Mode

• Enable VPN for everyday usage
• The ISP and any other 3 letter government are always tried to track you, legally or not. VPN are able to help combat this by masking your IP from another country.
• Install Tails
• Tails is an privacy-focused operating system based on Linux, are you sending stuff to WikiLeaks? Browsing that juicy stuff on Tor Network? Or even paranoid about the aliens in general, Tails is built for anonymity and privacy usage.

 

Let's be honest, there wasn't a such thing as a perfect security. Remember the "No system is safe." mantra.

 

Resources for more great stuff.

https://decentsecurity.com/

https://blog.malwarebytes.com/

https://nakedsecurity.sophos.com/

Microsoft Approved Antivirus Vendor

 

[ScratchCat]

You may want to change :

On 18/08/2017 at 9:31 AM, nerdv2 said:

Windows Defender is a great AV for starter

• If you use Windows 8 and up, Windows Defender is already installed on your system. While there's a lot of AV vendors avalaible, if you really not sure what to use and don't know much about them just use Defender as a default. It's improving day by day.

As it has had a couple of security issues and it's recognition rate is not the greatest.

IMHO it is good enough if you don't use the device as your main computer or are constantly downloading things.

 

[Boomwebsearch]

In general you need to use and keep proper security practices like the ones that are mentioned in other posts on this topic. This is because hackers are continually getting better and we need to maintain these practices in order from getting out information compromised. 

[LtStaffel]

NoScript, Ghostery, password manager.

[Boomwebsearch]

Another tip to keep your passwords from getting stolen is to make them with a combination of letters, numbers, and symbols if possible.

[imreloadin]

20 hours ago, Boomwebsearch said:

Another tip to keep your passwords from getting stolen is to make them with a combination of letters, numbers, and symbols if possible.

How exactly does that protect your passwords from getting "stolen"?

[Boomwebsearch]

On ‎9‎/‎28‎/‎2017 at 1:47 PM, imreloadin said:

How exactly does that protect your passwords from getting "stolen"?

This protects your passwords from getting hacked or compromised. 

 

On ‎9‎/‎27‎/‎2017 at 4:53 PM, Boomwebsearch said:

Another tip to keep your passwords from getting stolen is to make them with a combination of letters, numbers, and symbols if possible.

This protects your passwords from becoming hacked or compromised is what I mean. If you follow this tip, generally your passwords become more difficult for hackers to obtain and have access to an account of yours.

Edited October 1, 2017 by Boomwebsearch
I made a grammar(spelling) mistake in my writting.

[Ithanul]

On 9/27/2017 at 8:53 PM, Boomwebsearch said:

Another tip to keep your passwords from getting stolen is to make them with a combination of letters, numbers, and symbols if possible.

And, to never use the same password across several accounts.  Signal Sign On also is not a good idea for sites.

[Boomwebsearch]

One more important thing that I would like to add to this is that generally you should not click on suspicious links or emails, because they could cause harm to your computer, and possibly your data as well (on that computer and mapped network devices also).

[2FA]

On 9/28/2017 at 4:21 PM, Boomwebsearch said:

This protects your passwords from getting hacked or comprom

 

This protects your passwords from becoming hacked or compromised is what I mean. If you follow this tip, generally your passwords become more difficult for hackers to obtain and have access to an account of yours.

It makes it "harder" to guess. Generally if it's 8 or less characters though, a password cracking program can guess it relatively fast regardless of complexity. Length matters much, much more than complexity as it contributes more to entropy.

[SCHISCHKA]

My thoughts are I would write under headings using the types of attack e.g.

Physical 

Phishing/trojan

Worm/virus

For each of the types I would give real examples of each. I don't think noobs need an instruction list but an update in education because most only know two terms, virus and hacker, they don't know when they are being tricked/scammed.

 

You mentioned above about changing router password. I think this should not be an advanced extra but compulsory and high up on the list of things to do. You don't want your router to be part of a botnet.

 

Disk encryption only helps in physical theft. A computer only used for games holds game data that is not actually the property of the computer user. A gamer has no need for disk encryption, they only need security on their steam account access.

 

You mentioned ransomware but you left out backup drives. Must have two USB drives for important data. Malware tends to be released about 30 days after a Microsoft patch. So someone discovers a vulnerability, they tell ms, ms releases a patch and by doing so they tell the whole world this vulnerability exists so you need to upgrade/patch asap.

 

Oh yes one more only download and install direct from software publishers. Those video streaming sites a laden with JavaScript that prompt you to install dodgy "java" or flash plugins.

 

Adblock sucks, pi-hole is better because it catches every device using your router.

 

Passwords: think of a phrase or pick a page in a book, choose a very long one. Run an algorithm in your head or on your computer that will turn this easy to remember into something that looks like random numbers or letters. This way you can have different passwords that are long, randomised, and easy to remember. Do not use same password across different sites.

 

Email: 

Have separate accounts for work, family, for public/junk, for signing up to services like Facebook and this forum. If you have a public junk account that gets compromised you will not loose access to Facebook or steam etc. The account you use for steam or Facebook, never send email from this account or tell anyone it exists. Protonmail and tutanota.com are good free mail services.

[SCHISCHKA]

On 9/28/2017 at 9:53 AM, Boomwebsearch said:

Another tip to keep your passwords from getting stolen is to make them with a combination of letters, numbers, and symbols if possible.

The man who invented this advice was in the news earlier this year apologising for this. How about throw a phrase you can remember into a hashing algorithm? You can remember it, the password is long, the password appears random. The rationale behind the original advice was to make a password that does not exist in a dictionary.

[Boomwebsearch]

On 10/2/2017 at 11:17 AM, SCHISCHKA said:

The man who invented this advice was in the news earlier this year apologising for this. How about throw a phrase you can remember into a hashing algorithm? You can remember it, the password is long, the password appears random. The rationale behind the original advice was to make a password that does not exist in a dictionary.

I apologize for any confusion that I may have caused to anyone. I do not watch the news because I am extremely busy most of the time. Although, if you add numbers and other special characters it prevents someone from writing guesses to your password and getting granted access to one or more account that you are the owner of.

[SCHISCHKA]

4 hours ago, Boomwebsearch said:

I apologize for any confusion that I may have caused to anyone. I do not watch the news because I am extremely busy most of the time. Although, if you add numbers and other special characters it prevents someone from writing guesses to your password and getting granted access to one or more account that you are the owner of.

It is not about human guesses, the reasoning is purely mathematical. There is a video on the computerphile youtube channel that explains this very well.

If you increase the number of potential characters you are using then you increase the complexity, the computing power required to crack the password. The problem was, it made passwords hard to remember so people were using shorter passwords, which defeated the purpose of the advice, to make your passwords computationally expensive.

[Boomwebsearch]

16 hours ago, SCHISCHKA said:

It is not about human guesses, the reasoning is purely mathematical. There is a video on the computerphile youtube channel that explains this very well.

If you increase the number of potential characters you are using then you increase the complexity, the computing power required to crack the password. The problem was, it made passwords hard to remember so people were using shorter passwords, which defeated the purpose of the advice, to make your passwords computationally expensive.

I see your point, also I would like to add that many sites use encryption in order to keep passwords a lot more secure. And it expands the computing power needed exponentially. 

[nerdv2]

On 10/2/2017 at 10:14 PM, SCHISCHKA said:

My thoughts are I would write under headings using the types of attack e.g.

Physical 

Phishing/trojan

Worm/virus

For each of the types I would give real examples of each. I don't think noobs need an instruction list but an update in education because most only know two terms, virus and hacker, they don't know when they are being tricked/scammed.

 

You mentioned above about changing router password. I think this should not be an advanced extra but compulsory and high up on the list of things to do. You don't want your router to be part of a botnet.

 

Disk encryption only helps in physical theft. A computer only used for games holds game data that is not actually the property of the computer user. A gamer has no need for disk encryption, they only need security on their steam account access.

 

You mentioned ransomware but you left out backup drives. Must have two USB drives for important data. Malware tends to be released about 30 days after a Microsoft patch. So someone discovers a vulnerability, they tell ms, ms releases a patch and by doing so they tell the whole world this vulnerability exists so you need to upgrade/patch asap.

 

Oh yes one more only download and install direct from software publishers. Those video streaming sites a laden with JavaScript that prompt you to install dodgy "java" or flash plugins.

 

Adblock sucks, pi-hole is better because it catches every device using your router.

 

Passwords: think of a phrase or pick a page in a book, choose a very long one. Run an algorithm in your head or on your computer that will turn this easy to remember into something that looks like random numbers or letters. This way you can have different passwords that are long, randomised, and easy to remember. Do not use same password across different sites.

 

Email: 

Have separate accounts for work, family, for public/junk, for signing up to services like Facebook and this forum. If you have a public junk account that gets compromised you will not loose access to Facebook or steam etc. The account you use for steam or Facebook, never send email from this account or tell anyone it exists. Protonmail and tutanota.com are good free mail services.

There's a lot of great advice in here, I included some. while I think that I need to separate like Malware Attack, Privacy Issues, and some of more tactical and structured attack like Social Engineering.

[Guest]

I got one. Use an OS that's still supported by the manufacturer. 

[AVLNCH]

On 15/10/2017 at 12:12 PM, Stylized_Violence said:

I got one. Use an OS that's still supported by the manufacturer. 

Shots fired Microsoft.

[Mira Yurizaki]

44 minutes ago, UponAvalanche said:

Shots fired Microsoft.

This applies to more than just Microsoft.

 

Like don't use Ubuntu on versions 16.10 or older (unless it's 14.04 LTS), because Canonical doesn't support those anymore.

[AVLNCH]

49 minutes ago, M.Yurizaki said:

This applies to more than just Microsoft.

 

Like don't use Ubuntu on versions 16.10 or older (unless it's 14.04 LTS), because Canonical doesn't support those anymore.

I hadn’t known that. Good to know, though!

[Cruorzy]

Do not use Bluetooth crap when possible.

[johnjohns111]

About the passwords, check your pass on haveibeenpwned.com, if your pass is in a database, it means that using bruteforce and password databases it's possible to hack even strong pass. There are a lot of password leaks in the history. For example, when River City Media was breached, more than 300k accounts were leaked.

[rheyL]

when on a browser, do not save your password. Never save your account/password on a browser. 

 

don't be lazy, type it when you want to log in.