OT: What Are Your Computer Safety Tips?

Submitted by VCavman24 on June 5th, 2020 at 4:12 PM

Reading about the hackers targeting MSU made me think about potential vulnerabilities on my computer.  I have pretty strong passwords, run virus checks, and don't download shady files, but what else should I be doing to protect my computer and files?  I guess I could always use the Tor browser but I also don't want to wait forever for pages to load.  What all do you do to protect your computers and files?

Jack Be Nimble

June 5th, 2020 at 4:23 PM

You could get some open-source encryption software to store really sensitive files. VeraCrypt is my personal favorite. There are also some browser extensions like Ghostery that are good for improving privacy by blocking trackers.

In general though, I think you're doing fine. Really, using strong passwords and avoiding shady emails, websites, files, etc. is about 99% of the battle for a regular computer user (Though large organizations may have different vulnerabilities). Most of the rest is up to luck.

I'mTheStig

June 5th, 2020 at 5:07 PM

based on rules and knowledge than only I would know

You sure about that?

I ask not to be argumentative but, as I posted elsewhere, the only secure password is one whose hash isn't already known.

I do this for a living.  I see and hear all the time "I have complex passwords blah, blah, blah"... and then I compromise their account and show them their password.

If you ever have put family member names, dates, events, locations, etc online, in social media, etc., or your PII was compromised (Sony, Target, Ashley Madison, Equifax, yada yada yada) adversaries crawl that stuff all the time and eventually aggregate that metadata to attack you.

If for some reason your password doesn't get cracked and if you're on a Windows host, I can search to see if your token is in memory and I can get full access to your system from that.

Saying "knowledge than only I would know" these days quite honestly and frankly is a lot of bravado.  The only sure way to go these days in Identity and Authentication Management (IAM) is multifactor authentication.  Password complexity is no longer a defense. Full stop.

I'mTheStig

June 5th, 2020 at 5:17 PM

I was not talking about a central password service.

Apples and oranges.

I was talking about the claim that the poster's passwords are so private/complex they cannot be compromised.

over using a central password service

Care to explain more?  Because using a secrets manager is considered a security best practice. 

I'mTheStig

June 5th, 2020 at 6:04 PM

Wow... I never thought of that before.  

It may look the same but username = avatar and not the government.  I've learned to hate government work.

Now I work in Big 4 Advisory in cyber defense.  I focus on application security and cloud.  Between those types of gigs I get farmed out to do audit work. 

I just rolled off of some incident response work (because the cyber landscape is going NUTS right now in this crazy COVID world).  It involved getting memory dumps of systems running new malware -- which has not yet been identified by the major A/V tools -- and creating means by which to identify future threats based upon current analyses.

I have clients in internet and software services, finance, automotive, and media & telecommunications... so I get to see a lot of stuff in how orgs run, what their technologies are, and how they protect it (or not).

LewisBullox

June 5th, 2020 at 7:24 PM

Surely everyone has knowledge of themselves no one else knows. I'm not concerned with a Goldeneye battle of wits a la Boris and Natalya or Jurassic Park and someone cracking my password.

What it seems you really meant to say is that reusing passwords is dangerous due to leaks, tokens, etc. And sure, I agree. A compromised password is compromised. That's not quite the same as saying I can't come up with a password right now that no one else can guess even if it's not random.

Not an important point, but then again this is MGoBored, so might as well argue for the sake of arguing.

I'mTheStig

June 5th, 2020 at 8:29 PM

but then again this is MGoBored [sic], so might as well argue for the sake of arguing.

Ironic you wrote that after you told me "what I meant to say".

I'm quite aware of what I said -- what you said ain't it.

When you go into a Fortune 100 company, dump their SAM files, get a 40% hit rate on compromised passwords in spite of password complexity rules, and root on 10,000 hosts in 72 hours, THEN come and tell me what I meant to say.

Until then, troll on!

I'mTheStig

June 5th, 2020 at 6:37 PM

In 2020 I consider anyone who doesn't watch porn to be a little suspect.

+1

Ha ha ha.

BTW, my wife doesn't.  Not that she's a prude or anything but just doesn't. 

She's totally cool -- which is why I wanted to marry her... but I imagine if she ever caught me looking at a nudie pic online, it would really hurt her feelings.  She's just really weird like that.

But otherwise, she's definitely greater than 8 hot and under 7 crazy.


blueheron

June 5th, 2020 at 4:31 PM

A couple:

Run as a non-privileged / non-administrative user unless you need to do some ... administrative task (like install new software). Some exploits rely on the current user having administrative privileges.

Rig your browser so that advertising scripts, etc. don't automatically run when you load a page.

I'mTheStig

June 5th, 2020 at 4:56 PM

Depending on who you ask, the answer you get to the amount of rigging you need to do could vary by who you're asking.

But a good place to start is with the government standards.  Go to https://public.cyber.mil/stigs/ -> on the left, click on Document Library -> on the right, scroll to your product.  For example, Google Chrome.  Download the zips.  You're looking for the STIG and sometimes there will be a file there with "benchmark" in the title (all products have a STIG; not all products have a benchmark).

These files are checklists (in a markup language -- there are other tools available for viewing on that page if you don't want to see the original text) for how to "harden" your software.  That's another whole post though.

Please keep in mind, some changes may disable functionality... like if the STIG says to disable JavaScript that could affect a website's content delivery.  You'll have to determine your sweet spot between security and functionality based upon your own personal risk appetite.
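The STIG files mentioned above are XCCDF XML, and the usual first step is to pull the rules out into a plain checklist you can work through. The following is an added example, not code from the thread, from DISA, or from the STIG viewer tools: the XML it parses is a constructed miniature that follows the XCCDF 1.1 layout (Benchmark/Group/Rule with title, fixtext and check-content), and its V-EXAMPLE / SV-EXAMPLE identifiers are placeholders, not real STIG rule ids.

```python
"""Extract a rule checklist from a STIG-style XCCDF benchmark file.

Added example; the sample XML below is constructed to mimic the XCCDF 1.1 layout
used by published STIGs. Real STIGs are far larger and carry their own ids.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the XCCDF 1.1 namespace; ids are placeholders.
SAMPLE_XCCDF = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_Browser_STIG">
  <title>Example Browser STIG (constructed sample)</title>
  <Group id="V-EXAMPLE-1">
    <title>Third-party cookies</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="medium" weight="10.0">
      <title>Third-party cookies must be blocked.</title>
      <fixtext>Set the third-party cookie policy to block.</fixtext>
      <check system="C-EXAMPLE-1">
        <check-content>Open the settings page and verify the cookie policy.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <title>JavaScript</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="high" weight="10.0">
      <title>JavaScript must be disabled for untrusted sites.</title>
      <fixtext>Set the default JavaScript policy to block and allow-list trusted sites.</fixtext>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-3">
    <title>Updates</title>
    <Rule id="SV-EXAMPLE-3_rule" severity="low" weight="10.0">
      <title>Automatic updates must be enabled.</title>
      <fixtext>Enable the update policy.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

# XCCDF severities as published; anything unrecognised ranks below "low".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def _namespace(root):
    """XCCDF 1.1 and 1.2 use different namespaces; read it from the root tag."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _find_text(element, ns, *tags):
    """Walk a chain of child tags and return the leaf text ('' when absent)."""
    for tag in tags:
        if element is None:
            return ""
        element = element.find(ns + tag)
    return (element.text or "").strip() if element is not None else ""


def parse_rules(xml_text):
    """Return one dict per <Rule>, keeping the fields a checklist needs."""
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    rules = []
    for group in root.iter(ns + "Group"):          # iter() also reaches nested groups
        for rule in group.findall(ns + "Rule"):
            rules.append({
                "id": rule.get("id", ""),
                "group": group.get("id", ""),
                "severity": rule.get("severity", "unknown").lower(),
                "title": _find_text(rule, ns, "title"),
                "fix": _find_text(rule, ns, "fixtext"),
                "check": _find_text(rule, ns, "check", "check-content"),
            })
    return rules


def filter_by_severity(rules, minimum):
    """Keep rules at or above the given severity (the 'risk appetite' knob)."""
    floor = SEVERITY_RANK[minimum]
    return [r for r in rules if SEVERITY_RANK.get(r["severity"], 0) >= floor]


def as_checklist(rules):
    """Render rules as a plain-text checklist, one tick box per rule."""
    lines = []
    for r in rules:
        lines.append(f"[ ] {r['id']} ({r['severity']}): {r['title']}")
        if r["fix"]:
            lines.append(f"    fix: {r['fix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_checklist(filter_by_severity(parse_rules(SAMPLE_XCCDF), "medium")))
```

Point the parser at a real downloaded STIG by reading the file into `parse_rules`; the severity filter is the place to record which rules you have consciously chosen to skip (the JavaScript-style trade-off the post describes) rather than silently dropping them.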

I'mTheStig

June 5th, 2020 at 6:30 PM

You should always run as a regular ol' user for day to day operations.  The security best practice is you only escalate to administrator for as long as those rights are needed.

As you mentioned, if you get some malware, and you're running as admin, it could install without being noticed.  If you're just running as a user, it won't get installed; Windows will throw a UAC prompt or some other error message.  Hopefully.

This is based upon something called the "least privilege principle".

Windows makes it easy these days to escalate just when needed with the "Run as" feature.  Linux has something called "sudo".  

Tunneler

June 5th, 2020 at 4:35 PM

Just last week I upgraded the external hard drive to 4TB for $112.  Seagate backup plus hub (automatic).  Fashioned brackets from extruded aluminum L angle & screwed onto back of desk.

What is this cloud people keep talking about?

Gulogulo37

June 5th, 2020 at 10:46 PM

Not a safety thing, but I came to say something like this. BACK UP YOUR SHIT! I had been, but then for some reason didn't for about 3 years and then my hard drive failed. Some things are on a cloud, but not everything. The main thing I lost and didn't have backed up were photos. Data recovery cost me about 400 bucks. And sorting through that was awful. I'm not even done yet. Lots of things got copied a few times, some at varying quality. I have a folder that's just misc. image files, and they are sorted in no way whatsoever, so it takes forever to put them into various folders. It took so long and I had a problem with the plug for the new external hard drive with my recovered files so I took a long break from it. Then my external hard drive failed too. Awful. Not sure I got everything off of it. A friend who knows computers well helped by giving me a program that lets you copy with commands even though the hard drive wouldn't load on Windows itself.

I'mTheStig

June 5th, 2020 at 4:43 PM

I have pretty strong passwords

The only secure password is one that isn't in a rainbow table.  That includes catchphrases and leet -- people aren't fooling adversaries with that stuff.

The only way to go in this area is multifactor authentication.  
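The "rainbow table" point above comes down to precomputation: if a site stores a fast, unsalted hash, one table built once from leaked wordlists (leet variants included) answers every lookup, however "complex" the string looks. The block below is an added example, not code from the thread or from any poster; it builds a toy lookup table from a constructed six-word list, shows the single-lookup recovery of an unsalted digest, and contrasts it with per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 here), where the same password yields different stored records and the table buys nothing. The iteration count is lowered to keep the example quick; production deployments use far higher counts.

```python
"""Why a password that is 'in the table' is already lost, and what salting changes.

Added example. CANDIDATES is a constructed stand-in for a leaked wordlist.
"""
import hashlib
import hmac
import os

# Constructed guess list: plain words plus the leet/catchphrase variants that
# real wordlists already contain.
CANDIDATES = ["password", "P@ssw0rd", "P@ssw0rd!", "G0Blue!2020", "Letmein123", "michigan1"]

SALT_LEN = 16
ITERATIONS = 100_000   # deliberately low for a quick demo; use a much higher count in production


def unsalted_hex(word, algo="sha256"):
    """The weak storage scheme: one fixed hash of the password, no salt."""
    return hashlib.new(algo, word.encode()).hexdigest()


def build_lookup_table(words, algo="sha256"):
    """Precompute hash -> plaintext once; with no salt it is reusable against every site."""
    return {unsalted_hex(w, algo): w for w in words}


def lookup_unsalted(stored_hex, table):
    """Recovery from an unsalted digest is a dictionary lookup, not a computation."""
    return table.get(stored_hex)


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Defensive storage: unique random salt + slow KDF. Record layout is salt || digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + digest


def verify_salted(password, record, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def same_password_distinct_records(password):
    """Two users with the same password get different records, so one precomputed
    table cannot serve both: the salt forces per-record work."""
    a, b = hash_salted(password), hash_salted(password)
    return a != b and verify_salted(password, a) and verify_salted(password, b)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted P@ssw0rd! ->", lookup_unsalted(unsalted_hex("P@ssw0rd!"), table))
    print("salted records differ and both verify:", same_password_distinct_records("P@ssw0rd!"))
```

The defensive takeaway is the one the post draws: salting and slow hashing are the site's job and you cannot audit them from outside, so a password that appears in any wordlist is a liability regardless of its look, and a second factor is what actually limits the damage.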

I'mTheStig

June 5th, 2020 at 6:24 PM

+1

However, anticipating some potential replies to your point.  I could see someone saying if the classic definition of MFA is "something you have and something you know", then how does a mobile device not qualify?

One reason why this is a bad practice is because for uniqueness, SMS auth is tied to your SIM card when setting it up.  So if your phone gets stolen and someone has your SIM, they have your additional authentication factor.  

If someone has SMS auth configured, and they get compromised, how do you change it?  By first authenticating with that SIM.  Which you now don't have.  Good luck with that hassle.

morepete

June 5th, 2020 at 6:41 PM

It's much more than that -- SIM security has been cracked for a while now. Hackers can spoof any SIM.

Your phone getting a push (à la Okta's app) is actually significantly more secure than SIM, because it uses better encryption.

https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html#:~:text=One%20of%20the%20most%20common,still%20used%20by%20several%20institutions.

Don

June 5th, 2020 at 5:20 PM

1. Pay as few bills as possible online

2. Never do financial transactions or purchase anything online using Wifi—only use wired ethernet

3. Never click any link in an email from an account you don't know

4. Don't believe Nigerian princes.

DCGrad

June 5th, 2020 at 5:22 PM

Not sure about personal use, but one of the vendors we use at work was hacked and the hackers held a bunch of files for very high profile clients for ransom.  Thankfully we had already produced to the government, and I'm not sure how the issue was resolved, but we won't be using that vendor again.

I'mTheStig

June 5th, 2020 at 5:34 PM

That's a horrible product.

Google "Magic Lantern" sometime.  Not to mention Symantec has ties to China.

The best rated/peer-reviewed anti-virus product with regard to privacy, security, and functionality is ESET Antivirus.

Smells.Like.Victory

June 5th, 2020 at 5:33 PM

I have Macs and PCs. I don't keep any personal data on the PC. I disconnect any computer from the network that I'm not using. I use 14+ character passwords for everything - do not use words or personal references for passwords. Use an encrypted app for passwords and use index cards to keep master passwords.

VPNs are not going to protect you, and unless you are running no JavaScript/cookies etc. (which means you won't be using most websites) you aren't even anonymous using one.

If you have used the same email for like 4+ years chances are it's known and they know probably every password that you have used if you have been using basic passwords.

I would strongly suggest registering a new email and using that for your most important logins like bank etc. Basically, anything that you don't want hackers to have access to. Don't use it for anything else and log out if you are using the web if you use Gmail etc. You can secure your end but they get all this info from hacking into other websites that you use.

Additionally

Keep constant track of your credit card balances and assume that hackers have all of your info, which they probably do: SS#, credit card numbers, everything. Turn on notifications for purchases and/or withdrawals. If they haven't used your card yet it doesn't mean they don't have it - it is just a matter of time.

Our company gets hit with multiple fraudulent orders a day using stolen credit cards. They create shipping accounts with your information - and change the delivery info after the order. They use VPNs etc. to hit our website from the city where the card is supposed to be and are able to use a phone number that is in the same city as well.

We need to demand more out of corporations/governments to protect our data.


Esterhaus

June 5th, 2020 at 7:16 PM

A part of my security protocol when online is to always wear a condom. Religiously. Because you never know whether the person on the other side is icky and may give you cooties. I urge you to do the same and you should listen up! because I hold an advanced degree in computer science. (They actually gave me one of those paper thingies for a digital degree. Which for me is better than if they had awarded it digitally if you know what I mean, Vern.)

MGoArchive

June 5th, 2020 at 7:56 PM

  • Keep your computer (Windows 10 / OS X) up to date with the latest feature/security patches.
  • Use two factor auth for your personal e-mail address, social media, and banking/Paypal accounts.
  • If you click a link from social media for a site you don't recognize, wait for someone to give feedback (via a comment) on that content to ensure it's legit.
  • Use a computer that was built in the last five years and has a UEFI BIOS.
  • Use the 'Brave' web browser (https://brave.com/) for private sites.
  • Don't click on links from strangers or from family members that forward content.