
11 security tips

28 Mar

A lot of people don’t seem to know or care about the security of their computers. If you are reading this site you probably aren’t one of those people but I’m sure you know some, and if you are one of those people then READ THIS! Even if you are a security knowledgeable citizen of the intertubes there may be a few things you don’t know or you can at least share this with your “dumb” friends :).

If you happen to be one of those “dumb” friends and you don’t understand any of this, don’t hesitate to ask your “smart” friend for help. We love it when you ask us for help with your computers.

Don’t use Microsoft products:

As a general rule Microsoft products are not the most secure, though that’s not to say that anything not made by Microsoft is secure, or that only open source software is secure. I’m not just talking about Windows here; Outlook, IE, MSN Messenger and the rest tend to have more security flaws than their competitors. I believe this is partially due to the way Microsoft makes products (e.g. buy something someone else made, hand it to developers who aren’t familiar with it, tell them to change it so that it is different from what they got, and get it out the door as fast as possible with absolutely no testing), to Microsoft’s monopoly, and to having fewer developers looking at the code than an open source project would. This really is the most important thing you can do to protect yourself. I can’t just tell you to stop using Microsoft products without suggesting what you should use instead. Ubuntu is probably the best choice for a non-technical person who wants to keep using the computer they already have. If you (or your “friend”) are non-technical and in the market for a new computer, I would suggest Apple products. If you insist on using Windows, I only ask that you stop using IE. Switch to Firefox.

Keep up to date:

In general, software becomes more secure with time, so it is a good idea to run the latest version of your software, or at least of the software that connects to the internet (i.e. your web browser, email client or instant messenger). It is especially important that you keep up with the updates for your OS.

Browse defensively:

It’s a pun on defensive driving, get it? Yeah, I know it wasn’t funny… Anyway, unsafe browsing habits are among the top causes of security problems. Pay attention to what you are doing. If you get an email claiming that PayPal needs your password, treat it the same way you would a letter in the mail saying that Social Security needs your social security number. This is called phishing. You will be sent to a web site that looks a lot like PayPal but is not PayPal. All you have to do is look at the address bar and see that you are at http://www.someurl.com (that is an example and not really where you will be) instead of at http://www.paypal.com.

Besides getting your information stolen, unsafe browsing can lead to viruses and rootkits (programs that take control of your computer so that a cracker can use it). So be careful what you download. If you are downloading a file and it is called 5billionpicsofsexygirl.exe.zip, it is not the porn you wanted but a virus! You should always be leery of files with two extensions. Also, check the file size: if it is really 5 billion pictures it is going to be much larger than 500kb.

This topic is another great example of why you shouldn’t run Windows. Windows has many vulnerabilities that allow an attacker to install software on your computer simply by directing you to a webpage or getting you to open an email.
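The two checks this section describes (is the address bar really the site you expect, and does a download look like 5billionpicsofsexygirl.exe.zip), written out as an added Python example that is not part of the original post; the domain names, file names and the 10,000-byte minimum per photo are constructed assumptions.

```python
import os
from urllib.parse import urlsplit

# Added example (not from the original post) for the two "browse defensively"
# checks: is the address bar really showing the site you expect, and does a
# download look like "5billionpicsofsexygirl.exe.zip"? The domain names and
# file names below are constructed for illustration.

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".msi"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}
MIN_PICTURE_BYTES = 10_000  # assumed lower bound for one real photo


def host_of(url: str) -> str:
    """The host a browser will actually connect to, ignoring user@ tricks and ports."""
    # urlsplit treats "www.paypal.com@www.someurl.com" as user "www.paypal.com"
    # at host "www.someurl.com", so .hostname is the part that matters.
    return (urlsplit(url).hostname or "").lower()


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is expected_domain or a subdomain of it.

    A look-alike such as www.paypal.com.someurl.com merely *starts* with the
    expected name; the registered domain at the end is what counts."""
    host = host_of(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def download_warnings(filename: str, size_bytes: int, claimed_pictures: int = 0) -> list:
    """Return a list of warnings about a download; an empty list means nothing odd."""
    warnings = []
    name = os.path.basename(filename).lower()
    stem, outer = os.path.splitext(name)
    _, inner = os.path.splitext(stem)
    if outer in EXECUTABLE_EXTS:
        warnings.append(f"{name} is a program ({outer}), not a document or picture")
    if inner in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        warnings.append(f"{name} has two extensions ({inner}{outer})")
        if inner in EXECUTABLE_EXTS and outer in ARCHIVE_EXTS:
            warnings.append("the archive contains an executable")
    if claimed_pictures and size_bytes < claimed_pictures * MIN_PICTURE_BYTES:
        warnings.append(f"{size_bytes} bytes is far too small for {claimed_pictures} pictures")
    return warnings


if __name__ == "__main__":
    for url in ("http://www.paypal.com/signin",
                "http://www.someurl.com/paypal",
                "http://www.paypal.com.someurl.com/",
                "http://www.paypal.com@www.someurl.com/"):
        verdict = "looks like PayPal" if is_expected_site(url, "paypal.com") else "NOT PayPal"
        print(url, "->", verdict)
    for w in download_warnings("5billionpicsofsexygirl.exe.zip", 500 * 1024, 5_000_000_000):
        print("warning:", w)
```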

Use long, random passwords:

Passwords are generally your first line of defense against an attack, and the longer and less guessable they are, the safer you are. I talked recently about a website that generates a very long password for you. I suggest that you use it.

Don’t write down your passwords:

You remember those dozen long random passwords I told you to use? Yeah, never ever write them down (or give them to others). If you do, it completely defeats the purpose of having them, because then anyone can just read them! There are some memory tricks you can use to remember them if you are having trouble: break each password up into small sections of 1-3 characters (e.g. if your password is oetuhc89dh, break it into oet uhc 89 dh or oet uhc 89d h), or assign each character in your password to an object and place that object in your memory palace.

To be honest, I don’t remember most of my passwords. I let Firefox remember them for me and I just use a master password. I know this isn’t the most secure thing to do, but it’s better than using the same one password I remember for every site. I also keep all of my passwords in an encrypted text file (that is NOT labeled passwords.txt). If you are really paranoid you might want to keep this on a flash drive so that the people in black helicopters can’t steal your hard drive and recover the unencrypted text file from your deleted files. I just use srm.

Use security extensions for Firefox:

I’ve already said that you shouldn’t use IE because it isn’t secure and that you should use Firefox (or Opera if you want). Now I’m going to tell you that Firefox is still not secure enough. Firefox is better than IE, but like all things in this world it isn’t perfect. Fortunately, there are some extensions that can bring Firefox closer to perfection.

FireGPG
Flashblock
McAfee SiteAdvisor
NoScript
SafeCache
SafeHistory

Secure your network:

I’m all for sharing your network with others, but it really isn’t very secure. A lot of people don’t even know that it is possible to log in to their wifi router and change things. Well, you can. So let’s all go to http://192.168.1.1 and change our routers’ passwords, then go over to the security tab and turn on encryption (make sure you know the WEP key or WPA password).

If you know what you’re doing and you want your network to be secure but also want to allow others to use it, you can make a secured section that you use and an open section for others.

Turn off file sharing:

File sharing is evil; turn it off when you aren’t using it. Next time you stay at a hotel that offers free wifi, poke around the network a bit and you will be amazed to find probably dozens of Windows machines that have file sharing (not as in p2p) turned on and completely open to you. This is yet another reason why you should not use Windows. Linux/BSD/Mac OS will make you work to reach this level of insecurity, whereas Windows does it by default (or maybe it is a toggle in the network settings; I can’t remember). However, I do believe that Vista is a bit more secure than XP when it comes to file sharing.

Use multiple passwords:

As well as using long, random passwords, you should be using multiple passwords. In fact, you should really have a different password for everything. At the very least, use a different password to log in to your computer than the one you use to log into the bank’s site, and yet another for MySpace or whatever.

Encrypt your stuff:

Any time you are using a computer you should expect that someone could get access to your files if they are determined enough. Thus, the only sure way to protect yourself is to use encryption (unless the FBI, CIA or any other organization with a three-letter abbreviation for a name is after you). You have two options: encrypt only the files that you want to secure, or encrypt all of your files. Both have their advantages. If you only encrypt certain files, it will be a red flag to anyone who finds them that they are important. Encrypting everything means encrypting the partition that your stuff is on. Recently some security experts have shown that it is relatively easy to get around this kind of encryption. I presume that the attack used to do that only works if the partition is mounted at start up, so if you don’t mount it at start up and simply mount it yourself after you have logged in, I think you may be able to protect yourself from this.

If you want to go with the first method (encrypting individual files) you should check out a series I wrote about GnuPG a long time ago.

If you would prefer to use the second method (full partition encryption) you should check out the series that Zeth over at the Commandline Warriors put together.

Remove important stuff with srm or shred:

If you are using full disk encryption this section probably isn’t for you, but if you’re not, listen up. When you delete things from your computer they are not gone! Deleting simply tells your computer that the space that was used for the old data can now be used for something else. So when you delete a file it can often be recovered by people who have the money to do that kind of thing.

Never fear, you can protect yourself from this one too! Just use srm or shred to delete those important files (both of these, or maybe just one, should be available in your friendly neighborhood repository). Some people argue about which is better and I don’t know, so I’m not going to comment. I think both will probably get the job done; however, srm is more widely available.
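What srm or shred do to a single file, as an added Python example that is neither the post’s code nor either tool’s own implementation; the sample content written to the temporary file is constructed.

```python
import os
import secrets
import tempfile

# Added example (not from the original post, nor the code of srm or shred) of
# what those tools do to one file: overwrite its bytes in place, force the
# writes to disk, then unlink it. Caveat from shred's own documentation: on
# journaling, copy-on-write or SSD storage, old copies of the blocks can
# survive, which is why the full-partition encryption above is more reliable.


def secure_delete(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite `path` with random data `passes` times, then remove it.

    Returns the file's size in bytes, i.e. how much was overwritten per pass."""
    size = os.path.getsize(path)
    # "r+b": read/write without truncation, so the same on-disk blocks are reused
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device, not just the page cache
        # Truncate so the directory entry no longer records the original size.
        f.truncate(0)
        os.fsync(f.fileno())
    os.unlink(path)
    return size


def demo_round_trip(content: bytes = b"oetuhc89dh\n" * 1000) -> tuple:
    """Write constructed sample data to a temp file, wipe it, report (bytes_wiped, still_exists)."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    wiped = secure_delete(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo_round_trip())  # (11000, False)
```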

If you are reinstalling your OS or getting rid of your computer you want to make sure that there is nothing left behind from the old OS that could compromise your security. I suggest using a live disk called Darik’s Boot and Nuke (DBAN). If you don’t want to mess with this when you are just reinstalling your OS that is fine, but this is a must if you are going to be getting rid of your computer/hard drive. If you do not wipe the drive before you get rid of it, the person who gets it next will have complete access to all of your files.

If you still need a reason to worry about the security of your computer know this: most spam comes from computers which have been taken over by attackers completely without the knowledge of their owners.

Stay tuned for the second part of my security series, where I will try to get you to think like a paranoid person. Also, Mr. linuxcrayon, that FreeBSD review will be coming any day now.


Posted by on March 28, 2008 in security


20 responses to “11 security tips”

  1. linuxcrayon

    April 3, 2008 at 10:07 am

    I’ve been away for several days–sorry.

    I just wanted to comment on one thing–passwords.

    You’re right–your method of storing passwords with one master password isn’t exactly the most secure. If someone were to ever crack the master password and gain physical access (or ssh or similar access) it would take a matter of minutes and everything would be open to him/her. Also, I’m not sure if you’re using letters and numerals, but brute forcing with a dictionary list makes it VERY easy to get through passwords with only letters. Especially when those letters are words or names. Simply food for thought there.

    Additionally, although this is slightly more advanced, something you may or may not want to do (depending on your level of paranoia) is to create a MySQL (or comparable technology) backend that stores your password. Then write a frontend in Python, PHP, or some other similar language. The design idea would be to require a master password to log in, and then additional passwords depending on what information you were trying to retrieve. It would require you to categorize your passwords (one for forums, one for e-mail accounts, etc…), but having multiple-tier password retrieval would be beneficial.

    No, I haven’t done it yet, but it’s definitely on my todo list.

     
  2. Justin

    April 4, 2008 at 4:20 pm

    As far as I know Firefox does use an encrypted database (or at least I hope it does) to store passwords. Though I’m sure it doesn’t offer that much protection. As long as a significantly strong password is used, and preferably not the one you use to log in, there should be some level of security. I wrote a post on passwords a while ago which I linked to in the tip titled “use long, random passwords” which should explain a little more about what I think of passwords.

    That does sound like a good idea. Are you suggesting a stand alone program or an add-on? Is it possible to glue a python program to firefox (without hacking the code), such as in an extension or does it only support java? I hate java so I’m not touching it if that is the case :).

     
  3. linuxcrayon

    April 5, 2008 at 6:58 am

    I’m not sure. I’m not a programming guru by any means. I’m really quite a novice, and I don’t know how Firefox extensions work.

    I was actually suggesting a stand-alone application using an off-line database.

     
  4. Justin

    April 5, 2008 at 8:31 am

    You probably know more about programming than I do. I know a little python, c, and java but not enough to do much with any of them.

    As far as I know Firefox uses java (or maybe its javascript) extensions. I don’t see why you couldn’t write an extension that communicates with a stand alone application though.

    I use Firefox’s password manager because it is convenient. I don’t think a stand alone application would be as convenient, but it would be a better way to store passwords than using an encrypted text file like I suggested.

     
  5. linuxcrayon

    April 5, 2008 at 1:11 pm

    I know diddly when it comes to programming. 🙂 I know some C#. And it’s a wonderful language. But Python’s better. 🙂 I know the very basics of C. The extent of my programming abilities is text-based games, text-based inventory management, text-based address book…you get the idea. Nothing too complex. No shiny graphics.

    But yes, I realize that there is a careful ratio of convenience : work. It was simply a suggestion…and an idea that I’m interested in exploring in the future.

     
  6. Justin

    April 5, 2008 at 6:08 pm

    Yeah I can’t do guis either. I can find my way around python as long as I have a reference to look at. I don’t really know a whole lot about c and I don’t really know java. I’m taking a java class in school but my teacher is teaching it very poorly.

    It’s a good idea (and maybe one that is already implemented), but I think it would be best if it were part of the browser.

     
  7. linuxcrayon

    April 5, 2008 at 8:36 pm

    It would be great if it could be referenced by the browser and remain a stand-alone application, I think. I have instances (instant messengers, games, etc…) that use passwords outside of Firefox.

    I know how you feel regarding poor teachers. My hardware teacher is terrible. He actually said that the Intel Xeon was the first 64-bit CPU, when it was actually the Intel Itanium. He’s said a lot of other really stupid things, but that one always sticks in my mind.

    Java, I think, is a nasty language. IMO, it barely improves upon C++. It still has some really weird things about it. C#, on the other hand, is excellent. If it had better support (along with the .NET framework) on Unix, I’d use C# more than anything else.

     
  8. Justin

    April 5, 2008 at 8:58 pm

    Maybe something build into gnome then? Gnome has a password manager (keychain I think it is) but I’ve never used it so I don’t know what kind of things it can do.

    Your teacher sounds much better than mine. He bought a book by some guy named Dr. Woo (a.k.a. Dr. Caffeine). With this book comes a library that sits on top of (or replaces?) the standard library. I think it is meant to make it easier for a non-computer-literate person to learn, but all it really does is make people think that they are accomplishing more than they really are. It has a bunch of classes for graphical stuff so that you can get a gui with one simple call. The problem with this is that it takes away all of the low level control and reduces you down to just doing some math or something and spitting it out to another mysterious class. The real problem that I have is that I’ve been in the class for 8 weeks now (I think) and if statements were just introduced this week…

    You know about mono right? I don’t really know anything about C#. It’s object oriented right? I kind of like procedural. It’s simpler and I’ve never really had a need for objects (but I don’t do much programming).

     
  9. linuxcrayon

    April 6, 2008 at 1:19 pm

    Eight weeks to learn IF statements? IMO, that’s day 2 material. Or day three if day one was just an introduction to the class. IF and WHILE statements should both be early on, IMO. They’re so incredibly simple. Sounds like you’ve got it worse than I do. 🙂

    Yeah, I know about mono, but I don’t know how well it’s implemented or if it’s even going to become a major *nix platform. I mean, if it’s not going to be something that everyone’s going to have (like Python or Perl), then I don’t want to write code for it. That’s why I don’t use any apps that use Mono. They may be good, but I’m not going to install an entire framework for one program.

     
  10. Justin

    April 6, 2008 at 6:56 pm

    I could see it included by default in some of the major distros in the future (I believe it already comes with suse), but I can’t see it ever becoming a dominant frame work.

     
  11. linuxcrayon

    April 6, 2008 at 10:39 pm

    I’m sure it’s already in some of the more prominent newbie-friendly distributions, but for some reason Mono just does not seem to be a technology in high demand. If people want .NET, they’re running Windows. It’s just that simple. And believe me–.NET is VERY popular. I have a friend who gets paid $60/hour to write programs in C#. It’s a very lucrative (commercial) platform.

     
  12. Justin

    April 7, 2008 at 3:42 pm

    Just because it is lucrative doesn’t mean it is good :).

     
  13. linuxcrayon

    April 7, 2008 at 6:05 pm

    That’s very, very, very true. But it is good. Of course, I haven’t decided how much of that goodness stems from Visual Studio and how much is the actual language. I think I would bend over for any language if I could use Visual Studio. If you haven’t used it, you should run a VM with Windows in it and try it out. It is possibly the best IDE I’ve ever seen.

    That being said, I’m pretty comfortable in a text environment using BASH and VIM…and hopefully I’ll figure ctags out if I ever have time to do anything but eat, sleep, school, work, and code. 🙂

     
  14. Justin

    April 7, 2008 at 6:40 pm

    The only IDEs I’ve ever used are the crappy one that my school has for java (it came with the book…) and IDLE for about 10 seconds.

    I’m not sure what ctags is. You don’t even have time to poop! I at least find time to do that! 🙂 I know how you feel. I don’t have a job right now (but I’m looking) but I still don’t have a whole lot of time. When I did have a job I once worked about 36 hours while still in school. I pretty much had to choose to fail algebra 2 or AP chem, and I PASSED both! boya! though I did have an F in algebra for a while (brought it back up to a C+ once I stopped working.)

     
  15. SpellingNazi

    April 7, 2008 at 10:11 pm

    Don’t right down your passwords:
    You remember those dosen long random passwords I told you to use?

    Should be:
    Don’t *write* down your passwords:
    You remember those *dozen* long random passwords I told you to use?

     
  16. linuxcrayon

    April 8, 2008 at 9:17 am

    You should definitely check out ctags if you program in any unix environment. From what I understand, it saves tons of time. It allows you to jump through code and across files. Very cool stuff.

    What’s the JAVA IDE? The only two I really know of are Eclipse and NetBeans.

     
  17. Justin

    April 8, 2008 at 3:19 pm

    It’s called Ready to Program I think. It’s some piece of crap proprietary thing that came with the book (and thus the only good thing in the world according to my teacher). I really wish that this class would do a better job of teaching students that computers aren’t magic and software doesn’t just manifest itself out of thin air.

     
  18. linuxcrayon

    April 8, 2008 at 7:40 pm

    So is it the only good thing in the world because it’s proprietary or because it came from the book? If it’s because it’s proprietary, you should point your instructor to the Sun Microsystems (creators of JAVA) website and let him read up on their open source initiatives…including the acquisition of OpenOffice a while back, the recent MySQL buyout, the release of Open Solaris, and many other fantastic things.

    I’m sincerely sorry your teacher sucks. If it makes you feel better, my instructor for the MCSE/MCSA classes isn’t MCSE/MCSA certified. In fact, his only certifications are CCNA and A+.

    I don’t think I’ll be taking JAVA. I think I’ll go the C route instead. JAVA simply never appealed to me.

     
  19. Justin

    April 8, 2008 at 7:49 pm

    It’s because it came with the book. He always complains about the computers because they are old and slow (mostly because they are running windows with a domain) so I suggested that he install linux. He said he would if he could but they won’t let him. I don’t know if he really meant it or not though.

    Java is a despicable language. It takes 20 objects to do things I could do with one call to the standard library in C.

     
  20. linuxcrayon

    April 8, 2008 at 9:43 pm

    He probably didn’t. In my experience, people that say they would but “insert x here” are saying it to save face or to sound cool. It’s possible that he actually would, but he just sounds like a loser to begin with. 🙂

    To be honest, the only good thing I see about OOP is organization. But I can organize procedurally by just placing things in different files…which I do automatically anyway and throughout the process of refactoring. The only time I really use OOP is for complex games. Sometimes it’s more of a hassle than it’s worth.

     
