2018-07-01

Top 21 Home PC Security Steps

Article titles with "top ten lists" are usually trolling for clicks, but these are the things I do, and these are the things I tell my family.

The number one rule
- never click unexpected popups

While surfing, if an unexpected popup appears -- ignore it by closing your browser.  The popup may be delayed, showing an earlier site, but more likely it is from the site you are on.  In either case, close the browser (or end-task the browser).  Do not interact with the dialog.

Popups can look serious:
"You have a virus!"
"Google Chrome has detected a problem, click here to fix."
"In order to view this video, you must install a new driver or CODEC."
"This PDF requires an updated PDF Viewer, click here..."
"You need an updated Flash player to view this video."

No matter how badly you want to see that video, do not click the popup.
 
Because it is admittedly difficult to tell a scam from a legitimate one, abandon all of them. 
On prompts like this, I tell my mom to shut the computer down, as gracefully as possible, then reboot - or at the very least, close the browser.  Likely, the bogus warning won't return and all will be safe. 

When it comes to virus popups, in my experience, 95% of the time, a "You have a virus, click here to fix!" -- means if you click, you will get one.  It will be the exact opposite of what you want. 



If you need a new PDF reader, a new version of Flash, or a new driver, go to the vendor's site and download it yourself

In other words, do not let a surprise popup initiate the download.  Find and download the software update, driver, or whatever it is, from the vendor's site.  If it is a virus popup/download/cleanup, start a virus scanner manually.  If it claims you need a BIOS update, go to the vendor's site and download it yourself.  You initiate the update -- not from a popup, not from an email.

But, when downloading, only download the component you need.  Uncheck all offers for additional software.  For example, Sun Java is notorious for installing McAfee Security Scan Plus -- which amazingly is *not* a virus scanner -- it is an ad-delivery program!  And do not allow them to install browser toolbars!  Curse them all.




 
Do not click unexpected links in email

Even if you know the sender, even if you have a business relationship, be suspicious of embedded links.  Emails are easily spoofed, and a link may say one thing but go to another.  Instead, go to the vendor's site and manually find the item of interest.  Again, you initiate the transaction.

Unexpected invoices or purchase confirmations are always a scam.
Do not click the link; do not "login" -- no matter how legitimate the email looks.  Go to the vendor's site and manually confirm.

Hint: Hover the mouse over the link to see where it goes, but good scammers can make this look surprisingly realistic.


Your bank, Microsoft, Facebook, the IRS, etc., will never send an email asking for an account update or asking you to log in in order to "fix a problem."

Microsoft has 10-billion accounts.  They are never going to call you out of the blue to tell you your little-old PC has a problem.  Your bank already knows your account number and name, and they will never call.  If you get a prompt (or phone call) saying they have found some kind of problem, be assured they will ask for a credit card and will "fix" the problem, leaving all kinds of new problems.  If worried or in doubt, contact the institution directly.
 

Do not install browser plugins or toolbars
Do not install any coupon programs

This includes the "Ask.com", "Jeeves", Yahoo, and Google toolbars, etc.

These are spyware benefiting advertisers, not you.
If you have them installed, go to the browser's Add-ins menu and remove them.

The only browser plugins I allow are ad-blockers, such as "uBlock Origin" or "AdBlock Plus".  Be wary of copy-cats and lookalikes.


Hesitate at all UAC (User Account Control) prompts
It is trying to tell you something...

If you see a Windows UAC prompt (User Account Control) -- where the whole screen goes dark grey and the only window you can interact with is the prompt, "Do you want to allow this application to make changes to your PC?"

Your answer should almost always be "No" -- even if you were somewhat expecting it.  Unless you know exactly what you are installing, say no.  This prompt is serious.  This is how viruses get installed.  See rules 1-5.

An even better safeguard is to create a separate Windows Administrator account and demote your own account, using these steps:

1.  In Control Panel, User Accounts, create a new Windows login account.
2.  Name it "admin" and make it a "LOCAL" account.
    Change the account from "Standard user" to an Administrator.
3.  Log out of your normal account.
    Log in with the admin account.
4.  In Control Panel, Users, find your original account.
    Demote it to a Standard user.
5.  Log out of admin; log back in as you.
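The same five steps from an elevated PowerShell prompt, as an added example that is not from the original post. It assumes Windows 10 or later (the built-in LocalAccounts cmdlets) and that you run it while logged in as the everyday account being demoted; the account name "admin" is the one the article suggests.

```powershell
#Requires -RunAsAdministrator
# Added example, not the blog's own steps. Assumes Windows 10+ (LocalAccounts module)
# and an elevated ("Run as administrator") PowerShell session.
$adminName = 'admin'          # the account name the article suggests
$me        = $env:USERNAME    # the everyday account that will be demoted

# Steps 1-2: create a LOCAL administrator account. The password is typed in,
# never written into the script; record it using your password scheme.
$pw = Read-Host -Prompt "Password for $adminName" -AsSecureString
New-LocalUser -Name $adminName -Password $pw -FullName 'Local administrator' `
    -PasswordNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $adminName

# Check before demoting yourself: the new account really must be in Administrators,
# otherwise nobody on this PC could approve future UAC prompts.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -notcontains "$env:COMPUTERNAME\$adminName") {
    throw "$adminName is not an administrator; refusing to demote $me."
}

# Step 4: demote the everyday account to a Standard user (it stays in the Users group).
Remove-LocalGroupMember -Group 'Administrators' -Member $me

# Steps 3 and 5 (log out and back in) still apply: the change takes effect at next logon.
# Verify: the everyday account should no longer be listed.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
```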



In the future, when UAC prompts to install something, type the admin account's credentials to allow the install.  This keeps family members from making mistakes.  Be sure to record the password.  Use a password scheme (see below).

Many say this is painful.  My response: how often do you install software?  It is rare and a minor inconvenience.


Have a password scheme

Use a password scheme for all important accounts and logons, making each password different.  Make sure your bank's password is different from Facebook's or Google's.  This is easier to do than you might think if you follow this keyliner article, Better, safer, stronger passwords:

http://keyliner.blogspot.com/2011/08/grcs-password-haystack.html


In summary, for a two-word company, such as hotmail (hot + mail), invent a password like this:
hK9doggly.barksm    where h and m come from hot-mail

For a one-word company, such as Amazon, split off the first letter and use:
aK9doggly.barksm    where a and m come from a-mazon

For sites you don't care about, such as discussion boards, use a single (same) dumb password: "DumKats.2aa".  Again, the article discusses the idea.

In all cases, longer passwords are better than short ones.  Aim for 14 to 16 characters, using a password 'phrase.'

Invent any scheme you like.  Be sure the scheme includes upper and lowercase letters, a number, and a special character -- one of each -- so you won't be tripped up by sites that require one or the other.  A space or period is a perfectly fine special character, and they are easy to type.

Don't bother with a password vault.  They are cumbersome and you won't want to use it.  For those sites which make you change passwords every 90 days, and other such nonsense, store the password in your phone's address book.


Have a Junk Email account

Create a junk email account on Yahoo.com, Gmail, or another such service.  Use it for vendor and sales traffic -- typically repeat traffic, such as Amazon, Netflix, and the like.  Consider email to this account third-class mail: worth glancing at, but easily discarded.  Expect this account to fill with spam as your email address is sold.

Use your "real" email for trusted friends and trusted businesses, such as your bank, or government agencies. 


Use Disposable Email accounts
These are so cool!

If dealing with a one-time vendor (or with a vendor who you suspect will pester you with spam), use a disposable email account.  Flower shops, photo printers, business card companies, motels, and the like all come to mind.

Mailinator.com
SharkLasers.com (Mailinator)
guerrillamail.com (if you need attachments)

Disposable email accounts are strange beasts that take a moment to understand.  Be sure to see this keyliner article:

http://keyliner.blogspot.com/2017/12/disposable-email-accounts.html

When coining a disposable address, use a dumb scheme for your email name.  Be consistent and use the same scheme for all of these types of email.  For example, use johnsmith1123, where "1123" is your house number.  Something easy to remember.

Because disposable emails are so ethereal, what if you want the shipping invoice or other notices, but don't know when they are being sent?   Keep using the disposable account, but do all of your tracking on the vendor's site, ignoring the emails.

When closing an account, first change the address to a disposable address.  Save the changes.  Then close the account. This way, your address falls off the spam-list.




Use two-factor authentication
All major vendors (Google, Facebook, Microsoft, most banks) support this.
Research it if you don't know what this is.

Use a PIN (or other security) on your cell phone
You need this for your two-factor authentication, above.

Speaking of phones, I have a deep distrust of all games, and I am suspicious of most programs -- always looking carefully at the permissions.  It is a dishonest world out there.


Periodically log in to your router and update the firmware (BIOS)
If your router is more than a few years old, replace it.

Record your router's IP addresses and credentials.
Here is a tutorial: First-time router setup
http://keyliner.blogspot.com/2012/06/linksys-ea2700-router-first-time-setup.html


Use a DNS Proxy
Yes, this is geeky and takes a few minutes to set up.
I am 100% sold on this idea.

Block nefarious and ad sites with a DNS proxy, protecting against scams and phishing.

Use either a Raspberry Pi
(See this keyliner article:  http://keyliner.blogspot.com/2018/01/network-wide-blocking-of-ads-tracking.html )

or use this easier, but less flexible, method: the "OpenDNS" service (208.67.222.123 or 208.67.220.123 -- see https://www.opendns.com/home-internet-security ).  Both the Pi and this are good ideas.

 

Claim your logins

Even if you do not use your bank's website for online banking, consider creating an account there, just to claim the real estate.  Claim an account on every entity that could harm your financial standing: broker accounts, investments, etc., all come to mind.  This suggestion is from security analyst Brian Krebs, whom I like to follow on Twitter.  Insist on two-factor authentication.


Lock Credit Reports

With the Equifax breach, all of your personal information has been leaked -- including your billing address, DOB, SSN, etc.  Lock your credit reports, and only unlock them when you need to.  This requires pre-planning and it requires good record keeping.

Equifax
Experian
TransUnion
Innovis

When I was talking with my security co-workers, telling them I did this, they said, "Duh!  We did this years ago."  It was that important to them; it should be that important to you.


Use a local SAN drive for data backups

Purchase a SAN drive for the home network.
I am now using a Synology SAN drive (no keyliner review yet).

These types of drives automatically back up files, keeping multiple generations of your data.  For example, my drive keeps the last 5 versions.  Read the article for important tips and tricks.  There are many vendors with similar products in this arena.  This is a good safety net.


Use a portable (offline) USB drive for "image" backups
This takes a snapshot of the entire PC: all files, the operating system, and drivers.  Useful in the event of a disaster.

This is for desktops and laptops.  Use "Acronis" to make the backup.



Virus scanners?

I suppose one is needed.  Use Microsoft's built-in Windows Defender scanner, unless you have a college student who does not follow rules 1-6 above; then I might consider a more industrial and expensive product, but even then, I have reservations about all commercial products.  Microsoft's scanner seems pretty good, and it comes with Windows.


Quit giving stuff away

Don't fill out surveys on Facebook and other such sites.

When filling in online registration forms, password-reset forms, etc., do not divulge real information.

For example, "What city were you born in?" -- use a scheme similar to the password scheme above, and answer every question with the word "purple."  On Facebook, you might say the city you were born in was "fPurpleCityBorn.B1aa" -- where you do not list the city, literally saying "CityBorn".  For your favorite book, "fPurpleFavoriteBook.B1aa".  This way you never have to remember your favorite book (or city born...).

See this keyliner article:  http://keyliner.blogspot.com/search?q=password+scheme   (Better, safer, stronger passwords).
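One way to mechanise both schemes, the per-site password from the password section and the "purple" security-question answers above, as an added PowerShell example that is not from the original post. The core string, the word "Purple" and the ".B1aa" suffix are the article's illustrative placeholders, kept here only so the worked values match the text; invent your own.

```powershell
# Added example, not the blog's own code. Core, word and suffix are the article's
# illustrative placeholders; replace them with your own secret scheme.
function New-SchemePassword {
    # Two-word site ("hot mail"): first letter of each word wraps the core -> hK9doggly.barksm
    # One-word site ("amazon"):   first two letters wrap the core          -> aK9doggly.barksm
    param([Parameter(Mandatory)][string]$Site,
          [string]$Core = 'K9doggly.barks')
    $words = @(($Site.ToLower() -replace '[^a-z ]', '') -split ' ' | Where-Object { $_ })
    if ($words.Count -ge 2) { $a = $words[0][0]; $b = $words[1][0] }
    else                    { $a = $words[0][0]; $b = $words[0][1] }
    return "$a$Core$b"
}

function New-SchemeAnswer {
    # Security-question "answers" that name the question instead of the truth,
    # e.g. facebook + CityBorn -> fPurpleCityBorn.B1aa
    param([Parameter(Mandatory)][string]$Site,
          [Parameter(Mandatory)][string]$QuestionTag,
          [string]$Word = 'Purple', [string]$Suffix = '.B1aa')
    return "$($Site.ToLower()[0])$Word$QuestionTag$Suffix"
}

function Test-SchemePassword {
    # Checks the article's rules: 14+ characters, upper, lower, a digit, a special character.
    # -cnotmatch is case-sensitive; plain -notmatch would let lowercase satisfy [A-Z].
    param([Parameter(Mandatory)][string]$Password)
    $problems = @()
    if ($Password.Length -lt 14)            { $problems += 'shorter than 14' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no uppercase' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lowercase' }
    if ($Password -notmatch '[0-9]')        { $problems += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no special character' }
    [pscustomobject]@{ Value = $Password; Ok = ($problems.Count -eq 0); Problems = ($problems -join ', ') }
}

# Worked values from the article: both site passwords pass every rule; the throwaway
# board password "DumKats.2aa" is flagged as too short for an important account.
'hot mail', 'amazon' | ForEach-Object { Test-SchemePassword (New-SchemePassword $_) }
Test-SchemePassword 'DumKats.2aa'
Test-SchemePassword (New-SchemeAnswer -Site facebook -QuestionTag CityBorn)
```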


Get a Google Voice Number (a new phone number).

Give this number to all vendors.  For example, my dry cleaner, Lowes, Home Depot, grocery-store rewards program, etc., all use my phone number as an account number.  This is less of a security concern than a sanity issue.  No sense getting spam calls when they sell your number, and they will sell your number.

Some people I know use a phone number scheme -- where they always give a fictitious number, such as 208.123.4567 -- always using the same number. One friend gives an old land-line number, which was probably re-assigned to some poor schmuck who now gets all of his spam calls. 



Drivers License
Nobody should get a copy!

Many hotels and banks scan your driver's license, storing an image, usually of the front and back side, including the CIV number.  For banks, this seems legitimate, but hotels are using the image in case there is a dispute about who charged the room.  Some also scan your credit card.

Admittedly, you can't always avoid them scanning your license, but I am no longer comfortable with the idea.  Lord knows where they keep these files and how secure they are.  Can employees see these?  You bet! 

Your driver's license is used for e-filed taxes and to register online accounts with the IRS.  It is also used for credit applications.  If you can, argue and don't let them scan the license.

I realized this was a problem when a seedy motel scanned (or xeroxed) my driver's license ostensibly to prove that my credit-card was used and authorized -- many, if not most hotels and motels do this.  I have no idea where those images are now.

Consider using tape to cover some of the fields and bar codes (younger drivers will have to leave the DOB exposed, for obvious reasons).

I have just started doing this and am unsure how well it will be accepted.  If needed, the tape is easily removed.  I will follow up on this in a later post.


-end.


Your suggestions on this topic are welcome.