There’s been a lot of talk about dumb users and – even worse – dumb IT folks. It’s also getting easier for Joe Foo’ Public to grab freeware tools and get all up in your business. So what’s a typical user to do? Well, Papa Kevlar is here to tell you that all is not lost, even if you’re not super tech savvy.
This list is by no means all-encompassing. It’s a starter guide, meant to ensure that you, the typical user, present just enough resistance that any script kiddie will pass you over for an easier target.
It’s annoying when that little system tray popup tells you that Java needs another update. I mean, you just updated yesterday and the day before that and the day before that and the day before that… But why do they update so often? Straight from the Java FAQs:
Why should I upgrade to the latest Java version?
The latest Java version contains important enhancements to improve performance, stability and security of the Java applications that run on your machine. Installing this free update will ensure that your Java applications continue to run safely and efficiently.
Not only are there bug fixes, there are vulnerability fixes, and this applies to almost all auto-updating software, especially anything that touches the web, and to your OS itself. Have you ever looked at what’s in a typical Windows update package? Security updates make up a large share of it. Microsoft, Oracle (Java), Adobe and the rest pay developers and testers to hunt for holes before release, but that’s a finite group of people. There are thousands of others who make a living finding and exploiting holes after release, and they keep looking until they find one they can use. Once a hole is discovered, the developer releases a patch; that patch only protects you if you actually install it.
What happens if I don’t update? It’s like buying a house, then finding out that your bedroom window is made of Saran Wrap. If you don’t fix the problem, you’ve left yourself open to anyone who pokes around and notices. So update your software, especially Java and Flash. Browser plugins like Java and Flash render a lot of the content on the internet, and merely visiting a site that targets weaknesses in an older version can compromise your machine without you clicking on anything (the so-called drive-by download). If you don’t actually use those plugins, the even better fix is to disable them in your browser.
Don’t want to shell out $40 a year for Norton or McAfee to protect all of your personal information? Well, that sounds silly, considering it protects you against malware logging your passwords and what-not, but there’s still a solution. Microsoft Security Essentials is widely regarded as the best free anti-virus solution; Avast and AVG are alternatives, but they’re not as pretty.
They may seem clunky, and you may claim to never visit sites that would give you viruses, but one tainted email from an unwitting relative that asks you to check out the kitten pictures on thisisnotascam.com will ruin your day. It’s much easier to have software that looks out for you, especially if you have friends or relatives over who use your computer.
Use Good Passwords, and use them wisely!
Sure, you’ve heard it a million times: use good passwords. But they’re not much use if you use the same one for every website and keep it on a sticky note under your keyboard. A good password is one that isn’t easily guessed by people or computers. XKCD has a thought on the topic (a long passphrase of plain words beats a short word with a few symbol substitutions), but not all sites will accept passwords without numbers. So what’s a computer user to do?
For those with horrible memories, try Password Card. It’s a grid of randomly printed characters, and you pick where to start and which direction to read from. Another convention is to have a base phrase, mixed with special characters and numbers, plus a replaceable section that names the website it’s used on. For instance, for the base phrase “I lost my shoe” you could use “Il0stMyshoe@wells” for Wells Fargo or “Il0stMyshoe@paypal” for your PayPal account. Be clear-eyed about what that buys you: it stops automated attacks that replay the exact leaked string on other sites, but anyone who actually reads “Il0stMyshoe@wells” in a leak will guess “Il0stMyshoe@paypal” in about a second. So a site tag on its own doesn’t mean you’re safe if one site is compromised.
That’s why passwords should also be tiered by importance. Your banking passwords should be vastly different from your email password, which should be vastly different from your social networking passwords, which should be vastly different from your “play” site passwords, such as Gawker or Reddit. That way, when someone releases a list of Gawker passwords, your password of “5topW4stingT1me@Gawker!” can’t simply be changed to “5topW4stingT1me@Chase!” to gain access to what’s left of your stock portfolio. Your email account belongs in the top tier: it’s where every other site sends its password-reset link, so whoever controls it can reset the rest.
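As an added illustration (not code from the original post), here is a small Python script that plays the attacker’s side of the site-tag substitution and then checks a list of accounts for exactly the cross-tier reuse described above. The site names, tier labels and passwords are made up for the demo; it assumes the attacker guesses the same short site tag you used (wells, chase, gawker), which is the natural first guess.

```python
# Added example (not from the original post): why a per-site suffix is not
# real isolation, and a check that tiered passwords do not share a base.
# All site names, tiers and passwords below are constructed for illustration.
import re


def split_site_token(password, site):
    """Find the site name inside a password (case-insensitive).

    Returns (prefix, token_as_written, suffix), or None if the site name does
    not appear, i.e. the password carries no site tag to swap.
    """
    m = re.search(re.escape(site), password, re.IGNORECASE)
    if m is None:
        return None
    return password[:m.start()], m.group(0), password[m.end():]


def derive_candidates(leaked_password, leaked_site, target_sites):
    """What an attacker tries elsewhere after reading one leaked password.

    The site tag is replaced with each target site, keeping the letter-case
    style of the original tag (lower, UPPER or Capitalized). An empty dict
    means the leak offers no obvious pattern to reuse.
    """
    parts = split_site_token(leaked_password, leaked_site)
    if parts is None:
        return {}
    prefix, token, suffix = parts

    def restyle(name):
        if token.isupper():
            return name.upper()
        if token.islower():
            return name.lower()
        return name.capitalize()

    return {site: prefix + restyle(site) + suffix for site in target_sites}


def base_of(password, site):
    """The password with its site tag removed; unchanged if there is no tag."""
    parts = split_site_token(password, site)
    if parts is None:
        return password
    prefix, _, suffix = parts
    return prefix + suffix


def shares_base(pw_a, site_a, pw_b, site_b):
    """True when two passwords differ only in their site tag, i.e. they are
    effectively one password from an attacker's point of view."""
    return base_of(pw_a, site_a) == base_of(pw_b, site_b)


def cross_tier_reuse(accounts):
    """accounts: list of (site, tier, password).

    Returns the pairs of sites in *different* tiers whose passwords share a
    base. Reuse inside a tier is the accepted trade-off of the scheme;
    reuse across tiers is what lets a Gawker leak open a bank account.
    """
    hits = []
    for i, (site_a, tier_a, pw_a) in enumerate(accounts):
        for site_b, tier_b, pw_b in accounts[i + 1:]:
            if tier_a != tier_b and shares_base(pw_a, site_a, pw_b, site_b):
                hits.append((site_a, site_b))
    return hits


if __name__ == "__main__":
    # Constructed leak: the post's own example password, found in a dump.
    print(derive_candidates("5topW4stingT1me@Gawker!", "gawker",
                            ["chase", "paypal", "gmail"]))
    # Constructed account list (site, tier, password).
    accounts = [
        ("gawker", "play", "5topW4stingT1me@Gawker!"),
        ("reddit", "play", "5topW4stingT1me@Reddit!"),
        ("chase", "bank", "5topW4stingT1me@Chase!"),
        ("gmail", "email", "correct horse battery staple"),
    ]
    print(cross_tier_reuse(accounts))
```

For the constructed list the check flags gawker/chase and reddit/chase but not gawker/reddit: reuse among “play” sites is the trade-off the scheme makes, reuse that reaches the bank is not. The unrelated passphrase on the email account shares no base with anything and never shows up, which is the whole point of keeping the top tier separate.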
If you absolutely must write down important passwords, put them in a safe place, like a safe. And if you like to have your browser remember your passwords, use the “Set Master Password” feature, which requires you to identify yourself at least once per session before the stored passwords can be used or viewed. Without it, anyone who sits down at your unlocked computer can read every saved password straight out of the browser settings.
Security at home:
Encrypt your Wi-Fi! Seriously. It’s easy to do with modern router tools: pick WPA2 with a long passphrase (not WEP, which can be cracked in minutes), and it keeps people off your network, which is what stops your shady neighbor from sniffing your traffic and poking at your computers. A friend of mine has a neighbor with unencrypted wireless, and the guy stores his dental patients’ records on that computer. Not too bright. On that topic, only share folders on your computer that absolutely must be shared. Tax returns and bank statement PDFs shouldn’t be shared, but your media folders are probably okay.
Ensure that your important documents are encrypted. An excellent encryption tool is TrueCrypt, a utility that creates a virtual drive encrypted with your choice of cipher. Just be careful: there’s no way to recover the data if you lose the password, so that is one password you may genuinely want to write down and put in the safe. (TrueCrypt has since been abandoned by its developers; VeraCrypt is the maintained fork if you’re setting this up today.)
User Management: Many households have shared computers. There’s no problem with that. Just ensure that there are at least two user accounts, and that both are password protected. Why two? Because one should be an Administrator account and the other a Limited (Standard) account. Only use the admin account to install and maintain the computer, like updates. The rest of the time you should be surfing and chatting from the limited account. That way malware you pick up while browsing runs with your limited rights and can’t silently install itself system-wide or reach other users’ files (it can still read everything in your own profile, so this limits the damage rather than preventing it). The Limited account should be password protected because, let’s face it, you’ll be doing most of your browsing and downloading on this account, and leaving it wide open wouldn’t be very smart.
The above list is a basic guide that will keep you safer than most. It essentially makes you a hard enough target that (hopefully) the average hacker will avoid you. If you’ve done something to become the target of a pissed-off hacker, this won’t save you. So don’t do that. I will leave you with this video from DefCon, showing you how easy it is for anyone with the motivation to get into your workplace. Some of his actions are scary, so when you go to work, be a better informed user.