Topic: Personal Information Security - a Letter to Family and Friends

brilligtove
Personal Information Security - a Letter to Family and Friends
« on: November 06, 2018, 04:49:54 PM »
I was asked to help out a friend of a friend with a THERE'S A VIRUSSSSS! panic about their laptop. Looked to me like the laptop was fine and they'd seen a malicious ad popup while browsing, but OK. After a lot of back and forth I sent them all the following email.

It is targeted at Windows users who think monkey123 is a secure password to use for every online account and service they have. These ones were very focused on stopping any infections on the computer and completely ignorant of where they are much more vulnerable.

What should be changed to improve the clarity of the message for a more generic end-user? More detail? Less? On which topics? Am I missing a basic protective action for someone in this category?

Quote
Hi, [name]. Here's some advice about what you can do to make yourself more secure.

Executive Summary
  • Do not install any third party anti-virus (3P AV) software. Windows Defender is built right into Windows to quietly keep you safe for free.
  • Use a password manager like LastPass.
  • Never open links or attachments in emails.
  • Use an ad-blocker like uBlock Origin.
  • Keep Windows updated.
You can skip the Understanding... section if you wish. It describes why you don't need Kaspersky or any other third party anti-virus program.

Please do not skip the Actions.

_____

Understanding Third Party Anti-Virus Software
Windows Defender is a built-in anti-virus (AV) program that has been very deeply integrated into every aspect of Windows. AV programs, by their nature, have to have access to the most vulnerable and important parts of the operating system - in the same sense that secret security guards have to be able to watch the sleeping President. When you install third-party AV (3P AV) software you are firing the secret service and contracting out your protection to a private company. Unfortunately, that 3P AV does not have the same deep integration that the secret service has. They need to hack into Windows - using some of the same techniques that viruses use - to be able to monitor every aspect of what you do with Windows.

Third party anti-virus software has other problems as well. They are expensive, and their business model is based on keeping you scared so you keep paying for unnecessary protection. Even worse, 3P AV can actually increase your risk of infection. Every program you install gives hackers a new attack surface - that is, a new door, window, or wall that could be vulnerable to hacking. The only way for a 3P AV to avoid being a new vulnerability is if the software is 100% perfect - and it just can't be.

On balance it is cheaper, safer, and much less frightening to let Windows Defender take care of your system.

Windows Defender depends on regular updates to be effective. There are two main types of update. The big one is called "Patch Tuesday." On the second Tuesday of each month Microsoft pushes out corrections and fixes to your computer. This is done through a program called Windows Update. These patches repair vulnerabilities, bugs, and other problems with Windows. They generally happen in the background, overnight. This means that you should leave your computer on overnight on that second Tuesday. Many patches will reboot the system, so make sure you have saved your work.

The other kind of update happens in the background every day when Windows Defender checks for updated instructions on how to detect new threats. This should just happen without you having to do anything.
______

Actions
Your computer is well defended as it is. You are vulnerable. These actions will drastically increase your online security. The cost is about an hour of learning.

ACTION #1. Use a Password Manager to Get Rid of Weak Passwords
Your current passwords can be hacked in seconds.

You are vulnerable to identity theft, extortion, ransomware, having your savings taken, and more. Right now your online life is walking around the streets of Detroit in the middle of the night with a big bag of cash carried loosely in one hand. And you left the car running with the doors unlocked. With a map to your house. Which is also unlocked. And the safe is open.

This sounds like hyperbole. It isn't. This is what you should be afraid of, much more than getting a virus. Unfortunately people treat passwords like they handle heart attacks: ignore all the deadly risks until it's far too late.

This problem can be eliminated by using a password manager like LastPass. It is a free browser extension that you add to Google Chrome. (An extension is a little program that extends - adds to - what your browser can do.) Once you start to use it, it will manage your passwords for you. LastPass.com has lots of information about how it works. You should use the free version.

How It Works
Passwords are terrible. To be secure you need to have a different password for every account and service. Oh, and they have to be long strings of random gobbledygook, like this: k&3B9e8D71,m

This is impossible for humans to manage manually - but that's why we have tools that can manage your passwords for you. You still need to remember one secure password. The password manager remembers the rest in a secure, convenient way. For example, LastPass works everywhere: iPad or iPhone, Android phones and tablets, macOS, Windows, and Chromebooks. All you need to do is log in to the password manager, go to a site like your bank, and then change your password. LastPass will offer to make a strong password for you, save that password, and make it accessible to you on all your devices.

ACTION #2. Never Open Links and Attachments in Emails
This is the most common way people get hacked. You think you're going to an interesting article from a friend or a service, but you are not. Your bank sends you a note? Open your browser, type in the bank's website (bmo.com etc.) and check your accounts yourself. Your friend sends you a video? Nope. Even if they meant to send it, it could be a virus designed to hack you when you play it. Go to YouTube.com and find it yourself.

The Lone Exception
If you have personally requested a link or attachment, or have been personally told that one is coming you can open it with lower risk.

How It Works
Unsolicited attachments can hold viruses that activate when you open the attachment. If you did not personally request that attachment you should not open it.

Malicious links take you to a website that looks exactly like your bank, or Amazon, or your medical records. They also put a 'man in the middle' to watch and record everything you do. When you type in that password, it records the information. When you log out the hacker logs in and empties your account.

ACTION #3. Use an Ad-Blocker to Stop Malicious Ads While Browsing
Your browser is fairly secure, but there are a lot of ads that can pop up frightening messages, or even hack your system without your knowing. This happens because ads are not just images or animations. They are actually complex programs that can hack and track you.

The simplest fix is to install the uBlock Origin extension in your browser. uBlock prevents most ads, speeds up your browsing on many sites, and helps keep you safe. It can interfere with some video playback from news sites, but it is easy to turn on and off for sites you trust.

ACTION #4. Keep your computer updated
Leave your laptop on overnight on the second Tuesday of each month so Windows can patch itself up.
_____

Final Notes
I am sure that some of the things I've discussed seem strange, difficult, or hyperbolic. Perhaps all of the above. Learning to use LastPass, adding uBlock Origin, and not clicking links and attachments all take a bit of effort - but then, so does installing and maintaining a fire alarm. I hope you make the effort to protect yourself, your information, and your accounts.

I'll update the letter based on feedback. Feel free to quote-and-alter without worrying about keeping the QUOTE tags nested around it. Also feel free to share.
evidence trumps experience | performance over perfection | responsibility – authority = scapegoat | emotions motivate; data doesn't

SkeptiQueer
Re: Personal Information Security - a Letter to Family and Friends
« Reply #1 on: November 06, 2018, 05:42:47 PM »
How does lastpass differ from Google's password manager if you're using 2FA and using randomly generated character strings?
HIISSSSSSSS

arthwollipot
Re: Personal Information Security - a Letter to Family and Friends
« Reply #2 on: November 06, 2018, 06:13:03 PM »
I'm not familiar with Google's password manager, but I'd be surprised if it weren't largely similar in function to LastPass or any one of a number of different password managers.
Self-described nerd. Pronouns: He/Him.

brilligtove
Re: Personal Information Security - a Letter to Family and Friends
« Reply #3 on: November 06, 2018, 07:30:43 PM »
Quote
How does lastpass differ from Google's password manager if you're using 2FA and using randomly generated character strings?

Are you talking about having the Chrome browser storing your passwords for you? If that's the case there are a few differences.

With LastPass the only one who can ever unlock your vault is you (or someone with your username and password). I don't know if Google can respond to a warrant and give up your logins - but I'd be surprised if they can't.

LastPass works on any browser on any platform. Chrome works on Chrome.

I've set up people on Chrome with it remembering passwords because they only use one device - a windows PC, for example. If they use different browsers and OSs in different places - windows at home but have an iPhone - the password management problem gets troublesome again.

John Albert
Re: Personal Information Security - a Letter to Family and Friends
« Reply #4 on: November 08, 2018, 04:24:21 PM »
I think that warning them to never open links or attachments in emails is a bit too much.

Instead I would advise them never to click links or open attachments in emails that they're not expecting, or from sources they don't know. And to validate that the source is legit, advise them to open the email headers (in Gmail, click the menu icon and then "Show original") and double-check the sender to make sure the URL is spelled correctly.

Also, tell them to turn off "Display images" in their email client and only display images after double-checking the sender URL as described above.


Also, one of the most important pieces of general computing advice: never download pirated software, or install or run software from untrusted sources unless you're running a virtual machine. 
« Last Edit: November 08, 2018, 05:05:36 PM by John Albert »
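The sender check John Albert describes above ("Show original", then look at who really sent it), worked through in code. This is an added example and is not part of any post in this thread. Both messages are constructed for the demo, every domain in them is a placeholder, and the bank domain is only the one the letter itself mentions; the checks are the ones a receiving mail server records in its Authentication-Results header (SPF, DKIM, DMARC) plus a comparison of the display name's claim against the actual address and bounce address.

```python
"""Header checks for a suspicious e-mail, the kind exposed by Gmail's
"Show original". Added example, not from any post in this thread; both
messages below are constructed, and the domains are placeholders."""
import email
from email import policy
from email.utils import parseaddr

# Constructed phishing message: the display name claims a bank, the real
# address and bounce address live elsewhere, and the receiving server's
# Authentication-Results line records SPF failure and no DKIM signature.
PHISH = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none
From: "BMO Online Banking" <security-alert@mail-notify.example>
To: victim@example.com
Subject: Action required: verify your account

Please click the link to verify your account.
"""

# Constructed legitimate message for comparison: every domain matches and
# SPF, DKIM and DMARC all pass.
LEGIT = """\
Return-Path: <alerts@bmo.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bmo.com;
 dkim=pass header.d=bmo.com; dmarc=pass
From: "BMO Online Banking" <alerts@bmo.com>
To: victim@example.com
Subject: Your monthly statement is ready

Log in to view your statement.
"""

def domain_of(address):
    """Lower-cased domain of an address like '"Name" <user@host>', or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for token in header.replace(";", " ").split():
            method, sep, result = token.partition("=")
            if sep and method in ("spf", "dkim", "dmarc"):
                verdicts[method] = result.lower()
    return verdicts

def check_sender(raw, expected_domain):
    """Return warnings for a message that claims to come from expected_domain.
    An empty list means the headers are consistent with that claim."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_domain = domain_of(msg["From"])
    if from_domain != expected_domain and not from_domain.endswith("." + expected_domain):
        warnings.append(f"From address is at {from_domain!r}, not {expected_domain!r}")
    bounce_domain = domain_of(msg.get("Return-Path", ""))
    if bounce_domain and bounce_domain != from_domain:
        warnings.append(f"Return-Path domain {bounce_domain!r} differs from From domain")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            warnings.append(f"{method} did not pass (result: {verdict})")
    return warnings

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_sender(raw, "bmo.com") or "no warnings")
```

The Authentication-Results header is the one worth teaching people to read: it is written by their own mail provider, not by the sender, so a "spf=fail" or "dkim=none" there cannot be forged by the phisher the way the From line can.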

brilligtove
Re: Personal Information Security - a Letter to Family and Friends
« Reply #5 on: November 08, 2018, 09:07:51 PM »
We're talking about people who don't understand what 'email client' means, let alone fancyass jargon like "URL" and "virtual machine". The advice is all good, and I follow pretty much all of it - but these people don't have a chance.

I started with a solid rule with one exception because of that level of expertise. Checking the URL spelling isn't good enough. Try going to facebοok.com, for example. The Greek unicode character that replaces one 'o' isn't really visible without extra steps that they don't understand.
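The look-alike domain brilligtove mentions above (facebook with one Latin 'o' swapped for the Greek omicron), and how a browser or a script can tell it apart. This is an added example, not from any post in this thread. Python's unicodedata module has no script property, so the "which writing system" test below is an approximation built from the first word of each character's Unicode name; the omicron is written with a \u escape so the example is unambiguous in plain text.

```python
"""Spot look-alike hostnames such as facebook.com with a Greek omicron
(U+03BF) in place of one 'o'. Added example, not from any post in this thread."""
import unicodedata

# The example from the post above, built with an escape so it cannot be
# mistaken for the real name: "faceb" + GREEK SMALL LETTER OMICRON + "ok.com".
LOOKALIKE = "faceb\u03bfok.com"

def to_punycode(hostname):
    """The ASCII form a browser actually resolves; non-ASCII labels become xn--..."""
    return hostname.encode("idna").decode("ascii")

def scripts_in(label):
    """Rough set of writing systems used in one label, taken from the first
    word of each character's Unicode name (e.g. 'GREEK', 'CYRILLIC').
    unicodedata has no script property, so this is an approximation that
    treats all ASCII (letters, digits, hyphen) as LATIN."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def strip_marks(text):
    """Remove accents and compatibility forms: 'ö' -> 'o', fullwidth letters -> ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def lookalike_warnings(hostname, trusted):
    """Warnings for a hostname that is not the trusted one but may pass for
    it on screen. An empty list means no look-alike tricks were found."""
    hostname, trusted = hostname.lower(), trusted.lower()
    warnings = []
    if hostname == trusted:
        return warnings
    if not hostname.isascii():
        warnings.append(f"contains non-ASCII characters; the browser resolves {to_punycode(hostname)}")
    for label in hostname.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            warnings.append(f"label {label!r} mixes scripts: {sorted(scripts)}")
    if strip_marks(hostname) == trusted:
        warnings.append("differs from the trusted name only by accents or look-alike forms")
    return warnings

if __name__ == "__main__":
    for name in ("facebook.com", LOOKALIKE, "facebo\u00f6k.com"):
        print(name, lookalike_warnings(name, "facebook.com") or "ok")
```

The punycode form is the detail worth showing a non-technical user: the address bar may display the Greek letter, but the name the browser looks up starts with xn--, which is why modern browsers fall back to that form when a label mixes scripts.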

The Latinist
Re: Personal Information Security - a Letter to Family and Friends
« Reply #6 on: November 08, 2018, 10:48:54 PM »
Is it worth warning them not to forward chain E-mails? That’s a big way that their E-mail addresses (and those of everyone they just have to send that fake news or kitten picture to) get exposed to phishers and spammers.  And, of course, they’re annoying as fuck.

One of the huge benefits of LastPass and similar cross-platform password managers is that they can be used in multiple browsers and now can even be accessed in any app on an iPhone through iOS’ password manager API.  It’s made my life a hell of a lot easier.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

brilligtove
Re: Personal Information Security - a Letter to Family and Friends
« Reply #7 on: November 09, 2018, 04:42:10 PM »
The chain emails hadn't occurred to me. My mom still does that though. I've tried to get her to stop, and made her watch while I delete her emails unopened, but it just won't sink in. Good idea.

I use LastPass on my android phone, android tablet, iPad, windows PC, and Mac Mini. The iOS integration got a ton better with recent updates. I don't run it in the most secure mode though. I have it set up to require fingerprint authentication to autofill anything. The convenience is fantastic, and worth the security trade off for me. Do you do it that way?

The Latinist
Re: Personal Information Security - a Letter to Family and Friends
« Reply #8 on: November 09, 2018, 08:47:05 PM »
I have mine set up with two-factor authentication for new devices. On my phone and MacBook I remember the authorization for 30 days or any time fingerprints change or are locked out (as, for instance, using the panic function or on restart).  I consider the fingerprint authentication on the iPhone itself sufficient. My MacBook is protected by my work passphrase (one of only three I memorize: work, iPhone, and LastPass—everything else is a 24-character random string).

My mother no longer sends me chain E-mails since the time I blocked her E-mail address for 90 days, bouncing her E-mails with a message saying she’d been banned for spamming. But she still doesn’t get my real personal E-mail address (literally nobody does).

John Albert
Re: Personal Information Security - a Letter to Family and Friends
« Reply #9 on: November 09, 2018, 09:11:13 PM »
Quote
We're talking about people who don't understand what 'email client' means, let alone fancyass jargon like "URL" and "virtual machine". The advice is all good, and I follow pretty much all of it - but these people don't have a chance.

So then just tell them not to download and install random software off the Internet, and especially to avoid pirated or "portable" versions of popular programs.

brilligtove
Re: Personal Information Security - a Letter to Family and Friends
« Reply #10 on: November 10, 2018, 01:29:33 AM »
Quote
We're talking about people who don't understand what 'email client' means, let alone fancyass jargon like "URL" and "virtual machine". The advice is all good, and I follow pretty much all of it - but these people don't have a chance.

So then just tell them not to download and install random software off the Internet, and especially to avoid pirated or "portable" versions of popular programs.

I want to. They just have no idea what any of that means. Seriously: 'download' is a stretch here.

arthwollipot
Re: Personal Information Security - a Letter to Family and Friends
« Reply #11 on: November 11, 2018, 07:09:07 PM »
Quote
We're talking about people who don't understand what 'email client' means, let alone fancyass jargon like "URL" and "virtual machine". The advice is all good, and I follow pretty much all of it - but these people don't have a chance.

So then just tell them not to download and install random software off the Internet, and especially to avoid pirated or "portable" versions of popular programs.

I want to. They just have no idea what any of that means. Seriously: 'download' is a stretch here.

I sympathise. I've had to teach my dad, who is having his 80th birthday next year, how to use computers. He's actually quite good at it now, although I do recall one heated argument I had with him when I said that he'd have to set up an email account. He insisted - very strongly - that it wasn't an "account". An "account" was something that you have at the bank, which holds your money. I pointed out that as an electrical engineer, he shouldn't be using the word "current" because that's something that happens in water.

brilligtove
Re: Personal Information Security - a Letter to Family and Friends
« Reply #12 on: November 16, 2018, 09:31:33 AM »
If you haven't been to 1.1.1.1 yet it is worth taking a look. I'm using this Cloudflare service to secure my DNS lookups during normal browsing. I still use NordVPN for hotels and cafes.

Guillermo
Re: Personal Information Security - a Letter to Family and Friends
« Reply #13 on: November 19, 2018, 04:51:14 PM »
Isn't a set of words: correcthorsebatterystaple or fourwordsalluppercase better than a string of letters and symbols?

My problem with ad-block software is that I am an advocate for ads on websites. I'd love for an adblocker that would block the ads for nauseous websites but not for the ones that do it properly.  Until recently I had Adblock Plus and I disabled most websites like youtube and some news aggregators. I'd block any that have popups, audio, running videos, or more than 40% of the screen with ads.  But Adblock Plus is not a good platform for that level of control.

"There will one day be a member named "No Lynch" and he won't be able to play mafia.  :P"

The Latinist
Re: Personal Information Security - a Letter to Family and Friends
« Reply #14 on: November 19, 2018, 05:32:25 PM »
A passphrase like that isn’t stronger than a similar random password, it’s just easy to remember.  But if you’re following best practices and using unique passwords on each site it’s pretty much impossible to remember unique pass phrases for the dozens of sites we regularly use anyway. And at least theoretically such a password is susceptible to a dictionary attack.

I use a strong passphrase as my LastPass master password and for my work account, both of which I need to remember myself.  Otherwise I let LastPass generate long random passwords for me.
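A worked comparison of the two password styles in the exchange above (Guillermo's correcthorsebatterystaple passphrase versus The Latinist's 24-character random strings). This is an added example and is not from any post in this thread. The short word list in it is a constructed stand-in; the entropy figures assume a real Diceware-style list of 7776 words and a 94-character printable alphabet, and the generator draws from `secrets` because a password generator must use the operating system's CSPRNG, never the `random` module.

```python
"""Guess-resistance of the password styles discussed above: a random string
from a password manager versus a passphrase of dictionary words. Added
example, not from any post in this thread. The word list is a constructed
stand-in; a real Diceware list has 7776 words."""
import math
import secrets
import string

SYMBOLS = string.ascii_letters + string.digits + string.punctuation   # 94 printable characters
DICEWARE_SIZE = 7776                                                   # 6**5 five-dice outcomes

# Constructed stand-in word list (only its length and the uniform choice matter here).
WORDS = ["correct", "horse", "battery", "staple", "four", "words", "all", "upper", "case", "river"]

def bits_random(length, alphabet_size=len(SYMBOLS)):
    """Entropy in bits of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def bits_passphrase(word_count, list_size=DICEWARE_SIZE):
    """Entropy in bits of `word_count` words drawn uniformly from a list of list_size words.
    Assumes the attacker already knows the list (the dictionary attack mentioned above),
    so the words themselves add nothing; only the number of them and the list size count."""
    return word_count * math.log2(list_size)

def words_to_match(length, list_size=DICEWARE_SIZE):
    """Smallest passphrase (in words) at least as strong as `length` random characters."""
    return math.ceil(bits_random(length) / math.log2(list_size))

def random_password(length=24):
    """What a password manager's generator does: draw each character from the OS CSPRNG."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))

def passphrase(word_count, wordlist=WORDS):
    """Diceware-style passphrase: each word chosen independently and uniformly."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))

if __name__ == "__main__":
    print(f"4-word Diceware passphrase: {bits_passphrase(4):.1f} bits")
    print(f"12 random characters:      {bits_random(12):.1f} bits")
    print(f"24 random characters:      {bits_random(24):.1f} bits, "
          f"matched only by a {words_to_match(24)}-word passphrase")
    print(random_password(), "|", passphrase(4))
```

The numbers back the point made in the reply: four dictionary words from a 7776-word list are worth about 52 bits, a 12-character random string about 79, and a 24-character random string about 157, which no memorable passphrase approaches. That is why the passphrase belongs on the one master password you must remember and the random strings on everything the manager stores.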
