Smart and simple security recommendations

Clinically Insane
Join Date: Mar 2001
Location: yes
I believe if changing a user's behavior is relatively simple and straight forward and will result in an increase in personal security, they should go for it. In many cases, it doesn't take much, and there is no significant downside.
Here are some recommendations of my own, feel free to add to this list or ask any questions if you'd like to learn more about securing your system:
1) Do not use insecure protocols such as telnet, FTP, non-SSL encrypted IMAP/POP, or http to send passwords or other relatively important data. Where these options are available from the server hosting this data, all that is necessary to use them is to simply change a setting in your client. If these options aren't available, it doesn't hurt to request them or reconsider your workflow. Even if your data is not terribly sensitive, your password being obtained can almost always be used to wreak havoc. Secure replacements to these protocols will encrypt the transmission of your username/password.
2) Learn about what a firewall is and how to use it. Just turning it on is better than nothing, but it is even better to learn about what you are doing. A firewall is not just some sort of magic piece of software that makes everything automatically secure for you.
3) Where passwords have to be sent "in the clear", such as forum passwords, use a different password than the one you use for accessing your email or computer.
4) Be responsible. This especially goes for Windows users. Even if you have absolutely nothing on your computer that you'd consider private, a lot of inconvenience can be caused if your computer is turned into a zombie. The virus threat on OS X is indeed much lower, and I realize that there are currently no known viruses in the wild, but one could definitely write something that would cause people a major inconvenience (deleting your entire home directory, for instance, can be done without any special permissions). The trick is in getting the virus to propagate, and that is where we are far more safe. Still, don't think for a moment that it is impossible to write a harmful program. Do not run programs downloaded from strange sources. If you pirate software, realize that you are putting yourself at risk.
I could go on, but this is probably a good start.
Clinically Insane
Join Date: Nov 1999
5) Don't run as anything that can install software without asking you for a password. That means that you shouldn't run as the Owner on Windows, and you shouldn't run as root on Macs.
It may seem like an inconvenience, but this one simple measure will by itself stop nearly all malware dead in its tracks before it can even install itself. When the machine asks for your password, it is asking the machine's owner to give the go-ahead for a sensitive task (like software installation). The only way it can be sure that the owner is OK with this is to ask for something only the owner has: the password.
Note to Apple and Microsoft: would it really kill you to explain this properly in your default dialog boxes?
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!

Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Millennium
5) Don't run as anything that can install software without asking you for a password. That means that you shouldn't run as the Owner on Windows, and you shouldn't run as root on Macs.
It may seem like an inconvenience, but this one simple measure will by itself stop nearly all malware dead in its tracks before it can even install itself. When the machine asks for your password, it is asking the machine's owner to give the go-ahead for a sensitive task (like software installation). The only way it can be sure that the owner is OK with this is to ask for something only the owner has: the password.
Note to Apple and Microsoft: would it really kill you to explain this properly in your default dialog boxes?
Nice addition!
If you give users a gun, they will most certainly shoot themselves in the head. Best to explain how to not shoot yourself in the head.
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Computers are a wonderful way of giving you enough rope to shoot yourself in the foot with. (I have a book on programming with a title similar to that: the C language is dangerous in inexpert hands.)
6) NEVER believe that your machine is impervious to all attacks, because it isn't, and believing it is makes you complacent and sloppy. This means that you must pay attention to any odd behavior, unexpected system messages, atypical performance (either slower or faster), and apps that don't do what you expect them to from experience. This might be translated to being aware of your machine rather than just expecting everything to be all sweetness and light.
Glenn -----
OTR/L, MOT, Tx

Posting Junkie
Join Date: Dec 2000
Originally Posted by ghporter
Computers are a wonderful way of giving you enough rope to shoot yourself in the foot with.
... you can shoot yourself in the foot with a rope?
Moderator
Join Date: Apr 2005
Location: Cambridge, UK
Originally Posted by Millennium
5) Don't run as anything that can install software without asking you for a password. That means that you shouldn't run as the Owner on Windows, and you shouldn't run as root on Macs.
It may seem like an inconvenience, but this one simple measure will by itself stop nearly all malware dead in its tracks before it can even install itself. When the machine asks for your password, it is asking the machine's owner to give the go-ahead for a sensitive task (like software installation). The only way it can be sure that the owner is OK with this is to ask for something only the owner has: the password.
Note to Apple and Microsoft: would it really kill you to explain this properly in your default dialog boxes?
This is good advice and I did it for a while, but it requires constantly switching user to install software/hardware or do pretty much anything, so I just gave up. Until Microsoft make it easy like Apple (maybe in 10 years when they've finished ripping off Leopard) I won't try this again.
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
I have several:
7. Run a regular user account for day-to-day computing.
8. Don't allow user listing on the login screen.
9. Don't permit autologins and (for laptop users especially) require passwords to turn on/wake the machine.
10. Turn on encryption whenever and wherever you can (e.g. FileVault) - again especially for laptop users.
Dedicated MacNNer
Join Date: Nov 2004
Originally Posted by besson3c
1) Do not use insecure protocols such as telnet, FTP, non-SSL encrypted IMAP/POP, or http to send passwords or other relatively important data. Where these options are available from the server hosting this data, all that is necessary to use them is to simply change a setting in your client. If these options aren't available, it doesn't hurt to request them or reconsider your workflow. Even if your data is not terribly sensitive, your password being obtained can almost always be used to wreak havoc. Secure replacements to these protocols will encrypt the transmission of your username/password.
Can someone explain this in "Dumb and Dumber" terms? For instance, I use Captain FTP to transfer files to my website server. My password being sent to access the server can be compromised, leaving either my website or computer vulnerable?
I have no lid upon my head. But if I did, you could look inside and see what's on my mind.

Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by alphasubzero949
I have several:
7. Run a regular user account for day-to-day computing.
8. Don't allow user listing on the login screen.
9. Don't permit autologins and (for laptop users especially) require passwords to turn on/wake the machine.
10. Turn on encryption whenever and wherever you can (e.g. FileVault) - again especially for laptop users.
Just to elaborate on FileVault, it will offer you protection for when your computer is stolen or physically compromised somehow - it doesn't offer additional network protection if you are already using encrypted network protocols.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by GuyWithACamera
Can someone explain this in "Dumb and Dumber" terms? For instance, I use Captain FTP to transfer files to my website server. My password being sent to access the server can be compromised, leaving either my website or computer vulnerable?
Well, I don't want to employ scare tactics, but yes, your password can be intercepted during transmission. If it is encrypted, it is nearly worthless to the hacker. If it isn't, you have a problem.
In this case, your website would certainly be at risk of being compromised. The only way your computer could be compromised is if you have any services open that use this same password. It isn't hard to scan a computer to find open ports (i.e. services enabled, e.g. stuff in your "Sharing" pane), so if you need to keep some services open make sure they use a different password as long as you are using FTP.
Does this make sense?
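To make the "intercepted during transmission" point concrete from the defender's side, here is an added example (not from the thread or any poster): it inspects the client half of captured FTP, POP3 and IMAP control-channel transcripts and reports which sessions sent a password before the channel was upgraded to TLS, which is how an administrator would find clients still logging in the way besson3c warns against. All transcripts are constructed, and the function names and the "<tls>" placeholder are this example's own.

```python
"""Flag logins sent in the clear in captured FTP/POP3/IMAP client transcripts.

Added example, not from the thread. Given the client side of a control
channel, it reports whether a password crossed the wire before TLS was
negotiated (AUTH TLS, STLS or STARTTLS). The password is never echoed.
"""
import re

# After any of these the channel is TLS; a passive observer sees ciphertext.
TLS_UPGRADE = re.compile(r"^(?:\S+\s+)?(AUTH\s+(TLS|SSL)|STLS|STARTTLS)\b", re.I)
USER_CMD = re.compile(r"^USER\s+(\S+)", re.I)                  # FTP and POP3
PASS_CMD = re.compile(r"^PASS\s+\S+", re.I)                    # FTP and POP3
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.I)   # tag LOGIN u p


def audit_session(client_lines):
    """Return (exposed, username) for one client-to-server transcript."""
    user = None
    for line in client_lines:
        line = line.strip()
        if TLS_UPGRADE.match(line):
            # Assumes the server accepted the upgrade; later lines are opaque.
            return False, user
        m = USER_CMD.match(line)
        if m:
            user = m.group(1)
        elif PASS_CMD.match(line):
            return True, user              # password followed USER in the clear
        else:
            m = IMAP_LOGIN.match(line)
            if m:
                return True, m.group(1)    # IMAP sends both in one command
    return False, user


def audit_capture(sessions):
    """Map {session_name: [client lines]} to {session_name: (exposed, user)}."""
    return {name: audit_session(lines) for name, lines in sessions.items()}


# Constructed sample transcripts, not real traffic. "<tls>" stands for
# bytes that are unreadable once the channel has been upgraded.
SAMPLE_SESSIONS = {
    "ftp-plain": ["USER webmaster", "PASS s3cret", "CWD /htdocs", "QUIT"],
    "ftps-explicit": ["AUTH TLS", "<tls>", "<tls>"],
    "pop3-plain": ["USER alice", "PASS letmein", "STAT", "QUIT"],
    "imap-plain": ["a1 LOGIN bob hunter2", "a2 SELECT INBOX"],
    "imap-starttls": ["a1 STARTTLS", "<tls>"],
}

if __name__ == "__main__":
    for name, (exposed, user) in audit_capture(SAMPLE_SESSIONS).items():
        print(f"{name:14s} {'EXPOSED' if exposed else 'ok':8s} user={user}")
```

The three plaintext sessions are reported as exposed with the account name attached, while the two that negotiated TLS first are not, which is exactly the difference between FTP and its encrypted replacements discussed above.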
Fresh-Faced Recruit
Join Date: Sep 2006
Location: atlanta
what is a good firewall to use?
Moderator
Join Date: Apr 2005
Location: Cambridge, UK
I use Smoothwall (www.smoothwall.org). It's a dedicated firewall OS that runs on a PC. Hasn't given me any trouble in the years that I've been using it.
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Is Smoothwall Linux-based? There are a number of wonderful uses for older PCs, and routers and firewalls top the list as far as I'm concerned.
Glenn -----
OTR/L, MOT, Tx

Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by csu19084
what is a good firewall to use?
ipfw (the OS X Firewall and Brickhouse are ipfw configuration GUI front-ends), iptables (Linux)...
I'd say the ruleset is more important than the firewall software being used though, providing the protection happens at the kernel level, as any firewall can be badly misconfigured.
(Last edited by besson3c; Sep 10, 2006 at 10:12 AM.)
Clinically Insane
Join Date: Mar 2001
Location: yes
What I don't understand about Windows firewalls other than the built-in XP firewall is if they operate at the kernel level, and if not (as I suspect is the case), how they manage to fend off attacks designed to overwhelm the OS?
If the rejection of packets is happening at the TCP/IP level, why not just close off unwanted ports? It would seem to me that you would get the exact same level of protection. I wouldn't pay a cent for a firewall like this.
Moderator
Join Date: Apr 2005
Location: Cambridge, UK
Originally Posted by ghporter
Is Smoothwall Linux-based? There are a number of wonderful uses for older PCs, and routers and firewalls top the list as far as I'm concerned.
Yes. You generally don't have to touch the Linux part as there's a nice web admin page.