zs3.me

Computer Security Tips

Revision 57
© 2011-2021 by Zack Smith. All rights reserved.

Caveat: This list is not a comprehensive list of measures to take to ensure the security of your computers and networks. Some would argue that perfect computer security can't be achieved. Use this list at your own risk.

Operating system

  1. Reinstall your operating system periodically.
    • If your OS is compromised or infected with malware, you likely won't see any overt signs. Years could pass without your noticing anything. Therefore reinstall the OS periodically.
    • If your hardware makes reinstalling the OS cumbersome e.g. you run Linux on a Linux-unfriendly device, then get new hardware.
  2. Completely turn off your computer when not in use.
    • This could mitigate problems if there's malware on your computer or if someone has gained remote access.
    • Some kinds of malware are only present in RAM and would be wiped when you reboot or turn it off.
  3. Don't just download and try out any random program for fun.
    • A large percentage of malware infections arise from users downloading and running software.
      1. Don't install random apps.
      2. Don't install random plugins and extensions, which can access and upload your private data.
  4. Beware people who rush you into installing software.
    • They are either ignorant of the risks or may have bad intentions.

Isolation of risks

  1. When you install your operating system, create multiple accounts to isolate different activities from each other, as this could limit damage when you do get infected.
    1. An administrator account for installing software.
    2. Your main personal account for benign non-Web activities e.g. word processing, photo editing.
    3. An account for web browsing using your primary browser e.g. Firefox.
    4. An account in which to run unsafe software, e.g. a video conference app.
    5. An account for running any Google-supplied software e.g. Chrome, Android Studio.
    6. An account for opening possibly unsafe files in.
  2. If your computer is fast enough, run unsafe programs and open unsafe files in virtual machines (VMs) that are created anew each time you start them, e.g. by starting from a clean snapshot every time (QEMU's -snapshot option discards all disk writes when the VM exits). This technique is used in university computer labs to great effect.
    • In the same way that the CDC only works on dangerous viruses in a BSL-4 biology lab, you should assume the worst and isolate risky stuff to a confined environment. That is a VM.
  3. If your hardware is compatible, consider using Qubes OS which handles risk isolation for you by using the Xen hypervisor.
  4. Consider isolating all risky Web activity onto a burner device such as a tablet that is used only for that, and wipe it after each use (e.g. Android's factory reset or iOS's Erase All Content and Settings).
    • Don't connect the burner devices to your main computer and don't enable any cloud feature.
    • Wiping the device will remove any lingering infectious remnants of malware.
  5. If you are using Linux, it is convenient to run each account in its own desktop workspace. You must first allow that account's windows to appear on your display; xhost + does this, but it disables access control for every user and host, so grant only the one local account instead: xhost +SI:localuser:ACCOUNT. Then su - ACCOUNT in a terminal and start the program from there.
    • Note that every program sharing one X11 display can read the keystrokes typed into every other, so this gives weaker isolation than a separate VM.

Networks

  1. Change the administration password for your Wifi router to something other than the well-known default.
    • If you don't, anyone who gets onto your Wifi can log in and weaken it: open ports, change the DNS servers, or add their own devices.
    • Hackers generally know the default passwords to devices as they are published online.
  2. Enable your computer's firewall and put it in strict mode.
    • Always have a firewall on to block attackers who are on your network. Any compromised device can become an attacker, and some Internet of Things (IoT) devices have shipped with malware out of the box.
    • In a public setting like at a coffeehouse, many other people can potentially try to attack your computer e.g.
      • Other customers
      • People in nearby buildings who are mooching Wifi
      • Compromised devices e.g. IOT devices
      • Security companies who are supposed to be protecting the business
      • The business owners themselves.
  3. Turn off your cell phone's and computer's Wifi when they are not needed.
    • This will block attacks upon your phone or computer if a malicious device is on the Wifi network.
    • This will block attacks by your phone or computer if either is infected.
    • This will prevent spying by your phone or computer e.g. recording of conversations.
    • Some devices like the PinePhone offer a physical kill switch. That is preferable.
  4. Completely turn off your cable modem and Wifi router when not in use e.g. overnight, when you are on vacation etc.
    • Attacks on cable modems and Wifi routers are common.
    • If you turn off Wifi on the device but leave the router powered up, malware can sometimes turn on the Wifi again, and exfiltrate (steal) your data.
  5. Put your phone in airplane mode when you are unlikely to use it.
    • This prevents it from broadcasting your location which doesn't help you and may seriously harm you.
    • You can be accused of a crime for merely passing by a location where one occurred, even if you were travelling at 60 miles per hour. Sounds insane, but such cases have been documented and Big Tech is happy to throw you under the bus, because they profit from it.
  6. Make sure your Wifi router and cable modem have remote administration turned off, even if your ISP asked you to keep it on.
    • Some ISPs want the right to update your router's or modem's firmware remotely.
    • Attackers are aware of this and can potentially take over the device through the same remote-administration path.
  7. Turn off your Wifi router's wireless administration feature, so that a wired Ethernet connection is required to change its settings.
    • This is the best situation: it requires physical access to the router to change its settings.
    • This requires that your computer has an Ethernet port; if it doesn't, USB Ethernet adapters are inexpensive.
  8. Keep your Wifi router in a locked room so that a visitor to your home can't lift it up to see any password that might be written or printed on the bottom of it.
    • Don't write your password on your router.
  9. Disable the Wifi router's universal plug-and-play (UPnP) feature.
    • Gamers may want this turned on, but it lets any program on your network open ports on the router without asking you.
  10. Don't use public Wifi. Tether to your mobile phone instead. This avoids many problems, such as spying on and recording of your benign activity by people with bad intentions, including dirty cops, corrupt security company workers, and ISPs snooping for profit.
    • Never sign up for a mobile plan that doesn't allow tethering.
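As an added example (not from the original page), here is what "strict mode" from item 2 above looks like on a Linux machine using nftables: every unsolicited incoming connection is dropped, loopback and replies to connections the machine itself opened are allowed, and nothing else. It assumes nftables is installed; load it with sudo nft -f strict.nft and, on Debian, keep it in /etc/nftables.conf with the nftables service enabled so it survives a reboot.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page: a default-deny host firewall.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                              # local programs talking to each other
        ct state established,related accept         # replies to connections we opened
        ct state invalid drop
        # ICMP needed for path MTU discovery; ICMPv6 neighbour discovery needed for IPv6 to work at all
        icmp type { echo-reply, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Most Linux DHCP clients receive leases on a raw socket that bypasses these rules;
        # if yours does not, add:  udp sport 67 udp dport 68 accept
        # Deliberately no other inbound rule: SSH, file sharing etc. must be added explicitly.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # this machine is not a router
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

On Windows the equivalent is Windows Defender Firewall's "Block all incoming connections" setting for each network profile; on macOS it is the "Block all incoming connections" option in the system firewall settings. Whatever the platform, add an inbound allow rule only for a service you are deliberately running, and only for the network you run it on.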

Storage

  1. Turn on full-disk encryption.
    • This protects the data at rest: if the drive is removed (e.g. stolen) it can't be read without the passphrase. It does not protect you while the computer is running and unlocked, which is another reason to turn it off when not in use.
      1. On Linux, drive encryption is called LUKS (use the cryptsetup command).
      2. On Windows, it's called BitLocker.
      3. On the Mac, it's called FileVault.
  2. Encrypt your external drives such as flash thumbdrives and portable hard drives, and keep them under lock and key if possible.
    • Always work to thwart data larceny e.g. by roommates, landlords, workmen, and other thieves.
  3. Never store your encryption keys in the cloud.
    • The cloud is not secure and never will be.
    • The cloud's owner may be required to turn them over to corrupt officials.
  4. If your OS offers to encrypt your hard drive when you install it (as Debian does), consider using that.
    • However be aware of how the unlock key is protected. If the OS stores the key so that the disk unlocks automatically at boot (e.g. a key sealed to the machine's TPM with no PIN), the protection depends on your hardware rather than on a secret only you know.
    • It is therefore better to require a memorized passphrase to be typed at boot.

Computer repair

  1. Before taking your computer or phone in for repair, back up and remove all personal data from it.
  2. Overwrite the empty space on your drive with zeros to prevent undeletion of your deleted files.
    • Just because your tax files and credit reports are deleted and your Trash is emptied, that doesn't mean they can't be undeleted.
    • On Linux, the commands are: dd if=/dev/zero of=filler bs=1M status=progress; sync; rm filler
    • On Mac, the commands are: dd if=/dev/zero of=filler bs=1m; sync; rm filler
    • dd stops with a "No space left on device" error once the disk is full; that is expected. Deleting the filler afterwards is essential, or the disk stays full.
    • On SSDs this is not reliable: wear levelling means the old blocks may never be overwritten. Enabling full-disk encryption before the data was ever written is the dependable protection.
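As an added example (not from the original page), a small shell function that does the overwrite safely: it writes the filler, flushes it to disk, and removes it again, and it accepts an optional size cap so it can be tried on a small scale first. The function and its name are my own, not a standard tool.

```shell
#!/bin/sh
# Added example (not from the original page): overwrite the free space of the
# filesystem that holds DIR with zeros, flush to disk, then delete the filler.
# Usage: wipe_free_space DIR [MAX_MIB]
#   Without MAX_MIB it fills the whole filesystem, which is the real use.
#   MAX_MIB caps the write (in MiB) so the function can be tried out safely.
# Caveat: on SSDs wear levelling means the old blocks may never be reached;
# full-disk encryption from the start is the dependable protection.
wipe_free_space() {
    dir=$1
    max_mib=$2
    [ -d "$dir" ] || return 1
    filler="$dir/.filler.$$"
    # bs=1048576 (1 MiB) is spelled out because GNU dd wants 1M and BSD/macOS dd wants 1m
    if [ -n "$max_mib" ]; then
        dd if=/dev/zero of="$filler" bs=1048576 count="$max_mib" 2>/dev/null || true
    else
        # dd ends with "No space left on device" once the disk is full; that is expected
        dd if=/dev/zero of="$filler" bs=1048576 2>/dev/null || true
    fi
    sync                # push the zeros from the page cache onto the disk
    rm -f "$filler"     # give the space back; forgetting this leaves the disk full
    [ ! -e "$filler" ]  # succeed only if the filler really is gone
}

# Uncomment to overwrite the free space on the filesystem holding your home directory:
# wipe_free_space "$HOME"
```

Run it from the account that owns the files you deleted, on the same filesystem (a separate /home partition is a separate filesystem), and then take the usual backup before handing the machine over.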

Web Browser

  1. Resist the urge to install browser plug-ins and extensions except perhaps a well-known ad blocker, as an extension can read and change everything you see and type in the browser, including your browsing history.
  2. Turn off any provided browser plugins that you don't need e.g. QuickTime, Cisco's codecs, and anything from Adobe. (Current Firefox and Chrome no longer load such NPAPI plugins at all, but check the add-ons manager anyway.)
    • Don't assume a plugin or extension isn't spyware.
    • Every extra piece of rarely used software that is on your system expands the attack surface i.e. it offers hackers another means into your system.
  3. If you will be using Firefox, consider uBlock Origin or AdBlock Plus.
    • Most plugins are to be avoided (for now), however these are well-regarded ad blockers. One is enough; running two gains nothing.
  4. For truly sketchy websites, use a text-based browser which does not support Javascript, like Lynx or Links.
    • On Debian: sudo apt install lynx links
    • There are still many websites that do not require Javascript to work.
  5. In your browsers, disable website-provided fonts (in Firefox: about:config, set gfx.downloadable_fonts.enabled to false).
    • There have been exploits that used vulnerabilities in font file parsers, so fonts are another potential vector for malware.
    • Loading each website's custom fonts also takes time and bandwidth.
  6. In Firefox's about:config screen, disable WebAssembly by setting javascript.options.wasm to false.
    • It has been used for cryptojacking, which is the misuse of a browser to perform cryptocurrency mining, typically of Monero. The extra CPU load makes the computer run hot and drains a laptop battery.
    • Expect some legitimate sites (in-browser video or image codecs, games) to stop working without it.

Bloat

  1. Remove applications that you will not use: games, office apps, Java, etc.
    • Every piece of software on your system expands the attack surface that hackers can leverage to exploit your computer or phone.
    • Many examples exist of little-used and long-forgotten features that have been used to take over computers.

Cloud services

  1. Avoid free online email except for one-off needs like signing up for an online forum.
    • There is no free lunch.
    • They profit by spying on you and selling your data.
  2. Cloud companies have too many potential points of failure.
    • On numerous occasions reckless and lazy employees have accidentally left customer data available on servers accessible to criminals and nefarious government agencies.
    • Disgruntled employees may purposely do the same.
    • Corrupt employees may sell your data for money e.g. as call-center workers have been found to do.
    • The company may be obligated by corrupt governments to provide your cloud data.

Files

  1. Keep all critical personal data off of your computer and physically locked up.
    • Isolate sensitive activities (e.g. online banking) and data (e.g. tax files) away from your computer in case it gets compromised.
  2. Try to avoid downloading known-risky files (PDFs, MS Excel files etc.) and if you must, run a virus scanner on them first and open them only in the throwaway account or VM described above.
    • These are vectors of infection because the software that interprets these files' contents can have vulnerabilities.
    • Some common document files can actually contain software e.g. PDFs can contain Javascript.
  3. Sterilize PDFs by converting them to PostScript and then back to PDF.
    • This simple procedure removes embedded Javascript, forms and other active content, leaving only the drawable pages. On Linux (poppler-utils and ghostscript installed): pdftops risky.pdf tmp.ps && ps2pdf tmp.ps clean.pdf
    • Do this in the throwaway account or VM: pdftops and Ghostscript are themselves large parsers with a history of vulnerabilities, so the conversion step is where a malicious file would trigger.
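As an added example (not from the original page), the following shell functions screen a PDF for the active-content keys described above and carry out the pdftops / ps2pdf round trip. The make_sample_pdf helper writes a constructed, minimal PDF so the check can be tried without a real document; pdftops and ps2pdf are assumed to come from poppler-utils and ghostscript. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): screen a PDF for embedded
# JavaScript and auto-run actions before opening it, and sterilize it by
# the PostScript round trip.

# pdf_has_active_content FILE
#   exit 0 if FILE contains /JS, /JavaScript, /OpenAction or /AA dictionary
#   keys in plain text, 1 otherwise.  grep -a treats the binary file as text.
# Caveat: keys hidden in compressed object streams (PDF 1.5 and later) are not
# visible this way, so a "clean" answer is only a first screen; the sterilize
# step below is what actually removes active content.
pdf_has_active_content() {
    grep -aqE '/(JS|JavaScript|OpenAction|AA)([^A-Za-z0-9]|$)' "$1"
}

# sterilize_pdf IN OUT
#   PDF -> PostScript -> PDF with pdftops (poppler-utils) and ps2pdf (ghostscript).
#   Run it in the throwaway account or VM: the converters are themselves large parsers.
sterilize_pdf() {
    command -v pdftops >/dev/null && command -v ps2pdf >/dev/null || {
        echo "install poppler-utils and ghostscript first" >&2; return 2; }
    tmp=$(mktemp) || return 1
    pdftops "$1" "$tmp" && ps2pdf "$tmp" "$2"
    status=$?
    rm -f "$tmp"
    return $status
}

# make_sample_pdf FILE with-js|plain
#   Writes a constructed, minimal PDF (no real pages) so the check can be tried offline.
make_sample_pdf() {
    if [ "$2" = with-js ]; then
        action='/OpenAction 3 0 R'
        obj3='3 0 obj << /S /JavaScript /JS (app.alert\(1\)) >> endobj'
    else
        action=''
        obj3=''
    fi
    printf '%%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R %s >> endobj\n2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%s\ntrailer << /Root 1 0 R >>\n%%%%EOF\n' "$action" "$obj3" > "$1"
}

# Typical use on a downloaded file:
#   if pdf_has_active_content risky.pdf; then echo "has active content"; fi
#   sterilize_pdf risky.pdf clean.pdf
```

The screen is deliberately conservative: /OpenAction and /AA (additional actions) are flagged as well as the JavaScript keys, because they are what makes a script run without a click. Recent poppler versions can also list a file's scripts with pdfinfo -js, which sees inside compressed streams.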

Email

  1. When sending a private email, consider encrypting it e.g. with PGP or GPG. The recipient will have to have compatible encryption software and have given you their public key.
    • Emails are like postcards: they are readable by anyone who relays the message to its destination. Encrypting an email greatly increases the cost to someone who wants to read it in transit or on the mail servers. Note that PGP encrypts only the body and attachments; the subject line and the sender and recipient addresses stay readable.
  2. In your email app, disable the feature to automatically load remote images.
    • This prevents tracking because the server that provides those remote images will record your IP address.
    • Image and video files have also carried malware, via bugs in the decoders that render them.
