Quality of Service

Any sufficiently advanced incompetence is indistinguishable from malice.

Archive for July, 2009

Browsing safely

Posted by qualityofservice on July 29, 2009

A lot of my real-life friends ask me how I go about securing my PC, mistakenly believing that because I’m a network guy, I also know something about security.  I know enough to secure the devices for which I’m typically responsible, but the home-user use-case tends to be so widely different and varied that the answer is always “it depends,” and there are infinite dependent variables.  It’s easy for me to secure my LAN against rogue DHCP servers, but less so to (cheaply, in terms of time and money) secure a family PC from a teenager who opens every attachment in their email, or clicks through every page on 4chan.  So take what follows with a grain of salt.  It’s also written with Windows in mind (in other words, spare me the “use linux!”).

As far as personal, home-use computing goes, I find the talk that goes on about the relative insecurity of my Windows Vista and XP boxes to be little more than histrionics.  If someone wants the pictures from my digital camera, it’s easier just to add themselves to the Ottawa, ON network on Facebook, and they can probably get a look at them that way.  There are lots of easier ways to steal information about a person than breaking into their PC, when we so readily make information about ourselves available publicly.

(And even once they’ve done that, what can happen, exactly?  Steal my banking information?  That’s not exactly “risky.” A phone-call to my bank, and the problem goes away.  At worst, I show up to a branch in person to verify my identity with all manner of official documentation.  Inconvenient, but hardly life-endangering.)

Want to get someone’s phone number?  Look them up on Facebook.  Check out their friends list.  Randomly send messages to people on the list, say that you’re an old friend trying to contact them for a high-school reunion, but they aren’t responding to your notes and you’re not sure if they check Facebook that often.  Use your imagination.

From there, you can start to draw the conclusion that security isn’t just technical;  it’s social.  It’s about who and what you trust.

But since not everyone can root through my trash for banking statements and hydro bills, remote compromise of my machine may be their only convenient option.  The goal isn’t complete and total security; as the saying goes, the only way to completely secure your PC is to turn it off.  The goal is to make accessing your PC as inconvenient as possible.  For many users, sticking their PC behind a broadband router provides a cheap form of firewalling that’s more than enough to protect them from outside threats.  Personally, I just turn on Windows Firewall and connect directly to my cable modem.  Never was one for trying to hide my PC behind a router.

Next up, the absolute minimum required to easily get around the internets is a browser.  I’m primarily a Firefox man; Google Chrome is incredibly fast and lightweight, but seems a bit lacking in the feature department.  I’ll confess to not giving it a true college try.

But here’s what I use:

Firefox: http://www.mozilla.com/en-US/firefox/personal.html

With the following addons:

AdBlock Plus: http://adblockplus.org/en/

NoScript:  http://noscript.net/getit

Install the add-ons, configure ABP to subscribe to the easylist filter, and that’s it.  NoScript is a bit annoying to work with at first, but you’ll soon get a feel for it.  Under Firefox’s menu, go Tools -> Options -> Advanced -> Update, and make sure everything is checked off to automatically check for and install updates to the browser and add-ons.

After that, configure Windows Update to check for updates frequently, and to download and install frequently.

I don’t run real-time signature-based AV (e.g. Norton Anti-Virus) at all.  Vista takes up 800MB of RAM on its own; I don’t need a few million signatures adding another 250MB.  Every month, Microsoft releases an updated Malicious Software Removal Tool (MSRT website: http://www.microsoft.com/security/malwareremove/default.aspx) which runs in the background and is very quiet (as in, you don’t even know it’s running unless it finds something).  You can force it to run manually so that you can actually watch what it’s doing by going Start -> Run -> mrt.exe.

As a backup to the MSRT, I’ll occasionally run MalwareBytes’ Anti-Malware tool: http://www.malwarebytes.org/mbam.php

I run Threatfire (http://www.threatfire.com/) on its most sensitive settings.  It’s another one of those things that appears obnoxious at first, but you get used to it.

For generic cleanup, I run ccleaner (http://www.ccleaner.com/).  I check off just about everything possible, with the exception of “Wipe Free Space,” because that takes FOREVER.  I clear out all histories and saved-form information.  If you’re the kind of person who checks off “Have browser remember passwords,” you may find using this annoying.  But that’s the kind of person who makes themselves most vulnerable when sharing their PC/laptop with someone else.  If you’re incredibly serious about wanting to secure your information, clear out that crap and start getting better at memorizing complicated passwords.  You can configure the program to add itself to your Recycle Bin, so you can just right-click the bin and open it up.  Close all your browsers (so it can access and delete browser caches) and run it every few days.  Clean out everything, and do the “Clean Registry” step, too.

As a bonus, the program also includes a feature to uninstall programs and disable programs that start on bootup.  Check to see if there are programs listed that you don’t recognize, or those which you know don’t need to actually start on boot.  Disable them until needed.
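The same startup review can be done without a third-party tool. The following is an added example, not part of the original post: a read-only PowerShell listing of logon-start programs with the Authenticode signature status of each executable, so unrecognized or unsigned entries stand out. It assumes a Windows version with PowerShell 3.0 or later; the function names `Get-ExecutablePath` and `Get-StartupAudit` are hypothetical.

```powershell
# Added example: list programs configured to start at logon, with signature status.
# Read-only: nothing is disabled or deleted.

function Get-ExecutablePath {
    param([string]$Command)
    # Expand %VARS% and pull the executable path out of a startup command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted form: "C:\path with spaces\app.exe" /args
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: take everything up to the first script/executable extension.
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|vbs|js))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-StartupAudit {
    # Win32_StartupCommand reports the Run registry keys and the Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $path   = Get-ExecutablePath $_.Command
        $status = 'Unresolved'   # path could not be mapped to a file on disk
        $signer = ''
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()   # e.g. Valid, NotSigned, HashMismatch
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $_.Name
            Location  = $_.Location
            User      = $_.User
            Path      = $path
            Signature = $status
            Signer    = $signer
        }
    }
}

# Entries that are not validly signed sort to the top of the review list.
Get-StartupAudit |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Name |
    Format-Table -AutoSize -Wrap
```

An entry that is unsigned or unresolved is not necessarily malicious; it is simply the first place to look when deciding what to disable.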

Complicated passwords are another obvious thing;  the more valuable the information, the harder it should be to access.  If you protect it with a username and password of admin/admin, it obviously isn’t that valuable to you.

If you need to fill out a registration form or something, make up a gmail account that you’ll never actually use (I sign up to things using qos.recyclebin@gmail.com, for example, and if you need a gmail invite, let me know), and fill in all the registration forms with fake information unless absolutely necessary.

That way, you hide as many things as you can from being harvested, and you have a convenient place to find your account info when you use it to sign up for something.  If you’re trying to get vendor whitepapers from a place like http://techrepublic.com.com/, for example, do they REALLY need your work email and phone number?  Hell no.  Make some up.  The only reason you need a “real” fake email address that you never check is so that you can check it occasionally in the event that they require you to verify your email address.  You can publish this email address ANYWHERE and never worry because you know for a fact that there’s nothing useful in it anyway.

If you approach every form on the internet with the attitude that it might some day be used against you, you protect yourself against all manner of information harvesting.

Last and most importantly, I don’t install anything I don’t need, and I don’t open weird shit that I’m not expecting.

The more you add to anything, the more you have to protect/trust.  The larger your friends list, the higher the probability of someone telling someone else something you don’t want them to know.  Do you really need 4-5 different cellphone-related applications on your PC?  No, get them off there.  Limit your exposure to applications to only those which you can easily update, and update often.

And don’t bother giving someone’s chain-letter email due courtesy.  It doesn’t deserve it.  Especially if there’s some sort of weird attachment or link.  Most web-based email clients can disable the display of images or running of scripts, and have good anti-spam and malware practices established.   Don’t turn on the display of images or run weird attachments.  Chances are, you didn’t request it, ergo you’re unlikely to need it.

As mentioned at the beginning, I am hardly a security professional, and am quite amenable to comments and adjustments.  Happy internetting!

Posted in Miscellany, Security

Posted by qualityofservice on July 2, 2009

Light posting in the last little while due to a death in the family.

Will resume over the coming days with more than one could ever care to learn about QoS architecture of the Catalyst 2960/2970/3560/3750 series switches!

Posted in Miscellany