Truly Secure Computing: A Knowledge Share

dranfu · 21 Aug 2010

It's impossible to be 100% protected from viruses and hackers right?

Nah, that's nonsense!

Here is my knowledge share on how to stay almost 100% safe on the web.

Encrypt Your Entire OS and/or HDD: TrueCrypt

This is the highest level of offline file protection possible.

Truly Secure Computing: A Knowledge Share-xps_wizard-v6.1a.png

A. Encrypt your entire drive, not just a file or folder.

B. Use the strongest encryption possible.

C. Use Pre-Boot Authentication: You have to enter a password so True Crypt will decrypt your drive/os.

i. Note that Disk Encryption was not designed to protect your drive when your computer is running, as it has to be decrypted before it is loaded into memory. But…

ii. If someone steals your computer or a hacker snags your data, or even if they discover your windows password, they will need your encryption keys to get at your data, or to launch the OS.

iii. If you’ve protected it with very strong encryption, a thief is left with useless gibberish without your encryption keys.

D. Your encryption software should come with a recovery disk. Don't waste any time: Create the disk immediately!

E. Your encryption software should allow you to authenticate from a USB, CD-Rom, or some other removable device (meaning the boot-loader is on a removable device). In this way, if you want, no one can access your computer without the USB or CD or SD card.

Web Sense & Web Defense:

Going beyond "Common Sense" On The Web

A. Use Fake Challenge Responses And Remember The Answers

i. The easiest way to break into someone's email or website account is by knowing someone's challenge answers.

1. If you forget your password on a site, you are usually asked a challenge question, such as “What City Were You Born In?”

a. Please don’t answer that question with the truth; Remember that your X, your worst enemy, and even best friend all know the answer, too. And they might be curious about you.

b. Answer web challenge questions with fake answers. Example: City I was born in? YomaKabujo99. That’s a fake city and who could possibly guess that?

c. Since nearly all web sites ask the same challenge questions, just come up with three good ones to use at every website and you’re good to go.

B. Use The Firefox Web Browser & The No-Script and Ad-Block Plus Add-ons

i. I know, everyone likes their favorite browser and “Chrome is just so fast,” but honestly: The only way to be nearly always protected from web threats is to use Firefox with No-Script and Ad-Block plus.

I'm not claiming Firefox is the best browser, but the Firefox family of browser's are the only ones that work with No-Script, at least to my knowledge. Use Chrome when you want to go to CNN and MTV.com. Use Firefox with NS and ABP when you want to visit less then trust worthy sites.

Some Info On No-Script: this free, open source add-on allows JavaScript, Java , Flash, IFrames, Meta Redirecions, and other plugins and web technologies to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS (Cross Site Scripting) protection available in a browser. NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality.

Truly Secure Computing: A Knowledge Share-noscript.jpg

Some Info On Ad-Block Plus: Annoyed by adverts? Troubled by tracking? Bothered by banners? Install Adblock Plus now to regain control of the internet and change the way that you view the web. You can also choose from over forty filter subscriptions to automatically configure the add-on for purposes ranging from removing online advertising to blocking all known malware domains.

Truly Secure Computing: A Knowledge Share-blog_using_adblock_plus_in_firefox1.png

C. Don’t click on links if you don’t know the site is secure.

i. Don’t click on anything if you don’t really know the site is secure

a. Don’t click on anything you don’t know is secure

Don't Use Your Password. Use Mine?

Strong Passwords Need To Be Long. But They're Easy To Remember

A. Don’t use a password like: BobTheBear9.That’s not strong.

B. Do use a password like: &^$(383JHdiodjhe(*%^()%^34HR%#(-3HFD^693. Don't worry, you'll remember it, please read on.

The best cracking programs in the world will literally take centuries or millennia to crack a password that long and complex. BobTheBear9 will be cracked easily.

Quick Quiz!

Why is it so easy for hackers to crack passwords?

The Answer is: It's Not! It's actually really difficult. But it's easier when:

1. All the password's letters are in lower case

2. You've use a word from the dictionary in your password

3. You have personal details about yourself in the password (your kids names with a 1 or 0, your pets name, birthday)

When you use a long, nonsensical password, it can virtually take forever to crack it. Most hackers will just give up and move on to a more vulnerable target.

But who wants to remember a 28 character password?

C. Try A Password Manager:

A password manager stores all your passwords and associated websites or applications in a password protected, strongly encrypted drive.

A password manager will remember all your passwords for you.

A lot of password managers will fill in your password for you.

Since you no longer have to type in your password, and because it appears masked [●●●●●●●●●●●●●●●●●●●●●●] on the screen where you log in, you've effectively defeated a key logger, which is either logging your keystrokes or taking screen-shots.

Robo Form - One of the best, nearly fully automated. It can even log you into a site just by typing the URL.

KeePass - Not fully automated, but uses better encryption.

Stop Paying For DNS: Google DNS and Open DNS R Free

A. Use a DNS service, such as Google DNS or Open DNS. These services provide

Faster DNS resolution times

A faster web experience through smart DNS caching

They filter lots of malicious traffic for you.

I. Anti Virus: G-Data

Use an AV that has been tested and proven to catch lots of Malware, both known and especially unknown types.

A. Do get independent data about your AV Solution: AV-Comparatives.org is an independent testing body, not owned by AV companies, that regularly conducts scientific tests on the major Anti Virus vendors.

B. Don’t trust the advice of a source with commercial interest: You can trust your favorite magazines advice if you want to, but sometimes commercial interest outweigh what's "good for the people."

AV Updates:

i. Set your Anti Virus to update automatically

ii. Always let it update exactly when it asks to.

C. Passwords protect your Anti Virus: This is an option in almost all of them, and it comes in handy when some Malware is trying to disable or turn off its services.

D. Check your AV settings: A good one should do most of the following:

i. Test the entire content of a file (some Av’s don’t)

ii. Unpack every compressed file and scan its contents after it is uncompressed (some Av’s don’t)

iii. Unpack a packed executable (like a UPX), so that it can decrypt a suspicious file and see what it’s actually doing.

iv. Scan for Alternate Data Streams:

Alternate Data Streams are simply extra containers within a single file. In NTFS file systems, you can literally place one file inside of another. For example, I can place a 700MB ISO image inside of a text file. If the text file is only 5kb large itself, windows will only report that the file is 5kb large, even with the 700MB ISO image hidden within it.

Make sure your AV checks for these (some AV’s require you to enable this feature). Hackers do make use of Alternate Data Streams.

v. Provide a list of all files that couldn’t be analyzed.

It should also provide the reason why. And its always a good idea to at least check out the file if you're not sure what it is.

E. Perform a boot time scan at least once every couple of weeks. If the AV has the ability to scan before the OS is loaded, Malware has a very, very difficult time hiding.

F. Use Alternate Scanners: Every so often, double check and make sure you are not infected by using a different Anti Malware application to scan your system. Hitman, Malwarebytes, and Hijack Hunter are three great apps.

II. Use a Great Firewall: Outpost Firewall

Use A Good Firewall: One that allows you to, IP by IP and port By port, Deny/Allow Traffic

A. Test out firewalls to find out which one performs best

B. Choose a firewall that lets you view ALL incoming and outgoing traffic

At the very least, it should let you view the IP addresses, Ports, Protocols, and Allowed/Blocked status of each network conversation.

The firewall should be able to monitor Loopback traffic as well, with the same detail.

The firewall settings should be protected by a password.

Knowing The Unknown: AKA, Putting In Work

Discovering Unknown Threats: It is possible that, despite all efforts, you might still one day be infected with a piece of Malware or fall victim to a hack. If this happens, review the steps above and see where you might be able to improve your security posture.

A. Monitor Network Traffic: For those who understand protocols, and for those who want to:

1. Close all web browsers and applications that are likely to access the web, whether for updates or whatever.

2. Wait about 5 or ten minutes and then Load your packet capturing tool and start capturing

3. Go to a movie or a friends house, but let it run for at least an hour or two.

4. Come back, stop the capture, and look for anything strange.

Is there a program that is trying to reach out to a server whose TOP Level Domain is .CN or .RU, then you might have a problem

B. Monitor your systems Activity

1. Load Process Explorer or Process Hacker and Monitor the CPU usage and In/Out Reads and Writes to and from your hard disk.

Is Adobe Reader writing hundreds or thousands of kilobytes to your hard disk? Well, why in the world would it do that? Is it creating a new PDF for you to read? In other words, look for anything out of the ordinary.

Image Is Everything: At Least That's What They Told Us

Check out this excellent Thread by WishMaster

Always have a quick easy way to restore your system to a known clean state if ever necessary.

For the hardcore techs, there are many other things to do: Creating SHA or MD5 hashes of all files on your system and log in a text file. Write a script to to iterate through that file and compare changes. The script could be scheduled as a task.

If you code a bit, there is some great code online for password protecting USB's (no hard switch needed), but the code basically writes random data until the drive is filled up, you're prompted for the password and then the random data is deleted. This is done so that a virus cannot infect your drive when the password is active.

Well, if you bothered to read all that, you know how I keep safe on the web. I would love to hear about everyone else’s set up.

Tews · 21 Aug 2010

Nice post, but you could clean up your language ... profanity isn't necessary to get your point across...

dranfu · 21 Aug 2010

So true. V2.

DarkEnergy · 22 Aug 2010

I use full disk encryption with Truecrypt, but it has nothing to do with viruses at all.

I use it because it encrypts/decrypts faster than most HDD/SSDs can read/write so why not? (anything above AES is a waste of time) There's no performance decrease and if someone however unlikely steals my hard drive they have no chance of getting anything from it, I just set Windows to autologin as pre boot authentication makes it pointless and time consuming.

Everyone nowadays has discovered adblock and noscript, if anything they should come built in with Firefox lol it's true that a good AV can protect you from viruses, but not all of them especially day zero, that's why you use Sandboxing.

There's no such thing as a 100% secure system, I thought I was secure using Deep Freeze 99% of my computing time, there's even a virus that can get round that! (But it doesn't matter if you have your AV running still)

But in this day and age most people (above a certain age) aren't complete idiots with computers, if you forget a password to a website and it promts you to enter a secret answer (such as what city were you born in) you should have no worries at all if it's the truth or not unless it's some seriously dodgy website lol

What I don't understand is where all these people are getting viruses from? Obviously you should be careful online, dodgy sites are normally blatantly dodgy, and with torrents etc just read the comments.

You only need a few things to be really secure, if you're only browsing/messing around- use Deep Freeze.
If you're downloading stuff, sandbox the apps.
If for whatever reason either of those 2 fail (which they won't) you should have a good AV to back it up anyway.

If you want to be anonymous, use Tor. lol

Only reason I say this is because that's all you need- AV (Avast), Firewall (Comodo), Sandboxie, Deep Freeze. There's so many people who use 2xAV's AND Antispyware, Antimalware, Anti rootkit, etc etc with a Firewall with a built in AV lol

dranfu · 23 Aug 2010

Hey Dark Energy,

Thanks for sharing your setup. Sandboxie is a really nice application, one I didn't think to post.

Everyone nowadays has discovered adblock and noscript, if anything they should come built in with Firefox

Haha, if only that were true, but no, not everyone has discovered it. Most IT pro's and Super User's know about it, but I can promise you that millions of vulnerable users still don't use them. But I do agree that it should be standard in Firefox

if you forget a password to a website and it promts you to enter a secret answer (such as what city were you born in) you should have no worries at all if it's the truth or not unless it's some seriously dodgy website lol

I think you may have misunderstood might point on this one, bud. What I meant was, when you are setting up your challenge answers, you should use fake answers, so that other people who know, for instnace, the city you were born in, or who know your highschools mascot, are not able to reset the password to your email account. This is known as challenge hacking, and its the number one way that hackers break into people's email.

The truth is, if your challenge answers are factual, it is just too easy for people to get that information. That is what footprinting in hacking is all about. Using fake challenge answers is not something that everyday users employ.

Tor is very nice, too, but it is also subject to malicious use. Sandboxing is great, but what will a sandbox do for a keylogger? Sure, it's running in an isolated environment, but that doesn't mean that the program can't run normally. If the program was programmed to capture key strokes, it can still do that while running in a sandbox

Depp Freeze is an awesome program, I have to agree.

DarkEnergy · 24 Aug 2010

Sorry I must admit I thought you meant don't put the city you were born in in case the website somehow finds that info out and I was thinking "what does it matter?" lol I suppose the Adblock/Noscript with Firefox isn't known by everyone, but since I started using those 2 a lot of people use it now compared to then. They are 2 very basic extensions that Firefox already has built in to some extent, but they are just not customizeable on the fly

dranfu · 24 Aug 2010

hey dark energy,

Sorry I must admit I thought you meant don't put the city you were born in in case the website somehow finds that info out and I was thinking "what does it matter?"

No big deal at all, I probably didn't word it well the first time. Perhaps I should edit that section for clarity :)

They are 2 very basic extensions that Firefox already has built in to some extent, but they are just not customizeable on the fly

Not sure if we are still talking about the same thing, but neither No-Script nor Ad-Block plus are built into Firefox, nor is their functionality really implemented in another way in Firefox. No-Script, of course, does all sorts of blocking, but its not just the blocking of Java Script or Cookies, such as Firefox might do, but it allows fine grained control over a lot, if not all, web technologies. If you check out the options of the add-on, it actually does have quite a few choices. Also, I wouldn't go so far as to call No-Script basic, as a group of leading security researchers recently stated that using Firefox & No script was the only way to guarantee that a user would not be a victim of a drive by download on a malicious site.

Not sure what you mean by

not customizeable on the fly

, but No-Script does allow you to very easily just select sites you want to trust, and those that you would rather not, "On The Fly." It allows you to choose "web objects" to trust and to not. You can also, with just a click, enable individual blocked content, like a Flash file, without having to trust the entire website.

Add-Block Plus, of course, allows you to add subscriptions to filter list, that will block not just advertisements, but also malicious adverts, containing malicious code, or those that redirect to malicious sites. It's pretty invaluable, but it's not at all built into Firefox yet.

Another good one is the MyWot plugin, which will actually stop you and tell you that the site is malicious. Check it out sometime.

DarkEnergy · 24 Aug 2010

I know Noscript and Adblock are different, I meant to an extent as Firefox already has basic options for them, they should build similar things into the program so it's officialy supported and works out the box. I've tried Wot but I found it quite annoying tbh lol I try to keep my addons to a minumim but lots of people recommend Wot- I'm fine with Adblock, Noscript and TorButton :)

dranfu · 24 Aug 2010

they should build similar things into the program so it's officialy supported and works out the box.

I completely agree. I think the reason they don't comes down to 3 things

1) Their developers are already busy with numerous projects

2) They don't own the rights to the technologies

3) They created Firefox with the ability to be modular/pluggable, so that new functionality could be added on an on-demand basis, and added and removed as user's see fit.

But it would be nice :)