Wednesday 3 January 2018

Getting started with safe internet use

This is written for members of my family who are starting out with PCs on the internet (no comments here about Apple).

Install Webroot WSA - it uses less of your computer power running in the background than other AV tools. Remember to run scans regularly - don't just rely on it working in the background.

Putting your data on a separate 'partition' of the disk to Windows etc. is a good idea and may enable you to recover your data e.g. when Windows dies. If you are new to computers, it is best to get help, even though it is straightforward. This guide seems clear (like much from Tom's Hardware). Make sure your application data (such as email) is on the new partition.

Install CCleaner - this is useful for removing crud from your computer - do regular cleaning, including cookies. It is also good for uninstalling programs, and for choosing which programs you want to run when the computer starts up. CCleaner is also available as a Portableapp (see below).
If you don't want to use CCleaner for some reason, you can set up Windows to remove crud.

This guide is a good introduction to staying safe on the internet.  Read it and then come back here.

Internet security is now so complex, that working out your personal threat profile is probably impossible. Treat security like dieting or exercise. Do the important things first and then keep working at it at a manageable pace.
Now go and read it properly, then come back.

The Robert Graham Project says "I think the most important security precaution is to lie to computers compulsively".  This includes made-up user names, multiple email addresses, fake answers to security questions, and multiple mobile phone numbers. If you think the other side is playing fair, read this (technical, I know).

Security questions are broken - more than you would think. Fake answers (that you record safely!) are becoming essential. The first school Robert Graham went to was &*O)IYHPU&G!!!.
Generating a fake identity can be helped with this.

It is worth remembering that Ross Anderson, Professor of Computer Security at Cambridge, does not use online banking because the risks are all with the customer.

Update: you might want to take the Data De-tox to remove any unwelcome public data about yourself.

1.  Re-using passwords.
Checking for data breaches is very sound advice, and not often given. Do this first and regularly.
Data breach is the main threat for most of us. This is why re-using passwords is such a bad thing.
Google, Facebook, and PayPal seem to take our security seriously. If you can use them as a login, that might reduce the risk. Minimising the number of people with your credit card details is prudent.

Don't let your browser store your passwords and fill in forms - that seems to be broken. See also here. If you have a password manager, it might be as well to disable auto-fill for forms (if it will let you).

My limited experience of a password manager (Dashlane) is mixed.  A book, and a password generator set to give you a readable password (passphrase) might be better to start with. NCSC advice is to use passphrases, 4 random dictionary words or CVC-CVC-CVC style passwords, picked for memorability. Advice from Angela Sasse: "A longer password is preferable overall, but that has its own problems,...More than 50% of passwords are now entered on touchscreen devices, and longer passphrases create a significant burden on touchscreen users.
...Passwords are rarely cracked by brute force. They are mostly captured through phishing and malware, and with those attacks it does not matter how long or complex your password is
."

Unfortunately, password strength meters (things that tell you if your password is weak or strong) are not good indicators of real strength.

Perhaps a Password Manager for all the unimportant sites, and something personal for the vital ones. Using Charles Dickens might (or might not)be helpful. 1Password now checks whether a password has been breached, which is definitely useful. The fact that this is new and novel shows what a way the security industry has to go as regards usability (or utility).

This advice from NCSC is not bad on password re-use.

Mark Burnett‏: "Always remember the three main authentication factors: what can be easily guessed, what can be left in a cab, and what can be chopped off."

Two Factor Authentication (2FA). Yubikey has not got the idea of usability (yet).  This guide  to it was recommended by Zeynep Tufekci. A good idea if you can get the hang of it (not on day one perhaps). Biometrics (including faceID and fingerprintID) look like being more trouble than they are worth, but if long passcodes for a fully-used smartphone are too hard, then they are probably better than nothing. Barton Gellman points out you can make this less painful with an all-numeric PIN: 11 digits or more provide strong security. Big advantage: you get the big-button number pad on the unlock screen. It has to be a truly random number. Your idea of “random” isn’t. [I am not an expert, but I suspect the randomness required and number of digits is a function of how much you are under threat from major adversaries.]

2. Locking phone
How much do you need to use your phone? Maybe it doesn't need to be a repository for your life. Android phones are not a good place to keep secure matters, whereas iPhones can be ok. Maybe you use a cheap feature phone for some / all of the time? Cheap alternative phone numbers sound a worthwhile investment.

SIM hijacking is a real and frightening thing.  My mobile provider (Three) has security questions that you can set up for when they answer the phone. Well worth doing.

4. Adblockers and browsers
Perhaps use Chrome with a particular Google ID for transactions that matter and a different browser for other matters. Your computer may not support two browsers open at once, because they are so resource-hungry. As regards Adblockers, I use Ghostery, happily. Opera has one built in. Chrome is going to get one fairly soon (from Google). Adblockers are worth it. Read Section C from DecentSecurity here.

5. Backups
Using the cloud helps but remember the cloud is short for 'someone else's computer'.  I haven't used Framasoft but it is an alternative to Silicon Valley. Sort out a device to do backups for any data that matter to you. ("you only need to clean the teeth you want to keep" - same thing with data and backups). Freefile sync will give you more capability than you need, is not too hard to learn, and is blisteringly fast. Also available as a Porteableapp. For important items such as photographs, it is worth investing in 'archival Blu-Ray' - an external Blu-Ray read/write drive is not that dear.

6. email accounts
Go and read the advice again.
Email client: You can use webmail for basic purposes just fine, but an email client means you have the emails on your machine (and can back them up). Chaos Intellect is a great client for PCs etc., it can run on a memory stick, and has a great approach to use on phones, It isn't free, but is well worth it - not least for the quality of support. If you are restricted to free, then the Opera email client might be a good choice. If you are into Chat, it can handle that as well.
You will need several email accounts. A Gmail account makes sense, as everyone has one. If your ISP offers email accounts, that is another. Then maybe Yahoo, or Zoho.  If you start to use Zoho seriously, you will need to pay a subscription, but you could do much worse.
@pogue25 recommends using disposable email addresses when you have to give an email address to a site that is bound to spam you.  This generates them.

Update: Ransomware
If you do get stung and locked out of your computer by Ransomware, then it is possible that the keys can be found here.

Applications
MS Office really likes to run macros - the major risk from dodgy email attachments. Unless you really really need it, don't install it. Use LibreOffice instead.
If you are going to be using other people's computers (or the ones at the library) to help you learn, then it may be a good idea to put applications on a memory stick. PortableApps is a bit more complicated to use than having applications installed on the computer - but only a bit - It reduces the demands on the computer and allows you to take just a stick with you. You can also install the Opera browser on a memory stick (or on your computer). It is pretty good, and then it would mean that your bookmarks travel with you easily. PortableApps include the Opera browser and email client but since these are the main applications, it might be worth installing them on the USB stick directly.

Photos on social media
The pace of facial recognition on social media is alarming. The Spartacus Hack may well be worth doing. Just put up some misleading pics and labels.

Further reading
There is good advice here and here. The do's and don't's here are for folk at higher risk than many (including break-ups and stalking), but the more you follow it, the safer you'll be. Advanced material here.