Monday, 24 August 2015

A basic guide to security. [*updated*]

Computer security is not as complicated as it seems. Today I'll write down some tips for both computer and internet security.
I'll start with the simple tips that some of you already know.

One basic way to protect your computer when you're not alone is to lock the screen. Whatever OS you have (Windows, Linux, BSD), your desktop environment or window manager already has an option to lock the screen. You'd be surprised how much private data and how many passwords have leaked because of an unlocked screen. Yes, passwords too: all web browsers have an option to reveal saved passwords, doh!

Set a strong password for your user account. You can go as far as setting a BIOS password; of course it can be reset easily by removing the motherboard's battery in case you forget it.



Install an antivirus if you use Windows; Panda, Avast and AVG are good enough choices. Of course it never hurts to install Malwarebytes Anti-Malware alongside them, which I highly recommend.
Another helpful program is Sandboxie, which is free for private use. It also creates a shortcut called 'Sandboxed Web Browser'... Don't forget that your web browser is on the front line of attacks, so you must secure it. As for the firewall, you should know that Windows has a built-in firewall with fair enough default settings.
PS: After you run a program sandboxed (an mp3 player or a web browser, it doesn't matter), do not forget to clean Sandboxie's data.

To secure your web browser, let's say you use Firefox: download some add-ons. Adblock Plus (enable malware blocking and tracking protection) is a must, as well as NoScript; if you don't trust the web page you're about to visit, simply don't allow JavaScript from the NoScript bar at the bottom of your browser window.

If you're using Linux you don't need an antivirus, but you do need a firewall set up; I wrote a guide for that a few months back (Link here). The browser add-ons are the same on Linux as well: NoScript, Adblock Plus, disconnect.me etc.

Do NOT install programs and do NOT execute scripts when you don't know what they do. It doesn't matter what OS you have, just don't install whatever you find online. Both Windows and Linux have a place where you can get applications: the AppStore for Windows and the package sources for Linux (you can use Synaptic too, a graphical front-end for the package manager that is quite user friendly).

If you're using Linux you may have an SSH server. That's a little bit off topic, but you should disable root login by simply going to /etc/ssh/ssh_config and setting 'PermitRootLogin' to 'no'. End of off-topic :)
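Here is an added example (my own, not from the original post) that makes the root-login change and then reads back what is actually in the file, so you can check the edit took. The path is a parameter, so you can rehearse it on a copy; on a real server the daemon reads /etc/ssh/sshd_config (the /etc/ssh/ssh_config file is the client's configuration and does not affect incoming logins). The sample configuration lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: set and verify PermitRootLogin
# in an sshd configuration file whose path is passed in as a parameter.
set -eu

# set_permit_root_login FILE VALUE
# Rewrites every PermitRootLogin directive in FILE (commented out or not)
# to "PermitRootLogin VALUE", or appends one if the file has none. Rewriting
# all of them matters because sshd honours the first occurrence it sees.
set_permit_root_login() {
    file=$1
    value=$2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$file"; then
        # sed -i is not POSIX, so go through a temporary file.
        sed -E "s/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin $value/" \
            "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf 'PermitRootLogin %s\n' "$value" >> "$file"
    fi
}

# get_permit_root_login FILE
# Prints the value of the first active (uncommented) PermitRootLogin
# directive, which is the one sshd uses; prints nothing if there is none.
get_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Demo on a constructed file that mimics a stock Debian sshd_config fragment.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' > "$tmp"
    set_permit_root_login "$tmp" no
    get_permit_root_login "$tmp"      # prints: no
    rm -f "$tmp"
}
demo
```

After editing the real file, `sshd -t` validates the syntax and `sshd -T | grep -i permitrootlogin` prints the value the daemon will actually use; restart the SSH service afterwards so the running daemon picks it up.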

< *Update*
Some services and applications do more than they should, which gives attackers a chance to damage your system or see your private data. That happens on all operating systems, and it will continue to happen unless programmers go into extreme detail about what their programs/services may and may not do; but extreme detail requires an extreme amount of time and sometimes gets extremely difficult. So you'll need AppArmor or SELinux. I chose AppArmor because it's more flexible and you won't end up rewriting your security setup. You can get it with 'sudo apt-get install apparmor' along with its suggested packages (apparmor-utils, apparmor-profiles, apparmor-profiles-extra).

Some notes before we start: there are two profile modes. Complain mode writes to a log file when an application does something it's not supposed to do, and enforce mode stops the application from doing an action it should not do. Now let's move on... To enable it, edit your GRUB configuration with 'sudo [your_text_editor]' so that it contains GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 security=apparmor", then run update-grub and reboot. Now that you have rebooted your machine, here are some basic commands:

sudo aa-status (to see the current status of AppArmor: the currently active profiles, categorized by mode)
sudo aa-complain a.profile, e.g. aa-complain bin.ping
sudo aa-complain /etc/apparmor.d/* (sets all profiles to complain mode)
sudo aa-enforce a.profile, e.g. aa-enforce bin.ping
sudo aa-enforce /etc/apparmor.d/* (sets all profiles to enforce mode)
sudo aa-genprof [application], e.g. aa-genprof xchat (it figures out what that application is and what profile it should build; it's an interactive setup with good explanations, and you can always place the profile in complain mode first in order to test it)
ls /etc/apparmor.d (to list all the available profiles)
and finally, logs are usually located in /var/log/apparmor
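As an added example (mine, not from the original post) of the "enable it in GRUB" step: a POSIX shell script that adds the two boot parameters to GRUB_CMDLINE_LINUX_DEFAULT only when they are missing, so running it twice does no harm, plus a check you can run against /proc/cmdline after the reboot to confirm the kernel really booted with them. The file path is a parameter and the demo writes to a temporary file; the script assumes the variable uses double quotes, as in the stock /etc/default/grub.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently add kernel
# parameters to GRUB_CMDLINE_LINUX_DEFAULT and verify a booted command line.
set -eu

# get_cmdline_default FILE
# Prints the current double-quoted value of GRUB_CMDLINE_LINUX_DEFAULT.
get_cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | head -n 1
}

# add_kernel_params FILE PARAM...
# Appends each PARAM to the quoted value unless it is already present as a
# whole word; creates the variable if FILE does not define it.
add_kernel_params() {
    file=$1; shift
    for param in "$@"; do
        if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
            current=$(get_cmdline_default "$file")
            case " $current " in
                *" $param "*) continue ;;          # already there, skip
            esac
            new="$current $param"
            new=${new# }                           # no leading space if value was empty
            # Escape the characters that are special on sed's replacement side.
            esc=$(printf '%s' "$new" | sed 's/[&/\]/\\&/g')
            sed "s/^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"$/GRUB_CMDLINE_LINUX_DEFAULT=\"$esc\"/" \
                "$file" > "$file.tmp"
            mv "$file.tmp" "$file"
        else
            printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
        fi
    done
}

# cmdline_has_apparmor CMDLINE
# Succeeds only when both apparmor=1 and security=apparmor appear as whole
# words in CMDLINE (normally the contents of /proc/cmdline after rebooting).
cmdline_has_apparmor() {
    case " $1 " in
        *" apparmor=1 "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" security=apparmor "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed two-line stand-in for /etc/default/grub.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' > "$tmp"
    add_kernel_params "$tmp" apparmor=1 security=apparmor
    add_kernel_params "$tmp" apparmor=1 security=apparmor   # second run changes nothing
    get_cmdline_default "$tmp"    # prints: quiet splash apparmor=1 security=apparmor
    rm -f "$tmp"
}
demo
```

On a real system the sequence is `add_kernel_params /etc/default/grub apparmor=1 security=apparmor`, then `sudo update-grub` and a reboot; afterwards `cmdline_has_apparmor "$(cat /proc/cmdline)" && sudo aa-status` tells you both that the kernel got the parameters and which profiles are loaded in which mode.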
*Update* />

Now that your OS is a bit more secure, let's take a look at your router.
First we must understand that home routers are vulnerable. Why? I don't know; the technology to prevent man-in-the-middle attacks exists, corporations just don't want to implement it on home routers... anyway, moving on...

First, if you are using Ethernet only (cable), disable the Wi-Fi. You really don't need it enabled if you don't use it; but most likely you do use it, so... we'll talk about it in a minute.
Once you install your new router, the first thing you must do is flip it over and look at its IP (most likely 192.168.1.1) and the admin account and password, so you can enter its settings. I'm sure it says something like admin/password, admin/admin or administrator/password... I guess you know what I'm trying to tell you... change the password! Fast! After you've changed the login password, move to the Wireless network menu; now pay attention... You must rename the SSID (the Wi-Fi's name) in case it reveals the router model (put your name or something), then select a strong password (an example of a strong password is: th1s1smyp@55w0rd!!!). I know it's hard to remember something like that, but your computer will, and whatever OS you have, its network manager has the option to reveal it.
After you set your Wi-Fi password, you need to set the security to WPA2 with AES encryption; both WEP and WPA are less secure, but WPA2 is still a good choice.

Now it's time to get some filters going... you don't want foreign devices entering your network, and for that you must find the MAC addresses of all your computers.

Windows way: Start > Run > cmd > ipconfig /all and look up the 'Physical address'.
Linux way: open a terminal, type sudo ifconfig and look up the HWaddr.
A really fast way: connect all your devices/computers to the internet and, from a Windows machine, run wnetwatcher (Download) and voila, all the MAC addresses of your devices.

Now what you need to do is go into the router's settings and search the menus until you find something like:

   Wireless MAC address filter
On my router it's under 'Interface setup' > 'Wireless'.
Here's a picture of it.
[screenshot of the router's Wireless MAC address filter page]
Make sure you change the format of your MAC addresses accordingly: for example, wnetwatcher and Windows' ipconfig display them like XX-XX-XX-XX-XX-XX and Linux ifconfig like xx:xx:xx:xx:xx:xx, but the router only recognizes a MAC address like XX:XX:XX:XX:XX:XX.
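The format conversion above is easy to get wrong by hand when you have a dozen devices, so here is an added example (my own, not from the original post) that does it for you: a POSIX shell function that turns any of the three common spellings into the upper-case colon form and rejects anything that is not a MAC, plus a helper that pulls the addresses straight out of ipconfig /all or ifconfig output by looking only at the 'Physical Address', 'HWaddr' or 'ether' lines (so the long DUID value ipconfig also prints is not mistaken for one). The ipconfig and ifconfig snippets are constructed sample output, not captures from a real machine. Treat the filter as a convenience layer on top of the WPA2 passphrase rather than a substitute for it.

```shell
#!/bin/sh
# Added example, not from the original post: normalise MAC addresses into the
# XX:XX:XX:XX:XX:XX form a router filter page expects, and extract them from
# ipconfig /all or ifconfig output.
set -eu

# normalize_mac ADDR
# Accepts XX-XX-XX-XX-XX-XX, xx:xx:xx:xx:xx:xx or XXXXXXXXXXXX in any case.
# Prints the upper-case colon form, or returns 1 if ADDR is not a MAC.
normalize_mac() {
    hex=$(printf '%s\n' "$1" | sed 's/[-:]//g' | tr 'a-f' 'A-F')
    case $hex in
        *[!0-9A-F]*) return 1 ;;       # something other than hex digits
    esac
    [ ${#hex} -eq 12 ] || return 1     # 6 octets = 12 hex digits
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# extract_macs
# Reads ipconfig /all or ifconfig output on stdin and prints one normalised
# MAC per line. Only lines labelled as hardware addresses are considered:
# ipconfig prints "Physical Address. . . : XX-XX-...", net-tools ifconfig
# prints "HWaddr xx:xx:..." and newer ifconfig prints "ether xx:xx:...".
extract_macs() {
    grep -Ei 'physical address|hwaddr|ether ' \
    | grep -Eio '([0-9a-f]{2}[-:]){5}[0-9a-f]{2}' \
    | while IFS= read -r raw; do
        normalize_mac "$raw"
    done
}

# Constructed sample output (not from a real machine). The DUID line is there
# to show that its run of XX-XX pairs is ignored.
SAMPLE_IPCONFIG='Ethernet adapter Ethernet:
   Description . . . . . . . . . . . : Example PCIe GbE Family Controller
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-2B-3C-4D-00-1A-2B-3C-4D-5E'
SAMPLE_IFCONFIG='wlan0     Link encap:Ethernet  HWaddr 0a:1b:2c:3d:4e:5f
          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0'

# list_sample_macs
# Runs the extractor over both samples; prints the two router-ready addresses.
list_sample_macs() {
    printf '%s\n' "$SAMPLE_IPCONFIG" "$SAMPLE_IFCONFIG" | extract_macs
}

list_sample_macs
```

On a real Linux box the same helper runs as `ifconfig | extract_macs`; for output copied from a Windows machine, paste it into a file and run `extract_macs < ipconfig.txt`.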

Now if you ask 'why should I do all that? I have an antivirus and a firewall', I must tell you that with a wrong setup on your router you could lose all your passwords and have your private data leaked. How? By MITM (man in the middle) attacks. By setting a non-default Wi-Fi password and MAC filters you have completed 3 out of the 4 steps you should take. Let's review these 3 steps:

1) Router password: changed because you don't want the friends you invited over to play a prank on you by messing around with your router's settings.

2) Wi-Fi password: changed for obvious reasons; you don't want your neighbor wasting your bandwidth and being on the same network as you.

3) MAC filter: even if you start yelling your Wi-Fi password out loud, the router will only accept the devices that have the specified MAC addresses, e.g. if someone knows your Wi-Fi password he/she will be unable to connect because of this filter. Good enough, right?

4) The fourth one is about user education. Whenever you are going to connect to your email account, PayPal account etc., type https:// manually first; never open an important page by typing just 'gmail.com', 'outlook.com' etc. A MITM attack can prevent you from using HTTPS, and a smart attack also fakes the indicator that you're using HTTPS.

Now that you have learned a few good security practices, let me give my opinion about a few things..
Don't use Windows 10, at least not yet; there are concerns that some privacy settings don't really turn 'off' once you set them to 'off'.
Keep your software up to date, especially the web browser, and change your passwords often.
Use OpenDNS or Google DNS servers (optional), but from time to time enter your router's settings to check that everything is as it should be.
Encrypt your hard drive; it's easy for someone to stick in a live Linux USB and browse/copy your drive's contents.
Never throw away an old computer with its hard drive still in; either keep the hard drive or destroy it (after you take all of your important files off it).
And finally, do not use abandoned or poorly maintained technologies such as Adobe Flash.

Once again, I hope you find this article useful.
