3DSC Day 8: Change Your Passwords

Last week we primarily worked on securing your local computer.  Yesterday we focused on installing a local password manager.  Today our view will expand outward.  On this, the eighth day of the Thirty-Day Security Challenge I will challenge you to change your passwords on your online accounts.  Don’t rush in and try to change them all at once though – that could be a recipe for disaster.  Instead, try to change your passwords during your normal logins.  Time to check your Gmail account? About to settle in for some Netflix?  Getting ready to order that new book on Amazon?  Take an extra couple of minutes and change those passwords.   Your Dropbox account can wait until tomorrow when you will be logging into Dropbox, anyway.

When changing your passwords you should definitely pay attention to the quality of the new ones.  All of your passwords should be:

  1. Unique.  Don’t use the same password on any two accounts.  Each account gets its own password – this is critical to good online account security.  This is much more important than even the quality of your passwords.  No ifs, ands, or buts.  This way if one account is hacked it won’t affect any of the others.  Mat Honan is an excellent example of why using the same password on multiple accounts is a bad idea.
  2. Long.  Use the maximum allowable length.  Google accounts allow you to use up to a 99-character password.  Your password manager does all the work and you’ll never enter it manually, so what do you care?  Max it out!
  3. Randomly generated.  Human-designed passwords are terrible, in the vast, overwhelming majority of cases.  We just have a hard time reliably generating truly complex strings of letters, numbers, and special characters.  Don’t try to make one up.  Instead let the password manager do the work and generate one for you.

The password manager you installed yesterday will be fairly critical to this task.  Without it you won’t be able to generate passwords meeting the above criteria…and if you do, you won’t be able to remember them.  Add each one as a new entry to your password manager when you change it.
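As an added illustration of the three criteria above (this is example code written for this page, not part of the original post and not taken from any of the password managers it mentions), the following PowerShell generates a maximum-length password from the operating system’s cryptographic random number generator and checks a small vault for reuse.  The vault contents, the account names, and the 99-character default are constructed for the example; the alphabet can be trimmed if a site rejects particular symbols.

```powershell
# Added example (not from the original post): generate a password that meets the
# three criteria (unique, long, randomly generated) and confirm it is not already
# used by another entry. The vault is a constructed stand-in for a manager's entries.

function New-RandomPassword {
    param([int]$Length = 99)   # Google's 99-character maximum, as the post notes

    # Letters, digits and common symbols; adjust if a site rejects some symbols
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?'
    $n = $alphabet.Length

    # Use the OS cryptographic RNG, never Get-Random, for anything secret
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $n)   # rejection threshold so every character is equally likely
    $sb    = New-Object System.Text.StringBuilder

    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Test-PasswordUnique {
    param([string]$Password, [hashtable]$Vault)
    # Unique means no other account in the vault holds the same password
    return -not ($Vault.Values -contains $Password)
}

# Constructed sample vault: account -> password (obviously not real credentials)
$vault = @{
    'gmail'   = 'correct-horse-battery-staple'
    'netflix' = 'correct-horse-battery-staple'   # reused: the mistake the post warns about
}

# Report any password shared by more than one account
$reused = $vault.Values | Group-Object | Where-Object { $_.Count -gt 1 }
foreach ($r in $reused) {
    $accounts = ($vault.GetEnumerator() | Where-Object { $_.Value -eq $r.Name }).Key -join ', '
    Write-Host "Password reused across: $accounts"
}

# Replace one of the reused entries with a fresh, maximum-length random password
$new = New-RandomPassword -Length 99
if (Test-PasswordUnique -Password $new -Vault $vault) {
    $vault['netflix'] = $new
    Write-Host "netflix: new $($new.Length)-character password stored"
}
```

The rejection step (`$buf[0] -lt $limit`) matters: taking a byte modulo the alphabet size without it would make the first few characters of the alphabet slightly more likely, which is exactly the kind of bias a password manager’s generator is built to avoid.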

This will be a carry-over task that won’t be finished in a day (unless you really work at it).  If you only change your passwords at your normal logins the process will be slower but it will also be more manageable.  By this time next week I bet that the majority of your accounts have been changed, and by the end of this month all of your accounts should have new passwords.

3DSC Day 7: Install a Password Manager

Welcome to the second week of the Thirty-Day Security Challenge!  We are officially one-quarter of the way through the process!  Today’s task is to install a password manager on your computer and/or phone. This is an absolutely critical step.  Future posts in this series will ask that you change current passwords and create new accounts with good, strong passwords.  Being limited to feeble human memory requires most of us to choose poor passwords.  We use the same ones on multiple accounts and some of the new ones we will create this month will probably be lost or forgotten.  Storing passwords insecurely in a Word document or spreadsheet isn’t a great idea, either, since it’s really vulnerable to loss.  The password manager will solve these problems for us by creating good passwords, recalling them for us, and storing them securely.

Below I have listed some reputable password management options.  Review these, choose one, and install it.  After you have chosen a password manager, secure it with a good, strong password.  Pin it to your taskbar (Windows) or keep it in your Dock (Mac). This will place it within easy access for the remainder of the month.  Take a few minutes to get familiar with creating and accessing entries – you should be using this a lot in the future.

There are a number of good password managers out there and your choice will be somewhat driven by your operating system(s).  The list I give here is by no means exhaustive and there are loads of options.  I am only willing to list the ones that I have used and have familiarity with, however.

FREE OPTIONS

Password Safe (Windows):  If you primarily use a single Windows computer, Password Safe is the way to go.  It is widely known for its user-friendliness.  Password Safe is what is known as a host-based password manager, meaning your password database is stored only on one single device.  It isn’t transmitted to the cloud or stored on a remote server.  There are variants of Password Safe for other operating systems, too, but none of them are supported by the original developer.

KeePass/KeePassX/MacPass (Cross-platform):  KeePass and its variants are open-source password managers and perhaps the most universal of the ones listed here.  There are forks that work on nearly any operating system you can imagine and all of the databases are compatible with other versions.  These are not the most user-friendly password managers, however, and they lack some of the functionality and polish of most of the alternatives.  They do enjoy the benefits of being strongly encrypted, cross-platform, and totally free.  Like Password Safe, KeePass (and its sister applications) only stores your AES-256-encrypted password database locally, on a single device.

LastPass (Cross-platform): LastPass is the only cloud-based password manager I would even begin to recommend.  LastPass stores all of your passwords in an encrypted database in the cloud.  This means that you can access your passwords from any device, as long as you can access the internet.  One other major benefit of a cloud-based password manager is that you will have an offsite backup of your passwords should your computer crash or be stolen. Unfortunately this is exactly the reason I don’t prefer LastPass; being able to access your passwords from the internet means that someone else can, too.  It also means that you might be tempted to enter your master password on a computer that you don’t own or control.  LastPass is free on a single device; to install it on multiple devices will require a premium account, which is only $1/month (which is still really close to free).  Premium accounts can be installed on all your devices and shared among up to five users.

PAID OPTIONS

Codebook Password Manager:  I have a fondness for Zetetic’s Codebook, and I have written about it before.  I have used it for years on my iOS devices, and if you only have one or two devices this may be a great option for you.  However it is a paid program and you must purchase a subscription for each device.  Codebook is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.

1Password:  I include 1Password because it consistently ranks among the most popular password managers.  I personally don’t love it but I also don’t have anything against it, and it does have some good things going for it.  1Password is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.  It is also incredibly user-friendly and good looking, but it is expensive.

3DSC Days 5 & 6: Weekend Project #1

This weekend’s project is twofold.  First, make sure your computer is running an up-to-date antivirus application. There is a good chance many of you already are.  If you are running Windows 7 or 10 you probably have a variation of Windows Defender or Microsoft Security Essentials.  You may also have a version of a premium antivirus suite like McAfee or Norton.  If you do not already have an antivirus program you should install one immediately, even if you are a Mac user.

The antivirus application I recommend for both Windows and Mac is Avast.  The links are, respectively: Avast Antivirus Free and Avast Free Mac Security.  I like Avast because it consistently performs well in independent testing.  Once you have installed Avast you will be asked to register it with an email address.  Next, allow its definitions to update and let it run.

Next, scan your computer with an anti-malware application.  Even if you have a Mac, even if you run antivirus.  While antivirus protects you in near-real-time from malicious applications, anti-malware is reactive in nature and will root out those applications that have already managed to install themselves.  The anti-malware utility I recommend is Malwarebytes Anti-Malware Free.  Though there is a premium version of the application the free version is incredibly capable and will be sufficient for our needs.

This is set aside as a weekend project because it will take some time.  Set your computer up with the application and enable a full scan.  Then hit the gym, take the kids to the zoo, or head out for some drinks with your friends.  When you come home the scan should be finished.  Quarantine all malicious threats and potentially unwanted programs.  If you had positive results (meaning Malwarebytes found something) you should run the program again, or try another application.  Two trusted apps that I have had great results with are Spybot Search and Destroy and Comodo Cleaning Essentials.  Unfortunately Spybot and Comodo are only available for Windows.

Review:  With the first week at a close, let’s review our progress.  You are all now running a computer with an up-to-date operating system and all your applications are updated.  You have created and are using a standard user account.  Your machine has been scanned by anti-malware to remove any malicious programs, and anti-virus is protecting you in real-time.  You are already head and shoulders above the average user and should commend yourself.  You have also planned ahead and requested a ProtonMail account for yourself.  Enjoy the rest of your weekend and I will see you all on Monday!  Next week we will begin protecting some of your online information.

3DSC Day 4: Set Up Private & Secure Email

Today will be a change of pace.  It will take five minutes at the absolute most and it does not pertain to securing your local system.  Today your task is to set up a private and secure email account.  Email is a necessary evil.  While most of us think of email as roughly analogous to a mailed letter (sealed in an envelope and opened only by the intended recipient), it is much more like a postcard.  Google’s Eric Schmidt even remarked in all seriousness that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”.  He was referring to Gmail and non-Gmail users alike.  Our emails are read by various parties along the way and contain a ton of personal information.  Relationship and health information, intimate photographs, the stories that make us who we are.  Today’s security challenge aims to fix that by making encryption the default for your future emails.

ProtonMail is a free, end-to-end encrypted email provider. I have written about ProtonMail twice previously on this blog and in my books.  Due to extremely high demand for ProtonMail accounts the service has experienced a backlog of requests and a new account may take some time.  However, you can still request an account by visiting https://protonmail.com/invite.  The only information that is requested is your desired username and an email address.  The email address is used for notification when your account is ready.  The delay in getting a ProtonMail account is the reason we are breaking so drastically from local computer security tasks this week.  Having a private and secure email account will be important later on this month, so please don’t delay!

By the end of this month-long challenge you should have a new ProtonMail account.  I won’t bore you with all of the details, but I will run down the key features.  First and most importantly, all of your emails to and from other ProtonMail accounts will be automatically encrypted using very strong encryption.  Also, your emails will be stored securely in an encrypted, “zero-knowledge” format.  This means that the email provider will have no access to your messages.  Even if you have to correspond with non-ProtonMail accounts, this alone cuts your attack surface in half.

EXTRA CREDIT: If you really want to go the extra mile you can sign up for accounts for three personal contacts.  These should be the people you email the most.  This could be your spouse, parents, children, friends, co-workers, or any combination thereof.  This will ensure you enjoy the maximum benefit of ProtonMail’s end-to-end encryption, create a much broader user base, and make us all a little less conspicuous.

3DSC Day 3: Review Privacy Settings

At this point you are running your computer on a standard user account and your operating system and applications are updated.  Though it may not seem like it, you are miles ahead of most users already; the two relatively lackluster tasks we performed over the last two days are incredibly important.  We still have a long way to go, though, so hang in there.  Today is the day to review those basic privacy and security settings!  If you’ve forgotten where these settings hide, don’t worry – I will walk you through them for Windows 7, Windows 10, and OS X.

Windows 7:  There is only one task that is specific to Windows 7 users only.  This task is to remove the privacy-invading Windows 10 features installed in default updates.  I did a full blog post on this a couple of months ago; it can be found HERE.

Windows 7 and 10:  These tasks should be completed by both Windows 7 and Windows 10 users.

  • Disable AutoPlay:  AutoPlay allows removable media to automatically play or run upon connection with your device.  This introduces a gross vulnerability by potentially allowing malware on these media to execute automatically.  To disable AutoRun and AutoPlay, navigate to Start>>Control Panel>>Hardware and Sound>>AutoPlay.   This will open a Windows Explorer dialogue allowing you to choose what action the OS should take for various types of media.  The first action you should take within this dialogue is to uncheck the box at the top that states “Use AutoPlay for all media and devices”.  Next, in the drop-down menu for each type of media, select “Take no action” and click Save.
  • Unhide File Extensions:  By default Windows hides the file extensions (like .docx, .exe, or .jpeg) from you on the assumption that most users don’t care (sadly, they are almost certainly correct in this assumption).  Hidden file extensions can cause you to open a file that looks like a .jpeg, but is actually a malicious executable, so it is a good idea to display these extensions.  To do so, open any Windows Explorer menu and click the Organize drop down menu at the upper left of the window.  Next, click Folder and Search Options, which will open a new dialogue.  In this dialogue click on the “View” tab and scroll down to “Hide Extensions for Known File Types”.  Uncheck this box and click Apply.
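To confirm that the two changes above actually took effect, here is a PowerShell check written for this page (it is an added example, not part of the original post).  It reads the registry values that the AutoPlay control panel and the Folder Options checkbox write: DisableAutoplay under the AutoplayHandlers key, NoDriveTypeAutoRun under the Explorer policy keys (0xFF means AutoRun is off for every drive type), and HideFileExt under the Explorer Advanced key (0 means extensions are shown).  The helper function names are this example’s own.

```powershell
# Added example (not from the original post): read back the Windows settings the
# two bullets above change, so you can verify them without re-opening the dialogs.
# HKLM policy values, where present, override the per-user ones, so both are read.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return $item.$Name
}

function Test-AutoPlayDisabled {
    # Unchecking "Use AutoPlay for all media and devices" sets DisableAutoplay = 1
    $ui = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' 'DisableAutoplay'
    # NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on every drive type via policy
    $policy = @(
        Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
        Get-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    ) | Where-Object { $null -ne $_ }
    return ($ui -eq 1) -or ($policy -contains 255)
}

function Test-ExtensionsVisible {
    # Unchecking "Hide extensions for known file types" sets HideFileExt = 0;
    # a missing value means the Windows default, which hides extensions
    $v = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    return ($v -eq 0)
}

# Optional: enforce both settings for the current user without the dialogs.
# Explorer must be restarted (or you must sign out) before HideFileExt is applied.
function Set-HardenedExplorerSettings {
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 255 -Type DWord
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name 'HideFileExt' -Value 0 -Type DWord
}

if (Test-AutoPlayDisabled) { 'AutoPlay: disabled' } else { 'AutoPlay: still enabled - revisit Control Panel > AutoPlay' }
if (Test-ExtensionsVisible) { 'File extensions: shown' } else { 'File extensions: hidden - uncheck the option in Folder Options' }
```

Run the two checks as-is from any user account; call `Set-HardenedExplorerSettings` only if you prefer to set the values directly rather than through the dialogs described above.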

Windows 10: Go over the Windows 7 instructions, and then review the privacy settings specific to Windows 10.  I did a full write-up on this HERE, complete with screenshots.  If you are running a Win10 machine go ahead and follow the link and check back in tomorrow.

Mac OS X:  I have not previously written about OS X settings but in gearing up to write Your Ultimate Security Guide: OS X, I am excited to get started!  Here goes: to access these settings first open System Preferences.  Next click the “Security and Privacy” icon.  This will contain most of the settings we will address in this article.

  • General:  Under this tab are a couple of settings, the first of which is “Require password ____ after screen saver or sleep begins”.  This should be set to immediately; as soon as your screen switches off a password will be required to access your desktop, assuming the account in question has a password enabled.  If it does not, go back to System Preferences >> Users and Groups, select your account, and assign it a password.
  • FileVault: If FileVault is not enabled you should take the time to do so now.  This enables Apple’s OEM full-disk encryption.  This means that the data on your computer’s hard drive is fully protected in the event your computer is “borrowed”, lost, or stolen.
  • Firewall: The firewall should also be enabled.  The firewall monitors your computer’s incoming and outgoing internet connections for suspicious activity.  This is an excellent line of defense against many forms of internet-based attack and has almost no impact on the user.
  • Privacy:  Review all of the privacy options (Location Services, Contacts, Calendars, Reminders, Accessibility, and Diagnostics & Usage).  Disallow any applications that do not require this information to function correctly.  Under Diagnostics & Usage uncheck both boxes.

See, that wasn’t so bad!  See you all tomorrow…

3DSC Day 2: Set Up a Standard User Account

Today’s security task is to set up a standard user account. Though it is a phrase that is normally applied to the corporate or government sectors, personal computers should also employ and adhere to the Principle of Least Privilege (PLP).  The Principle of Least Privilege is a concept stating that any user should have only the permissions necessary to do his or her job.  At the home-user level this means creating and using a Standard User account rather than performing day-to-day operations on an Administrator account. Using an Administrator account is perhaps one of the most common errors I see committed by home computer users. This mistake has caused me endless frustration in “fixing” friends’ computers that have become thoroughly infected with malware.

These computers become so thoroughly infected because they are always running with administrator-level privileges.  The ability to make system-wide changes like executing programs or deleting other users’ files is not necessary for daily use.  Running on a standard user account still allows you to do these things, but only after entering the administrator password to confirm that you actually want this action to occur.  Though it may not seem like it, this step is so important that even Microsoft recommends it.  To setup a standard user account refer to the following:

Windows 7/10: Windows has two different types of accounts: Standard User and Administrator.  A Standard User account has all of the necessary privileges for most of us to do the jobs we do on home PCs.  Even though I work at a computer daily, I only rarely log into an Administrator account.  User accounts have the privileges necessary to do most day-to-day tasks including creating, opening, editing, and saving documents, browsing the Internet, etc.  There are a very small handful of things a User account does not have the privileges for, the most important of which is installing programs.

Because Administrator accounts have the necessary privileges to install programs, executable files may be able to run on an Administrator account without having to ask permission.  If permission is required, malicious executables are sometimes capable of tricking the user into agreeing to install the program.  Standard User accounts have fewer permissions, and the most important permission a Standard User account lacks is the ability to install programs without permission from the administrator.  When a malicious program attempts to install itself on a Standard User account, a prompt will appear asking for permission from the Administrator (and the administrator’s password if the account is password protected).  Seeing a password prompt alone should be enough to make a user question whether he or she really wants to allow the executable to run.

When you purchase a new Windows computer, the only account that is enabled by default is an Administrator account.  Many home users will never create another account, choosing instead to work only inside this account.  This is problematic as it makes the computer more susceptible to malware and viruses.  To set up a user account, navigate to: Start >> Control Panel >> User Accounts and Family Safety >> Add or Remove User Accounts >> Create a New Account.

OS X: Setting up a user account in OS X is a relatively uncomplicated affair.  Open the System Preferences and click Users and Groups.  Click on the padlock icon at the bottom left of the interface and enter your password when prompted (assuming your administrator account is password protected).  Click the “+” icon just above the padlock to create a new user account.

A COUPLE MORE CONSIDERATIONS…

Account Naming:  There is a tendency to give Standard User and Administrator accounts distinctive names.  For instance, a family of four might name their accounts Justin, Sarah, David, and Ashley.  Unfortunately, these unique account names associate themselves with many things.  For example, Microsoft Office records the creator of a file by recording the User account name under which it was created in the metadata.  If you send out files (of any type) this may leak information about you or your family.  For this reason I strongly encourage using bland generic names such as Administrator, User 1, User 2, and so on.

Passwords:  The administrator accounts and user accounts should be password protected with different passwords. Though I recommend using long, complex passwords in most cases, I recommend (and use) easily memorable passwords that are quick and easy to type for the Administrator and User accounts.  This is because the password protection on these accounts offers very little actual security.  Having a password can hinder anyone attempting to install malicious software on your device.
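For Windows 10 users who prefer the command line, the following PowerShell does what the Control Panel steps above do: it creates a standard (non-administrator) account with the bland name the post recommends and then lists which accounts hold administrator rights, which is the least-privilege check worth repeating now and then.  This is an added example written for this page, not the post’s own instructions; the `New-LocalUser` and `Get-LocalGroupMember` cmdlets ship with Windows 10 but not Windows 7, and the function names are this example’s own.

```powershell
# Added example (not from the original post): create the standard account the
# post describes on Windows 10 and show who currently has administrator rights.
# Run from an elevated (Administrator) PowerShell window.

function Test-RunningAsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-StandardUser {
    param([string]$Name = 'User 1')   # generic name, as the Account Naming note recommends
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "$Name already exists"
    } else {
        $pw = Read-Host -AsSecureString "Password for $Name"
        New-LocalUser -Name $Name -Password $pw -PasswordNeverExpires | Out-Null
    }
    # New-LocalUser does not put the account in any group; membership in Users is
    # what makes it a standard account that can sign in but cannot install software
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

if (-not (Test-RunningAsAdministrator)) {
    throw 'Open PowerShell as Administrator to create accounts.'
}
New-StandardUser -Name 'User 1'

# Least privilege check: only the account you reserve for administration belongs here
Write-Host 'Members of the Administrators group:'
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

After the account exists, sign out and sign back in as User 1 for everyday use; the Administrators list printed at the end should then contain only the account you keep for installing software.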

Migrating Your Data:  The unfortunate part of setting up a new account is that you will have to migrate your data, programs, and desktop to a new account.  If you don’t have the time to migrate today, don’t worry about it.  However, you should perform all the future tasks in the 30-Day Security Challenge on your Standard User account.  To ease the process of migrating your data, I recommend taking the following steps:

  • While logged into your administrator account, set up a shared folder
  • Import your documents, photos, and other files into the shared folder
  • Log out of your administrator account, and log into the standard user account
  • Copy all files to a folder that is not shared
  • Finally, log back into the administrator account and delete the shared folder

Thanks for joining, and I’ll see you all tomorrow for the third day of the challenge!

3DSC Day 1: Install OS & App Updates

Welcome to the Thirty-Day Security Challenge! I am looking forward to the coming month and I appreciate all of you who have chosen to follow along!  Today’s task is not flashy or even terribly interesting, but it is one of those tasks that is absolutely critical to security.  Today’s task is to install OS and app updates.  While we are  in the update settings we will also make sure that future updates are downloaded and applied automatically so you don’t fall out of date.

Keeping your software up-to-date is an incredibly important step in securing a computer.  As software ages, security holes are discovered in it.  Attacks are written to take advantage of these holes.  Though software updates are occasionally released to add features and to deal with bugs, they are very often written specifically to patch security holes.  If your software is outdated it becomes vulnerable.  These vulnerabilities are also well-publicized by virtue of the fact that patches exists to fix them.

Windows: To install OS and app updates in Windows, navigate to Start>>Control Panel>>System and Security>>Windows Update.  Select Change Settings from the left sidebar.  Open the dropdown menu.  If you want to go fully automatic (Windows downloads and installs updates as soon as they are available) choose Install updates automatically (recommended).  If you prefer to have your updates downloaded but choose the time and place to install them, choose Download updates but let me choose whether to install them.  This also gives you the advantage of being able to research updates before you commit to them (at least in Windows 7), as some updates help Microsoft collect data about you.

To update your applications in Windows, you have a couple of options.  You can do so manually for every application you have, or you can download an application that will check them for you.  There are two such applications that I recommend.  They are Patch My PC Updater and Secunia PSI.  Both will scan your computer’s installed programs and let you know if updates are available.  Both are also capable of downloading and installing updates for you.

Mac OS X:  To update your OS and applications in OS X, open the App Store.  If a badge is displayed on the App Store icon you have updates waiting.  If you think there may be updates for your machine go to the top of your screen and open the “Store” drop-down menu and select “Reload”.  This will manually check for updates.

To ensure that future updates are downloaded and installed automatically, open your Mac’s System Preferences and click the App Store icon.  Make sure the following boxes are checked:

  1. Automatically check for updates,
  2. Download newly available updates in the background,
  3. Install app updates,
  4. Install OS X updates†, and
  5. Install system data files and security updates.

†You may wish to leave this option un-checked. It will allow you to install OS X updates at your leisure.  Because these updates can take time and require a restart this may be preferable depending on your situation.  Realize that you will have to be alert for new updates and install them manually.

Tomorrow will be another foundational step and one that will require some thought and decision-making on your part.  Stay with me!

Thirty-Day Security Challenge Details

With just two weeks remaining before the start of the Thirty-Day Security Challenge, I am going to address a few questions I have been asked in the past week.  If you have additional questions or comments feel free to post them in the comments or contact me directly.

What will the Challenge cover?  I have been somewhat (and intentionally) vague on this, but several of you have emailed in asking what the Challenge will tackle.  I’m still going to be a little vague, but this should give you an idea:

  • Week 1 will focus on local security and some basic best practices for your computer.
  • Week 2 will begin dealing with online accounts, web browser security, and protecting your internet traffic.
  • Week 3 will continue with online account security and deal with some intermediate topics like encryption and system cleaning.
  • Week 4 and on will deal with some mobile device security and encryption, and some personal privacy issues.

Though each week has a sort of theme, the challenge is cumulative, and being engaged from the beginning is important.  If you can’t, don’t worry, and if something is not applicable to you feel free to skip it.

How can I follow the Challenge?  A few of you have asked for alternate ways to follow this month’s challenge.  Here are three:

  • Blog:  The easiest way is to come to the blog each day from March 1st through March 30th.
  • Mailing List: Several of you have asked for a mailing list.  I initially wasn’t comfortable with this because I am hesitant to become a repository of email addresses that I risk losing, but you guys have talked me into it.  I won’t email you for anything else, and this mailing list will be turned off when the Challenge is over.  The mailing list is coordinated through MailChimp, whose complete privacy policy states,  “Your subscriber lists are stored on a secure MailChimp server. We don’t, under any circumstances, sell your lists, contact people on your lists, market to people on your lists, steal your lists, or share your lists with any other party, unless it’s required by law.”  Thanks to those who reached out and requested this – you know who you are! To get on the mailing list contact me through the contact form.  Supply the email address at which you would like to receive daily updates.  Put “Thirty Day List” in the subject line and you will be added.
  • RSS Feed:  If you have an RSS reader you can follow the blog and the Security Challenge at https://operational-security.com/feed/.

What happens when the Challenge is Over?  Most importantly, you will be much more secure than when you started!  On my end, when the Thirty-Day Security Challenge is over I would love to hear your feedback.  Feel free to let me know what I did well and what could have been better.  Tell me your successes and failures.  Was there something you didn’t like?  Was there something I didn’t include but should have?  Within two weeks of the end of the Challenge I will post an after-action review based on your feedback.  I am very interested to hear how you all did, so please, don’t hesitate to chime in.

See you all in two weeks!