Thanks for lumping North Dakota in with other countries. About time everyone knows it's the United States of North Dakota. :-)
On Thu, Nov 8, 2012 at 5:11 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Oh heck no - share it all you want, and you don't even have to include my name if you don't want to.
>
> A couple of minor fixes:
>
> "Bulgaria, China and North Dakota are as close and your next door" should read "Bulgaria, China and North Dakota are as close as your next door"
>
> "you're in better shape that would otherwise be the case" should read "you're in better shape than would otherwise be the case"
>
> Kurt
>
> On Thu, Nov 8, 2012 at 1:59 PM, Don Kuhlman <drkuhl...@yahoo.com> wrote:
>
>> Very well done Kurt - Thanks for the efforts. I hope you don't mind me sharing it with Stu's link included?
>>
>> Don K
>>
>> ------------------------------
>> *From:* Kurt Buff <kurt.b...@gmail.com>
>> *To:* NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>> *Sent:* Wednesday, November 7, 2012 11:24 PM
>> *Subject:* Kurt's current security recommendations for your computer - the 2012 update
>>
>> All,
>>
>> I sent out the last version of this back over a year ago. It's time for a refresh. I've only done a few minor updates, as things haven't really changed much. However, I'd be pleased if you share with me any thoughts you have on what I've written.
>>
>> The first thing to remember is that security (computer or otherwise) is not an end state. It's a process, and a mind set. Why do security professionals say that? For three related reasons:
>>
>> *o- The world changes*
>> Trite, perhaps, but it's fundamental. For the computing world, this means new applications, new versions of applications, new versions of operating systems, patches to current operating systems and applications, etc. It also means new criminals and new ways of crime - they are tricksy beasts.
>>
>> *o- All software has bugs*
>> Lots of them. If (when!)
>> encountered, many of those bugs will cause your computer to behave in ways that are much less safe than you would hope or expect.
>>
>> *o- The computing world has more risks than the physical world*
>> There are hostile actors in the computing world trying to take advantage of the above, which means that what might have been relatively safe earlier is unlikely to be so in short order. What you *MUST* understand is that, for these people, infecting your computer is a business. They make money from it, in several different ways. The specifics of the business are beyond the scope of this discussion, but understanding that should lead you to understand that you and your computer are a target, no matter how insignificant or obscure you think you or your computer might be. And, they can be anywhere in the world - Bulgaria, China and North Dakota are as close and your next door neighbor.
>>
>> *But, all is not lost, nor insuperable.* Understanding the above, and following a few pieces of advice, will keep you out of most trouble and will improve your odds of safe computing over the longer term.
>>
>> Understand that the situation in the computing world is fluid and that the enemy is mobile, agile and hostile, and you're in better shape that would otherwise be the case.
>>
>> So, the advice, in rough order:
>>
>> *o- Mobile devices are still more dangerous than traditional computers such as laptops and desktops*
>> They, and the software on them, are still not mature, and methods for using and managing them safely are not well developed. In particular, it's very difficult to achieve separation of privileges between administrative functions and normal user functions, because there aren't any easy ways to use more than one account. What that means, and why this is important will become a bit more clear if you read this whole message.
>> Right now I'll just caution you that mobile devices are under intense scrutiny by computer criminals for any advantage, and are the fastest rising targets for malicious activity. Be careful with them.
>> Don't
>> a) install apps without understanding what they do and what privileges they require,
>> b) open random text messages - especially you shouldn't follow links in text messages to web sites, or
>> c) perform any really sensitive tasks on them - by this I mostly mean doing financial tasks or keeping financial data on the device without encrypting it.
>>
>> Do keep your eyes peeled for good security software and for unexpected or suspicious behavior on your mobile device.
>>
>> *o- Keep your machine patched*
>> For your computer's operating system (Windows, Mac, Linux or other) and for every program that you commonly use on your machine, make sure that at least once a month you visit the vendor's web site and keep current with the latest security updates. This includes your operating system (Windows, Mac, Linux, whatever), and your application software - not only the major pieces like MS Office or OpenOffice, and your web browser, but also the various Adobe products (including especially Acrobat Reader, Flash and Shockwave), Java (if it's installed) and any other free or paid software you use.
>> Fortunately much software now is capable of updating itself. Pay attention though - make sure that if you get a piece of software that wants to update itself that it's *really* that software that's asking.
>>
>> *o- Simple is better*
>> Uninstall any software that you don't use any more, or that you don't use regularly enough to make it worth keeping around. Also, don't gratuitously or promiscuously install software, especially if a web page unexpectedly prompts you to do so. This especially means supposed video codecs from some web sites, or special drivers to see or work with content on their pages.
>> If they want you to do that, be extremely suspicious of it. Some software asks if you want to install addons from partners. Decline them. Even if they are from legitimate firms, these addons usually cause nothing but grief. (The free Adobe Acrobat Reader and Flash Player are two of the most egregious in this regard, but Sun's Java is also prone to it.)
>>
>> *o- Be cautious browsing the web*
>> Hover your mouse over any link before clicking on it, whether in email or on a web page. You should see either a popup or a notification at the bottom of the page of what's really in that link. If the popup doesn't match the visible link, don't click on it.
>>
>> *o- Be cautious reading email*
>> If you're using an email application such as Outlook, Pegasus or some other non-web-browser email, you should be able to set it so that by default it displays only plain text. Don't click on links just because they appear in emails that appear to come from someone you know, or from your bank or credit card vendor. After inspecting an email and deciding it's worthy, you should be able to cause it to display any web content. Most emails are not worthy.
>>
>> *o- Fortify your browser*
>> Use browser-based tools to help protect you from malicious web content. My favorite browser is Firefox. Hands down, it's the best of the browsers, for one simple reason: it has the best security plugins I know of. I use bunches of plugins and addons for various purposes (many of them not related to security), but these are the ones that I absolutely install wherever I can - each covers a different facet of web security:
>>
>> NoScript
>> Request Policy
>> Adblock Plus
>> Better Privacy
>> Ghostery - new for this edition of my advice
>>
>> Be aware that the first two, in their default configurations, are fairly disruptive, until you know what they do and how to work with them.
>> They extract a price, in that you must pay attention to them, and understand what they are doing, in order to optimise your browsing experience. They pay big dividends, though, in much safer browsing. They will also astonish you, by revealing how incredibly complex web pages are, and how many agents have their fingers in your browsing.
>>
>> Better Privacy and Ghostery in their default configurations aren't intrusive, but can be if you get carried away with them, although they are also extremely valuable.
>>
>> A fascinating addon for Firefox is Collusion. It aims to demonstrate which web sites know about you and talk with each other about your browsing habits. It doesn't prevent anything - it merely shows you a graph, but it's really useful for understanding how the web is tied together.
>>
>> *o- Get a good antimalware package*
>> I like Sunbelt Software's VIPRE. I *don't* like either McAfee or Symantec. I've heard good things about Kaspersky, but haven't used it. Trend used to be good, but I have no opinion on it currently, because I haven't used it in years. Microsoft's Security Essentials is free and does a very good job, but it's only for Windows. There are lots of others, and I have no way to tell you anything about them, as I haven't used them.
>>
>> *o- Don't panic*
>> If, in spite of having a good antimalware package, your computer does get infected, you will need to use other software to help out. Currently, I'm a big fan of malwarebytes - you can get a free version from http://www.malwarebytes.com. Also recommended is VIPRE Live - get it from http://live.sunbeltsoftware.com. Don't run them at the same time - let one finish, then run the other. If things are really fubar'ed you'll want to engage a professional, as there are other tools out that require more expertise to use, such as UBCD4Win, various Linux-based rescue disks, etc.
>> Please understand that not all situations can be remedied, so be cautious in your computing.
>>
>> *o- You are not a computer, and your memory is limited and much more volatile*
>> You probably visit many different web sites, for many different purposes, many of which require an ID and password. Use a different ID and password for every one of them. You are going to have problems remembering that much account information, so use an application to help you manage them - there are two that I can recommend:
>>
>> Password Safe
>> Keepass
>>
>> Both are good, and allow you to use a single master password to protect your other passwords and other account details. Both of these, BTW, have versions that work on smart phones, too.
>>
>> *o- Refresh your passwords*
>> Change your passwords regularly, for all of your accounts, both on your computer and for the various web sites you browse. The fundamental rules of passwords are:
>>
>> - The longer and more complex they are, the better
>> - Change web site passwords at least every six months
>> - Change each of your passwords at least every six months - though the longer the password the longer you can go between password changes
>>
>> Wherever I can, I use a passphrase, which is really just a very long password, but it's easier to type and remember. It's easier because it's a regular sentence, with punctuation, spaces and capitalization all correct. If you throw in a number, you're especially well off. By way of example, I consider the sentence
>>
>> There are 23 ways to cook pasta.
>>
>> much easier to remember and type than something like
>>
>> X8&2Rdd-/az
>>
>> and it's stronger, too.
>>
>> For web pages that don't allow really long passwords/passphrases, you have your password manager to help generate random passwords of sufficient complexity.
>>
>> *o- Lie to web sites*
>> When they are asking you to answer security questions that will be used to reset passwords or verify your identity in some way, don't give them a real answer. If, for instance, they ask for your mother's maiden name, use something else, like the name of your high school PE teacher or the kind of car you like, or your favorite sports team. Record that in your password management application. Lie to web sites about everything you can. Use different answers for different web sites. Why? Two reasons.
>> 1) Because it helps keep your privacy - more than would otherwise be the case.
>> 2) Because if hackers crack the web site and get the data, it won't be applicable to your other accounts.
>>
>> Keep your lies straight with your password manager.
>>
>> *o- Back up your data*
>> If you have data on your machine that you would be unhappy to lose permanently, regularly copy that data somewhere else - perhaps even two or three places, and if it's *really* valuable data, make sure a copy is stored somewhere away from the building in which your computer resides. Valuable data comes in many forms: Financial records and pictures/videos are the two most common, but only you can judge what's valuable to you. Don't forget to include backups of the data in your password management system. Pro tip: It's not a really good idea to keep backups from your home computer at work. Why? Because your work might consider it *theirs* if you do, or you might lose your job and not have time to take it with you after being frogmarched out the door due to layoffs, or something stupid like that. It's also true in reverse. Storing work data at home is a sin. Don't do it.
>>
>> *o- Keep your passwords on paper, and on your person or another safe place*
>> If you're away from your computer, and need to use someone else's to get to a web site that needs a password, you can use the list of your most important accounts and passwords that you've printed out and keep safe in your wallet or purse. Then, when you get home, you'll change that password immediately, because you don't know what else was running on the computer you borrowed.
>>
>> *o- Understand the principle of Least Privilege, and don't be an Administrator all the time*
>> One of the hardest practices of them all to perform well, because everyone (including me!) is lazy, and because operating systems don't always make it easy, is to use two different computer account logins on your personal computer. Why? Because there are two different sets of tasks that you perform on your computer. The first set of tasks is the set that you bought your computer to help with - playing games, web browsing, reading emails, whatever. This set of tasks should be done with an account that has very little power on your machine. You shouldn't be able to install software or change major system-wide settings with this account. Why? Because this is the account you'll use to do things in the relatively dangerous world of the Internet. The other account is the Administrator or root account. This is the account you use to perform the other set of tasks on your computer - maintenance, including installing software and changing major system-wide settings. Never do anything else with this account - don't browse the web (other than to get updates from the publishers of the software you use) or play games or anything else with that account. This approach is called, among other things, Least Privilege Computing. If you're running Windows, one tool that helps with this is native to the operating system: RunAs.
>> It allows you to log in as your less-privileged user, and then run a necessary program as your higher-privileged account. I don't know Macs, but for Linux and other Unix variants, there are similar tools. And, please, don't use the same password for these two accounts.
>>
>> If you can follow all of the above, you'll do as well as anyone else - and better than many professionals.
>>
>> I hope this was helpful, rather than overwhelming.
>>
>> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin