"The Rules" - Basics of Personal Computing Security: Submit Your Rules

If you spend time being 'that computer guy' do yourself a favour and make yourself a copy of UBCD4WIN, makes life a lot easier if you need to save specific non-replaceable files prior to nuking from orbit or if you need to access a drive that has a corrupted windows install.

I would kill for a bootable flash drive that:

* runs a malwarebytes scan without booting into the windows install on the hdd
* renames the old profile
* creates a clean new profile
* copies the desktop, favorites, contacts and documents from the old to the new profile

I think it would make a lot of IT professionals' jobs a lot easier.

fangblackbone wrote:

runs a malwarebytes scan without booting into the windows install on the hdd

According to the developers of malwarebytes this cannot happen. Their scanner works by analyzing the currently running system's memory hooks and linked libraries. Scanning a static drive wouldn't catch the real nasties. (I did a bunch of research trying to get a UBCD-WIN image with that capability).

Bummer. Well I guess the feature that would be really useful is to somehow make the infected windows boot drive act like a secondary drive without removing it from the system or swapping cables/adding another drive. If we could boot off the usb and recognize the windows boot drive that would be ideal.

I think another unique tool would be to have a generic default profile that we could copy onto a drive. We then would rename the user's profile as an old copy and the generic profile as the new user's so that we can then copy the documents, desktop, favorites and contacts over and use the modified generic profile as the new user's profile. It would just save a bunch of log offs and logins when rebuilding the user's profile. (log in as admin; rename user's profile; log in as user to recreate profile; log in as admin to copy personal files over; log in as user to make sure everything works)

I'd say at the point where you're in some live-CD read-only safe windows boot environment backing up all your profile files/folders for fear of the infected host system, it would seem to me that it's much less work to store your profile (or a regular backup) off the OS partition, nuke the OS and reinstall/restore.

I find that it's not the OS which is valuable, but your files. Sure there's all the little settings that are done "your way", but really you can get most of them in about 5 minutes and be 99% up and running.

The bit I hate about pulling files from an old profile is how all the various programs, from MS and 3rd party, store all variety of files, from temp files, to important settings and game save files that you want to keep, to actual program files (chrome) that you'll want to reinstall, in a user profile. It's a mess with little rhyme or reason that I can discern.

Awesome thread. Thanks so much everyone.

Have you guys seen/have opinions on the NotScripts extension for Chrome? Looks like it's an attempt to mimic NoScript. I haven't used a script blocker before, but after reading this thread I'll go ahead and give Legion's suggestion a try.

Up until recently, Chrome had lacked the ability to prevent content from loading. Ad blockers worked by loading the ads and *then* hiding them.

Because of this, I considered Chrome unsuitable for use.

Chrome now has the "beforeload" event which presumably puts an end to this issue.

What would also help is like a list of popular things people do that can infect themselves with viruses.

Like:

* clicking a link in your email
* downloading an .exe file
* clicking on one of those "catch the mouse to win $500" flash ads
* opening an email attachment from someone you don't know
* clicking anywhere on a popup to close it

etc...

fangblackbone wrote:

What would also help is like a list of popular things people do that can infect themselves with viruses.

Like:

* clicking a link in your email
* downloading an .exe file
* clicking on one of those "catch the mouse to win $500" flash ads
* opening an email attachment from someone you don't know
* clicking anywhere on a popup to close it

etc...

..turning on their pc..

Prozac wrote:

If you spend time being 'that computer guy' do yourself a favour and make yourself a copy of UBCD4WIN, makes life a lot easier if you need to save specific non-replaceable files prior to nuking from orbit or if you need to access a drive that has a corrupted windows install.

I also recommend Trinity Rescue Kit.

Trinity is a Linux boot CD that is built specifically for repairing and recovering Windows systems.

Also, despite the scary L(inux) word, it is navigated entirely through a keyboard-driven menu. As they say:

Trinity website wrote:

... an easy to use scrollable text menu that allows anyone who masters a keyboard and some English to perform maintenance and repair on a computer, ranging from password resetting over disk cleanup to virus scanning

The first 5 disc slots in my computer first-aid kit CD wallet are Trinity, Hiren's Boot CD, UBCD, UBCD4Win, and SystemRescueCD. (Always good to have multiple different overlapping boot discs, as finicky hardware might boot and work with one disc but not a different one).

Time to bring this thread back.

In light of sites that are sniffing your browser history, I would suggest another rule:

* Disable browser history

Also, while we're at it:

* Disable 3rd-party cookies

If you're in Firefox, you can stop the history tracking by going into about:config (in address bar), and setting the boolean setting layout.css.visited_links_enabled to false, or create it if it doesn't exist. The minor downside is that visited links don't show differently if they're styled. (linked in the article from a skim)

Scratched wrote:

If you're in Firefox, you can stop the history tracking by going into about:config (in address bar), and setting the boolean setting layout.css.visited_links_enabled to false, or create it if it doesn't exist. The minor downside is that visited links don't show differently if they're styled. (linked in the article from a skim)

You can also go to Edit -> Preferences -> Privacy, and set History to "Never remember history".

As FF tells you when you do this: "Firefox will use the same settings as private browsing, and will not remember any history as you browse the web."

Or, you can instead set it to "Use custom settings" and have more specific control over how history is handled.
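An added example, not part of any post in this thread: a small audit of a Firefox `prefs.js`/`user.js` file against the three browser rules discussed above. Only `layout.css.visited_links_enabled` is named in the thread; mapping the other two rules to `network.cookie.cookieBehavior` and `places.history.enabled` is an assumption of this example, and the sample file is constructed.

```python
import re

# Baseline taken from the rules in this thread. Only the first pref name
# appears in the thread; the other two are assumed mappings to Firefox prefs.
BASELINE = {
    "layout.css.visited_links_enabled": False,  # stop :visited history sniffing
    "network.cookie.cookieBehavior": 1,         # assumed: 1 = block 3rd-party cookies
    "places.history.enabled": False,            # assumed: do not record history
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Parse user_pref("name", value); lines from prefs.js / user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, baseline=BASELINE):
    """Return {pref: (status, current)}; status is ok, wrong or unset."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in baseline.items():
        if name not in prefs:
            report[name] = ("unset", None)  # browser default applies
        elif prefs[name] == wanted and type(prefs[name]) is type(wanted):
            report[name] = ("ok", prefs[name])
        else:
            report[name] = ("wrong", prefs[name])  # includes 0 where false is wanted
    return report

# Constructed sample, not taken from a real profile.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("layout.css.visited_links_enabled", false);
user_pref("network.cookie.cookieBehavior", 0);
'''
```

An "unset" result means the pref is absent from the file, so whatever default the installed browser version ships with is in effect.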

Depends whether you make use of your browser tracking your history. Security is unfortunately often about making trade-offs between usability versus not being exploited, but turning off a feature entirely is a big step, versus the smaller step of disabling handling one type of CSS feature.

A good habit, for important sites such as banking stuff: click the log off link when you're done, don't just browse to another site or close the browser window. On public wifi, do this for every site.

For sites where I have to register but I don't want to, I use a weak username/password combo (the same everywhere), and I register with a temporary email address from jetable.org, so that I don't hear from them ever again.

Tip for remembering strong passwords: write it on a piece of paper (you can omit a letter if you don't trust people in your home :p), and don't use the "remember me" feature. After a week or so of meticulously typing it, it'll commit to muscle memory.
But keep in mind that you'll probably be safer using a lot of different passwords than a couple strong ones. Some kind of password management software such as KeePass is the way to go.

I wouldn't over-think the password problem though, I think these days you're more likely to fall for a phishing attack or be the victim of some malware.

Be wary of phishing attacks. Make sure evil people don't have your email address (granted, that's hard to avoid). Avoid the MMORPG RMT business. Assume that any account-related email you're getting could be fake. When in doubt, don't click any link provided.

Make sure you're connected to the Internet through a router; if you are, then the odds are you typically don't need extra firewall software.

As for evil viruses and trojans, to be blunt: don't install a bunch of crap. I can't remember the last time I had a virus alert. It's still good to have an anti-virus for peace of mind (and for when a friend drops by with a USB key). Stay away from the bloat of Norton and such.

There's a ton of quality free software out there, it's much safer to install those than to install pirate copies. You can generally trust the recommendations from http://alternativeto.net/.

But even with legitimate software, be careful. Like mentioned before in this thread, during installation, they'll often have a pre-enabled checkbox asking you if you want to install a browser toolbar or some other stuff. Make sure you disable that. That's usually more a matter of bloat than security, but if I recall correctly, one of those toolbars was involved in a browser security vulnerability.

Privacy is another whole can of worms, but I recommend the Firefox extension CS Lite, it uses an automatically updated black list to block the most evil cookies. It doesn't affect your browsing experience.

Here's an interesting and detailed article from the makers of the game EVE Online about account security.

Scratched wrote:

but turning off a feature entirely is a big step, versus the smaller step of disabling handling one type of CSS feature.

A fair point, but restricting/disabling browser history is something people other than Firefox users can do too.

Oh man. Disabling browser history and cookies, that's like kicking yourself in your balls with steel toed boots for your own good.

Scratched wrote:

Depends whether you make use of your browser tracking your history. Security is unfortunately often about making trade-offs between usability versus not being exploited, but turning off a feature entirely is a big step, versus the smaller step of disabling handling one type of CSS feature.

Yeah, usability is important to me. I understand the benefits of being more secure, but if I had to make myself too secure I would end up not even going online. I'll stick to surfing safe.

MrDeVil909 wrote:

Oh man. Disabling browser history and cookies, that's like kicking yourself in your balls with steel toed boots for your own good.

History and 3rd party cookies, not all cookies.

3rd party cookies should always be disabled, period, amen. Safari already comes this way out of the box.

I rarely find much point to browser history anyway. If I'm at a site I'll want to go back to, I click to tag it in Delicious. But at the very least, disabling the CSS styling in Firefox to prevent the history sniffing attack is a good step.

It's a constant arms race though, so it's a question of how far you want to go before you're only using lynx on a live cd. They're already using tech that fingerprints your browser based on various characteristics, meaning the tracking is happening at their end rather than using cookies or snooping your history. Seeing as this is the 'basics of PC security' thread, I don't really think disabling common features to hinder ad companies tracking falls under that remit. If it was a feature that left enabled was a high risk of your computer getting hijacked, then you'd have a point. By and large 'normal end users' don't care too much about what nefarious schemes the ad companies are up to, geeks, sure. For normal people I can see the conversation going like this:

"Honey, what was that website I was looking at about ABC last week?"
"It should be in your histor... oh wait."