Safe Personal Computing (was Re: CRYPTO-GRAM, December 15, 2004)

R.A. Hettinga rah at shipwright.com
Wed Dec 15 05:21:33 PST 2004


At 11:41 PM -0600 12/14/04, Bruce Schneier wrote:
>             Safe Personal Computing
>
>
><http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html>
>
>I am regularly asked what average Internet users can do to ensure their
>security.  My first answer is usually, "Nothing--you're screwed."
>
>But that's not true, and the reality is more complicated.  You're
>screwed if you do nothing to protect yourself, but there are many
>things you can do to increase your security on the Internet.
>
>Two years ago, I published a list of PC security recommendations.  The
>idea was to give home users concrete actions they could take to improve
>security.  This is an update of that list: a dozen things you can do to
>improve your security.
>
>General:  Turn off the computer when you're not using it, especially if
>you have an "always on" Internet connection.
>
>Laptop security:  Keep your laptop with you at all times when not at
>home; treat it as you would a wallet or purse.  Regularly purge
>unneeded data files from your laptop.  The same goes for PDAs.  People
>tend to store more personal data--including passwords and PINs--on PDAs
>than they do on laptops.
>
>Backups:  Back up regularly.  Back up to disk, tape or CD-ROM.  There's
>a lot you can't defend against; a recent backup will at least let you
>recover from an attack.  Store at least one set of backups off-site (a
>safe-deposit box is a good place) and at least one set
>on-site.  Remember to destroy old backups.  The best way to destroy
>CD-Rs is to microwave them on high for five seconds.  You can also
>break them in half or run them through better shredders.
>
>Operating systems:  If possible, don't use Microsoft Windows.  Buy a
>Macintosh or use Linux.  If you must use Windows, set up Automatic
>Update so that you automatically receive security patches.  And delete
>the files "command.com" and "cmd.exe."
>
>Applications:  Limit the number of applications on your machine.  If
>you don't need it, don't install it.  If you no longer need it,
>uninstall it.  Look into one of the free office suites as an
>alternative to Microsoft Office.  Regularly check for updates to the
>applications you use and install them.  Keeping your applications
>patched is important, but don't lose sleep over it.
>
>Browsing:  Don't use Microsoft Internet Explorer, period.  Limit use of
>cookies and applets to those few sites that provide services you
>need.  Set your browser to regularly delete cookies.  Don't assume a
>Web site is what it claims to be, unless you've typed in the URL
>yourself.  Make sure the address bar shows the exact address, not a
>near-miss.
>
>Web sites:  Secure Sockets Layer (SSL) encryption does not provide any
>assurance that the vendor is trustworthy or that its database of
>customer information is secure.
>
>Think before you do business with a Web site.  Limit the financial and
>personal data you send to Web sites--don't give out information unless
>you see a value to you.  If you don't want to give out personal
>information, lie.  Opt out of marketing notices.  If the Web site gives
>you the option of not storing your information for later use, take
>it.  Use a credit card for online purchases, not a debit card.
>
>Passwords:  You can't memorize good enough passwords any more, so don't
>bother.  For high-security Web sites such as banks, create long random
>passwords and write them down.  Guard them as you would your cash:
>i.e., store them in your wallet, etc.
>
>Never reuse a password for something you care about.  (It's fine to
>have a single password for low-security sites, such as for newspaper
>archive access.) Assume that all PINs can be easily broken and plan
>accordingly.
>
>Never type a password you care about, such as for a bank account, into
>a non-SSL encrypted page.  If your bank makes it possible to do that,
>complain to them.  When they tell you that it is OK, don't believe
>them; they're wrong.
>
>E-mail:  Turn off HTML e-mail.  Don't automatically assume that any
>e-mail is from the "From" address.
>
>Delete spam without reading it.  Don't open messages with file
>attachments, unless you know what they contain; immediately delete
>them.  Don't open cartoons, videos and similar "good for a laugh" files
>forwarded by your well-meaning friends; again, immediately delete them.
>
>Never click links in e-mail unless you're sure about the e-mail; copy
>and paste the link into your browser instead.  Don't use Outlook or
>Outlook Express.  If you must use Microsoft Office, enable macro virus
>protection; in Office 2000, turn the security level to "high" and don't
>trust any received files unless you have to.  If you're using Windows,
>turn off the "hide file extensions for known file types" option; it
>lets Trojan horses masquerade as other types of files.  Uninstall the
>Windows Scripting Host if you can get along without it.  If you can't,
>at least change your file associations, so that script files aren't
>automatically sent to the Scripting Host if you double-click them.
>
>Antivirus and anti-spyware software:  Use it--either a combined program
>or two separate programs.  Download and install the updates, at least
>weekly and whenever you read about a new virus in the news.  Some
>antivirus products automatically check for updates.  Enable that
>feature and set it to "daily."
>
>Firewall:  Spend $50 for a Network Address Translator firewall device;
>it's likely to be good enough in default mode.  On your laptop, use
>personal firewall software.  If you can, hide your IP address.  There's
>no reason to allow any incoming connections from anybody.
>
>Encryption:  Install an e-mail and file encryptor (like
>PGP).  Encrypting all your e-mail or your entire hard drive is
>unrealistic, but some mail is too sensitive to send in the
>clear.  Similarly, some files on your hard drive are too sensitive to
>leave unencrypted.
>
>None of the measures I've described are foolproof.  If the secret
>police wants to target your data or your communications, no
>countermeasure on this list will stop them.  But these precautions are
>all good network-hygiene measures, and they'll make you a more
>difficult target than the computer next door.  And even if you only
>follow a few basic measures, you're unlikely to have any problems.
>
>I'm stuck using Microsoft Windows and Office, but I use Opera for Web
>browsing and Eudora for e-mail.  I use Windows Update to automatically
>get patches and install other patches when I hear about them.  My
>antivirus software updates itself regularly.  I keep my computer
>relatively clean and delete applications that I don't need.  I'm
>diligent about backing up my data and about storing data files that are
>no longer needed offline.
>
>I'm suspicious to the point of near-paranoia about e-mail attachments
>and Web sites.  I delete cookies and spyware.  I watch URLs to make
>sure I know where I am, and I don't trust unsolicited e-mails.  I don't
>care about low-security passwords, but try to have good passwords for
>accounts that involve money.  I still don't do Internet banking.  I
>have my firewall set to deny all incoming connections.  And I turn my
>computer off when I'm not using it.
>
>That's basically it.  Really, it's not that hard.  The hardest part is
>developing an intuition about e-mail and Web sites.  But that just
>takes experience.
>
>Others have disagreed with these recommendations:
><http://www.getluky.net/archives/000145.html>
><http://www.berylliumsphere.com/security_mentor/2004/12/heres-another-really-good-twelve.html> or <http://makeashorterlink.com/?Z3772560A>
>
>My original essay on the topic:
><http://www.schneier.com/crypto-gram-0105.html#8>
>
>This essay previously appeared on CNet:
><http://news.com.com/Who+says+safe+computing+must+remain+a+pipe+dream/2010-1071_3-5482340.html> or <http://makeashorterlink.com/?V6872560A>

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
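An added illustration (not part of Schneier's essay or of the post above) of the point about the "hide file extensions for known file types" option: with it on, the shell drops the last extension of a registered type, so "holiday.jpg.exe" is displayed as "holiday.jpg". The extension sets and sample attachment names are constructed for the example, not taken from any Windows registry table.

```python
import os

# Assumed, illustrative sets (not the real list of registered Windows types).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                         ".vbs", ".js", ".wsf", ".hta"}
HARMLESS_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf",
                       ".doc", ".mp3", ".avi", ".mpg"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | HARMLESS_EXTENSIONS


def true_extension(filename):
    """The extension that actually decides what a double-click runs."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename, hide_known_extensions=True):
    """Name as a file browser shows it: with hiding on, the final extension
    of a known type is dropped; with hiding off, the full name is shown."""
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return filename


def is_masquerading(filename):
    """True when the real extension is executable but the name the user
    sees (with hiding on) ends in an extension that looks harmless.
    A bare 'setup.exe' is not flagged: it is executable but not disguised."""
    if true_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return False
    apparent = os.path.splitext(displayed_name(filename))[1].lower()
    return apparent in HARMLESS_EXTENSIONS


def triage_attachments(names):
    """Return the attachment names that would be disguised by extension hiding."""
    return [n for n in names if is_masquerading(n)]


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "holiday.jpg.exe",
    "funny_cartoon.avi.scr",
    "invoice.pdf",
    "notes.txt",
    "setup.exe",
    "video.MPG.vbs",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        shown = displayed_name(name)
        flag = "DISGUISED" if is_masquerading(name) else "ok"
        print(f"{name:25} shown as {shown:22} {flag}")
```

Turning the hiding option off corresponds to `displayed_name(name, hide_known_extensions=False)`, which shows the full name and leaves nothing to masquerade.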