Locked Down: Maximum Security

[John Connor]

Is Linux that much better security-wise or is it that no one bothers writing malware for Linux because of the small installed base vs Win8/7/XP?

Running Damn small Linux (DSL) on a USB or CD is where it's at.

 

[BUTCH1]

All are good advice and I use Noscript and like it. It has a software like Firewall built in too! I use Avira and Comodo. Be sure to install Avira first as it will complain about Comodo. I use DD-WRT in the router and have Active X off and have several IPtables. Read about those. Plus I have a built in SSH tunnel in the router where IPtables block brute forcing it. I also use a port besides 22. It's like 15432. I use OpenDNS. Most of my browsing is done in portable Firefox in a Truecrypt container and the cache is in RAM. All cookies and cache are dumped on exit.

Wow, you sound serious!, most of that is over my head. Cookies are a pain as they allow tracking but then again, like say when I pay my water bill online I don't have to fill in 9 different fields because of cookies. What I do is run a scan now and again to eliminate the cookies that enable targeted ads. I'm still sticking with free Avast, for a free program it seems fully featured and it has yet to let me down..

 

[Chiefcrowe]

You can always use a separate browser for the sites you absolutely need to keep cookies for. Then for the other one you can clear them out regularly.

 

[sphere nothing]

NO. Become sensible user instead.
1. Internet security suite (whats the best? Kaspersky?)

NO, see 1
2. secondary security

NO. see 1.
3. Software firewal

Yes. PFsense or Untagle are great first time options.
4. Hardware firewall via router

NO.
5. Microsoft auto updating

sure
6. Secunia PSI run daily

don't connect to the internets.
7. uninstalling JAVA (is there a better route for compatibility?)

Will you employ sensible password policies or set it and forget it?
9. Setting a password protected administrator account and using a standard user account with a password.

Will proximity device? avoid biometrics
10. Computer locks after several minutes requiring password


NO. Don't use risky software at all. See also 7
13. setting certain possible risky applications to lower user rights

NO. see 7
14. using firefox with noscript
15. setting emails to text-only
16. not using any programs like skype, aim

Use open standards like xmpp+otr or sip+srtp
16b. (any secure solution?)

brush up on sandbox vs virtual machine
17. running any newly downloaded file in sandbox

only if a handful of grenades
18. trip wire

VPN does not provide magical solution. Will other endpoint be secure?
20. connect to internet via a VPN

I'd wait until windows 12 hoping they'll iron out new memory paradigms
21. Windows 8(?) over 7?

no multibooting from a drive. +$0 tco. else OSX.
22. in before run linux

haha
23. UAC control to maximum

usb flash drive is NOT for backup/archival
24. Using keepass database with USB key and salty PW


thinclients, nas4free ZFS & crypto
any better ideas for physical security than tripwire,


cake pipe dream
as secure as I can without too much sacrifice.

WildersSecurity.com BleepingComputer.com

 

[sphere nothing]

Too many sites ask you to use an email address as a user ID

employ more than one.. create new sets monthly

You probably should have a separate email address for sensitive sites such as financial institutions or medical insurance.

NO. online banking not wise. have you READ the ToS for those "services"??

..

"hardware firewall myth"

The distinction is EXTERNAL to workstation firewall appliance or the foolish notion of running firewall software inside the at risk OS/kernel of workstation

 

[John Connor]

No to a separate E-mail address? Are you serious? I use several and banking, Ebay and Paypal go to one E-mail.

 

[PrincessFrosty]

That's all very nice for remote security. However if you're using windows and you're worried about local security (people with physical access to the box) then you have some serious issues to contend with.

You can easily boot off a USB key that contains security tools which can reset the admin password (or any password for that matter) on the windows install, as well as reading the file system directly etc. Once a hacker has admin access it's game over.

Protecting against that is hard, the only truly decent solution is full disk encryption possible with programs like TrueCrypt, encrypt the entire OS disk and have a very strong password.

This stops people from dicking with the files locally, stops resetting of account passwords, in fact stops people from even booting the OS without the encryption password.

When it comes to windows passwords, make sure to disable LM passwords on the box, they're completely beatable at any complexity. The newer NTLM can be brute forced to a high complexity now, Passwords using the full US95 character set up to length 8 can be brute forced in a couple of hours on a decent PC, make sure to aim for passwords length 12+ using a random mix of upper/lower/numeric/special.

 

[Savatar]

This is (basically) a computer which runs an OS which has a firewall component. If you open one of these, you'll find either a SoC or some kind of CPU along with some RAM, NVM along with networking attachments and other various components.

pfSense on the myth of hardware firewalls
You will not find a component whose sole function is to firewall.

Ah, I see what you're saying. An external security appliance that serves as a firewall is usually considered a 'hardware' firewall, though, even though you're right - the firewall itself is really software. It just means that it's dedicated to being a firewall/IDS. Software firewalls are typically considered any software you would run on the same OS that the end-user uses, like Linux (iptables) or Windows (Comodo or Emsisoft Online Armor, or even - dare I say - Windows firewall). For reference, hardly authoritative but on a basic 'common user' level it gets the point across (there are actually more types of firewalls): http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

It is generally more considered more secure to run both a 'hardware' firewall (on a separate security appliance) and a 'software' firewall (on your local system), there's several advantages to doing that and it's very common in large companies to do just that. However, most 'hardware' firewalls are relatively expensive.