What Security do you use?

vigman

Unfortunately, glob_al, as an ex IT Manager, I know that most people in the real world (one outside a specialist techie environment) will be using a flavour of Windows as their operating system and will be browsing with Chrome, IE or Firefox.

We have educated users on not opening mails from people they didn't know, or obvious spam (Viagra etc) BUT, as you know, many phising mails are well constructed and can appear as if they come from a person or company they know. Only a good AV/anti-malware program will help then if they then become infected by viruses (the approved plural of computer virus!)

You may confuse people by your comment about using numbers and capital letters in passwords as in most systems in normal use this combination does stop a great deal of basic hacking software which is looking for known words or phrases. The longer and more obscure the mixture of numbers, and mixed case letters, symbols and spaces, the harder to crack.....(and yes, I do have specialist software that will bypass most passwords, but the advice still applies)

As said above, very few of us use Linux still as our main operating system on laptops or PCs so:

Backing up important files to an external source (internet cloud storage or local external hard disk) is critical in case your system is completely 'trashed' by an infection and has to be rebuilt.

Use the best antivirus and anti-malware recommended and keep them up to date DAILY.

Be very wary of emails with attachments of any sort and check emails carefully from companies you 'know' looking for poor grammar or spelling mistakes, which is often a tell tale sign of a phishing email (one trying to get you to log in or give other important information)

The only consolation is that if Linux gets popular on the desktop, people will start writing viruses for it

Vigman

glob_al

While yes, the majority of people use a flavour of windows on thier main computer - that is an example of poor education!

And yes phishing emails are getting better and better but the correct approach is to use more advanced email filtering and to block these email (as there are still ways to identify them) - not saying AV is not needed at all, just that it doesn't keep you safe, only shuts the stable door after the horse has bolted!

RE passwords consider this:
1. most systems require a 6 to 12 character password with mixed capitol letters and numbers and special characters - this makes it hard to remember for us mere mortals? A targeted attack could take 3 days @ 1000 guesses per second.
2. Remove the requirement for special characters and numbers and increase maximum legnth, now consider 4 random words "tabledoortoiletbedsnorkle" easy to remember but more importantly at the same rate would take a little over 500 years to crack. (assuming an attack on a weak web service through brute force)
ie. its the length that makes it difficult to crack and adds security not the 'entropy' - the 'entropy' makes it difficult to remember.

You are right backups are very important but alot of people forget that an incremental backup takes only ten minutes or something like that versus a few hours for a full backup!

Whilst I agree with many of your points the last sentence is naive! The lack of attack vectors in Linux does not stem from its desktop computer market share....as a system it actually has a completely different security model (that w7 is now trying to copy, just not very well) and to quote my previous post:

"a. I use an Operating system based on the Linux Kernel, This is used in everything from cars, smart tv's to Nuclear control systems and deep sea rigs, its runs the internet and most servers in any self respecting organisation - but has less (read "no viable") Virii (lol) to be concerned with (which many postulate is 'security through obscurity' but the fact is - most servers housing data alot more valuable than your holiday snaps run linux based systems)."

So in summation (from someone who is involved in WHH) there are actually less vulnerabilities in Linux an loads of computers (mostly high value targets)so its not security through obscurity as you suggest, actually its just plain harder to exploit, speaking from experience Linux viruses are near impossible to write as vulnerabilities are patched a whole load quicker.

vigman

.......ah but if you had to stick to the 6 to 12 character rule, then "tabledoorbed" would be quicker to crack than "As123!"£^&yP" bearing in mind than many public crackers look for dictionary words/strings first!

I've used Linux based s/w since its inception and although I do agree that it is patched quicker because of the open source and has less inbuilt vulnerabilities, I do think that we would see a significant number of Linux viruses if it were in use as much as Windows!?

Vigman

glob_al

Yes, 6 to 12 character passwords are easier to crack but the spirit of what I am saying is (current rules):
1. must be 6 to 12 characters long
2. must not contain repeating chars
3. must contain a mixture of capitols, numbers and special chars

better rules:
1. must be 1 to 128 chars long
2. you can (but dont need to) use any printable charecter
3. can be any combination of chars.

the current set of rules binds users to create passwords in a certain way that (if the rules are known) actually decrease the security of the password.

The second set of rules allows for an extremely larger set of possible (and probable) permutations - thus making a harder to crack password.

Also by allowing a user to use "iamagodandyouwillbowdowntome" as a password we make it much easier to remember than "P4$sw0rd65#". Its only a different perspective on password security and while its controversial the strict rules can be extrapolated (this is not exhaustive, its from memory, many parts of this may be incomplete, this was research from over a year ago):
1. the letter e can be replaced by '3', a by '4', l by '1', s by '$' or '5'
2. ignore anything with repeating chars.
3. lowercase letters can be capitalised
4. must be greater than 6 chars (skip any permutation under that legnth)

so rather than having to try a large charecter set with an entropy of x^127 (where x is the number of printable chars), we are left with: (y^12)-(anything with repeating chars) where y is the accepted chars and also this ignores rule 4 from the 2nd set. Enough fake maths though, thats the rough idea

vigman

I don't disagree with this at all, glob_al (and welcome to MSE).

I just had to deal with 'real world' computing and a good start (within the limited rules you state) is at least to use something that doesn't have a guessable string, the longer the better (if not restricted!) and certainly the use of number/letters is good like mu51c*t3ach3r for beating the simple cracking programs.

Even so, people are amazed at the software tools I have to hand that use string matching or even brute force that (legally!) crack forgotten/lost passwords!

The best rule is not to store any highly valuable information on a local computer. Websites using high encryption and starting "https" (like banks) have enough layers to make them pretty safe, but you need to keep checking all transactions as often as possible.

Vigman

thunder1

Tim_Walken wrote: »

I agree with the above, Microsoft security essentials ticks all the boxes for me.

I have used NOD32 payed/ then free Avira, Avast, Comodo, and AVG
all the above were consuming CPU like crazy but since i switched to MS software is like i have new box all running smooth and it catches plenty of viruses/malware too. I'm happy with this combination.

vigman

thunder1 wrote: »

I have used NOD32 payed/ then free Avira, Avast, Comodo, and AVG
all the above were consuming CPU like crazy but since i switched to MS software is like i have new box all running smooth and it catches plenty of viruses/malware too. I'm happy with this combination.

MS bought GeCAD and Sybari to beef up their AV offering, but in hard tests it came out quite poorly, especially for virus identity updates.

AVG shouldn't be invasive but you have to know what you are checking in the preferences otherwise almost every action might have to get 'approved'!

Vigman

wouldbeqaulitymoneysaver

I run Microsoft Security Essentials on my Laptop it's FREE, it does the job and no worries.

RealGem

According to the the official VM reports there is nothing wrong in South Wales for Virgin Media Broadband.

But my WIRED connection keeps dropping every few minutes. You wouldn't believe how long it took just to open this site!

Anyone else had this problem today please?

I rang VM and they want to reset my hub to the factory settings, but it took me so long to get it sorted out when I first got it, I said I'd ring back tomorrow in case it's just a glitch today. And he's only guessing; he doesn't know for sure that resetting would solve the problem.

My neighbours are with Sky and BT. I would feel better if someone else in South Wales had similar problems, so I know it's not my hub that needs resetting.

thanks a lot

RealGem

Wow! - I've had a dodgy connection since Thursday and Virgin have only acknowledged today (Sunday) that there is a problem in my area!

So it's acceptable to be without a decent connection for several days before something is done about it!

So if you are told by Virgin that they need to reset their hub, because there is "not a problem in your area" don't take their word for it.