Basic computer security for mere mortals: how to have the most computer security with the least effort when you don't have quick access to a computer security professional


John R Hines' Basic Computer Security for Mere Mortals
How to have the most computer security with the least effort when you don't have quick access to a computer security professional

John R Hines, Net+ Certified, Security+ Certified
Consulting Security Engineer, LLC
JohnRichardHines@ConsultingSecurityEngineer.com

Oholiab's first law of security (Murphy's first law of planning): The important things are simple.
Oholiab's second law of security (Murphy's second law of planning): The simple things are very hard.
Oholiab's comment on the laws of security: Simple and easy are not the same thing! Fools do not know that.

Copyright © Consulting Security Engineer LLC. All rights reserved 2016. ISBN N/A. Version 1.2.2.2017090582300

Table of contents

Revision History
Security
What about security?
What is security?
What is computer security?
Is security a new problem?
What is in these notes?
What about measures?
What is a measure?
What is a low-reward measure?
What is a reasonable measure?
What is an unreasonable measure?
Feedback
What is different about this series?

Section I: Simple measures to secure Windows 7, 8, and 8.1
Default problem #1: It is possible to enable the Administrator user account
What is Administrator (The Administrator) (The one-and-only-real Administrator)?
Mistake #1A: Failing to disable the Administrator user account
Mistake #1B: Using the Admin account instead of your admin-equivalent account
Default problem #2: Windows doesn't force you to install hotfixes, patches, and updates
What is a hotfix?
What is a patch?
What's an exploit?
What is an update?
What is an upgrade?
Mistake #2A: Using IE (Internet Explorer 8) (or earlier) to download patches
Mistake #2B: Not downloading and installing updates and upgrades for non-Microsoft software
Mistake #2C: Downloading and installing software you don't plan to use often
Mistake #2D: Downloading software from sites not closely associated with the software
Default problem #3: Not all Windows versions automatically download and install hotfixes, patches and updates for you (if you've turned off auto update)
Default problem #4: Windows never automatically updates non-Microsoft applications (even if auto update has been turned on)
Default problem #5: You choose your own user ID (user name) (user identity)
Mistake #5A: Using PI in your user ID
Mistake #5B: Using company information in your user ID
Mistake #5C: Failure to store your user IDs (and passwords) (and PINs) in a SECURE place
Mistake #5D: Storing your user IDs (and passwords) near your computer
Default problem #6: Windows doesn't create a standard user-equivalent identity for you
Mistake #6A: See Mistake #5A
Mistake #6B: See Mistake #5B
Mistake #6C: Failure to use a standard user-equivalent identity unless you need admin-equivalent privileges
Mistake #6D: Creating a generic "convenience" identity to "simplify"
Default problem #7: Windows 7, 8, or 8.1 does not require strong (enough) passwords
Mistake #7A: See Mistake #5A
Mistake #7B: See Mistake #5B
Default problem #8: Windows 7, 8, and 8.1 do not force you to turn on account lockout
Mistake #8A: Leaving your PC turned on overnight and over weekends
Default problem #9: Some versions of Windows 7, 8, and 8.1 automatically install Windows Defender
What is antimalware (AM) (anti-malware)?
Mistake #9A: Failure to keep antimalware software current
Default problem #10: Some versions of Windows 7, 8, and 8.1 automatically enable a default "Guest" account
What is a guest (guest account)?
Section II: Simple measures to secure Windows 10
What simple reasonable measures will improve your security on Windows XP, Windows 7, Windows 8 or Windows 8.1?
What simple reasonable measures will improve your security on Windows 10?
Default problem #1: It is possible to enable the Administrator user account
What is Administrator (The Administrator) (The one-and-only-real Administrator)?
Mistake #1A: Failing to disable the Administrator user account
Default problem #2: Windows 10 allows you to turn off automatic updating
Default problem #3: Windows never automatically updates non-Microsoft apps (even if auto update has been turned on)
What is a bug fix (fix)?
What is a patch?
What's an exploit?
What is an update?
What is an upgrade?
Mistake #3A: Failing to check for patches and updates for non-Microsoft software
Default problem #4: You choose your own user ID (user name) (user identity)
Mistake #4A: Using PI in your user ID
Mistake #4B: Using company information in your user ID
Mistake #4C: Failure to store your user IDs (and passwords) in a SECURE place
Mistake #4D: Storing your user IDs (and passwords) near your computer
Default problem #5: Windows 10 doesn't automatically create a standard user-equivalent user ID (user identity) for you
Mistake #5A: Failure to create a standard user-equivalent user ID for every user who has an admin-equivalent ID
Mistake #5B: See Mistake #4A
Mistake #5C: See Mistake #4B
Mistake #5D: See Mistake #4C
Mistake #5E: See Mistake #4D
Mistake #5F: Failure to use a standard user-equivalent identity unless you need admin-equivalent privileges
Mistake #5G: Creating generic "convenience" identities to "simplify"
Default problem #6: Windows 10 does not require strong (enough) passwords
Default problem #7: Windows 10 does not automatically turn on account lockout
Mistake #7A: Leaving your PC turned on overnight and over weekends
Default problem #8: Windows 10 automatically installs Windows Defender
What is antimalware (AM) (anti-malware)?
Mistake #8A: Failure to keep anti-malware software current

Section III: Simple measures to secure your router
What about routers?
What is a router?
What is a firewall (hardware firewall)?
What is a wireless router?
What is a wired router (hard-wired router)?
What is router firmware?
What is "flashing the ROM"?
What simple reasonable measures will improve your router security?
Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it
What is a zero-day attack (zero-day exploit)?
What is an attacker?
Mistake #1A: Buying a bargain router
Default problem #2: The default password is written on the side of the router
What's a dictionary password attack?
What's a strong password?
Mistake #2A: Not saving the changed password in a secure place
Default problem #3: Most router hacks come from WIFI issues, not from cable issues
Default problem #4: WIFI networks should always use WPA2 encryption
Mistake #4A: Using WEP encryption on your router
Mistake #4B: Having no encryption on your router
Default problem #5: WIFI name and password defaults are often chosen to simplify installation, not to secure the router
Mistake #5A: Not saving the changed WIFI name and password (passwords) in a secure place
Default problem #6: WIFI signals should not go (too far) beyond your office
What is war driving?
What is war flying?
Mistake #6A: Buying a large area router for a small office

Section IV: Simple measures to secure your network
Why care about networks?
What is a cable modem?
What is the internet (public network)?
What is an intranet (private network)?
What is WIFI (Wi-Fi) (Wifi) (WiFi) (wireless networking) (unbounded media)?
What is wired (hard-wired) (direct wired)?
What do these notes assume you've already done?
What simple reasonable measures will improve security on your intranet?
Measure #1: Have two routers: one for business use and one for all other uses
Mistake #1A: Not moving computers that do both business and nonbusiness work to the risky intranet
Mistake #1B: Not moving friends, family and visitors to WIFI associated with the risky intranet
Mistake #1C: Telling friends, family, and visitors that you've put them on the risky intranet
Measure #2: Have at least one old slow network computer for nonbusiness (and for friends and family) use
Mistake #2A: Not placing this computer on a less secure intranet (the risky intranet, if you have one)
Measure #3: Shut down the business (secure) router when no one is in the office
What is a zombie (member of a botnet)?
Mistake #3A: Letting your business computers participate in zombie herds (botnets) when you're not in the office
Measure #4: Shut down the risky (insecure) router when no one should be on the internet
Mistake #4A: Letting your recreational computers participate in zombie herds while everyone sleeps
Mistake #4B: Letting others (mostly, your children) run wild on the internet while you sleep
Measure #5: Do a quick walk about every quarter (when the season changes) (when TV switches to a different major sport)
What is an AUP (Acceptable Use Policy) (fair use policy)?
Mistake #5A: Failing to write a brief AUP
Measure #6: Do a quick audit of all computers about every quarter (when the season changes) (when TV switches to a different major sport)
What is an admin-equivalent (admin-equivalent user)?
What is a Guest (Guest account)?
What is a standard user?
Mistake #6A: Allowing your users to manage their computers

Section V: Simple measures to secure your browser
What about browsers?
What is a browser?
What is an html browser (browser)?
What is HTML?
What is hypertext?
What is SGML (Standard Generalized Markup Language)?
What are common browsers (html browsers) for Windows?
What is a TOR browser?
What is anonymize (verb)?
What is the dark web?
What is the deep web?
What is Tor (the onion router)?
What is TOR (Tor Project)?
What simple measures will improve browser security?
Measure #1: Keep your browser current
What is an exploit?
What is an update?
What is an upgrade?
Mistake #1A: Downloading an upgrade from a site not closely associated with the company that develops your browser
Measure #2: Browse as a standard user, not as a privileged user
What is a privileged user?
What is a standard user?
Mistake #2A: Your standard user ID (user name) gives away PI
Mistake #2B: Your standard user password gives away PI
Measure #3: Go (mostly) to websites that have good security for users
Mistake #3A: Going to small websites with no obvious source of support
Measure #4: Use antimalware that tracks sites with bad reputations
Measure #5: Immediately erase browser history of visits to sites where you have entered PI
Measure #6: Never click on a website link before you see where it will go
What is a rogue link?
What is hovering over a link?
Measure #7: Never go to a website if you wouldn't want everyone to know that you've gone there
Mistake #7A: Going to an edgy (seedy) (salacious) website from your good computer
What is NSFW (Not Suitable For Work)?
Mistake #7B: Failing to erase browser history after you've gone to a questionable website
Measure #8: Never walk away from a computer without exiting from the browser, then logging out
Mistake #8A: Not having a screensaver that requires a password and has a short trigger (time until it activates)
Measure #9: Almost never use a browser on a shared computer
Mistake #9A: See Mistake #7B
Measure #10: Do not attempt to surveil or collect PI belonging to other adults or the minor children of other adults
Mistake #10A: Looking at browser history on a shared computer or a computer that isn't yours
Mistake #10B: Surveilling someone without having a plausible non-computer-related explanation for how you know what you shouldn't know
Mistake #10C: Installing a keyboard logger or other software to collect information
Measure #11: Never allow someone else to use your personal computer for any purpose

Section VI: Simple measures to secure your smartphone and tablet
What about phones and tablets?
What is a mobile (mobile device) (handheld computer) (handheld)?
What is a phone (wireless phone)?
What is cellular connectivity?
What is WIFI connectivity to the Internet?
What is a smartphone (Smart phone) (phone)?
What is direct manipulation?

Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 10 Pro 15063 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Aggressive OS guesses: Microsoft Windows 10 10586 - 14393 (96%), Microsoft Windows 10 build 10074 - 14393 (96%), Version 6.1 (Build 7601: Service Pack 1) (96%), Microsoft Windows 10 build 10586 (95%), Microsoft Windows 10 build 15031 (95%), Microsoft Windows 10 (93%), Microsoft Windows Longhorn (93%), Microsoft Windows Server 2008 (93%), Microsoft Windows Server 2016 build 10586 (93%), Microsoft Windows Professional (93%)
No exact OS matches for host (test conditions non-ideal)
Uptime guess: 0.026 days (since Sat Aug 19 13:41:40 2017)
Network Distance: hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: SCE-10PRO-WORKS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 10 Pro 15063 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::
|   Computer name: SCE-10Pro-Workstation
|   NetBIOS computer name: SCE-10PRO-WORKS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-08-19T14:18:11-05:00
| smb-security-mode:
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-08-19 14:18:13
|_  start_date: 2017-08-19 13:42:10

NSE: Script Post-scanning.
Initiating NSE at 14:19
Completed NSE at 14:19, 0.00s elapsed
Initiating NSE at 14:19
Completed NSE at 14:19, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in
388.85 seconds
Raw packets sent: 10799 (489.882KB) | Rcvd: 3247 (143.088KB)

What is Nmap? An open source command-line scanner. Zenmap is a GUI for Nmap. Try https://nmap.org/

Appendices for Section V (browsers)
None

Appendices for Section VI (smartphones and tablets)
Appendix I: How do I take a screen capture on a phone or tablet?
For an Android device: once the screen is ready, press both the power button and the home button. The screenshot can be viewed in (1) the Gallery app or (2) Samsung's built-in "My Files" file browser. Pressing both the sleep/wake button and the volume down button may also work.
For an iOS device: once the screen is ready, while pressing and holding the Sleep/Wake button on the top or side of your device, quickly press and release the Home button. The screenshot can be viewed by going to the Photos app > Albums, then tapping Camera Roll. See "How to take a screenshot on your iPhone, iPad, and iPod touch", https://support.apple.com/en-us/HT200289
Appendix II: What are the buttons on a phone or tablet?
For an Android device

Appendices for Section VII (email)
Appendix I: After your email is sent, what is the minimum time until you can be sure that no electronic copies exist anywhere except your computer?
More than two years if you are using a private mail server managed by a trained technician: private emails are almost always archived to an email backup server that is audited at least yearly to verify retention, to prevent legal issues.
Appendix II: How to increase your chances of avoiding or defeating an evil email attack
Do you know the sender of the email? Warning: look for spelling errors in the sender's name: Goggle is not Google. (If you are not sure, check it on www.mailtester.com.) Don't open an email from an unknown mailer; just delete it if it
Warning: An email from an unknown mailer may be an attempt to see if you are gullible, to justify additional effort. Sending a "Who are you?"
response back will encourage him.
If the email title looks like it is an attempt to entice you to open the email (i.e., probably written by a marketing flack), don't open it! (No, you don't want to see pictures of some politician in flagrante delicto.)
If you are sure you know the sender and you have opened the email, still be cautious before clicking a link. If you are not sure you know the sender, never click a link.
Never open an email attachment with an executable extension: bat, com, and exe are common executables; msi (Microsoft installer), php (PHP script), pl (Perl script), reg (Windows registry script; opening it imports changes into the registry), and vbs (VBScript) are less common but still indicate (possibly) bad intent. Note that Windows acts on the last extension, so "invoice.pdf.exe" is an exe, not a PDF.
Never open an email attachment unless you are sure you want to see it. Never download an email attachment unless you are sure you want to keep it.
Does the email request personal information? If so, do not reply.
Does the email contain spelling or grammatical errors? Does the email look like it was written by a person not fluent in English? If so, be suspicious. Note: If you send an email with spelling or grammatical errors, you are likely to be ignored.
If you have a relationship with the company, are they addressing you by name?
Have you checked the link? Mouse over the link and check the URL. Does it look legitimate, or does it look like it will take you to a different Web site?
Appendix III: What common actions (may) protect you from evil emails?
Disable all executables attached to documents. If you have Microsoft Office, go to File > Options > Trust Center.
Install and keep up to date an antimalware program that scans your emails before you open them. I use Eset. Others work, too.
Keep your contact list up to date. Remove anyone who sends you email you don't want from the contact list!
What is a contact list (contacts)?
A list of companies and people you have received or expect to receive email from. Many mail services give extra scanning to emails from addresses not in your contact list.
Appendix IV: What happens to your email on the email server if you use an email client?
When you use an email client like Outlook to access a public mail service like AT&T email, the usual default is to move an email to a trash folder on the server as soon as it is read, and the trash folder is eventually emptied (the exact behaviour depends on the protocol and on the client's settings). There are usually options for retaining email on the server.
Appendix V: What happens to your email on the webmail server if you use a browser to read your mail?
POP3 and IMAP are protocols used by mail clients, not by browsers. When a client fetches mail with POP3, the message is typically downloaded to the client's workstation and deleted from the server; when a client uses IMAP, the message stays on the server. Reading mail in a browser (webmail) behaves like IMAP: the message stays on the webmail server until you delete it. There are usually options for retaining email on the server.
Appendix VI: What happens when I try to unsubscribe from a news source I don't remember subscribing to?
You get even more junk email. An unwanted "news source" is often a phishing expedition: you give the "news source" PI you wouldn't normally give out to get them to stop mailing you. Instead, they keep emailing you AND they sell your PI to bad guys.
What is PI (personal information)?
Information that can be used alone or in conjunction with other information to identify a person (including individual clients, prospects, and employees), either directly or indirectly.

Retention estimates for public mail services (continuing Appendix I): assume more than two months after you delete it from your public IMAP mail server. Assume more than two months after you send it to your public POP3 mail server. These numbers assume you, the recipient, and all BCC'd and CC'd recipients delete the email from their computers. If someone has intentionally saved a copy, it exists until the copy is destroyed.
Warning: Your email may exist on the mail service in a backup folder or on a backup tape for years, although it will be more difficult to find as time goes on. On a public mail service with lots of hard disk space and an overworked or lazy technician, your email might be found many years after it was sent.
BTW: The easiest way to find a copy of an email is to look on the sender's computer, the recipient's computer, and all CC'd and BCC'd users' computers.
Appendix VII: What is a phishing attack (ID theft)?
What is social engineering? A usually non-technical method of intrusion that hackers use; it relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Often the beginning of an attack. Examples: contractors, dumpster diving, helpdesk, hoaxes, impersonation, online attacks, phishing, shoulder surfing, tailgating, third-party authorization, vishing, whaling. Best defense is education and training! Alternative: An attack against the people element of security. Alternative: A game to acquire digital information.
What is phishing?
An attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. A form of social engineering that does not require the attacker's physical presence. Phishing attacks often begin with a link that takes you to a website that wants you to enter information. When that happens, be very suspicious: pick up your phone and contact the company!
What is spear phishing? Phishing among some select group (usually big fish). Often begins with a link to a website that caters to some recreational activity the big fish (or some group he is part of) has mentioned on Facebook. Warning: Facebook is NOT the place for ANY PI.
What is whaling? Phishing for specific high-level individuals. Often begins with a link to a website that caters to some recreational activity the big fish (or some group he is part of) has mentioned on Facebook. Warning: Facebook is NOT the place for ANY PI.
Suggested reading (when you have time)
25 Most Common Mistakes in Email Security, by WindowSecurity.com (lots of advice, some useful to small businesses, much not)
Kill Process, by William Hertling
Security, by Poul Anderson (badly formatted but great ideas)
Social Engineering, by Vince Reynolds
What documents are part of this series?
Volume 1: 5-Minute security talk
Volume 2: 15-Minute security talk
Volume 3: Basic Windows 10 Security
Volume 4: Basic Router Security
Volume 5: Basic Network Security
Volume 6: Basic Browser Security
Volume 7: Advanced Windows 10 Security
Volume 8: Advanced Router Security
Volume 9: Advanced Network Security
Volume 10: Advanced Browser Security
Volume 11: Basic Windows 7, 8, and 8.1 Security
Volume 12: Basic Phone and Tablet Security
Volume 13: Advanced Phone and Tablet Security
Volume 14: Basic eMail Security
Volume 15: Advanced eMail Security
Volume 16: Basic Developing Secure Apps (Not available until the others are started)

Biography
John R Hines has degrees from two party schools (BA-Math from the University of Colorado and BSEE from Arizona State University). He has been an analog computer repairman (US Army), a network manager, a professional engineer (Texas), a programmer, a retired guy, a semiconductor engineer, a teacher, and a writer. Now he is a certified security engineer. In the 1980s, the US Patent and Trademark Office granted him six patents and he began writing about using computers to solve problems. He wrote a book about circuit simulation and taught SPICE (Simulation Program with Integrated Circuit Emphasis) classes at Fortune 500 companies. In the 1990s, he had computer-related columns in popular trade magazines like Electronic Test and Design Automation and scholarly magazines like IEEE Spectrum, and taught C, C++, Delphi and Java. In the 2000s, he was a Java developer (and a part-time central office technician) for America's best telephone company. After he retired to Lucas, Texas, he has written ebooks for Amazon, thought about computer security, and taken training classes and CompTIA certification tests (he is A+, CISSP, CCNA, and CEH trained, and Net+ and Security+ certified). In late 2016, he started prototyping a security start-up to test a business model that might employ geek geezers who want to work less than 20 hours a week. It serves an
underserved market (home business, home users, and small businesses that do not have quick access to a professional security engineer). Google him under JR Hines, John Hines and John R Hines. Or look at his computer books on Amazon.com.
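The Nmap scan reproduced above (host SCE-10PRO-WORKS) is forty lines long, and the two lines that matter for a small office are easy to miss: "message_signing: disabled (dangerous, but default)" under smb-security-mode, and "Message signing enabled but not required" under smb2-security-mode. A host in that state accepts unsigned SMB sessions, which is what SMB relay and tampering attacks need. The script below is an added example, not part of the notes or of Nmap: it reads Nmap's normal text output and reduces it to a findings list. SAMPLE_SCAN and HARDENED_SCAN are constructed excerpts modelled on the scan above (the 192.168.1.23 address is made up), and the RISKY_PORTS table is this example's assumption about what a workstation should not expose on the LAN.

```python
"""Added example (not from the notes): reduce Nmap normal output to a short
findings list. SAMPLE_SCAN is a constructed excerpt modelled on the scan of
SCE-10PRO-WORKS printed above; the IP address is made up."""
import re
from typing import Dict, List, Tuple

SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.23
Host is up (0.0010s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 10 Pro 15063 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# The same host after "Microsoft network server: Digitally sign
# communications (always)" is enabled, SMB1 is removed and the discovery
# services are off (constructed, for comparison).
HARDENED_SCAN = """\
Nmap scan report for 192.168.1.23
PORT      STATE SERVICE      VERSION
445/tcp   open  microsoft-ds Windows 10 Pro 15063 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)
SMB1_RE = re.compile(r"message_signing:\s*(\w+)")
SMB2_RE = re.compile(r"Message signing (enabled and required|enabled but not required|disabled)")

# Assumption for this example: a small-office workstation has no business
# exposing these to the LAN unless it is deliberately a file server.
RISKY_PORTS = {
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB file and printer sharing",
    2869: "SSDP/UPnP device host",
    5357: "Web Services on Devices (WS-Discovery)",
    10243: "Windows Media Player network sharing",
}


def parse_open_ports(scan: str) -> List[Tuple[int, str, str]]:
    """(port, protocol, service) for every 'open' line in the port table."""
    return [(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(scan)]


def smb_signing(scan: str) -> Dict[str, str]:
    """SMB1 and SMB2 signing state as reported by the smb-security-mode
    and smb2-security-mode scripts; a key is absent if the script did not run."""
    out: Dict[str, str] = {}
    m = SMB1_RE.search(scan)
    if m:
        out["smb1"] = m.group(1).lower()
    m = SMB2_RE.search(scan)
    if m:
        out["smb2"] = m.group(1).lower()
    return out


def findings(scan: str) -> List[str]:
    """Signing problems first (they are the real risk), then exposed services."""
    notes: List[str] = []
    sig = smb_signing(scan)
    if sig.get("smb1") == "disabled":
        notes.append("SMB1 signing disabled: unsigned sessions accepted, relay/tampering possible")
    if sig.get("smb2") == "enabled but not required":
        notes.append("SMB2 signing not required: a client that does not sign is still accepted")
    for port, proto, svc in parse_open_ports(scan):
        if port in RISKY_PORTS:
            notes.append(f"{port}/{proto} ({svc}) open: {RISKY_PORTS[port]}")
    return notes


if __name__ == "__main__":
    for line in findings(SAMPLE_SCAN):
        print(line)
```

Run it against a saved scan with findings(open("scan.txt").read()). The regular expressions key on the exact strings this Nmap version prints, so check them against your own output before trusting an empty findings list; a host that is genuinely a file server will still show 445 open, and the point then is that the signing lines must read "enabled and required".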
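Three items in the email checklist of Appendix II can be automated: the executable-extension rule (with the "invoice.pdf.exe" double-extension trick the rule is really about), the "mouse over the link and check the URL" test, and "Goggle is not Google". The script below is an added example, not code from the notes: every attachment name, link and domain in it is a constructed sample, the EXECUTABLE_EXTENSIONS set extends the notes' list with a few more extensions Windows runs on a double-click, and registrable() approximates a domain by its last two labels (an assumption that ignores multi-part suffixes such as co.uk).

```python
"""Added example (not John Hines' code): a triage helper for the email
checklist. Every attachment name, link and domain below is a constructed
sample, not real mail."""
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Extensions the notes call out, plus a few more that Windows runs on a
# double-click (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "bat", "com", "exe", "msi", "php", "pl", "reg", "vbs",
    "cmd", "js", "jse", "ps1", "scr", "hta", "lnk",
}


def attachment_risk(filename: str) -> str:
    """Classify an attachment by its LAST extension, the one Windows acts on.
    'invoice.pdf.exe' is an executable whatever the icon or the '.pdf'
    in the middle suggests."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return "ok"                      # no extension at all
    if parts[-1] in EXECUTABLE_EXTENSIONS:
        return "double-extension" if len(parts) > 2 else "executable"
    return "ok"


def host_of(text: str) -> Optional[str]:
    """Host name of a URL, or of link text that is itself written as a
    URL/domain; None for ordinary words such as 'click here'."""
    s = text.strip()
    if " " in s or "." not in s:
        return None
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def registrable(host: str) -> str:
    """Last two labels (assumption: ignores multi-part suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def link_mismatch(display_text: str, href: str) -> bool:
    """The 'mouse over the link' check: the visible text names one site,
    the target is a different organisation's host."""
    shown, real = host_of(display_text), host_of(href)
    if shown is None or real is None:
        return False
    return registrable(shown) != registrable(real)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one or two swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, known: List[str]) -> Optional[str]:
    """'Goggle is not Google': the known domain this host is one or two
    typos away from, or None if it is an exact match or unrelated."""
    dom = registrable(host)
    if dom in known:
        return None
    for k in known:
        if edit_distance(dom, k) <= 2:
            return k
    return None


def triage(attachments: List[str], links: List[Tuple[str, str]],
           known: List[str]) -> List[str]:
    """Run the checklist items that can be automated; return the warnings."""
    warnings: List[str] = []
    for name in attachments:
        risk = attachment_risk(name)
        if risk != "ok":
            warnings.append(f"attachment {name!r}: {risk}")
    for text, href in links:
        real = host_of(href)
        if link_mismatch(text, href):
            warnings.append(f"link text {text!r} actually goes to {real}")
        imitated = real and lookalike_of(real, known)
        if imitated:
            warnings.append(f"link host {real} looks like {imitated}")
    return warnings


if __name__ == "__main__":
    for w in triage(
        ["invoice.pdf.exe", "agenda.docx"],
        [("www.paypal.com", "http://paypa1-secure.example.net/login"),
         ("Reset your password", "https://mail.goggle.com/reset")],
        ["google.com", "paypal.com"],
    ):
        print(w)
```

The "known" list is the reader's own set of companies they actually deal with, which is exactly what the notes' contact list is for; a link whose host is two keystrokes away from one of them is the case to phone the company about rather than click.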

Posted: 05/03/2019, 08:44
