OK, this is an offshoot of the mac/pc soon to be redundant thread. I've been asked to discuss some security bits for folks. This will be Mostly Macintosh based, but the practices are universal.
Setup and Users:
You have a great new computer. You've opened the box and plugged it in. Upon powering it up, you are presented with the first chance to fail at securing your computer! "Please type in your account information...". We do so not being fully aware the way the privileges work on the computer. There are 3 REALMS of control in the computer:
1) System - Located at /System (the / is the top level of the hard drive), this is changeable only by the user "root" or users who have administrative access by typing in their password. This is generally reserved for Apple's software. Anything that wants to install anything in here is suspicious.
2) Machine - Located at /Library, this is changeable by the same as above. Anything done at this level will change the environments for all of the users on the system (fonts, plugins, extensions).
3) User - Located at /Users/<username>, this is changeable by the afore mentioned and the user in question. Changes here will generally only affect this user. These are the users listed in the Accounts control panel.
Best practice in *NIX (any flavor of unix or linux) is to:
1) Have root unavailable as a login (this is not managed through the Accounts CP)
2) Have an admin account that is used only when installing new software or changing something at the System or Machine level.
3) Have a normal User account for EACH of the users (including the owner) of the machine in which you do your day to day work. This way anything nefarious that you happen to double-click will only affect the one user, not the system or any of the other users.
Normally, people hit this screen and use the account setup here as their everyday account for working. This user is considered the owner of the machine and has admin priveleges and access to root level changes out of the box. Apple has made this a little safer by requiring your password for anything that wants to have these priveleges, but it's too often the case that people just type in their password whenever the box is presented without worrying about what's about to happen. 9 times of 10, this is just fine, but that 10th time, as the keylogger transmits all of your online banking passwords back to some random badguy on the internet...this is a bad thing.
E-Mail:
Aunt Gertrude always sends me the funniest power points...I love them. Since she always sends them to me, I expect them and click on them to lighten my day. 9 times of 10... On that 10th time again, I've clicked on something that claimed to be a powerpoint from Aunt Gertrude, and my computer is slowing down. My bank account is showing some strange activity...
This is a common story from the PC side of things. As Macintosh users, we haven't had to worry about this as much yet. But as market share grows, we (the user) are still the weakest and leaset secure part of the computer. In the IT industry, we call it a problem with the PEBKAC file (Problem Exists Between Keyboard And Chair). As we grow more and more aware of the dangers of being on the internet, the bad folks on the internet adapt to take advantage of that knowlege. Ask Aunt Gertie to have a code word that she includes in legit e-mails with attachments...or make sure she hasn't drastically changed her writing style or signature. Better yet (as I've done) ask her not to send you stuff, most of the stuff she sends anyway is what I call a goodwill virus (send this to 10 people within 20 minutes and you'll have good luck). These chain e-mails only serve to slow down the internet by leeching bandwidth away from legitimate traffic. If 10 people send to 10 people who send to 10 people, that 10k message is now 10Mb of traffic. Besides, I find plenty of funny stuff on the net myself.
Don't open installers from sites you don't think are reputable. I have a few software sites that I use. Version Tracker, SourceForge and Freshmeat. There are some windows sites as well, but I tend to stick to VT for that as well. These sites are considered reputable because they scan the software that they post and have a community peer review process in place. Read other people's experiences before you get new software.
Network Security:
Put your computer behind a firewall. Most computers come with one built in. I prefer to put a piece of hardware in between my machine and the internet though. An airport base station (2 ethernet ports) or Linksys router will handle NAT (Network Address Translation - many computers, 1 internet IP address) for you. Since these aren't your computer and don't have terminal service clients on them, your machine is less likely (not impossible) to get broken into. If your firewall allows port level control (it should), CLOSE THEM ALL. Only open the ones you need. This is for both incoming and outgoing traffic as the aforementioned keylogger that came in over e-mail (common port) will make a connection out to a server that collects the information elsewhere on the internet. Put this firewall in place before you connect to the internet. It takes [estimated] 20-30 minutes (broadband) to run all the initial security updates and service patches for windows; it takes [estimated] 7 minutes for your unpatched windows machine to get exploited once connected to the internet. Research on this is being done.
Passwords:
Like the levels of security in your computer, I have levels of security for my passwords. I have 3 levels of security and share none of them:
Priv - this is a password that I don't use anywhere but on my personal machine.
Info - I use this for important things on my computer and on the internet (banking, quickbooks etc.)
Inet - I use this for sites on and around the internet
-note: I also have different passwords I use at work, but this article is more about personal computer security.
I also have alternate passwords for each level. If I ever feel there may have been a breach of these passwords, I change them. I do not subscribe to the change your password every 3 months philosophy. This leads to people writing their passwords down which is the worst thing, besides sharing, you can do with a password. I do think 8 characters both numbers and letters is a good thing, but make it something you can memorize.
Stay paranoid, stay safe!
Not in a black helicopters and tin foil hat sort of way, but in the washing your hands after handling raw meat sort of way.
Setup and Users:
You have a great new computer. You've opened the box and plugged it in. Upon powering it up, you are presented with the first chance to fail at securing your computer! "Please type in your account information...". We do so not being fully aware the way the privileges work on the computer. There are 3 REALMS of control in the computer:
1) System - Located at /System (the / is the top level of the hard drive), this is changeable only by the user "root" or users who have administrative access by typing in their password. This is generally reserved for Apple's software. Anything that wants to install anything in here is suspicious.
2) Machine - Located at /Library, this is changeable by the same as above. Anything done at this level will change the environments for all of the users on the system (fonts, plugins, extensions).
3) User - Located at /Users/<username>, this is changeable by the afore mentioned and the user in question. Changes here will generally only affect this user. These are the users listed in the Accounts control panel.
Best practice in *NIX (any flavor of unix or linux) is to:
1) Have root unavailable as a login (this is not managed through the Accounts CP)
2) Have an admin account that is used only when installing new software or changing something at the System or Machine level.
3) Have a normal User account for EACH of the users (including the owner) of the machine in which you do your day to day work. This way anything nefarious that you happen to double-click will only affect the one user, not the system or any of the other users.
Normally, people hit this screen and use the account setup here as their everyday account for working. This user is considered the owner of the machine and has admin priveleges and access to root level changes out of the box. Apple has made this a little safer by requiring your password for anything that wants to have these priveleges, but it's too often the case that people just type in their password whenever the box is presented without worrying about what's about to happen. 9 times of 10, this is just fine, but that 10th time, as the keylogger transmits all of your online banking passwords back to some random badguy on the internet...this is a bad thing.
E-Mail:
Aunt Gertrude always sends me the funniest power points...I love them. Since she always sends them to me, I expect them and click on them to lighten my day. 9 times of 10... On that 10th time again, I've clicked on something that claimed to be a powerpoint from Aunt Gertrude, and my computer is slowing down. My bank account is showing some strange activity...
This is a common story from the PC side of things. As Macintosh users, we haven't had to worry about this as much yet. But as market share grows, we (the user) are still the weakest and leaset secure part of the computer. In the IT industry, we call it a problem with the PEBKAC file (Problem Exists Between Keyboard And Chair). As we grow more and more aware of the dangers of being on the internet, the bad folks on the internet adapt to take advantage of that knowlege. Ask Aunt Gertie to have a code word that she includes in legit e-mails with attachments...or make sure she hasn't drastically changed her writing style or signature. Better yet (as I've done) ask her not to send you stuff, most of the stuff she sends anyway is what I call a goodwill virus (send this to 10 people within 20 minutes and you'll have good luck). These chain e-mails only serve to slow down the internet by leeching bandwidth away from legitimate traffic. If 10 people send to 10 people who send to 10 people, that 10k message is now 10Mb of traffic. Besides, I find plenty of funny stuff on the net myself.
Don't open installers from sites you don't think are reputable. I have a few software sites that I use. Version Tracker, SourceForge and Freshmeat. There are some windows sites as well, but I tend to stick to VT for that as well. These sites are considered reputable because they scan the software that they post and have a community peer review process in place. Read other people's experiences before you get new software.
Network Security:
Put your computer behind a firewall. Most computers come with one built in. I prefer to put a piece of hardware in between my machine and the internet though. An airport base station (2 ethernet ports) or Linksys router will handle NAT (Network Address Translation - many computers, 1 internet IP address) for you. Since these aren't your computer and don't have terminal service clients on them, your machine is less likely (not impossible) to get broken into. If your firewall allows port level control (it should), CLOSE THEM ALL. Only open the ones you need. This is for both incoming and outgoing traffic as the aforementioned keylogger that came in over e-mail (common port) will make a connection out to a server that collects the information elsewhere on the internet. Put this firewall in place before you connect to the internet. It takes [estimated] 20-30 minutes (broadband) to run all the initial security updates and service patches for windows; it takes [estimated] 7 minutes for your unpatched windows machine to get exploited once connected to the internet. Research on this is being done.
Passwords:
Like the levels of security in your computer, I have levels of security for my passwords. I have 3 levels of security and share none of them:
Priv - this is a password that I don't use anywhere but on my personal machine.
Info - I use this for important things on my computer and on the internet (banking, quickbooks etc.)
Inet - I use this for sites on and around the internet
-note: I also have different passwords I use at work, but this article is more about personal computer security.
I also have alternate passwords for each level. If I ever feel there may have been a breach of these passwords, I change them. I do not subscribe to the change your password every 3 months philosophy. This leads to people writing their passwords down which is the worst thing, besides sharing, you can do with a password. I do think 8 characters both numbers and letters is a good thing, but make it something you can memorize.
Stay paranoid, stay safe!
Not in a black helicopters and tin foil hat sort of way, but in the washing your hands after handling raw meat sort of way.
