Home Computer Security Advice

Tom Van Vleck

Here is a short list of things to do about security for your home computer:

Briefly:

Back up daily.
Be suspicious.
Use a Mac.
  1. Back up your data to removable media. Copy your data so that everything you care about is stored in at least two places. This isn't just about security from bad guys: your hard disk might crash, or your computer might be damaged or stolen. Hard drives are made to last only a few years. If you have a CD or DVD burner, burn a backup disc often. If you have a Mac, hook up an external drive and turn on Time Machine, and your data will be backed up hourly.

    Of all the bad things that could happen to your computer, a disk crash is the most likely. A friend had a lot of great Photoshop pictures on her hard drive, and then one day the disk was dead. She was lucky and got her files back. The same thing happened to me in October 2008; my computer's hard drive made a funny noise and wouldn't boot. All my files were lost. I got a new drive, restored from backup, and didn't lose a thing. If you have any important data that's stored on just one computer, you should feel nervous.

  2. Understand that electronic mail and web pages can be forged and snooped easily. Don't assume that a mail message was sent by the person named in the From field. If you get mail that appears to be from a bank, or eBay, or the traffic court, or PayPal, asking you to go to a website and fill in your personal info, it's probably a scam. Your electronic mail travels across the Internet unprotected; strangers can read and change it, so don't send personal details, valuable passwords, or credit card numbers in regular e-mail.

    Web pages may not be what they seem. There are a lot of crooks out there trying to get your credit card and bank account numbers. Consider this 2008 report of a Windows financial-data-stealing Trojan horse program that was undetected for three years. People viewed a web page that secretly installed this program on their computer; the program waited till they used their online banking website, and modified the user's view of the bank's web page to ask for extra info that got sent to the bad guys. Surf carefully. Understand the meaning of your web browser's "lock" indicator and that bad guys may try to counterfeit it.

  3. Don't run or install programs from strangers. You'd think this is obvious, but many people are too trusting, or don't understand that clicking on an email attachment often runs something. People get an email message claiming to be a picture, or whatever, and click on it, and their computer gets all messed up. Be careful about clicking on email attachments, even if they appear to be from someone you know, because email can be forged easily (see above). Don't install programs sent to you in email or instant messages or from web pages. You may be installing "spyware" or "adware" or programs that silently steal your bank account details, or use your machine to mail spam to others.

  4. Don't read email with Outlook or browse with Internet Explorer. Windows users should avoid using Microsoft Outlook. It has had many documented security holes where a bad guy sends a message that takes advantage of a bug in Outlook to install a virus on your machine, even if you don't open the message. There are plenty of other good free mail-reading programs such as Thunderbird; use one.

    Internet Explorer on Windows has also shown a large number of exploitable security weaknesses. Just visiting a web page can infect your computer. I use Firefox instead (it's free). Here's a story by Aman Gupta, who got mail saying he had one of those electronic greeting cards: he clicked on the message and found that the website code tried five different ways to install a program on his machine that would steal his electronic banking passwords. (If you are an AOL or Earthlink user on a PC, you are probably using a re-branded Internet Explorer. You can use Firefox instead.)

  5. Use a firewall if you have a cable or DSL line. Get a combination NAT and firewall box, which should cost less than $50. My Linksys BEFSR41 works fine; you can find newer units with more features. Even if you have only one computer, a firewall helps isolate your machine from the bad guys on the outside, kind of like a surge protector. (You can get programs that install on your computer to do supposedly the same thing, but a separate box is better.)

  6. Install a virus checker and keep its definitions up-to-date, if you are using Windows. (I'd say that even if I had not once worked at a company that makes such things.) You should have a virus checker program, even though fast spreading viruses can hit you before you update.

    Windows users also need to obtain and use "adware" and "spyware" checkers.

  7. Install security patches from your software providers regularly. This is important, because many machines get infected by viruses that exploit holes for which patches have been available for months. Once again, though, you can't count solely on these patches for security, because the patches come out after the holes are found.

  8. Use a Mac. Macintoshes have far fewer security problems. According to a 2001 UK government report by Satchell and Peeling, "There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux." That was in 2001; since then there have been thousands more Windows viruses, and only a few Mac viruses.

    (Frankly, I am not really enthusiastic about any of the operating system choices. The Mac is better, but by no means perfect. Windows, Mac OS, Linux, and other Unix descendants are all written in the C language. History shows that software written in this language often has security-related bugs. Brilliant programmers have failed to produce secure systems using this approach in many years of trying. We should do better.)

Further Reading

CMU CERT has a nice tutorial article about Home Computer Security.

For more information on security, see this article about the Top 20 Security Vulnerabilities.

Here's a good, but depressing, article about the situation by Scott Granneman: Joe Average User is in Big Trouble. He also wrote A Home User's Security Checklist for Windows.

If you insist on using Windows, Terry Gleidt wrote a nice how-to article on Coping With Windows, and Gina Trapani wrote up how she disinfected her mom's Windows box (took 3 days).

You may also be interested in how I filter spam.

Wireless

It's cool, it's convenient, and it's also risky: a neighbor can download a program that will crack your WEP key in about an hour, and you'll never know... till you get your bank statement! I have used wireless connections while traveling, but at home I stick to wire. If you really want to go wireless, you have to take responsibility for security. Nobody else will.

There are two issues: securing your router so strangers can't connect to your network, and securing your communication so that strangers can't intercept it.

If outsiders can connect to your network and use your bandwidth, they could

You can deal with strangers attempting to use your network by

The interception issue is harder to detect. The WPA-2 encryption standard fixes a lot of problems. At home, use only WPA-2, choose a long random passphrase, and change it occasionally. Remember that even if your connection to the access point is encrypted, electronic mail will then pass over the Internet unprotected.

Using "free" wireless is tempting. You may be traveling and have the choice of the hotel's $9.95/day wireless, or another access point that requires no password. The access point may be a fake hotspot, or "Evil Twin," set up by someone who wishes to observe your credit card numbers and banking passwords. People have been arrested for using others' wireless without permission.

If you are using a public access point,

(If you don't know what this means, maybe you shouldn't use wireless.)

Advanced Mac Security

Here are notes about the tools and practices I use to improve my Macintosh machines' security. (Many of these measures also work or have analogues on other systems such as Linux or Unix.) Some of these steps may be too detailed for the general reader, but perhaps they will suggest the complexity of the security problem and the need to use multiple solutions. Everyone's security situation is different, and these tactics may be too much, or not enough, for people with different concerns. The measures you should take depend on what you are trying to defend against, and the value to you of the information on your computer that you want to protect.

As I mentioned above, I use the Apple-provided backup solution, Time Machine, to back up my data, to protect against hard drive failure. I occasionally burn a backup disc for each machine to back up the backup. I occasionally store copies outside of my house, either on disc or by doing encrypted backup to a network location.
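A backup only helps if the second copy is complete and readable. The following is an added example, not part of the original article: a Python script that hashes every file under a source folder and checks that an identical copy exists under a backup folder. The folder names and file contents in demo() are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def tree_hashes(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def compare_backup(source, backup):
    """Return (missing, different): files absent from or altered in the backup."""
    src, bak = tree_hashes(source), tree_hashes(backup)
    missing = sorted(p for p in src if p not in bak)
    different = sorted(p for p in src if p in bak and src[p] != bak[p])
    return missing, different


def demo():
    """Constructed trees: one file never backed up, one damaged in the backup."""
    src = {"taxes.txt": b"2008 return", "photos/cat.psd": b"layers", "new.txt": b"x"}
    bak = {"taxes.txt": b"2008 return", "photos/cat.psd": b"lay\x00rs"}
    with tempfile.TemporaryDirectory() as tmp:
        for root, files in (("home", src), ("backup", bak)):
            for rel, data in files.items():
                path = os.path.join(tmp, root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        return compare_backup(os.path.join(tmp, "home"), os.path.join(tmp, "backup"))


if __name__ == "__main__":
    print(demo())
```

Call compare_backup() with your home folder and the mounted backup volume. Anything in the first list has never been backed up; anything in the second differs from the original, either because it changed since the backup or because one copy is damaged.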

I try to install security patches as they come out; usually I wait a few days and check if others report problems with an update on MacInTouch before I install.

Viruses and worms are not a big issue for Macs: anti-virus software for the Mac is not worth the trouble and expense for me. I filter out known viruses at my mail server, and use a Firefox add-on, NoScript, that makes it harder for malware to run inside my browser. When I use a web browser for banking or commerce, I avoid having other windows open on untrusted sites. I set my Macs so they don't auto-run anything when external media are connected.

My home Internet connection is behind a firewall; its logs show continual attack attempts, so it's worth having. My websites are hosted at a well-run ISP that manages the patching and security of the web server, so I don't have to manage a web-facing service; I use SSH and SCP to access external servers so that their passwords won't be sniffed.

I tape my business card to the machine so that if it gets lost, someone can return it to me. In addition, I have set up text in the login window and the terminal banner with my address and phone number.

Passwords

Since my machine is portable, I have set passwords on all accounts on the machine. That way, if the machine goes astray, its contents are not immediately available to whoever finds it. I load the SSH keys I use to access services on other machines into ssh-agent, and give passwords once at boot time. I keep data like credit card numbers and other private account information in a file that is encrypted. When I want to use the data I decrypt it. The easy way to do this is to create an encrypted disk image in Disk Utility: such an image will be strongly encrypted and require a password to mount. Once the image is mounted, it can be used just like a disk volume, to hold any kind of files. I also use GNU Privacy Guard for the Mac to encrypt some files that I want to be able to decrypt from Unix and Windows machines. Password-protected data is only as good as the strength of the passwords used, and so I generate them with the assistance of utilities like my program GPW.
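Both the earlier advice to choose a long random passphrase for WPA-2 and the point here about password strength come down to generating secrets with a known amount of randomness. The following is an added example, not the author's GPW program and not part of the original article: it sizes a random passphrase to a target entropy and enforces the WPA2 passphrase limit of 8 to 63 printable ASCII characters. The alphabet and the 128-bit default are assumptions of the example.

```python
import math
import secrets
import string

# Letters and digits with look-alikes (0/O, 1/l/I) removed so the passphrase
# can be typed into a router or phone without mistakes. This alphabet is an
# assumption of the example, not something the article specifies.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")
WPA2_MIN, WPA2_MAX = 8, 63  # WPA2-PSK passphrase length limits, in characters


def entropy_bits(length, alphabet_size):
    """Entropy of a string whose characters are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def length_for(target_bits, alphabet_size):
    """Smallest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_passphrase(target_bits=128, alphabet=ALPHABET, max_len=None):
    """Generate a passphrase with at least target_bits of entropy."""
    n = length_for(target_bits, len(alphabet))
    if max_len is not None and n > max_len:
        raise ValueError(f"{target_bits} bits needs {n} chars, limit is {max_len}")
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    return "".join(secrets.choice(alphabet) for _ in range(n))


def wpa2_passphrase(target_bits=128):
    """Passphrase valid as a WPA2-PSK key: 8 to 63 printable ASCII characters."""
    p = random_passphrase(target_bits, max_len=WPA2_MAX)
    if len(p) < WPA2_MIN:
        raise ValueError("target_bits too low for a WPA2 passphrase")
    return p


if __name__ == "__main__":
    p = wpa2_passphrase()
    print(p, f"({entropy_bits(len(p), len(ALPHABET)):.0f} bits)")
```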

Little Snitch

I bought and installed Little Snitch, which pops up a dialog box on the screen if any program makes an outbound Internet connection. You can tell it that certain programs are allowed to connect to given destinations. After a few days of training it, you'll rarely see a dialog, until you install a new program that does something unexpected.

Adeona

I installed the free program Adeona on my machine. Every so often it writes a message to a distributed database on the Internet, saying "here I am." It also takes a picture with the Mac's built-in camera. If my machine is ever lost or stolen, I can use a password to look at the records and find out if the machine is being used on the net, and if so what the IP address is and what the user looks like.

More information

Apple has produced a security feature guide for system 10.5 (Leopard) with advice from the NSA. There are some options described there that I have not selected. The Mac offers an option to encrypt its swap files, and another that keeps the entire home directory in an encrypted container. I have not used either of these; the second one has been buggy in the past. Both of them defend against sophisticated attackers getting physical access to my computer and working hard to get my files. Similarly I have not set an Open Firmware password, which prevents the machine from being booted from external media and also locks down some FireWire exploits, or disabled Bluetooth, WiFi, infrared, camera, and external device access, as the NSA suggests government users do.

updated 17 Feb 2004, 12 May 2004, 08 Jul 2004, 01 Oct 2004, 10 Nov 2004, 07 Mar 2006, 06 Jan 2008, 01 Nov 2008, 26 Nov 2008