© Carey Parker 2020
C. Parker, Firewalls Don't Stop Dragons, https://doi.org/10.1007/978-1-4842-6189-7_12

12. Odds and Ends

Carey Parker (North Carolina, NC, USA)

At this point in the book, I’ve covered most of the technical topics that require background and longer explanations. However, there are a handful of other topics that I want to touch on because I feel they’re important. In this chapter, each section will have its own checklist with just a brief introduction. It’ll be sort of like a lightning round!

When Bad Things Happen

Up until this point, the entire book has pretty much been about preventing bad things from happening. Sometimes despite our best efforts, we still get bitten by misfortune. In this section, I will try to walk you through the recovery process for some common cyber-calamities, or at least point you to websites that can help you.

Tip 12-1. Email Account Is Hacked

When bad guys manage to guess your email password, they usually use it to distribute spam and malware. If you don’t use your account often, you may first be notified of the problem by a friend or relative who suddenly gets an email from you trying to push pills for male enhancement. Here are some things you should do:
  • Immediately change your password and use LastPass to create a strong, unique one. Until you change your password, the bad guys can continue to use your account for their nefarious purposes, all the while pretending to be you.

  • If you used this same password anywhere else, you need to change the passwords on those sites, as well. Again, let LastPass create strong, unique passwords for those sites.

  • You might want to change your security questions. Consider choosing answers that are not true, or add some strange prefix or suffix to your answers like “not” or whatever—making it basically impossible to guess the correct answers. And then make a note of whatever you used in LastPass for that site (use the notes section at the bottom of the website’s vault card).

  • Look in your inbox for any emails about password changes or password reset requests that you did not initiate—like for your bank account, a social media account, or whatever. As I discussed earlier in the book, most password recovery procedures involve sending you an email to reset your password. If you find evidence of a successful password change, you should assume those accounts are compromised. Inspect them closely for bad transactions and change the passwords on those accounts, as well.

  • Look at your Sent folder to see whether any spam or scam emails were sent on your behalf. You may also want to contact any recipients of those emails to let them know they did not come from you and may be malicious.

  • Check your email settings to see whether anything looks amiss. For example, make sure someone didn’t add or change your email signature (an optional bit of text that is automatically included at the bottom of every email you send). Check your auto-forwarding and vacation/away settings, as well.

  • You should probably inform your email provider that your account was hacked but that you have changed your password. They may be able to take some action against the attackers.

  • Finally, this would be a good time to enable two-factor authentication, if it’s available. If you had had this in the first place, your account probably would never have been hacked.

Tip 12-2. Website Password Breach

If you get a notice from a website where you have an account saying that there has been a “security breach,” they will usually tell you that you should change your password. That’s precisely what you should do, right away. As a further precaution, don’t use any links in the email (just in case it’s a fraud). Log in to your account by manually entering the web address or using a browser bookmark or favorite.

What the email may not tell you is that if you use this same password on any other websites, then you better change your password on those sites, too (and make it unique this time). If the website breach email says that credit card numbers were also lost, you should keep a close eye on your credit card account, looking for purchases that you didn’t make.

There’s a nifty website that helps people figure out whether their account info has been leaked in a breach:

That’s “have I been pwned.” The term pwn (rhymes with “own”) is hacker lingo for dominating or defeating someone. If you’ve been pwned, you’ve been successfully hacked. This site maintains an up-to-date catalog of all the known server breaches, indexed by email address. You enter your email address and the site will tell you whether that address was part of a known breach.

Tip 12-3. You Suspect You Have a Virus

Your best move here is to just not get the virus in the first place because getting rid of malware once your system is compromised can be really tricky. How do you know if you have a virus? Well, it’s hard to say, generically, but some symptoms might include the following:
  • If your files are held hostage for money, see the next tip.

  • Your computer is suddenly more sluggish or less responsive.

  • Your computer appears to be working hard even when you’re not using it. For example, the fans are blowing full tilt or the hard drive light is flashing constantly.

  • Unwanted windows or applications are popping up all the time.

  • Computer or web browser settings change without you doing it.

  • You’re getting windows popping up out of nowhere, including ads or warnings of computer problems.

If you think you might have a virus, try the following remedies, in this order:
  1. If you haven’t already installed antivirus software, do that immediately (see Chapter 5) and run a full scan.

  2. You can download and install special, on-demand virus checkers.

  3. If you can’t seem to shake the virus, you might have to completely delete this user account. (If the account was your admin account, you might even need to completely wipe the entire computer and start over.) If you are pretty sure you know when things started going haywire, you can try using your backup software to bring your entire computer back to a point in time prior to the suspected infection date.

Tip 12-4. You’ve Got Ransomware!

If you get a pop-up message or big scary screen telling you that all of your files have been encrypted and you must pay money to fix it, you’re the victim of ransomware. If you have a full backup of your system (see Chapter 3), you can simply restore your system to a point in time prior to the ransomware infection and you’re done. That’s why the backup is so crucial.

If your backup is only for your files (and not your entire system), then you’ll need to delete the infected user account and then restore the files from backup.

If you do not have a backup, then you really have just one hope remaining: that the bad guys screwed up somehow. It happens more often than you’d think. There’s an entire website devoted to helping victims of ransomware, usually by finding flaws in their software that will allow you to recover your files without paying. Before you pay the ransom, check out these websites:

If all else fails and you really need those files back, then you can always pay the ransom. In most cases, you will get your files back. If you didn’t, word would get around, and no one would pay. It’s in their best interests to bend over backward helping you. Some of these guys actually have tech support that you can call… I’m not kidding. You will probably be asked to pay with Bitcoin or some other anonymous payment method. Again, they should provide you with all the help you need to do this.

In some cases today, particularly for business ransomware attacks, the bad guys have added a new twist: if you don’t pay, they will release your files to the public. This is something that having a backup can’t fix. If this happens to you, you’ll have to decide if the ransom is worth paying. Of course, that doesn’t guarantee that they won’t come back again later for more money, if they feel you’re really concerned about the files being put on public display.

Tip 12-5. Restoring a Lost or Messed-Up File

Back at the beginning of this book, we talked about setting up an automated backup for your most important files. This allows you to recover files that you accidentally delete or screw up. We discussed two ways to do this: either an external hard drive plus a backup program built into your OS or using a cloud backup utility like Backblaze. Use the following links to find detailed steps for recovering individual files:

And When I Die…

So, what happens to all your various online accounts when you die? That’s a question most people probably never ask themselves until it’s literally too late. While most people are aware that they should have a will and healthcare directives, only about 40 percent of Americans actually have any estate docs. But how many people take the time to handle their digital estates? What should happen to all your emails, photos, music, forum posts, dating site info, social media accounts, and so on? In this section, I’ll give you some tips on how to manage your digital affairs.

Tip 12-6. Get a Will

I can’t stress this enough. If you have a spouse or children, you really need to have a will in place. Every state has different rules about what happens to your stuff if you die without a will, but these processes can take a long time, and the default rules may not suit your needs at all.

When you go to get your will, talk to your lawyer about handling your digital assets, as well. They should at least be able to tell you what your state law says about this subject. Be aware, however, that this area of law is very new and evolving quickly.

Tip 12-7. Add a Backup to Your Safety Deposit Box

Again, this is not really a digital thing, but it’s important. Many banks will not honor a will or power of attorney to allow access to a safety deposit box. I have no idea why this one thing is treated specially, but it is. So, make sure that your spouse and perhaps one of your children have been approved to access your safety deposit box.

One weird caveat to this: at least at my bank, in order to remove someone from this access list, all parties on the list must be present. So don’t go too crazy.

Tip 12-8. Save Your Passwords Somewhere Safe

Your successors may need immediate access to things like bank accounts, investments, insurance, computer accounts, and so forth. You should therefore print off a list of your most important passwords and keep them in a safe place. Better yet, print off some one-time passwords for LastPass, which will work even if you change your master password. You might put these printouts in your safety deposit box or in a fireproof safe. LastPass also has a Family Plan that can allow access after a period of time—sort of a dead man’s switch. If you don’t respond within a time period, your chosen successor will be given access to your password vault. Just make sure that whoever needs these passwords knows where they are and knows how to get to them.

Tip 12-9. Ensure Access to Two-Factor Device

If you’ve followed my advice on setting up two-factor authentication where you can, that means your successors will also need access to your two-factor authentication device. This will most likely be your cell phone. So, make sure that your cell phone account can remain active (so your phone can receive SMS messages) and that your authenticator app is accessible. If your cell phone is locked (and it should be), you should write down your PIN or passcode somewhere. You can also usually add a second biometric signature to unlock your device, but sometimes these fail. You want the PIN or passcode.

If by some misfortune your loved one dies without doing this, your best bet will be to try to access their accounts from known devices and in known locations. This might prevent the two-factor code from being needed, at least for a period of time.

You might want to add your cell phone as the two-factor authentication device. If the deceased used Authy or a similar authenticator app that allows for transfer to a new device, you should try to transfer it to your phone.

Tip 12-10. Appoint a “Digital Executor”

While you might want to simply hand over all your passwords to your beneficiaries when you die, you might actually have some parts of your digital life that you want to die with you. The only way to accomplish this is to appoint some third party who you trust to take care of this for you after your death. Your lawyer might be a good choice. You will need to carefully document what you want done with each account. You will only want these passwords and instructions to be opened after your death, which is something your lawyer should be able to arrange for you.

If you do a little Googling, you can find that people are starting to write articles about what to do with your digital life when you die. Search for digital estate planning. These services are in a massive state of flux. I had links to two of them in the first edition of my book, and they’re already either out of business or merged with some other company.

Speaking of Google, social media accounts can be particularly finicky. Their policies can be weird and they’ve been changing as this issue has become more prevalent.

Here are a few articles you can start with:

Tip 12-11. Stop ID Theft After Death

Not everyone will get the memo when your loved one has passed, and that can allow unscrupulous people to steal the deceased person’s identity. Here are a few steps you should take to prevent this:
  • Send a copy of the death certificate to the IRS.

  • Send a copy of the death certificate to the Social Security Administration.

  • Cancel their driver’s license (and any other professional license they may hold).

  • Notify the three credit bureaus: Equifax, Experian, and TransUnion.

  • Notify their banks and financial institutions.

  • Notify their health insurance provider(s).

Gold Stars and Tinfoil Hats

We’ve covered well over 150 different tips on mostly simple and mostly free things you can do to improve your computer safety. While some of these tips involved some effort and some of them may have impinged on your convenience, they were quite tame compared to the items in this section! Just for fun, I’m going to lay out some truly “pro” tips for taking things to the next level. These are for the tinfoil hat and black helicopter crowd. I am by no means recommending that you need to do any of these things. For that reason, I’m not going to painstakingly lay out the steps required to do them. However, I thought it would be fun to show you the lengths that some people go to in order to be super secure. These are roughly in order of effort and cost or just plain paranoia level.

Tip 12-12. Install NoScript

This plugin for Firefox will completely block just about all “active” content in your web browser: JavaScript, Flash, and so on. You can selectively tell it that certain things and/or particular sites are okay (and it will remember your decision in the future). However, most websites have many sources of active content, and it can be quite daunting to manually enable only the parts you need for the website to function properly. This plugin has grown to include other great security features, as well. Just be prepared to go through a lot of initial pop-ups asking for permissions.

Tip 12-13. Install Haven on an Old Android Phone

Investigative journalists, human rights advocates, dissidents in repressive regimes, and whistleblowers are constantly looking over their shoulders. Being discovered or having their data stolen could result in being jailed or even “disappeared.” Love him or hate him, Edward Snowden knows a thing or two about this situation, and he has created a free Android application called Haven that acts as a super-duper intruder alarm. Using the smartphone’s sensors and communication links, the app will monitor your room or personal space for movement, lights, sounds, and power loss and report these events securely to people who may be able to help, should you become incapacitated. Or just use it as a kick-butt baby monitor.

Tip 12-14. Add a Dedicated Guest Wi-Fi Router

While most modern routers provide a “guest network” option, you still have to trust that the router software maker implemented that security feature properly. If you have some Internet-enabled devices in your home that you don’t fully trust (like Internet of Things devices) or if you have a lot of strangers in your house who want to use your Wi-Fi, you might want to consider beefing up your security and having a dedicated Wi-Fi router for your guests and IoT devices. Having a dedicated router for this untrusted traffic is the safest way to make sure that guests and rogue devices cannot access your private home network.

To do this right, you actually need three routers. You’ll hook them up in a “Y” pattern. You’ll have one wired router connected to your cable modem (or whatever box you use to connect to the Internet), and then you’ll hook two Wi-Fi routers up behind that wired router. This will guarantee that devices on the guest Wi-Fi router will have zero access to the devices on your private Wi-Fi router. Confused? Check out this video podcast for the full details:

Tip 12-15. Install Little Snitch (Mac OS Only)

Sometimes the apps you install on your computer like to “phone home,” providing the software maker or some third party with information you’d rather they not have. Remember that firewalls only prevent unsolicited network connections coming in from the outside. If you’ve installed software on your machine, that software is able to communicate freely with anyone or anything on the outside. Little Snitch is sort of like a reverse firewall, notifying you of all outgoing connections and giving you the opportunity to allow or block them. Fair warning: shortly after install, you’re going to find out that many of your apps want to access the Internet, and you’re going to have to go through a lengthy initial process of determining which of those apps you want to allow to make outgoing network connections.

Tip 12-16. Use Top-Shelf Security and Privacy Tools

When I want to see which tools that truly paranoid types would use, there’s one website that I always go to for reference:

More than any other website I’ve found on privacy, this one always goes the extra mile and doesn’t screw around with half measures. Many of the tools I’ve recommended are listed here, but there are many more. For this book, I’ve tried to find the right compromise between security and convenience. Not these guys. If you really want to take things to the next level, this is the website for you.

Tip 12-17. Install Custom Wi-Fi Router Software

When you buy a Wi-Fi router, you’re actually getting two things: the hardware and the software that controls it. Like a computer, it’s actually possible to replace that software with something better. There are three main projects out there for this purpose: DD-WRT, OpenWRT, and Tomato. (The guys at Tomato definitely won the marketing war here…DD-WRT and OpenWRT just do not roll off the tongue.) These projects offer completely free, open source software that you can install on many modern Wi-Fi routers. This isn’t for the faint of heart, but if successful, you can actually add lots of great security features to your router that would normally be found on more costly routers. The security of these products is probably better, as well.

Tip 12-18. Install and Use PGP

Though PGP stands for “Pretty Good Privacy,” that’s actually being extremely modest. PGP is industrial-strength encryption, mostly used for sending secure email. Unfortunately, it’s a real pain in the butt to set up and use. To make matters worse, everyone you need to communicate with must also set this up. I would actually recommend looking into GPG (GNU Privacy Guard), which is a free, open source implementation of the common OpenPGP standard. Alphabet soup, I know. But if you’re at all curious, check out this website:

Tip 12-19. Use Tor to Protect Your Identity

Tor was started specifically for the purpose of providing anonymity on the Internet. Tor uses an impressive array of technology to hide the location and identity of its users. While Tor is well known and trusted by many, it’s also a magnet for authorities because they pretty well assume that if you’re using Tor, you’re up to no good. However, it’s still worth checking out, even to just understand how it works and how hard it really is to protect your anonymity. You can get a lot of the Tor functionality by using the Tor Browser (a super-private browser based on Firefox). You can find all of this and more at the following site:

Tip 12-20. Need to Blow the Whistle? Use SecureDrop

While you can debate whether people like Edward Snowden are heroes or traitors, there’s no denying that whistleblowers have exposed some pretty egregious behavior by governments and corporations. SecureDrop is a communication system specifically designed to protect the anonymity of whistleblowers and confidential news sources, allowing them to securely communicate with news organizations. For more information, visit the following website. Note that many of the big investigative journalists will have a SecureDrop web page that you can use to communicate with them. So you might try searching on the organization’s name plus “SecureDrop”.

Tip 12-21. Set Up a Virtual Machine

One way to contain some secret activities is to have a whole separate computer specifically for this purpose (see the next tip). However, this will obviously incur some significant costs. You can get many of the same benefits by having a virtual computer running on your regular computer. This is called creating a virtual machine (VM). A VM runs its own operating system that is separate from the OS running on the host computer. So, all the web surfing, file downloads, emails, and so on will exist in a sort of container. VMs have the interesting capability of creating snapshots. You can basically take a picture of the virtual computer in some state and return to that state at any time. So, you can do your dirty deeds and then revert to the snapshot… it’s like it never happened! While you can pay money for VM software, there’s a perfectly good free alternative called VirtualBox. This software runs on both Mac OS and Windows.

Note that you’ll need to install some sort of operating system on this VM, and Windows generally won’t allow you to reuse a license key for free (meaning you would need to buy another copy of Windows for the VM). I recommend Ubuntu, which is a totally free operating system with plenty of security features. See these websites for more info:

Tip 12-22. Use a Dedicated Secure Computer

While a VM is cheap and easy, you can never really be certain that there won’t be some sort of information leakage between your VM and your host operating system. If you want to go full tilt, you really need a dedicated machine that is completely separate from anything you would normally use. You can save money by buying a used machine, but of course you can’t be 100 percent sure that the person you bought it from hasn’t somehow compromised it, so you’d better just get a new one from a big-box store.

If you want to really go the cheap route, you can buy a Raspberry Pi minicomputer. For just $35, you can have a fully functional Linux computer that’s about the size of a deck of cards! Of course, you’ll need to buy a case and a power supply for it, plus an SD card for the “hard drive,” but you can get all of that for about $60. All you need is a monitor, keyboard, and mouse, and you’re set!

If you go the laptop route, you’ll want to replace the operating system with something secure. Look no further than Tails! If it’s good enough for Edward Snowden, it should be good enough for you.

Tip 12-23. Sandbox Your Windows Apps

In security terms, "sandboxing" means to run software in a sort of virtual container. The application running inside this container is not allowed to access any files, settings, or devices outside the container—at least not without explicit permissions. Web browsers will sometimes put a media player in a sandbox because these web apps are often targets for hackers.

The Pro and Enterprise versions of Windows 10 have a built-in security feature called Windows Sandbox. But assuming you have the Home version (like most people), that doesn't help you.

If you're really determined, you can use a free, open source tool called Sandboxie. This tool was originally created by Sophos but was released as open source in 2020. You may still be able to find regular Sandboxie installers, but to get the latest features and fixes, you may have to actually compile the software yourself. If you're interested, check it out here:

www.sandboxie.com

Tip 12-24. Shut Your Pi Hole

Here’s another fun use for a Raspberry Pi minicomputer: create a custom DNS server that will block all ads for your entire household. There’s an open source software project called Pi Hole that acts as a custom DNS server. The beauty of this solution is that it can block access to known tracking and advertising websites. And when you set this up as the DNS server for your home network, all the devices in your home will automatically get the benefits.

https://pi-hole.net

These computers have lots of other fun uses, as well, like creating a little VPN server or a Minecraft server or a media server. The possibilities are nearly endless. Check this site for more fun ideas:

https://pimylifeup.com

Tip 12-25. Use Open Source Hardware

I’ve told you about open source software—software code that is available for anyone (including security experts) to review and vet. But what about the hardware? What if China is slipping in little hacking chips into the motherboard? This is called a supply chain attack: compromise a part of a computer before it’s even assembled.

There’s at least one company I’ve found that strives to address this niche market: Purism. I’m not claiming that these devices are impervious to supply chain attacks, or that the software they put on this hardware is perfectly secure. But I can tell you that these guys are trying really hard to do these things. They make desktop and laptop computers, and even a mobile phone.

Purism: https://puri.sm

Tip 12-26. Go Silent

So far we’ve focused on computers; what about your phone? Well, never fear, the folks at Silent Circle have a product for you! This company claims to provide a mobile device that offers completely secure communications: phone, email, web browsing, and texting. It also offers a portable box that combines a VPN, firewall, and Wi-Fi to protect your other mobile devices and computers.

Tip 12-27. Completely and Securely Erase a Hard Drive

If you have a computer whose hard drive was not encrypted or if you’re just that paranoid that you want to be really sure, you’re going to want to use a nifty little free utility called DBAN (short for Darik’s Boot and Nuke). With this app, you will boot your computer from a CD or USB drive and then scribble all over the hard drive. When you’re done, all the data will be completely unreadable—in fact, the computer won’t even boot because the operating system will be wiped, too.

Tip 12-28. Roll the Dice for Security

For thousands of years, humans have loved a good game of chance. And the go-to method for generating random outcomes was a set of (unloaded) dice. You can use this same time-honored technology to generate some seriously strong passwords. The most common method is using regular six-sided dice—but you don’t use the numbers, you use those numbers to select random words from a special list. The result is a passphrase—like a password, but made of words you can remember. Now you may recall from Chapter 4 that passwords should never contain actual words. But passphrases make up for this by being much longer than a regular password and by being truly random.

The wonderful folks at the Electronic Frontier Foundation (EFF), working with crypto guru Bruce Schneier, developed a system for generating passphrases. See the link below for a full explanation—not only of how to use it, but why it’s truly secure. (Maybe buy some EFF dice and support their work, too.)

https://www.eff.org/dice
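
The dice-to-word lookup described in this tip, as an added example that is not from the book or from the EFF. The 36-word list, its two-dice keys, and every function name are constructed for illustration (a real list is far larger), and Python's `secrets` module stands in for physical dice.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 2  # demo only; a five-dice list has 6**5 = 7776 words

# Constructed 36-word list (NOT the EFF list), laid out one "rolls<TAB>word"
# entry per line, keyed "11" through "66".
_WORDS = ("anchor basket candle desert engine falcon garden harbor island "
          "jacket kettle ladder magnet napkin orange pencil quartz rabbit "
          "saddle tunnel umpire velvet walnut yellow zipper acorn bridge "
          "copper dinner eagle forest guitar hammer igloo jungle kitten").split()
DEMO_LIST_TEXT = "\n".join(
    "".join(key) + "\t" + word
    for key, word in zip(itertools.product("123456", repeat=DICE_PER_WORD), _WORDS)
)


def parse_wordlist(text, dice_per_word):
    """Parse 'rolls<whitespace>word' lines and check the list is complete."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'rolls word'")
        key, word = parts
        if len(key) != dice_per_word or set(key) - set("123456"):
            raise ValueError(f"line {lineno}: bad dice key {key!r}")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        table[key] = word
    # A missing entry would make some rolls unusable; duplicate words would
    # silently reduce the entropy per word.
    if len(table) != 6 ** dice_per_word:
        raise ValueError("word list does not cover every possible roll")
    if len(set(table.values())) != len(table):
        raise ValueError("word list contains duplicate words")
    return table


def words_from_rolls(rolls, table, dice_per_word):
    """Map physical dice rolls (ints 1-6, in the order rolled) to words."""
    if not rolls or len(rolls) % dice_per_word:
        raise ValueError(f"need a multiple of {dice_per_word} rolls")
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each roll must be 1-6")
    keys = ("".join(map(str, rolls[i:i + dice_per_word]))
            for i in range(0, len(rolls), dice_per_word))
    return [table[k] for k in keys]


def simulated_rolls(count):
    """Stand-in for real dice, using the OS CSPRNG (never the random module)."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def entropy_bits(n_words, dice_per_word):
    """Each fair die contributes log2(6) bits, even if the list is public."""
    return n_words * dice_per_word * math.log2(6)


def words_needed(target_bits, dice_per_word):
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / (dice_per_word * math.log2(6)))


if __name__ == "__main__":
    table = parse_wordlist(DEMO_LIST_TEXT, DICE_PER_WORD)
    print(words_from_rolls([1, 1, 6, 6, 3, 6], table, DICE_PER_WORD))
    print(" ".join(words_from_rolls(simulated_rolls(12), table, DICE_PER_WORD)))
    print(f"six words from a five-dice list: {entropy_bits(6, 5):.1f} bits")
```

The strength comes entirely from the number of fair dice rolled, so choosing words by hand or re-rolling until the phrase "looks nice" lowers the real entropy below what `entropy_bits` reports.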

Bruce consulted on this next-gen dice generator tool, called DiceKeys, that even kicks this up a notch.

https://dicekeys.com

One of my favorite humorists is Randall Munroe, mostly because he’s geeky like me. He’s written some great books like “What If...”. But he also pens a great comic called XKCD, and this one comic has immortalized the whole passphrase concept.

https://xkcd.com/936

But Randall also addresses the reality of real-life security weaknesses (i.e., you and me).

https://xkcd.com/538
