© Carey Parker 2018
Carey Parker, Firewalls Don't Stop Dragons, https://doi.org/10.1007/978-1-4842-3852-3_5

5. Computer Security

Carey Parker, North Carolina, USA

Now it’s time to really get into the meat of the book—computer security! This chapter covers the topics that most people probably associate most with security: Macs versus PCs, antivirus software, and operating system security settings. This chapter will cover those topics and more, with a slew of top-notch tips to make sure your desktop or laptop is locked down tight.

Macs Are Safer Than PCs

Let’s start this chapter by stirring up some controversy: Macs are safer than PCs. That’s right, I said it. However, I had to seriously resist the urge to put “air quotes” around the word safer. So, let me be a little more specific. Macs are “safer” than PCs…because most people who write malware are looking for the largest market, and that would be Windows. Despite the recent resurgence in popularity of Macintosh computers, they still make up only a small percentage of the computers on the Internet. According to NetMarketshare, Macs account for just under 9 percent of all desktop operating systems as of March 2018, while Windows holds about 89 percent. If you were going to try to design some sort of computer virus, which operating system would you focus on?1

This is a form of what we call security through obscurity, which I mentioned in Chapter 2. Macs are more “secure” because they are more “obscure.” Security through obscurity means that you try to lie low and not draw attention. If they don’t see you, they won’t attack you. As a security practice, it’s horrible. It’s sorta like hiding the key to your house under your door mat. Sure, your house is technically locked, but if someone goes to the trouble of looking around for a key, then it may as well not be locked.

Modern operating systems have included lots of great security features over the last decade or so, and I think you’d be hard-pressed to argue that the latest Mac OS is significantly more secure than the latest Windows OS. However, there are a lot more PCs out there running very old versions of Windows than there are Macs running really old versions of Mac OS. Again, according to NetMarketshare, almost half of Windows PCs are still running Windows 7, which was released in 2009 and was cut off from support in 2015 (other than a few critical security patches). Despite a period where Microsoft offered free updates to Windows 10, that version of the OS is on less than 40 percent of all PCs after two years on the market.

In 2013, Apple shifted to a policy of free upgrades for its operating system, which is a huge plus for Mac users and their security (and removes any excuse for not upgrading). As of March 2018, more than half of Mac users are using the latest Mac OS even though it was released only six months ago.

So, on some level, you’re marginally safer with a Mac than with a PC. But I’m not going to leave that to chance. Let’s talk about the things you can do to really make yourself safer, regardless of what operating system you’re running.

Nonadmin Accounts

One of the basic principles of security is the practice of least privilege. This is sorta like the “need to know” that we’re familiar with in our spy novels and movies (and of course, it’s a real thing in security agencies). Benjamin Franklin once said, “Three can keep a secret, if two of them are dead.” The idea here is that the fewer people who have access to the truly important stuff, the more likely it is that the important stuff will remain safe.

Let’s look at the castle analogy again. You might give everyone on your guard the keys to the front gate, but you would give the keys to the castle only to your special castle guard. Why? Because the guard at the front gate doesn’t need access to the castle. Likewise, the king might keep the keys to the gold vault on his person, not even trusting the castle guard with that level of access, because at the end of the day, the only person who really needs to access the coffers is the king. If every member of your castle guard had a copy of the castle and vault keys, then what happens when one of the guards is knocked over the head and his keys are stolen? All of a sudden, your most precious items are at risk. Guards don’t have any need to access the gold in the vault to do their job. They just need to protect it. So, guards don’t get that key.

Who has a key to your house? Probably everyone in your family. Maybe you will give a key to a house sitter or pet sitter while you’re away because for that limited period of time, they actually need to be able to get into your house. When you get back, you take back your keys. Who has keys to your safe deposit box, though? Probably just you. You would probably never lend that key to anyone else, at any time, because the only person who needs to get in there is you.

The principle of least privilege says that people should be allowed to access only those things they need to access to do the things they’re supposed to do, and no more. If necessary, you can grant temporary access and revoke it later.

You may already know that your computer allows you to set up multiple user accounts. You’ve probably never used it, but you probably know that it’s possible. What you may not know is that each of these user accounts can have different levels of privilege. That is, you can restrict the level of access—the power to make important changes—for each account. At first you might think that this feature is mainly for parental control, preventing kids from doing stuff they shouldn’t be doing. Actually, it’s for all users—even you! But wait... surely if you can trust anyone, you can trust yourself! Turns out you can’t. It’s not about trusting yourself, it’s about preventing malware that gains access to your account from acting on your behalf. If you accidentally click a bad link, download a virus, or hit a web site with a malicious Java app, then whatever you are allowed to do, the malware can also do.

Let me drive this home with some chilling statistics. According to a 2017 report by a company called Avecto, 80 percent of all Windows security vulnerabilities that were considered “critical” could have been prevented or significantly mitigated if the user had not had full administrator (admin) privileges. Furthermore, removing admin rights could have mitigated 95 percent of the critical vulnerabilities in Edge (the new Microsoft browser).

Great. Now I can’t even trust myself! Now what?

The solution to this problem is to always create at least two accounts on your computer: an admin account, which you use only when necessary, and a regular, nonadmin account for everyday use. When you first pull your shiny new computer out of the box, you’re going to need that admin account to install your software and tweak all your security settings. But after that, you need to create and use a more restrictive account for day-to-day stuff.

I would go further, however. I believe strongly that each person in the household should have their own account. It’s easy to set up, and there’s really no excuse for not doing this. It’s not about keeping secrets—everyone deserves their own space, their own settings and preferences, and some basic privacy. It lets everyone express their individuality and also compartmentalizes any risks. This will also allow you to use parental controls to restrict access for young children, without affecting your ability to…uh…do parent things. And if something goes horribly wrong with one of the user accounts, you can just delete it and create a new one without affecting anyone else or having to completely wipe and reinstall everything on your computer.

There are other interesting reasons to have multiple accounts. If you’re a hard-core gamer or have some other intense application that requires some system tweaks to be efficient, you can create a second account for this purpose. This other account will be stripped down and dedicated to the special task at hand.

If you regularly give presentations for work using your computer, you can log into a special account for when you’re presenting. You can have a special desktop picture, avoid sharing your cluttered desktop, and also avoid annoying pop-up notifications from all your personal accounts.

You can also set up a special guest account so that when someone just wants to check their mail or look something up on your computer, you don’t have to worry about giving them access to your personal stuff (including your password vault).

Microsoft has announced a new feature called “Controlled folder access” (available in Windows 10) whose purpose is to restrict access to your personal files to only a few authorized applications. You select the files as well as the approved applications. While this may seem odd, it’s really just another form of least privilege. If configured properly (and I’ll walk you through this later in the checklist for this chapter), this tool would prevent ransomware from encrypting your irreplaceable files and demanding money to unlock them.

I expect that we’ll see more and more features like this as time goes on from both Apple and Microsoft. As things get worse out there, the balance between security and convenience will necessarily move in the direction of security.

iCloud and Microsoft Accounts

Get ready for a big dose of “good news, bad news.” In the old days (like 2004), your computer was more likely to access the Internet via dial-up modem than always-on broadband. Around this same time, smartphones came on the scene, and suddenly people had not one but two devices that were always connected to the Internet. It was only a matter of time before people wanted their address book, web bookmarks, calendars, and to-do lists to be kept in sync across their various devices.

Apple and Microsoft heard the call and launched services to meet this growing need. The current versions of these services are iCloud and OneDrive,2 respectively. While these services offer limited Internet-based file storage and sharing, in this chapter I’m focusing on the data synchronization aspects. You can’t argue with the convenience factor here. When you update your vagabond sister’s home address for the umpteenth time or add little Johnnie’s complete Little League spring schedule to your PC’s calendar, it’s really nice to have those changes automagically appear on your smartphone and your work computer. Oh, and you can probably also access all of this info from the Web by logging into your cloud account, even from a computer or device you don’t own. Finally, you can use these same services to share this information with the rest of your family. What’s not to like?

Well, that was the good news—arguably great news. It’s a killer feature. Here’s the bad news: you’re not just sharing all that juicy information with all your devices and your family members, you’re also sharing it with Apple or Microsoft. Here’s the worse news: you’re probably sharing that information with many other companies, too. Apple and Microsoft will argue that this is a feature, not a bug—they’re giving you the opportunity to access this information from within other applications, saving you the trouble of having to manually transfer things like contacts and calendar events to some third party. But you need to stop and think about what all that data is revealing about you. Your address book probably contains more than friends and family. It may also contain embarrassing contact information—maybe your AA sponsor, herpes doctor, or mistress. And if you’re like most other people I know, you put lots of other info in your address book like Social Security numbers, PINs and passcodes, account numbers, and who knows what else.

That said, it’s almost impossible to avoid signing up for these services today. Both Apple and Microsoft have deeply embedded these services into their products to the point where many key features simply won’t function without them. Furthermore, you pretty much need to have one account for each person in your family, not just one shared account. These services are not just about synchronizing data across your devices; they’re about personalizing the experience on these devices for each individual. For example, they allow parents to control what each of their children can access—what’s right for your elementary school son is different than what’s right for your teenage daughter.

Of course, all of these hyper-personalized settings are a gold mine for marketers. If you dig around in the end user license agreements (EULAs) you “sign” by clicking that I Agree button, I’m sure you’ll find references to how you consent to sharing some of your information with “partners.” I guarantee you’ll find language about how Apple and Microsoft will hand over this information to law enforcement authorities “in accordance with the law,” too. That may or may not require a warrant, by the way.

This is the world we live in now. We’re offered enticing and often very valuable services, usually at no (monetary) cost—we just have to sign away our privacy. And this is increasingly becoming unavoidable as these services are tightly integrated with our computer and mobile operating systems. For most of this book, I try to avoid using these accounts. However, in Chapter 9, I’ll show you how to enhance the privacy settings for these accounts.

Built-in Security Features

Computers are meant to make our lives easier and richer by offering all sorts of valuable functions, taking over the drudgery of tedious tasks, helping us to organize our increasingly complex lives, and giving us powerful tools to create documents, presentations, greeting cards, images, and so on. In the early days, before the advent of the Internet, computers were wide open—they were ready and willing to accept instructions from other computers on the home or work network. Our operating systems and software applications were happy and naive, gladly offering their help to anyone who asked. Then came the Internet. It was like transporting Mary Ann from Gilligan’s Island to the Island of Dr. Moreau. The cheerful eagerness to help without question went from being an asset to a serious security liability.

Modern computers have lots of built-in security features, though until recent years, many features were not enabled by default. Security is frequently at odds with convenience, and both Microsoft and Apple want to avoid causing their customers undue grief. Thankfully, however, as computer security has become more important, computer and software makers are finally enabling these features right out of the box.

One of the most important features in modern home computer networks is the firewall . Firewalls keep out unsolicited connections from outside your network but allow you to initiate connections from inside your home to the broader Internet. They also allow you to set up specific rules that explicitly allow certain types of connections from outside your home. It’s sort of like a phone that can only call out by default but will let you give it a list of people who you allow to call you. (Why no one sells such a phone is beyond me. I’d buy it in a heartbeat.) You probably have multiple firewalls in your network. Your ISP’s modem might have a built-in firewall. If you have a Wi-Fi router, it almost surely has a firewall function, enabled by default. Finally, your operating system also has a built-in firewall. These firewalls do an excellent job of protecting your computer.

Another aspect of your Wi-Fi router that helps protect you is a feature called Network Address Translation (NAT). As we discussed earlier in the book, communication with the Internet is like mailing letters: the information you send is chopped up into a letter-sized payload, stuffed in an envelope called a packet, and shipped out with a destination and return address written on it. But to the outside world, every smart device on your home Wi-Fi network looks the same—that is, all the communications appear to come from the same address. This is because your router acts as a sort of local mail delivery system. Think of a large company. When you send a package to someone in that company, you probably just address it to the person at the general company address. You don’t know the specific building and/or mail slot within the company; you just trust the company’s internal delivery service to find them. This also means that the company can filter incoming packages. Your router performs a similar function. This means computers outside your home network have no direct way to contact an individual entity (computer, smartphone, or other Internet-connected device) within your home, even if there was no firewall in place. This is one form of security through obscurity that actually benefits you.
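The firewall and NAT behaviour described in the two paragraphs above, as an added Python model (not from the book): outbound connections are remembered and replies are delivered, unsolicited inbound packets are dropped, and an explicit rule lets a chosen caller in. All addresses, ports and names are constructed for illustration, and real routers differ in detail.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # constructed address from a documentation-only range


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port) written on the envelope as the return address
    dst: tuple  # (ip, port) the envelope is addressed to


class HomeRouter:
    """Simplified model: NAT plus a firewall that drops unsolicited inbound traffic."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.sessions = {}  # public port -> (inside (ip, port), remote (ip, port))
        self.allowed = {}   # public port -> inside (ip, port): the "may call in" list

    def allow_inbound(self, public_port, inside):
        """Explicit rule that lets outsiders reach one service inside the home."""
        self.allowed[public_port] = inside

    def outbound(self, pkt):
        """A device at home starts a conversation: remember it, rewrite the sender."""
        for port, session in self.sessions.items():
            if session == (pkt.src, pkt.dst):
                break  # conversation already known, reuse its public port
        else:
            port = self.next_port
            self.next_port += 1
            self.sessions[port] = (pkt.src, pkt.dst)
        return Packet(src=(self.public_ip, port), dst=pkt.dst)

    def inbound(self, pkt):
        """Return the packet as delivered inside the home, or None if dropped."""
        if pkt.dst[0] != self.public_ip:
            return None
        port = pkt.dst[1]
        session = self.sessions.get(port)
        if session and session[1] == pkt.src:  # a reply someone inside is waiting for
            return Packet(src=pkt.src, dst=session[0])
        if port in self.allowed:               # caller on the explicit allow list
            return Packet(src=pkt.src, dst=self.allowed[port])
        return None                            # unsolicited: no mailbox to deliver to


def demo():
    """Run the scenarios from the text on constructed sample traffic."""
    router = HomeRouter(PUBLIC_IP)
    laptop, phone = ("192.168.1.20", 51000), ("192.168.1.21", 51000)
    website = ("198.51.100.10", 443)
    stranger = ("192.0.2.66", 4444)

    sent_a = router.outbound(Packet(laptop, website))
    sent_b = router.outbound(Packet(phone, website))
    reply = router.inbound(Packet(website, sent_a.src))
    probe = router.inbound(Packet(stranger, (PUBLIC_IP, 445)))
    guess = router.inbound(Packet(stranger, sent_a.src))
    router.allow_inbound(8443, ("192.168.1.30", 443))
    permitted = router.inbound(Packet(stranger, (PUBLIC_IP, 8443)))
    return {
        "sent_a": sent_a,        # laptop's packet as the outside world sees it
        "sent_b": sent_b,        # phone's packet: same address, different port
        "reply": reply,          # web site's answer finds its way to the laptop
        "probe": probe,          # stranger knocking on a closed port
        "guess": guess,          # stranger guessing an open session's port
        "permitted": permitted,  # stranger using the explicitly allowed port
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```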

These features may sound nice on paper, but you’d be surprised how well they work—all by themselves—to thwart Internet attackers. Because unprotected computers are so vulnerable, hackers and other bad guys are constantly scanning the Internet for computers without these basic protections. Multiple studies3 have shown that unprotected computers (particularly older models without these modern, built-in protections) connected directly to the Internet are routinely and easily taken over. In fact, if you connect an older, unprotected Windows machine directly to the Internet, it will be subverted, on average, within ten minutes. Before this computer can even download the system updates that would probably protect it, it will be hacked4 by some automated bot. The firewall and NAT functions serve as an excellent first line of defense, and luckily these features are standard in home networks now.

So far we’ve talked only about features that are already in place and working for you right now, and these features tend to be enabled by default. But there are other built-in security features in modern operating systems that are just sitting there, waiting to be used.

Full hard drive encryption is a feature that’s been built into recent versions of Mac OS and Windows. While Apple’s drive encryption utility (FileVault) is available on all of its recent OS variants, Microsoft’s encryption utility (BitLocker) is available only on the Pro, Ultimate, and Enterprise versions of Windows. Encrypting your entire hard drive might seem like overkill, but it’s so easy to do; there’s just no reason not to do it. As a user, you won’t even notice it. The operating system takes care of decrypting all the files (and applications and even the OS itself) on the fly and in the background. What this means is that if someone were to have physical access to your hard drive, they would be unable to read any of the data, unless they were somehow able to guess your encryption password. While this may not be that important for desktop computers that stay inside your house, it can be important for laptops and other devices that you carry around with you—particularly if you travel to foreign countries5 with these devices. If your laptop were to be lost or stolen, you’ll be happy to know that your data is perfectly safe, even if they were to pry open the case and attempt to directly access the hard drive.

One last free feature deserves special mention: Apple’s Find My Device service, where Device is Mac, iPhone, or iPad. Offered with Apple’s iCloud service, this feature allows a person to track the location of all their devices and control them from afar. When you register your device with the Find My Device service, Apple uses the various wireless technologies (mainly Wi-Fi and cellular signals) on the device to help you communicate with the lost device, send remote control commands to it, and, as a last resort, remotely erase the data from the device. It’s truly a marvelous feature, and everyone with an Apple product should take advantage of it.

Let me demonstrate the usefulness of this feature with a personal story. My family and I went to Los Angeles last year for a big family vacation, and part of our trip included Universal Studios. I normally carry my iPhone in my shirt pocket, and I do not normally ride theme park rides. However, on this day, we rode several—and at one point when I went to pull my iPhone out to take some pictures, I realized it was gone. It must have fallen out, but I had no idea where. This park is massive, and it could be anywhere. I alerted our tour guide, and she said she would put in a call to their lost-and-found department but that they probably wouldn’t be able to look for it until after the park closed at 10 p.m. We got home around 9 p.m., and I jumped on my laptop to check Find My iPhone on iCloud…and there it was, in the Jurassic Park ride building! As it hit 10 p.m., I was able to actually send signals to my iPhone to make alerting noises and post a message on the main screen with contact information. As I watched the map update, I finally saw it move! Someone had found it! It stopped moving at the building where the lost-and-found office was. I went first thing the next morning and retrieved it!

The Pros and Cons of Antivirus Software

When people think of computer security, they invariably think of antivirus (AV) software. That’s no accident. Companies that make this software spend lots of money marketing their wares and convincing you that you’d be foolish not to buy them. Most Windows PCs come preloaded with all sorts of trial software that claims to protect you from the big bad Internet—for just a small (ongoing, hard-to-quit) service fee! This is a perfect example of what we call FUD, which stands for “fear, uncertainty, and doubt.” Computer malware is a very real problem—don’t get me wrong—but in many cases today, the cure can be worse than the disease. Let me explain…

In simpler times, AV software was essential and did a good job at finding malware on your computer. Generally speaking, the core function of AV software is to recognize known malware and automatically quarantine the offending software. Some AV software is smart enough to use heuristic algorithms to recognize malware that is similar to the stuff it already knows is bad or recognize suspicious behavior in general and flag it as potentially harmful. A popular new feature for a lot of AV software is to monitor your web traffic directly, trying to prevent you from going to malicious web sites or from downloading harmful software.

That all sounds good, but the devil (as always) is in the details. First, in the ever-connected world of the Internet, malicious software is produced so frequently and is modified so quickly that it’s really hard for AV software to keep a relevant list of known viruses. Also, the bad guys have moved to other techniques like phishing and fake or hacked web sites to get your information, attacking the true weakest link: you. AV software just isn’t as effective as it used to be.

But the problem is much worse than that. In many cases, the AV software itself is providing bugs for hackers to exploit. Not long ago, Symantec/Norton products were found to have horrendous security flaws6 (which it claims to have since fixed). Increasingly, AV products are offering to monitor your web traffic directly, but this means inserting themselves into all of your encrypted (HTTPS) communications, which has all sorts of ugly security and privacy implications.

So, I strongly believe you don’t need to pay for an antivirus service today. That is, I don’t personally believe that the benefits of the various for-pay services warrant their cost for most people. There are totally free alternatives from the operating system creators that do a good job (which I will be helping you install later in this chapter). Furthermore, if you just do the things I outline in this book, you will significantly reduce your risk. It’s like debating the value of buying a bulletproof vest. While walking around in a bulletproof vest is inarguably safer than walking around without one, it’s actually more important to just avoid war zones and disputed gang turf.

How to Properly Delete a File

Did you ever wonder what happens when you delete a file on your computer? On Windows and Mac OS, this is represented by dragging the file or folder to the trashcan icon. Most of you probably realize that the file isn’t actually deleted until you “empty the trash.” What you may not realize is that even then, the data associated with that file is not really gone. It’s still there on your hard drive. While your file system no longer shows it to you, the actual bits and bytes are still there, and special software can be used to recover that information.

This is sort of like the difference between throwing away a document and shredding it. Just because you threw your old legal will into the garbage and the trash collector took it away doesn’t mean that it can’t be salvaged and read. You can’t see it anymore, but it still exists in a landfill somewhere. It will slowly decay over time, but until then, someone could dig around and find it. This is why document shredders were invented. When your operating system “deletes” a file on your hard drive, all it really does is forget about it. It treats that part of the hard drive as if it were empty. When you want to save a new file, the operating system will put that file in the space on your hard drive that is marked as empty. Someday it will eventually overwrite part or all of your old “deleted” file, but until that day, the data is actually still there and capable of being read by special tools.

So, if you really want to delete a file from your computer, you need to digitally “shred” it. I’ll show you how to do this in the checklist for this chapter.
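The difference between "forgetting" a file and shredding it, as an added Python model of a tiny disk (not from the book): an ordinary delete only frees the blocks, a later file overwrites part of them, and a shred overwrites the contents before freeing. The class, file names and sample text are constructed; the model assumes overwriting happens in place, which real SSDs and some file systems do not guarantee.

```python
import os

BLOCK_SIZE = 16
WILL = b"I leave everything to my cat, Mr. Whiskers."  # constructed sample data


class ToyDisk:
    """Tiny disk: fixed-size blocks, a free list, and a directory of file names."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.free = list(range(n_blocks))  # block numbers marked as empty
        self.directory = {}                # name -> (block numbers, length)

    def write_file(self, name, data):
        needed = max(1, (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE)
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, block in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[block] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = (used, len(data))

    def delete(self, name):
        """Ordinary delete: forget the name and mark the blocks empty.
        The bytes stored in those blocks are left exactly as they were."""
        used, _ = self.directory.pop(name)
        self.free = sorted(self.free + used)

    def shred(self, name):
        """Overwrite every block of the file with random bytes, then delete."""
        used, _ = self.directory[name]
        for block in used:
            self.blocks[block] = os.urandom(BLOCK_SIZE)
        self.delete(name)

    def scan_free_space(self):
        """What a recovery tool does: read the blocks the OS says are empty."""
        return b"".join(self.blocks[b] for b in self.free)


def demo():
    # 1. Delete only: the whole document is still sitting in "empty" space.
    disk = ToyDisk(8)
    disk.write_file("will.txt", WILL)
    disk.delete("will.txt")
    after_delete = disk.scan_free_space()

    # 2. A new, smaller file reuses the first freed block; the rest survives.
    disk.write_file("note.txt", b"buy milk")
    after_reuse = disk.scan_free_space()

    # 3. Shred: the contents are overwritten before the blocks are released.
    disk2 = ToyDisk(8)
    disk2.write_file("will.txt", WILL)
    disk2.shred("will.txt")
    after_shred = disk2.scan_free_space()

    return {
        "after_delete": after_delete,
        "after_reuse": after_reuse,
        "after_shred": after_shred,
    }


if __name__ == "__main__":
    for step, leftover in demo().items():
        print(f"{step:13} {leftover!r}")
```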

Summary

  • Macs are targeted less often than PCs by hackers and malware makers, mostly because Windows is a lot more common than Mac OS. Apple computers are also much more likely to be running the latest version of the operating system than their Windows counterparts, largely because Apple has been giving away all updates to its OS for years. Because major security features are added with each OS release, Macs tend to be more secure because they are more likely to be running an OS that has these new features.

  • Modern computers come with firewalls built in and turned on by default. Likewise, modern Wi-Fi routers come with Network Address Translation (NAT) turned on by default. These two features alone are very good at protecting your computer from evildoers on the Internet.

  • Having a separate nonadmin account on your computer can significantly reduce the damage done by malware, particularly on PCs. It also makes sense to have separate user accounts for each person in the family—to provide a personalized space for everyone and also to compartmentalize exposure to malware.

  • Cloud-based storage and data synchronization services have become ubiquitous and nearly impossible to avoid. It’s important to understand what information you’re sharing and do what you can to reduce your exposure.

  • While there are many for-pay services and software tools out there to protect your computer from malware, they’re probably not worth the money. There are free alternatives that do a very good job, especially if you follow the other tips in this book.

  • To truly delete a file, you need to do more than just “empty the trash/recycle bin.” You need to digitally “shred” it.

Checklist

This chapter covers some key things you can do on your computer to reduce your “attack surface” and practice the policy of “least privilege.” That is, you need to reduce unnecessary risks, turn off features you don’t need that might be exploited, and set up some reasonable boundaries on who can do what on your computer.

Note

Many of the items in this checklist will require you to choose a password. In some cases, you will need a really strong password; in others, you will just need something moderately strong. I will make a recommendation in each case. But I want to be clear what I mean by “strong” and “moderate.”

Strong password: Use LastPass to generate a crazy, random password. It should be at least 12 characters long and include all the various types of characters. These passwords are used to protect really important things, specifically things that might be subject to a computerized (offline) attack.

Moderate password: Use the techniques described in Chapter 4 for master passwords to come up with something at least eight to ten characters long that you can easily remember. These passwords will be used to protect your computer login and less important things and/or things that will require a human to sit there and guess them by hand.

If you have the option to specify a “password hint,” just use the phrase LastPass or even LP. All of these passwords should be stored there, even the “moderately strong” ones that you should be able to memorize. You don’t actually want to give someone a hint that might allow them to make educated guesses.

Tip 5-1. Choose a New Computer: Think Different

If you are a PC user, you might want to at least consider switching to a Mac the next time you upgrade your computer. While it’s debatable whether Macs are inherently more secure than PCs, it’s a fact that Macs are targeted by hackers less often than PCs—mostly because there are way more PCs out there than Macs. If you just use your computer for e-mail and web browsing, you would probably not notice the difference. If you’re a hard-core gamer or if you have some very specific applications you use that run only on Windows, then you’re probably stuck with a PC.

If all you do on a computer is surf the Web and check e-mail and you like the portability of a laptop, you might want to seriously consider getting a Chromebook. A Chromebook is essentially a laptop that runs only Google Chrome (web browser) and some Google Play apps. They’re affordable and not nearly as susceptible to malware. The downside is that Google pretty much knows everything you do on it.

Tip 5-2. Require Passwords for Computer Accounts

I know this will seem like overkill, especially for desktop computers in your own home, but you should require a password to log in. If you live alone and never have other people in your house, I suppose you can let this slide. But if you have kids, guests, maids, contractors, or any other visitors, you should set your computer to require a password to unlock your computer.

Note

Some newer computers may have the option to sign in with a fingerprint scan or face recognition. This is better than not having any authentication at all and can be very convenient. However, I personally feel that a password is still the most secure way to go. For one thing, unlike passwords, if someone somehow manages to copy or steal your biometric information, then you’re screwed for life—these things don’t change. Once that information is digitized, it has to be stored somewhere... and if they make a mistake in the software that keeps it secure, then bad guys can pull it out. However, if you choose to use biometrics for convenience, it’s definitely better than having nothing at all.

Tip 5-2a. Microsoft Windows 7

  1. Open the Control Panel and search for password (Figure 5-1). If you have not already set a password for your account, select “Create or remove your account password.” (If you already have a password set, skip ahead to the screen saver part.)

     Figure 5-1. Windows 7 Search for password

  2. On the next screen, click “Create a password for your account” (Figure 5-2).

     Figure 5-2. Windows 7 user account settings

  3. Choose a moderately secure password that you can remember. This password does not have to be crazy strong like Internet account passwords. Nevertheless, I recommend saving this password in LastPass, in case you forget it. I usually put LastPass as my hint, so I know that I saved it there. Click “Create password” (Figure 5-3).

     Figure 5-3. Windows 7 create password for account

  4. Now search in the Control Panel again for password. This time, click “Lock the computer when I leave it alone…” (Figure 5-4).

     Figure 5-4. Windows 7 Search for password

  5. Select a screen saver, if you want. Select “On resume, display logon screen.” You can set the timeout to a higher value, if you want, but I wouldn’t go too high or it will defeat the purpose. For a home computer in a secure location, you might go as high as an hour. But for a laptop, I would make it very short (like 1 minute), as shown in Figure 5-5.

     Figure 5-5. Windows 7 screen saver settings

Tip 5-2b. Microsoft Windows 8.1

  1. Open the Control Panel and search for accounts (Figure 5-6). If you have not already set a password for your account, select “Create or remove your account password.” (If you already have a password set, skip ahead to the screen saver part.)

     Figure 5-6. Windows 8.1 Search for account

  2. Click the account you want to change (Figure 5-7).

     Figure 5-7. Windows 8.1 manage accounts settings

  3. Select “Create a password” (Figure 5-8). (Again, if you already have a password set, you can skip down to the screen saver part.)

     Figure 5-8. Windows 8.1 change account settings

  4. Choose a moderately secure password that you can remember. This password does not have to be crazy strong like Internet account passwords. Nevertheless, I recommend saving this password in LastPass, in case you forget it. I usually put LastPass as my hint, so I know that I saved it there. Click “Create password” (Figure 5-9).

     Figure 5-9. Windows 8.1 create password settings

  5. Now search in the Control Panel again for lock (Figure 5-10). This time, click “Lock the computer when I leave it alone….”

     Figure 5-10. Windows 8.1 personalization settings

  6. Select a screen saver, if you want. Select “On resume, display logon screen.” You can set the timeout to a higher value, if you want, but I wouldn’t go too high or it will defeat the purpose. For a home computer in a secure location, you might go as high as an hour. But for a laptop, I would make it very short (like 1 minute), as shown in Figure 5-11.

     Figure 5-11. Windows 8.1 screen saver settings

Tip 5-2c. Microsoft Windows 10

The following settings will force your PC to lock after a fixed amount of time. There’s a nifty feature in Windows 10 called Dynamic Lock that will allow you to automatically lock your PC when you walk away from it—if you pair a device to your PC. It’s a little beyond the scope of this book, but if you’re interested, check the “Learn more” link under Dynamic Lock in these settings.
  1. Open Settings and search for sign-in (Figure 5-12). Select “Sign-in options.”

     Figure 5-12. Windows 10 sign-in options search

  2. Click Add under Password (Figure 5-13). (If you don’t see the red warning about adding a password, then you already have a password, and you can skip ahead to the screen saver part.)

     Figure 5-13. Windows 10 sign-in options settings

  3. Choose a moderately secure password that you can remember. This password does not have to be crazy strong like Internet account passwords. Nevertheless, I recommend saving this password in LastPass, in case you forget it. I usually put LastPass as my hint, so I know that I saved it there. Click Finish on the next screen (Figure 5-14).

     Figure 5-14. Windows 10 create password settings

  4. Return to Settings, but now search for lock. Select “Lock screen settings” (Figure 5-15).

     Figure 5-15. Windows 10 lock screen settings search

  5. At the bottom of the Lock Screen Settings screen (you may have to scroll down), select “Screen saver settings.” This should bring up a window like the one in Figure 5-16. Select “On resume, display login screen.” You can set the timeout to a higher value, if you want, but I wouldn’t go too high, or it will defeat the purpose. For a home computer in a secure location, you might go as high as an hour. But for a laptop, I would make it very short (like 1 minute), as shown in Figure 5-16.

     Figure 5-16. Windows 10 screen saver settings

Tip 5-2d. Mac OS

The screenshots for Mac OS 10.11, 10.12, and 10.13 are all similar. In this section I show you the view of macOS 10.13 (High Sierra).

Mac OS requires passwords by default in most cases. If you can log in to your Mac without a password, follow the steps here to require a password (and disable automatic login):
  1. Open System Preferences.

  2. Select Users & Groups at the lower left (Figure 5-17).

     Figure 5-17. Mac OS users and groups preferences

  3. If the lock icon at the lower left is locked, click the icon and enter your password to unlock these settings.

  4. Select Login Options at the lower left, just above the lock icon. Make sure that “Automatic login” is set to Off (Figure 5-18).

     Figure 5-18. Mac OS users and groups settings

Tip 5-3. Create a Separate Admin Account

One of the best ways to limit the damage that can be done by malware is to limit yourself. Malware running on your computer can do whatever you can do. More accurately, malware running on your account will have the same permissions as you do. Therefore, it’s best to have at least two accounts on your computer: an admin account for installing software and making system changes and a nonadmin account for regular, day-to-day stuff.

We’re going to assume that you have only one account on your computer. (If you already have multiple accounts, then you just need to make sure that the special admin account is the only one with administrator privileges.) What we’re going to do here is create a new admin account and then downgrade the level of your current account to normal (nonadmin). After you make these changes, you will need to enter the admin credentials whenever you install software or make certain system changes. The key here is that malware will not be able to use your nonadmin privileges to do anything really nasty.

These accounts will require you to choose a password. While you could use LastPass to generate a strong password, you really need something you can easily remember. So, you should generate a moderately strong password here using the techniques we discussed in the previous chapter. If this computer is a desktop computer that will be used only within your home, you really don’t need a crazy long password here—eight characters is probably enough. If this is a laptop or if for some reason many strangers might have easy physical access to this computer, then you should make it 10 to 12 characters. Note that for almost all of my “password hints,” I just use LastPass or even just LP—because I store all these passwords as secure notes in my LastPass vault.

Tip 5-3a. Microsoft Windows 7

  1. Open your Control Panel and search for admin account. Click “Create administrator account” (Figure 5-19).

     Figure 5-19. Windows 7 Search for admin account

  2. You need to create an account name. I personally prefer admin—short and to the point (Figure 5-20).

     Figure 5-20. Windows 7 create account dialog

  3. Once the account is created, you will need to set a password. Choose a moderately strong password. As always, create a secure note in LastPass so you won’t forget it. Click Create Password to finish (Figure 5-21).

     Figure 5-21. Windows 7 create password dialog

  4. Now we need to remove admin privileges from your regular account. Click “Manage another account” and select your regular account.

  5. Click “Change account type.” Select Standard User and then Change Account Type (Figure 5-22).

     Figure 5-22. Windows 7 change account type dialog

  6. You should set a password for your regular account, as well. It’s just good practice. Use the same steps as earlier to do this now.

  7. If you have other family members or people in your household, you should take this opportunity to create accounts for each of them, using the same steps as shown earlier—just be sure to only give them Standard User accounts (not Administrator). Also, be sure that whatever backup utility you chose is set up for every account (see Chapter 3).

  8. Log off and log back in for these changes to take full effect. You can do this from the Start menu (Figure 5-23).

     Figure 5-23. Windows 7 logoff menu

Tip 5-3b. Microsoft Windows 8.1

  1. As of Windows 8, Microsoft introduced accounts that are tied to a Microsoft online account via an e-mail address. For an admin user, we want a local account.

  2. Open “Change PC settings” from the right-side menu (Figure 5-24).

     Figure 5-24. Windows 8.1 change PC settings menu

  3. Select Accounts (Figure 5-25).

     Figure 5-25. Windows 8.1 PC settings account menu

  4. Select “Other accounts” and then click “Add an account” (Figure 5-26).

     Figure 5-26. Windows 8.1 add account settings

  5. Ignore the stuff about creating an e-mail address. Find the link at the bottom called “Sign in without Microsoft account (not recommended),” as shown in Figure 5-27.

     Figure 5-27. Windows 8.1 sign-in without Microsoft account option

  6. On the next page, click the “Local account” button.

  7. Create your account name. I personally prefer admin—short and to the point. Choose a moderately strong password and create a secure note in LastPass so you won’t forget it. Click Next on this window and Finish on the following window to complete the process (Figure 5-28).

     Figure 5-28. Windows 8.1 add user dialog

  8. You need to now enable admin privileges for this account. Once again, select “Other accounts” and then click the new admin account (Figure 5-29).

     Figure 5-29. Windows 8.1 manage other accounts settings

  9. Click Edit. Change the account type to Administrator. Click OK (Figure 5-30).

     Figure 5-30. Windows 8.1 change account type settings

  10. Log out of your regular account, and log back in to your new admin account. This may take a little time while the new account is set up the first time (Figure 5-31).

      Figure 5-31. Windows 8.1 sign-out menu

  11. Using the same sequence as earlier, open the Accounts settings and click “Other accounts.” Click your regular account, change the account type to Standard User, and save these changes.

  12. You can now log out of the admin account and log back in under your regular account.

  13. If you haven’t done so already, you should set a password for your regular user account. Using the same procedure as earlier, re-open the PC Config settings and go to the Accounts page.

Tip 5-3c. Microsoft Windows 10

As of Windows 8, Microsoft introduced accounts that are tied to a Microsoft online account via an e-mail address. For an admin user, we want a local account.
  1. Open Settings and click Accounts (Figure 5-32).

     Figure 5-32. Windows 10 Accounts button

  2. At the left, click “Family & other people” (Figure 5-33).

     Figure 5-33. Windows 10 Accounts menu

  3. Click the plus sign next to “Add someone else to this PC.”

  4. They make it hard to add a purely local account. Click the link at the bottom that says “I don’t have this person’s sign-in information.”

  5. At the bottom of the next page, click “Add a user without a Microsoft account.”

  6. Create your account name. I personally prefer admin—short and to the point. Choose a moderately strong password and create a secure note in LastPass, so you won’t forget it. Click Next on this window and Finish on the following window to complete the process (Figure 5-34).

     Figure 5-34. Windows 10 create account dialog

  7. You need to now enable admin privileges for this account. Once again, select “Family & other users” and then click the new admin account. When you click it, you should see the options as in Figure 5-35.

     Figure 5-35. Windows 10 change account type dialog

  8. Click “Change account type” (Figure 5-36).

     Figure 5-36. Windows 10 change account type to administrator dialog

  9. Select Administrator from the menu and click OK. Exit Settings.

  10. Log out of your current account, and log back in to your new admin account. Do this by clicking the Windows icon at the lower left and clicking your current account name at the top. Select “Sign out.” (Don’t just switch directly to the new admin account—you need the current account to be logged out for the changes to take effect.) See Figure 5-37.

      Figure 5-37. Windows 10 sign-out menu

  11. Now sign in to your new admin account. Click “admin” on the login screen at the lower left (Figure 5-38).

      Figure 5-38. Windows 10 login screen

  12. You’ll have to sit through some welcome messages while your new account is set up. When this completes, open Settings and go to Accounts and then “Family & other users” (as we did earlier). This time click your personal account (“john” in our example). Then click “Change account type” (Figure 5-39).

      Figure 5-39. Windows 10 change account type dialog

  13. Change the account type to Standard User (Figure 5-40).

      Figure 5-40. Windows 10 change account type to standard user dialog

  14. Repeat the logout and login procedure, switching back to your regular account. This account is now restricted, which will prevent malware that gets by your defenses from doing too much harm. If you run into a situation where you need admin privileges, you can log into your admin account.

Tip 5-3d. Mac OS

  1. From the Apple menu, open System Preferences. Select Users & Groups at the lower left (Figure 5-41).

     Figure 5-41. Mac OS Users & Groups preferences

  2. If necessary, unlock the account preferences by clicking the lock icon at the lower left and entering your password (Figure 5-42).

     Figure 5-42. Mac OS users & groups panel

  3. Click the little + (plus) sign under the list of accounts to create a new account. Choose an account name. I personally prefer admin—short and to the point. (In some versions of Mac OS, there’s an option called “Use iCloud password”—don’t use this; instead, choose “Use separate password.”) You can add a password hint. I usually just use LastPass because that’s where I’ll store a copy of this info for future reference. Click Create User to finish (Figure 5-43).

     Figure 5-43. Mac OS administrator password dialog

  4. Now we need to remove admin privileges from your regular account. To do this, you need to log out of your current account and log back in as the admin account. In the Apple menu, select Log Out <user> (Figure 5-44).

     Figure 5-44. Mac OS logout menu

  5. You should now see a list of your accounts. Select your admin account and log in using the password you just chose. You may have to go through some initial account setup questions. You can skip these for now (“setup later”).

  6. Go back to the Users & Groups settings, as we did earlier. Again, click the lock icon to unlock the settings.

  7. Click the entry for your original Mac account at the left. Then uncheck the “Allow user to administer this computer” box. You should get a dialog like Figure 5-45. Click OK.

     Figure 5-45. Mac OS remove administrator confirmation dialog

  8. From the Apple menu, restart your computer to make the changes take full effect. You can then log back in as your original user (“john” in our example). See Figure 5-46.

     Figure 5-46. Mac OS restart menu

Tip 5-4. Install Free Antivirus Software

Antivirus (AV) software used to be a must for any computer owner. But lately, the effectiveness of AV software has become questionable. Furthermore, many AV products have become rather over-zealous in their protection schemes by embedding themselves deeply into your operating system so that they can monitor network traffic and inspect all files. However, in doing this, they often do more harm than good—in some cases, it’s been shown that AV software itself is either causing problems or creating new vulnerabilities for hackers to exploit.

For these reasons, I feel that most people should forego expensive antivirus software products. You’ll do a better job protecting yourself using all the other tips in this book. However, there are good and totally free software utilities for protecting your computer that I can recommend, if you feel you’d like to have something installed. If you have a teenager in the house, it’s probably best to have AV software installed at least for their account.

Note

If you already have another antivirus program installed, you should disable and remove it before installing something new.

Tip 5-4a. Microsoft Windows 7

  1. Go to this web site to download Microsoft Security Essentials (MSE). If for some reason this link fails, try going to Microsoft.com directly and find the search button (magnifying glass). Search for Microsoft security essentials windows 7.

     https://support.microsoft.com/en-us/help/14210/security-essentials-download

  2. Last I looked at this page, it was a confusing list of options—by language and computer type. Start with the 64-bit version. If you need the 32-bit version, the installer should tell you this, and you can come back for the other version (Figure 5-47).

     Figure 5-47. Windows 7 Microsoft Security Essentials download

  3. Download and run the installer. Click the default buttons on the installer as you go. When you reach this part of the installer, make sure that both of these boxes are checked (Figure 5-48).

     Figure 5-48. Windows 7 Microsoft Security Essentials security options

  4. Click the Next buttons and eventually the Install button. When the installer is finished, check the box “Scan my computer” and click Finish. This will automatically launch MSE and update the virus/spyware definitions, and then it will perform a scan. Let this continue until finished (Figure 5-49).

     Figure 5-49. Windows 7 Microsoft Security Essentials update progress

  5. The default settings should be good. If you’d like to check them, you can look at the next section on Windows Defender—they are nearly identical.

Tip 5-4b. Microsoft Windows 8.1

Windows 8.1 comes with Windows Defender[7] pre-installed. You just need to verify that it is enabled and configured properly.

  1. Open your Control Panel and search for defender (Figure 5-50). Click Windows Defender.

     Figure 5-50. Windows 8.1 Search for defender

  2. You should see a dialog box like Figure 5-51.

     Figure 5-51. Windows 8.1 Windows Defender home dialog

  3. Click the Settings tab. Select “Real-time protection” at the left and make sure this is enabled (Figure 5-52).

     Figure 5-52. Windows 8.1 Windows Defender settings

  4. When done, select the Home tab. If the Update button is orange, go ahead and click it to update your virus scanner. This may take a while. You can close this window, though—it will do it all in the background.

Tip 5-4c. Microsoft Windows 10

Windows 10 comes with Windows Defender[8] pre-installed. You just need to verify that it is enabled and configured properly.

  1. Open Settings and click Update & Security (Figure 5-53).

     Figure 5-53. Windows 10 Update & Security button

  2. Click Windows Defender at the left. Then click Open Windows Defender Security Center (Figure 5-54).

     Figure 5-54. Windows 10 Windows Defender Security Center button

  3. You want to see green check marks on all of these, as shown in Figure 5-55. In particular, right now we’re concerned with “Virus & threat protection.” If this item doesn’t have a green check mark, click it and check the settings.

     Figure 5-55. Windows 10 Windows Defender status

  4. Under “Virus & threat protection,” click “Virus & threat protection settings.” Make sure the top three items are on, as shown in Figure 5-56. (We’ll talk about “Controlled folder access” in the next tip.)

     Figure 5-56. Windows 10 Windows Defender virus and threat protection settings

Tip 5-4d. Mac OS

Modern Mac computers come with some basic anti-malware protection built into the operating system, but it’s not on the same level as Windows Defender. There are a few decent, free antivirus applications for Mac. Unfortunately, the capabilities and efficacy of these applications change constantly. These third-party programs are often adding features that break your encrypted Internet connections in an attempt to see everything you’re doing. These techniques are dangerous and can lead to some severe vulnerabilities. Honestly, I’ve personally decided not to install AV software at all on my Macs.

If you’d feel better with some type of AV software installed, I recommend a simple and free application like Sophos Home. If you find that Sophos isn’t working for you, you might try Avira’s free Mac product.
  1. Go to the Sophos web site and download the free version for Mac.

     https://home.sophos.com/download-mac-anti-virus

  2. It will ask you to create an account. I know…it’s a pain. But go ahead and sign up. They will send you an e-mail confirmation with a button—click that button to complete your sign up and log in to your new account. It should then offer you a download button. There will also be a link at the bottom of the page—if you have other computers in your house that you’d like to protect with Sophos, use this link to e-mail yourself the download link.

  3. Download and run the installer.

  4. You may see a scary pop-up dialog about a system extension being blocked. It’s just Mac OS trying to protect you from malware, which is a good thing! But in this case, we want to allow it, so click Open Security Preferences.

  5. In Security Preferences, unlock the lock with your password and then click the Allow button for Sophos (Figure 5-57).

     Figure 5-57. Mac OS security extension warning dialog

Tip 5-5. Enable Controlled Folder Access (Windows 10 Only)

As of Windows 10 2017 Fall Creators Update (Microsoft has weird names for its Windows 10 updates), you can turn on some really powerful protection for your files called “Controlled folder access.” This feature will restrict the ability for applications to add, change, or delete user and system files by creating a “white list” of approved apps. Microsoft already adds the most common, trusted applications to this list for you, but you can add other apps if you want. But the point is that malicious apps will not be able to mess with any of the protected files or folders without explicit permission. This feature is primarily aimed at fending off ransomware, which will attempt to lock up (encrypt) all of your files and hold them for ransom—that is, demand a payment before giving you the key to unlock (decrypt) them. By restricting which applications can modify your files, you’re preventing malware and other rogue applications from being able to alter or delete these files (including encrypting them).

To enable this feature, go to the same Windows Defender Security Center area we went to in the last tip, under “Virus & threat protection settings.” Just scroll down and enable the feature.
  1. Enable “Controlled folder access” (Figure 5-58).

     Figure 5-58. Windows 10 “Controlled folder access” setting

  2. You can see what folders are protected and add other folders by clicking “Protected folders.”

  3. Most well-known apps will already be allowed to change files from these folders, but if you run into a case where a particular application you want to use isn’t on Microsoft’s list of known-safe apps, you can add the app using the “Allow an app through Controlled folder access” here.

Tip 5-6. Turn On Disk Encryption (Mac OS Only)

Turning on full disk encryption is an easy step to protecting your precious data, and you won’t even notice it. The process itself can take quite a long time, but you can use your computer while the encryption is going on in the background.

Some versions of Windows have a built-in tool called BitLocker that will encrypt your hard drive. Unfortunately, BitLocker is not available in the Home or regular versions of Windows. You need a Pro or Enterprise version. While there are other alternatives, for non-technical folks I think built-in solutions from the OS maker are best. However, if you really want to do this on Windows, check out VeraCrypt (free).

Tip 5-6a. Mac OS

  1. Open System Preferences. Select Security & Privacy (Figure 5-59).

     Figure 5-59. Mac OS Security & Privacy preferences

  2. If necessary, unlock this preference pane by clicking the lock icon at the lower left. Then select the FileVault tab (Figure 5-60).

     Figure 5-60. Mac OS Security & Privacy FileVault settings

  3. Click the button Turn On FileVault. You will then be asked where you want to store your recovery key. You can elect to store this with your iCloud account, but personally I prefer to save it myself—in LastPass (Figure 5-61).

     Figure 5-61. Mac OS recovery key location options

  4. Once you click Continue, you will be shown your recovery key. This step is absolutely crucial! If you lose this key, you will not be able to recover any of your files if there’s some problem with your computer down the road. Carefully select the text from the screen and copy it and then paste it to a secure note in LastPass (see the previous chapter for instructions). You might want to also paste this key into a text file and print it off and then save it somewhere very safe (like a safe deposit box). Triple-check it to be certain you copied the entire key faithfully. Then click Continue (Figure 5-62).

     Figure 5-62. Mac OS recovery key

  5. You will need to enter the passwords for every user on your system before you proceed. Click each Enable User button and enter the proper passwords (Figure 5-63).

     Figure 5-63. Mac OS FileVault account enable dialog

  6. Once you’ve entered all the passwords, click Continue again. You will be asked to restart your Mac. As the message says, you will be able to use your Mac while the encrypting happens (which is pretty amazing, if you ask me). You can check the progress by going back to the FileVault preference pane. It will give you an estimate of the remaining time. It will probably be many hours, perhaps more than a day, if you have a large hard drive (Figure 5-64).

     Figure 5-64. Mac OS restart dialog

Tip 5-7. Encrypt Your Backups (Mac OS Only)

If you used an external hard drive for your backups, then you should encrypt that hard drive, as well. When we set this up a couple chapters ago, we skipped setting up encryption—because I wanted to be sure you had LastPass set up first so you could generate and store the backup password.
  1. Open Time Machine Preferences from the menu bar (Figure 5-65).

     Figure 5-65. Mac OS Time Machine preferences menu

  2. Click the Select Disk button (Figure 5-66).

     Figure 5-66. Mac OS Time Machine preferences

  3. Select your disk in the “Available disks” list and then check the “Encrypt backups” box at the bottom. Click Use Disk (Figure 5-67).

     Figure 5-67. Mac OS Time Machine disk selection dialog

  4. You will be asked to enter a password and a hint. Use the steps in the previous chapter to generate a kick-butt password and save it in a secure note in LastPass. Then paste that password here (twice). For the password hint, you can just use LastPass so that you know where you’ve saved this password (Figure 5-68).

     Figure 5-68. Mac OS Time Machine backup password dialog

  5. Now you can click the Encrypt Disk button. Once you’ve started this, it will take a long time, possibly more than a day. Just let it go. You don’t have to wait for it to complete; it will happen in the background.

Tip 5-8. Securely Erase Sensitive Files

If you want to throw away a sensitive file, you need to do more than simply put it in the virtual Trash bin and “empty” it. As discussed in this chapter, when the operating system “deletes” a file, it doesn’t actually erase the bits and bytes; it just forgets about it. That means that it’s technically still there, until it’s eventually overwritten by new files. With the right software tools, these files are recoverable. So if you really want sensitive files to be erased, you have to take some extra precautions.

There’s one gotcha, though... modern computers that use solid-state drive (SSD) technology for their hard drive don’t really have a way to properly delete a file. Because of the way SSD drives work, your files are actually moved around constantly to improve performance and balance the usage of the memory sectors. That means there are potentially several places on the drive where copies of your file’s bits and bytes may be lying around, waiting to be overwritten. So in this case, your best protection is just encrypting your entire drive (the previous tip). Even if there are remnants of the file floating around the disk, they’re not readable by someone who’s not logged into the computer.

Note: If you’re getting ready to sell, donate, or recycle a computer, you should absolutely wipe the entire drive first. This is covered in the next tip.

Tip 5-8a. Microsoft Windows

Windows does not have a “secure delete” feature built into the operating system, at least as of this writing. If you feel the need to securely erase some files, you can try one of these two free utilities:

Tip 5-8b. Mac OS

The Secure Empty Trash option was removed in OS X version 10.11. In true Apple fashion, since Apple felt this feature would give users a false sense of security, the company simply removed it.

However, the feature is still available if you’re willing to get really geeky and use the command-line interface. That’s honestly beyond the skills of most people likely to read this book, but if you’re determined, you can do the following:
  1. Put your file in the Trash.

  2. Empty the Trash by right-clicking the trashcan icon and selecting Empty Trash.

  3. Now you need to securely erase the “free space” on your hard drive. To do this, open the Terminal application and find the drive volume for your main hard drive. By default, this would be Macintosh HD.

  4. At the prompt, type the following (assuming your main drive is Macintosh HD; the quotation marks keep the space in the name from splitting the path in two):

    diskutil secureErase freespace 0 "/Volumes/Macintosh HD"

  5. You can try higher levels of security by increasing the 0 to 1 or 2.
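
The command in step 4 fails if the space in the volume name is left unquoted, and the SSD caveat from Tip 5-8 applies to it as well. The shell wrapper below is an added example, not from the book: the function names are this example's own, it assumes `diskutil info` prints a `Solid State:` line, and it accepts levels 3 and 4 in addition to the 0 to 2 the text mentions.

```shell
#!/bin/sh
# Added example, not from the book. Function names are this example's own.

# Human-readable name for each overwrite level diskutil accepts (0-4).
erase_level_name() {
    case "$1" in
        0) echo "single-pass zero fill" ;;
        1) echo "single-pass random fill" ;;
        2) echo "7-pass erase" ;;
        3) echo "35-pass erase" ;;
        4) echo "3-pass erase" ;;
        *) return 1 ;;
    esac
}

# Succeeds when diskutil reports that the volume sits on solid-state storage.
# Assumption: `diskutil info` prints a "Solid State: Yes" or "No" line.
is_solid_state() {
    diskutil info "$1" 2>/dev/null |
        grep -Eq '^[[:space:]]*Solid State:[[:space:]]*Yes'
}

# Validate the arguments, then overwrite the free space on the volume.
# Usage: secure_erase_free_space LEVEL VOLUME
#   e.g. secure_erase_free_space 0 "/Volumes/Macintosh HD"
secure_erase_free_space() {
    level=$1
    volume=$2
    if ! name=$(erase_level_name "$level"); then
        echo "error: level must be 0-4, got '$level'" >&2
        return 2
    fi
    if [ ! -d "$volume" ]; then
        echo "error: no such volume: $volume" >&2
        return 3
    fi
    if is_solid_state "$volume"; then
        # The SSD gotcha from Tip 5-8: stray copies of a file may sit in
        # sectors that an overwrite of free space never reaches.
        echo "refusing: $volume is on an SSD; use full-disk encryption" >&2
        return 4
    fi
    echo "Erasing free space on $volume ($name)" >&2
    # Quoting "$volume" keeps "Macintosh HD" as a single argument.
    diskutil secureErase freespace "$level" "$volume"
}
```

Save the functions to a file, source it in Terminal, and call `secure_erase_free_space 0 "/Volumes/Macintosh HD"`; a nonzero exit status means nothing was erased.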

     

Tip 5-9. Prepare a Computer for Sale/Donation/Recycle

Your computer probably contains a lot of juicy information about you. Before you get rid of it (sell, give, or even recycle), you should make sure that no one else can get to your data. Now, if you’ve fully encrypted your hard drive like I’ve recommended, then you don’t need to bother trying to erase everything. Your data is completely inaccessible—total gibberish, even to the NSA. All you need to do is delete your accounts. (If you really want to be sure, look at the final chapter of the book for tips on how to securely wipe any hard drive.)

Tip 5-9a. Microsoft Windows

Here’s how to prepare a Windows computer for selling or donation. Obviously, before you do this, you’re probably going to want to back up any and all files first. Once you follow these steps, all that data will be gone. So, make sure you’ve backed everything up before you do this!

Do the following steps for every nonadmin account on your PC:
  1. If you have an iTunes account, sign out of iTunes and deauthorize this computer. Within iTunes, select the Store menu and then Deauthorize this Computer…. Follow the instructions.

  2. Sign out of your Microsoft account and any other cloud accounts tied to this computer.

When you have completed these steps for all the accounts on your computer, log in to your admin account and perform the following steps:

  1. Repeat the previous steps.

  2. Open the Control Panel and search for remove. Select “Remove user accounts” and delete all the other accounts on the computer.

  3. The easiest step at this point is to create another admin account (using the steps I showed you before) and then delete this admin account. The new admin account will be fresh and have zero data. You can give the password of the new admin account to the next owner. If you want to be super-thorough, though, you should probably completely reinstall the operating system. That’s beyond the scope of this book, but you can search on the Web for Reinstall Windows for help. If you still have the Windows installation disk that came with your computer, you’ll use that to reinstall the OS.

Tip 5-9b. Mac OS

Here’s how to prepare an Apple computer for selling or donation. Obviously, before you do this, you’re probably going to want a full backup of your computer. If you use the Time Machine method, you can easily use this backup to transfer all your data to your new computer. But once you follow these steps, all that data will be gone. So, make sure you’ve backed everything up first!

Do the following steps for every nonadmin account on your Mac:
  1. Sign out of iTunes and deauthorize this computer. Within iTunes, select the Store menu and then Deauthorize this Computer…. Follow the instructions.

  2. Sign out of iCloud. Go to System Preferences and find the iCloud settings. Click the Sign Out button at the lower right.

  3. Sign out of Messages. Within the Messages app, go to Preferences and then Accounts. Select your Messages account and sign out.

  4. If you have any other cloud service accounts tied to this computer (like Dropbox, Backblaze, Google Drive, etc.), be sure to sign out of them, as well.

When you have completed these steps for all the nonadmin accounts on your Mac, log in to your admin account and perform the following steps:

  1. Repeat the previous steps.

  2. Open System Preferences and select Accounts.

  3. Delete all the other accounts on the computer.

  4. The easiest step at this point is to create another admin account (using the steps I showed you before) and then delete this admin account. The new admin account will be fresh and have zero data. You can give the password of the new admin account to the next owner. If you want to be super-thorough, though, you should probably completely reinstall the operating system. That’s beyond the scope of this book, but you can search the Web for Reinstall OS X from Recovery to find detailed instructions from Apple on how to do this.

Tip 5-10. Buy a Paper Shredder

Okay, so this isn’t really a computer tip—but it’s hard to talk about securely deleting computer files and securely wiping your computers before selling them without thinking about physical file security, too. Many people don’t realize this, but once you throw something away, it’s fair game for anyone to take. Legally, once you “abandon” your trash and place it off your property (at the curb), you give up any expectation of privacy.

At a high level, you want to shred anything that’s private and personal. That would include financial, medical, and legal papers. That probably seems obvious, but I’ll bet you still throw away a lot of stuff that you should be shredding.

You’re going to want to buy a decent shredder for this work. The main feature you want is cross-cutting. Strip-cutting shredders that just cut paper into long, thin strips are not good enough. Even cross-cut paper can be painstakingly re-assembled, but it’s a lot harder—especially if it’s mixed up with a bunch of other shredded documents.

You can also buy shredders that can handle credit cards and optical disks (CDs and DVDs) in addition to paper, which is handy. We don’t use CDs and DVDs much anymore to store data—which is possibly why you might be throwing them away. When you get rid of old credit cards or when some company sends you a “starter card” as part of a mailed offer, you definitely want to shred them before you throw them out.

The last thing to consider is the size of the output bin. I would just get yourself the biggest one that fits your needs—it means having to empty it less often and mixes a lot more stuff up together. You can find shredders at office supply stores or from Amazon online.

Tip 5-11. Set Up Find My Mac (Mac OS Only)

This is a very nice feature for laptops, which are portable and can be lost or stolen. When this feature is enabled, you will be able to track your Mac, send messages to the screen, and even remotely lock or erase it, if you believe it was stolen. You will need to sign up for a free iCloud account, if you haven’t already. I will not cover this process here, but I’ll get you started.
  1. Open System Preferences on your laptop (the computer that you want to be able to find).

  2. Open the iCloud preferences.

  3. If you have not signed up for an iCloud account, you can do it here. Click the little “create Apple ID” link under the first text box. Follow the instructions there; it’s very simple. Be sure to do three things, though.

  4. First, give them a “rescue e-mail” account, if you have a second e-mail account.

  5. Second, be sure to check the box to enable Find My Mac.

  6. Finally, when it asks you if you would like to allow Find My Mac to use your Mac’s location, click Allow—otherwise it defeats the whole purpose (Figure 5-69).

    Figure 5-69. Mac OS iCloud sign-in dialog

  7. Once you’ve signed into iCloud, you should be able to see a list of iCloud features. Scroll to the bottom and check Find My Mac. You will be asked if it’s okay to use location information—select Allow.

  8. You can now use your iCloud account (in a web browser on another computer, or using the Find My Mac app on an iPhone or iPad) to locate this Mac if it’s lost or stolen.

Tip 5-12. Don’t Trust Other Computers

Whenever you’re using a computer that is not your own, you need to be careful what you do. Sometimes bad guys will install software on public computers that can record every single keystroke from the keyboard—these are called key loggers. So, everything you type is saved off somewhere. If you’re just doing some web searches and accessing web sites that don’t require you to log in, then you don’t need to really worry because you’re not typing in anything really valuable. However, you should avoid ever entering sensitive data like passwords, Social Security numbers, credit card numbers, and so on. It doesn’t matter if the web site is secure; the information is being captured before it even gets to the form on the web page.

If you simply have to use a public computer to log into a web site that requires a password, you can try these techniques to protect yourself:
  1. If you need to use one of your crazy, random LastPass passwords, you can’t just install the browser plugin or look it up on your iPhone and type it in. Log into your LastPass vault via the web browser (https://www.lastpass.com) using one of your one-time passwords (never use your actual master password on a public computer!). Cross off this one-time password on your list since it will no longer work. Find the site you need and view the password. You can copy the password from your vault and paste it into the web site’s login form. (Do not simply type in the password you see in your vault—you must copy and paste it!) After you paste the password, you should make a point to copy some other nonsense text from somewhere to clear out the contents of the copy clipboard.

  2. You can also try to confuse the key logger. This is a pain in the butt. Start typing your password, one letter at a time. Between each letter, go to some other place—search text box, text document, something—and type some other random characters. The key logger will record all of these keystrokes, in order, and will have no idea which characters are part of your password and which ones are just junk you’re typing somewhere else.

  3. Be sure to log out of all your web sites when you’re done, especially LastPass!

  4. If you’re using a computer at a friend’s house, you might ask if they have a guest login account you can use. If so, use this account and log out when you’re done.

Tip 5-13. Avoid Foreign/Unknown USB Devices

We don’t think much about all the USB peripherals we attach to our computers…mice, keyboards, printers, webcams, thumb drives, and so on. These devices seem simple enough, but every USB device can contain software—and often, our computers will automatically read and run that software when the device is first plugged in. The point of this is for these devices to have built-in driver software, allowing most devices to “just work” when we plug them in.

To save money, many manufacturers will make this software updatable after manufacture. That is, instead of making this software read-only, they give themselves the option to retroactively change the software—so that if there’s a problem with it, they can simply change the software without having to throw away the hardware and start over.

The bottom line is that it’s possible to install malware on a USB device. Therefore, you should be suspicious of any USB device you plug into your computer. Think of it as like having unprotected computer sex. Believe it or not, you can buy a “USB condom” for this exact purpose! It works only for charging devices—it explicitly blocks the data and allows only the power to go through. This can be helpful when traveling and you need to charge your phone on a public USB port (airports, airplanes, coffee shops, etc.).

While spreading malware via infected USB devices is not that common, you should still be aware that it’s possible. Here are some things you can do to avoid catching a virus from a bad USB device or plug.
  1. Never pick up a USB flash drive that you find lying around and plug it into your computer. This is probably the number-one way this technique is used by hackers.

  2. Get your USB devices from a reputable retailer. Make sure they’re new and unopened.

  3. Don’t buy used USB devices.

  4. Don’t use USB devices from other people.

  5. Use “power only” USB cables (no data) or buy a “USB condom” for charging your phone and tablets on public USB ports.

  6. Set your computer screen to lock right away and require a password to unlock. Don’t leave it alone with others present while it’s unlocked. It’s already been shown that bad guys can completely hack your computer in less than a minute by plugging in a bad USB device. You’ll never even know they were there.

Tip 5-14. Don’t Use Adobe Reader to Read PDF Files

Adobe Flash isn’t the only popular program that’s notoriously insecure and buggy. The popular PDF viewing app called Reader is also known for its share of problems. This isn’t an issue with Mac OS since Apple provides an excellent PDF viewer called Preview (though some Adobe products will still install Reader). On Windows, however, you should consider downloading and installing a new PDF reader app.

Tip 5-15. Unplug or Cover Webcams When Not in Use

This is going to sound paranoid, but it’s for real. It’s actually possible to remotely enable some webcams and watch what people are doing, in some cases even without turning on the little light that indicates that the webcam is active. This would usually require that your computer has already been compromised with malware—which is to say that if you have this problem, you probably have others, too. Nonetheless, I would unplug webcams if you’re not using them or put a sticky note over the lens if the webcam is built-in. (Mark Zuckerberg, CEO of Facebook, was famously seen doing this.)

Tip 5-16. Beware Cold Calls for Computer Support

If someone calls you out of the blue and tells you that your computer is having problems and offers to remotely debug your computer for you, just hang up. Real computer support companies will never do this. While this company may actually offer computer support services (at a low, low subscription cost of $199/year), you probably don’t need them.

Likewise, if you’re getting a weird pop-up on your computer warning you that you’re infected or your computer’s performance could be optimized or even that some scanner has detected illegal materials on your hard drive, just close the window without doing anything. This is almost surely a scam.

If the pop-up messages continue or you’re just worried that something really is wrong, contact a tech-savvy friend or relative and get their advice. If that’s not an option, call a reputable computer store or call your computer’s support line (even if you’re out of warranty).
