
Basic Internet Security

01 Sep 2015

I'm often asked by non-tech people what they should do about security on the Internet, and there are some simple steps that you should follow.

But first, I think it's important to understand the types of risks that you're going to try to mitigate.

In order of concern (in my opinion):

  1. Passwords
  2. Sharing Secure Information
  3. Viruses
  4. Browsing the Web
  5. Storing Secure Information

This is not a guide on how to be a spy or evade the NSA. If you are targeted by the NSA, this guide cannot help you. This is for regular people trying to be responsible on the internet. So if you want to contact me about how the NSA could defeat these strategies, please don't.

Second, you should accept these 3 points:

  1. Your behavior is the first level of security
  2. You need to pay for software you want
  3. Don't install 'hacked' or random downloaded software

1. Passwords

The number 1 concern about password theft is that you've used the same password on a pile of sites, an extremely common situation. Second is the concern that you use very bad passwords, which almost everyone does (Passwords Surveyed from leak data).

The problem here is that once any site you use is 'hacked', the attacker will then try those user/password pairs against other popular sites and banks, and voila. This is not pretend; this happens all the time.

So there are a couple of easy rules:

  1. Use unique passwords on every site
  2. Use a password manager

You can accomplish #1 by having some personal heuristic, like domain+myname+emailname, so here my pass would be bigmojonetbillbigmojonet .. or something. This is 'ok'; it's a lot better than using the same password everywhere. But MUCH better is to use a real password manager. I recommend 1Password; it costs a few dollars (about 50) but is by far the best product, and way cheaper than getting hacked. You could also use the free KeePass, which works well but is missing sync between devices and such, or the online tool LastPass.

Using one of these tools, you can easily generate unique strong passwords, e.g. yeudd6Ij1lea.

FYI, swapping out @ for A, or 4 for R, does not actually provide much, if any, extra protection for your passwords:

n0t@gre@tp@55w0rd
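To show why these substitutions buy so little, and what a generated password looks like, here is an added example (not from the original post or any password manager) of a deny-list check that undoes the common swaps before comparing, beside a generator that uses the OS random source the way a password manager does. The deny-list is constructed for the example; a real one would be a leaked-password list.

```python
import secrets
import string

# Constructed stand-in for a real list of the most common leaked passwords.
COMMON_PASSWORDS = {"password", "notagreatpassword", "letmein", "qwerty", "123456"}

# The usual character swaps; a deny-list check reverses them before comparing,
# so "n0t@gre@tp@55w0rd" is treated exactly like "notagreatpassword".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "5": "s", "$": "s",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalize(password: str) -> str:
    """Lowercase and undo common substitutions so variants match their base word."""
    return password.lower().translate(LEET_MAP)


def is_weak(password: str, min_length: int = 12) -> bool:
    """Weak if too short, or if the normalized form is a known common password."""
    if len(password) < min_length:
        return True
    return normalize(password) in COMMON_PASSWORDS


def generate_password(length: int = 16) -> str:
    """Build a random password from the OS CSPRNG, like a password manager does."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("n0t@gre@tp@55w0rd", "yeudd6Ij1lea", generate_password()):
        print(f"{candidate!r:>24} -> weak: {is_weak(candidate)}")
```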

As soon as you have a solution, go to your most important sites (bank, gmail, etc..) and change your password to a long generated password. This should give you great peace of mind.

For fun, go to haveibeenpwned and see if your email address has shown up in one of the many data breaches (hint: it probably has).

2. Sharing Secure Information

Let's say you need to send your partner bank information, or more likely a password to some service (gmail/iTunes/whatever). Sending someone secure data is a real hassle. If they don't have GPG, or some such tool, then what do you do? Most likely you send the user name in one email and the password in another.

This isn't great.

That email sits on a server forever! If their email is EVER compromised, then so is your data.

The simplest way you could send this info (without advanced tools) would be iMessage (end to end encrypted), and have the other person delete that message on receipt.

Even better than that would be to use a one-time message service, for example Dead Drop (I wrote this service, FYI).

There are other services, e.g. onetimesecret, but I like mine.
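To make the read-once idea concrete, here is an added, hypothetical in-memory store (not the Dead Drop or onetimesecret code) that holds only ciphertext, puts the key in the link the recipient receives, and deletes the record on first read. The one-time pad keeps the store unreadable on its own; a real service would add an integrity check and persistent storage.

```python
import secrets
import time
from typing import Optional


class DeadDropStore:
    """Hypothetical read-once message store: the server sees only ciphertext."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._items: dict[str, tuple[bytes, float]] = {}

    def put(self, message: str) -> tuple[str, str]:
        """Encrypt with a fresh one-time pad; return (message_id, key_hex) for the link."""
        plaintext = message.encode()
        key = secrets.token_bytes(len(plaintext))  # pad as long as the message, used once
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
        message_id = secrets.token_urlsafe(16)
        self._items[message_id] = (ciphertext, time.time() + self.ttl)
        return message_id, key.hex()

    def take(self, message_id: str, key_hex: str) -> Optional[str]:
        """Return the message once and delete it; None if missing, expired or already read."""
        entry = self._items.pop(message_id, None)  # pop: gone after the first attempt
        if entry is None:
            return None
        ciphertext, expires_at = entry
        if time.time() > expires_at:
            return None
        key = bytes.fromhex(key_hex)
        if len(key) != len(ciphertext):
            return None
        try:
            return bytes(c ^ k for c, k in zip(ciphertext, key)).decode()
        except UnicodeDecodeError:  # wrong key yields garbage, not the message
            return None


if __name__ == "__main__":
    store = DeadDropStore(ttl_seconds=60)
    mid, key = store.put("gmail password: hunter2")  # constructed sample secret
    print("first read :", store.take(mid, key))
    print("second read:", store.take(mid, key))  # None: already consumed
```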

3. Viruses

True viruses are actually pretty rare these days. What is VERY common, though, is users installing malicious code that sends spam, mines bitcoins, what have you. Your own behaviour is the primary defence against these things.

I've seen several machines HORRIBLY infected, simply because Microsoft disabled solitaire by default. So everyone went to Yahoo and downloaded random free solitaire programs, which were terrible machine-killing malware.

Ask yourself why someone would write that software, and then give it away for free.

If for some reason that's an issue for you:

  1. Click on Control Panel,
  2. Click Add or Remove Programs.
  3. Click on Add/Remove Windows Components
  4. Highlight Accessories and click Details. There's your solitaire, enable it.

Make sure you've run all software updates for your OS.

Are you on a Mac? Try Sophos. On Windows? Run Kaspersky.

This isn't really my area of expertise, but I will add resources. If you think your machine is compromised, rebuilding with a fresh, updated OS is your best bet.

Running 'cracked' software

Don't do that. This is prime virus / malware delivery territory.

Use an open-source / free alternative

Open source has come a long way, e.g.:

    * photoshop -> [The Gimp](http://gimp.org)
    * office -> [Libre Office](http://libreoffice.org)

Pay for what you want

Many software packages now have a monthly subscription, e.g. Office is $45 a month and Adobe Creative Suite is $30 a month. This makes professional software affordable to own.

If it's not worth $20 or $30, maybe it's just not very important and you can live without it.

4. Browsing The Web

  1. Use Chrome
    • This can be argued, but historically Chrome has been very safe.
  2. Don't have it save passwords, use your password manager.
  3. Install Ghostery AND Adblock Plus
    • These will block most, if not all, ads, which are a very popular way of delivering malware to you.
    • Also, the web is MUCH MUCH faster without all that nonsense.

Flash

Don't install it, or turn it off.

You don't really need Flash anymore; YouTube doesn't need it, for example. I haven't had Flash in months, and really haven't had any issues. WARNING: You may possibly miss one or two cat videos.

5. Storing Secure Information

This gets a bit more complicated. A passwords.txt file on your desktop is easy pickings if your machine does get compromised. Another point is what happens when your machine dies: do you pull the hard drive and destroy it? Probably not. So that data should be secured. Your login password doesn't do much if I can take the hard drive out and pop it in another computer to read it.

  1. Enable full drive encryption; it's built into Windows AND Mac.

    Make sure to do the 'make recovery disk' step these tools offer.

  2. Have some sort of strategy for saving secure files.

    • This should be done in case your machine is compromised and the attacker finds your passwords.txt file.

This is a bit more advanced. At its most simple, you could create a password-protected zip file using 7-Zip, which is also just a great archive utility.

Beyond that, I would recommend TrueCrypt. Although this product has a complicated history, it's one of the only open/audited solutions. When used, it creates a .crypt file that, when you open it, shows as a separate drive on your machine, which you can use normally. I, for example, have all my tax docs in a .crypt file, which I can then safely keep on Dropbox.