What amateurs can learn from security pros about staying safe online
Old 07-26-2015, 02:47 PM   #1
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,406

Ars Technica has an interesting article on online security, here, titled "What amateurs can learn from security pros about staying safe online", which references a paper (here) that compares safety practices of security experts with non-experts (the rest of us).

The top five practices of experts: install SW updates, use unique passwords, use two factor authentication, use strong passwords, use a password manager. The top five practices of the "non-experts": use antivirus SW, use strong passwords, change passwords frequently, only visit websites they know, don't share personal information.

This hits home to me because I intentionally avoid installing SW updates. First, because I want a stable operating platform, and second, because over time updated SW demands more system resources, which leads to the need to upgrade sooner. From the paper, though, I can see the value in staying current, at least in critical SW.
MichaelB is offline   Reply With Quote
Old 07-26-2015, 02:52 PM   #2
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
The top five practices of experts:

install SW updates (even though Windows, Adobe, or Java updates couldn't be any more obnoxious)...check
use unique passwords...check
use two factor authentication (this has been debated, but I still use it when available)
use strong passwords...check
use a password manager...check (Keepass/not stored on the computer)
Options is offline   Reply With Quote
Old 07-27-2015, 01:01 AM   #3
Recycles dryer sheets
 
Join Date: Aug 2014
Location: Western Canada
Posts: 393
"use a password manager"
------------------------------

While I'm a retired IT security guy, I've never called myself an expert in the field (I don't think there are any). I will suggest that any data (i.e. passwords) that exists in digital format is or will be hackable, especially if it is stored "in the cloud". Not a good idea.
__________________
I'm not crazy. Honest, the judge had me tested.
Rick_Head is offline   Reply With Quote
Old 07-27-2015, 10:01 AM   #4
Recycles dryer sheets
 
Join Date: May 2015
Location: Atlanta suburbs
Posts: 347
I agree with unique passwords, strong passwords and 2 factor authentication.

Software updates are not bullet-proof, and sometimes cannot be undone. Most companies' IT groups do a fair amount of testing of other software before they allow them to be applied everywhere in their environment. I don't have a test environment for testing, so I wait for a bit to hear the scuttlebutt. Windows 10 may make this waiting not possible, and maybe other companies may follow suit for their software.

I don't think our passwords should be stored digitally.
__________________
DEC-1982 is offline   Reply With Quote
Old 07-27-2015, 10:43 AM   #5
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,815
Check on all except limited two-factor coverage.

I'm surprised at the number of well-informed people that still fear a properly implemented password manager, such as LastPass. If your local machine is compromised, all bets are off, but with a long unguessable pass phrase (that is never stored anywhere and never sent anywhere, encrypted or not) that is only used to locally decrypt your data using appropriately strong encryption, I'm not sure there's too much to worry about. If they get quantum computing going, there's a lot more to worry about than my LastPass vault, lol! I will send my LastPass vault to the NSA (oh, they already have it), and if they figure out a way to undo prime factorization (or is it elliptic curve?) sometime in the future, they'll have all my passwords. But again, if that happens, there will be more shtuff hitting the fan and my vault will not be very high on the list.
__________________
sengsational is offline   Reply With Quote
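The design described in post #5 (a passphrase that never leaves the machine and is only used to derive a local decryption key) can be sketched as follows. This is an added example, not part of the thread and not LastPass's code; the function names, the iteration count and the sample secret are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for AES because the Python standard library has no AES.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def _keys(passphrase: str, salt: bytes):
    # Stretch the passphrase locally; 64 bytes = encryption key + MAC key.
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=64)
    return raw[:32], raw[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for AES: HMAC-SHA256 over nonce || counter, concatenated.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(passphrase: str, plaintext: bytes) -> dict:
    """Encrypt locally; the returned blob is all a sync server would hold."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(passphrase: str, blob: dict) -> bytes:
    """Re-derive the keys from the passphrase and verify before decrypting."""
    enc_key, mac_key = _keys(passphrase, blob["salt"])
    expect = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("wrong passphrase or tampered vault")
    return _xor(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"])))

if __name__ == "__main__":
    # Constructed sample data, not a real credential.
    blob = seal("long unguessable pass phrase", b"bank.example: s3cret")
    print({k: v.hex() for k, v in blob.items()})   # what leaves the machine
    print(open_vault("long unguessable pass phrase", blob))
```

The blob contains only salt, nonce, ciphertext and tag, so whoever holds it has to guess the passphrase and pay the PBKDF2 cost for every guess; a compromised local machine still sees the passphrase as it is typed.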
Old 07-27-2015, 11:24 AM   #6
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,074
Interesting articles, and having started to use Lastpass this year I now do all 5 of the top things the experts recommend.

I was surprised that keeping AV software up to date was not in the top 5 things experts recommend, although they do say it is good practice to do so. The reason the experts didn't list AV software as highly is because most experts don't use Windows.

Quote:
One likely reason explaining the divide over use of antivirus software is that security experts are more likely than non experts to use a non-Windows operating system. So while it may be tempting to interpret the results as showing experts think AV isn't an effective security measure, that's not automatically the case. The question posed to each group sought the top three things they did to protect their own security online. If experts are more likely to use an OS other than the highly targeted Windows OS, it stands to reason they would be less likely than non-experts to list using AV as one of the top ways they protect themselves.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 07-27-2015, 11:37 AM   #7
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,815
Quote:
Originally Posted by Alan View Post
I was surprised that keeping AV software up to date was not in the top 5 things experts recommend...
And if the experts DO use Windows, they (and everyone else) get Windows Defender by default, which is fairly light-weight and you'd need to go in and turn it off. If I were asked about top 3, I wouldn't include anything that most everyone will have 'on' by default....it might make people feel better, but would be a waste of a vote.
__________________
sengsational is offline   Reply With Quote
Old 07-27-2015, 12:51 PM   #8
Thinks s/he gets paid by the post
gauss's Avatar
 
Join Date: Aug 2011
Posts: 1,708
Quote:
Originally Posted by sengsational View Post

I'm surprised at the number of well-informed people that still fear a properly implemented password manager, such as LastPass. If your local machine is compromised, all bets are off, but with a long unguessable pass phrase (that is never stored anywhere and never sent anywhere, encrypted or not) that is only used to locally decrypt your data using appropriately strong encryption, I'm not sure there's too much to worry about. If they get quantum computing going, there's a lot more to worry about than my LastPass vault, lol! I will send my LastPass vault to the NSA (oh, they already have it), and if they figure out a way to undo prime factorization (or is it elliptic curve?) sometime in the future, they'll have all my passwords. But again, if that happens, there will be more shtuff hitting the fan and my vault will not be very high on the list.
I guess I fear the likes of LastPass being hacked not through the front door (i.e. breaking the encryption), but rather through some sort of back door compromise. Storing unique passwords in my head I feel is safer.

-gauss
__________________
gauss is offline   Reply With Quote
Old 07-27-2015, 02:17 PM   #9
Moderator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,406
Quote:
Originally Posted by Alan View Post
I was surprised that keeping AV software up to date was not in the top 5 things experts recommend, although they do say it is good practice to do so. The reason the experts didn't list AV software as highly is because most experts don't use Windows.
That's a very good point which I missed, and makes a lot of sense. I have reduced the use of windows at home but still use it and should probably start thinking about how to eliminate it completely.
__________________
MichaelB is offline   Reply With Quote
Old 07-27-2015, 03:42 PM   #10
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,707
Quote:
Originally Posted by Rick_Head View Post
"use a password manager"
------------------------------

While I'm a retired IT security guy, I've never called myself an expert in the field (I don't think there are any). I will suggest that any data (i.e. passwords) that exists in digital format is or will be hackable, especially if it is stored "in the cloud". Not a good idea.
KeePass is not a cloud based password manager; you can store it on your computer, or on a thumb drive, and you can keep the key file stored on the other thing, plus keep the password "sentence" long and stored in your brain.

I've used it for years, no connection to the company, use whatever you want. I tried other ways first, but none were as secure.

I have about 200 unique passwords and userNames AND unique answers to "mother's maiden name" or other silly questions.
No way I could remember that.
__________________
Sunset is online now   Reply With Quote
Old 07-27-2015, 06:30 PM   #11
Moderator
Sarah in SC's Avatar
 
Join Date: Sep 2005
Location: Charleston, SC
Posts: 13,456
Another Lastpass user. Nothing is foolproof. You have to stay on top of stuff, and mostly that means financial sites. I use Mint to check my accounts at least once a day, and have fraud alerts set up everywhere. Plus I check my credit karma once a week for anything new.

There's a price to pay for the convenience of online everything, and for me the "cost" of vigilance is a small one.
__________________
“One day your life will flash before your eyes. Make sure it's worth watching.”
Gerard Arthur Way

Sarah in SC is offline   Reply With Quote
Old 07-27-2015, 07:03 PM   #12
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,903
Quote:
Originally Posted by MichaelB View Post
That's a very good point which I missed, and makes a lot of sense. I have reduced the use of windows at home but still use it and should probably start thinking about how to eliminate it completely.
I just installed linux mint in one of my older computers (that was running Windows XP) a few weeks ago and so far I'm very happy with it and find that I'm using the old computer more and more but coming from the Windows world I wonder if there isn't some complacency going around in linux land regarding security.
__________________
ejman is online now   Reply With Quote
Old 07-27-2015, 07:57 PM   #13
Recycles dryer sheets
 
Join Date: Feb 2009
Location: Cville
Posts: 399
Quote:
Originally Posted by ejman View Post
I just installed linux mint in one of my older computers (that was running Windows XP) a few weeks ago and so far I'm very happy with it and find that I'm using the old computer more and more but coming from the Windows world I wonder if there isn't some complacency going around in linux land regarding security.
You should have a package to run updates on a Linux box also. Check something like yum-cron or yum-updatesd. They check for and install updates on a regular schedule. Like every day.

Please don't get the idea Linux is secure; there is a greater benefit to hacking a Linux server, as lots of the good stuff from a hacker's perspective is stored on Unix servers. On my Linux servers I run yum updates every day!
__________________
RetireBy90 is offline   Reply With Quote
Old 07-27-2015, 08:20 PM   #14
Thinks s/he gets paid by the post
 
Join Date: Feb 2014
Posts: 1,044
I would add:

If you need to go to "questionable" (and I think you know what I mean) sites use Virtualbox with a Linux distro. Worst case the virtual machine gets damaged, not your real machine.

Sensitive files can be encrypted independently for an additional layer of protection.

Use whole disk encryption if possible.

Lengthen your passwords to the greatest degree possible.
__________________
jim584672 is offline   Reply With Quote
Old 07-27-2015, 10:06 PM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,446
I don't put any sensitive data on someone else's server up on the Internet, and that includes a password manager.

I always pay attention to system security updates.

I get rid of software like Adobe Flash that has security holes.

Sensitive docs are in encrypted drives and disk images.

We are very careful about phishing emails and any kind of web download. We only download from certain sites unless it's a PDF.

We don't run virus scanning software on our Macs. Not sure if there is really anything considered good virus scanning software for the Mac. If Apple didn't write it I'm leery of adding anything to run as part of the system.

Two factor authentication for financial accounts online plus alerts.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 07-27-2015, 10:11 PM   #16
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 3,392
Interesting. I do automatic updates on the OS and usually update immediately. I use a password manager (Roboform) and use some 2 factor authentication although I do need to use it on a few more sites.
__________________
Katsmeow is offline   Reply With Quote
Old 07-27-2015, 10:20 PM   #17
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,903
Quote:
Originally Posted by RetireBy90 View Post
You should have a package to run updates on a Linux box also. Check something like yum-cron or yum-updatesd. They check for and install updates on a regular schedule. Like every day.

Please don't get the idea Linux is secure; there is a greater benefit to hacking a Linux server, as lots of the good stuff from a hacker's perspective is stored on Unix servers. On my Linux servers I run yum updates every day!
As you can tell, I am a total newbie to the linux world. So far, I've only installed software that is available thru the linux mint software manager and I install every update the update manager says to install (levels 1-3). I didn't find specifically yum-cron or yum-updatesd listed as part of the approved packages in the software manager but they may be in some of the more advanced repositories than what I'm currently using.
__________________
ejman is online now   Reply With Quote
Old 07-27-2015, 10:23 PM   #18
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,903
Quote:
Originally Posted by audreyh1 View Post
I don't put any sensitive data on someone else's server up on the Internet, and that includes a password manager.

I always pay attention to system security updates.

I get rid of software like Adobe Flash that has security holes.

Sensitive docs are in encrypted drives and disk images.

We are very careful about phishing emails and any kind of web download. We only download from certain sites unless it's a PDF.

We don't run virus scanning software on our Macs. Not sure if there is really anything considered good virus scanning software for the Mac. If Apple didn't write it I'm leery of adding anything to run as part of the system.

Two factor authentication for financial accounts online plus alerts.
Looks like very reasonable steps. Apparently from the limited research I've done there is no widely recommended virus scanning software for linux either.
__________________
ejman is online now   Reply With Quote
Old 07-28-2015, 04:02 AM   #19
Thinks s/he gets paid by the post
 
Join Date: Feb 2014
Posts: 1,044
Quote:
Originally Posted by ejman View Post
As you can tell, I am a total newbie to the linux world. So far, I've only installed software that is available thru the linux mint software manager and I install every update the update manager says to install (levels 1-3). I didn't find specifically yum-cron or yum-updatesd listed as part of the approved packages in the software manager but they may be in some of the more advanced repositories than what I'm currently using.
I believe Mint is an Ubuntu derivative so yum would not apply. Just follow the update manager in Mint.

If you need to update via the terminal use these two commands:
sudo apt-get update
sudo apt-get upgrade
__________________
jim584672 is offline   Reply With Quote
Old 07-28-2015, 04:04 AM   #20
Thinks s/he gets paid by the post
 
Join Date: Feb 2014
Posts: 1,044
Quote:
Originally Posted by ejman View Post
Looks like very reasonable steps. Apparently from the limited research I've done there is no widely recommended virus scanning software for linux either.
I have been using Linux for years and have never had a virus problem and do not use any anti-virus.
jim584672 is offline   Reply With Quote