Here you can learn how to secure your computers and devices, with more knowledge to come.
|
I would recommend that you buy and install real-time security software, to protect continuously from viruses, malware, spyware and other online threats, etc. I would recommend Norton Security, this link lists the features of Norton Security and Norton 360, as it utilizes one of the largest global civilian intelligence networks to spot threats faster and it is the number 1 ranked consumer security software for overall protection and performance. You can purchase protection for up to 10 devices, it has anti-virus with advanced machine learning, anti-malware and anti-spyware, multiple layers of protection and artificial intelligence, an intelligent smart firewall, auto protect, intrusion prevention, proactive exploit protection which protects your computers from exploits that take advantage of vulnerabilities in software and your computer's operating system and file insight which provides reputation information on software files gathered from their global network. Also, it has SONAR protection which protects you against malicious code, even before virus definitions are available through LiveUpdate, so that means it proactively detects unknown security risks on your computer. Additionally, it has SafeWeb which shields you from bad websites which includes malware, phishing & scam websites, etc. Finally, it has Safe Surfing, Norton Tamper Protection, browser protection, download intelligence, Norton Power Eraser, it blocks ransomware and it now has Online Banking Protection, which means Norton's servers connect to the banking website for you safely encrypted and you remotely connect into Norton's servers encrypted inside of your browser to browse the banking website, etc. I would like to add that I have paraphrased some of the wording above using information from Norton's website and possibly from other sources. |
Now a new Norton 360 has been released, it replaces Norton Security and it has extra features included like Norton Secure VPN and SafeCam which protects your computer's webcam from being accessed without your permission. In the USA extra features are included, as Norton LifeLock is included as well. But remember to turn off auto renewal, as it's charged at a much higher price than if you were to buy it at retail price. I think that Norton Security, Norton 360 and Norton Mobile Security and Antivirus are the most protective real-time antivirus products in the world, this is backed up by actual test results that have been performed on lots of the main antivirus products and Norton came out on top with their Norton Security and Norton 360, but Bitdefender Total Security did come in at a close second. I would like to add that I have paraphrased some of the wording above using information from Norton's website and possibly from other sources. |
Your Norton Security and / or Norton 360 subscription also gives you access to their app counterpart on mobile devices, which can be used with your Norton Security product license key. The app is called Norton Mobile Security and Antivirus, this link lists the features of Norton Mobile Security and Antivirus and it is the most advanced mobile security for Android in the world. It has anti-virus, anti-malware, which now includes protection against trojans and ransomware and it has Norton Safe Search. Also, it has App Advisor powered by Norton Mobile Insight, which automatically checks apps on the Google Play Store before you download them for potential privacy risks, unusual/intrusive behaviour, high battery and data usage, etc. Finally, it has Norton SafeWeb filtering protection to shield you from fraudulent websites that are designed to steal your personal information and money, the ability to block unwanted calls and text messages, contacts backup, privacy report and Link Guard, the LinkGuard feature and its name has now been removed from the user interface, but you will now get the same link protection benefit from the Web Protection feature, etc. LinkGuard, well now the Web Protection feature scans any link you go on via emails and text messages to make sure it is safe, if it's not safe then it will be automatically blocked. Surveillance app protection has been added to the anti-malware feature to help protect your privacy and security by letting you know if an app is sharing your device's location, contacts, photos or messages without your authorisation.
|
Make sure that you do not go back to the previous page when a page is blocked, this is because if you go back it could load that page or another page and an attack could get through that line of defence before it's able to block the same page again or a new page. This is what happened when I went back to the previous page, but luckily Norton 360 blocked the attack. I am so thankful to Norton, as this is why it's so important to have multiple layers of defence security. I would like to add that this is only necessary if the page has been blocked at the software level, but it's OK to go back to the previous page if it's been blocked at the network DNS level and also possibly at the hardware level, like when using a UTM (unified threat management) device, for an example the Bitdefender Box 2 that's listed further down this page. This is because if the page wasn't loaded and will not be loaded due to it being blocked at the network DNS and / or hardware level, then this isn't a necessary precaution, but feel free to do it anyway for extra security. And I would like to add that it's OK to go back to the previous page or to carry on to the blocked page if you know that it's a false alarm and if the page has been blocked at the software level and it contains a back button it should be OK to use it, but remember not to use the browser's back button if the page has been blocked at the software level. And instead you could go to a safe page by going forwards using the URL bar or you could look at the previous pages list, if your browser supports it and go back to a previous safe page that you choose, etc.
|
I would recommend that you regularly check Play Protect on Android's Google Play Store, because it warned with things like "Your device may be at risk", "1 privacy warning", "Privacy warning" and "The app was removed from Google Play Store because it can access personal information in call logs or text messages". I obviously uninstalled the app, because it said "Uninstall" or "Keep app". So this is another way to protect your devices for free.
|
Norton Power Eraser uses aggressive methods to detect threats, and there's a risk that it can select some legitimate programs for removal. You should carefully review the scan results page before removing files. I would like to add that the above wording is nearly a direct quote from Norton's website page "Run the free Norton Power Eraser tool in Safe mode" and possibly from other sources, as it seems to be on many websites. Also, you should carefully review any security program's scan results page before removing files, as there can be false positives, as for an example a legitimate program / app can use rootkit methods to hide its data from the user or a legitimate program / app in the access control list (ACL) can not have its admin username, that it lists as the owner of a file or folder that it uses, etc. And I would like to add that I have paraphrased some of the wording above using information from Spybot - Search & Destroy's website page "Are the found items really Rootkits?" and possibly from other sources, as I have learned a lot through the years.
|
There are at least two exceptions to running more than one real-time security program, one exception being Android can have more than one real-time security app running at one time without them interfering with each other, so for more features and for extra security use two real-time security apps on Android. Especially if you get Bitdefender Mobile Security & Antivirus included in the yearly subscription fee of the Bitdefender Box 2 listed below (Norton Mobile Security and Antivirus, Norton Security has been proven in tests to be the best at protecting your computers and devices and Bitdefender Mobile Security & Antivirus, Bitdefender Total Security came out near the top in tests as well). But the Bitdefender Mobile Security & Antivirus app can have an issue with its app lock feature with at least the latest software update on the Samsung Galaxy S10+ mobile phones, where it causes the Bitdefender Mobile Security & Antivirus app to repeatedly crash when opening its app and when using other apps, probably when using other apps that are being app lock protected, I have emailed Bitdefender about it and they have now updated their app to correct this issue. The Bitdefender Mobile Security & Antivirus app can have another issue with its app lock feature where it sometimes doesn't lock the settings area of Android properly or at all, an app update and / or an Android update fixed this in the past, but it's now started happening again I think after the latest app update, I have emailed Bitdefender about it. I would like to add that when I said "the latest app update", I meant the latest app update at around the 12th of August 2020.
|
And this is a direct quote from the manufacturer's website "This smart security application focuses on preventing a malware infection by applying smart and intelligent rules that block bad processes behaviors. This tool can block threats not detected by your installed security solution. Add to your system an additional layer of defense to prevent infections by malware and ransomware! You don't have to configure anything, just install it and forget about it. We have already added more than 60 smart policies to improve your system security with this security application.". It blocks processes from running that are not meant to be run, it blocks remote scripts from running, it monitors and protects a wide range of programs and apps including MS Office apps, it blocks USB malware from running, it blocks processes that have command line strings commonly related to malware, it blocks execution of processes with .COM or .PIF, which are obsolete file extensions, it protects shadow copies of files from being deleted, it's very lightweight only using a few MBs of memory, etc. I would like to add that I have paraphrased some of the wording above using information from NoVirusThanks's website and possibly from other sources. And I would like to add that the manufacturer has since updated their product, changed their website and changed their wording, etc. So here is their features page on their website which has more up-to-date wording "Why OSArmor? Read Here".
|
But I have had one instance where I have had to temporarily disable NoVirusThanks OSArmor, which you can use in its settings. As with my custom strict settings that I have implemented in NoVirusThanks OSArmor, it was interfering with the installation process with one program that I was installing. So if you get a popup saying that NoVirusThanks OSArmor has blocked something and if the program and / or game that you are installing has issues, then uninstall the program and / or game, then temporarily disable (for a period of time that you choose) or disable using the normal disable button both in NoVirusThanks OSArmor and then reinstall the program and / or game and it should work correctly now. Then re-enable NoVirusThanks OSArmor, so that you continue to receive its protection. I would like to add that this has happened at least one more time with a different program that I was installing and I sometimes try to run the commands that were blocked to try and complete the installation process. But I think if this happens it's best to either repair the installation if possible or to uninstall the program and / or game and to reinstall it like how I have said above. |
Certain security, privacy and other features are not enabled or disabled or set to the correct values by default in browsers, so for Google Chrome go to chrome://flags and for Firefox go to about:config, etc. Here are some features that you should enable in Google Chrome, some of these features are only available on certain platforms: "Smooth Scrolling", "Site Isolation For Password Sites", "Strict site isolation", "Parallel downloading", "Treat risky downloads over insecure connections as active mixed content", "Detect target embedding domains as lookalikes.", "Strict-Origin-Isolation", "Safety Check on Android", "Show Safety Tip UI when visiting low-reputation websites", "Heavy Ad Intervention", "Heavy ad privacy mitigations" and "Enforce deprecation of legacy TLS versions".
|
I would recommend that you install these browser add-ons for security, for privacy and to block advertisements, etc. They are Norton Safe Web (which is a website grading scanner, a link scanner and which also includes banking protection. It's part of Norton Security and Norton 360.), Bitdefender Traffic Light (which is another website grading scanner, but it's free and part of what it does is it "Checks every web page you access for threats, phishing and fraud attempts.".) Adblock Plus (which is a brilliant free ad blocker), Malwarebytes Browser Guard and LastPass (which is a free encrypted password manager, that has a premium subscription option if you would like to buy it. I would highly recommend that you do, as it offers multiple benefits for your premium subscription.). Here are the premium subscription benefits of LastPass and here is my review of LastPass, this link will take you to another page on my website. I would like to add that it's not necessary to install these browser add-ons into all the browsers that you don't use, as just into the browsers that you use is enough, but I have now installed the supported browser add-ons into my other installed browsers that I sometimes use, just in case. But all these browser add-ons aren't available on every browser, as for an example Bitdefender Traffic Light isn't available on Microsoft Edge and all these browser add-ons are not available on Internet Explorer, etc. I have changed the above browser add-ons list to reflect new browser add-ons that I am recommending. And I would like to add that I found out on one of my current devices, that LastPass was not installed into one of my other installed browsers that I sometimes use, maybe it never was, so I have installed it now.
|
When the Bitdefender Traffic Light free addon is installed, make sure if you have the Norton Safe Web addon installed to turn off "Search Advisor" which "Checks the search results to warn against dangerous web pages before you access them.". This is because in a browser's search results say in Google, it will take the place of Norton Safe Web's search suggestions, which gives you a website grading next to the websites in the search results before you go on a website. So if you want the Norton Safe Web suggestions instead of Bitdefender Traffic Light's search suggestions, then do the above. But if you still want the protection of Bitdefender Traffic Light, make sure to keep turned on in Bitdefender Traffic Light, "Web Protection" which "Checks every web page you access for threats, phishing and fraud attempts.".
|
Buying and installing a UTM (unified threat management) device is a good idea, some can either replace your router or some can either work alongside your router, etc. So if it replaces your router, but you have a combined router / modem then put your router / modem into modem only mode and the UTM device will then become your router or double NAT, double firewall and have your router / modem still in router / modem mode with its DHCP server disabled, but also have a UTM device acting as a router and DHCP server as well. But the idea is that they constantly monitor your network, computers and devices for threats even devices that can not have security software installed on them, like for an example Bitdefender Box 2 does with Brute Force Protection (where it will protect from an attacker trying to brute force passwords and trying to brute force into your network, computers and devices), with Sensitive Data Protection (where it ensures no sensitive data like credit cards, usernames and passwords, personal information and location data is sent unencrypted because it will block the information being sent in that case), with Anomaly Detection (where it monitors your network, computers and devices and it learns how they normally operate and if they deviate from how they normally operate it will warn you), with Exploit Prevention (where it prevents attackers from using exploits that are present in network, computers and devices), with Vulnerability Assessment (where if a device that has vulnerabilities connects to your network it will warn you of this) and with Safe Browsing (where it will block malicious URLs, so this will help even further to block phishing and online fraud). I would like to add that I have paraphrased some of the wording above using information from Bitdefender's website and possibly from other sources, as I have learned a lot through the years. |
Also, with Advanced Parental Control (where it can filter out content that's inappropriate for children, it can warn you of attempts to access blocked websites, it can warn you of attempts to access blocked apps, it can warn you of a call or text from a blocked/unknown phone number, it can allow with the press of a button in the Bitdefender Parental Control Mobile app the sending of an arrived safe message instead of having to call or text to say / send it, it can protect your children's safety like from cyberbullying (only available until August 1, 2020) and online predators (only available until August 1, 2020), it can track where your children are, it can set zones that are restricted to give you warnings when those zones are entered and it can manage when your kids have access to the internet at home. But some of these require the Bitdefender Parental Control app or one of the Bitdefender security apps to be installed on your computers and devices). You can find out more about Bitdefender Box 2 here. I would like to add that I have paraphrased some of the wording above using information from Bitdefender's website and possibly from other sources, as I have learned a lot through the years. |
Some UTM devices come with subscriptions to real time security programs, but Norton Security has been proven in tests to be the best at protecting your computers and devices and some UTM devices will slow down your internet speed if you have a fast internet connection, say over 200 Mbps. Most UTM devices require a paid subscription, but having a paid subscription will usually offer more protection and will usually be updated more often. For home users I would recommend Bitdefender Box 2, as it has got great protection features, as it doesn't slow down your internet connection, as it's fast, as it auto updates itself to keep ahead of identified vulnerabilities, as it's sold at a great price for the features offered and for the inclusion of 1 year's worth of subscription in the price, as it has got a pretty good yearly renewal price for the features offered, as it has scored pretty good in reviews and as it has also got pretty good customer reviews, etc. As within the price of the yearly subscription you also get access to the Bitdefender security programs and apps, which provides lots of other benefits, including but not limited to Anti-Theft, App Lock, Malware Scanner, Web Protection, Account Privacy (which keeps a check on if your email addresses have been in a data breach) and a VPN that for each device provides 200MB per day that has no logging of your activities and that has no looking into your encrypted data, etc. I would like to add that I have paraphrased some of the wording above using information from Bitdefender's website and possibly from other sources, as I have learned a lot through the years. |
It can have a few installation issues, but once it's installed it runs fine and it's well worth a bit of your time to secure your network. There can be a few false positives, but it's better to have false positives than false negatives, so in the app it gives you an option to allow what has been blocked, but make sure you check that it's really something that you want to allow and make sure that it's a false positive first before you allow. If the app does not show some of your devices, it could be because if you have a wireless bridge network device that serves clients, the Bitdefender Box 2 might just see the wireless bridge network device and not the clients behind it or it may be that you have deleted the network devices from the list either by accident or on purpose and the devices do not show back up, even after changing the device's IP address because its MAC address probably does not change or the final thing it could be is that it makes a mistake and doesn't detect the device's MAC address even if the device's IP address is changed and it could be a combination of all of these things. And if you do not want to use its WiFi you can disable its WiFi, say if you already have a device or devices that provide WiFi that you would like to continue to use instead. But there is an issue and / or a bug in its firmware where if you disable its main WiFi then its LAN IP address range setting can get changed back to its default automatic IP address range setting instead of your custom LAN IP address range setting, if you have set a custom LAN IP address range setting. There is a way that I know of to counteract this by enabling its guest WiFi before disabling its main WiFi and if you don't want to use its guest WiFi, then you can disable its guest WiFi.
|
I would recommend that you set your DNS to CleanBrowsing DNS for free, as it will protect your computers and devices from bad websites, including malware, phishing & scam websites, etc. As it checks every website before you go on it to make sure it is safe and if it is not safe then it will be automatically blocked. They do not log any of your data, they are fast and they score very high on tests. Also, they can block adult sites, explicit, other unsafe content and mixed adult content, etc. Additionally, they can enforce Safe Mode on Google, Bing and YouTube and they can block proxy and VPN domains that are used to bypass the filters, etc. Finally, all these additional filter options you can choose whether to use them or not, but all the filter options include protection for malware, phishing and scam websites, etc. This is to keep you safe with this first layer of protection for your network. I would like to add that I have paraphrased some of the wording above using information from CleanBrowsing's website and possibly from other sources.
|
When visiting HTTPS websites your ISP can only see what website you are on, not what page you are on, but with an encrypted DNS your ISP can only see what IP address you have been sent to and as multiple websites can be hosted by a single IP address that's why it makes it much harder for your ISP to know what websites you have been visiting. If you are not visiting HTTPS websites, then your ISP can see what page you are on as well as all the data being transmitted to and from the websites, even with your DNS encrypted and your SNI encrypted. This is due to the websites themselves not transmitting encrypted data. When I said "but with an encrypted DNS your ISP can only see what IP address you have been sent to", I was not including SNI, as with SNI (Server Name Indication) your ISP can still tell what websites you have been sent to because they can see the domain names of the websites. But thankfully encryption for that is now possible due to TLS 1.3, so SNI will soon be encrypted as well.
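What an on-path observer such as an ISP can read from the first message of an HTTPS connection, as an added example that is not part of the original page: the Python sketch below builds a real TLS ClientHello in memory (nothing is sent over the network) and reads the website name out of its unencrypted SNI extension. The hostname shop.example is a constructed placeholder.

```python
import ssl
import struct


def build_client_hello(hostname):
    """Return the bytes a client sends first when it opens an HTTPS connection."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = context.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written and the client now waits for a server
    return outgoing.read()


def extract_sni(record):
    """Return the hostname found in the SNI extension of a ClientHello, or None."""
    try:
        if record[0] != 0x16:  # TLS record type 22 = handshake
            return None
        record_len = struct.unpack("!H", record[3:5])[0]
        handshake = record[5:5 + record_len]
        if handshake[0] != 0x01:  # handshake type 1 = ClientHello
            return None
        hello = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
        pos = 2 + 32                                           # version + client random
        pos += 1 + hello[pos]                                  # session id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher suites
        pos += 1 + hello[pos]                                  # compression methods
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0:  # server_name extension
                # layout: list length (2), name type (1, 0 = hostname), name length (2), name
                name_len = int.from_bytes(data[3:5], "big")
                if data[2] == 0:
                    return data[5:5 + name_len].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # truncated or malformed input


if __name__ == "__main__":
    hello = build_client_hello("shop.example")  # constructed hostname
    print("bytes on the wire:", len(hello))
    print("hostname readable without any key:", extract_sni(hello))
```

The page path never appears in the ClientHello, because the HTTP request is only sent after the handshake has set up encryption.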
|
Always remember before doing any update that it's best to check the reviews and / or comments for the update in question, but really it's only worth doing every time if it's an update to an operating system for a critical machine, to a critical piece of software or to a critical app, etc. As you can usually revert back to a previous update version if there is trouble, this is fine if it's an update to nothing that's really important, but it's not fine if it's to an operating system for a critical machine, if it's to a critical piece of software or if it's to a critical app, etc. Because any downtime could either be costly, could take time to fix or could possibly be dangerous to life, etc. |
If not done automatically I would recommend that you always check for new Windows updates manually and that you then choose whether to install important Windows updates. Also, it is a good idea if supported to check for new optional Windows updates manually and to choose which optional Windows updates to install if any, this is so you can get the latest Windows security patches and updates. Like for an example the Windows security patch to block WannaCry ransomware and the Windows security patch to protect against the Meltdown CPU flaw. Additionally, to resolve general Windows issues and bugs, and to access new Windows and software features if supported. But even though optional Windows updates are validated and production quality, they can contain bugs and those bugs could harm your computers, devices and files, etc. So be careful, as if in doubt just wait for the main Windows update releases and the optional Windows updates will disappear. I would like to add that when I said "and the optional Windows updates will disappear.", I meant all the optional Windows updates that are replaced by the main Windows update releases will disappear. And I would like to add that this part "optional Windows updates are validated and production quality" was paraphrased from I think this website, because there are also other websites with this information, but there is more information here about Windows updates. There are possibly other websites that helped me, but I think they get their information from this source and / or from this source, these two Microsoft sources probably share information.
|
And you can enable random hardware addresses by going to settings, then to Network & Internet, then to WiFi and by enabling the option, this is to make it harder for people to track your location when you connect to different WiFi networks and this is to prevent listeners from using MAC addresses to build a history of device activity, thus increasing user privacy, this setting applies to new connections. I would like to add that these parts "this is to make it harder for people to track your location when you connect to different WiFi networks and this is to prevent listeners from using MAC addresses to build a history of device activity, thus increasing user privacy" were paraphrased from I think these websites "Privacy: MAC Randomization", "How to enable a randomized MAC address in Android 10" and "How to use random hardware addresses". There are possibly other websites that helped me, but I think they get their information from these sources anyway. |
I would also recommend that you go to settings, then to privacy and that you disable all the settings that are a privacy risk, that could be used to track you in Windows 10 and to set all of the security settings correctly. I would recommend that you go to services.msc and that you disable all of the services that are not needed or that are a security risk, you can find out which those are by searching them online, as each person might have different requirements I would not like to provide exact services and settings to disable or enable, etc. When updating Windows 10 certain settings and services can change, so it's a good idea to re-check your security and privacy settings and your services settings after a Windows 10 update.
|
Also, all this can be done even in Windows 10 Home Edition and you can permanently disable the Windows update service in services.msc to disable all Windows updates, if disabled I would recommend that you enable the Windows update service again when the bad Windows updates have been corrected by new Windows updates. Finally, you can now defer major feature Windows updates for up to 365 days, you can now defer quality Windows updates for up to 30 days and you can pause all Windows updates for 7 days.
|
Always remember to scan archive files before you open and / or extract them, e.g. RAR and ZIP files, etc. This is because they could contain viruses, malware or spyware, etc. And by opening and / or extracting them before scanning them there is a chance that those files could be extracted into the temporary folder. Also, only download from websites that you trust, especially when you are directly downloading EXE (executable files), as they could contain viruses, malware or spyware, etc. But if you do forget to do this like I do sometimes, don't worry, this is because Norton Security and Norton 360 have Auto-Protect which will automatically detect when viruses, malware and spyware, etc. are extracted and it will quarantine them automatically, but don't rely on that, as it's not foolproof, as nothing really is, that's why you have to be very smart about how you protect your computers and devices and that's why you and I have to keep always remembering to continue to do the best that we can when securing our computers and devices.
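One way to look inside a ZIP file before anything is extracted, as an added example that is not part of the original page: the Python sketch below reads each member in memory, hashes it, and flags executable content and file names that would land outside the extraction folder. The sample archive, its file names, the extension list and the size limit are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Assumption: extensions treated as risky in this sketch.
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk")
MAGIC = {b"MZ": "Windows executable header", b"\x7fELF": "Linux executable header"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumption: members larger than this are not read


def triage_zip(data):
    """Inspect every member of a ZIP held in memory; nothing is written to disk."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "sha256": None, "reasons": []}
            report.append(entry)
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith("/") or ".." in parts:
                entry["reasons"].append("path points outside the extraction folder")
            if info.filename.lower().endswith(RISKY_EXTENSIONS):
                entry["reasons"].append("executable or script extension")
            if info.flag_bits & 0x1:
                entry["reasons"].append("password protected, contents cannot be checked")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                entry["reasons"].append("very large when unpacked")
                continue
            digest = hashlib.sha256()
            with archive.open(info) as member:
                head = member.read(4)  # first bytes reveal the real file type
                digest.update(head)
                for chunk in iter(lambda: member.read(65536), b""):
                    digest.update(chunk)
            entry["sha256"] = digest.hexdigest()
            entry["reasons"] += [label for magic, label in MAGIC.items()
                                 if head.startswith(magic)]
    return report


def build_sample_zip():
    """Constructed sample archive: one harmless file and two suspicious-looking names."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("notes.txt", "meeting at 10\n")
        archive.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # only a header, not a program
        archive.writestr("../startup/run.bat", "echo constructed sample\r\n")
    return buffer.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        status = "; ".join(entry["reasons"]) or "nothing flagged"
        print(f'{entry["name"]}: {status} (sha256 {entry["sha256"]})')
```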
|
The bad news is there are CPU security flaws that have been identified on virtually everyone's CPUs that have been manufactured in the last 20 years, they are called Meltdown and Spectre which have many different variants. This is for Intel, AMD and ARM CPUs, etc. Spectre essentially gets programs and / or your systems to perform unnecessary operations - this leaks data that should stay confidential, whereas Meltdown also grabs information - but essentially it simply snoops on memory used by programs and / or your systems in a way that would not normally be possible. I would like to add that the parts above about what Spectre and Meltdown do were paraphrased, but I cannot remember which source I got the original wording from, as multiple sources say the same original wording, so here is a link to a source that says the original wording "Meltdown and Spectre: How chip hacks work". The good news is you can protect against the Meltdown and Spectre CPU security flaws and you can do this by updating and keeping up-to-date your browsers, GPU drivers, system monitoring/management programs, Google programs and apps, etc. All to receive security update patches. But most importantly by updating your operating system and your BIOS / CPU microcode firmware, to receive security update patches as well.
|
Intel have released a Spectre security update patch for the different CPU microcode firmware versions, Microsoft have distributed it and it can also be downloaded from Intel directly for Linux, but now they have started manufacturing CPUs that contain hardware protection for Spectre and Meltdown, as they contain hardware fixes. Also each manufacturer should distribute these security update patches as well. AMD have released a Spectre security update patch for the different CPU microcode firmware versions, Microsoft have distributed it. Also each manufacturer should distribute these security update patches as well. Firefox have already released a Meltdown/Spectre security update patch for their browser. Microsoft have already released a Meltdown/Spectre security update patch for their Microsoft Edge and Internet Explorer browsers. Google have released a Meltdown/Spectre security update patch for their Chrome browser. Finally, Apple have also already released a Meltdown/Spectre security update patch for their Safari browser. And the list goes on. |
Make sure your security is up-to-date, don't click/tap on suspicious links, don't go on suspicious websites, don't download suspicious programs / apps, only download from credible sources and always scan files before extracting and / or installing them. As if you have a secure system then nothing can use the Spectre and Meltdown CPU security flaws before you have fully patched them, because they require malicious code to be running on your system for these CPU security flaws to be acted upon. Also, if your programs are up-to-date and if they have security update patches they will protect against these CPU security flaws even more, as there will be even less of a chance they can be acted upon by malicious code before you have fully patched them. But always remember to apply security update patches as soon as they are released.
|
On Android, starting from Android 8 onwards, you can enable randomised MAC addresses by going to settings, then to connections, then to Wi-Fi and by enabling this option when you connect to a new WiFi network or by enabling this option in the settings of an already connected WiFi network. You can enable a setting in the developer options to cause this setting to be the default choice when connecting to new WiFi networks even using Android 9. Even better news is that starting from Android 10 this option has been made the default choice when connecting to new WiFi networks. This setting is to make it harder for people to track your location when you connect to different WiFi networks and this is to prevent listeners from using MAC addresses to build a history of device activity, thus increasing user privacy. I would like to add that these parts "This setting is to make it harder for people to track your location when you connect to different WiFi networks and this is to prevent listeners from using MAC addresses to build a history of device activity, thus increasing user privacy" were paraphrased from these websites "Privacy: MAC Randomization", "How to enable a randomized MAC address in Android 10" and "How to use random hardware addresses". There are possibly other websites that helped me, but I think they get their information from these sources anyway. I enable randomised MAC addresses for new WiFi connections away from our home's WiFi. But it's easier to have a static MAC address for our devices connecting to our home's WiFi, as it helps our Bitdefender Box 2 UTM (unified threat management) device by making sure that it doesn't keep thinking that a new device has connected when it's just the same device with a new randomised MAC address and by the customised settings for that device not having to be set again, etc. |
You can test your browsers to see if they are checking for revoked HTTPS certificates on websites using GRC's "HTTPS Certificate Revocation Awareness Test". If they are, that means if a website revokes its HTTPS certificate you will not be able to access a website that uses that HTTPS certificate. This is so a website cannot trick you into thinking that it's the website listed on the HTTPS certificate. But if your browsers don't check for revoked HTTPS certificates on websites, that means if a website revokes its HTTPS certificate you will still be able to access a website that uses that HTTPS certificate, so a website could trick you into thinking that it's the website listed on the HTTPS certificate when it's not. A website could have been made to look like the website listed on the HTTPS certificate. They would have had to have compromised the HTTPS certificate itself to gain access to it, that's why the website listed on the HTTPS certificate would have revoked it to prevent it from being used by anyone else. GRC's "HTTPS Certificate Revocation Awareness Test" is not working at the moment, but here is another website that has loads of browser tests on it, including a "revoked" HTTPS certificate test. The website is called "badssl.com". I emailed GRC to tell them that their website's subdomain is not revoked anymore and to tell them other things, but now their website's subdomain is revoked again, like it should be for their "HTTPS Certificate Revocation Awareness Test" to work. |
You can obtain Perfect Passwords using GRC's "Ultra High Security Password Generator", they are 63-64 characters long and each one is completely random with a GRC guarantee that no similar passwords will ever be produced again. Their page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection. Also, their page is custom generated each time just for you so it will not be cached by the GRC website servers or be visible to anyone else. So the password it generates is private. These passwords use a massive 512 bits of security, so they are perfect for a wireless security password, etc. Finally, if you don't like entering the long password into each device manually, just use WPS Push Button connect or a device's WPS client randomly-generated security personal identification number (PIN) that you enter into your router, both ways can be used to connect your devices to your router and they save time if your router supports it. The other way would be to just copy and paste the long router password into your device if your device supports it. I would like to add that I have paraphrased some of the wording above using information from GRC's website and possibly from other sources, as I have learned a lot through the years. |
You can use GRC's "Interactive Brute Force Password Calculator" to check and see how long it would take to find your password if an attacker had to try every possible combination, as if you don't use passwords with dictionary words in them an attacker has to find your password using brute force by trying every possible combination. Also, the passwords you enter are only locally temporarily stored in your browser, they never leave your browser and that means the GRC website servers do not know the passwords you enter, so your passwords are still private. I would like to add that I have paraphrased some of the wording above using information from GRC's website and possibly from other sources, as I have learned a lot through the years.
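The brute-force arithmetic described in the two paragraphs above, as an added example that is not GRC's code or part of the original page. The character-class sizes, the guess rates and all function names are assumptions of this example.

```python
import secrets
import string

# Character classes and their sizes (assumed here): 95 printable ASCII in total.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)
PRINTABLE = "".join(chars for chars, _ in CLASSES)

# Assumed attacker speeds in guesses per second, for illustration only.
ASSUMED_RATES = {
    "online, throttled": 1e3,
    "offline, fast": 1e11,
    "offline, large cracking array": 1e14,
}


def generate_password(length=63):
    """Random printable-ASCII password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def alphabet_size(password):
    """Smallest alphabet an exhaustive search must cover to reach this password."""
    if any(c not in PRINTABLE for c in password):
        raise ValueError("only printable ASCII is modelled here")
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password):
    """Candidates of every length from 1 up to len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst case: the attacker tries every candidate before finding it."""
    return search_space(password) / guesses_per_second


def humanize(seconds):
    units = (("centuries", 3.156e9), ("years", 3.156e7), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(password):
    """One line per assumed attacker speed."""
    lines = [f"alphabet {alphabet_size(password)}, length {len(password)}"]
    for name, rate in ASSUMED_RATES.items():
        lines.append(f"{name}: {humanize(seconds_to_exhaust(password, rate))}")
    return lines


if __name__ == "__main__":
    # Constructed samples: a 12-digit PIN, a short mixed password, a 63-character random one.
    for sample in ("123456789012", "Tr0ub4dor&3", generate_password()):
        print("\n".join(report(sample)), end="\n\n")
```

The figures only hold for exhaustive search; a password built from dictionary words falls to a wordlist long before the full search space is covered.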
|
Choose strong personal identification numbers (PINs) for your mobile devices, preferably a minimum of 12 digits, or choose strong passwords that are a minimum of 10 characters for your mobile devices and other devices. I would also recommend that you turn off the "Make passwords visible" option in the Android security settings, because it shows the last number and / or letter as you type, and this could be your lockscreen PIN / password, so it can be a security risk. But do not use fingerprint or face authentication, as they have been proven to have security vulnerabilities that can be exploited. I would like to add that using fingerprint authentication is acceptable on Windows with LastPass, as LastPass doesn't support PIN authentication on Windows, so your potentially very long LastPass master password would have to be entered in each time you login without using fingerprint authentication, but to make it more secure you can use double two-factor authentication by having fingerprint login and then having it request a second two-factor authentication method after. I would like to add that some devices do not support 12 digits for their lockscreen, so on those devices just use the maximum digits they allow, as anything is better than nothing. But our emergency mobile phone that we mainly have just for emergency purposes didn't really need a lockscreen PIN set and a SIM PIN set at all, but I have set them both anyway.
|
For the Windows 10 lockscreen I would recommend that you enable these settings by using these commands in the CMD command prompt: "net accounts /lockoutthreshold:5", replacing 5 with the number of times a wrong password has to be entered to trigger the lockout. Then "net accounts /lockoutduration:30", replacing 30 with the duration of time that you have to wait when the number of wrong passwords has been entered that has triggered the lockout. Finally, "net accounts /lockoutwindow:30", replacing 30 with the duration of time that you have to wait before the wrong passwords count will be reset to 0 without triggering the lockout. So with the above commands an attacker would have to wait 30 minutes if they tried 5 passwords or would have to wait the same 30 minutes if they tried fewer than 5 passwords; this slows to a crawl the brute force attack speed where an attacker tries every possible combination until they find your password. This is like what the LastPass encrypted password manager does with their customisable iterations count, which makes it harder and more time consuming for the attacker to brute force your master password. Here is information from Microsoft about the "Account Lockout Policy", here is information about "How to Change Account Lockout Duration for Local Accounts in Windows 10" and here is information about the "Net accounts command". I would like to add that these websites helped me to learn this knowledge and possibly other sources helped me, as I have learned a lot through the years. And I would like to add that I think I have not enabled these settings on my desktop until recently, but I have now enabled these settings on my desktop to protect its lockscreen from password brute force attacks as well.
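To see what the three lockout values are worth in practice, the following added example (not part of the original page) parses the output of "net accounts" and works out how many guesses per day the policy still allows. The sample output is constructed and abridged, English-language Windows output is assumed, and the function names are hypothetical.

```python
import re


def sample_output(threshold, duration, window):
    """Constructed, abridged `net accounts` output for the given values."""
    rows = [
        ("Minimum password length:", 0),
        ("Lockout threshold:", threshold),
        ("Lockout duration (minutes):", duration),
        ("Lockout observation window (minutes):", window),
        ("Computer role:", "WORKSTATION"),
    ]
    body = "\n".join(f"{label:<54}{value}" for label, value in rows)
    return body + "\nThe command completed successfully.\n"


FIELDS = {
    "threshold": r"^Lockout threshold:\s+(\S+)",
    "duration": r"^Lockout duration \(minutes\):\s+(\S+)",
    "window": r"^Lockout observation window \(minutes\):\s+(\S+)",
}


def parse_lockout_policy(text):
    """Return threshold/duration/window as ints; 'Never' becomes None."""
    policy = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"field not found: {name}")
        value = match.group(1)
        policy[name] = int(value) if value.isdigit() else None
    return policy


def max_guesses_per_day(policy):
    """Upper bound on guesses against one account in 24 hours.

    Returns None when lockout is disabled, because guessing is then unthrottled.
    """
    n, duration, window = policy["threshold"], policy["duration"], policy["window"]
    if not n:
        return None
    # Pattern 1: trip the lockout, wait out the duration, repeat.
    # A duration of 0 means locked until an administrator unlocks the account.
    trip = 1440 * n / duration if duration else 0.0
    # Pattern 2: stop one guess short of the threshold and wait for the counter to reset.
    creep = 1440 * (n - 1) / window if window else 0.0
    return max(trip, creep)


def years_to_exhaust(keyspace, policy):
    """Worst-case years to try `keyspace` candidates under the policy."""
    per_day = max_guesses_per_day(policy)
    if per_day is None:
        return None
    if per_day == 0:
        return float("inf")
    return keyspace / per_day / 365.25


if __name__ == "__main__":
    for values in (("Never", 30, 30), (5, 30, 30), (5, 30, 10)):
        policy = parse_lockout_policy(sample_output(*values))
        print(policy, "->", max_guesses_per_day(policy), "guesses/day")
```

With 5/30/30 the bound is 240 guesses per day; shortening only the observation window to 10 minutes raises it to 576, because staying one guess below the threshold then beats waiting out the lockout.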
|
Enable two-factor authentication in all your accounts that support it, this will add an extra layer of security to your accounts, so when you want to sign in it will ask you to enter your password and it will also send you a temporary random code each time to either your email address or to your phone number via a call or a text or it will generate one in an app like the Google Authenticator app or on a physical hardware key that you will have to plug in each time, etc. Google account's two-factor authentication will pop up a yes or no prompt on signed in devices, to ask whether or not to allow the new device to sign into your Google account. I would like to add that other companies can have their own method of a two-factor authentication popup verification prompt, either using their own app or using a different company's / person's app or using another method, etc. I would also like to add that I know sometimes disabling two-factor authentication temporarily is needed or is thought to be needed even if it's not, as even I have to do this if I am changing around settings or if I am testing things out, etc.
|
You can use GRC's "DNS (Domain Name Server) Spoofability Test" to check the spoofability protection of the DNS server(s) you use. When you visit a website, the DNS provider you use has already worked to get you to that website, because they have located and identified that website by using that website's domain name to match it to its IP address, as it's a lot easier to remember a website's domain name instead of its IP address. Spoofability is where an attacker redirects you to a false website even when you have typed in the correct domain name of that website. So that's why spoofability protection is so important, as it prevents an attacker from being able to redirect you to a false website without your knowledge.
|
I would recommend that you disable UPnP in your router / modem and devices, as UPnP basically automatically port forwards ports in your router / modem's firewall, this in itself is a bad idea, as it may decide to port forward a bunch of ports leaving your network open and vulnerable to an attack. But it's even worse than that, as there are so many vulnerabilities in UPnP itself, which can allow attackers to tell UPnP to port forward say all your router / modem's ports leaving your network totally open and totally vulnerable to the internet and to attackers and UPnP will obey as it has no authentication, so any device inside of your network can just ask UPnP to port forward any port. The better way to port forward is to just do it manually yourself, then you know exactly what ports have been forwarded, as devices could ask for far more ports to be opened than are needed. Here is information from How-To Geek that helped me, about "Is UPnP a Security Risk?". Also, here is another page from GRC's website that has helped me, it's called "UnPlug n' Pray" and you can use this test to make sure UPnP is disabled on your Windows computers and devices. I would like to add that I have paraphrased some of the wording above using information from How-To Geek's website and possibly from other sources, as I have learned a lot through the years. |
I would also recommend that you uninstall Java if it's not needed or, if you want it left installed, that you choose for it to ask first to allow activation, so you only choose to activate it in your browser if you trust the website that's asking for your permission to activate Java, as Java has lots of security vulnerabilities in it and I do not think a lot of websites are using Java much now anyway.
|
I would recommend that you enable all security features in your router / modem, like for example Asus's AiProtection with their enterprise grade security, as it does help to protect your local network and devices from attacks, but AiProtection at the moment can cause a RAM leak on some Asus router / modems, where the RAM usage keeps increasing until it causes the router / modem to crash / freeze / lock up and depending on the settings you choose it will need to disable NAT acceleration to be able to inspect packets more effectively, which will probably slow down your internet speeds if you have internet speeds of over 100Mbps. Here is a YouTube video called Safer Internet for Your Family and Devices - AiProtection | ASUS. Also, YouTube and other websites can be slow on Chrome, because of an experimental feature that routes QUIC Protocol traffic over UDP for certain websites, YouTube being one of them for videos, etc.; this is meant to be more efficient and to improve performance.
|
OpenVPN is excellent if you want to remote into your local network in a safe and encrypted manner. Opening a port specifically for OpenVPN is safe, as OpenVPN doesn't respond to pings, provided OpenVPN is configured in a secure manner and properly firewalled. It can further be protected using tls-crypt, as using an additional tls-crypt security key file will mean that the OpenVPN server will not even respond and will not ask for authentication without it receiving the first tls-crypt security key file, etc. Because quantum computers will be around at some point, it's a good idea to make sure that you use post-quantum cryptography, to be more secure against quantum computers, because they will be able to quickly solve the pre-quantum cryptography. Using post-quantum cryptography is a good idea for lots of different applications, like OpenVPN, OpenSSH, HTTPS encryption with SSL/TLS and SSL certificates, etc.
|
I would recommend that you set your router's wireless security encryption to WPA2 if it's available and if it has been vulnerability patched (because WiFi security can have lots of vulnerabilities), WPA2-PSK AES Personal if you're a home user or to WPA2 IEEE 802.1X Enterprise if you're a business. And even better if WPA3 is available and it has been vulnerability patched (because WiFi security can have lots of vulnerabilities), WPA3-SAE Personal if you're a home user or WPA3 IEEE 802.1X Enterprise if you're a business, as these provide the highest level of security encryption, if your router supports them. Your device may constantly broadcast its saved networks list of WiFi SSID names that have been saved in your device, I would like to add this is only when your device is probing for a WiFi network to connect to, hence why I said "may constantly". An attacker can pretend to be the open unencrypted WiFi SSID name that's in your device's saved networks list, which means your device will try to connect to their rogue WiFi, because it's using the SSID name that you have connected to using your device in the past and I would like to add that this only works for SSID names that are using open unencrypted WiFi only.
|
I would recommend if you are connecting to open unencrypted WiFi that you also use a VPN (virtual private network) like OpenVPN, if you have a fast enough Internet upload speed at your home and if you have a server at your home, then you can install and setup an OpenVPN Server for free, then you can connect to your home's LAN (local area network) when you are out and about, just as if you were at home and all of your data will be encrypted all the way back to your home. Here is my review of OpenVPN, this link will take you to a different location on this page of my website, it takes you to the previous section directly above. I would like to add that when I said "this link will take you to a different location on this page of my website, it takes you to the previous section directly above.", this was the case when this wording was in the section directly above, but now this wording is in this section. So this link will take you to the same previous section, but it's now further up this page of my website instead. But if you do not have a fast enough Internet upload speed at your home and if you do not have a server at your home, then you can pay to use a commercial VPN (virtual private network) and your data will be encrypted all the way to their server(s), a VPN service may be included with one of your security subscription services, etc. |
I would also recommend that you check your router's firewall to make sure it's set to its maximum setting and if it's not then set it to its maximum setting, if your router supports it. Also, I would recommend that you set your router's firewall to enable DoS protection and / or DDoS protection, if your router supports it and I would recommend that you disable your router's remote management feature / function, as if the remote management function is enabled your router's login page is accessible by anyone on the internet, if your router supports it.
|
I would recommend that you encrypt any data that's personal, I would also recommend that you backup your data whether your data is encrypted or not and that you encrypt any backups, as for example if an encrypted container gets corrupted you could lose all the data inside of it. Creating an encrypted backup of the encrypted container's volume header is also a good idea to try and prevent you from losing all the data inside of it, as in case it gets corrupted you can try and restore its volume header from the encrypted backup. But I would like to add that some countries prohibit the use of encryption / cryptography, so it's a good idea to check your own country's laws on encryption / cryptography. You can check for issues like protected system files data corruption and you can check if protected system files have been replaced by using this command in the CMD command prompt "SFC /SCANNOW". Another way to check for system component store data corruption is by using this command in the CMD command prompt "DISM /Online /Cleanup-Image /ScanHealth" and if there's any system component store data corruption use this command in the CMD command prompt "DISM /Online /Cleanup-Image /RestoreHealth". To check for errors and data corruption on any drive, for example a drive formatted in NTFS, use this command in the CMD command prompt "CHKDSK C:", replacing C: with your drive's letter, so for example D: is another drive letter that could be used. If any issues are found run "CHKDSK C: /F", where the /F is to fix errors on the drive, again replacing C: with your drive's letter.
|
When you delete files or folders using the recycle bin or using the permanent delete option it doesn't delete them, as it just tells the OS (operating system) to mark the space that the files or folders are occupying as free space, so other files and folders can overwrite the files or folders that you have deleted using the recycle bin or using the permanent delete option, with the exception of SSDs that have TRIM enabled and / or that use TRIM manually, as TRIM tells their garbage collection algorithms to erase the pages in the blocks that fragments of your deleted files are in sooner. But the problem is that this can take a long time for the space of the files or folders that you have deleted using the recycle bin or using the permanent delete option to be overwritten by other files or folders. So the solution is to use a file and folder shredder, that overwrites your files and folders while it is deleting them or after it has deleted them or another solution for hard drives is to wipe their free space, which will make sure that your deleted files and folders are erased.
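What a file shredder does before it deletes, as an added example that is not part of the original page or taken from any particular shredder program. The function names and the sample file are constructed for illustration, and the overwrite is only meaningful where the file system writes in place on a hard drive; on SSDs and on copy-on-write or journaling file systems the new data can land in different physical blocks.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files do not fill RAM


def overwrite_in_place(path, passes=1):
    """Replace every byte of the file with random data; return the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: write into the existing file, no truncation
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # ask the OS to push the new contents to the drive
    return size


def shred(path, passes=1):
    """Overwrite, rename to a random name, then delete. Returns bytes overwritten."""
    written = overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)            # the old file name no longer sits in the directory entry
    os.remove(anonymous)
    return written


def demo():
    """Shred a throwaway file holding constructed data and report what happened."""
    marker = b"constructed sample secret"
    content = (marker + b"\n") * 1000
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "notes.txt")
        with open(path, "wb") as f:
            f.write(content)
        overwrite_in_place(path)
        with open(path, "rb") as f:
            after = f.read()
        written = shred(path)
        return {
            "size_kept": len(after) == len(content),
            "plaintext_survived": marker in after,
            "bytes_overwritten": written,
            "file_exists": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```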
|
SSDs can only write to blocks once the data in the pages in the blocks has been erased first, so by using TRIM it makes sure that anything that has been deleted is actually marked for erasure, so that the garbage collection algorithm can erase the data in those pages in those blocks. This makes writing faster, as when an SSD is writing data to a page in a block that has been marked as free space, but that still contains data in it due to the fragments it contains being deleted, but not actually erased yet, these pages in these blocks don't need to be erased before writing to them anymore, so it speeds up writing. Also, the deleted data in those pages in those blocks doesn't need to be moved around to be written to other blocks, when the garbage collection algorithm has to save some pages in a block that has undeleted data in them. So TRIM saves the SSD from performing unnecessary writes of deleted data to new pages in new blocks and so TRIM just marks the pages in the blocks for erasure that contain fragments of data that has been deleted, but not erased yet.
|
If a drive has bad sectors, then it cannot erase the data stored in the bad sectors, so I would recommend that you also check your drive for bad sectors, so that you know if there are any bad sectors in which some data might still remain on your drive. I would also recommend that you run drive tests and smart tests on your drives, which is a good practice to follow regularly anyway to check the health of your drives. This video from "Vsauce" on YouTube got me thinking about bad sectors when erasing data "Where Do Deleted Files Go". I am sorry when I originally linked to this video, as I had linked to this video but it had been re-uploaded by someone else. Good job I double checked this video that I had linked to, as I had missed this issue, because obviously I want people to watch the original video from "Vsauce" on YouTube. But it was only on my website for a short amount of time anyway. |
When I was much younger, before I knew to use all of these programs, apps, settings and this knowledge, I had a takeover caused by a virus or viruses, malware and / or spyware, etc. As it was so long ago I cannot fully remember how it happened or what was installed in the form of protection at the time, I think there was just an old version of Norton 360 installed which was new at the time, but I don't think it was properly set up for the highest protection, which you can do in the settings now. And over the years I, like anyone, have had detections caused by a virus and / or viruses, malware and / or spyware, etc. I am not going to lie and say that I have not, but the difference while using all of these programs, apps, settings and this knowledge is that they don't take over, because they get detected, stopped and if they are on your computer and / or device they get removed. The reason I left this wording out was because I thought it would be too hard and / or too messy and / or too lengthy to explain, etc. But in the end I have explained it now.
|
This knowledge was obtained from many sources over a long period of time typed in my own words and parts of this knowledge was copied from many sources and pasted into this page, edited by me (I would like to add when I said edited by me, I meant paraphrased by me), all to help you secure your computers and devices, but that's part of what life is about accumulating knowledge. This page can be modified at any moment, so check back regularly to see the modified version. |