FAQ – Security Handbook

Alpha release:

  • unrevised translations – should improve in near future
  • translated chapters: Basics

Computer security is nowadays a critical – yet, sadly, regularly underestimated – matter. Users often fail to understand why they should care. Security is a ubiquitous factor of human life, but people typically perceive only one of its aspects: their physical security. For instance, a person usually doesn’t climb mountains without climbing gear, because they see the risks and the possibly fatal consequences. Computer security is mostly an abstract term: the risks and possibly fatal consequences aren’t visible to the eye, and picturing them requires a significant amount of imagination. This, along with insufficient education of the general public, is the main reason people don’t understand that neglected computer security may have consequences as fatal as those of neglected physical security.

Our society largely depends on computer systems and smart devices – e.g. water treatment, food or pharma production, smart cars, home security systems, military, finance management, personal communication, … This dependence will probably only grow. An attacker can effectively poison a whole city by attacking a water treatment facility; attacking a smart car would probably have fatal consequences for the passengers. However, even when a personal device is hacked, the extraction and leakage of sensitive data may prove fatal to the user. It’s therefore essential that everyone accepts computer security as an everyday factor of their lives and treats it the same way as their physical security.

No device can ever be 100% secure, as there are too many variables in the process (physical security, HW, SW, user comfort, …). Security is all about compromise. The chapters of this handbook focus on achieving the most effective security with minimum loss of user comfort. If everyone adhered to the provided recommendations and applied the provided steps, attacking user devices would be much more difficult and, as a result, more expensive.


FAQ – Security Basics

Glossary:

  • hacker – an individual misusing their knowledge, e.g. in computer security, for personal gain (the definition originally comes from the term cracker)
  • malware – generic term for malicious software, which further divides into many categories
  • ransomware – software preventing the user from accessing their data and demanding payment to restore such access
  • adware – software containing ads and displaying them to the user
  • rootkit – code intended to mask the presence of other malware in the OS and hinder its detection
  • exploit – code taking advantage of a software vulnerability in order to perform a specific (typically malicious) action
  • zero-day (0-day) – vulnerability exploited on the day of its disclosure (or prior to it)
  • payload – core part of malware code responsible for the key malicious action

Basic Security Guidelines:

  • Periodically back up user data.
  • Always use the latest patched original version of the OS.
  • Refrain from using illegal software – most cracks are infected.
  • Prior to performing any action, double-check its authenticity.
  • Install applications exclusively from trusted sources: official website / Microsoft Store.
    • on mobile devices: Google Play / Apple Store
  • Use strong passwords that are easy to remember. Use different passwords for various services, consider using a password manager.
  • Password Strength. Source: xkcd | CC BY-NC 2.5
  • On mobile devices:
    • don’t perform root / jailbreak – such action destroys the respective OS’s security model
    • avoid installing apps requesting unreasonable permissions (e.g. Flashlight+ demanding access to your SMS and contacts)
  • Pay attention to where you enter your data – selling personal data is a highly profitable business.
  • Don’t forget the physical security factor – lock your device, set a UEFI password, disable boot menu, refrain from unlocking the bootloader,…
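
The "strong passwords that are easy to remember" guideline above, as an added example (not part of the original handbook): a passphrase generator with an entropy estimate. The word list is a small constructed sample and all function names are assumptions of this example; the estimate holds only when every word is picked at random by the program, not chosen by the user.

```python
import math
import secrets

# Constructed sample list, far too small for real use. A real generator
# should load a large published list (e.g. the 7776-word EFF diceware list).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "marble", "napkin",
    "orange", "pencil",
]


def entropy_bits(pool_size, length):
    """Entropy of `length` symbols drawn uniformly and independently
    from a pool of `pool_size` symbols (words or characters)."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 and a length of at least 1")
    return length * math.log2(pool_size)


def words_needed(wordlist_size, target_bits):
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words, sep="-"):
    """Pick `n_words` with a CSPRNG; duplicates in the list are removed
    first because they would silently lower the real entropy."""
    unique = sorted(set(wordlist))
    if len(unique) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(unique) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 4)
    print("sample passphrase:", phrase)
    # Four words from a 2048-word list vs. eight random printable characters.
    print("4 words / 2048-word list:", entropy_bits(2048, 4), "bits")
    print("8 chars / 94 symbols:", round(entropy_bits(94, 8), 1), "bits")
    print("words for 80 bits (7776-word list):", words_needed(7776, 80))
```

A generated passphrase belongs to one service only; the password manager recommended above removes the need to memorize more than one of them.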

Secure Web Browsing:

  • Don’t connect to unknown/public networks and avoid using unsafe protocols – HTTP, FTP,… – or at least don’t send any personal data through them. Consider using a VPN.
  • Use a securely configured web browser.
  • Consider using a separate browser for sensitive business (e.g. online banking).
  • Don’t visit unknown/untrusted sites and never download any files from them.
  • Limit visits to pornographic sites; it’s quite common for them to fall victim to malvertising and serve malicious code.
  • Don’t use social buttons outside the respective social network, as it’s trivial to mimic them.
  • Avoid short URLs – like https://bit.ly/tinyurlwiki – as they can easily mask dangerous links.
  • Only open email attachments / links from trusted senders.

Tip
The safest way to browse the web: a securely configured live OS. However, it should be pointed out that even this option isn’t necessarily 100% safe – for example, if the device has been hacked in the past, the EFI may be infected.


Security News Sources:


Online File Analysis:


Recommended VPNs:


Recommended Password Managers:


Changelog



pre-v1:

  • 29.11.2019 – alpha Android OS & Linux OS for the advanced
  • 26.11.2019 – website, Basics