Posting this under Privacy because a) Security is a means to an end, especially in this case b) I don't want "Just use Miracle Product X!" responses Basically, a family friend came to me re: problems with her laptop. It's an older HP model running Windows XP. I removed some gigabytes worth of temp files, defragged the drive, updated it, got the antivirus back in working order, dusted it out, and generally fixed it up. It now runs pretty well. (It'll be slow again in 6 months if the user doesn't start moving her music/movies/pictures off the main drive, but that's another matter.) Problems: The user is a complete novice. She does not have the time to become a power user. She is stuck on Windows XP. (Can't switch to 7/8/10 right now, and forget about Linux.) She has a ton of online accounts, many for paid services. She is mostly browsing with IE 8, which is a huge target. She defaults to using very weak passwords. She likes to install dubious adware games. I don't know if she has a smartphone or tablet. If she does, it's almost certainly not secured (as if such devices can be secured). Furthermore, she's dealing with some difficult life situations right now. So she needs a) Solutions with a very low cognitive burden b) Solutions that actually work in practice When I give her back her XP laptop, I want it to be set up to give her at least a modicum of safety vs. identity theft. ... What I'm thinking so far: Browser security Chrome is kind of the obvious choice as far as protection from local compromise. Unfortunately - Its password storage is no better than plaintext. - Google's privacy track record is IMO awful. (They're an ad company, what do we expect?) OTOH the user does not *need* anonymity (for now!). And Chrome looks better than Firefox as far as ITW attacks and sandboxing. Then again, Firefox actually bothers encrypting account passwords. That's worth something, especially the convenience of having it in the browser. Not sure that's worth giving up the sandbox though, or the separation of password vault and browser. Password security KeepassX or Keepass2, maybe? Those work very well in my experience, but the GUIs might be a bit intimidating. Also, it's Yet Another Application. LastPass might work, too. Never used it. The idea of nonlocal password storage makes me somewhat uncomfortable though. Social engineering prevention This is probably the hardest part. Norton Internet Security has been *RUBBISH* as far as this - it doesn't detect trojan software, adware, etc. at all, even when the stuff is obvious (e.g. using known fraudulent digital certificates). Something is needed to detect this stuff. Phishing prevention seems even harder. Maybe a browser plugin of some sort? How good is e.g. Web of Trust for dealing with phishing sites? Suggestions on any of the above issues, further analysis of the problem, and/or things I haven't thought of would be much appreciated. Thanks!
I think you are a great help already. She could use a Yubikey in order to store a strong password, e.g. to open the keepass safe she'd just have to push the button on the Yubikey for about 2 or 3 seconds and that's it. (She could also combine it with an easy password that she has already remembered or can easily think of). Of course, one could use an usb-key for a keyfile as well. A Yubikey could also unlock the laptop (before booting) or at login (you can change the login that you have to have your Yubikey plugged in to unlock it). This could be a nice addition if she uses the laptop in public or away from home (or fears that it could be stolen from home). Browsers She could use a few of them each for different purposes. Maybe two are enough (Chrome & Firefox for example). Use different addons that she does not have to meddle with. One could be mainly for serious stuff like online banking or just for reading or gathering information (let's call it the secure browser) and one for multimedia and stuff like browser games that do function without having to do much (I don't know, but maybe one could or should nonetheless activate the "always ask option" for flash.) The multimedia browser sounds more likely to be dangerous [edit: in danger] so this should be sandboxed. I am not up-to-date regarding sandboxie but I think a browser can be associated to sandboxie so that it always starts in a sandbox. Maybe sandboxie for both browser or the browser would be a good thing. Some changes in the "about:config" would be good for privacy. You could change some of them that aren't too invasive (like breaking sites). Does she use an email client? Does the email account have different settings for spam? Check it. Two factor authentication could be used where possible. It's easy (receive an SMS, Yubikey) and helps securing online accounts. You could write a list for important stuff so she doesn't have to remember too much at first. With time she will get used to it. I am still of the opinion that one could get used to Linux distros like Ubuntu, Mint, Suse and so on in a short time especially when the computer seems to be used mainly for surfing. It's booting up and starting a browser. Updating is even easier than on Windows but as you wished, I don't even start. (Dual boot... ;-) just kidding) That's what I could think of right now. I think you know very well what you are doing. Maybe an XP expert wants to chip in.
I think the novice won't go for any of this. But let's play anyways. My path for novice: FF not Chrome, PWs I don't believe in any storage (don't bother me right now I'm repeating all 72 of my PW in my head over & over like a mantra), I DO agree with WOT. Hope I don't come off as snarky but I've given up on all who treat computers like toasters.
Okay, point by point: Now this sounds pretty smart. (I wonder if a simpler version could be implemented with a USB stick, using the volume's UUIID as a passphrase-substitute? Or maybe the UUID of a hidden partition...) This *might* work for IE and Chrome, not so much for Firefox. A real local compromise would bust right through that. Might protect a little from man-in-the-browser stuff though. (Keep in mind, XP is barely better than single-user these days. And this is XP as admin. The supposed boundaries between programs are worth very little.) Web mail only, I believe. Probably a good idea. Even with an insecure mobile device, it's probably better than nothing. Too bad a lot of accounts will not provide 2FA. I would seriously consider dual boot, except for lack of disk space. The laptop has a 40 GB hard disk, with the system partition sandwiched between two OEM recovery partitions. Migration to a bigger hard disk would be painful, though I'm seriously considering it. My thought is that, given the profound local insecurity of XP - and of Windows in general, really - it's better to move the focus onto security problems that are fixable, namely protecting the various online accounts. Edit: as for social engineering, I don't know if that's fixable, but it's equally troublesome on every platform. So...
Since you're considering dual boot -- for now, why not set up a virtual machine with mint (or whatever) as guest? Fx has phishing and malware filters built in. To the best of my knowledge WoT has none; strictly a reputation tool. Maybe your friend can handle NoScript. If not, even in its 'allow scripts globally' mode you still have : https://noscript.net/features You could also add ublock origin into the mix. She could use it in the non-advanced mode. You can decide which additional static filters would be appropriate.
1.4 GHz single-core Celeron with 1 GB RAM and 10 GB spare hard disk space. That's probably a good idea - thanks!
Why not try Comodo Firewall? It has a built in virtual desktop, browser etc. My family use it so it's a no brainer to use. I've used it, but it doesn't allow micro control like I want.
If you're thinking dual boot, I was wondering about booting off a USB stick if the laptop bios would support that. Running a Live distro of choice, or indeed a full Mint distro off a fast usb can be quite a pleasant intro to that environment, and it really is pretty disposable. I have family members using Yubikeys as 2FA for Windows login, Password Safe and Lastpass. Keepass also works. For browsing/website passwords, Lastpass is pretty good, though it does demand a little bit of user training. The Lastpass master password can be remembered on the machine, which is OK if you have 2FA I think. But the Windows login with Yubikey isn't supported on XP.
@deBoetie I'd considered live USB. Alas, a BIOS limitation prevents booting from drives larger than 2 GB or so. It may be doable, but the machine is picky, and updates are an issue. @Kobayashi maru NIS is already installed. Also, please see again "just use Product X."
I clean up malware for senior citizens, & routinely give an hour or so How to stay safe, some get it, some don't. The dont's become/are repeat customer(s), Rico I'm infected again, Ugh! For those special people, I become a salesman for "Shadow Defender" with the special instruction of don't go online, unless your in Shadow Mode. This works! I understand your product X from post #1, from here you can spoon feed a little knowledge, make it interesting, so she wants more knowledge & she's safe, in the shadow. Some that I use on the old are: You do maintenance on your car with every use, see the tires aren't flat etc. You know how to deal with this, trouble is no one has taught you routine maintenance for your PC. How about pretend your the bad guy, & how you go about invading a machine. This one everybody gets, why use CCleaner or it's ilk. I tell them temp files are like leaves on a tree, useful on the tree, but trash when they fall, now if you haven't raked your lawn in awhile, try to find something in it. It's like taking out the trash. The more trash you have the longer CCleaner takes to clean up.
I'd go with Firefox and do just a few quick about:config tweaks that can help with privacy/ID theft type stuff. geolocation being a big one. I disable safebrowsing because I'm anal but she could benefit from it. Also a DNS service that blocks known bad sites like Comodo or Nortons. I used Comodo Secure DNS for years when not using VPN's and saw it block lots of sites. I'm not a fan of WOT, and actually heard rumors lately that they harvest user info. Plus it's ripe with abuse wtih people giving misinfo because of axes to grind and fanboy/girl'ism. I removed it recently from my list of addons after using it for years. Even NoScript has benefits if you allow scripts globally and hide all the prompts. The "Embeddings" and "Advanced" tabs have useful stuff. Adblock Plus/Edge too of course, with EasyList, EasyPrivacy, and Malware Domains. Instead of a full blown VM they might be more apt to handle light virtualization, Shadow Defender. v 1.1.0.325 is great for XP. Maybe apply the POSReady registry tweak to keep patches coming for them? I know it's frowned upon but in this situation it's warranted I'd say. Limit attack surface as best you can of course... not that I have to tell you that. Doesn't sound like they'd be able to handle an outbound FW but harden the integrated XP FW against termination at least via GP tweaks > Network > Windows Firewall. Close ports 135 & 445 at the source via registry tweaks. I've posted them in here before. This will leave nothing left listening in except a web scanning module in an AV if you have one. Speaking of AV's I'd recommend Avast Free. Good AV for novices. But you did say you straightened out an AV for them already so that may be out of line. I apologize if so. MBAE Free would be a good layer for Firefox. All this stuff is free! Keep images of their setup at various stages filed away to get it back to tip top shape in that 6 month window you mention expecting it to be a veritable nightmare again. But then again Shadow Defender should help that. It's so much easier to use than people assume and I'll bet they'd not only handle it fine but wondier what took them so long. Use Ixquick as you search engine. Go into the settings to use HTTPS/TLS, disable search suggestions, etc... And both copy & paste the URL as the home page and it'll create a button for "Custom Search" too... use it as default and delete all others.
Chrome + uBock Origin + HTTPS Everywhere + Malwarebytes PRO with website blocking enabled. That is the best you can do with a novice on XP. Maybe find a torrent of Windows 7 Ultimate too and install that.
How is it going? I've been wondering about what you wrote about this browser stuff. I wasn't even thinking of what you wrote. I just thought it to be safer to only use/activate stuff like javascript & scripts, flash and so on when it is really necessary. So instead of always activating when needed (and maybe leaving it activated on other sites) I thought of using just one browser for Netflix and Youtube or something like that. The usual browsing takes place in a browser without flash, javascript and the likes. Wouldn't that be a little safer already?
So... Resurrecting this thread several months down the road. To outline: tragedy struck the friend's family, completely out of the blue, and things did not go as planned. I had to hold the computer for her while she dealt with the aftermath. Things are somewhat worse now on the computing front. Largely my fault for not thinking of this stuff, and not checking up on it. - During the delay, the Norton IS license expired. So I would have to count on a (dodgy) free AV. - Chrome will drop support for Windows XP on April of next year. This gets rid of the only secure browser. So, the computer is usable - it boots in ~1 minute now - but it is not safe to use for any purpose. Meanwhile, the friend called up today. She'll be over to pick up the computer in a little under five hours. There are obviously, shall we say, serious ethical issues with handing her back a working laptop that is not safe to use. ... I'm thinking the best bet would be a USB stick Linux install for browsing, at this point. Not many other ways to deal with the situation that would actually fly.
https://www.360totalsecurity.com/en/features/360-total-security-essential/ supports XP and since it has a huge user base, it will most likely will for a long time. You might find interesting: http://news.softpedia.com/news/Chin...g-13-Hours-of-Continuous-Attacks-436187.shtml
So it turns out the Norton thing was an oversight on my part... Hurray I guess. That at least is kind of solved. @TairikuOkami based on what I've seen with Qihoo's labs pounding my router several times a week, I would not trust that company. Then again, it's not like I trust Symantec much either. The whole industry seems riddled with grayhat behavior. ... I ended up buying an 8 GB USB stick, and installing persistent Xubuntu on it. I will probably advise the user to do banking etc. from this; though I'm worried about crypto libraries on the live medium rapidly getting out of date. Also installed the final updates for WinXP, and added uBlock Origin for Chrome. This should help, if she remembers to use Chrome instead of IE... BTW I would advise the user to buy a new computer, but I'm spooked by how stores like Staples and Best Buy take advantage of customers. Judging from my prior experience, they'd probably pressure her into buying an overpriced machine with badware preinstalled. Also I don't know if she has the cash to spare. ... I think I'll give her the option of taking home my 2008-issue laptop, imaged with Win7, plus the install DVD. I have a workstation and a backup laptop, so it's not an issue to just give her the laptop freely. And it's not like I use Win7 for anything serious. Wish I could set her up with Linux for long-term use, but that does not seem possible.
@Gullible Jones - might I offer a Cunning Plan which I think could work for a novice as follows. I use a Puppy Linux for banking on a Usb stick. It supports persistence, but runs from RAM. In normal banking sessions, I boot up, and then, before browsing, remove the Usb stick physically. The user can browse to the site, but there is nothing, including malware, that can get written back. But this allows the option to update the stick, because if you do a boot and perform update (but do not browse) - then you can save the updates and close. This offers the advantage of a Live distro, but with update possibilities. I'm not sure whether a novice would follow this procedure adequately though, probably there's not much risk with an out-of-date Live distro providing the banking site is the only one visited.
Unfortunately other stuff came up, and she was not able to reclaim her computer yesterday... @deBoetie My preference would be Xubuntu Live or such, which also supports persistence (and runs very fast off a USB stick). Though persistence on a live medium is something like a 50% performance hit vs. running non-persistent, from what I've seen... The elephant in the room, in that case, is the crypto libraries. I don't like the idea of accessing a banking site while using e.g. OpenSSL or NSS versions that are out of date. Not saying it's guaranteed to be an issue, but it doesn't seem wise given the number of recent holes. ... Also, there's another problem: it looks like the computer's hard disk is going to give out soon. Linux shows DMA errors on every boot, and I can't resize the main NTFS partition, because it never unmounts cleanly. (I'd check that out from Windows too, but cannot - the Windows event log viewer is missing.) To add insult to injury, this is one of those stupid Dell consumer laptops, with a recovery partition instead of an install DVD. Probably I'll have to purchase a decently sized laptop IDE drive, and ddrescue the Windows partitions over; then I could install Linux on the remaining space. That would be a long term solution. Alas, what with the holidays, the drive would probably take a while to get here.
I'm currently using Chrome with uBlock Origin + Disconnect.me + HTTPS Everywhere + Malware Bytes Anti-Malware Home Premium which has Web surfing protection enabled. I am thinking about switching browsers though. For passwords I use SuperGenPass. Wouldn't be very good if I used a mobile device, but I'm usually on an actual computer so it works well. Also this is my first post on the forums. Hi!
@mick92z That's a good idea, and the thought has crossed my mind. It would at least give her a way to surf securely, even if it couldn't run her proprietary stuff. ... Maybe? One thing I hadn't thought of. She has this habit of installing all kinds of weird little free games and doodads, some of which have proved to be pretty dubious. And from what I've seen, the Chrome app store has its share of exploitative apps. Sigh. I'd like to be able to solve all these issues with software, but some of it is really more like legal/consumer protection stuff.
Yes, sadly so. I think I'd be tempted to suggest a s/h laptop with usb3. Doesn't have to be fancy, but that would run Linux fine, and with FireJail, you can have browser profiles that wipe themselves, so the dodgy apps would disappear, or it can operate in a sandboxed space with restricted permissions to anywhere. User doesn't have to be aware what's happening, just some desktop icons for different things.
So, an update: I'm biting the bullet here, and setting up a Linux USB stick, for her to do banking and purchasing with. I think it should be good for a while. I'm using Debian Live (Mate) for this, currently. Works okay, but I'd like to make a few tweaks. Anyone know a way to make a live USB stick auto-run a shell script after it finishes booting?
