What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. uppreisnarmadur

    uppreisnarmadur Registered Member

    Joined:
    Nov 29, 2013
    Posts:
    16
    I use Zemana just in case the other security software products miss something. As previously stated, it can't hurt.

    I forgot to add to my initial post in this thread the other security measures I use. Another time, then.
     
  2. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Had a strange thing happen last night. I was running a game from Matrix wargames and noticed my computer hard drive was working overtime. I looked at apps and saw two versions of the game running. Looked further into it and one of the processes was my passwords folder!? Couldn't end the process or shut down the computer, did a hard restart and immediately did a system image install. Needless to say the game is now off my computer. The game installs Active X in order to run, and when first running triggers a Windows firewall alert that it wants to connect out. Looking into Active X I was surprised to see how vulnerable it is and that Matrix would use it for anything. So far no sign that my passwords have been compromised. Maybe encrypting that folder would be a good idea.
     
  3. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Hey cool, you are using just the red ribbon on your typewriter. :thumb:

    Just a side note, though you probably know what you are doing: Sometimes doubling up software can hurt, in that they interfere with each other when trying to do the same thing. But I have no idea if that could happen with your setup.
     
  4. uppreisnarmadur

    uppreisnarmadur Registered Member

    Joined:
    Nov 29, 2013
    Posts:
    16
    Everything is white-listed to prevent / reduce conflict. The only trouble I have had has been with Malwarebytes that caused login issues. I have had it occur a few times. The problem seems to be resolved by un-checking the start protection module with Windows.
     
    Last edited: Nov 30, 2013
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Open source KeePass has encryption covered pretty good...

    • KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
    • The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
    • SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
    • In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
    • Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder.
    • In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
    • [2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key.
    • Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass.
    • The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too.
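An added example (not part of the post above and not KeePass code) of the two list items on hashing the master password with SHA-256 and transforming the key many times to slow dictionary attacks. The function names, the seed, and the use of iterated seeded SHA-256 as the transformation are assumptions for illustration; KeePass uses its own transformation.

```python
import hashlib
import time


def derive_key(master_password: str, seed: bytes, rounds: int) -> bytes:
    """SHA-256 the master password, then transform the result `rounds` times."""
    key = hashlib.sha256(master_password.encode("utf-8")).digest()
    for _ in range(rounds):
        # Stand-in transformation (assumption): each round costs one hash,
        # so every guess costs the defender-chosen number of rounds.
        key = hashlib.sha256(seed + key).digest()
    return key


def guesses_per_second(seed: bytes, rounds: int, samples: int = 5) -> float:
    """Measure how many candidate passwords this machine can test per second."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", seed, rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def days_to_exhaust(wordlist_size: int, rate: float) -> float:
    """Days needed to try every word in a list at `rate` guesses per second."""
    return wordlist_size / rate / 86400


def calibrate_rounds(seed: bytes, target_seconds: float,
                     probe_rounds: int = 20000) -> int:
    """Pick a round count so one derivation takes about `target_seconds` here."""
    start = time.perf_counter()
    derive_key("calibration", seed, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_rounds * target_seconds / elapsed))


if __name__ == "__main__":
    seed = bytes(range(16))          # constructed sample seed
    wordlist = 100_000_000           # constructed dictionary size
    for rounds in (1, 6_000, 600_000):
        rate = guesses_per_second(seed, rounds, samples=3)
        print(f"rounds={rounds:>7}  {rate:12.1f} guesses/s  "
              f"{days_to_exhaust(wordlist, rate):10.3f} days for the list")
    print("rounds for ~0.5 s per unlock:", calibrate_rounds(seed, 0.5))
```

The legitimate user pays the transformation cost once per unlock, while someone guessing against a stolen database pays it for every candidate.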
     
  6. joshua19

    joshua19 Registered Member

    Joined:
    Nov 22, 2013
    Posts:
    14
    Location:
    USA,FL


    LOL you are exactly like myself. I like that. We know that having extra protection no matter how small it may seem is better than no protection, and even if two products do the same thing (detect keyloggers) that if one product misses something chances are the other products might detect something.
     
  7. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    If one is good then two must be better? Think how awesome a dozen would be. Unless they are specifically written to work well together, having multiple security programs installed that do the same thing can be counterproductive because while they are interfering with each other something can slip by. Also the more programs you have installed the larger your attack surface is.
     
  8. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Thank you for that list, I know you like KeePass, I'm going to give it another try. My choosing LastPass over Sandboxie just for convenience really doesn't make any sense as far as security goes.

    The password folder that somehow showed up as running in that game glitch I mentioned earlier has all my non-internet passwords, like for games and other programs. Could KeePass be used to easily encrypt and retrieve the information in there?

    What are the steps you go through when signing into a site when using KeePass? Maybe there's an easier way than what I was doing.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes. I believe that the list I posted covers that info.
    "The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
    Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway."

    I know that images would work best, but allow me to write the steps down instead (easier for me). Keep in mind that it takes longer to explain it than it does to just do it. :)

    1. I always keep the KeePass main window open & minimized on my desktop.
    2. Open site. All of my bookmarks resolve to login pages, so that when I click on them, they are ready for password entry.
    3. This step is key... sometimes it is critical to click on the 'Username' field on a site's login page in order to assure that the page is active.
    4. Right click on the desired site entry in KeePass window and select 'Perform Auto-Type'. The login data entry fields fill automatically.

    That's it. Done.

    If preferred, a user can also enter a site's url into KeePass, and then access the site using only KeePass and thus eliminating the 'click on bookmark' step. If you choose this method (I sometimes do), then alter Step 2 above by first doing this...

    2. Right click on the desired site entry in KeePass window and select URL(s)/Open with Chrome (or whatever browser you use). Just like in step 2 above, make sure that the url you have entered into KeePass when you created the Entry is the login page. This definitely adds ease to the whole process.

    After completing the alternate Step 2 just mentioned, then proceed with 3 & 4. (3 is not always needed. I inserted it because experience has taught me that it is sometimes necessary.)

    One reminder, when creating KeePass site entries, remember the Two-Channel Auto-Type Obfuscation tip I posted here. I'd say it is critical. :)

    Hope this helps. If I haven't been clear on something, or you need more info, let me know and I'll help if I can.
     
  10. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I have been playing with Winpatrol Plus and Malwarebytes Anti-Exploit and wanted to test out NVT, which I've read so much about. I also see some pair up Winpatrol and NVT, but I'm going to test NVT solo first. My question is of the three in question which combination would be either redundant or unwise to run together? Would MWBAE essentially be doing similar tasks that NVT could handle by itself or a combo of WP and NVT for that matter?
     
    Last edited: Nov 30, 2013
  11. uppreisnarmadur

    uppreisnarmadur Registered Member

    Joined:
    Nov 29, 2013
    Posts:
    16
    I am a firm believer in having an array of protection. Just like with anything else, you want to make sure everything is covered. And they miss things ... sometimes. It doesn't matter which product detects what... as long as it detects it.

    How's Qubes OS?
     
  12. fearlessscientist

    fearlessscientist Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    166
    Location:
    USA
    MBAE, WP and NVT are completely different products as far as I know. MBAE is anti-exploit, WP is startup monitoring app and NVT is application whitelisting. They all can work in harmony without any conflict and each one targets one specific area. I don't see any redundancy.
     
  13. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    133
    Location:
    Greece
    Windows XP Home SP3 (all updates) Admin account behind a router
    1 ESET NOD32 Antivirus 7 with HIPS in Policy-based mode
    2 Google Chrome starting with DropMyRights (Adblock Plus: Easylist EasyPrivacy, JavaScript Popup Blocker)
    3 Norton DNS
    4 MalwareBytes on demand
    5 SpywareBlaster
    6 No Java installed

    Light -- Secure -- Easygoing -- Unintrusive
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Indeed. To me on the other hand SBIE wouldn't be going anywhere. But then again my preferred method for storing passwords has always been my brain. They can't get stolen from there unless someone is really good. I could never trust a password manager.

    I do back them up with pen to paper though. Then keep the piece of paper in a book... one book of many on a large bookshelf on a random page. So I only have to remember the book and the page number instead of all my passwords. But I rarely have to look them up. I did for my EBay PW once because it had been so long since I'd last used it.
     
  15. joshua19

    joshua19 Registered Member

    Joined:
    Nov 22, 2013
    Posts:
    14
    Location:
    USA,FL



    Yes, yes, but 12 is going overboard think how much CPU usage that is, I can understand where you are coming from but making sure one product doesn't conflict with another is one of the challenges, I am aware of this, for example I believe there was confliction with my avast and superantispyware or I think it was my Malwarebytes and superantispyware, I just don't remember but anyway I was lucky enough to get the famous blue screen of death I say lucky since thanks to the blue screen I knew something was wrong. But that's just an example, and I'm aware that adding extra software can potentially increase the attack surface, but please keep in mind everything has its goods and bads.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    The passwords I use, both in length and complexity, are not even close to being easy to remember. A password manager is a necessity for me, given that.
    I also wanted to do away with the written page full of passwords.
    Your idea about hiding it in a book is a good one, but I wanted to do away with that altogether.
    I think we're talking two things here... convenience and trust.
    For some folks, only one comes into play.
    I found that I can achieve both with KeePass. :)
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Exactly right. Many times if you think you have 2 things protecting some vector, you really have none. I like to only use integrated/native OS hardening measures to complement software that does similar things, and not two softwares.

    Sometimes it's not clear when 2 different things accomplish essentially the same task. Like I remember playing around with WehnTrust to try to get a pseudo ASLR on XP, not realizing that the shellcode injection protection in my Comodo D+ did basically the same thing, only much better. It took me awhile to figure out that was the conflict. If I had run both, unaware of this, I'd have had no protection against buffer overflow instead of two things.

    I wonder also if having this component in D+ enabled along with EMET would cause problems people are blissfully unaware of?...
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    @joshua19,
    You mentioned SAS.
    I don't see it in your sig.
    Hopefully you deep-sixed it.
     
  19. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Believe me, my passwords are very complex too. Often 32 digits long & ASCII. But I make them easier to remember by making them phrases with intentional typos, numbers that mean something to me (a friend's phone #), a few capitalizations, and special characters. Not hard to remember after several tries. I have a good memory.

    If my house ever burnt down my plan would be out the window though, lol.

    I just don't completely trust any password managers. I don't know exactly how they work, but know everything is fallible to some degree.
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Indeed you must have. I'm impressed.

    Cut to a house in flames and luciddream pushing past firefighters on the street... "Out of my way! My passwords are inside!!"
     
  21. joshua19

    joshua19 Registered Member

    Joined:
    Nov 22, 2013
    Posts:
    14
    Location:
    USA,FL



    I like the response time of my Qubes but I do not like the Hardware VMs due to the fact that on my FreeBSD VM's mouse is not working (not moving) I met another person with the same exact problem he gave me a solution but I did not like the solution. Also for my OpenBSD VM I could not install xfce, even though I followed everything correctly. The only thing I managed to install was pico. Also I could not manage to boot into any of my hardened Gentoo distros such as liberte Linux, pentoo, Tin-Hat. For pentoo it was because of RAM, for Tin-hat I do not remember, for liberte linux I also don't remember, overall I like the idea of Qubes using security through isolation.
     
  22. joshua19

    joshua19 Registered Member

    Joined:
    Nov 22, 2013
    Posts:
    14
    Location:
    USA,FL



    I don't know what SAS is sorry, and not all of my security precautions are in my signature, I don't want it to be too long.
     
  23. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    After Gullible Jones's awesome findings exposing the importance of patches, I'm just biding time right now waiting until I'm ready to jump into Win7. I really, really love XP so I'm milking it for all I can. Plus he reinforced my impression that as of now I'm quite safe using it, but that will come to an abrupt halt post April 2014.

    I'm trying to learn as much as I can about it for now, but have only 1 box that will run it adequately and it's my main box which has XP on. And I'm afraid I might hose something trying to dual boot it, and don't wanna go through that trouble until I make the switch to 7. So I think I'll just go through the grind when the time comes... will probably be reformatting several times until I figure out the way I want to have things.

    Major props to Mr. Jones again for his testing. Though I don't believe his views on HIPS were fair, he certainly stressed the importance of patches which was a debate in here, with many still on XP SP2. I believe if his test had been done with a Paranoid D+ that had been set up for a month he'd have found a very quiet component that silently turned back everything, more like hardening than user dependent.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I pulled the XP box out of my home network a couple of weeks ago, in anticipation of the coming end of support.
    My W7 machines are far faster anyway, in addition to more secure (imo), so there was no motivation for me to postpone the day.
    It was a relief to 'let it go'. :)
     
  25. joshua19

    joshua19 Registered Member

    Joined:
    Nov 22, 2013
    Posts:
    14
    Location:
    USA,FL



    Oh another thing please keep in mind that I do not use all the security precautions in my signature for example Quantum cryptography would be far too expensive for me to afford also please keep in mind that I'm not one of the smartest people out there I would probably not have the skill to use wireshark, or Snort, Lynis I don't even know how to use PGP or create something from source or manually remove a virus. So just because I have wireshark or lynis in my signature doesn't mean I use it, it just means I like the software and ideas.
     