Keeping a novice safe online

Discussion in 'privacy problems' started by Gullible Jones, Aug 11, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Posting this under Privacy because
    a) Security is a means to an end, especially in this case
    b) I don't want "Just use Miracle Product X!" responses

    Basically, a family friend came to me re: problems with her laptop. It's an older HP model running Windows XP.

    I removed some gigabytes worth of temp files, defragged the drive, updated it, got the antivirus back in working order, dusted it out, and generally fixed it up. It now runs pretty well. (It'll be slow again in 6 months if the user doesn't start moving her music/movies/pictures off the main drive, but that's another matter.)

    Problems:
    The user is a complete novice.
    She does not have the time to become a power user.
    She is stuck on Windows XP. (Can't switch to 7/8/10 right now, and forget about Linux.)
    She has a ton of online accounts, many for paid services.
    She is mostly browsing with IE 8, which is a huge target.
    She defaults to using very weak passwords.
    She likes to install dubious adware games.

    I don't know if she has a smartphone or tablet. If she does, it's almost certainly not secured (as if such devices can be secured).

    Furthermore, she's dealing with some difficult life situations right now. So she needs
    a) Solutions with a very low cognitive burden
    b) Solutions that actually work in practice

    When I give her back her XP laptop, I want it to be set up to give her at least a modicum of safety vs. identity theft.

    ...

    What I'm thinking so far:

    Browser security
    Chrome is kind of the obvious choice as far as protection from local compromise. Unfortunately
    - Its password storage is no better than plaintext.
    - Google's privacy track record is IMO awful. (They're an ad company, what do we expect?)
    OTOH the user does not *need* anonymity (for now!). And Chrome looks better than Firefox as far as ITW attacks and sandboxing.

    Then again, Firefox actually bothers encrypting account passwords. That's worth something, especially the convenience of having it in the browser. Not sure that's worth giving up the sandbox though, or the separation of password vault and browser.

    Password security
    KeepassX or Keepass2, maybe? Those work very well in my experience, but the GUIs might be a bit intimidating. Also, it's Yet Another Application.

    LastPass might work, too. Never used it. The idea of nonlocal password storage makes me somewhat uncomfortable though.

    Social engineering prevention
    This is probably the hardest part. Norton Internet Security has been *RUBBISH* as far as this - it doesn't detect trojan software, adware, etc. at all, even when the stuff is obvious (e.g. using known fraudulent digital certificates). Something is needed to detect this stuff.

    Phishing prevention seems even harder. Maybe a browser plugin of some sort? How good is e.g. Web of Trust for dealing with phishing sites?




    Suggestions on any of the above issues, further analysis of the problem, and/or things I haven't thought of would be much appreciated. Thanks!
     
  2. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    137
    Location:
    Earth
    I think you are a great help already.

    She could use a Yubikey in order to store a strong password, e.g. to open the keepass safe she'd just have to push the button on the Yubikey for about 2 or 3 seconds and that's it. (She could also combine it with an easy password that she has already remembered or can easily think of).
    Of course, one could use a usb-key for a keyfile as well.

    A Yubikey could also unlock the laptop (before booting) or at login (you can change the login that you have to have your Yubikey plugged in to unlock it). This could be a nice addition if she uses the laptop in public or away from home (or fears that it could be stolen from home).

    Browsers

    She could use a few of them each for different purposes. Maybe two are enough (Chrome & Firefox for example). Use different addons that she does not have to meddle with. One could be mainly for serious stuff like online banking or just for reading or gathering information (let's call it the secure browser) and one for multimedia and stuff like browser games that do function without having to do much (I don't know, but maybe one could or should nonetheless activate the "always ask option" for flash.)

    The multimedia browser sounds more likely to be dangerous [edit: in danger] so this should be sandboxed. I am not up-to-date regarding sandboxie but I think a browser can be associated to sandboxie so that it always starts in a sandbox. Maybe sandboxie for both browsers or the browser would be a good thing.

    Some changes in the "about:config" would be good for privacy. You could change some of them that aren't too invasive (like breaking sites).

    Does she use an email client? Does the email account have different settings for spam? Check it.
    Two factor authentication could be used where possible. It's easy (receive an SMS, Yubikey) and helps secure online accounts.
    You could write a list for important stuff so she doesn't have to remember too much at first. With time she will get used to it.
    I am still of the opinion that one could get used to Linux distros like Ubuntu, Mint, Suse and so on in a short time especially when the computer seems to be used mainly for surfing. It's booting up and starting a browser. Updating is even easier than on Windows but as you wished, I don't even start. (Dual boot... ;-) just kidding)

    That's what I could think of right now. I think you know very well what you are doing. Maybe an XP expert wants to chip in.
     
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    I think the novice won't go for any of this. But let's play anyways.

    My path for novice: FF not Chrome, PWs I don't believe in any storage (don't bother me right now I'm repeating all 72 of my PW in my head over & over like a mantra), I DO agree with WOT.

    Hope I don't come off as snarky but I've given up on all who treat computers like toasters.
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Okay, point by point:

    Now this sounds pretty smart.

    (I wonder if a simpler version could be implemented with a USB stick, using the volume's UUID as a passphrase-substitute? Or maybe the UUID of a hidden partition...)

    This *might* work for IE and Chrome, not so much for Firefox. A real local compromise would bust right through that. Might protect a little from man-in-the-browser stuff though.

    (Keep in mind, XP is barely better than single-user these days. And this is XP as admin. The supposed boundaries between programs are worth very little.)

    Web mail only, I believe.

    Probably a good idea. Even with an insecure mobile device, it's probably better than nothing. Too bad a lot of accounts will not provide 2FA. :(

    I would seriously consider dual boot, except for lack of disk space. The laptop has a 40 GB hard disk, with the system partition sandwiched between two OEM recovery partitions. Migration to a bigger hard disk would be painful, though I'm seriously considering it.

    My thought is that, given the profound local insecurity of XP - and of Windows in general, really - it's better to move the focus onto security problems that are fixable, namely protecting the various online accounts.

    Edit: as for social engineering, I don't know if that's fixable, but it's equally troublesome on every platform. So...
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    Oh, bother. I forgot my mantra. :argh:
     
  6. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    202
    Since you're considering dual boot -- for now, why not set up a virtual machine with mint (or whatever) as guest?

    Fx has phishing and malware filters built in. To the best of my knowledge WoT has none; strictly a reputation tool. Maybe your friend can handle NoScript. If not, even in its 'allow scripts globally' mode you still have :
    https://noscript.net/features

    You could also add ublock origin into the mix. She could use it in the non-advanced mode. You can decide which additional static filters would be appropriate.
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    1.4 GHz single-core Celeron with 1 GB RAM and 10 GB spare hard disk space.


    That's probably a good idea - thanks!
     
  8. Kobayashi maru

    Kobayashi maru Registered Member

    Joined:
    Nov 7, 2009
    Posts:
    124
    Location:
    Drivin' all night my hands wet on the wheel....
    Why not try Comodo Firewall? It has a built in virtual desktop, browser etc. My family use it so it's a no brainer to use. I've used it, but it doesn't allow micro control like I want.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    If you're thinking dual boot, I was wondering about booting off a USB stick if the laptop bios would support that.
    Running a Live distro of choice, or indeed a full Mint distro off a fast usb can be quite a pleasant intro to that environment, and it really is pretty disposable.
    I have family members using Yubikeys as 2FA for Windows login, Password Safe and Lastpass. Keepass also works. For browsing/website passwords, Lastpass is pretty good, though it does demand a little bit of user training. The Lastpass master password can be remembered on the machine, which is OK if you have 2FA I think. But the Windows login with Yubikey isn't supported on XP.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @deBoetie

    I'd considered live USB. Alas, a BIOS limitation prevents booting from drives larger than 2 GB or so. It may be doable, but the machine is picky, and updates are an issue.

    @Kobayashi maru

    NIS is already installed. Also, please see again "just use Product X."
     
    Last edited: Aug 12, 2015
  11. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    I clean up malware for senior citizens, & routinely give an hour or so How to stay safe, some get it, some don't. The don'ts become/are repeat customer(s), Rico I'm infected again, Ugh! For those special people, I become a salesman for "Shadow Defender" with the special instruction of don't go online, unless you're in Shadow Mode. This works!

    I understand your product X from post #1, from here you can spoon feed a little knowledge, make it interesting, so she wants more knowledge & she's safe, in the shadow. Some that I use on the old are:

    You do maintenance on your car with every use, see the tires aren't flat etc. You know how to deal with this, trouble is no one has taught you routine maintenance for your PC. How about pretend you're the bad guy, & how you go about invading a machine. This one everybody gets, why use CCleaner or its ilk. I tell them temp files are like leaves on a tree, useful on the tree, but trash when they fall, now if you haven't raked your lawn in awhile, try to find something in it. It's like taking out the trash. The more trash you have the longer CCleaner takes to clean up.
     
  12. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497

    I'd go with Firefox and do just a few quick about:config tweaks that can help with privacy/ID theft type stuff. geolocation being a big one. I disable safebrowsing because I'm anal but she could benefit from it. Also a DNS service that blocks known bad sites like Comodo or Norton's. I used Comodo Secure DNS for years when not using VPN's and saw it block lots of sites. I'm not a fan of WOT, and actually heard rumors lately that they harvest user info. Plus it's rife with abuse with people giving misinfo because of axes to grind and fanboy/girl'ism. I removed it recently from my list of addons after using it for years.

    Even NoScript has benefits if you allow scripts globally and hide all the prompts. The "Embeddings" and "Advanced" tabs have useful stuff. Adblock Plus/Edge too of course, with EasyList, EasyPrivacy, and Malware Domains.

    Instead of a full blown VM they might be more apt to handle light virtualization, Shadow Defender. v 1.1.0.325 is great for XP.

    Maybe apply the POSReady registry tweak to keep patches coming for them? I know it's frowned upon but in this situation it's warranted I'd say.

    Limit attack surface as best you can of course... not that I have to tell you that. Doesn't sound like they'd be able to handle an outbound FW but harden the integrated XP FW against termination at least via GP tweaks > Network > Windows Firewall. Close ports 135 & 445 at the source via registry tweaks. I've posted them in here before. This will leave nothing left listening in except a web scanning module in an AV if you have one.

    Speaking of AV's I'd recommend Avast Free. Good AV for novices. But you did say you straightened out an AV for them already so that may be out of line. I apologize if so.

    MBAE Free would be a good layer for Firefox. All this stuff is free!

    Keep images of their setup at various stages filed away to get it back to tip top shape in that 6 month window you mention expecting it to be a veritable nightmare again. But then again Shadow Defender should help that. It's so much easier to use than people assume and I'll bet they'd not only handle it fine but wonder what took them so long.

    Use Ixquick as your search engine. Go into the settings to use HTTPS/TLS, disable search suggestions, etc... And both copy & paste the URL as the home page and it'll create a button for "Custom Search" too... use it as default and delete all others.
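
Added example, not part of any post in this thread: a small audit of a Firefox profile for the about:config items mentioned above (geolocation off, safe browsing left on for a novice). It assumes the 2015-era pref names `geo.enabled`, `browser.safebrowsing.enabled` and `browser.safebrowsing.malware.enabled`, and relies on the fact that prefs.js only records values changed from the default, so an absent pref has to be read as its default.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Firefox profile's prefs for the
# tweaks discussed above. Pref names are assumed to be the 2015-era ones.

# Print the value FILE sets for pref NAME, or nothing if the pref is not set.
pref_value() {
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*user_pref(\"$name_re\",[[:space:]]*\(.*\));[[:space:]]*\$/\1/p" "$1" |
        tail -n 1                                     # last assignment wins
}

# Compare effective values (file value, else Firefox default) with the wanted
# ones. Prints one line per pref; returns 1 if anything needs changing.
audit_prefs() {
    file=$1
    status=0
    # columns: pref name, wanted value, Firefox default when unset
    while read -r name want default; do
        actual=$(pref_value "$file" "$name")
        [ -n "$actual" ] || actual=$default
        if [ "$actual" = "$want" ]; then
            echo "OK   $name = $actual"
        else
            echo "FIX  $name = $actual (want $want)"
            status=1
        fi
    done <<EOF
geo.enabled false true
browser.safebrowsing.enabled true true
browser.safebrowsing.malware.enabled true true
EOF
    return $status
}

# Constructed sample: a profile where safe browsing was switched off and
# geolocation was never touched (so it is absent from the file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
user_pref("app.update.auto", true);
user_pref("browser.safebrowsing.enabled", false);
EOF
audit_prefs "$sample" || echo "-> add the corrected lines to user.js in the profile folder"
rm -f "$sample"
```
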
     
  13. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Chrome + uBlock Origin + HTTPS Everywhere + Malwarebytes PRO with website blocking enabled.

    That is the best you can do with a novice on XP. Maybe find a torrent of Windows 7 Ultimate too and install that.
     
  14. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    137
    Location:
    Earth
    How is it going?

    I've been wondering about what you wrote about this browser stuff. I wasn't even thinking of what you wrote. I just thought it to be safer to only use/activate stuff like javascript & scripts, flash and so on when it is really necessary. So instead of always activating when needed (and maybe leaving it activated on other sites) I thought of using just one browser for Netflix and Youtube or something like that. The usual browsing takes place in a browser without flash, javascript and the likes.

    Wouldn't that be a little safer already?
     
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    So... Resurrecting this thread several months down the road.

    To outline: tragedy struck the friend's family, completely out of the blue, and things did not go as planned. I had to hold the computer for her while she dealt with the aftermath.

    Things are somewhat worse now on the computing front. Largely my fault for not thinking of this stuff, and not checking up on it.
    - During the delay, the Norton IS license expired. So I would have to count on a (dodgy) free AV.
    - Chrome will drop support for Windows XP in April of next year. This gets rid of the only secure browser.

    So, the computer is usable - it boots in ~1 minute now - but it is not safe to use for any purpose.

    Meanwhile, the friend called up today. She'll be over to pick up the computer in a little under five hours.

    There are obviously, shall we say, serious ethical issues with handing her back a working laptop that is not safe to use.

    ...

    I'm thinking the best bet would be a USB stick Linux install for browsing, at this point. Not many other ways to deal with the situation that would actually fly. :(
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  17. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    So it turns out the Norton thing was an oversight on my part... Hurray I guess. That at least is kind of solved.

    @TairikuOkami based on what I've seen with Qihoo's labs pounding my router several times a week, I would not trust that company. Then again, it's not like I trust Symantec much either. The whole industry seems riddled with grayhat behavior.

    ...

    I ended up buying an 8 GB USB stick, and installing persistent Xubuntu on it. I will probably advise the user to do banking etc. from this; though I'm worried about crypto libraries on the live medium rapidly getting out of date.

    Also installed the final updates for WinXP, and added uBlock Origin for Chrome. This should help, if she remembers to use Chrome instead of IE...

    BTW I would advise the user to buy a new computer, but I'm spooked by how stores like Staples and Best Buy take advantage of customers. Judging from my prior experience, they'd probably pressure her into buying an overpriced machine with badware preinstalled. Also I don't know if she has the cash to spare.

    ...

    I think I'll give her the option of taking home my 2008-issue laptop, imaged with Win7, plus the install DVD. I have a workstation and a backup laptop, so it's not an issue to just give her the laptop freely. And it's not like I use Win7 for anything serious. Wish I could set her up with Linux for long-term use, but that does not seem possible.
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    @Gullible Jones - might I offer a Cunning Plan which I think could work for a novice as follows.

    I use a Puppy Linux for banking on a Usb stick. It supports persistence, but runs from RAM. In normal banking sessions, I boot up, and then, before browsing, remove the Usb stick physically. The user can browse to the site, but there is nothing, including malware, that can get written back. But this allows the option to update the stick, because if you do a boot and perform update (but do not browse) - then you can save the updates and close. This offers the advantage of a Live distro, but with update possibilities.

    I'm not sure whether a novice would follow this procedure adequately though, probably there's not much risk with an out-of-date Live distro providing the banking site is the only one visited.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Unfortunately other stuff came up, and she was not able to reclaim her computer yesterday...

    @deBoetie

    My preference would be Xubuntu Live or such, which also supports persistence (and runs very fast off a USB stick). Though persistence on a live medium is something like a 50% performance hit vs. running non-persistent, from what I've seen...

    The elephant in the room, in that case, is the crypto libraries. I don't like the idea of accessing a banking site while using e.g. OpenSSL or NSS versions that are out of date. Not saying it's guaranteed to be an issue, but it doesn't seem wise given the number of recent holes.

    ...

    Also, there's another problem: it looks like the computer's hard disk is going to give out soon. Linux shows DMA errors on every boot, and I can't resize the main NTFS partition, because it never unmounts cleanly.

    (I'd check that out from Windows too, but cannot - the Windows event log viewer is missing.)

    To add insult to injury, this is one of those stupid Dell consumer laptops, with a recovery partition instead of an install DVD. Probably I'll have to purchase a decently sized laptop IDE drive, and ddrescue the Windows partitions over; then I could install Linux on the remaining space. That would be a long term solution. Alas, what with the holidays, the drive would probably take a while to get here.
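
Added example, not part of any post in this thread: a check for the concern raised above about OpenSSL/NSS going stale on a persistent live stick. It assumes a Debian or Ubuntu based stick where `apt-get -s upgrade` (a simulated upgrade) is available; the watch list of package name prefixes and the sample output with its version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag crypto packages on a Debian or
# Ubuntu based stick that have upgrades waiting.

# Read `apt-get -s upgrade` output on stdin and print "package old -> new"
# for each pending upgrade of a TLS/crypto package. The name prefixes are an
# assumed watch list; extend it to match what the browser on the stick links.
pending_crypto_updates() {
    awk '
        $1 == "Inst" && $3 ~ /^\[/ &&
        $2 ~ /^(openssl|libssl|libnss3|libgnutls|ca-certificates)/ {
            cur = $3; nxt = $4
            gsub(/\[|\]/, "", cur)      # "[1.0-1]" -> "1.0-1"
            sub(/^\(/, "", nxt)         # "(1.0-2"  -> "1.0-2"
            print $2, cur, "->", nxt
        }'
}

# Succeeds (exit 0) when stdin lists at least one pending crypto upgrade.
crypto_updates_pending() {
    [ -n "$(pending_crypto_updates)" ]
}

# Constructed sample of simulated-upgrade output; version strings are made up.
sample_apt_output() {
    cat <<'EOF'
Inst libssl1.0.0 [1.0.1k-3+deb8u1] (1.0.1k-3+deb8u2 Debian-Security:8/stable [amd64])
Inst vlc [2.2.0-1] (2.2.1-1 Debian:8/stable [amd64])
Inst libnss3 [2:3.17.2-1] (2:3.17.2-1.1 Debian-Security:8/stable [amd64])
Conf libssl1.0.0 (1.0.1k-3+deb8u2 Debian-Security:8/stable [amd64])
EOF
}

# On the stick itself (persistence on, before any browsing):
#   apt-get update && apt-get -s upgrade | pending_crypto_updates
if sample_apt_output | crypto_updates_pending; then
    echo "Crypto libraries are behind; update before banking:"
    sample_apt_output | pending_crypto_updates
fi
```
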
     
  20. Foxes

    Foxes Registered Member

    Joined:
    Nov 28, 2015
    Posts:
    8
    Location:
    USA
    I'm currently using Chrome with uBlock Origin + Disconnect.me + HTTPS Everywhere + Malwarebytes Anti-Malware Home Premium which has Web surfing protection enabled. I am thinking about switching browsers though.

    For passwords I use SuperGenPass. Wouldn't be very good if I used a mobile device, but I'm usually on an actual computer so it works well.

    Also this is my first post on the forums. Hi! ;)
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Hi @Foxes and welcome to the forums :)
     
  22. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    As long as it will do everything she needs, tell her to buy a chromebook.
     
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @mick92z

    That's a good idea, and the thought has crossed my mind. It would at least give her a way to surf securely, even if it couldn't run her proprietary stuff.

    ... Maybe?

    One thing I hadn't thought of. She has this habit of installing all kinds of weird little free games and doodads, some of which have proved to be pretty dubious. And from what I've seen, the Chrome app store has its share of exploitative apps.

    Sigh. I'd like to be able to solve all these issues with software, but some of it is really more like legal/consumer protection stuff.
     
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Yes, sadly so.

    I think I'd be tempted to suggest a s/h laptop with usb3. Doesn't have to be fancy, but that would run Linux fine, and with FireJail, you can have browser profiles that wipe themselves, so the dodgy apps would disappear, or it can operate in a sandboxed space with restricted permissions to anywhere. User doesn't have to be aware what's happening, just some desktop icons for different things.
     
  25. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    So, an update: I'm biting the bullet here, and setting up a Linux USB stick, for her to do banking and purchasing with. I think it should be good for a while.

    I'm using Debian Live (Mate) for this, currently. Works okay, but I'd like to make a few tweaks. Anyone know a way to make a live USB stick auto-run a shell script after it finishes booting?
     