Jump to content.

IFX Group


Useful Internet Safety for the Casually Paranoid User

I hear about the risks and I know the rules. The Internet is not a safe place. But there is a growing middle ground between safe and risk that always seems to step on my ability to just do what I want on the Internet. Adding bulky, heavy and sometimes intrusive Internet Safety suites are painful and make my whole computer feel slow even when I'm not using the Internet. So I started asking my computer savvy geek friends what they do for protection and here is my collection of their answers. I arranged the answers in an order that makes it easier for my friends to step from one to the next with minimum effort so you can do as little or much as you want until you feel comfortable. And at the end I'll describe my personal setup.

Step 1: The simple stuff.

  • Passwords. Some of my geek friends can drone on and on about safe password practices for what seems like days on end. My mind goes fuzzy, the expression on my face blanks and I lose my sense of time. They usually stop talking a few minutes after I pass out. But that doesn't make this any less important. The good news is your choice of a password is incredibly simple and can potentially improve your safety more than all of the rest of these suggestions combined.

    My memory is not what it used to be. I need help, but a pile of yellow sticky notes on my computer feels like the wrong way to go. So I combined a couple of different suggestions into something that works for me.

    1. I group everything that wants or needs a password into three classes. The first is anything that involves money. The second is anything that I consider private. The last is everything else where I personally feel a password is a waste of my time.
    2. I make up some simple rules for each of the classes.

      1. The first group is where I want the most security and the safest password. But since I have very limited room in my brain there needs to be a way for me to remember the password without a sticky note. One of the easier ways to remember a password is to use two unrelated words; a noun and a verb or adverb. Join those two words together with some punctuation and it magically turns into a high quality password. The word pig is a very low quality password, but pig-flying! is not only high quality but amazingly easy to remember. It works with almost any two words you want. Put them together with punctuation marks or numbers in between the words and you have a safe password you can remember.
      2. The second group needs passwords that are very hard for someone else to guess but easy for me to remember. These are typically online stores where I want to keep my credit card information safe, but I don't want to spend the time to make up a super secure password. This is where I use a less secure two part password security. The first part is the company name which can come directly from the web site address or some part of the company name I feel is easy for me to remember. Then I add a punctuation mark or number followed by a simple word. The same simple word can be used over and over so that part is easy for me to remember, but when combined with the company name and the punctuation or number it becomes much safer.
      3. The third group is easy - use the same simple password everywhere because I don't care if someone gets that password or whatever it protects. All web sites that require me to create an account just to do something stupid get the same stupid password. So there.
    3. Exceptions to the rules. Some password management systems force you to change your password on a regular basis. When I encounter these annoying speed bumps I first check to see how many times I get to enter a wrong password before it stops asking then I add a number to the end of my password to match. Since most of the rotating password situations allow a minimum of three wrong attempts, all of my passwords on those systems have 1, 2 or 3 at the end.
  • Firewall. Every external window and door in your house has a lock of some kind. In fact it is likely almost every door in your whole house has a lock. This is even true for those extremely rural houses that never actually lock the doors. The lock is not there to restrict the owner of the house from getting out. It is there to allow the owner to restrict unexpected or uninvited guests. This is the most simple description of an Internet firewall.

    If you are connected to the Internet and don't have a firewall, get one right now! If the only firewall you have is software built into your computer, get an external firewall. External firewalls can be low cost and ensure if your computer is ever compromised that your firewall has a better chance of still working. Typically every Cable modem and DSL modem already has a simple firewall inside. This is good enough for most home uses, but a business or more security conscience home user wants something better. Your budget is the only limit. But don't just look at the purchase price, consider the cost to replace or repair all of the information on your whole computer if/when something bad happens to get through.

Step 2: Moving out of the target zone.

I had almost no idea what target zone meant until my old computer died. I started looking around at the choices and comparing the different offerings. I narrowed down my choices to three; Microsoft Windows, Apple Mac and Linux Mint. Each have plenty of features and strengths in common, but interestingly there is a very big difference between them when it comes to the number of attacks. This gets a little easier to understand when you consider the numbers. There are way more desktop computers running Windows than any other operating system. A bad guy that wants to attack a computer is more likely to encounter Windows so building an attack for that operating system works a lot of places. If you imagine a bull's eye target, Windows is the center dot - a really big one. The Mac is less common but still well known enough to attract some attacks. This is the inner ring of that target. All of the other operating systems are beyond the outer ring. This does not mean any one operating system is significantly less or more secure, just that an attacker is likely to target the most common one first.

The Web Browser

The same goes for web browsers. The most common desktop web browser on the Internet is Microsoft Internet Explorer. This means anyone wanting to attack your computer through the web browser (yes it is a very common way to attack you) is likely to design their attack for Internet Explorer first. The easy way to avoid these kinds of attacks is to use a different web browser. Fortunately there are plenty of good choices available. My personal favorite is Firefox, but be sure to check out Google Chrome. Each is at least one step removed from the bull's eye target center. If you want an additional layer of protection get the NoScript add-on for Firefox. This shifts the browser default setting to block things that are likely to hurt you until you specifically choose allow. A side benefit is that a large part of the annoying advertising you see on the Internet goes away when you get the NoScript add-on.

The Operating System

So after a lot of consideration I chose to replace my old Windows computer with a Mac, but with a twist. First the Mac was one step removed from the center of the Internet attack target. This was important to me. The fact the Mac came with a bundle of software that directly fit what I did most with my computer was a big bonus. If you have trouble organizing all of your pictures, you must see the iPhoto faces feature in action. But I had over a decade of Windows software collected that I still used and none of it runs directly on the Mac. I think this is typically the main reason why Windows users find it hard to move out of that bull's eye target. But I had a little help from one of my geek friends. There is a free program called VirtualBox that lets me run a complete Windows operating system inside a window on my Mac. All of my old Windows software runs inside that box just like it did before, but there is an added advantage. The default VirtualBox setup has its own firewall to isolate the virtual machine from the real hardware. This gives me an additional layer of protection for the operating system I know is most likely to be attacked. But wait, there's more!

Step 3: Segmenting Function.

Take a minute and think about everything you do on your computer. Try to group them by how you would feel about that specific thing getting published in the public media. For example, you may feel flattered by being on the local news for browsing the web for blogs, recipes or watching cute cat videos, but you would feel very different if all of your banking details and financial activities were on the national news. This makes it easy to recognize the division between entertainment browsing and business browsing. Don't limit your thinking just to web browsing. Think about everything you do with a computer.

I did this and came up with three major groups.

  1. Really sensitive stuff. This includes anything involving taxes, banking and my personal finances like bookkeeping.
  2. Anything that involves money not in the first group. I buy stuff on the Internet. I don't see this in the same class with banking, but it still could be a problem if my credit card number got out.
  3. Everything else. I like to follow a lot of different web sites and blogs. These are so entertaining to me that I would rather read a good blog than watch TV which has saved me close to $100 a month because I no longer need to pay for TV. Take that you expensive cable and satellite providers!

Imagine if you could have a different computer dedicated to each of these functions. What would that look like and how much would that cost?

My Setup.

If you have been reading along you already have all the parts and pieces in my personal setup and how I handle protecting my private stuff. I describe my setup here for my friends so they can make a more informed choice when their old computer needs to be replaced.

Everything starts with the hardware.

I have two hardware firewalls. The first one is the DSL modem. This is included with the DSL line so I don't have much of a choice. It has three different security settings, I chose the highest. The second firewall is an IPAD-OS device (not affiliated or related to Apple's iPad tablet) that has a very high speed proxy firewall. These two layers mean if the DSL modem is somehow compromised the IPAD-OS firewall makes it look like the attacker failed. Using two different hardware firewalls in a row is overkill for a home setup, but that extra protection is priceless compared to the cost of replacing all of the pictures and documents I have made over the past two decades.

My iMac is a stock unit with the maximum memory installed. Since memory is so cheap these days I figured it would be good to get that right up front rather than having to go back and upgrade later. This also allows me to run more than one VirtualBox at the same time. An easy rule of thumb is 1 gigabyte of memory is needed in my real computer for each VirtualBox machine I want to run at the same time. Turning off one VirtualBox machine before starting another is one way to have more virtual computers than physical memory.

One small Mac-related hint here. When setting up the Mac for the first time you will be prompted to create an account. The first account you create is considered the manager of the computer which should be different from the account you use every day. This means you should always make the first account with a name you would not use regularly. Avoid common names like admin or root because these are common accounts that attackers try to access. Always setup at least one additional account for your personal use. This simple step adds another layer of protection against potential attack against your Mac.

Now the software.

My computer geek friends helped me get started with some Free Open Source Software (FOSS). This covered everything not included with the Mac - Firefox with NoScript, LibreOffice.org and VirtualBox.

With VirtualBox I can create fake computers that don't take up any space on my desk, don't cost me a thing to maintain and run on hardware that never ages or breaks. At first this can sound a little confusing, but I can tell you this is amazingly easy to use much easier than plopping another box of electronics on my desk.

  • The first virtual machine was for Microsoft Windows. I installed my old copy of Microsoft Windows (which I already owned the license and install CD) and then the Windows-only software I used most. This includes accounting software, tax software and my old copy of Microsoft Office for those rare times when LibreOffice.org would not yet do what I need.
  • The next virtual machine is using Linux Mint - a free Linux operating system that is known to be at least two steps removed from the bull's eye target while still being very easy for me to use. It comes with all of the software I need already installed. The only thing I had to do was install the NoScript add-on to Firefox.

Why two virtual machines?

Consider the grouping exercise described in part 3 above. I have three groups that match the three machines.

  1. Public. I use the Linux Mint operating system with the Firefox web browser and the NoScript add-on for everything I publicly do on the Internet. All of my web browsing to anyplace that is not private (banking, accounting, buying, etc.) is done in that VirtualBox. If some attacker was able to get through to that machine, they would be stopped cold because they could not see anything on my Mac outside that VirtualBox. If someone was able to get into my Linux Mint machine and search for any email, personal information or account information they would be out of luck because it is not there.
  2. Private. All of my money accounting stuff is done in the Windows VirtualBox. This machine is NEVER used to do anything on the public Internet and absolutely never used for things like web browsing or email. The accounting software I use does have the ability to download financial stuff, but that is not in the same class of risk as visiting a blog, viewing a video or playing an online game.
  3. Personal. For everything involving money on the Internet I use Firefox+NoScript on the Mac outside the VirtualBox. This is the only place where I type any of my secure passwords. If I were really paranoid I could setup another Linux Mint VirtualBox, they don't limit the number of copies you can run, just for the money stuff, but that could get a little confusing for me.

I hope this helps give you some ideas how to improve your own protection even if you don't exactly follow what I did.

~ Cathy Lea

First published 2010-05-11. The last major review or update of this information was on 2014-03-07. Your feedback using the form below helps us correct errors and omissions on this page.