Your essential PC-security guide

Because of the recent DigiNotar scandal and general questions from friends and clients, here are my ‘best practices’ for securing my PC (and online activity).

A few remarks:

  • I use Windows machines – the software I discuss might come in versions for other OSes, or not. If you feel you don’t need any security because you’re on an Apple, think twice: it might be safer and more stable than Windows, but that doesn’t mean you are completely safe. There are fewer hackers out there writing viruses etc. for it simply because there are fewer Apple users. Educate yourself: Apple security and anti-virus. There are still some useful tips and links for you here;
  • Almost all software and links that I use/mention are free – MailwasherPro isn’t ($30 a year). Most free versions ‘do a good job’, but sometimes the paid versions are worth it (if only to support the developer(s)).
    I do not get anything from them for endorsing them – it is based on my experience with their products (sometimes for years now) and by sharing it I can assist you and help them a bit. There are no affiliate links here, so there is no commercial interest or incentive from my side – I’m objective and independent;
  • I indicate whether something is critical, strongly advised etc. That’s just my ‘grading’ – based on my experience. So it is subjective, as you might feel that something is not needed at all because you have never used it and never ran into trouble. Great, good for you – this is a guide only, not a law. I use everything mentioned here, so you could do so as well – or use something similar (like a different virus scanner). Still, try the stuff I mention here – it won’t hurt your machine or experience, and you will be better protected.
  • No guarantees from me – as they say: “the chain is as strong as the weakest link”. Meaning, if you, for instance, use weak passwords, no firewall can protect you. Follow this guide and you won’t make the rookie mistakes any longer.

Questions? Suggestions? Overwhelmed and confused? Leave a comment below or email me via the contact page. Any feedback is appreciated – always (please leave out comments on ‘better’ OSes – this is about making Windows safer – comments need approval, so do not waste your time).

In due course I will update this page – better solutions might come available, so I want to add those. Check back every 3 months or so.

At the bottom of this long page, you will find a table that conveniently holds all links from this article – like a summary. Once you know what you need to add or update, you will find it quickly there.


DigiNotar: Critical

DigiNotar issued certificates that vouched for computers and websites: like a passport, telling you that a site really is who it claims to be. That is standard practice and you rely on certificates each day: Verisign and RSA are the bigger players. Except, DigiNotar itself got compromised (‘infiltrated’), so certificates it issued cannot be trusted any longer. DigiNotar’s root certificates ship with your browser as trusted; if you recently updated your browser, they should have been removed already. Here’s how to remove them manually (Internet Explorer, Firefox and Chrome): remove DigiNotar from your browser.


Anti-virus & Firewall: Critical

  1. No introduction needed. I don’t like Norton or McAfee, as they are clunky and invasive, clogging up your machine and slowing it down. Much better (!) alternatives are Avast (I had their paid version, but after some update it interfered with my DSL line, so I switched) and Comodo. Very good products, including a firewall;
  2. Although some people feel you need only one anti-virus product, I disagree, because Microsoft offers an excellent tool to keep you safe(r): Security Essentials. You can run it in conjunction with any anti-virus scanner, so get it now;
  3. Also, make sure you enable Automatic Updates – follow the instructions or click on the left mechanic-image. To manually check for updates, bookmark this page: Windows Update;
  4. WiFi/WAN – check the settings of your router/modem – usually there is a built-in firewall (a hardware one, as opposed to the software ones in 1 & 2). Make sure you use a strong access key, so strangers cannot access it from outside, stealing your bandwidth – or worse.

Heard of ‘scareware’? It’s fake, free online virus-scanning. Fake because it is itself a virus or malware – by fooling you into thinking you are cleaning your PC, it actually infects you. Use only the above tools to scan – never click on a link in an email or one of those annoying, flashing banners or pop-ups. Even if it displays the contents of your disk (folders/directories and a list of files), do not accept their friendly offer! Without your permission they read the contents of your drive to give you the impression it was a serious virus-scan. To learn more about the risks, read this: avoid scareware scams.


Passwords: Critical
We all ‘know’ we need good passwords, but we also admit that we are lazy, sloppy and un-smart. That’s why hackers love you and will keep returning to your accounts.
A few pointers:

  • don’t use your main/business email account to sign up with websites, newsletters etc. Use one you could afford to ‘lose’ or throw away (Gmail is quite good) – reason being, if some site gets hacked, they only find your disposable address (and password);
  • use a unique password for each site – you read about several major sites being hacked and passwords being exposed lately – those passwords are now tested on other sites, trial and error… A simple trick is to put the first 3 letters of a site’s name before some generic password: ‘gma’ for Gmail, ‘hot’ for Hotmail > gma#Mypwd & hot#Mypwd – far from perfect, but much better than no site-variation at all;
  • don’t use (pet) names, words from the dictionary, birth dates only etc. Also, use at least 8 characters, mixing capitals, digits and special chars such as ! _ + @ # $ - ~ % ( ).

Good passwords are usually hard to remember – certainly the first few times – and once you start remembering them, you should change them as they might be a bit too ‘old’ now… But what is a ‘good’ password? There are many articles out there – here’s a good one: Simple Formula for Strong Passwords.

Skip the boring stuff and jump to their Appendix A (page 40) – use it as a guideline – you can change anything you like, as long as you make it yours so you can remember it easily:

How to create a password:
A.

  1. Pick any special character. You will always use it for your passwords (like !@#$%^&*+()=-;:’”~`][}{\|><?/.,)
  2. Pick a secret 3 or 4 digit number (could be a birthday, like April 5, 1956 or 4/5/56, written without the slashes = 4556; this is your secret code)
  3. Pick a very simple password that you can remember (this is the root of your password – it can be the name of the application/site you are logging into, such as Windows, Hotmail, MS Word, Resume, etc.)

B.

  1. Always surround your root password with your favorite special character
  2. Always insert your special number after the second character of your root password
  3. Always capitalize the first character after your secret code (now you have the unchanging part of your password – the Static Password)
  4. (Now for the part of your password that changes every 90 days when you are forced to create a new password) Always add the creation date to the end of your new static password. Add it as a combination of the calendar quarter plus the calendar year (Quarter 1, or Q1 of 2005 would be 1 and 2005 written together as 12005 – now you have your Full Password)

Example 1
(Password = ~Ti4556M~12005)
Step 1: ~
Step 2: 4556
Step 3: Tim
Step 4: ~Tim~
Step 5: ~Ti4556m~
Step 6: ~Ti4556M~
Step 7: ~Ti4556M~12005

Example 2
(Use the same technique for each account that you have. Just change the root password to the name of the account or application and everything else is the same)

Hotmail (Password = #ho4556Tmail#12005)
Step 1: #
Step 2: 4556
Step 3: hotmail
Step 4: #hotmail#
Step 5: #ho4556tmail#
Step 6: #ho4556Tmail#
Step 7: #ho4556Tmail#12005

Example 3

Windows (Password = $wi4556Ndows$12005)
Step 1: $
Step 2: 4556
Step 3: windows
Step 4: $windows$
Step 5: $wi4556ndows$
Step 6: $wi4556Ndows$
Step 7: $wi4556Ndows$12005
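To make the Appendix A recipe above concrete (and the ‘at least 8 characters, capitals, digits, special chars’ pointer from the passwords section), here is a small Python script that carries out parts A and B step by step and reproduces the three worked examples. This is an added illustration written for this page; it is not code from the article or from the linked ‘Simple Formula for Strong Passwords’ paper. The function names (`static_password`, `full_password`, `worked_steps`, `check_basic_rules`) are my own choice, and the input validation (single punctuation character, 3–4 digit code, root of at least 3 characters so there is a character after the code to capitalise) is my assumption about what the steps require.

```python
"""Worked example of the Appendix A password formula quoted above, plus the
basic 'at least 8 characters, mixed classes' check from the pointers.
Added here for illustration; not code from the article or the linked paper."""
import string

# The paper's list of "special characters" is essentially ASCII punctuation.
SPECIALS = set(string.punctuation)


def check_basic_rules(password: str) -> list:
    """Return the list of pointers the password fails: length >= 8, a capital,
    a digit and a special character. An empty list means it passes them all."""
    failures = []
    if len(password) < 8:
        failures.append("length < 8")
    if not any(c.isupper() for c in password):
        failures.append("no capital")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special char")
    return failures


def static_password(special: str, code: str, root: str) -> str:
    """Part B, steps 1-3: surround the root with the special character,
    insert the secret code after the second character of the root, and
    capitalise the first character after the code."""
    # Validation is an assumption about what the steps need to work at all.
    if len(special) != 1 or special not in SPECIALS:
        raise ValueError("special must be a single punctuation character")
    if not (code.isdigit() and 3 <= len(code) <= 4):
        raise ValueError("code must be a 3 or 4 digit number")
    if len(root) < 3:
        raise ValueError("root needs at least 3 characters (one after the code)")
    head, tail = root[:2], root[2:]
    # B1 (surround) + B2 (insert after 2nd char) + B3 (capitalise next char).
    # Casing elsewhere in the root is left as typed, as in the 'Tim' example.
    return special + head + code + tail[0].upper() + tail[1:] + special


def full_password(special: str, code: str, root: str, quarter: int, year: int) -> str:
    """Part B, step 4: append the calendar quarter and year (Q1 2005 -> '12005')."""
    if quarter not in (1, 2, 3, 4):
        raise ValueError("quarter must be 1..4")
    return static_password(special, code, root) + f"{quarter}{year}"


def worked_steps(special: str, code: str, root: str, quarter: int, year: int) -> list:
    """Reproduce the Step 1..7 trace shown in the article's examples."""
    surrounded = special + root + special                       # step 4
    inserted = special + root[:2] + code + root[2:] + special   # step 5
    static = static_password(special, code, root)               # step 6
    return [special, code, root, surrounded, inserted, static,
            static + f"{quarter}{year}"]                        # step 7


if __name__ == "__main__":
    # Constructed inputs matching the three examples above (code 4556, Q1 2005).
    for special, root in (("~", "Tim"), ("#", "hotmail"), ("$", "windows")):
        for i, step in enumerate(worked_steps(special, "4556", root, 1, 2005), 1):
            print(f"Step {i}: {step}")
        print("fails:", check_basic_rules(full_password(special, "4556", root, 1, 2005)))
        print()
```

Running it prints the same Step 1–7 traces as Examples 1–3 and an empty `fails:` list for each, i.e. the generated passwords satisfy the 8-character/mixed-class pointer. The point to take from the code is that everything after the root is the same for every account: the special character, the code and the quarter/year are shared, so the per-site variation comes only from the root.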

Want to test your password-strength? Go here: Microsoft Password Checker or here: Passwordmeter.

Now that you have more and stronger passwords, you need to keep track of them. Don’t put them in an Excel sheet, as that is not safe enough. Use this: Keepass. Make sure you start with a really strong pass-phrase(!)


Backup: Critical

Even losing 1 file that you worked on all day is a small crisis – imagine losing several folders or email messages. It happens all the time: deleting the wrong files or too many; a power dip that freezes the file(s) you’re working in; uninstalling software which deletes your work folder without warning. Or your hard disk simply giving up. Just like you have insurance on your car and home, you need to be prepared for the worst-case scenario when it comes to your computer. Not only in the cases mentioned earlier, but also fire or theft – you cannot afford to lose those files.

I don’t use any software to back up my files – using ‘old’ DOS batch files that I edit myself, I copy my recently changed files to an external drive. To save you the hassle, there are several programs that make it a simple task for you. This one seems very efficient: SyncBack (they offer 3 versions; the free one is basic, but should be enough for starters – you can always upgrade later).

Another option is online storage: no external drive needed (which you have to store away from your PC!) and which you then forget to bring to your PC… missing your weekly (or even daily) backup. You’re online already and this service helps you out: Comodo Backup – it looks like a good solution (they even help you set it up).
And, one of the leaders in online backups: Carbonite – not free, but robust and reliable.


Malware: Strongly advised

Malware (trojans, key-loggers etc.) might not always be detected straight away by your virus-scanner(s). Yes, they should protect you. No, they don’t always, as there are now so many different forms and mutations that it takes specific tools to scan and remove them. One of the better ones is Malwarebytes. Run it regularly (weekly) as an extra safety net.


Regular clean up:  Strongly advised

Windows is not the best platform when it comes to ‘resources’: it saves a lot of useless files, depending on your settings it keeps all your internet history for ages, the registry gets clogged (no built-in cleaner, not even after all those years…). So, you need to do some extra maintenance there as well…

Two cleaning tools:

  1. CCleaner – excellent tool to clean your internet history (incl. cookies that contain personal/private data) and your registry (so your machine runs a bit better). Also for Mac;
  2. RegSeeker – does a very good job of cleaning your registry (finds other stuff than CCleaner) and some other clean-ups (older tool, might not work on the latest Windows versions)


Mail:  Strongly advised

The regular warnings:

  • do not open attachments from strangers – never;
  • do not click on links in mail from strangers – not once;
  • do not reply to spam or junk with some smart Alec answer – all you do is confirm your address, so they can sell it, resulting in more…

Now if you are really serious about mail and security, get MailwasherPro. It checks your mail on the server and you delete it there – it never reaches your inbox. Also, it detects spam, so you can delete it even faster. You can set up all kind of rules, making your online life a bit easier. The free version is pretty useful, but Pro is worth the yearly fee of about $30 – seriously!


Other updates:  Strongly advised

Now that you update Windows regularly (see above), you also need to check on other programs (Windows should do this, but hey…). Make sure you stay up to date as much as possible: no use having anti-virus and a firewall if the bad stuff comes in via a backdoor (like outdated software).

Two suggestions (I use both):

  • Secunia - online scanner, checks for the most common programs (run it every 2 weeks)
  • FileHippo – installs a small program – checks for updates on many programs on your pc – great site for finding new software as well! (run it every 2 weeks)


Advanced solutions: Optional

If you really want to protect all sensitive data on your hard disk, use Truecrypt – it ‘locks’ (part of) your disk. As that section is hidden, others don’t even see it when browsing in Windows Explorer (in case they would get access to your PC – either via the web or when it is stolen).

Also, you could install Prey – intended for laptops mainly, it sends data over the internet once the machine is in the hands of a thief: screenshots, IP address etc. With that info, you can possibly locate your machine and hand the details over to the police so they can get it back for you – as was the case here: “How I got my laptop back with Prey”


SUMMARY (all links together now)

DIGINOTAR (section) – Critical
  • Remove DigiNotar: click here
ANTI-VIRUS & FIREWALL (section) – Critical
  • Avast: click here
    or
  • Comodo: click here
  • MS Security Essentials: click here
  • MS Windows Update: click here
PASSWORDS (section) – Critical
  • Keepass: click here
  • Formula for Passwords: click here
  • MS Password Checker: click here
  • Passwordmeter: click here
BACKUP (section) – Critical
  • SyncBack: click here
  • Comodo Backup: click here
  • Carbonite: click here
MALWARE (section) – Strongly advised
  • MalwareBytes: click here
CLEANERS (section) – Strongly advised
  • CCleaner: click here
  • RegSeeker: click here
MAIL (section) – Strongly advised
  • MailwasherPro: click here
OTHER UPDATES (section) – Strongly advised
  • Secunia: click here
  • FileHippo: click here
ADVANCED (section) – Optional
  • Truecrypt: click here
  • Prey: click here