Cyber Security Personal Tips

1/28/2014 12:05:39 PM

Security Tips
Consumer Electronics, and Life, on-line and off-line.

How to protect ourselves, with minimal hassles.


Notes by Alister William Macintyre Last updated 2014 Jan 28
Version 0.4

Table of Contents, 4 levels
Introduction (2013 July 05)
Digital Safety (2013 July 05)
Computer Security Checks (2013 July 05)
Physical World examples (2013 Dec 10)
Digital World challenges (3 July 05)
Test Cyber Security (3 July 05)
Recovery Insurance (3 July 05)
Do we need a patch or update? (3 July 05)
Applying Patches & Updates (2013 July 04)
Malfunction Repairs (2013 July 15)
On-Line Safety (2013 July 04)
Parents (2013 July 05)
e-mail Security (2013 July 05)
Browser Security (2014 Jan 28)
Privacy Settings (2014 Jan 28)
AVG Privacy Fix (2014 Jan 28)
AVG Privacy Fix for me (2014 Jan 28)
Google Chrome (2013 July 05)
Mozilla Firefox (2013 July 05)
First Aid before Disaster (2014 Jan 22)
ATM Risks (4 Jan 22)
Check our credit reports (4 Jan 22)
Privacy (2014 Jan 28)
Scams by Mail or Phone (2013 Dec 10)
Insurance (2013 Dec 10)
Money in Bank Safety (2013 July 04)
Corporate Security (2013 Nov 19)
Other Real World Security (2013 Dec 10)
Answering Police (3 Dec 10)
Our Rights (2013 Nov 19)
Find Lawyer (3 Dec 10)
Revision History (2014 Jan 28)

Doc in folder = Studies / Nat Sec / Cyber and Critical

Introduction (2013 July 05)


Each chapter heading ends in a date in parentheses, which represents the last time I added something, or re-wrote something, in that chapter. Those with 2013 July 04 are the same as what was shared in version 0.2. This is to help people who have an earlier edition see what I have updated since they got that edition.

Although I have been working with computers since the early 1960s, there are many areas where I am not an expert. However, I frequently notice people making mistakes with electronic security and personal privacy safety, so I have collected these tips to share with my friends and family. I do not claim that my tips are all-encompassing. I have been burned several times, so you need more advice than I am sharing here. You could consider this collection of tips to be a sharing of lessons I have learned on being safe. Also, technology evolves, so guidance which is valid at one point in history might not be good enough forever.

Since I started these notes, I have frequently been adding more info to them, so after you download a copy, you might check back every few months to see if I have uploaded a revised edition. I increment the version # and the date of last update, so it is easy to know.

If I have said something here which you do not understand, then try to contact me for clarification.[1] If it is not clear to any one person who speaks out to me, then probably it is not clear to others, and I need to rewrite it more clearly.

Digital Safety (2013 July 05)


Here is some advice to help keep ordinary people as safe as is practical. Tips accumulated by Alister Wm Macintyre (Al Mac).[2]

If you receive an email, from someone you know, who describes some serious trouble they got into, contact that person directly with the number or email address that you have for them, or contact someone in their family or business who may know more about their current situation. Use a contact method OTHER than the contact info which is in that email. There are scams where a person's e-mail is compromised, and now controlled by someone painting a horrible story, necessitating rapid delivery of money to get them out of some jam, which is a fabrication of the crook. You send the money to where the crook says, and of course only the crook gets it.

[1] You can post comments where I posted on Scribd & I will see them the next time I sign on there, which is usually at least monthly. If you are on social media, you can find me via my full name, Alister William Macintyre, or via the abbreviated Al Macintyre.
Linked In: http://www.linkedin.com/in/almacintyre
Google Plus: https://plus.google.com/u/0/108007903544513887227/about
Warning: I am exiting Facebook. I no longer read the flood of e-mail which comes to me from it.

[2] I have uploaded this document to here: http://www.scribd.com/doc/149569351/Cyber-Security-PC-Tips-Al-Mac
From time to time, after adding more tips to my collection, I plan to upload a revised edition.
July 04 mid-day, I uploaded version 0.2 = approx 9 pages with 9 chapters, encompassing safety tips for a mixture of home PC, real life, on-line.
June 23 evening, I uploaded version 0.1 = approx 4 pages with 3 chapters = Digital Safety; Security Checks; Privacy.

NEVER give out personal information over the telephone or online to someone you don't know, even if they are allegedly with some organization which you do know. Microsoft does not call ordinary people to help them with some alleged problem on their computer, when those people never contacted Microsoft in the first place. Anyone calling you who claims to be with Microsoft is probably either a crook, or working for a crook, unless you have had occasion to know some Microsoft employee personally.

Because new scams, viruses and hacker techniques are created daily, make sure your computer has up-to-date security software and/or hardware, which collectively includes anti-virus, anti-spam, firewall, detection of compromised web sites, blocking of unwanted downloads, and blocking of invasions of your privacy. Do due diligence to locate security services you trust, and learn how to access their help, so that when there is some security scare in the news, you can go to their site to verify you are protected, instead of relying upon the scaremongers.

If you get an e-mail saying that some strange file name, on a computer, is evidence of a virus, so you need to delete it to be safe, do NOT follow advice which came from a total stranger in a forwarded e-mail. It is another scam. You need that file for your computer to work properly. Learn how to check these things out.

Avoid filling out forms in email messages. You can't know with certainty where the data will be sent, and the information can make several stops on the way to the recipient.

NEVER click on links contained in emails you receive from someone you don't know, even if the email looks real. Recognize which of your contacts may or may not be wise to these risks. Some people receive and forward dangerous links, without thinking.

If you click on a link in an email message from a company, be aware that many scam artists are making forgeries of companies' sites that look like the real thing. Verify the legitimacy of a web address with the company directly before submitting your personal information, which includes your sign-on password.

If some information is confidential, sending it via e-mail, unencrypted, is risking a breach. E-mail is convenient but not safe.

Don't trust email headers, which can be forged easily. Study the HELP on your email system, so you can figure out how to locate headers.

Are you using some on-line site for backup, and don't visit there very often? I suggest you visit every few months, to make sure it is still active, because if management thinks your account has gone inactive, they may close it & re-assign it to someone else.[3] All your stuff is now gone for good.

Any time you get some hardware or software which has built in default passwords, you need to change them, and have a system for keeping track of your passwords.[4] Some cell phones have a default password which is the same as the serial # of the cell phone, so anyone who finds a list of customers and what cell phones they have can hack into those phones, if the customers have not yet changed the passwords. This logic applies to all kinds of hardware.

There is no such thing as one simple computer security tool which will protect you from all different kinds of attacks. You need to have a suite or package of different defense-in-depth tools,[5] to protect against different kinds of attacks, such as:
- Malware attached to e-mail
- Hackers trying to get past your fire-wall
- Web sites with drive by malware infection.[6]
- Scams delivered by phone, snail mail, e-mail, social networking.
- Breaches at places which have data about you.

[3] http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-idea/
[4] https://krebsonsecurity.com/tools-for-a-safer-pc/
[5] https://krebsonsecurity.com/tools-for-a-safer-pc/

Computer Security Checks (2013 July 05)


Security in the physical world is simple for most people, compared to the digital world.

Physical World examples (2013 Dec 10)


Whenever I am about to leave some place, a restaurant, a theater, etc., I check my pockets to make sure nothing critical fell out: keys, wallet, etc. Whenever I leave my parked car, home, or office, I double check that I turned out the lights, did not leave anything turned on eating the electric bill, locked the door, etc. This is simple to do.

During cold weather, we sometimes do different things from our normal routine, to improve the odds that our car doors are not frozen, that the engine will start, that our windshield wiper blades survive the ice, etc. Note that some actions are a trade-off: they can help one area and hurt another.
- Yak Trax are an inexpensive buy to put on shoes, so we can walk on the ice.
- De-icer can help melt car door locks, and expedite clearing ice off windows, but does not help if left inside a car whose door locks are frozen.
- Windshield wipers standing up will accumulate less ice, but if standing up in a strong wind, we can lose them. Also I had a situation with a dead battery, where I could not get all the ice off the car, and could not open the hood for a jump start, because of the standing up windshield wipers, the area being totally iced anyway.
- Find parking spots where we won't have to back out when the rear windshield is totally iced over.
- You probably don't want to park where you need to put on the brake, since it also could get frozen there. Also check the brake did not get put on by accident, if caught on a coat, while climbing over chairs from a door other than the normal one, when the normal door is frozen.

Digital World challenges (3 July 05)


In the digital world, it can be more challenging to verify that our Internet and other electronic security is an up-to-date version working properly.[7] Some flawed patch, or other action, could have messed it up, and we are not aware of this. The thought of wading through configuration options and feature menus, to see if everything is correctly selected and properly operating, seems like a headache, plus there is the risk that our brain might not recognize everything needed.

Test Cyber Security (3 July 05)


The Anti-Malware Testing Standards Organization (AMTSO, http://www.amtso.org/) has published a simple set of tests we can take to be confident our Internet security is awake and fully functional.[8]

Many vendors of personal computer security services also provide sites where people can run tests, to find out:
- Do I have up-to-date cyber security protection?
- Is it running correctly?
- Is my PC currently free of threats?

Different sites provide different kinds of tests, and different kinds of help documentation explaining the consequences of the tests. Typically if we find we have some problem, we research it, fix it, then go back and do a retest.

One of my personal favorites is Shields Up,[9] from Gibson Research.[10] When you are at that site, check out some of his other services. You can test the security certificates of websites, to see if there is a man in the middle attack against you.

Although Steve Gibson has had some research insights, he is mainly a technical commentator, explaining things with great skill.[11] As with any writer, as technology evolves, we cannot possibly comprehend all the threats.

[6] https://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/
[7] I have security protection in both software and hardware.

Recovery Insurance (3 July 05)


Before applying any update or patch, I first make a Sys Config backup, because occasionally a patch is flawed, and I then want to undo it. Here's how to make such a backup:[12]
- START
- All programs
- Accessories
- System Tools
- System Restore

I have made a short cut of the last bullet onto my desk top and in my PC Security folder, for convenient access to all PC security options. When I create a restore point, I give it a name like before / after whatever named application, and if known, the version #.

To be able to do what I just said, I cannot have automatic patching turned on, or only have it turned on for vendors I trust. Every vendor has messed me up one time or another, some frequently, some rarely.

Warning: even when we have settings a particular way, there's no guarantee the vendor coding or policies obey those settings. So when they don't seem to work right, it might not be your mistake. It might be the vendor is untrustworthy.

[8] http://blogs.avg.com/consumer/internet-security-solution-working-correctly/
[9] https://www.grc.com/x/ne.dll?bh0bkyd2
[10] https://www.grc.com/intro.htm
[11] https://krebsonsecurity.com/2013/06/web-badness-knows-no-bounds/
[12] I am on Windows XP. The process may be a bit different for people on other PC OS.

Do we need a patch or update? (3 July 05)


There's a question whether or not we have the latest security patches, and whether it is wise to have the latest patches, since they can bring in new problems. As we accumulate more and more applications, it can be a royal pain to be checking all of them, to see if some update is needed.

I use several tools to let me know whether any of my applications is in need of some patch, but I recognize that false positives can be a constant hassle. A False Positive is when the application says we need to apply some patch, when that is not in fact true.

I use several tools to help review this topic. Some check the applications on the PC, irrespective of Internet usage, such as:
- Belarc Advisor;[13]
- File Hippo's Update Checker;[14]
- Secunia Personal Software Inspector (PSI);[15]

Others check our Browser and its add-ons, such as:
- Qualys Browser Check.[16]

You need to research similar products out there, to figure out which are the best fit to your needs.

I also use RSS to subscribe to web sites, so that I know when there have been postings of interest to me. They are organized into various categories, one of them being SECURITY-CYBER (as opposed to SECURITY-REAL).

Some sites let us know when there are patches arriving from major vendors, with links to help us get them, and any gotchas associated with those patches. One such site is:
- Krebs on Security.[17]

Krebs's 3 Basic Rules for online safety[18] drastically reduce the chances of handing control over your computer to the bad guys. In short,
- If you didn't go looking for it, don't install it;
- If you installed, update it.
- If you no longer need it, get rid of it!

Applying Patches & Updates (2013 July 04)


Some patches ask us to deactivate some security features, before applying them. I do not do this, because some vendors, during their process of applying the update, take us to their Internet site, to register the update. Going on the Internet without all the proper security settings can be suicide. If I need some patch, and it is impossible to install, without deactivating some security, I pull the plug on my Internet connection, before doing the deactivation, and I reactivate before plugging back in.

[13] http://www.belarc.com/ctadvisor.html
[14] http://www.filehippo.com/updatechecker/
[15] https://secunia.com/vulnerability_scanning/personal/
[16] https://browsercheck.qualys.com/
[17] https://krebsonsecurity.com/
[18] https://krebsonsecurity.com/tools-for-a-safer-pc/

A risk with many sites is that they add new features which have security and privacy implications. Ask yourself if you want this or that place to have your address or phone #, which they later may give out to advertisers. You NEVER want to give out enough info that some crook can later use to do identity theft against you.

Another risk is sites we frequently visit sometimes doing a mass update of their privacy settings, because they think they know better than us what is in our best interests. Sometimes we have gone to a great deal of trouble to figure out the best settings, which are contrary to the mass update, which we were not told about, and we suspect the real reason for the update was to make it easier for advertisers to get to us.

After I have tweaked some security so it is the way I want it, I sometimes copy-paste the screens into a folder named after the place with the settings, so I can compare screens later, to see if anything got changed other than how I wanted them.

Many applications want us to agree to their Terms of Service before we upload their software. I copy-paste them into docs in a folder on my PC, named after the outfit and their application. In the business world, we don't have to agree to their TOS. We can have a separate contract between the company using the software and the application provider, which supersedes the TOS associated with individual downloads.

For a lot of this stuff, I am not an expert. I have accumulated some pals, to whom I can go for guidance when I get in over my head.

Malfunction Repairs (2013 July 15)


If something is not working properly, maybe it is a trick to get you to lower your security, so that malware can infect you. Here are tips on how to deal with some video not playing properly on your PC.[19]

On-Line Safety (2013 July 04)


I do not believe it is possible to be 100% safe on-line, but it is possible to improve our safety. Here are some sites with tips about that.[20]

From time to time, we ought to audit what info is available to the general public about ourselves. Here is how to do that.[21]

Some of this advice says to use a nick name, or other than your real name. That sort of behavior is becoming illegal in the USA and other places. There are some people who have permission to use false names, such as those with a provable fear of violence from a past domestic abuse relationship. Try to stay current on the laws, before using a false name for yourself.

Just because someone asks for info about ourselves, we don't have to give it out, unless it is the government, and even then some government agents are ignorant. We all should know what they are allowed to ask for, like our name, and what we should not supply, like our social security #, unless it is the taxing authorities.

An identity thief can rob us blind, and get us into prison, if all they have is our name, date of birth, and a few other facts. We might think we have given that info to a place which is not crooked, but it could be incompetent at protecting that info from a cyber crime breach.

Any info posted about us, in public, will make its way into the search engines within about a week, so maybe jot down when we joined some site, new to us, or updated our profile privacy settings, then plan a week or so later to conduct this audit. We will need to use a computer other than our own, that of a friend or family, and we will need to know how to clear its cache etc. when we are done.

If you are a Google user, you might want to review this advice about Google privacy settings.[22]

[19] http://diyrickytlc1985.blogspot.com/2013/07/how-to-fix-any-video-playback-issue-on.html
[20] http://www.getsafeonline.org/
http://www.saferinternetday.org/web/guest/sid-2013
http://www.saferinternet.org.uk/
http://www.thinkuknow.co.uk/
[21] http://blogs.avg.com/consumer/audit-public-information/
http://www.bbc.co.uk/webwise/0/21259413

Parents (2013 July 05)


Many of these tips include things you want your children to know. They may start off as users of consumer electronics with a degree of innocence about risks, and denial about what is improper behavior.[23] They need to be warned, and I don't know how best to do it.

It does not take much info, posted about ourselves, for a crook to use that info for identity theft, or worse. Children who send explicit pictures of themselves to their special boy friend or girl friend can find themselves on a sex offender registry for life. Adolescents who let friends take pictures of them, when they are being foolish or drunk, can find that those pictures, on the Internet, mean that they can never get into College, or get a good job.

As they get older, all my tips are relevant, but for the younger ones, you need to be selective. You might start with the links I have in the chapter on On-Line Safety.

Also check my School Scandals document,[24] about real life risks, such as rapists and pedophiles preying on the routes children use to commute between home and school, and what preventative measures are wise to maximize safety for your kids, and maximize odds of saving them if anything does go wrong.

[22] http://blogs.avg.com/privacy-and-policy/privacy-fix-check-google-settings/
[23] https://www.schneier.com/blog/archives/2013/07/security_analys_4.html
[24] I upload periodic revisions of that document to the same places where I am sharing this one.

e-mail Security (2013 July 05)


If your e-mail provider offers enhanced security, seriously consider getting it.[25] However, watch out for what info you need to provide them to get it. For example, Facebook wants our phone # for authentication purposes, then in a later enhancement reveals to the world an unlisted phone directory, because Facebook management thinks they know better than us what is wise to never keep confidential.

Browser Security (2014 Jan 28)


There are add-ons for different browsers, to enhance their security. I am familiar only with some associated with browsers I have been using. Below are some I suggest you consider. I am using such protections after friends brought them to my attention, and I checked them out. I recognize that some people have a love-hate relationship with some brand names, and will make different choices than me.

Note that Java and JavaScript are two very different things. Java is a widely-installed and quite powerful software package that requires frequent and attentive security patching. It plugs straight into the browser and is a favorite target for malware and miscreants alike.[26]

Regardless of your Browser, I suggest you periodically review both settings, and how you can save a reference copy of your settings, in case of some future chaos.

Privacy Settings (2014 Jan 28)


There are Internet resources we may use heavily, such as Adobe, Facebook, Google, Linked In, Twitter, Yahoo, YouTube, etc. Each has different systems of privacy settings, periodically updated, with poor communication to the users of new risks and gotchas. Some services assume users did not intend to use some offered settings, and change them for us, without notifying us. Different brand names may offer similar fixes.

AVG Privacy Fix (2014 Jan 28)


AVG PrivacyFix is a free tool that helps put you in complete control of your online data. From a single dashboard, you can control privacy settings across sites like Facebook, LinkedIn, YouTube and Google.[27] It is an add-on for your browser (PC or Mac), or mobile device.[28]

[25] https://krebsonsecurity.com/tools-for-a-safer-pc/
[26] https://krebsonsecurity.com/tools-for-a-safer-pc/
[27] http://blogs.avg.com/news-threats/740-million-reasons-care-data-privacy-day/
http://www.avg.com/us-en/support
[28] http://www.privacyfix.com/start/install

Here is the FAQ about it.[29] Unfortunately this web page has white print on a black background, which is hostile to the eyes of older persons, such as myself.

One of its optional features is to provide a security heads up about sites you visit.[30] If you enable the privacy alerts, PrivacyFix submits your current URL and technical information about trackers attempting to collect data on the page. Your URLs are not retained, nor is your IP address or any personal data.

Then there is color coding: GREEN for the site having a high level of privacy protection, ORANGE for known issues, and RED # in a circle for new privacy issues. I believe this is shown via an icon at the far right of my tool bar.

AVG Privacy Fix for me (2014 Jan 28)


After the usual, just in case System Restore check point backup, I installed this add-on to my Firefox browser, and enabled this privacy alert option. When I first did so, it told me stuff, which may be different for other people, who are using a different mixture of social media than me.
- Facebook: I need to log in there, for it to check my settings. I did not at this time. It has been many months since I logged into Facebook.
- Linked In Profile: it offered to let me fix 3 things:
  o Profile visits visible
  o Check your Profile
  o Profile changes visible
  o I opted to leave everything as is for now, and return to the middle one later, which controls what part of my Linked In Profile is visible via search engines to people who are not yet my connections. I am overdue to redesign my LI profile anyway.[31]
- Linked In Permissions
  o Remove old apps: There are several where I am waiting on upgrades so I can use them again, but it is worth reviewing if there are any I don't need any more.
  o Connections Visible: I opted to leave this as is, but it is nice that this option is here.
- Google
  o Protect Search History: I have to log in to change this.
  o Protect Video History: maybe I should, since I view a wide range of controversial topics, some where I disagree with the political message, and I do not want observers to think otherwise of me. On the other hand, this is a way for me to find again some video I vaguely remember.
  o In Google Ads, I can opt out of Google using my +1 etc. to mention me in their ads.
- Tracking
  o More than 1,200 companies make a practice of tracking me on-line. Wow, I have another app which kills cookies. Maybe it is time to review the settings there. Privacy Fix has a button to remove all cookies right now.
  o Ad tracking is on
  o Social widgets is on
  o A problem is that I have some free services, in which part of the cost of those services is to let the outfits track me. I do not want blanket on-off, but rather selective permissions.
- Web sites
  o Web site data checked
  o PrivacyFix Alerts are on, but I can disable them

[29] http://www.privacyfix.com/start/faq
[30] https://privacyfix.com/start#welcome
[31] Linked In now has sections for volunteer and hobby interests. I created my profile before this was added, and used dummy company names for me working at such interests. I need to restructure them to the proper places now allowed by Linked In.

Google Chrome (2013 July 05)


Chrome has both built in features and add-ons which make surfing the Web a safer experience. If you are a Chrome user, note there is a very handy add-on for Chrome called NotScripts that works very much like Firefox's NoScript.[32]

Mozilla Firefox (2013 July 05)


Firefox has many extensions and add-ons which make surfing the Web a safer experience. If you are a Firefox user, I highly recommend NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.[33] A risk is that you allow a trusted site to run scripts, and it later becomes compromised.

First Aid before Disaster (2014 Jan 22)


If there is a power outage, can you efficiently get out of your home or work place, or will everything be pitch dark? When we hear about disasters in the physical world, we think: what are the odds that might happen where I am, and what should I do in advance, to mitigate the risks of harm to me and my loved ones? We need to do the same thinking and planning for the computer world.

We are constantly hearing in the news that this or that popular retail chain has been breached, victimizing everyone who was a customer there in some time period. Details are slow to come out, but eventually we learn that millions of people had their financial identity information stolen. So some day, it is going to happen to a store where we shop. What can we do to limit the damage coming our way?

Short of people chopping up their cards and filling their pockets with cash, which makes us vulnerable to another kind of crime, consumers can take steps to minimize their exposure to future data heists. Unfortunately, very few places still accept traveler's checks.

First, do not have all your money in one bank, which is also where your debit or credit card is located. Once crooks are able to drain one of your accounts at a bank, they may be able to drain them all. Depending on how your accounts are set up, the crooks can even drive the balance into the negative, then the bank comes after you to zero out the account.

When someone's bank accounts get drained, it may be tough to pay the bills next month. The inconvenience is potentially massive. Depending on the card issuer's policy, any money that comes out of an account may not be refunded right away. Federal law allows the bank to investigate, before refunding any disputed charges. While you are waiting on the bank, the rent may be due.

Shoppers should consider the additional risk that comes with using a debit card vs. a credit card. People have better protection in credit card fraud than debit card fraud. If you promptly notify the bank which issued the card, the credit card losses can be limited to about $50.00. But if the debit card account is breached, you could lose everything in that account, and more.

There are ways to check your bank balances, to catch unexpected deductions, then report them promptly to the bank. Be careful when doing this on-line, since your access to your bank account can be breached if you are using a poorly secured connection, such as a mobile phone, or an Internet connection which is not direct between you and the bank, but has some ISP in the middle.

[32] https://krebsonsecurity.com/tools-for-a-safer-pc/
[33] https://krebsonsecurity.com/tools-for-a-safer-pc/

ATM Risks (4 Jan 22)


We can also visit an ATM and do a balance inquiry. However, on April 8, 2014, Microsoft cuts off security upgrades to Windows XP, except for people who pay for extended support. There are 420,000 ATMs in the U.S., 95% of them using Windows XP. The industry expects that by the Microsoft deadline, that will have dropped to 80%.34 Windows 7 requires hardware with more computing power, which most ATMs do not have.

Some ATM operators are upgrading to the chip-based hardware at the same time they ditch Windows XP. Those are the chips which a crook, with a cell phone app or other technology, can read when standing near you, and your card in wallet is not protected from RFID scanning. Perhaps ATM customers should get in the habit of getting their ATM needs served some other way, until the news is better, and when we get cards with embedded chips (how can you tell?), we also get tin foil to wrap around them, in our wallets, or get metal envelopes to keep our plastic cards in, when not in use.

34 http://www.businessweek.com/articles/2014-01-16/atms-face-deadline-to-upgradefrom-windows-xp

Check our credit reports (4 Jan 22)


We should also check our credit reports. That way we can find out if some crook has opened an account in our name, for the purpose of financial fraud for which we can be held accountable. Federal law entitles consumers to free copies of their credit reports once every 12 months from each of the three main credit bureaus, available at www.annualcreditreport.com or by calling toll free 1-877-322-8228. You could order them from the 3 outfits, one each at 4 month intervals.

Privacy (2014 Jan 28)


Here is info about Privacy Day.35 Someone recently asked me how an ordinary normal person can protect their privacy. Here is my reply.

For total privacy, live in a cave or bunker with no street address, no bank accounts, no telephone, no Internet, no public utilities. The reason for this is that courts have ruled that info about customers in the possession of the Post Office, banks, phone company, Internet service providers, e-mail systems, etc. can be seized by government agents without notifying the persons whom the data is about, because as soon as your property, whether digital or physical, is out of your hands, and into someone else's hands, then it is THEIR property, not yours, so the 4th amendment does not apply.

In other words, if you think you are doing nothing wrong, and if you think you can trust the government, then the main challenges are which institutions you trust to store records on you doing business with them, such that they are not at high risk of being breached or abused, with your info going into the hands of various crooks. This is really several related issues:

Who can you trust, with your valuables? For starters, most every industry has regulators, and voluntary associations, which in common have rating systems, to evaluate quality of service, risk of the place going bankrupt, how often they get in trouble with the government, and how disputes have got resolved. Check that out, compare ratings for institutions in your community, which are convenient for you to get to. Is the geography such that we can expect floods, other bad weather, earthquakes, etc.? If so, do you have valuable property in a facility which is likely to be inundated in the next local weather disaster? If there is only one bridge for miles, and it goes out, are your valuables on the other side?

Who can you trust, to do a competent job with cyber security? We do not have, in our civilization, places we can go to tell us which places have passed cyber security inspections with flying colors. Various industries keep it a secret what places have flunked security tests, or which places have never been tested. So we need to figure out how to diversify our valuables, to avoid becoming overly dependent on one institution, which could fail us.

35 http://blogs.avg.com/news-threats/740-million-reasons-care-data-privacy-day/ http://www.staysafeonline.org/data-privacy-day/

Come up with a system for managing your passwords, which won't be lost if you have a computer crash, physical burglary, or untrustworthy associate. The system should be such that if a few of your passwords get breached, it won't be obvious to whoever did so, what all your other passwords are. For example, if you have a password system consisting of 1st letter of outfit, then some digits, then some letters, where same digits, same letters for all, someone only needs to breach you at two places, to know all your passwords.

For reasonable privacy, use different passwords, user account codes, for different sites where you do business, or engage in social media. Thus, if your activity associated with a particular e-mail address is breached, only your activity with that e-mail account is breached, not all activity with all e-mail addresses you may use. You may use the same password for a bunch of sites, where you consider your participation to be public, free for anyone to access, so as not to have to remember hundreds of passwords.

We also need to stay current on the law. Many on-line sites ask for more info than they need, because they want to make money either by marketing to us, or selling info about us, so many people lie when answering questions.36 It is becoming illegal to tell falsehoods about ourselves.

If you have a cell phone with valuable stuff on it, learn how to do occasional backups, so that if the police seize it, and erase all contents, you can go back to your last backup. If the police stop you, be polite and cooperative. You have to tell them your name. If you are out driving on public highways, the 4th amendment does not apply to the interior of your car. The 5th amendment protection against self-incrimination only applies if you claim it.
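The password advice earlier in this section warns that one pattern reused across sites gives everything away once two passwords leak. The Python sketch below is an added example, not part of the original notes: it audits your own password list for components shared between sites and contrasts the patterned scheme with independently generated passwords. The site names, the pattern's digits and letters, and all function names are constructed for illustration.

```python
from __future__ import annotations

import secrets
import string
from itertools import combinations


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters present in both strings (row-by-row DP)."""
    best_len = best_end = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def audit_shared_parts(passwords: dict[str, str],
                       min_shared: int = 4) -> list[tuple[str, str, str]]:
    """Return (site_a, site_b, shared_part) for each pair of passwords
    that have at least `min_shared` consecutive characters in common."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(passwords.items()), 2):
        shared = longest_common_substring(pw_a, pw_b)
        if len(shared) >= min_shared:
            findings.append((site_a, site_b, shared))
    return findings


def chars_still_secret(password: str, shared: str) -> int:
    """Characters of `password` not covered by the part it shares with another."""
    return len(password) - len(shared) if shared in password else len(password)


def pattern_password(site: str, digits: str = "4821", letters: str = "qzTm") -> str:
    """The weak scheme from the text: first letter of the outfit,
    then the same digits and the same letters for every site (values constructed)."""
    return site[0].upper() + digits + letters


def random_password(length: int = 16) -> str:
    """Independent password per site, drawn from the OS random source."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


SITES = ["bank", "email", "forum"]  # constructed sample sites

if __name__ == "__main__":
    patterned = {s: pattern_password(s) for s in SITES}
    independent = {s: random_password() for s in SITES}
    for label, vault in (("patterned", patterned), ("independent", independent)):
        findings = audit_shared_parts(vault)
        print(label, "->", len(findings), "pair(s) share a component")
        for site_a, site_b, shared in findings:
            left = chars_still_secret(vault[site_a], shared)
            print(f"  {site_a}/{site_b}: {len(shared)} shared characters, "
                  f"{left} character(s) differ")
```

With the patterned scheme every pair of sites is flagged and only one character per password differs, which is why the independent passwords need a written or stored record that survives a crash or burglary, as the text recommends.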

Scams by Mail or Phone (2013 Dec 10)


Scams can get to us by any means which people can contact us:

- In person
- Note left on our auto
- Telephone land line or cell phone
- Snail mail
- Other deliveries at our residence or work place
- E-mail
- Chat or Texting
- Internet site

36 http://customercommons.org/2013/05/08/lying-and-hiding-in-the-name-of-privacy/


With each method, there are similar scams, and also some unique risks. Here is a US postal site with general tips for detecting and defending against scams by mail or telephone.37

Insurance (2013 Dec 10)


When you go on a vacation, or business trip, do you announce it in advance to all your friends? You might return to find your home has been burglarized by someone who saw your announcement that you would be out of town. I suggest you limit who you tell in advance of any trip, and save the big news for most of the Internet until your return.

Do you use Linked In, to help stay in contact with peers, associated with your professional career? Is your contact e-mail address there with your work place? I suggest you have an alternate contact which is NOT that of your job, because if you suddenly lose your job, you might also have a hassle connecting with Linked In, when your work e-mail does not exist any more.

My PC tower sits on one of those wooden slabs on wheels, that the furniture movers use. This makes it easy to roll out from under the computer hutch when access is needed for some hardware work, lifts it off the carpet, so the carpet hairs don't clog up the air cooling, and on the rare occasions when there is some kind of water leak getting close, the tower is actually above the moisture. My Uninterruptible Power Supply (UPS) is on another of these things. Incidentally, the price of UPS protection has come way down. I strongly recommend all PC users get one. They are like a surge protector on steroids. Some come with a cross-connection so on the desk top you can see if it is time to have the batteries replaced.

YouTube keeps a history of videos that you've viewed, whether on YouTube.com or when embedded across the web. Having that history can be convenient to re-find something you've already seen. Your history can also help YouTube and Google personalize your video recommendations. Of course, Google also uses the info to select the ads that you see. But your viewing history might include videos you don't want associated with your profile. Your view history might also be inadvertently available to hackers or people who share your computer or devices. Here is how to clear out that history.38

Want to make it difficult for someone to access your documents, without your permission? Use this font.39

For more thoughts on protecting yourself from unwanted intrusion, see some of my other uploads, such as:

- In my Disaster Avoidance collection on Google,40 check out Protecting Your Security On-line,41 aimed at people in repressive states who would like to post stuff without drawing the attention of the secret police torturers. Maybe people, in nicer nations, can also learn something from this.
- Drone Terms: search for clothing, where I have links to clothing to make people invisible to drones and CCTV. This is a collection of definitions of drone terminology and other national security topics.
- Petraeus Gate: if the director of the CIA can't have privacy, what hope is there for the rest of us? Those notes also have other hot political news which was happening contemporaneously to that scandal.
- Snowden Leaks: explanations of what government is spying on, which I have figured out so far, from many contradictory sources.

37 https://about.usps.com/publications/pub281/welcome.htm
38 http://blogs.avg.com/privacy-and-policy/today%E2%80%99s-privacyfix-clean-youtube-watch-history/
39 http://reason.com/blog/2013/06/21/dont-want-the-nsa-to-read-your-email-use

I now need to wear glasses and a hearing aid. Also stuff falls out of our brains as we get older. A small risk exists that I might have an accident and suddenly lose them, or someone step on them, or I am away from home, and need to change the hearing aid batteries. So I have the following protections:

- At home, and in wallet, contact info with the folks who issued my glasses and hearing aid, including precise prescriptions needed for both driving and reading glasses.
- An insurance policy on the hearing aid, to avoid high cost of replacement, just in case.
- My property insurance policy has a rider on it to protect me if I become a victim of identity theft.
- There's a place at home to hold my hearing aid, when I take it out, to go to bed, bathe, etc. There's also a bag in my jacket pocket to hold it if I need to take it out when away from home. That bag has a spare set of batteries, just in case they need to be changed, when it is not convenient to return home.

Money in Bank Safety (2013 July 04)


If you have bank accounts for both personal and business, do not mix the funds at the same bank. This is because business funds do not have the same protection as personal funds. In a personal funds breach, you can irretrievably lose all of your business funds, if they have been intermingled.

On-line banking should be done with a computer or digital device used exclusively for that purpose, not also used for e-mail, Internet surfing, and other channels at risk of malware or hacking taking over your bank accounts.

If you have a deal with your bank to automatically add funds, deduct funds, based on electronic contact with customers, vendors or the government, then have the bank agreements, and your internal business practices audited, by your lawyer, your accountant, insurance company, and/or other reputable advisor(s). This is because thousands of companies have irretrievably lost $ millions in breaches, due to flawed contracts and flawed practices.

40 https://drive.google.com/folderview?id=0B9euafJH4bZMTA0YTM0YzktNTI0YS00NjVhLTg5NTItY2RiZjhiM2MzODkw&usp=sharing
41 https://drive.google.com/#folders/0B9euafJH4bZMTA0YTM0YzktNTI0YS00NjVhLTg5NTItY2RiZjhiM2MzODkw

Have you managed to accumulate a decent sum of money towards your eventual retirement? Have you noticed that money in banks and credit unions is insured up to $350,000.00? That sum is going to go back down to $100,000.00 soon. The government has changed the schedule a couple times, so if your accumulation is anywhere close to $100k, or higher, I suggest you check out the particulars, and avoid having more in the bank, than it is insured for. This insurance is only in case the bank fails. It is not protection in case of identity theft. I have a rider on my property insurance policy = Identity Theft Protection. I suggest you check with your insurance company to find out if something similar is offered, and how it works.

Do you have a bank account for savings, when you only occasionally are able to save anything? Even though it might be months, or even years between your ability to make significant additional savings, better do something to the account every few months. The reason is that a bank can arbitrarily declare an account as being inactive, which means they stop paying interest on the account, then after a few years, they can seize the money on these inactive accounts. So if you put something in a bank, planning to withdraw it 10 years later, it might no longer be there when the time comes. I found this out by accident when I notified my financial accounts of an address change. One savings account had received no interest for 2 years because the bank had declared it to be inactive.

Banks can be owned by conglomerates, with branches all over the nation, with their profits going to stock holders. Credit Unions are local, owned by people in a community, with the profits going to benefit the local community. Both have parallel insurance systems, where the Credit Union insurance fund is better protected than the one for the banks. Check it out & verify this info, then ask yourself if your local community needs more help, which you can contribute to, by placing your funds in credit unions, instead of in banks.

Corporate Security (2013 Nov 19)


In the business world, there are all the concerns of home users, and also risks of computers networked to each other, where the weakest link can bring down the entire network and all the devices. Here is a guide to disaster recovery in the cloud.42

Other Real World Security (2013 Dec 10)


Some people manage to get in trouble with the police. My rule of thumb = AVOID CONFRONTATIONS, by:

- Stay calm. Keep your hands where police can see them, such as on the car steering wheel, so there is no excuse that we were reaching for something.
- Be polite, honest, firm. Recognize that the authorities can come to a conclusion that we have told a falsehood, which is a crime, so tell them the minimum needed, then let a lawyer do the talking on our behalf, that they need. That way, if they think something is a lie, it went thru the lawyer, not directly from our mouth.
- If you are driving & police signal you to stop, pull over as soon as it is safe to do so, turn on interior light, turn off car engine, open driver window, keep your hands where police can see them. Be polite, stay calm, don't lose your cool.
- Offer to show our identification, such as driver license, because that has much greater reliability to police, than what comes out of our mouth. Do not reach for the pocket where it is, until asking the police officer if that's OK. You don't want to make any moves the police officer might interpret as reaching for a weapon.
- If you are doing photography in public, like with a cell phone camera, do not do it in a rude in-your-face manner, which can make police angry. Making police angry at you is really stupid. Also remember that a lot of places, open to the public, are really private property, such as shopping centers, office buildings. The right to do photography in public, means in public places, not necessarily in places open to the public, or us in the public spaces, photographing some private place.
- If you think anything was done inappropriately, jot down details ASAP, then consult a lawyer on what if anything should be done about it. There are people who claim to be the police, but are really bail bonds agents, or repossession agents, or some other false identification, and sometimes when looking for their targets, they come to the wrong people. See the ACLU guidance for ideas on what to include in your write-up.43
- If there is an incident, an accident, and you are not in police custody, ask witnesses for how to reach them, just in case, and supply that info to your lawyer or insurance agent.

42 http://whitepapers.theregister.co.uk/paper/view/3066/quick-guide-to-disaster-recovery-in-the-cloud.pdf

Answering Police (3 Dec 10)


My rule of thumb is to be a polite doormat, because I do not want to risk being killed by mistake. A lot of people disagree with me. They would prefer to be dead right = right by their understanding of law & order, and dead. The police role is not exclusively law enforcement, it is also maintaining order, which a lot of people, who think they understand the law, do not understand, and forget exists.

Police officer: We need to search you. Do you have any sharp objects in your pockets which might injure us?
YES, I have keys and a thingie I use to clean my fingernails.

Police officer: May we search your car?
Sir, I have stuff in it which is the property of my employer, who has not authorized me to let anyone else access it. If you mess with it, I will have no choice but to report you to my employer. I do not consent to a search, but I won't stand in your way.

Police officer: May we search your home?
Sir, I am not going to stand in your way. If you tell me what you are looking for, maybe I can help you find it. May I have a copy of your search warrant?

Here is ACLU guidance on what people should do, if stopped by police, FBI, immigration officials etc.44 I have copied them, and then slightly modified what they say.

43 http://www.aclu.org/drug-law-reform-immigrants-rights-racial-justice/know-your-rights-what-do-if-you

Our Rights (2013 Nov 19)


YOUR RIGHTS

- You have the right to remain silent. If you wish to exercise that right, say so out loud. I believe the US Supreme Court has stated:
  1. If the police ask, we must identify who we are. Having a driver license or other id on our person is a big help. We can ask the police officer "I want to show you my identification, which is in my ______ pocket. May I reach for it?"
  2. While we have the right to remain silent, and have a lawyer, we can lose that right if we do not state that we are invoking it.
- You have the right to refuse to consent to a search of yourself, your car or your home.
- If you are not under arrest, you have the right to calmly leave.
- You have the right to a lawyer if you are arrested. Ask for one immediately.
- Regardless of your immigration or citizenship status, you have constitutional rights.

Find Lawyer (3 Dec 10)


I have been fortunate in that I only needed to work with a lawyer once in 20 years,45 so the next time I need one, I probably won't have one, or know one who specializes in the kind of work relevant to whatever my situation is. So in addition to checking your local yellow pages, and guidance from family & friends, you might consider:

- The American Civil Liberties Union46 (ACLU) stands up for people's constitutional rights.
- The National Association of Criminal Defense Lawyers47 (NACDL) has been a huge legal help to US activists who get arrested for exercising what they think are their constitutional rights to peaceful assembly, seeking redress of grievances.
- NACDL's Find a Lawyer service (closest to your selected geography)48
- The National Lawyers Guild49 (NLG) has helped people who were engaged in what they thought they had a constitutional right to do, but got arrested anyway.

Many people think they have unrestricted rights to protest grievances, go to government or other sites, and manage to get themselves arrested. Here is a collection of links to legal resources to help people who get into such a situation.50

I have done volunteer research work to help humanitarian volunteers, and activist volunteers, who can go into risky situations without enough advance thought, responding to some crisis or emergency. Many of them were unprepared for encountering realities with less critical infrastructure functioning, than they took for granted, or they had adverse interactions with people who have different beliefs about rights and responsibilities.

You might ask me where else I have uploaded my tips, particularly in subject areas of interest to you. They evolve over time, because some cloud sites get shut down, and some get improved so much they cease to be usable.

44 http://www.aclu.org/drug-law-reform-immigrants-rights-racial-justice/know-your-rights-what-do-if-you
45 There was a death in the family, where inheritance was involved. I was a volunteer with a non-profit group, which planned a complex type of incorporation. Once upon a time, someone tried to frame me.
46 https://www.aclu.org/about-aclu-0 http://knowdrones.wikispot.org/ACLU
47 http://www.nacdl.org/about.aspx http://knowdrones.wikispot.org/NACDL
48 http://www.nacdl.org/impak/cms/members_online/members/findalawyer.asp

Revision History (2014 Jan 28)


When there are threats to our security or privacy, either hot in the news, or personal experiences, I review / update advice here, to make sure it is relevant, unless the whole subject is so large that it belongs in a separate write-up.51 This effort can impact multiple chapters, create some new ones. Also, when a chapter gets to be many pages, I notice that, then review the content, to see if it makes sense to split into smaller gulps.

Version 0.4 added Privacy Settings chapters to Browser Security, and a section on First Aid before Financial Disaster. I notice Scribd52 statistics show that there have been over 400 reads so far, before uploading the latest update. Version 0.4 was uploaded 2014 Jan 28, with 32 chapters, of which 7 had been updated, or added, since prior sharing, 20 pages, 58 footnote clusters.

Version 0.3 of this was uploaded,53 to Scribd54 shortly after some additional links added, in areas of privacy and security in the real (non-cyber) world, when I realized this had grown significantly since the last sharing.

49 https://www.nlg.org/ http://knowdrones.wikispot.org/National_Lawyer%27s_Guild
50 http://knowdrones.wikispot.org/Resources_for_Protesters
51 I have several separate documents on what we have learned, thanks to: Snowden leaks; various terrorist attacks, man made natural disasters, controversial actions of the government.
52 http://www.scribd.com/doc/149569351/Cyber-Security-PC-Tips-Al-Mac
53 PDF for version v 0.3 sharing was 111 k. Scribd reads up to 345. It had hit 100 reads 5 months earlier, some time in July. I also tried to delete an earlier accidental duplicate copy, which had had 38 reads.
54 http://www.scribd.com/doc/149569351/Cyber-Security-PC-Tips-Al-Mac


Version 0.3 was uploaded 2013 Dec 10, with 26 chapters, of which 22 had been updated or added, since the prior sharing, 17 pages, 48 footnotes.

After uploading version 0.2, I adjusted all chapter headings to append date of last version (2013 July 04). I plan to change that to today each day I modify the contents of a chapter. That way people who get at a later version, can more easily see which chapters have been updated since.

Version 0.2 of this was uploaded,55 to Scribd56 and Google documents,57 2013 July-04 mid-day with 31 footnotes, just over 9 pages, effectively doubling the amount of content which had been in the first public sharing. Most all chapters had had minor re-writes and additional text added. Version 0.2 was uploaded 2013 July 04, at which time it had 9 chapters, 10 pages, 31 footnotes.

Version 0.1 of this was uploaded,58 to Scribd 2013 June-23 evening with 9 footnotes, just over 4 pages, & the following Contents:

Table of Contents
Digital Safety, page 1
  Security Checks, page 2
Privacy, page 4

Version 0.1 was uploaded 2013 June-23, at which time it had 3 chapters, 4 pages, 9 footnotes.

55 The PDF for version v 0.2 sharing was 74 k. At the time of version 0.2 uploading, I adjusted the Scribd description, which took it from 4/5 to 5/5 visibility. By the time I was finished tinkering, Scribd reads were up to 73, probably 6 of them credited to me.
56 http://www.scribd.com/doc/149569351/Cyber-Security-PC-Tips-Al-Mac
57 Here is my Disaster Avoidance document collection on Google Drive Documents: https://drive.google.com/folderview?id=0B9euafJH4bZMTA0YTM0YzktNTI0YS00NjVhLTg5NTItY2RiZjhiM2MzODkw&usp=sharing
58 The PDF for the first sharing was 30 k. After version 0.1 got uploaded, but before I replaced it with version 0.2, there had been 69 reads of it on Scribd, probably 2 of them by me.
