posted by janrinok on Tuesday July 28 2015, @09:22PM
from the won't-change-the-users dept.

With the non-stop stream of zero-day exploits, website breaches, and criminal hacking enterprises, it's not always easy to know how best to stay safe online. New research from Google highlights three of the most overlooked security practices among security amateurs—installing security updates promptly, using a password manager, and employing two-factor authentication.

The practices are distilled from a comparison of security practices followed by expert and non-expert computer users. A survey found stark discrepancies in the ways the two groups reported keeping themselves secure. Non-security experts listed the top security practice as using anti-virus software, followed by using strong passwords, changing passwords frequently, visiting only known websites, and not sharing personal information. Security experts, by contrast, listed the top practice as installing software updates, followed by using unique passwords, using two-factor authentication, choosing strong passwords, and using a password manager.

"Our results show that experts and non-experts follow different practices to protect their security online," the researchers wrote in a research paper [PDF] being presented at this week's Symposium On Usable Privacy and Security. "The experts' practices are rated as good advice by experts, while those employed by non-experts received mix[ed] ratings from experts. Some non-expert practices were considered 'good' by experts (e.g., install anti-virus software, use strong passwords); others were not (e.g. delete cookies, visit only known websites.)"


  • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @07:50AM (#215320)

    I'm no security pro, but some of the things I do to secure my systems I won't recommend for computer novices, because even though I believe they are effective for me, they aren't suitable for novices.

    For example, I use Windows but I don't use realtime antivirus[1] (if necessary I check downloads with VirusTotal); what I do is run my browsers with different user accounts. So if a browser gets pwned there's a chance the attackers still need to do another privilege escalation to attack other stuff. The browser I use to access my bank is different from the browser I use for SoylentNews etc. and is run using a different user account. For some stuff I use a browser in a VM with snapshots, then roll back to the pristine snapshot. I also use NoScript, Adblock and Certificate Patrol.

    I don't use completely stupid passwords like "password", but I don't bother with highly secure passphrases for most websites, because most of those websites are more likely to get pwned before my "weak" passwords get brute forced, so why care? Why would I even care if someone could post using my account on say Anandtech or Slashdot? I do have secure passwords for webmail.

    By the way, don't bother changing your password at a website when that website gets hacked. If you've been stupid and used the same password in other places that you care about, change the passwords at those OTHER places. Only change your password at the affected site (and to something completely different) when you have confidence that they have secured stuff a bit better (haha).

    Also, if you use a desktop Linux distro with AppArmor you may find that the distro's default AppArmor configuration for browsers may not actually be that secure, and you may wish to make things more secure, like ensuring that your browser can't access your .ssh folder or mailbox/maildir. I haven't bothered to keep up to see if stuff has improved since I've mostly given up on desktop Linux. Every time Windows gets worse the idiots seem to ensure that desktop Linux is even worse. I wonder if some developers are actually being paid/encouraged to sabotage things ;).

    [1] Why realtime AV is bad if you know what you're doing: if you run your systems properly and securely, you'll find that Antivirus software is more likely to cause problems to your system than malware.

    0) Realtime AV uses CPU and RAM and slows your system down.
    1) Every now and then some AV software marks a critical Windows file as a virus, or blocks almost all email, or has some serious bug.
    2) Most realtime scanners are run with system privileges and most are buggy. You could separate the reading part from the analyzing part; the analyzing part doesn't need any special privileges. But how many do that? So if your AV software is exploitable and a "carefully crafted binary" ends up getting scanned by it, you get pwned at system level. If you don't believe me, google for: exploiting antivirus

    Thus I use virustotal - if I'm going to run AV software, I'll run it on Google's servers ;).
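The AppArmor hardening the commenter describes (keeping the browser away from SSH keys and local mail), written out as an added example that is not part of the comment or of any distro's shipped profile. It assumes the distro's Firefox profile includes a `local/usr.bin.firefox` override file, as the Ubuntu and Debian profiles conventionally do; the mail paths are assumptions and should match wherever your mail client actually stores messages.

```apparmor
# Added example: local override for the Firefox AppArmor profile.
# Assumed location: /etc/apparmor.d/local/usr.bin.firefox
#
# AppArmor evaluates explicit "deny" rules ahead of "allow" rules, so these
# entries hold even if the main profile grants broad read access under @{HOME}.

# SSH private keys, known_hosts and agent sockets: the browser never needs them.
deny @{HOME}/.ssh/ rw,
deny @{HOME}/.ssh/** rwklm,

# Local mail stores (mbox spool and Maildir) as mentioned in the comment.
deny /var/mail/* rwklm,
deny @{HOME}/Maildir/ rw,
deny @{HOME}/Maildir/** rwklm,
deny @{HOME}/Mail/** rwklm,

# Shell history and startup files: a compromised browser should not be able
# to read credentials pasted into a terminal or plant commands for next login.
deny @{HOME}/.*history rwklm,
deny @{HOME}/.bashrc w,
deny @{HOME}/.profile w,
```

After editing, reload the profile with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox` and confirm it is in enforce mode with `sudo aa-status`; a denied access then shows up in the kernel log as an `apparmor="DENIED"` audit line, which is also the signal to watch for when a browser starts probing paths it has no business touching.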