Nobody can secure a computer

TrueCrypt is a joke; go to their home page, it has AdSense ads all over. Stick with Linux, Ubuntu or Mac OS, fk Windows.

Okay so...that's not enough in and of itself.

Case in point - a friend of mine works on the security team for a large (US Nationwide) bank. One of the simple hacks he discovered with their systems was the ability to open a secure tunnel back to his own home cable internet service and vice versa.

That's normal functionality of course with SSH, etc. - BUT it should have been firewalled off. Their financial systems were open to this hole.

Security does not lie completely in the operating system.

Also - if you are a home user - you should be using a firewall with NAT - that cuts down your risk considerably. The last statistic I saw was the average home computer directly hooked up to the internet was online an average of 17 minutes before coming under attack - usually from script kiddies on the same ISP.
 


Great advice. How do you minimize the risk of someone running code on your comp? I run McAfee scans and don't download and install shit...can you suggest other best practices?

Essentially, how difficult defense is depends on what you're defending from. This is true in all of life, not just computer security -- are you trying to keep your house from being burglarized, or trying to keep a SWAT team out?

The first level of security is being secure from non-targeted attacks -- "drive-by" hacking, essentially. These are malicious applications, websites, probes, and networks all meant to attack anyone they come across. You can make yourself pretty safe from these things -- the overwhelming majority are using known attack methods which have known defenses.

For malicious applications: Run a decent AV package and anti-spyware package. I use AVG and Spybot, but lots of stuff will do. Never download executable files; if you do, upload them to virustotal.com before running. For maximum security, run a non-Windows OS (Linux, Mac, whatever.) It's not that non-Windows OSs are any more secure against malicious apps -- it's that people writing non-targeted attacks write them for Windows, because that's what gets them the most targets.

For malicious websites: Never run a web browser as admin. This means using either Windows 7, Windows Vista with UAC turned on, or a non-Windows OS. Use an ad blocker (I use AdBlock Plus on Firefox, but lots of stuff will work.) Keep your PC fully patched -- turn on automatic updates on Windows, check for updates daily on Linux. For maximum security, don't browse suspicious sites at all (warez, free porn sites, piracy of all kinds), and whenever you access a very sensitive site (i.e. something you log into that you really don't want someone else to access, like your AdWords account or your bank), close the browser entirely before going to any other sites.

For probes (socket-based attacks): Always be behind a firewall or NAT, and keep your PC fully patched. If you have a home router, you've got this covered. Never turn off Windows Firewall or run a Linux machine "bare" on the Internet.

For malicious networks: Never, never connect a computer with any sensitive data to a network you can't trust (e.g. public wifi, or worse, stolen wifi.) It is amazing the kind of shit you can do to somebody whose PC has joined a network that you control. SSL/HTTPS/SFTP will not save you, Linux and Mac will not save you, AV will not save you. The only safe thing to do on an untrusted network is VPN to a safe network -- anything but VPN and you're totally fucked if the network owner wants to fuck you.

And for most of us, that's all the security we need.

The second level is protecting against targeted attacks. This is where a skilled hacker doesn't want to attack just anybody -- they want to attack you, specifically. This is much, much harder to defend against. This is where stuff like TrueCrypt and extensive use of VMs comes in. The goal here is not 100% safety -- it's isolation and prevention of cascading compromise. Essentially, a skilled attacker has many, many avenues for reaching you, and he only has to find one to get into all of them. Using TrueCrypt (or similar products, I mention that one because it was already mentioned on the thread and it's a good one) and multiple VMs, you can separate everything you do -- one VM hits your sites, one hits your advertiser accounts, one does your personal browsing to reputable things and your bank and such, one does your personal browsing of... less reputable things, etc. You can snapshot VMs so that when you're done with one you can discard changes and get it back to a known-safe state. Meanwhile, the host OS never does anything risky at all. This way, when an attacker does find a way in, he gets only one small part of your files & online life, and gets shut back out quickly. When it comes to targeted attacks, the goal is not so much prevention as resilience -- you minimize harm and recovery time.

Just as it's probably not worth your time and expense to prepare your house to defend against SWAT teams, the U.S. Army, or meteor strikes, it's probably not worth your effort and inconvenience to defend yourself from targeted attacks unless you know you're a target. Anti-virus, Anti-spyware, patching, firewall or NAT, and never using untrusted networks will do it for the average user -- even the average user who makes his living online. :)
 
^^ Interesting reading.

Question for you: If you DID want to defend your house against a SWAT team, what steps would you take? :D
 
hello-good-sir-on-behalf-of-the-internets-i-must-regretfully-inform-you-to-gtfo-and-take-your-fail-with-you.jpg