Hardening Windows

Some of this information may be confusing to basic Windows users, but scan through it anyway. It is not all heavy stuff, and some very useful tips are in plain English. A lack of knowledge makes you one of the main targets for Attackers.
I use the term Attackers instead of Hackers, because Hackers can be black, white or gray hat, which can be confusing. Attackers are ALL after your money, your identity, your friends, your family, your associates or just to do malicious damage.

Latest NEWS!
Security news this week was about KRACK, where a flaw was found in the WPA2 encryption for modems and routers. This opens up your Wi-Fi to attacks and it is a serious problem with your router/modem and not your password. Luckily it was found by researchers first, but the Attackers will soon follow. See the KRACK WPA2 section for what you can do in the interim.

Modem Router Security

Hi, why start with modems and routers? Why scare off the non-technical people? The non-technicals can jump to the other sections and get this modem work done for them by someone else.

This is the gateway to your Windows security. Attackers getting access to your modem can have access to your Windows Operating System (OS) and ALL your connected devices. So find out how to log into your modem and change some settings.

Small businesses normally use a Network person to set up, secure and maintain their Network. There may be switches and two or more servers. Networking is out of the scope of this App. We cover the home user and business person who are looking after their PC or Laptop in a basic Local Area Network (LAN) which connects to a Wide Area Network (WAN).

Harden your modem/router.

Change the modem login username and password. There are websites showing the default log-ins for most of the modems and routers in use today. So, change yours.

Check that you are using at least WPA2 security with your SSID password (your internet login). Most modems are now set up to use it by default. October 2017 news is that WPA2 has been compromised, after 13 years. Hopefully your ISP will fix that hole soon.

Switch off WPS (Wi-Fi Protected Setup). This lets you type in a short number instead of a password and is easily cracked.

Turn off remote administration from the WAN (Wide Area Network) which is the Internet.

Update your modem firmware. Google the modem name and model number to check if updates are necessary.

Switch off ping requests from the WAN.

Switch off UPnP (Universal Plug and Play). It is full of security holes.

Switch on the Firewall.

For more security.

Get an I.T. person to change the router firmware and use DD-WRT or Tomato open-source firmware. Modems supplied by ISPs like iiNet, Optus and Telstra have limited security options for you to use.

Get a pay-as-you-go portable modem with 2-3 GB data and use it only for secure connections like your Banking, MyGov and PayPal.

Check your IoT (Internet of Things) like Smart TV, CCTV Security, Clever Fridge, Baby Cams and other connected things. Check for security and updates. Your phones and tablets are very much insecure and can leave many doors open for attackers. This can be the weakest security point in your house or office. Best to get a separate Internet connection for all of these devices.

Install Xarp from www.xarp.net for detection of ARP spoofing. See the SECURITY TOOLS FOR WINDOWS section of this App for more info.

Other minor settings.

Disable broadcasting your SSID. Easily bypassed and it may even attract attackers.

MAC Filtering. Each of your devices has a specific MAC number. You can set up your modem to only allow your devices access. This means you have to keep it up to date with new devices and guests who need access to your network.

Windows Security Controls

Recommendation for starting off with a CLEAN system.

Do a complete and PROPER check for malware and other hidden nasties on your system. The days of trusting anti-virus systems to do it effectively have passed. If you are not sure, pay a professional to do it.
OR
Backup your business docs, photos, videos, music and whatever else you need to a portable hard-drive. Re-install your Windows OS. Maybe save some time and stress and get a Techo to do it all for you. Check your files for malware before you upload them back onto your computer.
THEN
Create a Clean Installation restore point. Search in Google how you can do it in Windows. When anything goes wrong you can get back to this clean install.

Use Windows Update

Set it to default to automatically keep your OS (Operating System) updated. It is a pain in the butt when you switch off or on and have to wait for the updates to finish, but it is necessary for security.

Update your software

Definitely for Java and Adobe Flash, which are popular attacker tools. Keep your software to only what you really need. If you like to play with all types of software, run it in Oracle Virtual Box, which is explained under the SECURITY TOOLS FOR WINDOWS section of this App.

Use WinPatrol WAR

Get it at winpatrol.com for protection against Ransomware, Malware, Zero-Day Threats and more. Modern protection programs use an Artificial Intelligence engine. Many anti-virus programs still depend on heuristic analysis and virus signatures, which is not sufficient for current attacks.
AND
Install a top antivirus system like Bitdefender or Kaspersky. Use the paid version, the free versions are limited in protection.

Do not use Windows with an Administrator account.

Set up a User account for your every-day use.

Use strong and different passwords.

Use a phrase of 16 or more characters for your password. Use upper and lower case, symbols, and numbers. A phrase is easier to remember than gibberish which is still being recommended by many who are sticking to older and still secure methods. Avoid dictionary words.
Here is an example of a phrase: myTeamHawthornwonthecupafter37years!. Easy to remember, even easier if you are a Hawthorn supporter. The more characters, the longer it takes to crack. Google and Paypal will let you use a password like this with spaces between the words. There is a limit on the number of characters you can use; about 24 is usually the maximum, but some will take 40. Dictionary words may be used here because of the length of the code they need to crack.
Use DIFFERENT phrases for different logins. Facebook should NOT have the same password as your bank account.
OR
Use a reliable Password Manager like LastPass or the open-source KeePass. The concern is that it is online and nothing is totally safe online. Just recently over 140 million Americans and over 40 million British have been affected, with critical identity information taken from a very secure network.

Keep your Windows User Account Control active.

UAC pops up to warn you of changes to your Windows. Leave it on.

Your Browser and your Email security

These are the EASY doorways for attackers to compromise your Windows System. This is where they usually get in. Follow our BROWSER AND EMAIL SECURITY section for very important information on how to protect Windows here.

Encryption

You can encrypt your hard-drive to protect your data against someone who may get access to your PC or Laptop. Someone can boot with a Linux boot disk or USB, which gives them access to all your files without having to crack your Windows password. The latest Windows systems have BitLocker for encryption, which you just need to turn on. You can download it on older systems.

Browser and Email Security

Your Browser and your Email are the easy doorways which attackers use to compromise your Windows System. Your security here is most important. Here they can fool even the most vigilant user.

Attackers use spoofing and phishing to disguise their nefarious actions, making you believe you are connected to legit websites, companies or people. At the least, please take note of the DANGEROUS LINKS section.

What to do with Browsers.

You need to add a script blocking add-on or extension. Some examples are in Firefox (NoScript), Opera (NotScripts) and Chrome (ScriptSafe) to block malicious scripts. JavaScript runs in browsers like little programs to create activities where you can interact with the webpage. It can also run malicious scripts.

Avoid using auto-fill and saving passwords in your browser.

Do NOT use Internet Explorer. Microsoft has replaced it with Edge which comes with Windows 10. Edge got rid of all the security flaws built into Internet Explorer.

Firefox has a Control Center to manage your site privacy and security controls. Search in Google for Firefox Privacy and Security Settings to find out more.

Chrome gives you Gmail with some solid security features. One is a way to easily check for spoofed emails. It is easy to set extra security in your Google account like two-factor authentication.

Opera gives you a free VPN (Virtual Private Network) to encrypt your data travelling in cyber space. It is reliable and fast and it can block Ads and Trackers.

Make sure you see a green lock on the address bar of the browser whenever you log into a secure site; the address should start with https instead of http. This shows the site has a security certificate for proof that you are not looking at a copy of your bank or other site. This is not foolproof any more as there are some dodgy Certification Authorities. Chrome, Firefox, Opera and Edge maintain lists of Certificate Authorities they trust. Hover your mouse over the green lock; DigiCert and Comodo are two that are trusted.

What to do with Emails.

Use Gmail. It has all the features of other mail programs and you can add extra security in your free Google account settings. Set up two-factor authentication for every time you use a new device or operating system or browser. Once set up, you can mark that login as safe so that you do not need to get a phone message or call every time you access your account. It has an easy and quick check for spoofed mail, see under the DANGEROUS LINKS section.

You can also download a sheet of codes to use. You can use these codes to verify it is you when you log in while you are away from the office or home.

You can check on your account where your mail was recently logged in. Google sends you warning messages of new log-ins to verify it was you.

Use 3 or 4 Gmail accounts. One for secure logins, one for business, one for private and one for signing up for all those other accounts where they want to send you an email to verify your login.

Security for Banking, MyGov, Paypal and other critical information

Do NOT use your Windows OS for banking unless you know the system very well and have advanced security. Windows is made for billions of users so that they can use it easily without much technical knowledge. That is why attackers mainly target Windows, because that is where their customers are.
Hundreds of updated hacking tools are freely available online to break into Windows and hide there. Search in Google for Kali Linux. It is an operating system with a lot of these tools built in and is free for you to download and use. It is easy for a couple of malicious 10-year old kids to use, with no idea what responsibility is and how much grief they can cause to your business.
Udemy and other online training organisations have many cheap courses teaching you to be an Ethical Hacker.
So...do NOT use Windows for all critical logins.

Avoid mobile devices for banking

Your phone and tablet are connected to the SS7 network, which has security flaws.
Smart phones are so easy to use, but the risk is yours. Yours may already be compromised if you were using Open Wi-Fi at airports, shopping venues and other places offering free Wi-Fi.
Search in Google for Phone Security at the least and use that information to harden your mobile device. I do not recommend phones and tablets for critical logins. Attackers recently exploited a long-known flaw in the global SS7 cellular network by redirecting two-factor authentication codes to themselves, pretending they are the bank customers. Many bank accounts were drained in Germany during January 2017.

Use a Live System.

Download a free open-source Linux OS like Puppy Linux. Install it on a USB stick with a program like Rufus. Set your PC to boot off the USB. Get some Techo to do it for you and explain to you how to use it, if you are unsure about it. See the WINDOWS SECURITY TOOLS section for information on using a super secure OS.

Use Two Factor Authentication (2FA)

ALWAYS use 2FA. You log in, they send you a phone message with a code to type into your login page. In Gmail you can download a set of codes to use whenever you log in from a new device. It is not 100% secure, it depends on your phone being secure, but it is still better to have this extra authentication.

Dangerous Links

Firstly, your Bank, PayPal, MyGov, etc should NEVER ask you to click on a link in an email or phone message for you to go direct to a log-in page.

Your Council and your utility companies should not do it either, although an Energy company sent out bit.ly links to go to their site for payment. Attackers use bit.ly and other URL Shorteners to lure you to go where they can attack you.

SOCIAL ENGINEERING

The main tool of attackers because it is the easiest to implement. It is a way for attackers to fool you into clicking on something which will give them access to your system. Say you love cats, they will spoof an email so it looks like it came from your mother or your best friend with a nice cat video or picture or maybe a link to their website full of funny cat videos. I mention cats, because cute things are popular lures attackers use. They are in a business to get new customers every day and they know what most people like. So it adds to your security to be more private on Social Media about what you love or your favourite music and actors.

Hover your mouse over a link in your browser and a little pop-up appears on most browsers so you can check if it is really going to where it shows on the link. The link may show something.paypal.com, but the pop-up could show something.paypel.com

Email spoofing is big business for cyber-crims. Businesses pay invoices that look like they came from one of their regular suppliers. They may only discover their mistake when the real supplier confirms it did not come from them.
People are fooled into clicking on a link that takes them to an exact copy of their Bank website and then they log in with their username and password, giving the attackers that access.

It is very easy to change the Sender Name on an email. Have a closer look at the sender’s name and address. Gmail has a dropdown button under the sender’s mail; look at the mailed-by and signed-by info. It should show the name of some security company which has secured it by SPF and signed by DKIM. Do a Google search for SPF and DKIM if you are curious about it.

A quick and easy check on spoofed emails is to reply to the sender. The reply does not go back to the attacker, but it will go to the owner of the mail account they spoofed.
Write something like 'please confirm this mail came from you'. This will land in the real owner's mail.
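The mailed-by and signed-by information comes from headers you can read yourself with "Show original" in Gmail. The following is an added example, not part of the original page: it reads the SPF and DKIM verdicts from a message's Authentication-Results header, checks that the DKIM signer matches the From address, and shows where a reply would actually be delivered if a Reply-To header is present. Both sample messages and all function names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Domain of the address in a From/Reply-To header ('' when absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(a, b):
    """True when two domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def review_message(raw):
    """Return warnings for one raw message, using the receiving server's verdicts.

    Only an Authentication-Results header added by your own mail provider can be
    trusted; this example assumes the sample headers came from it.
    """
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    signer = re.search(r"\bheader\.[di]=(?:[^\s;@]*@)?([\w.-]+)", auth)
    warnings = []
    if not spf or spf.group(1).lower() != "pass":
        warnings.append("SPF did not pass")
    if not dkim or dkim.group(1).lower() != "pass":
        warnings.append("DKIM did not pass")
    elif not signer or not aligned(signer.group(1).lower(), from_dom):
        warnings.append("DKIM signature is not from the From domain " + from_dom)
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and not aligned(reply_dom, from_dom):
        warnings.append("replies go to %s, not %s" % (reply_dom, from_dom))
    return warnings

# Constructed sample: a message that really came from the supplier.
GENUINE = """\
Authentication-Results: mx.mailhost.example;
 dkim=pass header.i=@supplier.example;
 spf=pass smtp.mailfrom=billing@supplier.example
From: Accounts <billing@supplier.example>
Subject: Invoice 1001

Please find the invoice attached.
"""

# Constructed sample: same display name and From address, sent by someone else.
SPOOFED = """\
Authentication-Results: mx.mailhost.example;
 dkim=pass header.i=@bulk-mailer.invalid;
 spf=softfail smtp.mailfrom=bounce@bulk-mailer.invalid
From: Accounts <billing@supplier.example>
Reply-To: Accounts <billing@supplier-payments.invalid>
Subject: Our bank details have changed

Please pay to the new account.
"""
```

review_message(GENUINE) returns no warnings, while review_message(SPOOFED) returns three: the SPF failure, the DKIM signer mismatch and the redirected reply address.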

Maltego is a freely available tool that lets attackers or anyone do reconnaissance on anyone by scraping up data from all publicly available areas of the Internet. So all the stuff about you on various Social Media sites is available for malicious purposes:
your friends, your family, your love of cats, your personality, your birthdate, where you live. Please be careful about what you post about your kids online.

Your teens and smaller kids who use your Windows system are most likely your biggest security hole. Anti-virus programs like Bitdefender give you some control of what they can do online, but only if you know how; they are smarter online than you may realise. Some routers also have parent controls.
They have no fear about security and will go everywhere online and will communicate with anyone.

Privacy is long lost online with break-ins to major databases holding very private information. The large credit firm Equifax database got hacked in 2016 and it exposed personal data of 143 million Americans including their social security numbers.

Security Tools for Windows

Here are some free tools to use with Windows. Some are easy to install, some need a bit of a tech-head. They all have online instructions and with some you can download the manual.

List of free Security Tools from Microsoft

Go to www.thewindowsclub.com/free-security-tools-microsoft. Many great tools are available for you here. Some are listed below to whet your appetite:
* Windows Defender Offline (new tool).
* Enhanced Mitigation Experience Toolkit or EMET
* Microsoft Safety Scanner
* Malicious Software Removal Tool (new tool).

Xarp at www.xarp.net

ARP (Address Resolution Protocol) attacks go undetected by firewalls and your Windows operating system security. With a man-in-the-middle attack the attackers tell your device they are your ISP (Internet Service Provider) and they tell your ISP that they are you. Now they can see and control whatever you send and get back from the Internet.
Highly recommended tool.
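The attack described above leaves a visible trace in your PC's own ARP table: the router's IP address suddenly maps to another device's MAC address. The following is an added example, not part of the original page and not a description of how XArp works internally. It parses the output of the Windows command arp -a and checks the router's entry; the sample tables, addresses and function names are constructed.

```python
import re
import subprocess
import sys
from collections import defaultdict

# One row of Windows `arp -a` output: IP address, MAC address, entry type.
ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.I | re.M)

def parse_arp(text):
    """Map IP -> MAC for the dynamic (learned over the network) rows."""
    return {ip: mac.lower() for ip, mac, kind in ROW.findall(text)
            if kind.lower() == "dynamic"}

def find_spoofing(table, gateway_ip, known_gateway_mac=None):
    """Return warnings about the router's entry in a parsed ARP table."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return ["no ARP entry for gateway " + gateway_ip]
    warnings = []
    # Compare against a MAC noted down earlier (e.g. from the router's label).
    expected = (known_gateway_mac or gw_mac).lower().replace(":", "-")
    if gw_mac != expected:
        warnings.append("gateway MAC is %s, expected %s" % (gw_mac, expected))
    # Two IP addresses answering with the router's MAC is the classic sign.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    twins = sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)
    if twins:
        warnings.append("gateway MAC %s is also used by %s" % (gw_mac, ", ".join(twins)))
    return warnings

# Constructed samples (MACs use the locally administered 02- prefix).
CLEAN = """
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     dynamic
  192.168.1.23          02-00-00-00-00-17     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
POISONED = CLEAN.replace("02-00-00-00-00-01", "02-00-00-00-00-17")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: arp_check.py ROUTER_IP [ROUTER_MAC]")
    live = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    print("\n".join(find_spoofing(parse_arp(live), *sys.argv[1:3]) or ["nothing suspicious"]))
```

On the POISONED sample with the router's real MAC supplied, the check reports both that the gateway MAC has changed and that 192.168.1.23 is using the same MAC.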

Have I Been Pwned? at haveibeenpwned.com

Check whether an account of yours has been compromised in a data breach by entering your email address or username. Great site to warn you if your email or username has been compromised and where it happened.

Virtual Box at www.virtualbox.org

This and VMWare are Hypervisors. The plain explanation is that a hypervisor is a box which connects with your PC hardware but is isolated from your Windows OS. You kickstart it in Windows, but whatever you do in it is isolated from your OS. So you can run Linux Mint in it, which is the 3rd most popular OS after Windows and Apple. You can also run another version of Windows in it if you have a spare copy.
So if that Windows gets compromised, it does not affect your main system. Think of it as a sandbox where you can do stuff you will not normally do on your main Windows Operating System.

Process Explorer at docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Here you can see a lot of information on all the processes currently running on your PC. Learn how to use it to expose hidden malware in your system.

Not free, but worth looking at

Sandboxie at www.sandboxie.com, which works like Virtual Box but is easier to set up and use.

For SERIOUS SECURITY

There is an operating system rated best in the world for security and it is free. You will need a fairly updated computer to use it and to have a bit of a techo in you. Better suited to a desktop computer. Developed for security, privacy and anonymity. Windows is very weak when it comes to anonymity.
Go look at QUBES at www.qubes-os.org
There is also SubGraph OS which is a desktop computing and communications platform that is designed to be resistant to network-borne exploit and malware attacks.
See SubGraph at subgraph.com
It would be a lot easier to run these two operating systems if you are familiar with Linux.

KRACK WPA2

The current vulnerability affects secure Wi-Fi networks using WPA2, which basically means most home owners and a lot of small businesses are exposed. Changing your password on the router will not fix it.
Hopefully your ISP will update your modem soon. Check with them if you are unsure and you may have to install the update yourself. Check with your modem supplier if you are using your own modem/router.
You can buy a portable Wi-Fi, plug it into your main Wi-Fi and switch off wireless on the main Wi-Fi.
You need to update all your devices as well including your Windows system. Microsoft was one of the first companies to post a security patch. Apple has done it. Google are posting an update on November 6 for their own devices, but Samsung and others may take some time to follow Google. Keep an eye on it. Your Android devices are most vulnerable.
Update your phones, tablets, PC's and Laptops.
Websites with https connections use an encryption technique that is not affected by this flaw.
Using a proper VPN will also protect you.
Avoid open Wi-Fi access points unless they got their systems patched.

So this is another reason why you should have auto-updates switched on across all your devices.

© Johan's OBS: online-business-services.com.au