laptopwiki:guides:general:security

Differences

This shows you the differences between two versions of the page.


laptopwiki:guides:general:security [08/03/2025 17:58] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== Security ======
 +
 +A device is just a tool, that is inherently as (un)safe as the user lets it be.
 +
 +===== Anti-virus protection =====
 +
 +There are multiple options for anti-virus protection. Whether it's some pre-installed useless bloatware from the manufacturer, a free downloaded app, a paid one or a built-in application inside your operating system, they all share the same flaw. The program assumes that what user does, user wants to happen. \\
 +Should a user download a program and install it, the anti-virus will assume the user wanted to download and install it. Outside of some preemptive screening that will check for major viruses, after the user approves the installation, the malware will install just like any other program would. And will run in the background just as any other program would. And do everything the user, even if unknowingly and unwillingly, due to a mistake or deception, approved himself. For this reason, the first line of defence, and the one that matters the most, is user's vigilance. Download only from places you trust, only programs you know where they come from and can guarantee they weren't tampered with. An example of a potential threat is a re-uploaded software. If it was made by company A, released on their website or storefront, but someone else downloaded it and put it on their site, you can never know whether they modified the software in any way or not. This is especially a problem with illegal software, as illegal software is often tampered with intentionally, and therefor you can never be sure in what ways was it tampered and what else was modified in the process of stealing it. By for example, including a cryptocurrency miner in it, which will run in your background, eat your system resources (slowing down your PC in the process and increasing electricity bill) and earning a couple cents for the author of the modification. Or adding your PC to a bot network, which will be later used for a DDOS - a distributed denial of service - basically sending so many requests to a website or server that it can't handle and crashing it, bringing the whole system or part of it offline.
 +
 +==== Recommended anti-virus programs ====
 +
 +Due to the above mentioned, there is a limit to how useful an anti-virus protection can be. Just like traction control on your vehicle will try to keep you on the road, it won't stop you if you deliberately steer into a tree. Therefor, some anti-virus protection is always good and welcome, but is an aid, not a replacement, for your system security. There are many options, both paid and free. In our experience, the built-in Windows Defender, which comes along with Windows operating system, is plenty enough. Let it run, let it do its regular checks, let it keep itself updated. At times, you can start a manual checkup, too, if you find something suspicious. However, should an anti-virus (any program, not just Windows Defender) report 0 findings, it is not a guarantee that the file is safe to open. It just means it didn't find any common threat it already knows of. Keeping the anti-virus updated ensures that it knows about as many threats as it can and therefor, can look for them during a checkup.
 +
 +==== Password security ====
 +
 +The most common way a password gets stolen, is by using the same login and password on multiple places. In such case, all it needs is just one place to get compromised, and then, when the thief tries to access other places by randomly using stolen credentials. Especially problematic are forums, which are often ran by fans of a franchise or product, and are not set up properly and securely, but a data breach can happen even to large and established companies.
 +
 +=== 2FA ===
 +
 +Also known as two factor authentication, or strong customer authentication. Adds a second step to authentication process. Should your first set of credentials be stolen, the thief won't get access to your data without the second set, stored in 2FA. 2FA can have many forms, such as an email, mobile phone number, mobile phone app, external tokens, physical authentication cards etc. The vital step to using 2FA is always activating it when you get such option, as well as not using the same credentials for the 2FA as you use for the login. For example if you access Steam using set login+password, don't use the same login+password for email where you get 2FA notification, as it entirely defeats the purpose, besides being a greatly unsafe practice in the first place, even without 2FA being used.\\
 +Another great benefit of 2FA is that it can also detect a password theft. Should someone try to access your data without your knowledge using stolen credentials, you will know that by 2FA notifying you about an attempt at access, provided you set up 2FA properly as the application/website instructed you to do. Always think before approving any 2FA request. Approve only those requests that you made yourself. If you haven't requested 2FA notification by you yourself accessing the website/application that requires it, check why was it requested. A 2FA is requested when someone is trying to access your data. If you are not trying to access your data at the moment, someone else is. Don't let the thief in voluntarily. Better safe than sorry. If unsure, contact the website/application company first.
 +
 +=== Safety tips ===
 +
 +In order to increase your security:\\
 +- Don't reuse the same login + password combination on multiple places. Especially not in vital places. **Never under any circumstances reuse the same password as you use for your email or any extremely important data which may give access to your personal data and banking information or credit cards.** Keep those passwords always unique and follow the recommendations of your bank. \\
 +- If you store passwords, store them in safe places, and generally avoid storing them in applications you didn't program yourself or have complete control of. If you trust your login with some company, make sure you absolutely trust that company in the first place. If you can't be sure about the company, make sure you are ok with the possibility of a data breach, and that your login, should it get stolen, won't provide any usable information.\\
 +- Use 2FA. Always.\\
 +- Keep 2FA login/access separate. Especially don't use the same password for e.g. a website you want to access as you use for the email where you receive 2FA notifications for accessing said website.
 +
 +===== Common threats =====
 +
 +- User being deceived or making a mistake and downloading an application that was tampered with or was generally unsafe. Can lead to, for example:\\
 +--> Stolen identity\\
 +--> Stolen banking details and credit card details\\
 +--> Theft of credentials, that will be used to access your data across multiple websites, applications, etc.\\
 +--> Having a cryptocurrency miner installed, that will eat your resources, slow down your computer, increase the heat generation and your electricity bill\\
 +--> Adding your computer to a bot network, that will be used to attack other websites and servers\\
 +--> Downloading a virus that is designed to break down your system and cause you issues when you try to use your device
 +--> Etc. 
 +\\
 +- Visiting shady websites\\
 +--> For example, websites with pirated software. Pirated software was usually tampered with by the nature of the software piracy, and it's not possible to know in what ways exactly was it modified. Whether just the verification was removed to allowed illegal access to the application, or some other modifications were made \\
 +--> Porn websites. Porn is a common avenue for malware. Beware of shady porn websites. \\
 +\\
 +- Phishing \\
 +--> Usually an email or website pretending to be someone else to obtain your credentials. It can have many forms. One of the most common one is for example pretending to be your bank, and urging you to do some action that involves you using your credentials. You may get an email, that looks like it is from your bank, but the email address of the sender is a tiny bit off even if by only one letter, and the website address looks almost the same, but also has some letter or word different to what your bank uses. The website itself, the graphics and the wording may sound believable, but as always, if you are unsure about your sender, or the website you are visiting, double check it first or contact the company using other, verified channels, about whether they sent you an email. Don't give out your password to anyone who asks you for it just because they did. \\
 +\\
 +- Using the same credentials and passwords to access different websites or applications. Where data breach of one can lead to compromising all other\\
 +- Not using 2FA, which can reveal a password theft. \\
 +- Not using 2FA properly, and approving 2FA requests by mistake when you didn't request the 2FA in the first place. **If a thief tries to use your stolen credentials, and you get a 2FA notification, don't approve it.** You think this may not be needed to be mentioned, you would be surprised how common it is that unsuspecting victim approves the access of the thief.
 +