End-user Computer Security/Preliminaries

End-user Computer Security: Inexpensive security




 * Preliminaries


 * Meta information
 * Table of Contents
 * Index
 * Foreword to first version


 * Main content




 * Security of BIOS/UEFI firmware
 * Custom BIOS/UEFI and which one to use
 * Regarding operating system
 * Which OS?
 * Qubes OS 4.0.3 side-by-side with other operating systems
 * How to ensure installed operating system is not compromised via an evil maid attack, during periods when machine is not meant to be on
 * Regarding how to obtain software
 * Secure downloading
 * Getting an uncompromised smartphone and obtaining software with it
 * Key advantage
 * Downloading to SD cards
 * Transferring downloads to installation media
 * Cost
 * Old or new phone
 * Some other advantages
 * Similar to ‘burner phones’?
 * Whether to use a Raspberry Pi Zero device instead
 * Pros vs Cons
 * Pros:
 * Cons:
 * Conclusion
 * About using a Wi-Fi enabled SD card
 * Detection of malware in software
 * Compiling from source
 * Reproducible builds
 * Using `diff` utilities
 * Full system encryption, full disk encryption (FDE)
 * Malicious sneaky replacement of FDE system with historic clone of system that has known vulnerabilities
 * Description of attack
 * Remedy
 * Bootloader for FDE
 * Factory resets
 * According to device type
 * Web client computers
 * Smartphones
 * Conventional laptops
 * Some other issues
 * Internet connection during reset process
 * Sufficiency
 * Cookies
 * Sandboxing and cloud computing




 * Password security
 * Password managers
 * Multi-step authentication and multi-factor authentication
 * Non-Latin alphabet
 * Concerning certain password attack vectors
 * Screen privacy
 * Keyboard privacy
 * Visual spying of keys pressed
 * Complete occlusion
 * Distance-dependent occlusion (privacy keyboard screen)
 * Using morse code
 * Spying of electronic keyboard signals
 * General visual spying
 * Hiding materially-written passwords
 * Overcoming vulnerabilities in visual encodings
 * Psychic spying of password
 * Protection using password management functionality
 * Protection by thinking little
 * Protection using password encryption
 * With technology
 * Without technology
 * Based on password reuse
 * Digital cryptography: security certificates, keys & tokens
 * Disabling TLS security certificates
 * Making sure certificates are genuine
 * Key servers
 * Cross authentication
 * Non-compromised communication of public keys
 * Sending to trusted recipient such that the recipient can hand it over without encountering MITM vulnerabilities, to the end-user
 * Publishing public keys in a “gazette”
 * Piggy-backing over bank transactions and systems
 * Using bank references
 * Using different monetary amounts
 * Using a weak currency
 * Google Authenticator “key and time”-based app for security
 * Tokens for keys
 * External links for further information on security certificates
 * Backing-up security keys and passwords
 * Shamir's Secret Sharing




 * Wired vs. wireless
 * Shared WiFi
 * Keep communication systems turned off




 * General security risks in digital storage
 * USB devices vs. SD cards
 * Flash memory: NOR flash vs NAND flash
 * NAND flash memory vs magnetic storage
 * Magnetic storage: tapes vs. discs
 * Rewritable media vs optical ROM discs
 * SD cards and USB memory sticks vs. larger devices
 * Drives able to eject hardware-less media vs. other media
 * More about SD cards
 * How to obtain computer media devices
 * Secure data sanitisation




 * Physical isolation and locks
 * Physical measures for securing boot-loader when using full-system encryption
 * Padlock-able laptop bag
 * Metal boxes
 * Combination lock briefcase
 * Physically removing storage component(s) from the rest of the computer system, and then securely storing those components separately
 * Physically securing keys
 * Privacy screens
 * Specifically for goods in physical transit
 * Exploiting unrepeatable patterns for tamper evidence
 * Applying glitter nail varnish to computer screws
 * Tamper-evident security-system ideas
 * Main idea
 * Speculating stronger security again with unrepeatable-pattern principle
 * Similar idea for other circumstances (such as for metal boxes)
 * Perhaps the simplest and best idea
 * Software based tamper checking using security images




 * ‘Inception’ styled attacks




 * Put computer to sleep when not at it
 * Shut down device when not in use
 * Play sound continuously on computing device




 * Stop funding the spies and hackers
 * Report cyber-crime to the police
 * Think in terms of gradual movement along a security-level continuum
 * Minimally-above-average security
 * Publishing security methods
 * User randomly selecting unit from off physical shelves
 * When random is not random
 * Ordering many units of same product
 * Using multiple channels to obtain product
 * Discerning unit least likely to have been compromised
 * Measuring physical properties for authentication
 * Weight
 * Volume
 * Magnetic weight and images
 * Electric field imaging/detection
 * Electro-magnetic spectrum
 * Visible spectrum photography
 * Infra-red scanning
 * X rays
 * Microwave testing
 * Radio frequency (RF) imaging/detection
 * Ultrasound
 * Other methods
 * Geospatial
 * Based on which region
 * Time based
 * Based on time passed
 * Example 1
 * Example 2
 * Vulnerability when used for software
 * Based on time taken to forge
 * Using most secure window of time
 * Preventing lapses in security
 * DIY security principle
 * “Destroy key when attacked”
 * Relying on high production cost of certain security tokens




 * Backing-up files
 * When to change digital passwords and keys?
 * Further information




 * National Cyber Security Centre
 * Cyber-security standards
 * Deep hardware hacking
 * Cryptocurrency security
 * Using phones and computers as motion detector alarms
 * Steganography: easy hiding of information in computer documents


 * Appendix




 * Cryptocurrency-like mining to increase trust
 * As applied to software
 * As applied to public digital keys (including those used in security certificates)
 * Lock screen with related sound-based security
 * Client-server noise-audio-based secure-password-communication system
 * Port source code to higher-level programming language as a computer-security step having its basis in secure coding
 * Security by pre-loaded private key



 

 

This book was first produced in response to a computer hacking incident encountered during 2020 by the author of the first version of this book, in the course of his being a self-employed software developer. He had already adopted some security measures, but then felt he really needed an overhaul of the security measures and systems he had in place.

This book is aimed specifically at individuals, sole traders, and small businesses, bearing in mind that they may have shoestring budgets.

It was the author’s belief that end-user security was a real issue of concern because the mindsets of security specialists often seemed to be attuned to examining and proposing solutions within rigid frameworks: for example, looking only at software security risks while completely ignoring the physical aspects of everyday nuts-and-bolts security. A certain element of being able to think ‘outside the box’, and outside one’s own specialised domain, is needed. As such, security is really a multidisciplinary field, requiring the creativity of people from all walks of life.

There is special concern for the highlighted entities (individuals, sole traders, and small businesses), because they are prone to attack due to budget constraints and a lack of other important resources.

The author of the first version of the book places his contributions into the public domain (the author’s Google Drive version hosted here [minus the Google Docs comments] will always be in the public domain). He feels that end-user security is so important that intellectual property obstacles should be removed as much as possible, so as to enable everyday users to undertake computing activities safely. This is especially of concern at the time of writing, during the 2020 COVID-19 worldwide outbreak. During this outbreak, individuals are being called upon in great numbers to work remotely, and also to socialise and conduct recreational activities using computing devices.

The increasing consumer use of cryptocurrencies is another reason why a work like this is important.

The author only asks in return that you, if possible, do the following:
 * Amend this work to fix mistakes.
 * Add comments indicating your level of agreement or disagreement with different parts that you read/review.
 * Improve it in other ways.

Please note that because using your contributions might require that you grant copyright permission for such, it is mostly preferred that you make your contributions to the Wikibooks version of this book.
