Saturday 16 May 2015

100% Security For Lazy People


Keir Thomas explains in concise and simple terms how to implement just about every common-sense security measure

One thing all computer owners desire is security, but what 99% of computer owners lack is the time and effort to put in place the often complicated procedures – procedures that also demand you understand the complexities of what’s involved.

If you’re one of the 99%, then this feature is for you. Over the next four pages we tell you what to do to achieve maximum security and how to do it. We’re not concerned with explaining anything beyond what you absolutely need to know.


We assume throughout that you’re not a complete idiot and have already taken the basic security measures most of us have learned are necessary. We’re not going to tell you to install anti-virus and adware apps, for example, or tell you to use longer rather than shorter passwords involving numbers and letters.

It’s necessary to realise privacy and security are two separate entities. We’re not interested here in stopping Google tracking which sites you visit, for example, but we are interested in – among other things – ensuring your everyday web browsing can’t be snooped on in transit and stopping malicious interests accessing your files.

Secure Boot


We start our journey before the PC has even booted. Those PCs whose motherboards have UEFI firmware rather than a traditional BIOS are fundamentally more secure than those that don’t, because UEFI offers Secure Boot. This locks the computer to the operating system and makes it impossible to install boot-time malware like rootkits.

Secure Boot has a bad rep, because it makes dual booting with Linux tricky (although not impossible), but if you only ever run Windows on your PC, then it really is a no brainer – and additional operating systems are perhaps better run as virtual machines nowadays anyway.

Alas, Secure Boot is only supported by Windows 8 and later, but if you bought an off-the-shelf computer running that version of Windows, then it’s very likely already enabled. You’ll need the 64-bit version, however, although this is pretty much de facto nowadays.

Windows 7 or XP aren’t compatible with Secure Boot so our first piece of easy-peasy advice is to make the switch to Windows 8 and ensure that any computers you buy in future are running Windows 8 (or 10, when it arrives). Believe it or not, there are other benefits to Windows 8, such as better performance and other important security advances. Windows 7 is now nearly six years old. Resistance to new versions of Windows is understandable – perhaps even a tradition – but it can turn into idiocy when security issues are involved.

To use Secure Boot, you’ll need to create a fresh Windows installation rather than simply upgrading from an older Windows release, and before doing so you’ll need to delve into your firmware screen to ensure UEFI and Secure Boot are enabled (and if your computer is older, then it might not be compatible – check the spec list for mention of UEFI). Performing a motherboard firmware update is also a very good idea.

You’ll need UEFI-compatible installation media. The Windows 8 DVD-ROM is fine, but if you like to use a USB stick to install, then for tedious technical reasons it’ll need to be formatted as FAT32, rather than NTFS, and use the GPT partitioning system. An app like Rufus (rufus.akeo.ie) will do the hard work for you. Note that a minority of computers can’t handle a partition larger than 4GB on the USB stick.

Secure Login


Once a computer’s booted, most of us usually need to type a password. What do you mean you boot straight to the desktop? Change that immediately! On Windows 7, tap Windows+R, and in the dialogue box that appears type ‘control userpasswords2’. Then put a tick in the box that reads ‘Users must enter a user name and password to use this computer’. On Windows 8, tap Windows+R and type ‘netplwiz’. Then put a tick in the same box as mentioned previously.

One of the huge issues with automatic logon – aside from the fact it gives everybody who can boot the PC access to your stuff – is that it stores your password in a relatively unprotected form in the Windows registry. If you absolutely insist on automatic logon, then £17.95 will buy you LogonExpert (goo.gl/YbEmN5), which fixes this and encrypts your password.

Another solution for login issues is to forget about login passwords entirely and use a fingerprint scanner. A variety of models are available and can cost from as little as £12 – see the Neewer USB Biometric Fingerprint Reader (goo.gl/pD46Ke), for example. They typically connect via USB and either tie in with the built-in Windows Biometric Framework or replace it with their own software.

A word of warning, however: fingerprint scanning is still an imperfect technology and prone to frustration. One of the few reliable technologies was produced by AuthenTec, which was snapped up by Apple and turned into TouchID for its iOS devices. Smartcard technology provides an alternative secure login method, wherein Windows login requires you to insert a credit card-style card into a special keyboard or reader device (many are available – just search Amazon). Windows again already contains the built-in tools needed. However, smartcards are really designed for corporate use. They usually need to work in concert with a security certificate authority server, for example, and are therefore just too complex to implement for home use.

A simpler alternative to both fingerprint scanning and smartcards is to use a YubiKey (goo.gl/8YlZop), which costs around £25. This is a USB stick containing a two-factor code that you insert when logging in to provide additional verification in addition to your password. Nobody can log into your Windows account without it. A YubiKey is almost indestructible and can be kept on your keyring when not in use, and it can help protect other things too, such as password managers. Setup is a little involved but only needs to be done once, and you’ll find instructions here: goo.gl/uj2WKb.

File System Encryption


Encrypting the entire file system is a no-brainer when it comes to 100% security. It means that even if somebody removes the hard disk from your PC, they won’t be able to access your files. If you’re using the Ultimate or Enterprise versions of Windows 7, or the Pro or Enterprise editions of Windows 8/8.1, then everything you need is built in. It’s called BitLocker, and it’s essentially invisible in everyday use.

If you don’t have the right edition of Windows, then consider upgrading – on Windows 7 open the Start menu and type ‘anytime upgrade’, then follow the prompts. With Windows 8, return to the main tiles screen and type ‘Add features to Windows 8’, then click the Settings icon in the list of results.

BitLocker works best if you have the Trusted Platform Module (TPM) as part of your motherboard chipset. There’s an easy way to find out if this is the case for your PC, and that’s to try to activate BitLocker. On Windows 7, this can be done by opening the Start menu and typing ‘bitlocker’ into the Search field and hitting Enter. On Windows 8, return to the tiles screen and type ‘bitlocker’. Then click the ‘Manage Bitlocker’ entry in the list of results that appear.

Click the Turn On BitLocker link and, if you don’t see an error message, then congratulations, you need do nothing more than follow the BitLocker setup wizard. Once the disk is encrypted and you’ve created the rescue key (that you MUST NOT lose!), you need not think about it any longer and can use Windows in the same way as you always have.

If you see a message to the effect that you don’t have a TPM, then don’t worry, you can still use BitLocker; setup is just a little more complicated.

To force BitLocker to work without a TPM, on either Windows 7 or 8/8.1, hit Windows+R and type ‘gpedit.msc’ into the Run dialogue box. On the left of the window that appears, navigate through to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. On the right of the window, double-click ‘Require additional authentication at startup’. In the new window that appears, click the Enabled radio button, and then click the Apply and OK buttons.

Repeat the step mentioned previously to install BitLocker. Once you reboot and log in again after the disk has been prepared on Windows 7, you’ll be offered the choice of saving out the key to a USB stick, which will be required to boot the computer every time. Just follow the instructions. On Windows 8, you can save out the key to a USB stick or alternatively create a passphrase that will need to be entered each time you boot, in addition to your login password.

Encrypting other disks on your computer is simply a matter of opening Computer view in Explorer, then right-clicking the drive and selecting ‘Turn on BitLocker’ from the menu that appears. To encrypt removable storage devices such as a USB stick, start the BitLocker setup routine, and this time choose the BitLocker To Go option, then follow the instructions. Bear in mind that this will mean the data on the removable storage device is only accessible via Windows 7 and later computers.
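The Secure Boot, Secure Login and File System Encryption sections above each end with something you can check by hand; the script below is an added example (not from the article) that reads the same state in one go from an elevated PowerShell 3 or later prompt on Windows 8/8.1 Pro. It only reads: the Confirm-SecureBootUEFI, Get-Tpm and Get-BitLockerVolume cmdlets are Windows 8 and later, so on Windows 7 only the two registry checks (the autologon box and the gpedit policy) will succeed.

```powershell
# Added example, not the article's own code: read-only audit of the measures
# described above. Assumes an elevated PowerShell 3+ session on Windows 8/8.1.
function Test-LazySecurity {
    $result = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on a legacy-BIOS machine.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = 'not supported (legacy BIOS or no UEFI)' }

    # Automatic logon: the netplwiz tick box maps to AutoAdminLogon, and a
    # DefaultPassword value is the plain-text password the article warns about.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $result.AutoLogonEnabled            = ($winlogon.AutoAdminLogon -eq '1')
    $result.PlaintextPasswordInRegistry = [bool]$winlogon.DefaultPassword

    # TPM presence decides whether BitLocker needs the gpedit workaround.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # 'Require additional authentication at startup' (Enabled) writes this value.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result.BitLockerWithoutTpmAllowed = ($fve.EnableBDEWithNoTPM -eq 1)

    # BitLocker state of the system drive (needs the BitLocker module, so Pro/Enterprise).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.BitLockerProtection = $vol.ProtectionStatus
        $result.BitLockerEncrypted  = "$($vol.EncryptionPercentage)%"
        $result.KeyProtectors       = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    } catch {
        $result.BitLockerProtection = 'BitLocker cmdlets unavailable on this edition'
    }

    return [pscustomobject]$result
}

Test-LazySecurity | Format-List
```

A healthy result has SecureBoot True, AutoLogonEnabled and PlaintextPasswordInRegistry both False, and BitLockerProtection On with a KeyProtectors entry of Tpm (or TpmPin / ExternalKey / Password when the no-TPM route was used).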

Securing Apps


Windows 7 and later contain a surprising amount of security features, many of which work in concert with abilities built into the CPU. However, in typical Microsoft fashion, they’re often not enabled, because of compatibility worries.

Enhanced Mitigation Experience Toolkit (EMET; goo.gl/TbamB7) is a free tool from Microsoft that allows you to automatically activate the maximum number of security features for the most popular third-party apps, such as Acrobat Reader, iTunes and Java. This is done with no input required from the user and has been tested to ensure nothing gets broken along the way.

You can also activate security features for built-in Windows apps, like Internet Explorer and Microsoft apps like Office. EMET is designed for use by IT professionals to administer many PCs across a network, but it works equally well on stand-alone PCs and isn’t hard to understand.

During app installation, select the Use Recommended Settings option. Then quit all open apps, and start the EMET GUI app, which you’ll find on the Start menu. Click the Import button at the top left. You’ll find three profiles listed. Select Popular Software. The changed settings take effect immediately, and you can quit the EMET GUI app. Nothing more needs to be done.

You can also attempt to add your own app to the list by clicking the Apps button on the toolbar, then Add Application, then put a check alongside each of the boxes. Beware that some experimentation will probably be necessary.

Secure Online


So far we’ve secured the physical PC against boot threats, secured the file system, secured the system login and secured apps. There’s only one frontier left: online.

For historical reasons, most data is transmitted on the web in plain form, which means anybody can eavesdrop at any stage of transit. The exception is secure connections such as those made to banks, webmail services and online shopping sites. These use secure HTTP, and you can tell because the address starts with https://. (Okay, so in our post-Snowden world there are doubts even HTTPS is actually secure, but it’s the best we have right now.)

Wouldn’t it make sense if every site used HTTPS? Making a website secure is a bit more complicated and expensive than running a basic site, but nonetheless there is a slow revolution happening, and several sites are making the switch.

You could try adding an S to the middle of each web address – so that http://example.com becomes https://example.com. There’s an https:// version of the Google home page, for example. However, an easier way is to install the HTTPS Everywhere browser extension (goo.gl/OZAHrs). This simply consults a database of sites that have an optional https:// entrance and switches you automatically should you try to access one. Because some sites implement only part of their data behind HTTPS, it can mean sites look a little incorrect, but this is rare, and usually the content you need is still accessible.

An additional option is to use the Tor browser (goo.gl/n65M2m), a version of the Mozilla Firefox browser that routes your data through an anonymous network of volunteer computers and servers in order to make snooping difficult to the point of impossible. However, useful though it is, Tor is not perfect, and a list of reasons for this is admitted openly by the project (goo.gl/sczxRN). For example, data is encrypted while it travels through the Tor network but not at the random ‘exit point’, where it rejoins the main internet. In other words, Tor is not a replacement for HTTPS, which should still be used, and in fact Tor includes a built-in version of HTTPS Everywhere.

Tor can be a little slower than regular browsers. Additionally, because the exit point might be overseas, you may find that sites that block via geographical IP address don’t work.

Email And Messaging


Email is a mishmash of encrypted and unencrypted communication protocols but in general should be considered as insecure as the web. Securing individual email messages so they can’t be snooped in transit has for a long time been possible via GPG or proprietary solutions such as that built into Microsoft Outlook. These encrypt the message contents, and they typically require the recipient to have the same software installed and also have the correct decoding key. Alas, although fundamentally simple once you’ve grasped the concepts, this technology is often initially baffling even for those who consider themselves computer savvy. It’s for this reason that encrypted email has never become mainstream, and we can’t advocate it here. It’s just too much trouble.

Instead, simple common sense can mitigate potential security problems. If you have to send a username and password to somebody, for example, then send them in separate messages. Additionally, use the POP3 email protocol rather than IMAP to avoid leaving messages on the server, where they’re open to snooping.

Modern messaging systems like Apple’s iMessage, Skype or WhatsApp are securely encrypted by default so are perhaps a better choice for transferring sensitive information. Incidentally, did you know that WhatsApp is accessible via a browser nowadays? Just visit https://web.whatsapp.com.

Two-Factor Everything


Arguably the biggest boost for online security in recent years comes via two-factor authentication. This sounds infinitely more complex than it is. Put simply, two-factor authentication makes you type a PIN along with your regular password to log into various online services. The PIN might be generated via an app on your smartphone or tablet, such as the excellent Authy (goo.gl/HzroxI), or it might be sent to your mobile as a text message. Some services work by phoning with a voice message, which means you can use two-factor authentication even if you only have a landline.

A growing list of online services and sites offer two-factor authentication, including Google, Microsoft, PayPal, DropBox and Apple. There are a few authoritative lists online of who does, such as twofactorauth.org.

Setting up two-factor authentication is easy. If the service works by texting you a PIN, or calling via voice call, then you’ll simply need to provide your phone number. Beware that some services assume American-style phone numbers, so after selecting the UK from the location drop-down list, you might need to drop the 0 from the front your number – that is, type 171 222 1234 rather than 0171 222 1234, for example.

For those services that use an authenticator app, you’ll need to switch to the app on your mobile or tablet, then choose to add a code and simply point the device’s camera at a barcode that the site displays when you opt for two-factor setup. It’s pretty easy. If your device doesn’t have a camera, then you can type in the authentication code manually.

Subsequently logging into the service once two-factor authentication is in place will involve opening the app and typing the code displayed when prompted (usually after you’ve entered your password) or waiting for the text message/voice call to arrive and typing it when prompted.