8 Steps to Online Security Health and Restoral (15 Jan 2021)

  • Note - This is the original advice that was posted on the Proboards forums some time ago. I am FULLY aware that a lot of this advice is no longer best practice and will be updating it shortly and would encourage any thoughts in the comments as well!

    1. Ensure your PC/Mac is running anti-virus software and that the virus definitions are updated. Windows includes a free anti-virus package called Windows Defender and Apple provides very limited protection based on a lower risk profile; however, you can get a free Mac AV application such as Avira. You should strongly consider installing a free app by the name of Malwarebytes that can run in conjunction with your current AV software to check for additional malware that might have escaped detection from your primary AV software.

    2. Ensure your mobile phones and tablets are secure as well. For Android devices, you can install AV software as you would with a PC, and the aforementioned Malwarebytes is available as well. For iPhones, you’re reliant on Apple’s walled garden for security; however, check the iPhone (or iPad) for any unknown profiles that you might have inadvertently downloaded and installed (Settings - General - Profiles or Profiles & Device Management); if using an iPhone provided by your company, there might be an Enterprise profile; don’t remove that.

    3. Ensure your passwords are strong and change them as necessary. A strong password is one that can’t be readily ‘cracked’ - use a site like https://password.kaspersky.com to test the type of passwords you use and how fast they can be cracked. If you have too many accounts and don’t want to keep track of all the various passwords, use a password manager. If using a PC, Lastpass is considered one of the best and in the Apple/Mac/iPhone world, 1Password is highly rated; both are cross-platform, however. In either case, you must ensure you pick a master password that can’t be readily cracked or all your passwords could be compromised. If your passwords are weak or you use the same password for all sites, change them immediately, especially the passwords for Minecraft/Mojang, Forum (Proboards), Multiplay (if you have Clanforge), Twitter, Skype, Google, Facebook and especially Tapatalk if you use it to access all your forums including TF. NEVER use the same password for different accounts.

    4. Use two-factor authentication for services that offer it such as Google, Facebook, Twitter, Amazon, etc. An app called Authy can make it easier to use and includes tutorials - see https://www.authy.com/app/mobile/

    5. At home, ensure your router/WiFi passwords are strong just the same as your online account passwords; you don’t want all your neighbors or a drive-by hacker on your network.

    6. On the road, avoid use of open public WiFi or if you must use it, consider using a VPN service that will fully secure your connection between your device and the VPN host. A service such as ExpressVPN is one of many. Do not use VPN services for nefarious activities as these services do not make you anonymous; they only secure your connection between your device and the VPN service provider. If you must use open WiFi without VPN, avoid doing any sensitive activities such as banking.

    7. When reviewing emails or using Skype and files are sent to you for download, ensure you trust who sent it and scan the files for malware as noted above; files can also be surreptitiously downloaded in the course of web surfing.

    8. If you do get breached, run the checklist again from step 1.

    NOTE: When filling out the email address on your forum profile, avoid using an address that's used for your Mojang, forum, Skype, etc. It's possible for anybody to view that email address and then potentially try to hack it.

    Additional suggestions can be reviewed in the replies (feel free to contribute)

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

    1. Yes: ideally install AV software, though it should be less necessary than in the past if you do the other steps properly. Note that a lot of "antivirus" software in 2021 unfortunately acts very much like the malware it's supposed to prevent—in other words, don't get Avast or McAfee.
    2. I can't exactly say much about these.
    3. Yes—note that password reuse has been the more dominant issue for a long time, to the point that the stereotypical "your password must have 8 to 16 characters, a number, a lowercase letter, an uppercase letter, a symbol, a Greek letter, a symbol, a Chinese character, and an emoji and can't have any word in the Scrabble dictionary like 'qi' or 'euouae'" is definitely* doing more harm than it's worth nowadays.
    4. Definitely do this; Discord has an option to disable some administrative actions on your server from people whose accounts have 2FA turned off.
    5. Also mostly outdated (at least if you live in an area with like one house every 100 metres), but it doesn't really hurt to do.
    6. Mostly outdated. While VPNs encrypt your connection to internet services so your ISP or anyone pulling a man-in-the-middle attack can't see its contents, they aren't unique in doing so. All of these other things use the same "military-grade" encryption nowadays: every website with a padlock in the browser (https), every iPhone app since 2016, every Android app since 2018, even Minecraft multiplayer (but not telnet). This means that, even if you don't use a VPN, your ISP can only see the https://volleo6144.net/ part of https://volleo6144.net/v/rb4rr. There may be good reasons to hide this: perhaps even that part gives something away to your ISP that you might not want, but then you're just moving the problem: your ISP can't see the site, but now the VPN company can, and you still just have to trust them.
    7. Definitely. Also remember that sketchy websites are sketchy.
    8. Also definitely.
    9. Use an ad blocker (uBlock Origin with Firefox was my choice when I first wrote this post; it also removes most anti-adblock scripts). One of the most common ways that malware is delivered nowadays, especially to the kinds of people that properly do the other things here, is through legitimate ad networks that don't properly screen their ads, so never turn it off.

    *yes, I know that those are also used in Japanese and for special purposes in Korea and Vietnam, but I don't care right now, as clarity trumps technical correctness here and I don't have a better name for it
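    The reply above says an ISP sees only the host part of an https URL. The reason is that the hostname is sent in cleartext in the TLS ClientHello's Server Name Indication (SNI) extension, while the path is only sent inside the encrypted stream. This is an added example, not from the thread: it builds a minimal, constructed ClientHello (not a real browser's) and extracts the SNI the way a passive network sensor would; the function names are my own.

```python
import os
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record (constructed for this example) with an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name            # name_type host_name(0), length, name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry       # server_name_list length + entry
    sni_ext = struct.pack("!HH", 0, len(sni_data)) + sni_data      # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext   # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname a passive observer can read from a ClientHello record, or None."""
    try:
        if record[0] != 0x16:
            return None                                         # not a handshake record (e.g. app data)
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                                         # not a ClientHello
        pos = 4 + 2 + 32                                        # skip handshake header, version, random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            if etype == 0 and data[2] == 0:                     # server_name ext, host_name entry
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                    # truncated or malformed: nothing readable
    return None

def wire_visible_host(url: str) -> Optional[str]:
    """Simulate a client opening URL: the observer learns only the host, from the SNI."""
    host_and_path = url.split("://", 1)[1]
    host = host_and_path.split("/", 1)[0]
    return extract_sni(build_client_hello(host))
```

The path part of the URL never appears in the handshake at all, which is why the observer sees the site but not the page.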

  • About 3 and 4:

    Passwords are shit. I know it sounds weird, but they're actually pretty weak; modern computing can do 1 trillion attempts in a second, breaking the most secure passwords in a couple of minutes. Modern 2FA is also not decent enough, as has been proven by simjacking. A FIDO2 device, preferably a NitroKey, due to the fact that it is FOSS, is actually a really good alternative to these and I would recommend buying one if you have the money. Most big services support it (but sadly, not Discord).

    Use it everywhere you can.

    EDIT: I really hope Flarum supports FIDO2 so we can use it.

  •   iVacon The minimalist nature of Flarum means that there is no built-in 2FA support whatsoever. As far as I can tell, there is no Flarum plugin that adds support for FIDO, although there is one for OAuth.

    I personally use the YubiKey 5 NFC because it has every possible feature that kind of device can have, so you don't have to manage separate things for FIDO, TOTP, PGP, etc.

  •   StevenNL2000 the closest one I could find which we've had for a while is one that doesn't use a password and instead does one time links to your email to Auth you. Though how much you trust your email provider is then the next issue.

    Wild1145
