
A Defensive Computing Checklist

date Sep 17, 2022
authors Michael Horowitz
reading time 3 mins
category docs

Spam

Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message.

Using Reply-To for spam

The Reply-To address can be anything, but copying the sender’s name while changing the domain makes it more likely the scam will not be noticed.
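A check for the pattern described above, as an added example that is not part of the original checklist: it flags a Reply-To that reuses the sender's display name or mailbox name under a different domain. The sample messages and the example.com / example.net / example.org domains are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail); all domains are placeholders.
SPOOFED = """\
From: "Pat Lee" <pat.lee@example.com>
Reply-To: "Pat Lee" <pat.lee@example.net>
Subject: Invoice overdue

Please reply with payment details.
"""

BENIGN = """\
From: "Pat Lee" <pat.lee@example.com>
Reply-To: "Pat Lee" <pat.lee@example.com>
Subject: Lunch

See you at noon.
"""

def _split(addr):
    """Return (local part, domain) of an address, lower-cased."""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()

def check_reply_to(raw):
    """Return (level, reply_addr, from_addr) findings for one raw message.

    "lookalike": Reply-To copies the sender's name but changes the domain.
    "mismatch":  Reply-To simply points at another domain (mailing lists and
                 help desks do this legitimately, so treat it as a weaker signal).
    """
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    replies = getaddresses(msg.get_all("Reply-To", []))
    findings = []
    for r_name, r_addr in replies:
        r_local, r_domain = _split(r_addr)
        for f_name, f_addr in senders:
            f_local, f_domain = _split(f_addr)
            if r_domain == f_domain:
                continue  # replies go back to the sender's own domain
            same_name = bool(r_name.strip()) and r_name.strip().lower() == f_name.strip().lower()
            level = "lookalike" if same_name or r_local == f_local else "mismatch"
            findings.append((level, r_addr, f_addr))
    return findings

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, check_reply_to(raw))
```

A message with no Reply-To header produces no findings; replies then go to the From address, which can itself be forged, so this check complements rather than replaces the advice above.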

Type in the website to log in

If an email message has a link to log in to a service, DO NOT click it. Go to the website of the service on your own and log in there.

Beware of urgency

The more urgent the plea for you to take action, the more likely the message is a scam. Bad guys don’t want you to have a chance to think about the issue or check with others.

How to open attachments

Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is from Google Drive (hopefully from a Chromebook or an iOS device). Upload the attachment to Google Drive and open it from Google Drive.

Export and keep a local copy of contacts

If you use webmail, you should have a local (on your computer) backup of your contacts/address book. For Gmail, go to contacts.google.com and look for “Export” in the left side vertical column. Google offers three possible formats for the backup file; it cannot hurt to make three backups, one in each format. Make a note to do this backup every few months.

NEVER re-use passwords

It is tempting to avoid both problems by re-using a password. NEVER re-use passwords.

Length » randomness

Typically, the length of a password is far more important than its randomness.

Use randomly generated answers for security questions

Some websites use secret questions as a way to identify you should you forget your password. Never answer these truthfully.

2FA

To take money from an ATM requires both a plastic card and a password. Two things. Two factors. In computing “two factors” refers to needing a password and something else to gain access to a system.

Least secure 2FA is SMS code

Perhaps the least secure type of 2FA is a temporary code sent in a text message to a cellphone. It is very popular. Less popular is the use of email for the exact same purpose.

More secure 2FA

Tutanota does not allow two-factor authentication with text messages; they only support the stronger options: Time-based One-Time Passwords (TOTP) and physical keys like Yubikey.

SIM swap identity theft

A SIM swap is identity theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, as with forgotten passwords. Other terms for this are SIM hijacking, SIM jacking, SIM porting, phone porting, port-out fraud and a port-out scam.

Public Wi-Fi

Public Wi-Fi is always dangerous, whether a password is required or not.

Paper stickers on router with information

To make this easier, I suggest writing down the necessary info (router IP address or vendor-supplied name, router userid, router password) on a piece of paper and taping it to the router face down. Maybe include Wi-Fi passwords on the paper too.

Wi-Fi password

If given a choice, WPA2 AES is more secure than WPA2 TKIP. Note that a long Wi-Fi password can prevent a brute force guessing attack; passwords should be 14 characters or longer.

Voice assistants - turn them off when not in use

All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word.

Share your location ONCE in any app on iOS

iOS 13 added a new Location permission: share your location with an app just once. The next time the app wants it, it has to ask.