advice on security setup for my elderly inlaws

[Target]

looking for some advice on how best to secure my mother in laws laptop, and I know a lot of others here are well versed so I'm hoping someone can come up with a relatively simple solution (I'll have to maintain it, and most likely over the phone - meh...). 

I already use a firewall (comodo) and AV (AVG free) but she got hit with an apparent ransomware attack sometime last week (she didn't tell us till sometime after, and we still don't know exactly what happened).  She doesn't have a network of any sort, so that's not a consideration.

I'm looking for some sort of proxy/hosts solution that will hopefully block a lot of the dodgy domains, and maybe a better AV (payware if necessary).  I know there are plenty of options available, but given that securities never been a strong point for me being able to pick a good solution is difficult

Of course I can't beat the user (hopefully this has frightened her enough to be a bit more circumspect), but if I can cover off at least some of the other vectors it's got to be an improvement

[eleman]

Make her use the guest account on windows, rather than an ordinary account or administrator. Make the machine start with guest account, and it will be a more effective security solution than any "firewall" or antivirus can ever hope to be. You can convert her account to a guest, if you don't want to mess up with the way she is used to.

And make her understand that never ever should she give her credit card number or similar sensitive information on the web.

I did these with dad, and he's happy ever since. Every now and then he wants to order a few books online, but I do that for him. It takes less time compared to handling the mess his credit card info would cause on sites of ill-repute.

[Target]

I did all that when we got the machine, but as I said, you just can't beat the user

This was reasonably serious as she's done pretty much everything she was warned against (many times), including handing over the guest & admin passwords and personal info on the basis of a popup <sigh...>

As a rule I run light on security but heavy on common sense, and now I need to go the other way

[eleman]

This was reasonably serious as she's done pretty much everything she was warned against (many times), including handing over the guest & admin passwords and personal info on the basis of a popup <sigh...>

-Target (May 09, 2016, 01:57 AM)

I know I'll sound like a wise-ass after the fact, but why does she know her password, let alone the admin password?

Make her machine login right into the guest account, without any password etc.

[dr_andus]

Or get her a Chromebook. No more viruses or ransomware, no more support requests. The thing just works.

[Stoic Joker]

Ransomware - No amount of user lockdown is going to prevent them from breaking their own stuff.

Trying to hide in/on an obscure platform ultimately makes one more vulnerable because in the new platform agnostic attack age everybody gets a turn, and the ones that think they're 'safe' tend to get hit the worst.

Either Malwarebytes, or one of the other anti-ransomware options available probably would be a good thing to add. As well as locking down the outbound firewall rules in an attempt to make Motherships and C&C channels at least a bit harder to contact.

[dr_andus]

Trying to hide in/on an obscure platform ultimately makes one more vulnerable because in the new platform agnostic attack age everybody gets a turn, and the ones that think they're 'safe' tend to get hit the worst.

-Stoic Joker (May 09, 2016, 07:00 AM)

Are you calling Chrome OS an "obscure platform"? 

It might not be the most widely used platform, but it's now used in over 50% of US schools, and part of that is (besides it being idiot-proof) the security. You can't run a .exe file on it. Enough said. How confident is Google about this security? See exhibit 1:

Google Will Pay You $100,000 to Hack a Chromebook

And it's not about just hiding in the platform. It's genuinely easier to use and less hassle to maintain, and quite possibly a faster and better browsing experience. Perfect for minimising service calls from in-laws... I'm speaking from experience. 

[Jibz]

Using Ninite (double-click the 'N' on your desktop if something needs updating), Chrome (keeps itself and flash updated) along with a good adblocker and WoT (only click links with a green thingy next to them when you google) has worked reasonably for my relatives. But there are people who insist on clicking every banner that says "Your computer is in danger!", and they are hard to help.

I would be tempted to suggest a Chromebook for some of my family members as well. You just have to be sure they will not end up needing to run some software that requires Win/Mac. We bought a Chromebook for our son to take to school, since they were using google docs for schoolwork. I think it is a very nice device, and I certainly am thrilled at the prospect of not having to update software and OS myself. (For anyone interested, it's a Dell Chromebook 11 Touch. I chose that because it's light, reasonably sized, can take a beating, and has a keyboard that can survive a spill. He's really happy he got the Touch version, probably mostly because he likes to play games.)

Another option is to make sure a backup plan is in place that allows you to roll back the computer to a working state.

[dr_andus]

Chrome (keeps itself and flash updated) along with a good adblocker

-Jibz (May 09, 2016, 09:07 AM)

Yup, that's essential. uBlock Origin is a good one, and also Magic Actions for Youtube.

Here is a list of suggestions I came up with the other day for setting up a Chromebook for first-time users who are not very computer-savvy:

• Set up their favourite daily services to open in tabs at launch automatically
• Set up the bookmark toolbar for them with bookmarks for their most used services (Google Calendar, Gmail, Google Drive etc.)
• set up Speed Dial 2 for new tabs to make it easy to access content sites such as news and online TV
• Show them how to use full-screen button and the bottom shelf to auto-hide to make screen area bigger
• Show them how to save, keep and organise their files on Google Drive (rather than on the local drive - or how to upload downloaded files such as PDFs from the local drive to Google Drive)
• install uBlock Origin and Magic Actions for Youtube to get rid of all the advertising
• install Tab Activate (to open new tabs immediately instead of in the background)
• teach them some basic trackpad gestures (two-finger scrolling, right-clicking, opening links in new tabs)

[mouser]

what jibz said makes sense -- if they only need what's on a chromebook, it's a nice solution.

[Deozaan]

It sounds like she doesn't really know what she's doing anyway, so if the cost of buying a Chromebook for her is a bit much, she might not be any worse off with an inexpensive SBC (Raspberry Pi or Odroid) running Linux with the basics (Browser, Office Suite) installed.

[Stoic Joker]

Trying to hide in/on an obscure platform ultimately makes one more vulnerable because in the new platform agnostic attack age everybody gets a turn, and the ones that think they're 'safe' tend to get hit the worst.

-Stoic Joker (May 09, 2016, 07:00 AM)

Are you calling Chrome OS an "obscure platform"? 

-dr_andus (May 09, 2016, 08:12 AM)

Not to put too fine a point on it, but...yes I am.

Security by Obscurity = nobody is writing exploits for this platform so it must be secure, because nobody is writing exploits for it... (see where that loops?)

As variety becomes more the norm, the platform isn't always guaranteed, so web based attacks can/will start using more - platform agnostic - web based code.

It might not be the most widely used platform, but it's now used in over 50% of US schools, and part of that is (besides it being idiot-proof) the security. You can't run a .exe file on it. Enough said. How confident is Google about this security?

-dr_andus (May 09, 2016, 08:12 AM)

All the more reason why its user base should start expecting some - unpleasant - attention..

See exhibit 1:

Google Will Pay You $100,000 to Hack a Chromebook

-dr_andus (May 09, 2016, 08:12 AM)

Completely, utterly, and mind-blowingly academic. Nobody cares if you can or can't hack the Operating System, it's not the target ... The user is.

Ransomware targets the user to get them to compromise their own files. Click here...boom! Your stuff is gone (/encrypted). Now what?


Chrome OS probably is just fine for less adept users...but assuming that it will magically defend against ransomware just because it isn't Windows is a very very risky strategy. Because - regardless of how well you lock down any OS - the user will always have full and complete access to their own stuff, and that's what ransomware is counting on.

It doesn't have to be encrypted well, it just has to be encrypted some how.

[dr_andus]

Ransomware targets the user to get them to compromise their own files. Click here...boom! Your stuff is gone (/encrypted). Now what?

-Stoic Joker (May 09, 2016, 12:54 PM)

How would that work on Chome OS though? You don't normally keep your files on the Chromebook, you keep them in Google Drive. So a hacker would need to hack Google's server to be able to access and encrypt the files. At that point it would also become Google's problem, so the user is not entirely alone to face the problem, like when it's your Windows machine that gets infected.

While it's possible to keep files locally in a Chromebook, it is not encouraged, and there is not a lot of space (a typical Chromebook comes with 16GB local drive). But it's not possible to run an executable in Chrome OS, so the risk of ransomware seems remote.

Chrome OS probably is just fine for less adept users...but assuming that it will magically defend against ransomware just because it isn't Windows is a very very risky strategy.

-Stoic Joker (May 09, 2016, 12:54 PM)

Actually security by obscurity worked well enough for quite a few years for those on the Mac and Linux platforms. So if Chrome OS is obscure and its obscurity gives it some safety, maybe there is some value in that, even if it's temporary and not absolute.

Just make sure you're running uBlock Origin and there is very little chance of coming across any advertising whatsoever. That should reduce the chance of ending up on some ransomware website.

[Target]

all very interesting, but largely academic ie I'm not coughing up hundreds of dollars for a new machine when the only problem with the old one is between the keyboard and the chair

A significant part of the problem here is that I don't know what actually happened.  I have a suspicion that there was no malware involved and that she simply responded to a browser popup but I won't know until I can look at the machine (another week), if then

She's not stupid, but she's not very computer literate and she clearly doesn't comprehend the risks (well, maybe she has some idea now) so I've tried to keep things as simple as possible.

I'd like to continue in that vein, so pretty much anything I do needs to be fairly transparent.  I appreciate your assistance so far but security is a complex business (to me, at least) and there's so much contradictory info out there it's difficult to know whats good and whats not so I'm looking for some recommendations that don't involve replacing a perfectly good machine

[dr_andus]

The suggestion to add adblockers to her browsers still stands. I had good results with uBlock Origin in Chrome and Adblock Plus in Firefox.

You could also add Malwarebytes Anti-Malware to complement the a/v software.

[tomos]

uBlock Origin

-dr_andus (May 09, 2016, 06:27 PM)

good ideas, but uBlock Origin may be a bit too conservative -- it blocks a lot of pages for relatively minor stuff imo (using it in FF & PaleMoon at any rate). It does give you the option to proceed to the page, but not sure if that whole scenario is great for a beginner.

[dr_andus]

You're right (it's mainly the blocking of google ad links that might be offputting to a beginner). Adblock Plus might be better then.

[mouser]

one piece of advice given above is good -- make a full drive image of the computer when you get it set up the way you want it, and you keep a copy of that.  then if their set up gets messed up, you can restore it to how you had it in minutes.

[Stoic Joker]

Ransomware targets the user to get them to compromise their own files. Click here...boom! Your stuff is gone (/encrypted). Now what?

-Stoic Joker (May 09, 2016, 12:54 PM)

How would that work on Chome OS though? You don't normally keep your files on the Chromebook, you keep them in Google Drive. So a hacker would need to hack Google's server to be able to access and encrypt the files. At that point it would also become Google's problem, so the user is not entirely alone to face the problem, like when it's your Windows machine that gets infected.

-dr_andus (May 09, 2016, 01:27 PM)

No need to hack anything since the user is already logged in, so anything accessible within the current users context is automatically subsequently...exposed.

While it's possible to keep files locally in a Chromebook, it is not encouraged, and there is not a lot of space (a typical Chromebook comes with 16GB local drive). But it's not possible to run an executable in Chrome OS, so the risk of ransomware seems remote.

-dr_andus (May 09, 2016, 01:27 PM)

People are people... And .exe is not the only 'executable' code, Flash, Java, JavaScript, and friends all have options to reak havoc if applied in that fashion...and once again: There is no security blocking access - by the current user - to the current users files...and those are ransomware's target. That's precisely what makes the damn thing so freaking dangerous.

Chrome OS probably is just fine for less adept users...but assuming that it will magically defend against ransomware just because it isn't Windows is a very very risky strategy.

-Stoic Joker (May 09, 2016, 12:54 PM)

Actually security by obscurity worked well enough for quite a few years for those on the Mac and Linux platforms. So if Chrome OS is obscure and its obscurity gives it some safety, maybe there is some value in that, even if it's temporary and not absolute.

-dr_andus (May 09, 2016, 01:27 PM)

Yeah, unfortunately (back then), it worked just well enough to dramatize the nice big hole in the "Target Market" that is now being closed ... Because now this has become a money game. Back in the day it was about pride, prowess, and bragging rights. Now it's a mercenary money game...and that makes it a very very ugly game indeed.

First rule of security, is to never assume you are safe.

[dr_andus]

First rule of security, is to never assume you are safe.

-Stoic Joker (May 10, 2016, 06:47 AM)

I'm not saying that Chrome OS is undefeatable (there have been a few rogue extensions, and Google makes some effort to weed them out), but it eliminates a lot of sources of threats (such as .exe or Java, which is not allowed to run on Chrome OS, or not storing your personal files locally).

There are just very few things currently that can go wrong when compared to other OS's (especially once kitted out with adblockers), which makes it ideal for less savvy users, and especially to those who are providing the IT support.

All I can say is that since I've replaced Windows machines with Chromebooks in my family (young and old), support requests dropped to zero, viruses dropped to zero (and everybody is super-happy with their machines), while before I had to deal with all kinds of Windows emergencies or cryptic pop-ups, spending hours on the phone or dealing with them in person.

[dr_andus]

...I'm not coughing up hundreds of dollars for a new machine...

-Target (May 09, 2016, 05:52 PM)

You can pick up a new one from Amazon for a hundred and a bit (and refurbished and used ones from various manufacturers' outlets probably for less)

...I'm looking for some recommendations that don't involve replacing a perfectly good machine...

-Target (May 09, 2016, 05:52 PM)

Maybe it's not a "a perfectly good machine" for the given use and user, if it's causing you so much trouble.

Depending on how many hours you spend on supporting this machine, and what your hourly rate is, you can calculate at which point might a Chromebook pay for itself.

But that's me done bigging up Chrome OS. 

[4wd]

...I'm not coughing up hundreds of dollars for a new machine...

-Target (May 09, 2016, 05:52 PM)

You can pick up a new one from Amazon for a hundred and a bit (and refurbished and used ones from various manufacturers' outlets probably for less)

-dr_andus (May 11, 2016, 08:41 AM)

You're forgetting that not everyone lives in the USA, this includes Target.

So find something decent from a seller that ships outside the USA, add shipping costs in USD, then add ~35-40% (currently) if you want to pay either using USD (to cater for the banks ripoff exchange rate) or AUD (to cater for Amazon's ripoff exchange rate).

That hundred and a bit isn't quite that any more, is it?

Plus unless you can also find one that offers true International Warranty, any warranty is probably no longer valid or if it is you're usually stuck with international shipping back to the seller and the attendant possible months long wait in the hope that something is happening.

Besides which, it's more cost effective to install ChromeOS on your existing equipment.

[dr_andus]

Sorry, didn't realise we're talking AUD.

Besides which, it's more cost effective to install ChromeOS on your existing equipment.

-4wd (May 11, 2016, 11:20 PM)

NeverWare's CloudReady is a good solution in terms of cost and usability, but keep in mind that it is not identical with Chrome OS (that is Google's brand and version that is specifically made for Chromebooks), though it is also based on the open source Chromium OS.

AFAIK it does look indistinguishable from Chrome OS in most respects but there are a few features that don't work on it (can't remember if it was Netflix or something like that), so it's worth checking it out first. And I'm not sure if the security is comparable to Chrome OS--that's another thing to look into.

But anyone I've heard of that tried it was raving about it, as it can breathe new life into decrepit laptops, so CloudReady does seem very useful and interesting.