Advice Request security for a paranoid elder

[mathok87]

I'm setting up a computer for my paranoid father. An example of the precautions he takes is to shut down the modem/router when not in use and disconnect the DSL phone line. Also unwilling to use wireless mice or keyboards lest his password keystrokes be logged by rogue hackers in the neighbourhood.

I've taken some notes of posted security configurations on this forum however I initially came here with questions on the following general points:

- Are pi-holes attached to router worth considering?
- What software firewalls are recommended? Is there a better physical alternative for purchase or creation from old computer?
- What's a good VPN either paid or free? The TOR browser is considered but my father would never trust it's nature
- What anti-virus programs are worth considering? Avast had a virtualized environment in the past I recall but I never tested it's efficacy.
- How's Malwarebytes considered these days? I've used it for scans before but how would it's live protection mesh in a good protection scheme?

Let me know what your entry and mid level security recommendations may be please. I'm not well versed in networking but technical enough to implement most things.

Thanks.

 

[peterfat11]

I can maybe answer a few a good free VPN would be windscribe, and I think WD is a very good av so there is no reason to look for another one.

 

[South Park]

Hard Configurator with Windows Defender is as good a solution as any: Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

 

[Gandalf_The_Grey]

IMO don't go overboard and start with the basics.
That is main security of the system.

1) F-Secure Safe with F-Secure Freedom VPN is a great start protection wise.

App Review - The Shadowra's Battlefield Antivirus 2021

Hello and welcome to the antivirus tournament! This is the last video of 2021, because after that I will be with my family. You have chosen your 10 favorite antivirus programs, and these same programs are going to face each other in a merciless duel! Who will be elected number one? Attention...

malwaretips.com

You can harden the system further with Simple Windows Hardening or even further with Hard_Configurator.

New Update - Simple Windows Hardening

Post updated in September 2024. SWH works with Windows 10 and 11 (all versions including 24H2) SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver...

malwaretips.com

Hard_Configurator - Windows Hardening Configurator

Post updated in September 2024. The current version can be downloaded from GitHub or Softpedia: https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_7.0.0.0.exe https://www.softpedia.com/get/Tweak/System-Tweak/Hard-Configurator.shtml WARNING! The fake domain...

malwaretips.com

Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

hard-configurator.com

2) You can go with all Window built-in protection by using Microsoft Defender Antivirus and use all modules of Hard_Configurator.

Hard_Configurator - Windows Hardening Configurator

Post updated in September 2024. The current version can be downloaded from GitHub or Softpedia: https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_7.0.0.0.exe https://www.softpedia.com/get/Tweak/System-Tweak/Hard-Configurator.shtml WARNING! The fake domain...

malwaretips.com

Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

hard-configurator.com

3) Comodo Firewall is an option used with @cruelsister settings.

Advice Request - Where can I find @Cruelsisters Config?

I'm thinking of replacing Voodooshield Pro with Comodo's Internet Security but after some searching I can't find any info about his setup. Thanks

malwaretips.com

4) VoodooShield is an option for application control

New Update - VoodooShield CyberLock 7.0

Hey Guys, Here is the first VoodooShield 7.0 beta. The new Contextual Engine is almost 100% complete, but there will be a few blocks, so please let me know if you experience any unwanted blocks. Overall you should see a significant reduction in blocks, but I am certain that I am missing a few...

malwaretips.com

5) Kaspersky Internet Security tweaked for maximum protection

Advice Request - Kaspersky's Application Control: what is it, how it works

I'm pretty sure you have heard about Kaspersky being recommended. Here, by friends, on the internet. But... why? To start with, Kaspersky is a very complete and powerful suite, includes several modules that together can outsmart pretty much most malware if correctly configured. This thread is...

malwaretips.com

Out of these options nr. 2 would be my advice for an elder.

There is a lot of info to be found here and many knowledgeable and helpful members around.

If you pick a solution post your security configuration here so that members can give you advice how to improve it:

PC Setup Configuration Help & Showcase

Share your PC security set-up with the community.

malwaretips.com

 

[cruelsister]

How's Malwarebytes considered these days?

It has been and remains a horror.

What software firewalls are recommended?

An Outbound alerting firewall is always an essential security component. I prefer (surprise) Comodo Firewall.

What anti-virus programs are worth considering?

Gandalf's recommendation #2 above is worthy of consideration for both ease of use and overall security, and paired with CF will allow your Father to relax (a bit).

(in addition, use KVRT as a 2nd opinion scanner. Other choices are not as sensitive in detecting infectious thingies)

 

[Vitali Ortzi]

Don’t use a vpn all they do is literally route all your traffic aka mitm
And for dns use 9.9.9.9 it’s more privacy friendly then most but ofc not enough but wayy better then 1.1.1.1 based on privacy

 

[ScandinavianFish]

Make them use an standard user account, install Hard_Configurator (add EXE and TEMP in Whitelist By Path, launch ConfigureDefender and put it on High protection level, you can also set it on Block under Cloud protection level, also enable Block All Inbound Connections in Firewall & Network protection, also use an adblocker like uBlock Origin.

An VPN does very little for your privacy, let alone security, 90% of connections and websites on the internet are already encrypted using HTTPS, DNS over TLS or HTTPS over DNS/TLS, and modern trackers doesnt need your IP address to track you, for that they use your browsers digital fingerprint, which if you use Chrome or Firefox, is unique, meaning they can follow you around by just looking at the fingerprint, no cookies, trackers or IP addresses needed, instead use an DNS service, like Cloudfare, Quad9, or NextDNS, the latter two includes malware filtering, not only does using an DNS over your ISP one is not only does it encrypt your DNS queries (which VPN's also does, though it doesnt make your surfing habits invisible to your ISP), it also speeds up browsing speed.

Malwarebytes is mediocre, its good at finding unwanted stuff, but not so good at detecting actual malware, and their nagging is on par with Avast, though not as aggressive, its still an good enough tool to run alongside Windows Defender, just make sure to turn off all real time protection and disable Register in Security Center (Disable notifications in it settings to stop it from nagging about disabled real time protection modules)

 

[kC77]

I'm setting up a computer for my paranoid father. An example of the precautions he takes is to shut down the modem/router when not in use and disconnect the DSL phone line. Also unwilling to use wireless mice or keyboards lest his password keystrokes be logged by rogue hackers in the neighbourhood.

I've taken some notes of posted security configurations on this forum however I initially came here with questions on the following general points:

- Are pi-holes attached to router worth considering?
- What software firewalls are recommended? Is there a better physical alternative for purchase or creation from old computer?
- What's a good VPN either paid or free? The TOR browser is considered but my father would never trust it's nature
- What anti-virus programs are worth considering? Avast had a virtualized environment in the past I recall but I never tested it's efficacy.
- How's Malwarebytes considered these days? I've used it for scans before but how would it's live protection mesh in a good protection scheme?

Let me know what your entry and mid level security recommendations may be please. I'm not well versed in networking but technical enough to implement most things.

Thanks.

Pihole - YES along with unbound for recursive DNS & block all other DNS leaks in hardware firewall
Software firewalls - Spyshelter firewall/tinywall/simplewall/windows firewall controll/glasswire etc (spyshelter firewall has the advantage of keystroke protection)
Good VPN - ProtonVPN - free & Paid - only really needed if he doesnt want the isp logging his websites or if torrenting)
AV - Windows defender with Configure Defender in high mode, or KAV
MBAM - no comments

 

[Chuck57]

For me, being probably among the oldest on this forum, Comodo Firewall (CS settings) and Wisevector StopX is a pretty good combination. Once set, both tend to do their jobs and leave me alone. When you get old, crotchety, and annoyed by everything not being pestered is nice.

 

[ForgottenSeer 69673]

For me, being probably among the oldest on this forum, Comodo Firewall (CS settings) and Wisevector StopX is a pretty good combination. Once set, both tend to do their jobs and leave me alone. When you get old, crotchety, and annoyed by everything not being pestered is nice.

Welcome to among the oldest on this forum.

F-Secure has become a very good AV. As far as a firewall, I like Fort Knox but Tiny Firewall is pretty good as well.
If Daddio is really paranoid, install Shadow Defender. For a good second on demand scanner, I would recommend Dr Web's CureIt.
A top of the notch paranoid person would also install Appguard.
And above all else Marcrium Reflect with USB full backups
Now I won't say Comodo products are bad, and I have nothing at all against mt fav shoe model but because of principal personal reasons I won't recommend Comodo anything because of what they did to Kevin. Yes, it is true BoClean was not doing as well and that is because most of his contracts were the government but when new nasties required more, the gov told Kevin he cannot touch the kernel with his software and so that was that. Now look what they decided to use anyway. And if you think Kevin's forum posts are long, you should have seen his e-mail.
In case you are wondering who Kevin was, I am including an old link to Comodo Forums.

Project KNOS ( Kevin & Nancy's OS ): Side Issue - General Discussion (off topic) Anything and everything...

Project KNOS ( Kevin & Nancy's OS ): Side Issue - General Discussion (off topic) Anything and everything...

forums.comodo.com

Happy New Year

 

[ForgottenSeer 69673]

install virtualbox and then create a Tails linux vm
all free & provides what is essential for paranoid user

Tails

Virtual Box is great but really only needed if an install requires a reboot. And requires a bunch of resources. Shadow Defender isn't free but is cheap and a lifetime Lic. I only know of one way to beat Appguard and that is by using one of the rusted signed certs included in the program with your malware. There might be others, but I am not aware of them.

 

[oldschool]

An example of the precautions he takes is to shut down the modem/router when not in use and disconnect the DSL phone line. Also unwilling to use wireless mice or keyboards lest his password keystrokes be logged by rogue hackers in the neighbourhood.

IMO don't go overboard and start with the basics.

The most important first step is to talk with your father about basic computer and intenet hygiene. This is essential. Try to understand the source of his paranoia. Do you live in a place ridden with rampant extortion, civil unrest, other crime, etc.? Or is he spinning these beliefs in his head out of past traumatic experiences, etc. or from some unreliable media sources or security clickbait?

Once you understand where he's coming from you can start to come up with solutions that work for him. I can't stress enough that basic computer and intenet hygiene education is an essential foundation and starting place for computer security.

 

[Digmor Crusher]

Keep it simple with as less user interaction as possible, Andy's tools come to mind.

 

[mathok87]

Wow thank you everyone for all this information! Plenty to sort through and great recommendations! Here is what I'm considering at the moment:

- Antivirus: F-Secure or Kaspersky Internet Security (doesn't look like I'd really need Total Security package). Also will present Microsoft Defender as an option but he'll probably feel better paying for something he feels is even more secure.

- Firewall: Fort Knox (seems pretty complete), TinyWall (doesn't list protection from "outbound" attacks), Comodo (seems appealing especially with Cruelsister settings - is there significant benefit over the other options?)

- Other considerations: Definitely will Harden Windows, VoodooShield Free looks like a worthwhile security addition, KVRT as additional scan option.

Beyond all this his ISP supplied router is old however it lacks WPS which he likes. He's read that WPS sometimes isn't entirely disabled on routers when done through the router interface (I haven't come across this myself). To that end is it likely one could actually encounter attacks directed at the router itself circumventing the software security options above? I'd doubt it but I'm not qualified to back my doubts up. I've always setup my routers with the following guide in mind:

Home Network Security. Secure your Wireless Router & Devices

Enhance your home wireless network security by correctly configuring your Wi-Fi router and connected devices. Step by step guide with examples.

heimdalsecurity.com

With that guide in mind is there really specific 3rd party routers worth considering with further security in mind? As stated I'd presume any half decent router with standard security setup should be absolutely fine with above software options but if there's something with tangible benefit that's not a fortune I can direct it to him for consideration.

By the way my dad doesn't engage in anything nefarious but rather just standard internet browsing. His biggest fear as it stands is suffering a network infection that would log his information when he uses his Chromebook for internet banking. Said Chromebook is only used for this purpose and is otherwise turned off.

Again thanks again everyone for this.

 

[mathok87]

The most important first step is to talk with your father about basic computer and intenet hygiene. This is essential. Try to understand the source of his paranoia. Do you live in a place ridden with rampant extortion, civil unrest, other crime, etc.? Or is he spinning these beliefs in his head out of past traumatic experiences, etc. or from some unreliable media sources or security clickbait?

Once you understand where he's coming from you can start to come up with solutions that work for him. I can't stress enough that basic computer and intenet hygiene education is an essential foundation and starting place for computer security.

Absolutely basic computer and internet hygiene is important is something he's fairly savvy with. He has background as an electrical engineer and thus has worked with computers his whole life. He's pretty good at identifying scam emails and not clicking on potential malware links. He's extra concerned though if he even opens an email that contains a link within it. He once opened a text message on his phone that had a suspicious link and subsequently got a new phone number. Computer security is a grey area for him so his default response is stressed paranoia over every action taken online.

 

[ScandinavianFish]

Absolutely basic computer and internet hygiene is important is something he's fairly savvy with. He has background as an electrical engineer and thus has worked with computers his whole life. He's pretty good at identifying scam emails and not clicking on potential malware links. He's extra concerned though if he even opens an email that contains a link within it. He once opened a text message on his phone that had a suspicious link and subsequently got a new phone number. Computer security is a grey area for him so his default response is stressed paranoia over every action taken online.

NextDNS offer protection against Newly Registered Domains, blocking websites newer than 30 days, useful to ease his paranoia.

Also, aslong as the router is kept up to date, an strong password is used, and attached devices are monitored theres no need for him to worry about network attacks, the inbuilt firewall already offers some degree of protection against such attacks, theres really no need for third party firewalls.

 

[mathok87]

NextDNS offer protection against Newly Registered Domains, blocking websites newer than 30 days, useful to ease his paranoia.

Also, aslong as the router is kept up to date, an strong password is used, and attached devices are monitored theres no need for him to worry about network attacks, the inbuilt firewall already offers some degree of protection against such attacks, theres really no need for third party firewalls.

Well dang that's a nice service! He'll definitely be interested in NextDNS. Thanks also for the router advice!

 

[shmu26]

If you can, try to educate the elder about which security concerns are relevant to home users and which are not. It sounds to me like he wants a setup to protect nuclear secrets, which is overkill.
Nowadays, since we are all behind a router, attackers cannot penetrate the system straight from the internet like they could with the old-style modems. If a user is on a trusted home LAN network, it is not likely that he will be targeted. That happens to businesses and public figures, not to ordinary home users.

 

[Sorrento]

In my opinion, using a program such as Kaspersky Internet Security for example along with AdGuard for Windows, decent router with firewall, maybe Wise Disk Cleaner along with an imaging system will do all you want - Adding a VPN will potentially throw up CAPTCHA's due to sharing IP address & this can worry people - More than that for a low risk user could put you in the paranoid category not your father?

 

[Brahman]

Well dang that's a nice service! He'll definitely be interested in NextDNS. Thanks also for the router advice!

Mikrotik routers support DNS over HTTPS (Doh), am running NextDNS doh on my Mikrotik, it has a pretty decent firewall too.