"Absolute" Security on New System Creation

Joao Felix

Reputable
Apr 12, 2014
Greetings.

I don't trust pre-assembled machines, ready to use, that we can buy in stores.

Hence I've taken the step of always installing OS and the rest by myself when making a new machine.

But time goes by and new threats come up:
-> across network infections (avoidable by not connecting to network at the same time as infected machines, solo surfing)
-> heartbleeders, confickers, etc (which remain undetected for years)
-> rootkits and BIOS infecting code (ever heard of them: http://en.wikipedia.org/wiki/BIOS#BIOS_chip_vulnerabilities skip to Virus Attacks)

If I want to build a new system from scratch, what should I really do? I tried to think of a set of steps to execute:

Buy new / erase all data on hard drive > buy new memory (how to reset it?) > how to clear BIOS from all possible infections? (is removing the battery for some secs enough?) > buy new and install original copy of OS > install Int.Sec. package > Create Limited User Account > update I.S. > install drivers

Is this enough?

What advice does anyone have?
(Let's assume all but this: http://www.pcworld.com/article/2060360/security-researcher-says-new-malware-can-affect-your-bios-be-transmitted-via-the-air.html)


Maybe this forum is not appropriate (or vice versa); would you be so kind as to suggest one that is?

Many Thanks
 

Joao Felix

Reputable
Apr 12, 2014
Hence the use of "".

Please do not reply to this thread if you feel you have nothing to add to it.


The machine is intended for very little, but very important internet use (and nothing else). The "between your ears" (b.y.e.) protection will not come into play much because we'll have to assume the few internet sites visited are reliable. On the other hand, the purpose of this thread is precisely to enhance the protection level provided by that b.y.e. right from the start, prior to usage.

What I am after is a set of steps (procedure) to follow in order to guarantee the highest possible probability of creating a machine with no infection.

I hope this new formulation will satisfy those more in tune with a logical approach to virtual life.

Many Thanks
 

USAFRet

Titan
Moderator
Build from new parts
Install a valid, legal OS
Daily use, run as a 'standard user'
Create a strong admin password
Run a good AV application
Be aware of what you download and install
Don't visit dodgy websites

In my house, I also have a border security Linux firewall box.

That's pretty much it. What else are you looking for?
 

Joao Felix

Reputable
Apr 12, 2014
Thank you, US Air Force retiree, for your support.

I'm intrigued by that Firewall Box you mentioned. Could you please provide more detail? Even if only a link.

My level of care borders on Descartes's absolute doubt, so I'll insist on any info that you may have for me regarding the clearing of memory that one buys from the store. Is it possible prior to installation on the system?
I only plan on installing the very basics needed for PC operation, like Adobe stuff and maybe not Java. Drivers are a must.

In your opinion, should I buy high end? I know some lower end processors have very little protection, or even none, against common threats, but I hate to pay 600 for a new machine that I'll be using so little.

And what about the BIOS? Is there any real threat that you know of which does not involve physical access to the PC?


One more question: if I choose Win 8.1 and buy a DVD, can I get a System Builder or should I stick with a Home Edition?
Best Regards
 

USAFRet

Titan
Moderator
For that border security box:

A $50 low end PC, bought 5 or 6 yrs ago. Currently runs Untangle. Previously, I've used IPCop.

ISP -> modem/router -> firewall box -> almost everything else. The only traffic that does not flow through the firewall box is WiFi, and the only thing I use WiFi for is transferring files from my digital cameras and the Kindle. So ALL normal internet usage flows through the firewall box. It alerts if it detects a spamware or phishing site, and only allows you to continue if you specifically say "Yes".
Multiple levels of what is allowed, and if a non-allowed site is accessed, you must input the proper password to continue.
Zero maintenance, zero noise, minimal power use. It sits in the corner and does its thing.


For building a new system and ensuring all is well before any installation? With new hardware, there's not much we out here can do. If there is some weirdness burnt into the firmware, consumer level tools probably won't catch that.


Finally, for Windows 8.1, the System Builder version is fine.
 

Deuce65

Honorable
Oct 16, 2013
"-> across network infections (avoidable by not connecting to network at the same time as infected machines, solo surfing)"
Are you on the internet? Yes? Then you're connected to a network at the same time as infected machines.
"-> heartbleeders, confickers, etc (which remain undetected for years)"
Overblown. Were your passwords getting stolen left and right last week or the week before? No? Then why would they be all of a sudden?
"Is this enough?"
No, not really. Anyone who would bother to go to the trouble of infecting your BIOS with malware isn't going to leave it flashable. Assume for the sake of argument that your motherboard manufacturer or someone in a position of power over them (think like the NSA) inserts malicious code into your BIOS. Or the manufacturer of any of your hardware inserts malicious code into your firmware. They almost certainly wouldn't leave it flashable. To be honest, you would never really know about this.

What is it exactly you are worried about, people stealing your data? Here's the thing. Assuming you take even the minimum level of protection for your data, YOU are not the weak link, and your computer is not the weak link. It's the company you are doing business with that is the weak link. You can have the most secure system in the world; if the bank or whatever you are dealing with leaks your information, there is nothing you can do. And since there is very little financial incentive for them to spend tons of money protecting your data, they generally speaking don't. Ever taken out a loan, or rented an apartment, or anything like that in the USA? Then all your data exists in a credit profile somewhere. You could have never owned a computer or been on the internet in your life, and if Experian gets hacked, all your data is out in the open.
Anyways, if anyone wants specifically your information, it is much easier to just call up one of the many institutions you do business with and simply ask for it, rather than hack a system.