How to make it difficult for family members to fall victim to malware, scams, phishing, etc.

Most of us have family members, like our grandparents and parents, who are not very tech-savvy and often fall victim to online threats. Oftentimes they barely know how to use a computer and do not follow best practices, such as using a password manager, updating software, or verifying sources, due to their lack of familiarity with technology. As a real-life example, one of my family members has sent their bank account number to a stranger over email, and the same person often follows directions from clearly suspicious emails, possibly clicking on suspicious links that download malware or steal their login information. I, along with everyone else, want our families to stay safe online and avoid these risks.

The threat model in this situation is clearly security > privacy, in other words, the goal is to maximise security, which will inevitably come at odds with most of Privacy Guides’ recommendations.

For people who aren’t tech-savvy, a word editor along with a web browser should suffice for most, if not all, of their needs.

Here are my thoughts, along with my summarisation of the kind people’s advice, who provided their solutions in this thread (let me know if I missed anything):

  1. We first need to find a secure operating system (OS) for their device(s), whether they be mobile phones or personal computers, and we need to configure it accordingly. Since mobile phones, e.g., iOS devices, are much more secure (or is it more accurate to say they have a smaller attack surface?) compared to personal computers, we will focus on securing personal computers.

Solution: Install ChromeOS on their machine, as it is secure, easy to use and lightweight OR let them use Windows (optional: harden it using the security baselines) with a non-admin account. Is it viable to install ChromeOS on a PC that comes with Windows natively? On such a device, wouldn’t Windows take better advantage of the hardware?

The power usage of the device is not only environmentally important, but oftentimes older family members use netbooks and cheap computers that have limited resources and performance. Hence, ‘lightweight’ software is preferred. Telemetry, tracking and other non-essential features that companies inject into their software products for their own personal gain not only come at odds with privacy, but also with the environment and power usage, so keeping these to a minimum is preferred.

  2. We need to install non-OS software that may enhance the security of their machines: such software could potentially have built-in guides, tips and warning prompts, warning them not to do misinformed things. The software would need to be low-maintenance. Content and DNS blockers are listed below; these are very important:

Solution: use uBlock Origin, easy mode + enhanced security/privacy, by configuring it to block 3rd-party <iframe> by default, since:

iframe tags are very often used by malware code on compromised websites – using 3rd-party-sourced <iframe> to inject exploit on a user’s computer is quite a common technique

Additionally, specific filter lists have been recommended by Privacy Guides and the community. These are the AdGuard URL Tracking Protection, Actually Legitimate URL Shortener Tool, AdGuard Tracking Protection, Block Outsider Intrusion into LAN, EasyPrivacy, Online Malicious URL Blocklist and Phishing URL Blocklist filter lists. All of these can be found by clicking the uBO icon > dashboard (cogs icon) > filter lists > under the Privacy and Malware domains drop lists.

DNS filtering at the network level with AdGuard or AdGuard Home (harder to set up) would enhance the blocking of malware, ads and tracking domains, as well as provide you with the ability to selectively block sites that you don’t want them to access. AdGuard’s applications are supposedly more powerful than their DNS servers alone, so I have bought a lifetime AdGuard subscription for 9 devices from stacksocial, which is for some reason much cheaper than what AdGuard offers themselves, but is legitimate.

What web browser should our non-tech-savvy family members use, e.g., Brave, Chrome or Edge? I am guessing this will depend on the operating system: Chrome for ChromeOS, Edge for Windows and so on.

  3. We could also secure their important accounts, like bank accounts, with 2FA and improve their passwords, check their accounts for suspicious activity (e.g., by using bank statements), and change their email provider to Proton or Gmail (which I have been told is the most secure).

  4. Other measures like encryption are not necessary due to the security > privacy threat model.

5 Likes

The “only” solution to deal with this use case in an easy way is to provide them with an OS that they cannot compromise (easily) even when they try to - and they will, due to lack of knowledge.

In short: buy a Chromebook/Chromebox for them. Alternatively an iPad would work, too. Add a blocking DNS resolver like NextDNS/AdGuard on top of that and maybe uBO easy mode for a ChromeOS device.

Forget about warning messages, teaching them how to use uBO - in many cases this just will not work. There’s malware which specifically instructs the user to disregard other warning messages and even tells them how to disable software that would block infection.

uBO medium mode is completely out of the question IMHO. All that would do is you getting constant complaints about websites not working.

7 Likes

I put Linux Mint Xfce on for my non-tech fam, and in Thunderbird disabled the ability to click on links. And the last thing I do is constantly tell them: don’t click on any links. Email, mobile messages, etc.
Just go to the website themselves.
Yes, I get more tech support questions, but I don’t want to have to deal with the stress if something goes bad.

2 Likes

I recommend the following lists to block threats for them:

Why ChromeOS devices?

Aren’t MacBooks kinda the best out-of-box security for normies?

2 Likes

Do you know that Mint XFCE is one of the worst choices for security?

3 Likes

macOS allows you to install unsigned 3rd party software, you just have to click away the warnings. It’s also much more complex than ChromeOS.

On ChromeOS you can only install browser extensions (and Android apps and Linux apps after you enable Linux containers “Crostini”).
Really not much you can do wrong here even as a total newb. Security is top notch but of course privacy is not, because Google.

Still, for absolute tech newbs that can’t or won’t take the time to learn about their OS it’s a solid choice for a lightweight, easy to understand OS IMHO.

Even if the user completely messes it up (is that even possible?) you can reinstall and bring it back to the way it was in ~20 minutes.

4 Likes

My suggestions…

Have them use Windows. This is a user issue, not a privacy issue. Windows is the most common OS out there, this is going to be the simplest for them to use. If you want to spend time teaching them a whole new operating system and then being their on-call tech support, go for it, but that sounds like a massive headache.

Set yourself up as the Administrator on their computer and then create a user account for them to use. This is going to save them from themselves 90% of the time. Install the needed applications for them. Once that is done, they will be prevented from being able to install most applications without calling you up. This will be inconvenient for you but less so than dealing with whatever they install on their own. If you have the ability, set it up so you can just remote in when needed. This will save you a lot of effort for the more low-priority issues they may come across when not having admin access.

Have some good malware removal tools on a thumb drive stored at their home, just in case. I recommend Norton Power Eraser and Kaspersky Virus Removal Tool.

If they were informed users, you could probably get away with just Microsoft Defender and a decent DNS but since it sounds like they commonly have issues, these tools will help alleviate a really sticky situation. I understand people may have issues with these brands, especially Norton but, Power Eraser is extremely effective in situations where malware has taken hold and is preventing the user from opening or installing other common AVs. Using NPE and then KVRT in a dire situation is going to clear up a ton of problems that Windows Defender is not suited for.

Have their computer pointed to a decent DNS, such as NextDNS, where you can add in other blocklists. You may also want to go into their router settings, make sure they are using at least WPA2, possibly point the router to NextDNS, and turn off obvious issues such as WPS.

For the browser, I would just install whatever they are comfortable with. Then add uBO to that. You can always do a bit of hosts file editing to block some of the annoying junk that something like Edge may point to.

You may want to try and convince your family members to create new email addresses. If they have fallen victim to phishing scams in the past they are probably on a bunch of scammy email lists that just changing their email address could help prevent. This one could be a hard sell though…

A lot of my suggestions may not be as privacy-forward as you would like to see from a PG forum member, but I feel your issue is more about securing your family’s computer while making it easier for them to use as non-technical users. I feel these suggestions will do that.

1 Like
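The administrator/standard-user split described in the post above, as an added PowerShell example that is not part of the original post. It assumes local (not Microsoft or domain) accounts, and `grandma` is a hypothetical account name.

```powershell
#Requires -RunAsAdministrator
# Added example: run from YOUR administrator account on the family PC.
# 'grandma' is a hypothetical daily-use account name; pass your own.
param([string]$DailyUser = 'grandma')

# Well-known SIDs are used instead of group names, which are localized
# (for example "Administratoren" on German Windows).
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

# Guard: demoting the account you are logged in with could leave the
# machine without a usable administrator.
if ($env:USERNAME -eq $DailyUser) {
    throw "Run this from your own admin account, not from '$DailyUser'."
}

# 1. Create the daily-use account if it does not exist yet.
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $DailyUser"
    New-LocalUser -Name $DailyUser -Password $pw `
        -Description 'Daily use, no admin rights' | Out-Null
}

# 2. New-LocalUser adds the account to no group, so add it to Users.
if (-not (Get-LocalGroupMember -SID $UsersSid -Member $DailyUser `
          -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -SID $UsersSid -Member $DailyUser
}

# 3. If the account already existed as an administrator, demote it.
if (Get-LocalGroupMember -SID $AdminsSid -Member $DailyUser `
    -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -SID $AdminsSid -Member $DailyUser
}

# 4. Audit: everything listed here can still install software system-wide.
Get-LocalGroupMember -SID $AdminsSid |
    Select-Object Name, ObjectClass, PrincipalSource
```

After this, installers that need elevation prompt for the administrator's credentials instead of a simple Yes/No confirmation.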

Can we just fix that with a DNS resolver / NextDNS?

There are a lot of settings in ChromeOS you can flip to make it less privacy-invasive and yes, NextDNS will help, too.

1 Like

Someone should do a YouTube video on the packet analysis of this lol.

My firewall is on :stuck_out_tongue: LM just works. I don’t want to waste my time and brain power on recommended OSes.

Never, ever use it. It is a company that is located in a dictatorship country, closed source and fancy for privacy and security issues (one, two, three)

We have no guarantee that this company won’t voluntarily share (not even sell) users’ data with dictatorships

3 Likes

Might be a small distinction to some, but I am not recommending downloading and installing Kaspersky AV, just this specific tool (just as I am not recommending installing Norton AV). The tool itself is portable and could be run completely offline (which you should do regardless, if your system is infected).

1 Like

“Don’t use X because it is from Y country” and “It’s closed source!!!1!1” make your actual, legitimate information look weaker. The fact that Kaspersky has previously been used to probe targets is a legitimate concern but just being Russian software isn’t enough to say “omg bad!!”. Not every single person from that country agrees with the gov…

And I’m not even touching the “closed source is inherently bad!!” because this is privacyguides not RMSguides

3 Likes

Thinking that all people from a country aren’t necessarily their gov =/= supporting the actions of that government, especially not imperialism they’re doing to their neighbours. Otherwise I would be saying that all Chinese people are secretly CCP spies or all Americans are jingoistic warmongers.

If you truly think that saying that some Russians might not be as bad as their government is pro-Russia in the atrocities they’re perpetrating against Ukraine you may have a tiny bit of terminal online-itis

Anyway that’s more than enough off-topic, and you should probably touch grass

2 Likes

Being a Russian-registered company means it’s under the Russian government’s law. Therefore, the country of residence of the software does matter a lot.

You might say that it’s a multinational company. However, since the software is not open source, no one ever knows. For example:

You can disable it in the settings under privacy and security. Is it the same function with Chromebook?

1 Like

Firstly, thanks for the advice everyone, I will be implementing all of it myself ASAP, for my family members’ devices. To clarify, the suggestions in this thread are advice for everyone; the advice should not be exclusive to or personalised for my family.

In my personal case, since I already have an AdGuard lifetime subscription for 9 devices, which I got cheap from stacksocial, I will harden Windows on my dad’s computer, and use AdGuard. However, a lot of you have suggested NextDNS; does it have any advantages over AdGuard?

Even if so, it is prohibited to use in many countries for critical infrastructure, so that is a reason for that.

I can’t say it as 100% truth, but such countries are really famous for surveillance. I have no guarantee that this closed source tool will not modify something in my system to send data after the system is connected to the internet, or will not open any kind of backdoor.

Maybe I am too paranoid, but I will never trust companies that have any relationships with any government authorities and moreover have no open source code.

AdGuard is good, but the apps (not AdGuard Home or the extension) are closed source. If you trust them - there is no reason to worry