Mobile (phone/tablet) considerations
The NSA collects text messages and tracks who you're calling, if not the actual contents of voice calls. There are apps for Android that can help protect your privacy:
Keep your software and operating system up to date.
For Windows, there is software like Secunia PSI (heavyweight, slow) or Filehippo's Update Checker (lighter weight). Most apps these days auto-update. If they do, let them. Use Windows Update; don't ignore it.
Make SURE that [Adobe Flash] Player, [Adobe] Acrobat, and [Oracle] Java are up to date. They should auto-update by default.
I strongly advise using either Chrome or Firefox. They automatically update, they have lots of extensions and plugins available, and they are relatively hassle-free.
Windows XP (as of April, 2014) is no longer supported except for specific organizations that have extended support contracts with Microsoft. If you're using XP outside of that kind of umbrella, STOP NOW. It's NOT SECURE, and IE8 (the last version supported on XP) is only going to accumulate performance and security problems. If you have to continue using XP personally for some reason, don't use IE, instead install Chrome or Firefox which offer better protection against malware until you can move off of XP.
To enable TLS 1.1/1.2 in IE on Vista/7/8: in IE, Tools (gear icon) -> Internet Options -> Advanced tab. Scroll down to the bottom and select TLS 1.1 and TLS 1.2. This author is not sure whether Microsoft has pushed, or will push, a patch that makes that the default.
To protect against malicious Flash videos: In Chrome, go to the config menu (top, far right), "Settings", scroll to bottom, click "Show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without Flash, and you trust the site, on the right side of the URL bar there will be a puzzle-piece icon (it's right next to the favorite-site star). Click on the puzzle icon for options that let you allow plugins once, or every time you visit that particular site.
In Firefox, use Flashblock (a browser extension) or NoScript (see below).
Recommended extensions (you can find them by googling the browser name and the extension name together):
- Adblock / Adblock Plus (Chrome or Firefox) [subscriptions: EasyList and EasyPrivacy]
- Self-Destructing Cookies (Firefox)
- Vanilla Cookie Manager (Chrome; less capable, but the same sort of thing as Firefox's Self-Destructing Cookies)
- Disconnect ( https://disconnect.me/ )
- HTTPS Everywhere (Firefox - get the stable version)
Advanced SSL-management extensions: CertPatrol
Access to your email account allows password resets for most sites you register with. It's imperative that you try to keep your email account secure. Don't reuse your email account password(s) or banking password(s). If you've reused your email password somewhere else, and that "somewhere else" site gets hacked, and the attacker gets your password from it, they can now log in to your email account. Since access to your email account allows resetting your passwords at most other sites (including ecommerce sites), it's critical that you take email account passwords as seriously as you take banking or financial information.
Most email providers also now provide 2-factor authentication. It might be codes sent via SMS to your phone, or a code or 2D barcode you scan into an app on your phone that can then, without using SMS, generate codes you type in in addition to your username and password.
Gmail, Hotmail/Outlook.com, and Yahoo all now support SSL encryption by default. If you use some other email provider for your main email account, particularly if it's an older email service, make sure it supports TLS/SSL. If it doesn't, seriously consider switching email providers. Without SSL, the NSA is literally guaranteed to be reading all of your email, and so can less sophisticated hackers if you're on public wifi or an untrusted network connection.
What do email scams look like? See the linked "Example of an Email Scam". If you receive an email like that, the sender's email account has been hacked.
Make sure your email account has recovery options (usually an alternate email -- make sure you take the security of the alternate account seriously, too! -- or a mobile number for using SMS to recover the account, or a recovery code -- Hotmail/Outlook.com offers those). Print out recovery codes if they're offered, and put them in your bank safe deposit box. That's in case you lose your password and your phone (for 2-factor), or if the account gets hacked and you need a way to prove you're the real owner.
Gmail, and some other sites, have the option of using 2-factor authentication. 2-factor is highly recommended if you have a smartphone (basically any android/iOS device) and if you can understand it well enough to set it up. It means stealing your password is not enough anymore; someone has to steal your password and hack (or physically steal) your phone.
Duo Security's mobile app: no need to use Duo's service; it stores standard 2-factor tokens the same as Google's app. Google's 2-factor authentication app, unfortunately, lacks the ability to reorder accounts on Android, and has had other software problems lately, for instance on the iOS 7 beta. Stick with Duo's app if you can. There are some other probably decent alternative 2-factor apps, like Authy.
Password security is beyond the scope of this post, since TFL is not a very critical site. Password management is important because, if you're not reusing passwords between sites, you will have a ton of passwords, more than most people can be expected to remember. Password management applications include KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free, but if you use multiple computers or devices you have to ensure compatibility between the different clients (KeePass1/KeePassX clients won't work with KeePass2 password files) and you have to set up syncing yourself). Syncing is important even if you only use one browser, because if your computer dies or your home burns down, you need a copy of your password database stored "in the cloud" to recover. Every good password management app encrypts the password database, so if you're using a good master password for your password database, and take steps to keep your computer secure against malware, the risk of storing your password database "in the cloud" is relatively small.
Commercial options, which may or may not be ideal, but are easier to use, include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $).
Virus and Malware protection:
Microsoft Security Essentials is free and pretty good. Eset Nod32 has a great reputation among non-free AV software, and Comodo Internet Security is also frequently used (mostly for its sandboxing and firewall).
If you suspect an infestation, running multiple scanners gives the best chance of catching the malware. Here are some commonly recommended tools:
Other Security Measures
This is not for the faint of heart, but, for Windows, Microsoft provides software called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. It theoretically might cause problems for some applications, so if you experience strange problems with any program with EMET enabled, disable EMET features for that application before trying anything else.
There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library.
Virtual machines are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox, or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org