View Single Post
Old July 22, 2009, 09:26 PM   #1
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,152
**Web and Browser Security** (TFL now supports TLS 1.2)

Mobile (phone/tablet) considerations

The NSA collects text messages and tracks who you're calling, if not the actual contents of voice calls. There are apps for android that can help protect your privacy:

Redphone

Textsecure


Blackphone is an unreleased phone that will probably have the above apps or similar, and more, in the default firmware. Maybe it's not practical to get that when it's released, but if you care about privacy keep an eye on what apps it ends up using by default, since they will probably be available separately in the android app store.


Keep your software and operating system up to date.

For Windows, Secunia PSI (heavyweight, slow) or Filehippo's Update Checker (lighter weight) will help keep your apps current.

Make SURE your version of Flash, Adobe Acrobat, and Java are up to date.


Browsers
Browser Market Share stats
I strongly advise using either Chrome or Firefox. They automatically update, they have lots of extensions and plugins available, and they are relatively hassle-free.
Don't use IE on Windows XP or earlier (SSL in those versions has problems; for instance it doesn't support SNI. To enable TLS 1.1/1.2 in IE on Vista/7/8, in IE, Tools (gear icon) -> Internet Options -> Advanced tab. Scroll down to the bottom and select TLS 1.1 and TLS 1.2.

Windows XP extended support (security fixes) will end on April 8, 2014. Unless you're with a company that has a separate support contract with Microsoft, you should migrate away from Windows XP by upgrading to windows 7 or linux (Linuxmint.com, Ubuntu.com, etc.) or even a Mac (with OSX) before then.

IE is a poorly maintained browser in general. Microsoft has started linking IE version support to Windows versions, meaning older windows versions won't get the latest IE versions. If your company requires the use of IE, see if you can use IE for corporate websites and use Chrome or Firefox for everything else. Most of the web is dropping support for older versions of IE, because they lack features or speed to deal with the latest website designs.


Browser Extensions

To protect against malicious Flash videos: In Chrome, go to the config menu, (top, far right), "Settings", scroll to bottom, click "show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without flash, and you trust the site, on the right side of the URL bar there will be a puzzle piece logo (it's right next to the favorite-site Star). Click on the puzzle icon for options that let you allow plugins once, or every time you visit that particular site.

In Firefox, use flashblock (a browser extension) or noscript (see below).

Recommended extensions (you can find them by googling the browser name and the extension name together):
  • Adblock / Adblock Plus (chrome or firefox) [subscriptions: Easylist and EasyPrivacy]
  • Self-Destructing Cookies (firefox)
  • Vanilla Cookie Manager (chrome (less capable but same sort of thing as FF's self-destructing cookies)
  • Noscript (firefox) - enable blocking globally, then whitelist individual sites that need javascript/plugins, and that are important to you, as you run across them.
  • Disconnect ( https://disconnect.me/ )
  • HTTPS Everywhere (firefox - get the stable version)

Advanced SSL-management extensions: CertPatrol and Convergence and Perspectives


Email Security

Access to your email account allows password resets for most sites you register with. It's imperative that you try to keep your email account secure. Don't reuse your email account password(s) or banking password(s). The primary cause of account compromise, other than malware, is password reuse. When a site you've registered at gets compromised, your email address and password may be exposed. If you use the same email address and password on other sites, your accounts on those sites can be hacked with effectively no additional effort.

Gmail automatically uses SSL.

Yahoo mail users: turn on SSL:
step 1: http://thefiringline.com/library/yahoo-ssl-1.png
step 2: http://thefiringline.com/library/yahoo-ssl-2.png

Hotmail users:
[SSL details for outlook.com interface to follow. SSL might be mandatory on hotmail/outlook now, like it is on Gmail. I'm not sure. If you don't see a lock by the URL in the url bar, poke around in the outlook.com account settings and the option to enable SSL should be there somewhere.]

If you use some other email provider for your main email account, make sure they support TLS/SSL. If they don't, switch email providers. Without SSL, the NSA is literally guaranteed to be reading all of your email, and so can less sophisticated hackers if you're on public wifi or an untrusted network connection.

***What do email scams look like? Example of an Email Scam***
If you receive an email like that, the sender's email account has been hacked.

Make sure your email account has recovery options (usually an alternate email -- not really recommended, since it can be hacked too -- or a mobile number for using SMS to recover the account). That's in case you lose your password or the account gets hacked.


2-Factor Security

Gmail, and some other sites, have the option of using 2-factor authentication. 2-factor is highly recommended if you have a smartphone (basically any android/iOS device) and if you can understand it well enough to set it up. It means stealing your password is not enough anymore; someone has to steal your password and hack (or physically steal) your phone.

Duo Security's mobile app No need to use Duo's service; it stores standard 2-factor tokens the same as Google's app

google's 2-factor authentication, unfortunately lacks the ability to reorder accounts on Android, and has had other software problems lately for instance on iOS 7 beta. Stick with Duo's app if you can.


Password Security
Password security is beyond the scope of this post, since TFL is not a very critical site. Password management applications include KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free, but if you use multiple computers or devices you have to ensure compatibility between the different clients (KeePass1/KeePassX clients won't work with KeePass2 password files) and you have to set up syncing yourself.

Commercial options, may not be as secure but are easier to use, include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $).


Virus and Malware protection:
+ Microsoft Security Essentials is free and pretty good. Eset Nod32 has a great reputation among non-free AV software, and Comodo Internet Security is also frequently used (mostly for its sandboxing and firewall).

If you suspect an infestation, running multiple scanners gives the best chance of catching the malware. Here are some commonly recommended tools:

Other Security Measures

This is not for the faint of heart, but, for Windows, Microsoft provides software called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. It theoretically might cause problems for some applications, so if you experience strange problems with an program, disable EMET features for that application before trying anything else.

There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library.

VMs are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox or VMware) (or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...”
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...”
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.”

Last edited by tyme; January 16, 2014 at 03:48 PM.
tyme is offline  
 
Page generated in 0.06310 seconds with 7 queries