The Firing Line Forums

Go Back   The Firing Line Forums > Forum Support > Site Questions and Tech Support (NO FIREARMS QUESTIONS)

Reply
 
Thread Tools
Old July 22, 2009, 09:26 PM   #1
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,194
**Web and Browser Security**

Mobile (phone/tablet) considerations

The NSA (along with affiliates and competitors) collects text messages and tracks who you're calling, if not the actual contents of voice calls. There are apps that can help protect your privacy:

Voice:
Redphone (android)
Signal (iOS)

Text:
Textsecure (android)
Whatsapp (provides good encryption in Android currently, and hopefully soon in the iOS version)

Keep your software and operating system up to date.

For Windows, there is software like Secunia PSI or Filehippo's Update Checker. Most apps these days auto-update. If they do, let them. Make sure windows update runs automatically unless you're savvy enough and have reason to inspect every update.

Make SURE that [Adobe Flash] Player, [Adobe] Acrobat, and [Oracle] Java are up to date. They should auto-update by default. If you haven't seen any indications of them trying to update, make sure they are, or you could be running old versions with security vulnerabilities that can lead to malware infections just from browsing the web. If you don't need it, make sure the java web plugin is disabled in your browser.


Browsers
Browser Market Share stats
I strongly advise using either Firefox or Google Chrome. They automatically update, they have lots of extensions and plugins available, and they are relatively hassle-free.
The trade-off is that Chrome has excellent security sandboxing for plugins, a hardened built-in Flash viewer, and (process-based) tab isolation. Firefox does not, but on the other hand it has a much more anti-tracker, pro-privacy philosophy. Basically, Chrome is better for security (as in not getting malware or becoming a victim of malicious websites), while Firefox is better for privacy (as in not allowing websites to track or profile you as well, and giving you more powerful extensions to protect your privacy in advanced ways).

Windows XP (as of April, 2014) is no longer supported by Microsoft, except for specific organizations that have extended support contracts with Microsoft. If you're using XP outside of that kind of umbrella, stop now, it's not secure. IE8 (the last version supported on XP) is going to accumulate performance, security, and compatibility problems. If you have to continue using XP personally for some reason, don't use IE. Install Chrome or Firefox, either of which offers better protection against malware and better support for modern websites, until you can get rid of XP, which you should do ASAP.

To enable TLS 1.1/1.2 in IE (specifically needed in IE 8-10 on win7/win8), open IE, go to Tools (gear icon), then Internet Options, and then select the Advanced tab. Scroll down to the bottom and make sure the boxes for TLS 1.1 and TLS 1.2 are selected. They should be enabled by default in IE11, but double check using that same procedure. I don't think IE on either XP or Vista supports TLS above 1.0. To solve that problem, upgrade to windows 7 or 8, or to a mac, or to linux.


Browser Extensions

To protect against malicious Flash videos: In Chrome, go to the config menu, (top, far right), "Settings", scroll to bottom, click "show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without flash, and you trust the site, on the right side of the URL bar there will be a puzzle piece logo (right next to the favorite-site Star). Click on the puzzle icon, and you should see options to allow plugins once, or every time you visit that particular site.

In Firefox, use flashblock (browser extension) or noscript (which is more comprehensive, see below for link).

Recommended extensions (you can find them by googling the browser name and the extension name together):
  • µBlock (for Chrome or Firefox)
  • Self-Destructing Cookies (firefox)
  • Vanilla Cookie Manager (chrome (less capable but same sort of thing as FF's self-destructing cookies)
  • Noscript (firefox) - for best security, at the expense of some hassle, enable blocking globally, then whitelist individual sites that need javascript/plugins, and that are important to you, as you run across them.
  • HTTPS Everywhere (firefox - get the stable version) caution: can cause problems with some sites, so don't use if you mind having to tweak the settings for individual sites

Advanced SSL-management extensions: CertPatrol and Convergence and Perspectives


Email Security

Access to your email account allows password resets for most sites you register with. It's imperative that you try to keep your email account secure. [b]Don't reuse your email account password(s) or banking password(s). If you've reused your email password somewhere else, and that "somewhere else" site gets hacked, and the attacker gets your password from it, they can now login to your email account. Since access to your email account allows resetting your passwords at most other sites (including ecommerce sites), it's critical that you take email account passwords as seriously as you take banking or financial information.

Most email providers also now provide 2-factor authentication. It might be codes sent via SMS to your phone, or a code or 2d barcode you scan into an app on your phone that can then, without using SMS, generate codes you type in in addition to your username and password.

Gmail, Hotmail/Outlook.com, and Yahoo all now support SSL encryption by default. If you use some email provider for your main email account, particularly if it's an older email service, make sure it supports TLS/SSL. If it doesn't, seriously consider switching email providers. Without SSL, the NSA is literally guaranteed to be reading all of your email, and so can less sophisticated hackers if you're on public wifi or an untrusted network connection.

***What do email scams look like?***

Example of an Email Scam
If you receive an email like that, the sender's email account has been hacked.

Make sure your email account has recovery options (usually an alternate email -- make sure you take the security of the alternate account seriously, too! -- or a mobile number for using SMS to recover the account, or a recovery code -- Hotmail/Outlook.com offers those. Print recovery codes if they're offered, and put them in your bank safe deposit box. That's in case you lose your password and your phone (for 2-factor), or if the account gets hacked and you need a way to prove you're the real owner.


2-Factor Security

Gmail, Outlook.com, and many other sites offer the option of 2-factor authentication. What that means is that, when logging into the site, you enter your password and then a random several-digit number. Some sites send a text message with the code, which is better than nothing, but doesn't work if you don't have cell service. The better sites use a standard called TOTP, which allows offline generation of 6-digit codes that are unique for each user account on each site and change every 30 seconds.

It's highly recommended to get a TOTP-compatible app and set it up for your important sites (including email) if you can understand it well enough to set it up. 2-factor authentication (2FA) means stealing your password is not enough anymore; a hacker has to steal your password and hack (or physically steal) your phone as well.

Duo Security's Android app No need to use Duo's service; it stores standard 2-factor tokens the same as Google's app

Duo Security's iOS app again, no need to use Duo's proprietary service.

Instructions for setting up 2-factor with google accounts.

Google's 2-factor authentication app unfortunately lacks the ability to reorder accounts on Android. The iOS version allows rearranging though, for some reason. Stick with Duo's app on Android. I'd prefer Google's app on iOS unless I needed support for Duo's proprietary service.

Authy's 2-factor app works and is TOTP compatible, but I don't like the fact that it saves backups to the cloud, even though they're encrypted.

Authenticator for Windows Phone


Password Management
Password security is beyond the scope of this post, since TFL is not a very critical site. Password management is important because, if you're not reusing passwords between sites, you will have a ton of passwords, more than most people can be expected to remember. Password management applications include KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free, but if you use multiple computers or devices you have to ensure compatibility between the different clients (KeePass1/KeePassX clients won't work with KeePass2 password files) and you have to set up syncing yourself. Syncing is important even if you only use one browser, because if your computer dies or your home burns down, you need a copy of your password database stored "in the cloud" to recover. Every good password management app encrypts the password database, so if you're using a good master password for your password database, and take steps to keep your computer secure against malware, the risk of storing your master password database "in the cloud" is relatively small.

Commercial options, which may or may not be ideal, but are easier to use, include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $).


Virus and Malware protection:
+ Microsoft Security Essentials is free and pretty good. Antivirus software is a poor substitute for good security practices (keeping your browser and Flash Player and your Operating System up to date, using ad blockers and enabling hacked site filters in your browser if it has that option).

If you suspect an infestation in Windows, running multiple scanners means the best chance of catching the malware. Here are some commonly recommended tools:

Other Security Measures

This is not for the faint of heart, but, for Windows, Microsoft provides software called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. It theoretically might cause problems for some applications, so if you experience strange problems with any program with EMET enabled, disable EMET features for that application before trying anything else.

There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library.

VMs are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox or VMware) (or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org


Backups

Like general password management, beyond the scope of this post, but put some thought into it. What happens if your entire computer gets fried? What happens if your house gets demolished by a falling defunct satellite (while you aren't home, hopefully)?

Here's a video on two of the more popular options, Backblaze and Crashplan:
https://www.youtube.com/watch?v=o6q3n3QSNP8
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)

Last edited by tyme; Yesterday at 12:02 PM.
tyme is offline  
Old September 11, 2009, 10:00 AM   #2
billyj571
Member
 
Join Date: November 5, 2008
Location: 30 Miles n of Seattle
Posts: 25
support

Thanks thats helpfull.
billyj571 is offline  
Old October 17, 2009, 11:23 AM   #3
Bud Helms
Staff
 
Join Date: December 31, 1999
Location: Middle Georgia
Posts: 13,038
Good post, tyme. I just noticed it.
__________________
"The irony of the Information Age is that it has given new respectability to uninformed opinion." - John Lawton, speaking to the American Association of Broadcast Journalists in 1995
Bud Helms is offline  
Old March 12, 2010, 11:16 AM   #4
Te Anau
Senior Member
 
Join Date: June 17, 2004
Location: Somewhere south of the No
Posts: 3,824
A lot of the above (and in the security link) is great info but well beyond the scope of your "average" computer user. If I know someone who is having computer issues I recommend the following.

1.Open "My computer", go to your "C" drive and right click on properties. Click on tools and schedule an error check after checking both boxes to automatically fix errors and scan for and attempt recovery of bad sectors. Restart your computer and let scan commence.

2.Go to www.cnet.com and download Malwarebytes. Install program, check for updates and run full scan. Manually check for updates about once a month and manually run a full scan weekly.

3.Go to www.cnet.com and download "Super anti-spyware free edition". Install program, check for updates and run full scan. Manually check for updates about once a month and manually run a full scan weekly.

4.Go to www.free-av.com and download Avira AntiVir as your free anti virus program. Install, check for updates and run full scan. This program will monitor your computer as you surf and if set up correctly will automatically download updates. Run scan at least every week.

5.Go to www.cnet.com and download "CCleaner". Install program, leave on default settings with one exception. Go into the settings area and check one of the boxes for secure file deletion. I use and recommend 3 overwrites. This program should be run weekly and will remove a tremendous amount of garbage from your typical "abused" home computer.
__________________
"Patriotism is supporting your country all the time, and your government when it deserves it." --American author Mark Twain (1835-1910)

Last edited by Mal H; March 12, 2010 at 11:48 AM. Reason: Edited format
Te Anau is offline  
Old March 12, 2010, 12:29 PM   #5
Brian Pfleuger
Staff
 
Join Date: June 25, 2008
Location: Central, Southern NY, USA
Posts: 18,791
Quote:
Originally Posted by Te Anau
If I know someone who is having computer issues I recommend the following.
I used to do all that too, well, if they refused to buy a Mac, which is the best solution but nowadays, Microsoft Security Essentials handles virtually all of those tasks, does it pretty well and is also free. You're right about the disk scan part too, most people never do that.



The correct answer is still "Buy a Mac" but some people are slow to listen.
__________________
Still happily answering to the call-sign Peetza.
---
The problem, as you so eloquently put it, is choice.
-The Architect
-----
He is no fool who gives what he can not keep to gain what he can not lose.
-Jim Eliott, paraphrasing Philip Henry.
Brian Pfleuger is offline  
Old March 12, 2010, 05:07 PM   #6
Te Anau
Senior Member
 
Join Date: June 17, 2004
Location: Somewhere south of the No
Posts: 3,824
Quote:
The correct answer is still "Buy a Mac" but some people are slow to listen.
They're too expensive and the amount of freebies is muuuuuucccchh smaller then that available for Windows machines.I guess new Macs may run some windows stuff. Still too much $$$$$ however.
__________________
"Patriotism is supporting your country all the time, and your government when it deserves it." --American author Mark Twain (1835-1910)
Te Anau is offline  
Old October 7, 2010, 05:32 AM   #7
Jimmy10mm
Senior Member
 
Join Date: June 16, 2010
Location: Greenacres, FL
Posts: 906
Quote:
They're too expensive and the amount of freebies is muuuuuucccchh smaller then that available for Windows machines.I guess new Macs may run some windows stuff. Still too much $$$$$ however
There is also Linux. I run Ubuntu on a PC at home and another at work. I haven't spent a dime on anything but hardware in years.
Jimmy10mm is offline  
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 11:41 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2015, vBulletin Solutions, Inc.
This site and contents, including all posts, Copyright © 1998-2015 S.W.A.T. Magazine
Copyright Complaints: Please direct DMCA Takedown Notices to the registered agent: thefiringline.com
Contact Us
Page generated in 0.11197 seconds with 9 queries