The Firing Line Forums - View Single Post

**tyme** · July 22, 2009, 09:26 PM

Browser and Mobile (phone/tablet) privacy

The NSA (along with affiliates and competitors) is known to monitor communications of all kinds. Protect your privacy with good encryption software. Make sure websites you visit are encrypted (look for a green padlock next to the url bar), especially if you log into them. Use encrypted communication apps like Signal or Whatsapp whenever you can.

Keep your software and operating system up to date. Avoid buggy software

Don't install more software than you really need, and keep everything you have up-to-date. Especially web browsers (they auto-update, and if you've disabled that, you probably shouldn't have). Especially software that you use to read documents you get from the internet, like Adobe Acrobat Reader and MS Office (or LibreOffice). If you have Flash or Java installed, those need to be kept up to date too. Video players, audio players, codec packs... they all need to be kept up to date.

Don't install additional antivirus software unless you really need it. It sounds strange, but antivirus software itself can make your computer more vulnerable to malware, and it tends to make your computer much slower than Microsoft's AV does. Microsoft's built-in Windows Defender is the sweet spot in most cases. Seriously.

If you suspect a malware infestation in Windows, running multiple scanners gives you the best chance of catching the malware. Malwarebytes is a good free antivirus to use in addition to Windows's built-in antivirus. The MalwareBytes Forums provide help diagnosing suspected malware problems.

OS & Browsers
You shouldn't be running Windows XP on an internet-connected computer. If you're running Windows 7, you should be planning to upgrade to Windows 10 in the near future, and it's critical that you keep all internet-related software like browsers up to date, because with Win7 no longer updated, browsers are now your strongest, and perhaps only, line of defense against malware.

Windows 10 may have some minor privacy issues, but it's better at keeping your computer from getting hacked. Extended support for individual users of Windows 7 ended in January 2020.

Firefox and Chrome/Chromium are both good, but Chrome is controlled by Google which is swiftly becoming the new Microsoft, so I tend to recommend Firefox. However, Chrome and Chromium are probably slightly more secure.

Browser Extensions

Recommended extensions (you can find them by googling the browser name and the extension name together):

µBlock origin (for Chrome or Firefox)
Cookie Autodelete (Firefox)
Vanilla Cookie Manager (chrome) is slightly less capable, but the same sort of thing as FF's Cookie Autodelete

For fine-grained blocking of different types of content (particularly scripts, frames, xmlhttprequests, cookies) based on request and target domain, try one of these:

uMatrix (Chrome or Firefox)
Noscript (firefox)

For best security, but at the expense of some additional hassle, enable uMatrix or Noscript blocking globally, then whitelist individual sites that need javascript/plugins, and that are important to you, as you run across them.

Email Security

Access to your email account allows password resets for most sites you register with. It's imperative that you try to keep your email account secure. Don't reuse your email account password(s) or banking password(s). If you've reused your email password somewhere else, and that "somewhere else" site gets hacked, and the attacker gets your password from it, they can now login to your email account. Since access to your email account allows resetting your passwords at most other sites (including ecommerce sites), it's critical that you take email account passwords as seriously as you take banking or financial information.

Most email providers also now provide 2-factor authentication. It might be codes sent via SMS to your phone, or a code or 2d barcode you scan into an app on your phone that can then, without using SMS, generate codes you type in in addition to your username and password. More on 2-factor later.

Gmail, Hotmail/Outlook.com, and Yahoo all now support SSL encryption by default. If you use some other email provider and it doesn't support SSL, it's crap, and you should move to a security-conscious email service. Without SSL, the NSA or anyone else who can listen in on network traffic between you and the email service can read all your email. The greatest risk is when you're on public wifi or some other kind of untrusted network connection.

DO NOT FALL FOR EMAIL SCAMS.

How do you recognize a scam? Does an email make you afraid or nervous or otherwise emotional? Does it claim there's some problem and encourage you to rush to solve it? Does it present an attachment or link and entice you to open it? If so, assume it's fake and do not click on any links in the email, and do not open any attachments, until you can confirm it came from who it says it's from.

***What do email scams look like?***

~~Example of an Email Scam~~
If you receive an email like that, the sender's email account has been hacked.

Make sure your email account has recovery options (usually an alternate email -- make sure you take the security of the alternate account seriously, too! -- or a mobile number for using SMS to recover the account, or a recovery code -- Hotmail/Outlook.com offers those. Print recovery codes if they're offered, and put them in your bank safe deposit box. That's in case you lose your password and your phone (for 2-factor), or if the account gets hacked and you need a way to prove you're the real owner.

2-Factor Security

Important services like email and banking, and even less important services, often have the option of 2-factor security. This means either an app on your phone will generate a code each time you want to log into the site in question, or the site will text message you a code.

Either option is far more secure than just using a password, but be aware that text messages aren't as secure as you might think. Clever hackers can call your phone company, impersonate you, get your phone number routed to their phone, and then receive your SMS 2-factor code. Mobile apps that generate codes offline are the best 2-factor option, but not all sites offer it. If they do, it may be listed as "TOTP 2-factor" or app-based 2-factor. Go to your mobile device's app store and search for 2-factor. Duo Security and Authy both offer decent apps, but be aware Authy does (or used to, at least) backup your encrypted 2-factor secrets to the cloud. If you're not tech savvy you might need some help setting the first few 2-factor accounts up.

Alternative 2-factor access methods are important, too. You don't want to be locked out of a site forever if you lose your phone. Think about that. But also make sure the alternatives are reasonably secure. One option is to keep an old phone or tablet around and add all your 2-factor accounts to both your current and your older devices, but that won't help if there's a natural disaster or theft and both devices are taken. Another option is to write down the 2-factor seeds on paper and store that in a safe deposit box. It's a hassle, but getting your accounts compromised or losing access to an account because your phone died are even bigger hassles.

There's a much better 2FA security solution, called U2F (universal 2-factor), by the FIDO alliance, but it typically involves an extra hardware dongle that you have to pay for. If you don't mind that, you probably already know about them, but here are Yubico's variants (disclaimer: I do not work for, nor have any financial interest in Yubico; there are a few other companies that make similar products, but Yubico is probably by far the most well-known):
https://www.yubico.com/products/yubi...pare-yubikeys/

Password Management
Password management is important because, if you're *not* reusing passwords between sites, you will have a ton of passwords, more than most people can remember. And, if you *are* reusing your passwords, that's bad... a hack of one site can get your password leaked and then your accounts with the same password at other sites can be compromised.

Commercial password managers with cloud backup include:

LastPass (some features free, the other features plus mobile client support cost $24/yr)
1Password
Bitwarden (open source, core features are free, but some features like 2FA require a subscription)
Dashlane

Another option is to use KeePassXC and using independent sync or backup software to keep a very recent copy backed up to the cloud. As long as your KeePassXC master password is strong, the password database file can't be realistically cracked, so there shouldn't be too much risk involved in syncing that password file to some cloud storage provider (Amazon, Backblaze, Google Cloud, etc.).

If you don't care about cross-platform support, there are lots of other keepass variations (it's open source, and there have been a bunch of clones from the original keepass). KeePass 2.x is a C# app that can run in linux using Mono. There are additional KeePass derivatives listed on Wikipedia. Keep in mind there are keepass 1.x format data files, and keepass 2.x format data files, and keepass 1.x derivatives won't read 2.x data files. KeePassXC is derived from 1.x, so it will not read 2.x data files (afaik).

Other Security Measures

Sandboxing applications with containers (in linux) or with a program like Sandboxie in windows is good. Running untrustworthy software in a VM is better. The best solution, while not for the faint of heart, is to use an advanced OS that does good security isolation within one coherent OS interface... like Qubes OS.

There are some miscellaneous security-related (and some not-so-security-related) links, many of which are now broken or outdated but perhaps historically interesting, at software tools and sites in the TFL library.

Backups

Like password management, backups are critical for you to set up and use on any computer where you store anything you can't afford to lose. What happens if your entire computer gets fried? What happens if your house gets demolished by a falling defunct Russian or Chinese satellite (while you aren't home, hopefully)?

Make sure all your critically important files are within whatever directories are being backed up.

Network backup devices, like Apple's TimeMachine, Synology's lineup, QNAP's lineup, Drobo's lineup, etc, are good, but they're going to tend to be in the same place as your computer most of the time. It'll save you if your computer's disk dies, but what if there's a fire, a natural disaster, lightning strikes and fries both computer and NAS, or if someone steals all electronics in your home or office? That's why cloud backup can be very important even if you backup to a NAS device.

Crashplan has left the personal backup business, but you can pay slightly more for their small business plan. Backblaze has a $5/mo cloud backup offering. You can roll your own with software like Cloudberry (beware, it can be buggy, so test restoration) or Duplicati (open source, and free, but also buggy), but you'll need a cloud storage provider like AWS S3, Google Storage, Microsoft OneDrive, Backblaze B2, etc. Whatever cloud backup software you use, read its documentation to see what cloud storage providers it supports.

Whatever cloud storage provider you choose, if you're backing up anything private, make sure your backup software encrypts your data before sending it to the cloud. Cloud providers cannot be trusted not to read your data.

Computer Hardware

Various *hardware* flaws were disclosed in January 2018 ("Meltdown" for intel processors only; "Spectre" variants for almost everything). If you haven't kept your OS up to date since then, you need to, or it's theoretically possible applications, and perhaps even websites with javascript, could hack you by reading keys or passwords out of your computer's memory. Keep your OS up to date to minimize risk!

If you're buying a new computer, google the model number of the cpu along with spectre and meltdown and see whether it's been improved. If it's been released since 2020, it might have at least some improvements so that Windows (or whatever OS you use) doesn't have to slow your computer down so much to work around remaining hardware flaws.

July 22, 2009, 09:26 PM	#1
tyme Staff Join Date: October 13, 2001 Posts: 3,355	Web and Browser Security Browser and Mobile (phone/tablet) privacy The NSA (along with affiliates and competitors) is known to monitor communications of all kinds. Protect your privacy with good encryption software. Make sure websites you visit are encrypted (look for a green padlock next to the url bar), especially if you log into them. Use encrypted communication apps like Signal or Whatsapp whenever you can. Keep your software and operating system up to date. Avoid buggy software Don't install more software than you really need, and keep everything you have up-to-date. Especially web browsers (they auto-update, and if you've disabled that, you probably shouldn't have). Especially software that you use to read documents you get from the internet, like Adobe Acrobat Reader and MS Office (or LibreOffice). If you have Flash or Java installed, those need to be kept up to date too. Video players, audio players, codec packs... they all need to be kept up to date. Don't install additional antivirus software unless you really need it. It sounds strange, but antivirus software itself can make your computer more vulnerable to malware, and it tends to make your computer much slower than Microsoft's AV does. Microsoft's built-in Windows Defender is the sweet spot in most cases. Seriously. If you suspect a malware infestation in Windows, running multiple scanners gives you the best chance of catching the malware. Malwarebytes is a good free antivirus to use in addition to Windows's built-in antivirus. The MalwareBytes Forums provide help diagnosing suspected malware problems. OS & Browsers You shouldn't be running Windows XP on an internet-connected computer. If you're running Windows 7, you should be planning to upgrade to Windows 10 in the near future, and it's critical that you keep all internet-related software like browsers up to date, because with Win7 no longer updated, browsers are now your strongest, and perhaps only, line of defense against malware. Windows 10 may have some minor privacy issues, but it's better at keeping your computer from getting hacked. Extended support for individual users of Windows 7 ended in January 2020. Firefox and Chrome/Chromium are both good, but Chrome is controlled by Google which is swiftly becoming the new Microsoft, so I tend to recommend Firefox. However, Chrome and Chromium are probably slightly more secure. Browser Extensions Recommended extensions (you can find them by googling the browser name and the extension name together): µBlock origin (for Chrome or Firefox) Cookie Autodelete (Firefox) Vanilla Cookie Manager (chrome) is slightly less capable, but the same sort of thing as FF's Cookie Autodelete For fine-grained blocking of different types of content (particularly scripts, frames, xmlhttprequests, cookies) based on request and target domain, try one of these: uMatrix (Chrome or Firefox) Noscript (firefox) For best security, but at the expense of some additional hassle, enable uMatrix or Noscript blocking globally, then whitelist individual sites that need javascript/plugins, and that are important to you, as you run across them. Email Security Access to your email account allows password resets for most sites you register with. It's imperative that you try to keep your email account secure. Don't reuse your email account password(s) or banking password(s). If you've reused your email password somewhere else, and that "somewhere else" site gets hacked, and the attacker gets your password from it, they can now login to your email account. Since access to your email account allows resetting your passwords at most other sites (including ecommerce sites), it's critical that you take email account passwords as seriously as you take banking or financial information. Most email providers also now provide 2-factor authentication. It might be codes sent via SMS to your phone, or a code or 2d barcode you scan into an app on your phone that can then, without using SMS, generate codes you type in in addition to your username and password. More on 2-factor later. Gmail, Hotmail/Outlook.com, and Yahoo all now support SSL encryption by default. If you use some other email provider and it doesn't support SSL, it's crap, and you should move to a security-conscious email service. Without SSL, the NSA or anyone else who can listen in on network traffic between you and the email service can read all your email. The greatest risk is when you're on public wifi or some other kind of untrusted network connection. DO NOT FALL FOR EMAIL SCAMS. How do you recognize a scam? Does an email make you afraid or nervous or otherwise emotional? Does it claim there's some problem and encourage you to rush to solve it? Does it present an attachment or link and entice you to open it? If so, assume it's fake and do not click on any links in the email, and do not open any attachments, until you can confirm it came from who it says it's from. *What do email scams look like?* ~~Example of an Email Scam~~ If you receive an email like that, the sender's email account has been hacked. Make sure your email account has recovery options (usually an alternate email -- make sure you take the security of the alternate account seriously, too! -- or a mobile number for using SMS to recover the account, or a recovery code -- Hotmail/Outlook.com offers those. Print recovery codes if they're offered, and put them in your bank safe deposit box. That's in case you lose your password and your phone (for 2-factor), or if the account gets hacked and you need a way to prove you're the real owner. 2-Factor Security Important services like email and banking, and even less important services, often have the option of 2-factor security. This means either an app on your phone will generate a code each time you want to log into the site in question, or the site will text message you a code. Either option is far more secure than just using a password, but be aware that text messages aren't as secure as you might think. Clever hackers can call your phone company, impersonate you, get your phone number routed to their phone, and then receive your SMS 2-factor code. Mobile apps that generate codes offline are the best 2-factor option, but not all sites offer it. If they do, it may be listed as "TOTP 2-factor" or app-based 2-factor. Go to your mobile device's app store and search for 2-factor. Duo Security and Authy both offer decent apps, but be aware Authy does (or used to, at least) backup your encrypted 2-factor secrets to the cloud. If you're not tech savvy you might need some help setting the first few 2-factor accounts up. Alternative 2-factor access methods are important, too. You don't want to be locked out of a site forever if you lose your phone. Think about that. But also make sure the alternatives are reasonably secure. One option is to keep an old phone or tablet around and add all your 2-factor accounts to both your current and your older devices, but that won't help if there's a natural disaster or theft and both devices are taken. Another option is to write down the 2-factor seeds on paper and store that in a safe deposit box. It's a hassle, but getting your accounts compromised or losing access to an account because your phone died are even bigger hassles. There's a much better 2FA security solution, called U2F (universal 2-factor), by the FIDO alliance, but it typically involves an extra hardware dongle that you have to pay for. If you don't mind that, you probably already know about them, but here are Yubico's variants (disclaimer: I do not work for, nor have any financial interest in Yubico; there are a few other companies that make similar products, but Yubico is probably by far the most well-known): https://www.yubico.com/products/yubi...pare-yubikeys/ Password Management Password management is important because, if you're not reusing passwords between sites, you will have a ton of passwords, more than most people can remember. And, if you are reusing your passwords, that's bad... a hack of one site can get your password leaked and then your accounts with the same password at other sites can be compromised. Commercial password managers with cloud backup include: LastPass (some features free, the other features plus mobile client support cost $24/yr) 1Password Bitwarden (open source, core features are free, but some features like 2FA require a subscription) Dashlane Another option is to use KeePassXC and using independent sync or backup software to keep a very recent copy backed up to the cloud. As long as your KeePassXC master password is strong, the password database file can't be realistically cracked, so there shouldn't be too much risk involved in syncing that password file to some cloud storage provider (Amazon, Backblaze, Google Cloud, etc.). If you don't care about cross-platform support, there are lots of other keepass variations (it's open source, and there have been a bunch of clones from the original keepass). KeePass 2.x is a C# app that can run in linux using Mono. There are additional KeePass derivatives listed on Wikipedia. Keep in mind there are keepass 1.x format data files, and keepass 2.x format data files, and keepass 1.x derivatives won't read 2.x data files. KeePassXC is derived from 1.x, so it will not read 2.x data files (afaik). Other Security Measures Sandboxing applications with containers (in linux) or with a program like Sandboxie in windows is good. Running untrustworthy software in a VM is better. The best solution, while not for the faint of heart, is to use an advanced OS that does good security isolation within one coherent OS interface... like Qubes OS. There are some miscellaneous security-related (and some not-so-security-related) links, many of which are now broken or outdated but perhaps historically interesting, at software tools and sites in the TFL library. Backups Like password management, backups are critical for you to set up and use on any computer where you store anything you can't afford to lose. What happens if your entire computer gets fried? What happens if your house gets demolished by a falling defunct Russian or Chinese satellite (while you aren't home, hopefully)? Make sure all your critically important files are within whatever directories are being backed up. Network backup devices, like Apple's TimeMachine, Synology's lineup, QNAP's lineup, Drobo's lineup, etc, are good, but they're going to tend to be in the same place as your computer most of the time. It'll save you if your computer's disk dies, but what if there's a fire, a natural disaster, lightning strikes and fries both computer and NAS, or if someone steals all electronics in your home or office? That's why cloud backup can be very important even if you backup to a NAS device. Crashplan has left the personal backup business, but you can pay slightly more for their small business plan. Backblaze has a $5/mo cloud backup offering. You can roll your own with software like Cloudberry (beware, it can be buggy, so test restoration) or Duplicati (open source, and free, but also buggy), but you'll need a cloud storage provider like AWS S3, Google Storage, Microsoft OneDrive, Backblaze B2, etc. Whatever cloud backup software you use, read its documentation to see what cloud storage providers it supports. Whatever cloud storage provider you choose, if you're backing up anything private, make sure your backup software encrypts your data before sending it to the cloud. Cloud providers cannot be trusted not to read your data. Computer Hardware Various hardware flaws were disclosed in January 2018 ("Meltdown" for intel processors only; "Spectre" variants for almost everything). If you haven't kept your OS up to date since then, you need to, or it's theoretically possible applications, and perhaps even websites with javascript, could hack you by reading keys or passwords out of your computer's memory. Keep your OS up to date to minimize risk! If you're buying a new computer, google the model number of the cpu along with spectre and meltdown and see whether it's been improved. If it's been released since 2020, it might have at least some improvements so that Windows (or whatever OS you use) doesn't have to slow your computer down so much to work around remaining hardware flaws. __________________ “The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner) “Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum) “It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg) Last edited by tyme; February 28, 2015 at 12:02 PM.