Safety Online
We can have the most secure box in the world, but that doesn’t necessarily mean we’re safe. There are a lot of interested parties in the world that want your information, and the list of who those interested parties are grows by the day. Looking for a job? Well, the companies you’re applying to are running Google searches on your real name, your email address, and any screenname you may have given them, and looking you up on LinkedIn, Myspace, Facebook, etc. Making online purchases? Well, both the identity thief and the government would love to track those transactions. Searching for information related to an embarrassing situation in your personal life? Google saves those searches. Like to show off your musical tastes on Last.fm? Congrats, you’re probably broadcasting a good portion of the music you’ve pirated. Logging in to a site to pay a bill? There’s a cracker out there who would love for your password to be transmitted in plain text rather than encrypted. And let’s not forget the fact that AT&T spies on the American populace for the NSA, MPAA, RIAA, and probably any other organization that asked it to. Even if you truly trust a company, you never know what information of yours could be handed over in a lawsuit. Think you’re hidden behind a screen-name? Think again.
I should give a little warning: I do suggest people follow all of these tips, but they are for the paranoid, and some will consider them overboard.
Related Reading on TuxTraining.com
- Secure the Hell Out of Your Linux box
- Secure the Hell Out of Your Windows box
- The Ultimate SSH Security Tutorial
- How to Install and Setup IPCop as your Linux based router
Secure Your Router
- Use an open source router such as IPCop, Endian, Tomato, or DD-WRT. With so many routers out there you never know if there is a backdoor in their firmware, and I find it best to use something where the code is available to the public.
- Never ever keep the default password.
- Never make the router accessible from outside your network.
- Minimize the number of open ports on the router. When I need a port open to an internal machine, I find a way for that machine to accept connections only from the IPs I know my traffic will originate from, thereby blocking everyone else.
- If you run wireless, ensure you have WPA encryption running with a strong passphrase. Do not leave your network open to outsiders, ever.
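The “open a port to an internal machine only for source addresses you know” rule from the list above, written out as an nftables ruleset for a Linux-based router. This is an added example, not the page’s or IPCop’s own configuration; the interface names, the 192.168.1.10 internal host, the 2222→22 port mapping and the RFC 5737 trusted source addresses are assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

define WAN = "eth0"   # assumed: interface facing the Internet
define LAN = "eth1"   # assumed: interface facing the internal network

table inet filter {
    # Constructed sample addresses (RFC 5737 documentation ranges):
    # the only sources allowed to reach the one forwarded port.
    set trusted_src {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.7, 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Router admin (SSH, HTTPS UI) and DNS/DHCP from the LAN side only.
        iifname $LAN tcp dport { 22, 443 } accept
        iifname $LAN udp dport { 53, 67 } accept
        # Nothing on the router itself is reachable from the outside.
        iifname $WAN drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internal hosts may go out.
        iifname $LAN oifname $WAN accept
        # The single inbound port: only DNAT'ed traffic from trusted sources
        # reaches the internal machine; every other outside source is dropped.
        iifname $WAN ip saddr @trusted_src ip daddr 192.168.1.10 tcp dport 22 ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Outside port 2222 maps to SSH on the internal machine (assumed values).
        iifname $WAN tcp dport 2222 dnat to 192.168.1.10:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; a connection from an address outside `trusted_src` is still DNAT’ed but then dropped by the forward chain’s default policy.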
Firefox
We should all know by now not to use IE, but I would go further and suggest Firefox, even over Opera, Konqueror, Safari, or other browsers, because of the security enhancements you can get from add-ons.
A couple of quick steps:
- Do not allow Firefox to store your passwords. Use an application like KeePassX. Even storing passwords with a Master Password in Firefox is unsafe (and a tad obnoxious).
- Set Firefox to clear private data on exit. To do this go to Preferences –> The Privacy Tab –> select the option to clear private data when Firefox exits.
Add-Ons for Firefox
- NoScript – The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser. NoScript’s unique whitelist-based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality.
- CookieSafe – This extension will allow you to easily control cookie permissions. It will appear on your statusbar. Just click on the icon to allow, block, or temporarily allow the site to set cookies.
- McAfee Site Advisor - This will help with phishing protection by letting you know which sites are unsafe, if you were unsure.
- CustomizeGoogle – This will allow you to block Google ads, anonymize your tracking cookie, disable click tracking, and force SSL (https) connections to the Google services that you use.
- Greasemonkey – Allows you to customize the way a webpage displays using small bits of JavaScript. Userscripts.org has some scripts that can aid in the security of sites you visit.
- GoogleSecure – A Greasemonkey script that forces Gmail, gCal, Google Docs, History, Bookmarks and Reader to use a secure (https) connection.
- Scroogle – User GET over SSL – Gives Scroogle.com (more on this in a moment) a nicer look and forces SSL connections to the site for enhanced security.
Use Scroogle – Scroogle is an ad-free Google search proxy which prevents the searcher’s data from being stored by Google. Fewer ads, more security. The Firefox search engine for Scroogle is here. Be sure to select the one that has SSL in the title.
PrivacyFinder – ( http://www.privacyfinder.org/ ) Privacy Finder is a privacy-enhanced search engine. Once you state your privacy preferences (low, medium, high, or custom), the search results are ordered based on how their computer-readable privacy policies comply with your preferences. A privacy meter with four green boxes indicates that the website complies with all your privacy preferences. Websites that do not comply with some or all of your preferences will have privacy meters with fewer than four green boxes. The number of missing green boxes is proportional to the number of conflicts between the website’s privacy policy and your privacy preferences. The absence of the privacy meter means that a valid computer-readable privacy policy, known as a P3P policy, could not be located.
Google – Always log out of Google/Gmail (in fact, when done with a site, always log out of it anyway). Make sure you do not have a Web History account; if you do, delete it. I know it’s hard to break your Google addiction, but they are known to collect far more data than some of their rivals. I personally like doing my searches with Scroogle and Wikia. Avoid uploading documents that contain important personal or job-related information to any site, including Google Docs.
Social Sites (web2.0, forums, etc.)
- If possible, do not sign up for them. Typically nowadays I do not sign up for anything except a few forums to ask for technical help. This doesn’t require me to put information on there that someone else can identify me by.
- If you do, read the EULAs of these sites to know your rights.
- Do not use the same user name and password on any two sites. Use KeePassX to manage passwords if you must.
- If you’re on social sites, keep your profile scarce of personal information. Make the profile private (flickr, photobucket, myspace, all have these options). Only allow people you trust to view your profile. Try not to put face pictures of yourself online. Or video.
- Do not reveal much about your personal life on forums or sites like digg and reddit. Don’t talk about where you live (city/state/country), and do not talk about your family. If you must, try not to give exact locations or anyone’s name.
- Use a secure web mail, like Hushmail. Note, Hushmail will still comply with US subpoenas for information in your mailbox.
- Learn how to use GPG Encryption on emails.
- In the event Hushmail will not work for you, pop your current email into Thunderbird. And again, learn to use Thunderbird with GPG.
- Have multiple email addresses and keep them separate: one for business, one for family and friends, and one for the various online forms you must sign up for.
- I know this is typically for either the elderly or generally the technophobic, in which case, this blog does not appeal to that crowd, but DO NOT CLICK STUPID CRAP SENT BY STRANGERS IN YOUR EMAIL. I can’t stress this enough to people.
- If possible, it’s always safest to run your own mail server and secure the hell out of it.
Instant Messaging
- Encrypt Pidgin with OTR
- Do not use a screenname for an IM service that you use online anywhere else. Keep them separate.
- Do not log your conversations.
Use Tor for sensitive browsing – But do not ever, ever, ever type a user name and password into a website through Tor. The exit node can sniff everything you are doing. Tor only protects you from being sniffed by your ISP or your internal network. It also prevents the website owner from telling where your connection is originating from.
VPN – It is also good to have a trustworthy VPN. VPNs are typically faster and more secure than the Tor network mentioned above. Sweden’s Pirate Party runs Relakks. Again, though, the same applies: I would not type any valuable user name or password while connected to the VPN service.
Making Purchases Online
- Always do so on a page with SSL (https:), if the site doesn’t have it, do not put your card number in.
- Never use a debit card, always use a credit card. Typically there is far more fraud protection on credit cards than on debit cards. All in all, it’s better to make payments in person, with cash and a receipt, than anything else, when possible.
- Do not make online purchases routed through a shady network (Tor, VPNs, etc.).
- Try to keep your purchases local to the country you are purchasing from. Suing people internationally can be expensive, and at times, flat out useless.