Friday, May 21, 2010

Essentials for browsing safely

1) Mozilla Firefox, set to delete all history/cookies/etc. on closing (except saved passwords)

2) The following addons for Firefox:
BetterPrivacy manages Flash's equivalent to cookies, known as LSOs. Basically, LSOs are another way legit websites can save preferences for when you come back to their site, and malicious sites can use them to try to track your browsing history.

NoScript limits what a malicious website can do to your computer by disabling (by default) a good chunk of the code they use to try to infect your machine. It does this by stopping JavaScript/Java code from running on web pages, and then allowing you to enable the code (either permanently or temporarily) if it's for a website you trust. Also, since many popular web pages have content from several sites on one page (like Flash ads), NoScript will let you selectively enable JavaScript/Java content from each of the various sites. It will not prevent you from clicking on malicious ads or weblinks, so please still be careful.

For logging in to very sensitive sites (like your bank): open Firefox, click on Clear Recent History in the Tools menu, set "Time range to clear" to "Everything" (except for Saved Passwords, if you let Firefox remember any of your passwords). Under the Tools menu, click on BetterPrivacy, click "Remove All LSOs", then click OK. (You can keep certain LSOs from being deleted [like from your banking site] by selecting them and clicking on "Prevent automatic LSO deletion". You will then be asked whether you want to delete protected LSOs whenever you click on the "Remove All LSOs" button.) Once you've done these steps, return to the Tools menu, click on Start Private Browsing, and do your banking. When finished, go to the Tools menu, click on Stop Private Browsing, then close Firefox. Be sure to also clear all other LSO objects using BetterPrivacy.

Of course, also remember:
  • Above all, be cautious. Security is a mindset, not a magic combination of apps. Also, dedicated intruders will get in if they spend enough time and effort, just like a dedicated burglar can get into pretty much any house. The key is to not make your computer an easy target.
  • Don't give out your info to sites unless it's absolutely required, and only give as much as you need to.
  • Use a separate email account (like another Gmail account, for instance) to sign up for dodgy sites/advertising/etc.
  • Have a firewall running and configured correctly. If you're having an issue, don't turn off the firewall to troubleshoot it unless you have no other choice. Seriously. Disconnect from the internet before lowering your firewall. Remember, your router's built-in firewall can only stop incoming traffic - software firewalls help to prevent outgoing traffic that you don't want. Also, routers can be hacked easily if you don't change their default passwords.
  • For your router password or for important sites, use a long password with numbers and symbols (or at least a passphrase) that is not easy to guess from your publicly accessible info.
  • Don't use the same password for everything. If you have trouble keeping track of passwords, use a password managing program like KeePass.
  • Don't run more than one software firewall at once. It doesn't add any security, and it slows down your system.
  • If you're running Windows, install an off-the-shelf antivirus/anti-malware program like Norton or Kaspersky and make sure it's automatically updating itself and scanning your system daily. Go for their "Internet Suite" if you want a one-stop security setup (antivirus+anti-malware+firewall+antispam tools, browser add-ons, etc.).
  • Beware of clicking on shortened addresses, such as from bit.ly (especially in emails or on Facebook and Twitter).
  • Always hover your mouse cursor over links to check them before clicking on them.
  • Don't click on links to financial sites in emails, period. Close your email program and log in to the company's website directly via your web browser to check if a warning is legit or not. If still unsure, call the financial company's support number directly, using the number on their site or in the phone book (not the number in the email you just got). If you do not have an account with the company in the email, then it's a scam.
  • If you get a web browser pop-up saying you have a virus and offering a free scan: don't click on any part of your web browser. Instead, close your browser by using a system monitor such as Task Manager in Windows (via Ctrl-Alt-Del), System Monitor in Ubuntu, etc.