3DSC Day 21: Clean Your System

Congratulations on completing three whole weeks of the challenge!  We have less than ten days to go!  Today’s task is to use Bleachbit or CCleaner to clean your system.  Your computer creates a lot of digital “litter”.  Small files get shuffled around throughout your operating system.  Your computer saves “ghost” copies of files. Registry entries are added and only partially deleted…I could go on and on.  All of this clutter creates two problems.  First, it can undermine the encryption you worked so hard on this weekend by making plaintext copies of files available.  Next, it can slow your system down.  All those junk files equal additional stuff your computer has to sort through when you want to open a program or a file.  Getting rid of them helps your computer run smoothly and efficiently.

There are two programs I like for cleaning a computer: Bleachbit and CCleaner.  Both of these programs work similarly, but Bleachbit only runs on Windows and Linux machines, and CCleaner runs only on Windows and Mac machines.  To use either of these programs, download and install them.  Each will have a list of items to clean on the left side of the interface.  I recommend checking all of these options.  This will ensure maximum “clutter” is deleted from your machine.  If this is the first time you have used an application like this, it may take up to a couple of hours to run the program.

The Bleachbit interface.

The end result will be a computer that is much cleaner.  There will be far less information on your machine that can be exploited.  You will also cleanly delete browsing history, cookies, and other online information that is used by websites to track your browsing history.  I recommend you run one of these programs on a daily basis.  After the initial run it should only take a few seconds to run it.  Both

3DSC Days 19 & 20: Weekend Project #3

With another week coming to a close it’s time for another weekend project.  This one will be a little more self-guided than the last two, and will vary a lot from person to person.  Today’s task is to download VeraCrypt and begin using it to encrypt your files.  This will be a multi-step process.  I am going to walk you through some of it, and refer you to the official User Guide for other portions. If you’re already comfortable with encrypting data-at-rest (which I’m confident some of you are) use this weekend to catch up on or reinforce some of the previous tasks in the challenge.

Before we begin, I should explain exactly what VeraCrypt is.  VeraCrypt is an encryption program for protecting data-at-rest.  We have already talked about some encryption apps (Private Internet Access, ProtonMail, Signal, and Wickr) but they are all designed to protect data-in-motion.  Data-at-rest is the information stored on your computer that is not currently being transmitted or used.  VeraCrypt is a fork of the older TrueCrypt.  If you are familiar with TrueCrypt, learning VeraCrypt should be no problem.

  1. The first step is to download and install VeraCrypt.  Because it is security software, I also highly recommend you verify the checksum of the download before installing it.  I previously wrote an article here explaining how.
  2. Next, you need to understand how VeraCrypt works.  VeraCrypt comes with a very thorough, 162-page User Guide that explains how to use all the features and functions of the program.  Access it by opening VeraCrypt, clicking the Help drop-down, and selecting User Guide.  You should read the introduction and the Beginner’s Tutorial at a minimum (it’s only 19 pages with lots of pictures).
  3. Make a couple of practice volumes.  Before you encrypt your files with VeraCrypt’s very strong encryption you should have a really strong grasp on how the program works – otherwise you risk losing them.  You also need to be absolutely certain you choose a password that you can remember.
  4. Make a volume for your “real” files.  What files should you be encrypting?  I recommend encrypting everything.  Your family photos, your resumes, work reports, medical information, financial documents, personal writing.  All of these files would leak some data about you if your computer were lost, stolen, or accessed by someone else.  How big should this volume be?  It truly depends on the total size of all the files you wish to protect.  For example, I keep about 40 GB of files on my computer that I consider “sensitive”.  I store these in a 60 GB VeraCrypt volume.  This gives me plenty of room to grow before I have to make a new volume and transfer all of my files.
  5. Transfer your files from their plaintext location into your VeraCrypt volume.  This may take time – up to several hours depending on how many files you have and the speed of your computer.  Once you have transferred your files, don’t delete the unencrypted ones just yet.  This is for two reasons.  First, if you are new to VeraCrypt you will want a backup copy – just in case.  Second, next week we will discuss how to securely delete these files so they are not left behind, unencrypted, on your hard drive.

It may take some time for your files to encrypt, and this task may be confusing to some.  I am traveling all weekend but will try to answer your questions as I can, probably sometime in the afternoons/evenings.  If you really run into trouble, don’t forget to check the User Guide; it is the authoritative source for all things VeraCrypt.  I’ll look forward to seeing you all next week!

3DSC Day 18: Secure Messaging

Today we will wrap up our three-day mini-series covering smartphone security.  Your call history and text messages are available to your mobile service provider.  They are also available to malicious parties that can hack your service provider.  Your phone calls and text messages are also available to anyone with certain technology.  Though IMSI-catchers like the Stingray are only available to law enforcement, today’s state “secrets become tomorrow’s PhD theses and the next day’s hacker tools.”  Today’s task is to protect your personal communications by installing and setting up secure messaging applications for voice and texts.  I will cover my two favorite encrypted messaging apps, Signal and Wickr Me.

Signal Private Messenger:  I have written about Signal before, so I won’t belabor the point other than to say it is my favorite secure messaging app, and to list a few of its features.  I will say Signal is so easy to use that even my mother uses it.  It is also very capable.  It encrypts voice and text messages, sends photos and videos, and supports group messaging.  I also think Signal’s messaging interface most closely replicates that of the iPhone.  Signal is free and available for Android and iOS.  A desktop version is currently in beta.

Wickr Me:  Wickr Me (formerly Wickr) is a simple ephemeral messaging system, but is only for text messaging.  Wickr Me encrypts your messages from end-to-end and like Signal works over your data connection.  Your messages self-destruct after a pre-defined interval (from 3 seconds to 6 days), and Wickr Me offers protection against screenshots.  Unlike Signal, which requires you share your phone number, Wickr Me messages are sent from username-to-username.  Wickr Me is one of the simplest, most prolific secure messaging applications on the market, and best of all it is free for both Android and iOS.

ProtonMail:  If you would like to bring your encrypted email to your mobile device, ProtonMail just came out with apps for iOS and Android.

An ancillary task to installing these apps and becoming familiar with them is migrating your family and friends to them.  Like I wrote in a previous article on convincing others to use encryption, there are several strategies you may employ to do this.  There are many other secure and ephemeral messaging systems.  Some are good, and others aren’t.  There are also a few that I trust and use, like Threema (I am planning a full write-up in coming weeks) and Silent Phone.  However, these are paid apps.  I firmly believe free apps are the way to go, especially when their success depends on your convincing others to use them.  As always, I recommend you vet any messaging app against the EFF’s Secure Messaging Scorecard before trusting it.

3DSC Day 17: Smartphone Security II

Today’s article will follow up on yesterday’s, and cover three follow-up tasks that will greatly increase the security of your mobile device.  They are:

  • Remove unnecessary/unused apps.  Installing an app allows it tremendous access to your device.  Though apps are sandboxed on both Android and iOS devices, each app you add to your phone increases your attack surface.  Apps can compromise your privacy by collecting, transmitting (often insecurely), and selling your data.  Apps can also compromise your security; if an app has a security hole it may give an attacker or malware access to your device.  Go through your applications and get rid of anything you can live without, or whose function can be replicated by your web browser. An excellent resource that helps you understand what apps are doing in the background is Clueful.  Clueful is available for Android and iOS, and tells you what apps are really doing in the background.  Use it to determine which apps you should get rid of, and to decide whether you should install a certain app or not.
  • Restrict app permissions:  The latest versions of Android (6/Marshmallow) and iOS allow you to have granular control over app permissions. This allows you to decide which apps have access to your phone’s camera, microphone, contacts, location data, and more.  Remember, some apps may require these functions.  A messaging app will need access to your photos if you want to use it to send pictures.  A banking app will need access to your camera if you want to use it to scan and deposit checks.  It is up to you to decide what permissions each app should have.  I recommend erring on the side of caution: when in doubt deny the permission.  If you later find the app needs that permission you can always re-enable it.
    • Android 6.0 and later: To modify these settings in Android 6/Marshmallow open Settings >> Apps.  Tap the gear icon and select App Permissions.  You will be shown Body Sensors, Calendar, Camera, Contacts, Location, Microphone.  Tapping any of these will show you the apps that can currently access the selected data set.  A slider button allows you to disable access.
    • Android 5 and earlier:  Earlier versions of Android do not allow you to customize permissions for individual apps.  You should check to see if your phone is upgradeable.  To do so open Settings and scroll to About (or “About Device”, “About Phone”, or similar).  In the About menu open System Update.  If an update to Marshmallow is available for your device you should download and install it at your earliest convenience.
    • iOS:  Open Settings and scroll to the bottom where the list of your apps begins.  Tapping on an app will let you manage its permissions and notification settings.
  • Manage Your Wi-Fi Networks:  When your Wi-Fi is turned on it is constantly transmitting a list of the Wi-Fi networks your phone has saved.  These can reveal where you live, work, and frequent, and can set you up for a rogue access point attack.  Your set of networks is also incredibly unique and can be used to track your device.  You can defeat most of this simply by turning off Wi-Fi when you leave your home or work.  Though you should do this, it is easy to forget.  It is a good idea to be redundant and clean up your list of networks.
    • Android:  Deleting a Wi-Fi network in Android is incredibly simple.  Open Settings >> Wi-Fi.  Choose the network you wish to “forget” and tap it.  This will open a dialogue that will allow you to delete or modify the network (modifying will allow you to update the password if necessary).
    • iOS:  The iPhone operating system does not allow you to delete individual networks, except while you are connected to them.  If you have not been extremely careful about managing your Wi-Fi networks, I recommend deleting them all by resetting your network settings.  Be aware that this will delete ALL of your Wi-Fi networks and you will have to re-enter passwords for trusted networks.  To do this navigate to Settings >> General >> Reset >> Reset Network Settings.

3DSC Day 16: Smartphone Security I

Today we are going to shift gears a bit from desktop machines and online accounts, to smartphone security.  Today’s task is to encrypt your device and put a (better) passcode on it.  I realize that most of you probably have a passcode on your mobile phone, but many out there don’t.  Even if you do I want to make those passcodes better; this is a critical step in smartphone security.  Phones are much more easily lost or stolen than your laptop and they carry a wealth of information about you.  I don’t mean to wade into a hot-button issue here, but recent events have proven encryption works. You should use it to protect the data that is on your phone.

While a password on a smartphone would be better than a passcode, the inconvenience of a tiny keyboard is hard for even me to tolerate.  We can make passcodes better though.  To make them better, make them longer.  You don’t need to go crazy; even a one-digit increase in length makes your passcode stronger by a power of ten.  Your passcode should not be a simple four- or six-digit passcode (especially in iOS, see below).

Android-specific:  If you have an Android device you have several options for unlocking your phone.  First, and most importantly, I recommend NOT using a pattern to unlock your device.  Patterns leave traces of themselves on your screen, and most of them are notoriously predictable.

You should also encrypt your Android phone.  I have written fairly exhaustively about this (both here and in Complete Privacy & Security) but many Android phones are still shipping without encryption enabled.  To encrypt your Android phone open Settings >> Security >> Encrypt.  If your phone is already encrypted this option will be greyed out.  If it is not, you will need to charge your phone to at least 80%.  Leave it plugged in and choose encrypt; if your phone allows the option of encrypting the SD card, you should.

iOS:  If you are using an iOS device your information is encrypted by default, but you only get the benefit of this encryption if you use a strong passcode.  In iOS it is important to use a longer passcode than the standard older four- or newer six-digit “Simple Passcode”.  This is because the simple passcode lets anyone picking your phone up know exactly how many characters are in the passcode. To set or change a passcode open Settings >> Touch ID and Passcode.  To use a longer passcode, toggle the “Simple Passcode” slider off.  If you only use numerals in your passcode, the unlock screen will only present a numerical keyboard instead of the full keyboard as shown below.

I also recommend disabling Touch ID.  This feature has been defeated in several tests, and your fingerprints are very likely on your phone’s screen, anyway.  One final feature you should enable is Erase Data.  This is at the very bottom of the passcode settings.  As has been widely publicized due to recent events involving the San Bernardino phone, entering 10 incorrect passcode attempts will wipe the phone’s data, ensuring it does not fall into the wrong hands.

3DSC Day 15: Two Factor Authentication

Last Tuesday I asked you to begin changing the passwords to your online accounts.  By today the majority of your accounts should have shiny, new passwords that are long and strong. You are already well ahead of the curve for having completed this step but today we are going to make your online accounts even stronger.  Today’s task is to begin enabling two-factor authentication wherever it is available.  This will increase the security of these accounts well beyond what even the very best password could.

What is two-factor authentication, you ask?  When this feature is enabled on an online account you will be required to enter a second factor besides your password to login to your account.  If you are logging into a Gmail account, for example, the process will work like this: you enter your username and password as you normally do.  When you click the button to login, a new screen will ask that you enter your unique, six-digit code.  There are several mechanisms for code delivery, but typically it is sent via an SMS (text) message.  When you receive the text message with the code, you enter it and are granted access to your account.

Each code is only good for one login.  This means that if your username and password are stolen in a data breach, an attacker would still not have access to your account.  He or she would not be able to receive the one-time authentication codes.  This makes your account much, much stronger than an account that is not protected by two-factor authentication.
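To show what “each code is only good for one login” means in practice, here is an added example (my own code, not from this post or any of the services named) implementing the HOTP/TOTP scheme (RFC 4226 / RFC 6238) that authenticator apps use to produce six-digit codes, plus a verifier that refuses a code once it has been used. The secret below is the constructed RFC test-vector key, not a real account secret.

```python
"""Added example: how a six-digit one-time second-factor code is generated
and checked, and why a captured or reused code does not grant a second login.

hotp() and totp() follow RFC 4226 and RFC 6238.  SecondFactorVerifier models
the server side: it accepts the code for the current 30-second window (plus
one window either side for clock drift) and remembers the newest window it
has accepted, so the same code cannot be replayed for a second login.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), zero-padded to `digits`."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time window."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


class SecondFactorVerifier:
    """Server-side check of the second factor with replay protection."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_window = -1   # newest window whose code was used

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        """Return True once per window; a code already used for a login
        (or any older one) is refused even though it is cryptographically
        valid for its window."""
        if at is None:
            at = time.time()
        window = int(at) // self.step
        for w in range(window - self.skew, window + self.skew + 1):
            if w <= self.last_accepted_window:
                continue                              # already consumed: replay
            if hmac.compare_digest(hotp(self.secret, w), code):
                self.last_accepted_window = w
                return True
        return False


# Constructed sample secret: the shared key from the RFC 4226 test vectors.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = SecondFactorVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, at=59)                 # window 1 -> "287082"
    print("code:", code)
    print("first login:", verifier.verify(code, at=59))     # True
    print("replayed code:", verifier.verify(code, at=61))   # False
```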

To set up two-factor authentication you will first need to login to your account.  Specifics vary from service to service, but for most you will have to navigate to your “Account” or “Settings”, and then to the security settings.  Two-factor authentication is sometimes also referred to as multi-factor authentication, two-step verification, or some similar variation.  Next, turn this feature on.  You will receive a test code.  Once you have submitted the test code correctly your account is now protected with two-factor authentication!

Some of the accounts and services that offer two-factor authentication are: Amazon, Bank of America, Blur, Chase Bank, Dropbox, Evernote, Facebook, Gmail/Google, Hotmail/Microsoft, LastPass, Slack, Twitter, and Yahoo! Mail, to name a few.  For a much more comprehensive list of sites that support two-factor, visit https://twofactorauth.org/.

Backup Codes:  The vast majority of services that support two-factor authentication offer you a recovery mechanism called a backup code.  This code is there in case you lose or break your phone.  It is obviously important to save these codes; I recommend doing so in your password manager.  It is unlikely you will ever need to use them but like data backups, it is nice to know they are there.

Like passwords, this is another ongoing task.  Every time you log into an account that you haven’t set up two-factor authentication for, take five minutes and set it up.  Don’t try to do everything all at once (unless you are really motivated).  Just set it up when you are logging into that account anyway.  By this time next week, most of your accounts should be fully protected.

3DSC Day 14: Virtual Private Network

Today is going to be a little bit different from most because today I am going to ask you to spend a little money.  Today’s task is to purchase a virtual private network service.  A virtual private network (VPN) is one of those things that I just could not live without.  After using one for so many years it feels like wearing a seatbelt – I can go on without it, but I’m going to have a nagging feeling the whole time.

So what exactly is a VPN?  A VPN works like this: you install a program on your computer and smartphone.  When activated the program will create an encrypted “tunnel” to a remote server, also owned and/or operated by the VPN provider.  Your traffic will be encrypted to and from this remote server.  This has two benefits:

  • Security:  If you are worried about your local traffic being captured and analyzed, worry no more.  All of your traffic will be encrypted and protected from hackers, internet service providers, nosy owners of public Wi-Fi hotspots, and your company IT guy.  Your VPN will also defeat trackers like Verizon’s supercookies.  It is hard to overstate the security benefits of using a VPN, especially when you are connected to an untrusted network.
  • Privacy:  VPNs also offer you a great deal of privacy.  When you connect to a VPN server your traffic appears to originate from that server.  This means that websites that are attempting to track your physical location and browsing history (via your IP address) will have a much harder time doing so.  Additionally, all your traffic that exits the VPN server exits alongside the traffic of other users, making it less distinct and not obviously yours.

Although there are tons of free VPN services available, there are lots of good reasons NOT to use a free virtual private network.  Running a VPN service is expensive business with a lot of overhead, and free ones have to be financed in some way.  Some free VPNs are little more than data collection mechanisms for gathering subscribers’ data.  For example Facebook paid $120,000,000.00 for Onavo, a company that offers a free VPN and data compression app.  One imagines Facebook did so to serve the needs of Facebook and will receive a return on that investment, probably in data collected from users.   One free VPN even sold user bandwidth that was subsequently used in botnet and DDoS attacks.

The virtual private network service that I recommend is Private Internet Access.  Private Internet Access (PIA) has a lot of things going for it that I really like.  First, PIA has over 3,000 servers.  Though you are only allowed to choose what region you would like to connect to (US Midwest, US Texas, US East, etc.) there are numerous servers in each “region”.  This allows PIA to load balance so traffic is not slowed by heavy use on any single server.  Next, PIA uses the OpenVPN encryption protocol which offers the best VPN encryption currently available.  A single PIA subscription offers unlimited bandwidth and allows you to connect up to five devices simultaneously.  This is enough for many small families to connect most of their devices with a single plan.  Finally, PIA is extremely user friendly and available for Android, iOS, Mac OS X, and Windows devices.

To use Private Internet Access (or many other paid VPNs) follow the steps below:

  • Purchase a subscription.  A year is only $39.95 which averages out to $3.33 per month.  You can pay for your PIA subscription with all major credit cards, PayPal, BitCoins, or even with major retailer gift cards.  Have an old, half-used REI gift card from last Christmas?  It’s probably worth at least a month or two of PIA service.  After you have purchased a subscription you will be emailed your login credentials.
  • Download the PIA app on your computer, phone, and other devices you wish to protect (I have previously written specifically about PIA for iOS).
  • Enter your credentials on the app and connect.  That’s it.

PIA does offer some advanced user settings, like the ability to change encryption, SHA, and handshake protocols as shown in the screen grab below, but the default options are solid.

FULL DISCLOSURE: this blog has an affiliate relationship with PIA.  This means I receive a small commission for every subscription sold through this site.  However, I do not push PIA because of this; I push PIA because I believe in the product and use it myself.  There are numerous other VPN providers with which I could partner but I do not because they have yet to earn my trust.  That being said, there are many very good, reputable VPN providers out there.  If you are uncomfortable with PIA I encourage you to do your own research.  Some other virtual private networks that I have experience with and would personally recommend (and DO NOT have an affiliate relationship with) include AirVPN, blackVPN, and CyberGhost.

3DSC Days 12 & 13: Weekend Project #2

This weekend’s project is to check up on your Wi-Fi security.  This shouldn’t take you more than an hour or so, and you will have to reconnect all your devices to the internet.  But once it is done correctly you shouldn’t have to go through the hassle again for a long time.

Login to your router:  The first thing you will have to do is figure out how to get into your router’s settings.  First this will require connecting to the router.  Typically you connect by opening your web browser and typing the router’s IP address into the address bar.  How you do this will depend on whether you own or rent your wireless router.  Regardless of whether you own or rent, I recommend that you get an Ethernet cable to connect your computer and your router, because one setting we will change later will disable your ability to modify the router’s settings without being physically connected to it.

  • Own: If you own your router and have never changed the login credentials, look the defaults up online.  If you can’t find defaults for your router, you always have the option to reset the router totally by holding the reset button for 30 seconds (removing power won’t clear out the old settings).  Links for default credentials and login IPs for the most popular home routers are:
    • Linksys:  192.168.1.1
    • Netgear:  192.168.1.1 or 192.168.0.1
    • TP Link:  http://192.168.1.1 or http://192.168.0.1 or http://tplinklogin.net
  • Rent:  If you rent your router from your internet service provider, the management credentials are likely on a label on the router.  If not, you may have to call your ISP to find the management credentials.

Once you have logged into the router you can begin modifying its settings.  The specifics of each router’s menus will vary but the principles presented here should be available on all manufacturers’ products.

Change the management credentials:  One of the first steps you should take is to change your router’s management credentials.  This will prevent someone from connecting to it remotely, logging into it, and making changes to your settings, subverting your wi-fi security settings.  Use your password manager to generate a good, strong password and store it there.

Disable remote management:  Only do so at this point if you are connected via an Ethernet cable.  If you are connected wirelessly you will not be able to make any further changes to the router.  If you don’t have an Ethernet cable and don’t wish to buy one, save this step for last.  If you do make this change prematurely, or wish to modify settings later, you can always reset the router back to defaults and start over.

Encrypt the signal:  This is perhaps the most important setting you can change to increase your wi-fi security.  Select WPA2 encryption.  If your router does not support the WPA2 protocol consider upgrading it immediately.

Disable Wi-Fi Protected Setup (WPS):  Wi-Fi Protected Setup allows you to quickly connect devices when you have physical access to the router.  You press the button while a device is attempting to connect, and it connects.  This works great in theory but in reality this protocol is broken (and has been for a long time) and can allow anyone to view your Wi-Fi traffic.

Change your SSID: Your SSID (your network’s visible name) should not leak information about you or your residence.  It should be either generic or misleading.  I would not want someone to drive up my driveway and be able to see my family’s last name by merely looking at the name of the Wi-Fi network.  There are good arguments to be made for not using common network names.  Your Wi-Fi network should not be super common, but it shouldn’t give away information about you, either.  I also recently wrote about hiding your SSID as a Wi-Fi security measure.  I leave it to you to come to your own conclusion.

One other thing to consider when naming your network: include the suffix “_nomap”.  This will ensure that Google will not index your Wi-Fi network along with your home address.  As an example, if your Wi-Fi network is “FamilyWiFi” change it to “FamilyWiFi_nomap”.

3DSC Day 11: NoScript Security Suite

Today is the last day of working with Firefox – I promise!  Because your browser is your computer’s ambassador to the internet this is worthwhile work – making your browser more secure makes your computer more secure.  Today’s task is to install the NoScript Security Suite add-on to Firefox.  I decided to include this add-on on its own day because NoScript has a very steep learning curve. While NoScript is the ultimate in security add-ons, it is also the most difficult to use.

NoScript is the nuclear option of security-focused browser extensions. NoScript blocks all scripts and plugins, including Flash, Java, and JavaScript, from executing except on websites that you have explicitly approved. It also performs a number of other browser-related security functions. Unfortunately, this security comes at a cost. Because it blocks so many scripts, NoScript “breaks” many websites. In many cases, this may be desirable; NoScript prevents videos from automatically playing, stops animations, prevents pop-ups and other advertising, and makes busy pages much more manageable. For sites that you need to work, this can be quite frustrating initially. For this reason, the application allows you to whitelist certain sites permanently or temporarily.

I recommend taking a few minutes to learn how NoScript Security Suite works.  Otherwise it can be very frustrating, and I don’t want you to get discouraged with using Firefox because NoScript breaks your websites.  NoScript works on a whitelisting basis.  Until you have approved a site, or certain elements of a site, NoScript will block all scripts that the site is attempting to run.  This offers a substantial security layer between you and the internet.  Unfortunately many of the blocked scripts are necessary for sites to function as intended.

To use NoScript, install the NoScript Security Suite add-on.  It is available at https://noscript.net/ or through the Firefox add-ons menu.  Once it is installed you will see a NoScript icon in your browser’s toolbar.  Clicking the NoScript icon on a page will display all of the scripts that are running on the page. It will present options for enabling or disabling each script individually, as well as settings that apply to all scripts on a page and globally. These options are:

  • Allow scripts globally (dangerous): This setting removes all protections afforded by NoScript and lets all scripts on all pages run. There are some occasions where using this option is desirable. For example, if you are creating a new account or making an online purchase, and may be redirected to a page where script blocking may interfere with password input fields, you can allow scripts globally.  As soon as you are finished, enable script-blocking again.  Unfortunately, this option is not reset when you close and reopen your browser.
  • Allow all of this page: This setting permanently whitelists the entire page and all scripts running on it. Be aware that permanently whitelisting a site on NoScript will place the name of the site in a list on your computer. This list is unencrypted and may be viewed by anyone with access to your computer, allowing him or her to see what sites you visit frequently.
  • Temporarily allow all of this page: This setting allows the page you are visiting and all the scripts on the page to run for the duration of the browsing session or until permissions are revoked. This setting will be reset when you close your browser.
  • Allow…: This allows you to whitelist an individual script on a page permanently.
  • Temporarily Allow…: allows you to whitelist an individual script on the page you are visiting. This permission will be revoked when you close the browser. This may be desirable if you are visiting a page that needs a Flash script to run to play a video, animation, or other graphic that is broken by NoScript, but only desire it for a single visit.
  • Make page permissions permanent: If you frequent a site and have allowed the minimum number of scripts to permit that page to function properly you may wish to use this setting. It will add those permissions permanently to your whitelist so you do not have to manually allow scripts each time you visit the site.
  • Revoke Temporary Permissions: This option allows you to immediately revoke any temporary permissions and stop the scripts associated with them.
  • Forbid: Forbidding a given script allows you to stop any script to which you have granted temporary or permanent permissions. When visiting a site, you may wish to allow all the scripts on the site, then forbid them one by one until only the desired functions on the site are running and nothing else.
  • When you no longer wish to allow scripts on a given page NoScript also gives you the ability to revoke permissions. Additionally, each script on the page will have an “Allow” or “Temporarily allow” option, so you can fine tune each page to make the content you desire visible while blocking everything else. Though using NoScript can be frustrating at first, once the sites you primarily use have been whitelisted and are working well, the add-on requires little intervention except when visiting new sites or sites that are not permanently whitelisted.
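Because the difference between temporary, permanent and global permissions is what decides what survives a browser restart (and what ends up readable in your profile), here is a small model of those semantics. It is an added example written for this post, not NoScript's own code: it touches no NoScript files, keys sites by host name only (the real add-on also distinguishes scheme and port), the site names are made up, and it assumes that only permanent entries are ever written to disk.

```python
"""Model of NoScript's per-site permissions, written as an added example for
this page (not NoScript's own code; it touches no NoScript files).  Sites are
keyed by host name only; the real add-on also distinguishes scheme and port."""


class ScriptPolicy:
    def __init__(self):
        self.permanent = set()     # whitelist that is written to the profile
        self.temporary = set()     # grants that die with the browser session
        self.global_allow = False  # "Allow scripts globally": survives restarts

    def allow(self, site):
        """'Allow <site>': permanent whitelist entry."""
        self.permanent.add(site)
        self.temporary.discard(site)

    def temporarily_allow(self, site):
        """'Temporarily allow <site>': no-op if the site is already permanent."""
        if site not in self.permanent:
            self.temporary.add(site)

    def allow_page(self, sites, permanent=False):
        """'Allow all of this page' / 'Temporarily allow all of this page'."""
        grant = self.allow if permanent else self.temporarily_allow
        for site in sites:
            grant(site)

    def make_permanent(self, sites):
        """'Make page permissions permanent': promote the page's temporary
        grants; sources you have forbidden in the meantime stay forbidden."""
        for site in list(sites):
            if site in self.temporary:
                self.allow(site)

    def forbid(self, site):
        """'Forbid <site>': drops both temporary and permanent grants."""
        self.permanent.discard(site)
        self.temporary.discard(site)

    def revoke_temporary(self):
        """'Revoke Temporary Permissions'."""
        self.temporary.clear()

    def end_session(self):
        """Browser closed and reopened: temporary grants vanish, the
        permanent list and the global switch do not."""
        self.revoke_temporary()

    def is_allowed(self, site):
        return self.global_allow or site in self.permanent or site in self.temporary

    def stored_whitelist(self):
        """What anyone with access to the profile could read: only the
        permanent entries (assumption: temporary grants are never written)."""
        return sorted(self.permanent)


def trim_page_permissions():
    """Worked scenario from the text: allow everything on a page, forbid the
    unwanted sources one by one, then make what remains permanent."""
    page_sources = ["example.com", "cdn.example.net", "tracker.example.org"]  # constructed
    policy = ScriptPolicy()
    policy.allow_page(page_sources)          # temporarily allow all of this page
    policy.forbid("tracker.example.org")     # the site works fine without it
    policy.make_permanent(page_sources)      # keep only the two it still needs
    policy.end_session()                     # close and reopen the browser
    return policy


if __name__ == "__main__":
    p = trim_page_permissions()
    for s in ["example.com", "cdn.example.net", "tracker.example.org"]:
        print(s, "allowed" if p.is_allowed(s) else "blocked")
    print("written to profile:", p.stored_whitelist())
```

Run it and note that the forbidden tracker never reaches the stored whitelist, while a site you only ever allowed temporarily leaves no trace at all after a restart; the global switch, by contrast, is still on after `end_session()`, which is exactly why the text warns about it.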

This post has only covered the tip of the security iceberg that is the NoScript Security Suite. In addition to preventing scripts from executing, NoScript also filters Cross-Site Scripting (XSS) attacks, allows you to force sites to use HTTPS connections (where available), blocks clickjacking attempts (its ClearClick feature), and provides the Application Boundaries Enforcer (ABE), which restricts which sites may send requests to which and by default stops internet pages from reaching addresses on your local network.

3DSC Day 10: Firefox Security Add-Ons

Today we have crossed a new landmark: after this task you have completed one-third of the Thirty-Day Security Challenge!  Congratulations!

Yesterday we installed Mozilla Firefox.  We made some changes to Firefox’s settings to evade online tracking and limit the browsing data that is stored locally on your device.  Today we will increase Firefox’s security further by installing some security add-ons.  Add-ons are small plug-ins that enhance an existing piece of software.  To install these add-ons follow the link provided.  On the resulting webpage click the green “Add to Firefox” button.

There is a slight chance that you have some other add-ons in Firefox already.  You should think twice about these.  They are probably not security add-ons.  Add-ons like those from Amazon.com and Facebook do not enhance your privacy.  Instead they give these services access to your browser.  Consider removing any add-on that does not improve your privacy or security.

Better Privacy:  This simple add-on is designed to delete flash cookies.  Flash cookies, properly called Local Shared Objects (LSOs), are more sophisticated than conventional cookies.  They are stored by the Flash Player plug-in outside the browser’s cookie store, so clearing your Firefox cookies does not remove them, they hold far more data, and they are shared by every browser on the machine.  This allows much more detailed and persistent tracking of your online behavior.  Better Privacy runs in the background when you close Firefox and deletes flash cookies from your system.
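To see what Better Privacy actually has to clean up, here is a script that finds and deletes the LSO files (`.sol`) itself. It is an added example for this post, not Better Privacy’s code. The per-platform directories are the ones Adobe documented for Flash Player (verify them on your own system), and the directory tree the demo runs against is constructed in a temporary folder, so running it as-is touches nothing real.

```python
"""Find and delete Flash Local Shared Objects (.sol files), the job Better
Privacy automates.  Added example for this page, not Better Privacy's code.
Directory names follow Adobe's documented layout; the sample tree built by
build_sample_tree() is constructed for the demo."""
import os
import sys
import tempfile
from pathlib import Path


def lso_roots():
    """Documented #SharedObjects locations per platform (verify on your system)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [appdata / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if sys.platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects"]
    return [home / ".macromedia" / "Flash_Player" / "#SharedObjects"]


def find_lsos(root):
    """Map each domain to its .sol files.  The layout under #SharedObjects is
    <random id>/<domain>/<path...>/<name>.sol, so the domain is the second
    path component relative to the root."""
    root = Path(root)
    found = {}
    if not root.is_dir():
        return found
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        found.setdefault(domain, []).append(sol)
    return found


def delete_lsos(root, keep=()):
    """Delete every LSO except those belonging to domains in `keep`
    (e.g. a video site whose volume setting you want kept); return what went."""
    removed = []
    for domain, files in find_lsos(root).items():
        if domain in keep:
            continue
        for f in files:
            f.unlink()
            removed.append(f)
    return removed


def build_sample_tree(base):
    """Constructed stand-in for a real #SharedObjects directory."""
    base = Path(base) / "#SharedObjects"
    for rel in ["ABC123XY/example.com/player/settings.sol",
                "ABC123XY/example.com/player/resume.sol",
                "ABC123XY/tracker.example.net/uid.sol"]:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder, not a real LSO")
    return base


def demo():
    """Clean a constructed tree; returns (counts before, number removed, counts after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        before = {d: len(v) for d, v in find_lsos(root).items()}
        removed = delete_lsos(root, keep=("example.com",))
        after = {d: len(v) for d, v in find_lsos(root).items()}
    return before, len(removed), after


if __name__ == "__main__":
    print("demo on constructed tree:", demo())
    for r in lso_roots():
        print(f"{r}: {sum(len(v) for v in find_lsos(r).values())} LSO file(s) found")
```

The `__main__` section only reports what it finds under your real Flash directory; to clean it for real, call `delete_lsos(r)` for each root, which is what Better Privacy does on every Firefox exit.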

Disconnect:  Disconnect is an anti-tracking add-on.  It is very lightweight and prevents websites from tracking your behavior and serving you tracking requests and ads.  I like Disconnect because it is incredibly lightweight but still very capable.  According to Disconnect your pages will load 27% faster when using the add-on.  This is because tracking requests and ads consume bandwidth.  When they are blocked, this bandwidth is yours once again.  Disconnect works from a list of known tracking domains, so it cannot stop a tracker that is not yet on that list.  Once Disconnect is installed you don’t have to do anything.  Disconnect will silently protect you in the background.

HTTPS Everywhere:  Many websites offer an encrypted (SSL/TLS) login page.  Unfortunately, many of these pages revert to a plaintext HTTP connection after you have logged in.  This lets your ISP, or anyone on the same Wi-Fi network, see what you are doing and steal the session cookie that keeps you logged in.  To prevent this, HTTPS Everywhere rewrites your requests to force an encrypted connection during your entire session on any website that is capable of a secure connection.  It does this with a list of rulesets, one per site, maintained by the Electronic Frontier Foundation (EFF), an advocacy group for online privacy, which also writes the add-on; a site without a ruleset is left alone, so the protection only covers sites the EFF knows about.

Firefox Security Add-Ons