3DSC Day 09: Browser Security

Yesterday we began to shift our focus outward when we began changing online account passwords.  Today we will continue this shift by installing Firefox and modifying some of its settings.  Browser security and privacy settings play a big role in how easily websites can track you.  Firefox gives you the maximum flexibility to control these settings to your benefit.  It also has one other huge benefit that other browsers do not, and we will discuss it tomorrow.

The first step in this process is to download Firefox if you do not already use it.  Next, install the program on your computer. Once it is up and running, open “Preferences”.  To access Preferences click on the “hamburger icon” in the upper left of the interface. The Preferences menu will have eight tabs listed down the left-hand side of your screen.  This tutorial will only deal with those that are most relevant to improving your browser security and privacy.

Privacy Settings:  This is where most of the real work will happen to increase browser security and privacy.  First, under Tracking, uncheck the box labeled “Request that sites not track you”.  Though checking this box would allow Firefox to send a Do Not Track request to websites, the sites you visit have no obligation to honor this request.  I do recommend that you leave the Tracking Protection box checked.  Tracking protection is provided by Disconnect, a company we will see again later this week.

Next, go to the History section.  The changes made here are incredibly important.  After modifying these settings, Firefox will not save anything between browsing sessions.  This makes it much more difficult for sites to track your browsing behavior, and minimizes the browsing history that is stored locally on your computer.  In the “Firefox will:” drop-down, select “Use custom settings for history”.  This will allow you to choose exactly what Firefox “remembers” or purges when you close it.  Choose the settings that mirror those shown in the image below.

[Image: Browser Security]

Next, click the “Settings” outlined in red in the above image.  This will open an additional dialogue allowing you to choose specific items to be purged when you close Firefox.  I recommend that you check all of these options as shown below.

[Image: Browser Security]

Security Settings:  Configure these settings to mirror the image shown below.  Be sure to check “Warn me when sites attempt to install add-ons” (add-ons will be discussed tomorrow).  Uncheck both “Block reported attack sites” and “Block reported web forgeries”.  Both of these protections require that your browsing data be available to Mozilla for review.  I do not feel that this is in the best interest of your privacy.

Next, uncheck “Remember logins for sites” and “Use a master password”.  Because we now use a password manager it is unnecessary for Firefox (or any other browser) to remember our logins.  Firefox does not store this information securely.  If you have used this feature in the past you may wish to click the “Saved Logins” button.  This will allow you to view these logins and migrate them into your password manager.  Once you have done so, delete all of them from Firefox.
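Every checkbox walked through above corresponds to an about:config preference, and Firefox will re-apply a set of preferences on every start if they are written to a user.js file in the profile folder.  The Node script below is an added example, not part of the original post: it renders that file for the Tracking, History, add-on and login settings described here (the pref names are Firefox's own) and can also report which of them an existing user.js is missing.

```javascript
// Added example: render a Firefox user.js that applies the Day 09 settings.
// Run with: node firefox-prefs.js > user.js, then copy user.js into the profile folder.
"use strict";

// Each entry: [pref name, value, the checkbox or menu item on the Preferences page it matches]
const DAY09_PREFS = [
  // Privacy > Tracking
  ["privacy.donotrackheader.enabled", false, "Request that sites not track you (unchecked)"],
  ["privacy.trackingprotection.enabled", true, "Use Tracking Protection (checked)"],
  // Privacy > History > "Use custom settings for history" > "Clear history when Firefox closes"
  ["privacy.sanitize.sanitizeOnShutdown", true, "Clear history when Firefox closes"],
  ["privacy.clearOnShutdown.history", true, "Browsing & Download History"],
  ["privacy.clearOnShutdown.downloads", true, "Browsing & Download History"],
  ["privacy.clearOnShutdown.formdata", true, "Form & Search History"],
  ["privacy.clearOnShutdown.cookies", true, "Cookies"],
  ["privacy.clearOnShutdown.cache", true, "Cache"],
  ["privacy.clearOnShutdown.sessions", true, "Active Logins"],
  ["privacy.clearOnShutdown.offlineApps", true, "Offline Website Data"],
  ["privacy.clearOnShutdown.siteSettings", true, "Site Preferences"],
  // Security
  ["xpinstall.whitelist.required", true, "Warn me when sites attempt to install add-ons"],
  ["signon.rememberSignons", false, "Remember logins for sites (unchecked)"],
];

// user.js only accepts user_pref("name", value); lines, so values must be scalars.
function renderUserJs(prefs = DAY09_PREFS) {
  const lines = ["// Generated from the Day 09 checklist; Firefox re-applies these on every start."];
  for (const [name, value, label] of prefs) {
    if (!["boolean", "number", "string"].includes(typeof value)) {
      throw new TypeError(`unsupported pref value for ${name}`);
    }
    lines.push(`user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)}); // ${label}`);
  }
  return lines.join("\n") + "\n";
}

// Parse a user.js back into a name -> value map, e.g. to inspect an existing profile's file.
function parseUserJs(text) {
  const out = {};
  const re = /^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.*?)\s*\);/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (m) out[JSON.parse(m[1])] = JSON.parse(m[2]);
  }
  return out;
}

// Names of the Day 09 prefs that a given user.js is missing or has set to another value.
function diffAgainstDay09(text) {
  const actual = parseUserJs(text);
  return DAY09_PREFS.filter(([name, value]) => actual[name] !== value).map(([name]) => name);
}

console.log(renderUserJs());
```

The Safe Browsing and master-password settings are not written here because they are not plain preference toggles in the same sense, so set those two by hand as described above.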

[Image: Browser Security]

Today you have taken huge steps to increase your internet browser security and privacy.  Over the next two days we will take some additional steps to increase this even further, making you much more secure and private online.

3DSC Day 8: Change Your Passwords

Last week we primarily worked on securing your local computer.  Yesterday we focused on installing a local password manager.  Today our view will expand outward.  On this, the eighth day of the Thirty-Day Security Challenge I will challenge you to change your passwords on your online accounts.  Don’t rush in and try to change them all at once though – that could be a recipe for disaster.  Instead, try to change your passwords during your normal logins.  Time to check your Gmail account? About to settle in for some Netflix?  Getting ready to order that new book on Amazon?  Take an extra couple of minutes and change those passwords.   Your Dropbox account can wait until tomorrow when you will be logging into Dropbox, anyway.

When changing your passwords you should definitely pay attention to the qualitative aspect of the new ones.  All of your passwords should be:

  1. Unique.  Don’t use the same password on any two accounts.  Each account gets its own password – this is critical to good online account security.  This is much more important than even the quality of your passwords.  No ifs, ands, or buts.  This way if one account is hacked it won’t affect any of the others.  Mat Honan is an excellent example of why using the same password on multiple accounts is a bad idea.
  2. Long.  Use the maximum allowable length.  Google accounts allow you to use up to a 99-character password.  Your password manager does all the work and you’ll never enter it manually, so what do you care?  Max it out!
  3. Randomly generated.  Human-designed passwords are terrible, in the vast, overwhelming majority of cases.  We just have a hard time reliably generating truly complex strings of letters, numbers, and special characters.  Don’t try to make one up.  Instead let the password manager do the work and generate one for you.

The password manager you installed yesterday will be fairly critical to this task.  Without it you won’t be able to generate passwords meeting the above criteria, and if you do, you won’t be able to remember them.  Add each one as a new entry to your password manager when you change it.

This will be a carry-over task that won’t be finished in a day (unless you really work at it).  If you only change your passwords at your normal logins the process will be slower but it will also be more manageable.  By this time next week I bet that the majority of your accounts have been changed, and by the end of this month all of your accounts should have new passwords.

3DSC Day 7: Install a Password Manager

Welcome to the second week of the Thirty-Day Security Challenge!  We are officially one-quarter of the way through the process!  Today’s task is to install a password manager on your computer and/or phone. This is an absolutely critical step.  Future posts in this series will ask that you change current passwords and create new accounts with good, strong passwords.  Being limited to feeble human memory requires most of us to choose poor passwords.  We use the same ones on multiple accounts and some of the new ones we will create this month will probably be lost or forgotten.  Storing passwords insecurely in a Word document or spreadsheet isn’t a great idea, either, since it’s really vulnerable to loss.  The password manager will solve these problems for us by creating good passwords, recalling them for us, and storing them securely.

Below I have listed some reputable password management options.  Review these, choose one, and install it.  After you have chosen a password manager, secure it with a good, strong password.  Pin it to your taskbar (Windows) or keep it in your dock (Mac). This will place it within easy access for the remainder of the month.  Take a few minutes to get familiar with creating and accessing entries – you should be using this a lot in the future.

There are a number of good password managers out there and your choice will be somewhat driven by your operating system(s).  The list I give here is by no means exhaustive and there are loads of options.  I am only willing to list the ones that I have used and have familiarity with, however.

FREE OPTIONS

Password Safe (Windows):  If you primarily use a single Windows computer, Password Safe is the way to go.  It is widely known for its user-friendliness.  Password Safe is what is known as a host-based password manager, meaning your password database is stored on only a single device.  It isn’t transmitted to the cloud or stored on a remote server.  There are variants of Password Safe for other operating systems, too, but none of them are supported by the original developer.

KeePass/KeePassX/MacPass (Cross-platform):  KeePass and its variants are open-source password managers and perhaps the most universal of the ones listed here.  There are forks that work on nearly any operating system you can imagine and all of the databases are compatible with other versions.  These are not the most user-friendly password managers, however, and they lack some of the functionality and polish of most of the alternatives.  They do enjoy the benefits of being strongly encrypted, cross-platform, and totally free.  Like Password Safe, KeePass (and its sister applications) only stores your AES-256-encrypted password database locally, on a single device.

LastPass (Cross-platform): LastPass is the only cloud-based password manager I would even begin to recommend.  LastPass stores all of your passwords in an encrypted database in the cloud.  This means that you can access your passwords from any device, as long as you can access the internet.  One other major benefit of a cloud-based password manager is that you will have an offsite backup of your passwords should your computer crash or be stolen. Unfortunately this is exactly the reason I don’t prefer LastPass; being able to access your passwords from the internet means that someone else can, too.  It also means that you might be tempted to enter your master password on a computer that you don’t own or control.  LastPass is free on a single device; to install it on multiple devices will require a premium account, which is only $1/month (which is still really close to free).  Premium accounts can be installed on all your devices and shared among up to five users.

PAID OPTIONS

Codebook Password Manager:  I have a fondness for Zetetic’s Codebook and have written about it before.  I have used it for years on my iOS devices, and if you only have one or two devices this may be a great option for you.  However, it is a paid program and you must purchase a subscription for each device.  Codebook is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.

1Password:  I include 1Password because it consistently ranks among the most popular password managers.  I personally don’t love it but I also don’t have anything against it, and it does have some good things going for it.  1Password is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.  It is also incredibly user-friendly and good looking, but it is expensive.

3DSC Days 5 & 6: Weekend Project #1

This weekend’s project is twofold.  First, make sure your computer is running an up-to-date antivirus application. There is a good chance many of you already are.  If you are running Windows 7 or 10 you probably have a variation of Windows Defender or Microsoft Security Essentials.  You may also have a version of a premium antivirus suite like McAfee or Norton.  If you do not already have an antivirus program you should install one immediately, even if you are a Mac user.

The antivirus application I recommend for both Windows and Mac is Avast.  The links are, respectively: Avast Antivirus Free and Avast Free Mac Security.  I like Avast because it consistently performs well in independent testing.  Once you have installed Avast you will be asked to register it with an email address.  Next, allow its definitions to update and let it run.

[Image: Antivirus Application]

Next, scan your computer with an anti-malware application.  Even if you have a Mac, even if you run antivirus.  While antivirus protects you in near-real-time from malicious applications, anti-malware is reactive in nature and will root out those applications that have already managed to install themselves.  The anti-malware utility I recommend is Malwarebytes Anti-Malware Free.  Though there is a premium version of the application the free version is incredibly capable and will be sufficient for our needs.

This is set aside as a weekend project because it will take some time.  Set your computer up with the application and enable a full scan.  Then hit the gym, take the kids to the zoo, or head out for some drinks with your friends.  When you come home the scan should be finished.  Quarantine all malicious threats and potentially unwanted programs.  If you had positive results (meaning Malwarebytes found something) you should run the program again, or try another application.  Two trusted apps that I have had great results with are Spybot Search and Destroy and Comodo Cleaning Essentials.  Unfortunately Spybot and Comodo are only available for Windows.

Review:  With the first week at a close, let’s review our progress.  You are all now running a computer with an up-to-date operating system and all your applications are updated.  You have created and are using a standard user account.  Your machine has been scanned by anti-malware to remove any malicious programs, and anti-virus is protecting you in real-time.  You are already head and shoulders above the average user and should commend yourself.  You have also planned ahead and requested a ProtonMail account for yourself.  Enjoy the rest of your weekend and I will see you all on Monday!  Next week we will begin protecting some of your online information.

3DSC Day 4: Setup Private & Secure Email

Today will be a change of pace.  It will take five minutes at the absolute most and it does not pertain to securing your local system.  Today your task is to set up a private and secure email account.  Email is a necessary evil.  While most of us think of email as roughly analogous to a mailed letter (sealed in an envelope and opened only by the intended recipient), it is much more like a postcard.  Google’s Eric Schmidt even remarked in all seriousness that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”.  He was referring to Gmail and non-Gmail users alike.  Our emails are read by various parties along the way and contain a ton of personal information: relationship and health information, intimate photographs, the stories that make us who we are.  Today’s security challenge aims to fix that by making encryption the default for your future emails.

[Image: Private & Secure Email]

ProtonMail is a free, end-to-end encrypted email provider. I have written about ProtonMail twice previously on this blog and in my books.  Due to extremely high demand for ProtonMail accounts the service has experienced a backlog of requests and a new account may take some time.  However, you can still request an account by visiting https://protonmail.com/invite.  The only information that is requested is your desired username and an email address.  The email address is used for notification when your account is ready.  The delay in getting a ProtonMail account is the reason we are breaking so drastically from local computer security tasks this week.  Having a private and secure email account will be important later on this month, so please don’t delay!

By the end of this month-long challenge you should have a new ProtonMail account.  I won’t bore you with all of the details, but I will run down the key features.  First and most importantly, all of your emails to and from other ProtonMail accounts will be automatically encrypted using very strong encryption.  Also, your emails will be stored securely in an encrypted, “zero-knowledge” format.  This means that the email provider will have no access to your messages.  Even if you have to correspond with non-ProtonMail accounts, this alone cuts your attack surface in half.

EXTRA CREDIT: If you really want to go the extra mile you can sign up for accounts for three personal contacts.  These should be the people you email the most.  This could be your spouse, parents, children, friends, co-workers, or any combination thereof.  This will ensure you enjoy the maximum benefit of ProtonMail’s end-to-end encryption, create a much broader user base, and make us all a little less conspicuous.

3DSC Day 3: Review Privacy Settings

At this point you are running your computer on a standard user account and your operating system and applications are updated.  Though it may not seem like it, you are miles ahead of most users already; the two relatively lackluster tasks we performed over the last two days are incredibly important.  We still have a long way to go, though, so hang in there.  Today is the day to review those basic privacy and security settings!  If you’ve forgotten where these settings hide, don’t worry – I will walk you through them for Windows 7, Windows 10, and OS X.

Windows 7:  There is only one task that is specific to Windows 7 users only.  This task is to remove the privacy-invading Windows 10 features installed in default updates.  I did a full blog post on this a couple of months ago; it can be found HERE.

Windows 7 and 10:  These tasks should be completed by both Windows 7 and Windows 10 users.

  • Disable AutoPlay:  AutoPlay allows removable media to automatically play or run upon connection with your device.  This introduces a gross vulnerability by potentially allowing malware on these media to execute automatically.  To disable AutoRun and AutoPlay, navigate to Start>>Control Panel>>Hardware and Sound>>AutoPlay.   This will open a Windows Explorer dialogue allowing you to choose what action the OS should take for various types of media.  The first action you should take within this dialogue is to uncheck the box at the top that states “Use AutoPlay for all media and devices”.  Next, in the drop-down menu for each type of media, select “Take no action” and click Save.
  • Unhide File Extensions:  By default Windows hides the file extensions (like .docx, .exe, or .jpeg) from you on the assumption that most users don’t care (sadly, they are almost certainly correct in this assumption).  Hidden file extensions can cause you to open a file that looks like a .jpeg, but is actually a malicious executable, so it is a good idea to display these extensions.  To do so, open any Windows Explorer window and click the Organize drop-down menu at the upper left of the window.  Next, click Folder and Search Options, which will open a new dialogue.  In this dialogue click on the “View” tab and scroll down to “Hide Extensions for Known File Types”.  Uncheck this box and click Apply.

[Image: Hide Extensions]

Windows 10: Go over the Windows 7 instructions, and then review the privacy settings specific to Windows 10.  I did a full write up on this HERE, complete with screenshots.  If you are running a Win10 machine go ahead and follow the link and check back in tomorrow.

Mac OS X:  I have not previously written about OS X settings but in gearing up to write Your Ultimate Security Guide: OS X, I am excited to get started!  Here goes: to access these settings first open System Preferences.  Next click the “Security and Privacy” icon.  This will contain most of the settings we will address in this article.

  • General:  Under this tab are a couple of settings, the first of which is “Require password ____ after screen saver or sleep begins”.  This should be set to immediately; as soon as your screen switches off a password will be required to access your desktop, assuming the account in question has a password enabled.  If it does not, go back to System Preferences >> Users and Groups, select your account, and assign it a password.
  • FileVault: If FileVault is not enabled you should take the time to do so now.  This enables Apple’s OEM full-disk encryption.  This means that the data on your computer’s hard drive is fully protected in the event your computer is “borrowed”, lost, or stolen.
  • Firewall: The firewall should also be enabled.  The firewall monitors your computer’s incoming and outgoing internet connections for suspicious activity.  This is an excellent line of defense against many forms of internet-based attack and has almost no impact on the user.
  • Privacy:  Review all of the privacy options (Location Services, Contacts, Calendars, Reminders, Accessibility, and Diagnostics & Usage).  Disallow any applications that do not require this information to function correctly.  Under Diagnostics & Usage uncheck both boxes.

[Image: Review Privacy Settings]

See, that wasn’t so bad!  See you all tomorrow…

3DSC Day 2: Set Up a Standard User Account

Today’s security task is to set up a standard user account. Though it is a phrase that is normally applied to the corporate or government sectors, personal computers should also employ and adhere to the Principle of Least Privilege (PLP).  The Principle of Least Privilege is a concept stating that any user should have only the permissions necessary to do his or her job.  At the home-user level this means creating and using a Standard User account rather than performing day-to-day operations on an Administrator account. Using an Administrator account is perhaps one of the most common errors I see committed by home computer users. This mistake has caused me endless frustration in “fixing” friends’ computers that have become thoroughly infected with malware.

These computers become so thoroughly infected because they are always running with administrator-level privileges.  The ability to make system-wide changes like installing programs or deleting other users’ files is not necessary for daily use.  Running on a standard user account still allows you to do these things, but only after entering the administrator password to confirm that you actually want this action to occur.  Though it may not seem like it, this step is so important that even Microsoft recommends it.  To set up a standard user account refer to the following:

Windows 7/10: Windows has two different types of accounts: Standard User and Administrator.  A Standard User account has all of the necessary privileges for most of us to do the jobs we do on home PCs.  Even though I work at a computer daily, I only rarely log into an Administrator account.  User accounts have the privileges necessary to do most day-to-day tasks including creating, opening, editing, and saving documents, browsing the Internet, etc.  There are a very small handful of things a User account does not have the privileges for, the most important of which is installing programs.

Because Administrator accounts have the necessary privileges to install programs, executable files may be able to run on an Administrator account without having to ask permission.  If permission is required, malicious executables are sometimes capable of tricking the user into agreeing to install the program.  Standard User accounts have fewer permissions, and the most important permission a Standard User account lacks is the ability to install programs without permission from the administrator.  When a malicious program attempts to install itself on a Standard User account, a prompt will appear asking for permission from the Administrator (and the administrator’s password if the account is password protected).  Seeing a password prompt alone should be enough to make a user question whether he or she really wants to allow the executable to run.

When you purchase a new Windows computer, the only account that is enabled by default is an Administrator account.  Many home users will never create another account, choosing instead to work only inside this account.  This is problematic as it makes the computer more susceptible to malware and viruses.  To set up a user account, navigate to: Start >> Control Panel >> User Accounts and Family Safety >> Add or Remove User Accounts >> Create a New Account.

[Image: Standard User Account]

OS X: Setting up a user account in OS X is a relatively uncomplicated affair.  Open the System Preferences and click Users and Groups.  Click on the padlock icon at the bottom left of the interface and enter your password when prompted (assuming your administrator account is password protected).  Click the “+” icon just above the padlock to create a new user account.

[Image: Standard User Account]

A COUPLE MORE CONSIDERATIONS…

Account Naming:  There is a tendency to give Standard User and Administrator accounts distinctive names.  For instance, a family of four might name their accounts Justin, Sarah, David, and Ashley.  Unfortunately, these unique account names associate themselves with many things.  For example, Microsoft Office records the creator of a file by recording the user account name under which it was created in the metadata.  If you send out files (of any type) this may leak information about you or your family.  For this reason I strongly encourage using bland, generic names such as Administrator, User 1, User 2, and so on.

Passwords:  The administrator accounts and user accounts should be password protected with different passwords. Though I recommend using long, complex passwords in most cases, I recommend (and use) easily memorable passwords that are quick and easy to type for the Administrator and User accounts.  This is because the password protection on these accounts offers very little actual security.  Having a password can hinder anyone attempting to install malicious software on your device.

Migrating Your Data:  The unfortunate part of setting up a new account is that you will have to migrate your data, programs, and desktop to a new account.  If you don’t have the time to migrate today, don’t worry about it.  However, you should perform all the future tasks in the 30-Day Security Challenge on your Standard User account.  To ease the process of migrating your data, I recommend taking the following steps:

  • While logged into your administrator account, set up a shared folder
  • Import your documents, photos, and other files into the shared folder
  • Log out of your administrator account, and log into the standard user account
  • Copy all files to a folder that is not shared
  • Finally, log back into the administrator account and delete the shared folder

Thanks for joining, and I’ll see you all tomorrow for the third day of the challenge!

3DSC Day 1: Install OS & App Updates

Welcome to the Thirty-Day Security Challenge! I am looking forward to the coming month and I appreciate all of you who have chosen to follow along!  Today’s task is not flashy or even terribly interesting, but it is one of those tasks that is absolutely critical to security.  Today’s task is to install OS and app updates.  While we are in the update settings we will also make sure that future updates are downloaded and applied automatically so you don’t fall out of date.

Keeping your software up-to-date is an incredibly important step in securing a computer.  As software ages, security holes are discovered in it.  Attacks are written to take advantage of these holes.  Though software updates are occasionally released to add features and to deal with bugs, they are very often written specifically to patch security holes.  If your software is outdated it becomes vulnerable.  These vulnerabilities are also well-publicized by virtue of the fact that patches exist to fix them.

Windows: To install OS and app updates in Windows, navigate to Start>>Control Panel>>System and Security>>Windows Update.  Select Change Settings from the left sidebar.  Open the drop-down menu.  If you want to go fully automatic (Windows downloads and installs updates as soon as they are available) choose Install updates automatically (recommended).  If you prefer to have your updates downloaded but choose the time and place to install them, choose Download updates but let me choose whether to install them.  This also gives you the advantage of being able to research updates before you commit to them (at least in Windows 7), as some updates help Microsoft collect data about you.

[Image: Install OS and app updates]

To update your applications in Windows, you have a couple of options.  You can do so manually for every application you have, or you can download an application that will check them for you.  There are two such applications that I recommend.  They are Patch My PC Updater and Secunia PSI.  Both will scan your computer’s installed programs and let you know if updates are available.  Both are also capable of downloading and installing updates for you.

Mac OS X:  To update your OS and applications in OS X, open the App Store.  If a badge is displayed on the App Store icon you have updates waiting.  If you think there may be updates for your machine go to the top of your screen and open the “Store” drop-down menu and select “Reload”.  This will manually check for updates.

To ensure that future updates are downloaded and installed automatically, open your Mac’s System Preferences and click the App Store icon.  Make sure the following boxes are checked:

  1. Automatically check for updates,
  2. Download newly available updates in the background,
  3. Install app updates,
  4. Install OS X updates†, and
  5. Install system data files and security updates.

[Image: Install OS and app updates]

†You may wish to leave this option unchecked. It will allow you to install OS X updates at your leisure.  Because these updates can take time and require a restart this may be preferable depending on your situation.  Realize that you will have to be alert for new updates and install them manually.

Tomorrow will be another foundational step and one that will require some thought and decision-making on your part.  Stay with me!