Online Security – Part Two – General Tips

by TheoBlogy on March 8, 2011

in security

This is actually pretty amazing. We’ve had an online security expert — someone who knows how to hack — write us a bunch of tips on how we can safeguard ourselves from him and his peers. He has asked to remain anonymous.

We get lots of requests from Boot Camp participants about our best advice for online security, and we couldn’t round up better advice than what you’ll read here this week.

Web Browsers: The choice of web browser is important. Never, under any circumstances, use either Internet Explorer or Safari (Apple’s browser for OS X and Windows). Both are horribly insecure. Firefox and Google Chrome are both good browsers. Chrome does a bit more to protect the underlying operating system from web-based attacks, but these days the goal of most attacks is to gain access to something the user has online anyway, not the computer itself. This guide is rather Firefox-centric because many of the privacy-enhancing extensions mentioned here cannot work in Chrome, as that browser does not support them. Indeed, Google has a financial incentive not to enable such extensions: more privacy means less effective online advertising, which is Google’s main revenue model.

Log out of web-based email, banking/shopping sites and social networks such as Facebook when you are not actively using them. If, for example, you are logged in to Facebook in one tab, malicious code on a site in another tab can attack your Facebook account. Likewise, malicious Facebook applications (more on that in the social networking category) can attack accounts you are currently logged into in other tabs, such as banking and shopping sites or other social networks. Logging out of online accounts when you are not actively using them limits the potential for such attacks.

Be skeptical. If it looks too good to be true, it probably is. Offers of free iPads or free music and movies (aside from reputable torrent sites such as The Pirate Bay) are common scams. Such scams will often ask for your contact info (especially your phone number) before supposedly giving you the offered item, and will then use it to spam you and rack up charges on your cell phone. The Better Business Bureau website is a good place to look up the reputations of businesses. The Web Of Trust add-on for Firefox is another good resource, as it lets users rate websites on authenticity, security, etc., then shows each site’s average rating next to search results.

Use your browser’s private browsing mode. If you see a link that looks suspicious, or that goes somewhere you are not familiar with, opening it in private browsing isolates that site from the rest of your online activity, including any social networks or bank accounts you might be logged into at the moment. To do this in Firefox, right-click the link and choose Copy Link Location, then start Private Browsing from the Tools menu and paste the link into the address bar.

Be careful clicking on links from URL shorteners. URL shorteners are sites such as tinyurl.com, bit.ly and is.gd that take a long web address and shorten it. Though such services are useful, especially on sites like Twitter, they are also used by attackers to mask attacks. A suspicious-looking attack URL like http://example.com/?id="><script>document.location='http://attacksite.com'</script> can be made to look harmless, like http://tinyurl.com/6cdx8b2. Open such links in your browser’s private browsing mode, as described above.
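As an added example (not part of the original post), the Python below resolves a short link's redirect chain one hop at a time without rendering anything, then flags a destination that carries injected script like the payload above. The tinyurl.com-to-example.com mapping and the attacksite.com destination are constructed for offline use; live_location is the real network resolver you would pass instead.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Markers of an injected script or forced redirect hiding in a URL.
SUSPECT = re.compile(r"<script|javascript:|document\.location|onerror\s*=", re.I)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_location(url: str) -> Optional[str]:
    """Fetch only the headers of `url` and return its Location, unfollowed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx surfaces here when not followed
        return err.headers.get("Location")

def expand(url: str, resolver: Callable[[str], Optional[str]] = live_location,
           max_hops: int = 5) -> List[str]:
    """Return the redirect chain starting at `url`, resolving relative
    Location values and refusing to follow an endless loop."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if not nxt:
            return chain
        chain.append(urllib.parse.urljoin(chain[-1], nxt))
    raise ValueError(f"more than {max_hops} redirects: {chain}")

def is_suspicious(url: str) -> bool:
    """Percent-decode first so an encoded '%3Cscript%3E' is caught as well."""
    return bool(SUSPECT.search(urllib.parse.unquote(url)))

# Constructed, offline stand-in for a real shortener's redirect (not live data).
FAKE_HOPS: Dict[str, str] = {
    "http://tinyurl.com/6cdx8b2": "http://example.com/?id=%22%3E%3Cscript%3E"
    "document.location=%27http://attacksite.com%27%3C/script%3E",
}

if __name__ == "__main__":
    hops = expand("http://tinyurl.com/6cdx8b2", FAKE_HOPS.get)
    print(" -> ".join(hops), "| suspicious:", is_suspicious(hops[-1]))
```

Pass `FAKE_HOPS.get` as the resolver to see the chain offline, or `live_location` to preview a real short link without loading its destination.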

When on public WiFi at places like Starbucks, do not log in to any online accounts. Doing so opens you up to having your accounts hijacked by anyone else in the coffee shop; it is only safe if you are using a tunneling technology such as a VPN, which is out of the scope of this guide. The tool Firesheep (a Firefox extension) makes this type of attack easy enough for even an average computer user to carry out.

When logging into any site involving money, look for https (instead of http) in the address bar. The ‘s’ means that the connection is encrypted, so no one can get in the middle of that connection to listen in. If you do not see it on such sites, it could mean that someone is trying to steal your password. Also, install the HTTPS Everywhere Firefox extension by the Electronic Frontier Foundation. This extension contains a database of many popular websites that allow encrypted https connections, and forces the browser to use such connections automatically.

When you are about to log into a site, look at the address bar to make sure the address there is the one you usually see before typing your username and password. Attackers will often trick users into visiting sites that look identical to Facebook or banking sites, thereby tricking the user into giving the attacker their password.

One of the most common causes of account compromises is bad passwords and the use of the same password across multiple online accounts. To solve this while at the same time making password management vastly easier, use a password management tool. I highly recommend LastPass.com, which works in every major browser, on Windows, OS X and Linux, as well as on Android and iPhone phones. Set one strong password that unlocks your password vault, then use LastPass to generate long, super-complex, unique passwords for each website that you use.

When choosing a master password, length and unpredictability are more important than complexity (though complexity is good!). I recommend picking eight random words that do not form a sentence, then using a combination of upper and lower case for each of these words. This may sound like a lot to type, but it is the only password you will be typing, so it is actually easier. It is also easier to remember than one might think, as it is words instead of random characters, it is the only password you will be typing, and you will be typing it frequently. One important note with LastPass is that you should log out of it as soon as you are done logging into the site you need, as this greatly mitigates the risk of attack against your LastPass account.
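As an added example (not from the original post or from LastPass), this Python generates the kind of eight-word mixed-case master passphrase and long random per-site password described in the two tips above, and estimates how many bits of guessing each resists, which is what "length matters more than complexity" means in numbers. The sixteen-word list is constructed, and the 7776-word list size used in the estimates is an assumption matching common diceware lists.

```python
import math
import secrets
import string
from typing import Sequence

# Tiny constructed word list; a real generator would use a large list such
# as a 7776-word diceware list (the size assumed in the estimates below).
WORDS: Sequence[str] = (
    "anchor", "brisk", "copper", "dune", "ember", "fathom", "glide", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nimble", "orbit", "plume",
)

def generate_passphrase(words: Sequence[str] = WORDS, count: int = 8) -> str:
    """Pick `count` words independently (so they need not form a sentence)
    and capitalise each one on a coin flip, as the tip above suggests."""
    picked = []
    for _ in range(count):
        w = secrets.choice(words)
        picked.append(w.capitalize() if secrets.randbits(1) else w)
    return " ".join(picked)

def passphrase_entropy_bits(count: int, wordlist_size: int,
                            random_case: bool = True) -> float:
    """Guessing resistance assuming the attacker knows the list and the
    scheme: log2(list size) per word, plus 1 bit per word when each
    word's capitalisation is an independent coin flip."""
    return count * (math.log2(wordlist_size) + (1 if random_case else 0))

def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Same measure for a uniformly random character password."""
    return length * math.log2(alphabet_size)

SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars

def generate_site_password(length: int = 20) -> str:
    """Long, unique, manager-stored password: uniform over all classes, redrawn
    until every class appears so site complexity rules pass (costs a little entropy)."""
    while True:
        pw = "".join(secrets.choice(SITE_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw

if __name__ == "__main__":
    print(generate_passphrase())
    print(generate_site_password())
    print(f"8 words from 7776, mixed case: {passphrase_entropy_bits(8, 7776):.1f} bits")
    print(f"10 random characters from 94:  {password_entropy_bits(10, 94):.1f} bits")
```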
