Friday, 30 November 2012

Added Security part 3




Get rid of Java
I'm repeating myself here, but if you don't need it, throw Java in the bin ASAP. It has never been, is not and most likely won't ever be safe running Java in your browser. That some companies forces users to run Java is a sign of incompetence, ignorance and stupidity. The amount of stories regarding security flaws in Java keeps popping up like farts in a barn full of cows (whatever comparison that is).

Here are three (out of hundreds) stories:
09.10 : csoonline.com
26.09 : arstechnica.com
29.08 : krebsonsecurity.com


Java is not safe as a browser plugin. Throw it in the bin!

Norwegians are forced to use Java for online banking. Plain stupidity!

BankID, responsible for making Norwegians insecure on the Internet.



Use two-factor identification
Wherever possible use two-factor / two-step identification. Gmail and Google Apps has got it already, same thing with LastPass. Luckily more and more services do come with this option as well.

Dropbox
Dropbox was hacked this summer, and did set their users passwords to be expired.

Or: sorry we got hacked and we lost you password.

Dropbox has recently increased their security by offering two factor authentication as well. If you are a Dropbox user you should enable two factor today. Log in and go to the security settings for enabling Two-step verification.

Click to enable.

Welcome to a more secure world.

Use texts or app.

Etsy
Etsy has also introduced two-factor authentication. So, if you're an Etsy user you know what to do to stay safer.





Terms of Service; Didn't Read
For all security and privacy aware people out there the TOS or Terms of Service is important. However, most people don't read several pages of boring details. I don't blame them. However, there is a brilliant page to the rescue:


ToS;DR aims at creating a transparent and peer-reviewed process to rate and analyse Terms of Service and Privacy Policies in order to create a rating from Class A to Class E. 

Check it out at:
tos-dr.info



Browser Improvements
Disable 3-party cookies
To limit tracking and enhance privacy you might consider disabling 3-party cookies. If you're a Chrome user this can be done going to chrome://chrome/settings/content#third-party. If you're using another browser Google is your friend.



Disable JavaScript by default
I have mentioned NotScript earlier. An option, at least for Chrome users, is to by default disable JavaScript in your browser. The NotScript extension is more feature rich, however it is simpler just using Chrome's built-in functionality.





Do Not Track
Most browsers now has got a "Do Not Track" option. Turn it on if you want to at least ask sites not to track you (or send a "DNT signal"). Note that there is no guarantee the sites will listen though. You are by turning this option on simply asking sites to please not track.
To do this in Chrome you can go to chrome://chrome/settings/search#do%20not%20track.

Privacyfix

Privacyfix is an extension that you can consider. This is what they write:
"Privacyfix puts you in complete control of your online privacy. The Privacyfix browser extension scans for privacy issues based on your Facebook and Google settings, the other sites that you visit and the companies tracking you. Privacyfix then takes you instantly to the settings that you need to fix. Privacyfix also can warn you of new privacy issues as you surf the web, so you know when sites like Facebook change their privacy policies or have privacy breaches."
https://www.privacyfix.com



Stupid password restrictions
I've started on a list of sites having insane and stupid password restrictions. It's crazy how many big sites there are on the Internet that obviously are storing password as clear text, or weakly encrypted. To check out the list go to:
http://morphogenetically.blogspot.com/search?q=security+fail+-+



Cloud storage

Glacier
If you've got a lot of old files, that you do not need to access that often you can check out the new service from Amazon, the Amazon Glacier. This is what they write about the service:

"Amazon Glacier is an extremely low-cost storage service that provides secure and durable storage for data archiving and backup. In order to keep costs low, Amazon Glacier is optimized for data that is infrequently accessed and for which retrieval times of several hours are suitable. With Amazon Glacier, customers can reliably store large or small amounts of data for as little as $0.01 per gigabyte per month, a significant savings compared to on-premises solutions."

CloudBerry Lab


Another option for backing up your data in the cloud comes from CloudBerry Lab. They offer a set of nice tools, like tools for integrating cloud storage as a local drive. Check out more on www.cloudberrylab.com.

cloud explorer

virtual drive

cloud backup



BoxCryptor

If you store your data in the cloud, your data is not necessarily encrypted. And if the data is encrypted it might not be done the TNO way (Trust No One - means no one that yourself can decrypt your data). A solution to this is to use a tool that locally encrypts your data before it is sent to the cloud. One tool is BoxCryptor. This is what they write:

"You want to encrypt Dropbox, Google Drive or Microsoft SkyDrive and access your data from everywhere without worrying about data security or give up comfort? Then BoxCryptor is the perfect software for you. It has never been easier and more user-friendly to encrypt your data without losing the advantages of cloud storage."



Windows Defender Offline
Got malicious software on your computer? Windows Defender Offline to the rescue.

"Windows Defender Offline can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it's important to always have the most up-to-date definitions installed in Windows Defender Offline. Armed with definition files, Windows Defender Offline can detect malicious and potentially unwanted software, and then notify you of the risks."



LastPass security challenge
src: identi.ca

If you're using LastPass there is a nice tool to improve your online security. As mentioned earlier the LastPass guys has created a security challenge. I've spent a fair bit of time, changing my passwords to increase their strength and making sure I never (there are a very few exceptions, as some services having multiple domains you log in from) use the same password twice. I've even now started using unique email addresses for all new sites I sign up to. My motto is that you can never be too cautious. It's actually a bit addictive to see how good you'll manage to score on this test.

LastPass security challenge.

75% score is not good enough.

40 duplicate passwords, and 131 sites using duplicate passwords. Ugh.

Historical results. I'm getting better.

Option to check if your usernames are compromised.

88.2%, but still not satisfied.

Down to only 9 duplicate passwords, and only 25 sites using them.

Major improvement.

Even more changes done to my online logins, and I'm finally above 90%.

13 weak passwords left.

94.4% score and quite satisfied.

Only 8 sites using duplicate passwords, and those being unavoidable.

A nice development.

No comments:

Post a Comment

Allowed HTML tags:
<b>bold</b>
<strong>strong</strong>
<i>italics</i>
<em>emphasis</em>
<a href="">hyperlink</a>


Please, show the courtesy of identifying yourself when adding a comment. Anonymous comments will, most likely, be removed.