Taking Charge: Online Security and Privacy

Securing your web browsing, managing your online passwords, securing your data and using two-factor authentication are key to a secure online experience.

Krysten Newby - Security

Why Should I Care?

Advertisers constantly gather information about the sites you browse, the services you use and even the places you visit while you’re walking around with your phone. They do this for a number of reasons, including providing a more personalized experience, say, showing you advertisements that are relevant to your interests. We unconsciously trade our personal information for more comfortable service experiences. Some of this may be fairly benign, but on some level, having anonymous companies gather large volumes of data about you to build a consumer profile can be concerning. Further, this information is bought and sold without your explicit approval and without you having any control over what is included. For this reason, taking an interest in your online security and privacy is important.

Aside from advertisers, you also have to be aware that there are people who will try to steal or take advantage of your personal information. For instance, if you use the same password for both your Gmail account and your Amazon account (which you really shouldn’t) and someone gets hold of your Gmail password, they can suddenly start placing Amazon orders under your identity. If you post publicly on Facebook that you’re going on vacation, what’s to stop someone from unlawfully entering your residence while you’re out of town?

There are a number of things you can do to start taking control of your online identity. Securing your web browser is a great first step. Proper password practices and controlling what you store and share online through internet services should be the next places to look.

Securing Your Web Browsing

1) Use a Virtual Private Network (VPN): This will mask your Internet Protocol (IP) address and encrypt traffic between you and your VPN host. To the outside world, your traffic will look like it is coming from your VPN host instead of your computer. Why do this? Number one for me: online privacy. Companies like Google and Facebook connect all sorts of information about what you do online and can in many cases link it back to your IP address and browser fingerprint. Why let them gather all this information on you? TorrentFreak is a good place to research the right VPN for you. As an aside, you can also use VPNs to get around geographical blocks for certain services, though sites like Netflix went on a tear blocking VPNs a while back for this very reason. A caveat with all this is that VPNs add overhead to your internet connection, likely slowing things down, so you won’t necessarily want to leave them running all the time.

2) Secure your web browser: Update Chrome/Firefox/Microsoft Edge. After that, install plug-ins such as Ghostery, uBlock Origin (for Chrome, for Firefox) and HTTPS Everywhere to limit how easily advertising companies can collect information on your browsing habits and to secure your browsing. Also, by keeping your browser up to date you mitigate known vulnerabilities, keeping you and your information safer.

3) Use data silos: Sites like Facebook will not only track what you do on their site, but also what you do in the other tabs of the browser in which Facebook is open. Why let them gather information on you? By using one browser, say Firefox, exclusively for Facebook and another browser, like Chrome, for your other browsing, you limit what Facebook can collect. Way back when, I used a program called Sandboxie that effectively stopped applications from modifying or interfering with my host operating system. If you’re concerned about malware, in e-mail attachments for instance, running your e-mail client in a sandbox can help limit the damage.

Maintain Your Passwords

1) Site-specific passwords: Use a unique password for each site or service and, if you can, a log-in name other than your e-mail address for any sites you use. The benefit of this is that, should one of your sites be compromised, the rest of your online identity won’t fall like a house of cards. Having site-specific passwords can be a pain if you’re managing this manually, which I wouldn’t. Check out services like LastPass, which will not only manage your passwords, but back them up securely, make them available across all your devices and even generate extremely complex passwords for the sites you use. This dramatically decreases the probability of having all your accounts compromised should one of your sites get hacked.

2) Update your more sensitive site passwords regularly. Sites like your e-mail account and banking site should have their passwords changed periodically. Should your password become compromised at some point, updating it minimizes the potential harm.

Floating Through the Cloud

Ah, jargon. I’ll not rant about the term, but basically, if you’re storing content online, make sure it doesn’t contain sensitive personal information. If you wouldn’t leave tax documents sitting out in the open at the office, don’t leave tax documents unencrypted on someone else’s server. As such, be aware of what information you’re placing online. I use a no-longer-supported application called TrueCrypt (7.1a), which encrypts my more sensitive information prior to uploading it. Since it is no longer supported, VeraCrypt might be worth checking out as an alternative.

Social Media Management

Share the minimum amount of personal information possible. If I’m going on vacation, I’ll only post about it afterwards. No reason to send thieves to my door. Be cognizant of what you’re sharing and always ask yourself, should this be online? Things like your Social Insurance Number, home address, and yes even your telephone number should not be easily publicly accessible. It’s much easier to mindlessly overshare than it is to permanently remove this information after the fact.

Advanced: Two-Factor Authentication

Passwords can be compromised, and to combat this some services offer an added level of security through what’s called two-factor or multi-factor authentication. The idea is simple: to log in to an account, you need two pieces of information. You need something you know, such as your account password, and something you have, such as your cell phone, which can either generate a second code for log-in or receive a securely generated code to log in with. This helps prevent unwanted access to your account, given that the “something you have” piece is presumably something only you have access to. Many services, like Gmail, Steam and Dropbox, support this level of security. It does add a bit of overhead, but it gives you additional confidence that only you can access your account.

Summary

By taking some of these steps, you can limit some of the information that is gathered about you and increase the security of your information. The most onerous of these moves would be switching to a password manager and changing all your passwords, though in the long run it’s absolutely worth the hassle. Always be aware of what you’re sharing online and really consider whether you should be posting it.

Header image by Krysten Newby // CC BY 2.0

Thoughts on Evernote in the News

Evernote has been in the news recently, having rightly ruffled some feathers by updating their company privacy policy to say the following:

1) They may use your data to test and improve their product through machine learning algorithms

2) Employees may access your data

They’ve also, more recently, taken a step back issuing an apology in a FastCompany article. The claim is that this information was only going to be used towards product improvement. This, while very likely true, is troubling for a few reasons:

1) Your data on Evernote’s servers is likely stored in the clear (unencrypted), which is how employees and algorithms can parse it. If you have sensitive information, it isn’t magically excluded or protected. Hopefully you aren’t storing tax documentation in the clear over there?

2) Evernote does not place you, the customer, and your privacy first and foremost. Their priority, quite clearly as expressed through their actions, seems to be product improvement with the customer second.

So, they may backtrack and completely reverse this decision, however they’ve made their philosophy pretty clear. Even if you’re a paying customer of the product, really, you’re not foremost on their list of priorities. They will leverage content that you trust them with, as they see fit, to improve their product, and ultimately their bottom line.

Between this, and their rather bothersome change to their basic plan of adding a two device limit to their application, I see many good reasons to consider an alternative like Microsoft OneNote. I like the idea of supporting the little guy, when it comes to business, but the little guy has to have reasonable business practices when it comes to handling my information.

This really is a shame – they have a vastly superior product, from a User Interface perspective, and I’d hate to leave them.

Firefox Security: Extensions and Settings to Help Secure your Browser

Regardless of which web browser you use, there are steps which can be taken to further improve your browser security online, limit your exposure to malware, and keep your computer happily humming along. Joking aside, step one is ditching Internet Explorer – there are other options (Firefox, Chrome, Safari, Opera, etc.) which are far more secure. I’ll stop myself before I begin an out of control rant, but needless to say, even in the context of a browser like Firefox, there are steps you should take to improve browser security.

Useful Firefox extensions:

1) NoScript – Protects you against cross-site scripting (XSS) attacks and clickjacking. A useful plug-in, though a little heavy-handed – for the first few days of using this, I often had to use the “allow site” function (the little icon on your web browser status bar) to get my regular sites to load properly. Once you have those set though, you barely notice it’s running.

2) Adblock Plus – blocks advertisements and can block access to known malicious domains. It can also block Flash and Java, as you deem necessary. Given the many security vulnerabilities stemming from Adobe products (as evidenced by the ridiculous number of updates they push out for their plug-in), this may be an important way to protect yourself online. If you’re interested, you can find a list of the top ten “internal vulnerabilities” (meaning from client computers mostly) here. Unsurprisingly, Flash, Acrobat and Java top the list.

3) HTTPS Everywhere – this add-on provided by the Electronic Frontier Foundation makes HTTPS (secure HTTP) requests to the websites you access, where possible. Some sites like Google allow secure access but don’t enable it by default. Using this plug-in, if you try to navigate to http://google.com you will be redirected to https://google.com.

4) Web of Trust – Web of Trust provides information on the site you are browsing, to give the user some indication as to whether the site should be considered trustworthy or not. It provides an indicator that turns green (site deemed OK) or red (site deemed a hazard) based on ratings by the Web of Trust community around the world.

5) LastPass – Allows you to securely store and manage your passwords, even generating secure passwords for your sites as needed. Far more secure than the built-in Firefox password management feature. I won’t go into too much detail, but I’ve written about LastPass previously here.

Some other important settings include:

Prevent Firefox from storing your site passwords:

[screenshot]

By disabling Firefox’s built-in password manager, you prevent Firefox from storing passwords for the sites you browse on your local machine. It’s generally not a good idea to have your passwords stored by your browser, especially if you work on a shared computer.

Prevent Firefox from storing information on the sites you browse:

[screenshot]

Beyond all this – keep your browser up to date! The importance of this cannot be stressed enough. Security vulnerabilities are being patched all the time, and if you don’t keep up with the patches, you aren’t benefiting in any way from the work people are putting into improving your online security.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has a long, but good write-up on how to browse securely here.

If you’re interested in securing Google Chrome, here’s a good write-up on security related extensions, courtesy of Tech Drive-in.

Happy browsing,

Syd

Header image courtesy of Lee Gillen – Browser Security Advisories / CC BY 2.0

OpenDNS: Domain Name System of the 21st Century

Photo by Scott Beale / Laughing Squid (http://laughingsquid.com)


What is DNS:

At its most basic level, the Domain Name System takes a human-readable name, such as wordpress.com, and looks up the corresponding server IP address (76.74.254.126), allowing you to reach the site without needing to know the IP address yourself. This lets people easily remember site addresses without ever having to know (or realise) there is an IP address behind them. There are many name servers, which translate a domain name for you by cross-referencing the relevant server IP address and directing you to the correct hosted site. Think of a DNS server as a telephone book for domain names on the internet. Normally, your Internet Service Provider runs its own DNS service, which performs this address resolution (for websites, e-mail, etc.).
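To make the telephone-book description concrete, here is an added example (mine, not from the original post) that builds a DNS A-record query and parses a reply in the RFC 1035 wire format using only the Python standard library. The reply is constructed inline with the wordpress.com address quoted above, and the transaction-id and RCODE checks are the minimal sanity checks a resolver performs before trusting what comes back.

```python
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Build a recursive A-record query (RFC 1035 section 4.1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg: bytes, offset: int):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer back to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            return ".".join(labels), end if jumped else offset + 1
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_a_records(msg: bytes, txid: int) -> list:
    """Return IPv4 addresses from the answer section; raise on mismatch or error."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply does not match our query)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return ips

# Constructed reply: flags 0x8180 (response, RD, RA, NOERROR), one answer whose name is a pointer (0xC00C) to the question.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + build_query("wordpress.com", SAMPLE_TXID)[12:]
    + b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4)
    + socket.inet_aton("76.74.254.126")
)
```

Sending `build_query(...)` over UDP port 53 to any resolver and feeding the reply to `parse_a_records` gives the same result for a live lookup; a filtering resolver like OpenDNS simply answers a blocked name with its block-page address instead of the real one.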

What can OpenDNS do for you:

With that very brief, and hopefully not mind-numbingly boring, description out of the way: DNS servers have room for improvement. I’ve been using the OpenDNS name servers, as opposed to the default ones provided by my Internet service provider (Primus Canada), to take advantage of certain features the service promises:

1) Faster address resolution (through advanced caching, and a series of servers located around the world)

2) A phishing filter, which blocks harmful sites (by not allowing the site to resolve and instead giving you an appropriate warning / error message). Known phishing sites are submitted to PhishTank and vetted by the community. Similarly, there is also a malware protection service, which stops you from accidentally accessing a compromised website. To see how OpenDNS deals with questionable sites, you can safely try this example (it just shows you the OpenDNS block page).

3) Typo correction – common misspellings of domain names are appropriately redirected

4) Content filtering – if you have children, you can use this service to block adult sites

5) Analytics about accessed domains (through reporting and logs)

Should I Stay or Should I Go:

OpenDNS offers the service free to users, with more advanced options available for a fairly nominal fee, should you need the additional features ($10 USD per year, for a household). You can see the features offered by the various pricing plans here.

Given that this service is freely available, reduces domain resolution time and increases your security on the web (by blocking malicious sites), it is definitely something you may want to consider for home use. If you’re concerned about OpenDNS logging the sites you browse, for whatever reason, here’s their privacy policy. You can purge your history as often as you like through their dashboard.

Set-up:

If you’re interested in trying out the service, it’s just a matter of going to their site, and setting up an account. After that, they’ll provide instructions on how to use their service.

On my router, running the Tomato firmware, the changes were relatively simple, changing settings in two areas.

Change one – tell your router which DNS service to use (they provide two IP addresses):

[screenshot]

Second set of changes – associate your OpenDNS account: 

[screenshot]

If you don’t use a router, the setup is still pretty simple. Once you create an account, they walk you through changing your local computer DNS settings. It’s mostly a matter of changing your DNS servers under your TCP/IP settings.

Conclusion:

That’s it! All for the price of free, you’ve likely sped up browsing the web and increased your home network security by blocking a bunch of phishing / malware sites. This is one of many suggested ways to improve your home network security. If you’re “iffy” about using a random, non-ISP service, you can take comfort in the fact that large organizations such as Nvidia, Honda, MIT University, Penn State University, and even *gasp* libraries use the service. There’s a comprehensive listing here. IT sites such as Computerworld have also recommended this service. You can read a brief review over at TechCrunch.

There’s really little reason not to take advantage of this – I’d use it for either home or office use. I’ve been a user for nearly a year, with no complaints.

Happy surfing,

Syd

Header image courtesy of laughing squid – OpenDNS LED Sign / CC BY 2.0