How to stay safe on the Internet

I’ve created this document to enable you take control of your online information and have a better understanding of what makes you vulnerable and open to attacks.
There are many forms of online ‘hacking’ and the majority are doing it for two reasons.

1. Money
2. Information

More recently than ever, online security has become prominent in media and it’s made people uncomfortable and confused about where they fit into the bigger picture.

Am I vulnerable?
What would a hacker want from me?
Is it really something to be concerned about?
How can I better protect myself?

These are just some of the common questions being asked by many people who don’t know much about technology or use their computer for browsing the web and have never delved into the never-ending pit that is computer systems and IT.

My attempt here has been to create a short, plain English outline of the key factors to your security.

Am I vulnerable?


If you have a broadband connection at home or even if you don’t but you use an online service in any shape or form which nowadays nearly everybody does then you are vulnerable to some form of attack.
The extent of that vulnerability depends very much on what you do and who you are. The ‘what you do’ part meaning what services you avail of (Facebook, Gmail, Evernote, Online banking etc.)
The ‘who you are part’ is referring to your job or what you have that others might want (Bank manager, CEO, financial advisor, inventor etc.)
Although you might not think about this but you might possess invaluable information that somebody might want.

But how could Facebook be dangerous?


This is another common question I hear and well Facebook is a fantastic location for a hacker to gather information about you, everything from

· Name
· Date of birth
· Location
· Current location (when you tag yourself)
· What you’ve done
· Where you’ve been
· Who you know
· Interests you have

The list goes on. All this information can be used against you in forms of Identity theft or Social Engineering amongst other things. Think about PM’s you’ve sent to friends on Facebook, if any other that information has been in anyway private (Bank details, phone numbers….) If somebody gains access to your Facebook they too will be able to see this information.

Facebook is one example of online services that can be exploited to be used against you, other examples include google+, twitter, bebo, gmail, evernote and so on.

Passwords


The first thing I’m going to recommend about these services is to keep yourself as private as possible if you are going to use them. This means only adding people you trust, only allowing them to see your page and only share information necessary or as little as possible.

The second thing and this goes for everything you need to create a password for – use complex passwords.
A complex password comprises of two main factors, it’s long and contains non-standard characters (symbols & upper case).

Generally you should aim to have at a minimum 12 characters. The best way to create a memorable complex password is to take a sentence and convert the characters as follows.

Mary had a little lamb

This would translate into a complex password as

M@ryHadA1itt131amB

As you can see this wouldn’t be overly complicated to remember but is highly effective.
This prevents the use of dictionary and rainbow table attacks, which are the two main ways an attacker would attempt recovery of your password. That being said it would eventually be cracked if a hacker had enough time and processing power (Would take weeks if not months of processing).

This brings be onto my second recommendation which is why you should change your password regularly (once a month would be good).

Surfing the web


The next port of call is your security while using these services or while surfing other websites. There are a couple of points of communication that need to be looked at here and I’m going to look at them from the start.

Home WIFI – Encryption


If you use a home router then you’ll need to check your encryption on it. As of when I wrote this the best solution is WPA2 with AES or TKIP Encryption which will work across most devices (AES is best if possible). You might find if you have some older devices that they don’t support this form of encryption, which might be a tell-tail sign that it’s time to say goodbye!

There are other forms of protection (Mac filtering, hiding SSID, IP Filtering) although these do add another layer of complexity they’re actually very easy to bypass and might cause you more problems then they’re worth. Remember I’m trying to give you easy to follow user friendly advice, if you’re not sure what a MAC Address is then I suggest you leave these settings alone.

Public hot spots


It’s great that you can control who has access to your home network but when using hot spots or in a café with Internet then it’s a whole different story. Here people can attempt to listen in on your connections in many ways, a popular form of attack is called a man-in-the-middle attack where somebody pretends to be the hot spot and when you connect to it they actually forward on your traffic and watch all the information you’re sending and receiving.

My rule of thumb is don’t do anything personal at a hot spot, no online banking, checking emails, I use them only to surf the web or look up information if I’m working or planning something. I know this is a rather drastic measure but Hot Spots are notorious for hackers.

Web Browser


Ok this is a big one.
I user Firefox, Google Chrome is also known to be exceptionally good along with Opera (older versions were terrible but it’s come along way since then)
Avoid Internet Explorer and Safari, both of these browsers are terrible and really lacking in every sense.

I like Firefox mainly because of its open community and how well it renders pages & compatibility.

Firefox has a database for extensions, which can be found here
https://addons.mozilla.org/en-US/firefox/

Other browsers have their own databases or sites where you can find plug-ins, a Google will find them easily.

Adblock Plus


Adblock plus is an amazing little plug-in that automatically blocks adverts from being displayed on websites you visit. This serves two purposes, one being it stops you from being bothered by adverts all the time but more importantly it protects you from having harmful javascript executed within your browser. Hackers have targeted ad servers and providers as a means to infect your computer through malicious code being executed within the advert.
This basically means what seems like a perfectly normal advert could actually have hidden coding behind it waiting to exploit your browser.

Please bare in mind that using this plugin could actually be damaging for a company providing a free service as there only means of income might be the advertising space they sell on their website.

Flagfox


Another small tool to add to your browser is Flagfox. This little tool is quite simple but amazingly powerful, it displays a little flag beside the URL to let you know where the webserver server is located.
A very common form a hacking is DNS hijacking, this is where you visit a legit website lets say google.com but rather than being directed to google you’re directed to another webserver which is malicious.
Well flagfox will make it evidently clear where the webserver is located, so if you visit google.com but the webserver is located in Ukraine you can be sure something isn’t right.

Ghostery


Ghostery is a tool designed to stop websites, analytics and advertisers from tracking what you do. Imagine walking into a shop and having a shop assistant follow you around writing down everything you do, then not only that but imagine when you leave the shop and go somewhere else the shop assistant follows you to watch what you’re doing. Well that’s exactly what these trackers are doing, it’s an invasion of privacy and they don’t seem to care about your rights. I’ve even seen advertising trackers specifically looking for your medical information, not only that but most don’t disclose what they intend to do with the information or how long the retain it for!

No Script


Ok this one is very powerful and protects you from Cross-site scripting attacks amongst other things but it can be a little irritating or people to use. It basically blocks a website from launching anything (JavaScript & Java) amongst other things and allows you to select the sites you deem to be safe and reliable.
I’ve only recently started to use this as before I thought it would be too much hassle but with the number of java based attacks I decided it was time to take the plunge.

LastPass


Right the last recommendation I’m going to give you plugin-wise is LastPass.
LastPass is a cloud based password manager that makes your life a whole lot easier. The cloud is encrypted so even if it is hacked which it has been once in the past the attackers can’t link your passwords with your account nor can they even see the passwords without your master password.
I’m not going to say much on it – check it out for yourself.

File sharing


Most people out there use some form of file sharing from P2P, Torrents, Rapidshare to download illegal music, games, movies so on. But you trust these sites to provide you with free software that has in no way been modified to harm your computer, it doesn’t seem logical does it?
I’m not going to preach about what’s ethical and what’s not but just think about what you’re downloading because the chances are it’s not being provided for free.
Operating system


Mac vs Windows vs Linux

By default Windows is the most targeted OS in the world purely because it’s the most widely used. This is a good and bad thing, this for one means there have been many vulnerabilities found and fixed over the years making the latest OS more secure than ever. But it also means if you’re still using an older version of windows you’re a sitting duck!
Also never use your administrator account as your daily account, create two accounts – administrator and your own. This means if you do get infected then the infection won’t have admin privileges to take advantage of your system. It means you’ll be prompted for a password every time you want to install software but it’s a minor inconvenience for the safety net it provides.

Mac on the other hand has kept itself hidden away from the limelight over the years and thus hasn’t had it’s security reputation dragged through the mud. I can however say Apple take a more aggressive approach to security than Windows ever had, they’re not afraid to be bold and tell other companies that their products aren’t up to scratch.
Most recently was blocking the use of older versions of Java. They have also dropped support for WEP encryption as it’s inherently unsecure, this is good news because it makes the end user aware of possible security concerns.
Some people however don’t like this approach as they think it limits their choices (which it does – for the right reasons)
I would also like to point out that I regularly practice ethical hacking and it is far more difficult to extract information from an OSX system and a Windows system, quite a lot of attacks on OSX systems are social exploitations and not system exploitations. Most recently was the Mat Honan from wired magazine having his entire life destroyed not because he wasn’t secure but because of social engineering.
You can read the article here.
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

The last system I want to mention is Linux. Linux doesn’t need to be mentioned in great detail other than the people who use it most regularly would know it quite well as it’s only recently started to become popular as a daily OS.
As I said before this is intended for people who don’t know a whole lot about computers and I myself don’t know Linux well enough to comment fully.

Patching


No matter what OS you use or what software you have installed it is paramount that you patch! Patching is a term used for updating your system, patches/updates are brought our regularly are quite frequently they address security issue which have been found. By patching your system it makes it more difficult for a hacker to exploit that system with known vulnerabilities. The majority of attacks would come from a generic source targeting an already known vulnerability while very few will come in the form of 0 day or previously unknown exploits.

Antivirus


Everybody knows what antivirus is and at some point has come across it.
I would like to make you aware that Antivirus is only part of the solution and not the answer to the problem. By just having it installed is not going to protect you, it should be used as a net rather than a shield. If you are relying on it to protect you against everything I can assure you it wont.
Another common misconception is the more antivirus products you have installed the more protected you will be – this is not true. Actually you’re leaving yourself open for a world of trouble as both pieces of software can conflict causing system crashes, slow system speeds, and they might even fight and attempt to remove one another.
As for which vender to choose I’m not up to date as much as I used to be but

· Avast
· AVG

Were two I liked and I actually have Avast installed on a VM for testing and it’s very responsive and doesn’t effect system speed much at all.
Having a Google I can see BitDefender is coming up number 1 in a number of test results, I have no experience with this software so I’m unable to comment. I would be grateful if somebody could offer a further insight into which antivirus is best and why.

Infection


When you discover an infected file or realise your system is riddled with the computer version of an STD most people feel allowing antivirus do it’s thing is enough. Well that’s incorrect. The only time I feel it’s ok to consider an infection fully removed by antivirus is when it catches the file before it’s had time to infect the system. If the antivirus is pointing to an already installed piece of software, an executed file or an infection that already exists on a system then if you really want to be sure its gone you need to wipe your system.
People are always shocked, they can never understand why anybody would do that especially if the virus discovered is considered a ‘generic’ infection. The reality is you don’t know if the virus you have has been modified since the malware analysis was carried out. Let’s say you discover a virus on your system that had been discovered 5 months ago to be relatively harmless but anything could have changed in 5 months and now the virus includes a root kit which your antivirus cant remove.
Regularly backup your files and if ever required to wipe the system it wont be as devastating as it sounds, but it’s the most effective way of cleaning your system.

Mobile devices


This is a very new area but proving itself to be very dangerous, particularly on Android devices.
You probably feel by this stage I’m an Apple fan boy, which is a fair statement. However the main problem with the Android market is the lack of regulation compared to the App Store. There are over 20,000 malware apps currently on the market compared to one found on apples store.
I’m not saying this to get you to run out and switch from your Android for an Apple, I’m a fan of both. I even bought my dad an Android tablet for Xmas because I knew it would suit his needs better.
What I’m trying to get at is you need to be vigilant about the Apps you choose to download and install on your system.

Conclusion


To end this I would like to point out this is my personal opinion and I understand not everybody will agree with everything I have said here but if I’ve helped a few people understand better how they can help themselves stay safe I’ll be delighted.

I’m also open to peoples suggestions on anything I’m missing as it’s quite late/early and I’m sure I’ll look back at this and wonder how I missed something. I would like to make this a more refined document and make it available as a pdf so please if there’s anything you want to add leave a comment or message me.

Please keep in mind the audience this is intended for when making suggestions – talking about hash algorithm’s and VPN encryption isn’t going to help, if anything it’s going to make the document less useful and more complicated.

I also have a no-tolerance harsh approach to security due to the fact that I work in the industry.

Please feel free to ask any questions.

Thanks

freeze4real

Excellent post.

Thanks for the tips.

Hopsin

So why exactly is Internet Explorer so weak compared to Firefox?

BTW: I think your wrong when you say:

[regarding linux]

the people who use it most regularly would know it quite well

Most people I know using linux are on Ubuntu and only have it because it was easy to install and just used all the defaults and havent a clue what they're at. At least half of the people I know on linux are extremely uncomfortable in a terminal. And most installed and then never updated or upgraded since then and as I said, are sitting on a maybe a 2 year old system with no updates and all the defaults still intact.

I think these people are very vulnerable, even if they were sitting on a fully patched box, just due to the fact there is a huge misconception that linux doesnt get hit with malware so they think they are safe and then they take more chances online. Your article definitely needs a lenghty peice on linux and how to harden it.

chrismon

Great write up.

Hopsin

Hopsin wrote: »

So why exactly is Internet Explorer so weak compared to Firefox?

BTW: I think your wrong when you say:

[regarding linux]




Most people I know using linux are on Ubuntu and only have it because it was easy to install and just used all the defaults and havent a clue what they're at. At least half of the people I know on linux are extremely uncomfortable in a terminal. And most installed and then never updated or upgraded since then and as I said, are sitting on a maybe a 2 year old system with no updates and all the defaults still intact.

I think these people are very vulnerable, even if they were sitting on a fully patched box, just due to the fact there is a huge misconception that linux doesnt get hit with malware so they think they are safe and then they take more chances online. Your article definitely needs a lenghty peice on linux and how to harden it.

There are a few reasons why IE isn't in the same league as other browsers, main ones are,

• Rendering of web pages isn't as reliable or as fast as competitors
• Being the largest browser on the market and the default browser for windows it's become a big target especially older versions
• Lacks the large community of developers other browsers have, I think the majority if not all plug-ins I've mentioned above can't be acquired for IE (Correct me if I'm wrong)

There are other reasons but they're my main ones.


You're right about Linux. I don't have any non-techie friends who use Linux but that's not to say they're not out there, especially now with the adoption of Linux as a primary OS starting to become popular... Chrome-book is a perfect example of this. I can see it becoming huge especially fro students.


I left Linux out mainly because I could write another article about it as I'd have to explain how to do the things I'm talking about.


Maybe if I covered the basics and created a little script people could run weekly or monthly? Even set it as a crontab so they won't have to run it manually.

limnam

Deleted User wrote: »

There are a few reasons why IE isn't in the same league as other browsers, main ones are,

• Rendering of web pages isn't as reliable or as fast as competitors

• It would depend on the content it was rendering. Also I don't think the speed of a browser has any direct link to insecure code.

  Deleted User wrote: »

• Being the largest browser on the market and the default browser for windows it's become a big target especially older versions This was once true, but not any more. From Chrome,FF and IE. IE now has the lowest market share from the 3 with Chrome growing to over 50%

  Deleted User wrote: »

• Lacks the large community of developers other browsers have, I think the majority if not all plug-ins I've mentioned above can't be acquired for IE (Correct me if I'm wrong)

Deleted User wrote: »

There are other reasons but they're my main ones.

I'm pretty sure you can get a lot of the plug-ins mentioned or ones that do a very similar job.

The speed wouldn't have a direct impact on security but it's top of my list of reasons to change.

IE still has over 50% of the market as of 2013, where did you get the statistics for Chrome being more popular?

limnam

Deleted User wrote: »

The speed wouldn't have a direct impact on security but it's top of my list of reasons to change.

IE still has over 50% of the market as of 2013, where did you get the statistics for Chrome being more popular?

Regardless of what stats I look at none of them seem to have IE at the top.
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
http://gs.statcounter.com/
http://www.w3schools.com/browsers/browsers_stats.asp
http://clicky.com/marketshare/global/web-browsers/

ozmo

Not bad - but far too much opinion given as fact.
Your information on IE may be a bit dated for instance and one sided. Its still the most popular and although i prefer chrome myself i wouldnt suggest anyone to move from the newer versions of IE if they like it.
Not a fan at all of firefox myself - i find it slow and incompatible with many sites- but thats just 'my' opinion.

I find your comment on safari being inferior at rendering than chrome amusing as chrome actually uses webkit to render pages- ie. its a lot of safari inside!

Spot on with the antivirus software though- mostly inneffectual and not nearly as important as antispyware precautions. The free microsoft defender is a very good antispyware/antivirus to consider and doesnt slow the pc down much...

limnam

limnam wrote: »

Regardless of what stats I look at none of them seem to have IE at the top.
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
http://gs.statcounter.com/
http://www.w3schools.com/browsers/browsers_stats.asp
http://clicky.com/marketshare/global/web-browsers/

I see where the mistake is made here, these stats are based on traffic volume not on unique hits.

Basically it's not accurate at all.
let's say I like hip hop music but you like rock music.
We both go along and I download 5 hip hop songs and you download 1 rock song from a website.
Statistics for that would say hip hop is more popular but in reality I just download more than you so it's actually just as popular as one another.

http://arstechnica.com/information-technology/2013/02/internet-explorer-still-growing-as-windows-7-starts-its-decline/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

http://www.zdnet.com/the-web-browser-wars-continue-and-1-is-well-that-depends-on-whom-you-ask-7000009305/

limnam

Deleted User wrote: »

I see where the mistake is made here, these stats are based on traffic volume not on unique hits.

Basically it's not accurate at all.
let's say I like hip hop music but you like rock music.
We both go along and I download 5 hip hop songs and you download 1 rock song from a website.
Statistics for that would say hip hop is more popular but in reality I just download more than you so it's actually just as popular as one another.

http://arstechnica.com/information-technology/2013/02/internet-explorer-still-growing-as-windows-7-starts-its-decline/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

http://www.zdnet.com/the-web-browser-wars-continue-and-1-is-well-that-depends-on-whom-you-ask-7000009305/

w3 and others use unique hits and they still don't have IE at the top.

ozt9vdujny3srf

I think your post would be a million times more credible if you had references from reputable sources after each of your points. I'm sure you'll agree that the last people folks want to do is take the word of some dude on an internet forum when it comes to personal information.

ozmo

ozmo wrote: »

Not bad - but far too much opinion given as fact.
Your information on IE may be a bit dated for instance and one sided. Its still the most popular and although i prefer chrome myself i wouldnt suggest anyone to move from the newer versions of IE if they like it.
Not a fan at all of firefox myself - i find it slow and incompatible with many sites- but thats just 'my' opinion.

I find your comment on safari being inferior at rendering than chrome amusing as chrome actually uses webkit to render pages- ie. its a lot of safari inside!

Spot on with the antivirus software though- mostly inneffectual and not nearly as important as antispyware precautions. The free microsoft defender is a very good antispyware/antivirus to consider and doesnt slow the pc down much...

Hence why I stated at the bottom that these are my opinions, no matter what one says there will be somebody else to disagree or argue against it.

Safari is inferior, I've been using OSX as my primary OS for over 4 years now and I can say Safari just can't compare to Chrome or Firefox when used daily.
Chrome is also excellent and it is also slightly faster and loading/rendering pages then Firefox. The biggest issue I've had with Firefox recently was the lack of support for a built-in PDF reader. I'm not sure what happened but after an update PDF's couldn't be read but they have sorted it out now.

They may use the same engine but stick a v8 in a truck and it's still going to go slow, put a v8 in a two seat sports car and it's going to fly.

limnam

limnam wrote: »

w3 and others use unique hits and they still don't have IE at the top.

I don't mean to be rude but think about the people who visit w3 schools, the majority are going to be people in the industry who have a fair idea and experiment with browsers. That's why I wouldn't take their logs as accurate because it's going to be weighed by the industry. Do you think your granny visits w3 schools?

From their website

From the statistics below (collected from W3Schools' log-files over a period of ten years), you can read the long term trends of browser usage.

My article was aimed at people who don't know anything about security and I wanted to give them some advice.

Mckenna Numerous Camera wrote: »

I think your post would be a million times more credible if you had references from reputable sources after each of your points. I'm sure you'll agree that the last people folks want to do is take the word of some dude on an internet forum when it comes to personal information.

True story, the problem is I don't trust everything I read on the Internet either.... the above conversation is a perfect example - web browser usage.
That's why I minimized my links to articles only where I see it as a valid point (take for example the wired hack).

Ah I was trying to give some free advice but it's never that simple

ozmo

ozmo wrote: »

I find your comment on safari being inferior at rendering than chrome amusing as chrome actually uses webkit to render pages- ie. its a lot of safari inside!

Yep, it even has Safari mentioned in its user agent at the end.

I agree about the IE stuff. I don't like the interface but if someone's using IE9 or IE10 and is happy with it then I've no problem with that. I still see the odd site that needs IE, was trying to do a HP Care Pack registration last week and it wasn't going through in Firefox, tried it in IE8 (the company have IE9/10 blocked in WSUS) and it worked fine.

limnam

Deleted User wrote: »

I don't mean to be rude but think about the people who visit w3 schools, the majority are going to be people in the industry who have a fair idea and experiment with browsers. That's why I wouldn't take their logs as accurate because it's going to be weighed by the industry. Do you think your granny visits w3 schools?

W3 was one of them. did you look at the rest? plus the IE only went behind on w3 fairly recently too. I'm not going to go around in circles on this one I think the fact it can even generate a which browser is king top shows that IE is not as dominant as it once was and that windows OS's were forcred to give an option of which browser to use has changed the size of that attack surface to make it worth the attackers efforts to aim for chrome/ff I think it's a nice thing that you're doing, but if you're putting the information here for grannys that don't visit W3 well I'm not sure how many grannys are looking around security forums?

900913

Well written guide ni@ll.

I don't know why some people can't just take it for what it is and have to nit pick every point.

LoLth

Its the nature of security and internet forums, everyone is talking about the same thing but we all have opinions on how that thing can be achieved.

Nice document ni@ll , it *is* quite simplistic for security professionals but no-one said this forum was for security professionals only and it contains some nice points that an average user would understand easily.

As for nitpicking, if you post it in a public place its going to be commented on. Hopefully you take the comments as constructive and maybe think about taking some into account if you decide to present/post this guide elsewhere. Nitpicking is good, its how we find the holes in our systems. Its digging in heels and refusing to discuss instead of issue statements thats the problem imho.

@limnam, it might be for granny's who wont read it here but many of us deal with computer illiterates and/or wannabe "experts" regularly. Having access to a clearly worded document that you can copy/pasta and send along cant be a bad thing and might even save one of us some time someday. (in my opinion though, its not just granny's that need to read things like this. I have met many computer users (some programmers) who dont understand the basics of security beyond feeling guilty that they didnt apply the patches when they were told to because they would do it later when they weren't busy or, worse, wrote their application so that it only works with one , older, version of a product so it is forcing insecurities into the system from the start).

Capt'n Midnight

Deleted User wrote: »

What would a hacker want from me?

As little as $25 will buy you access to a thousand malware-infected PCs, neatly packaged as a botnet army to control or spy on You can make back your investment as spambots or bitcoin mining or some such or simply selling on the uninteresting ones.

Paydirt is when you find an interesting machine. A key logger means you can bypassed a lot of encryption.

The best way to create a memorable complex password is to take a sentence and convert the characters as follows.

Mary had a little lamb

This would translate into a complex password as

M@ryHadA1itt131amB

Using 1337=lEET doesn't add nearly as much entropy as you would like to think. Using some of the 1,000 most common words doesn't add that much entropy either. Neither slows down dictionary attacks that much (and for $25 you can have 1,000 zombies ... ) That password is essentially the word "lamb"
with some padding

using fádás and gaeilge would slow down off shore dictionary attacks , it helps a little

Public hot spots Web Browser

https everywhere is a must.
The best solution is a VPN to somewhere you trust because you can't control what the OS leaks (smart phones are really bad)

But a key logger doesn't care

Mac vs Windows vs Linux

By default Windows is the most targeted OS in the world purely because it’s the most widely used. This is a good and bad thing, this for one means there have been many vulnerabilities found and fixed over the years making the latest OS more secure than ever.

Oh sweet mother of Jesus, not that crap again.

Windows is attacked because it is the most common
AND because it's easy.
If you google enough you can buy tools (and zombies) to exploit windows and become a script kiddie. (it's not as easy as before, opposable thumbs are now a definite advantage)


Windows is designed to be backward compatible and fast. Only recent versions have done anything other than patch holes as they are found. A quick look at the security advisories shows that most months there is a patch to stop compromise your system and gain control over it

If I had time I'd setup Windows NT 3.5 in a VM to see how many of the "recent" exploits it was vulnerable to

One nice feature of Chrome is that new tabs use separate memory so less chance of cross scripting or whatever


[tin foil hat]It's certain that many commercial products have back doors for state agencies to use. needless to say a third party could also exploit them if discovered [/tin foil hat]



one common attack is entice web users with pretty pictures
image search can take you to nasty places very quickly

I also have a no-tolerance harsh approach to security due to the fact that I work in the industry.

That sounds harsh.
Please tell me you don't work in the computer security industry.

/2c

Capt'n Midnight

Just another reminder of why windows is bad, there are just too many different updaters to keep track.

Take adobe acrobat reader for example. I want something that can read a pdf. I don't want to download a security patch every month to fix functionality that has nothing to down with viewing a pdf :mad::mad::mad::mad:

The philosophy of "do one thing well." Just doesn't apply to windows bloatware.


http://www.theregister.co.uk/2013/03/15/secunia_vulnerability_research/

Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software.
...
In 2012, 86 per cent of 2,755 vulnerabilities identified by Secunia's study were found in code developed outside of Microsoft;

Also that companies app you downloaded
What are the chances it was written by an intern who has now left and is no longer updated ?

www.secunia.com have a thrid party updater - slow to scan
www.filehippo.com have a quick one but not as many products
www.ninite.com if you re-run the installer it will patch those apps but BEWARE you get default settings / associations which may not be what you like

ChRoMe

Capt'n Midnight wrote: »

Just another reminder how the dominant platform is obviously the target of a greater number of attacks

Fixed that for you

Thanks for all the feedback! It's great to see people on here interested in this topic - if you agree or not I'm still happy to see the responses!

I will get around to updating it and adding a few new sections just haven't got the time at the moment.

arius

Deleted User wrote:

Ghostery
Ghostery is a tool designed to stop websites, analytics and advertisers from tracking what you do. Imagine walking into a shop and having a shop assistant follow you around writing down everything you do, then not only that but imagine when you leave the shop and go somewhere else the shop assistant follows you to watch what you’re doing. Well that’s exactly what these trackers are doing, it’s an invasion of privacy and they don’t seem to care about your rights. I’ve even seen advertising trackers specifically looking for your medical information, not only that but most don’t disclose what they intend to do with the information or how long the retain it for!

I used this until someone told me Ghostery analyze and track browsing activity. Checked their privacy statement...

Data Collected and Data Usage
When you download Ghostery onto your computer, we collect basic data in server logs, like your web request, the data sent in response to that request, the Internet Protocol (IP) address, the browser type, the browser language, and a timestamp for the request. This information is used to maintain the functionality of the Website and to count the number of Ghostery downloads. We like to count. We do not take any action toward you directly, such as contacting you when there is a Ghostery update. That is done through our general blog, newsletter, or through the respective browsers, which will speak directly to the Ghostery application.

They affirm sharing the information when required by law

Information Sharing Policy
We don’t share information with third parties. However, for whatever limited information we DO collect, our lawyers have said that we have to reserve the right to disclose any information as required by law, or when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process served on us.

For me, the privacy statement contradicts implied behaviour of the add-on.

900913

The VPN Hidemyass save logs too, and share them with the feds.

21:05 edit: Why do we log the above^ information? Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do. Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint, for example if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?

http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/

arius wrote: »

I used this until someone told me Ghostery analyze and track browsing activity. Checked their privacy statement...



They affirm sharing the information when required by law



For me, the privacy statement contradicts implied behaviour of the add-on.

arius

You'd wonder why the publishers of Ghostery (Evidon, Inc) would be worth $30 million providing "freeware" ad-blocking tools...

Evidon is dedicated to improving online advertising by increasing accountability, improving transparency and, most importantly, helping consumers and advertisers understand why, how, and where ads are displayed online. The website www.evidon.com is owned and operated by Evidon, Inc. As you use our corporate website and interact with us as a business customer, prospect, or interested consumer, we want to help you understand our information practices.

Khannie

arius wrote: »

You'd wonder why the publishers of Ghostery (Evidon, Inc) would be worth $30 million providing "freeware" ad-blocking tools...

Indeed. I used to wonder quite a bit about revenue streams for products like this. It seems that their general goal is to be bought out by a larger company (e.g. google) who then go on to use that product to retain or get new customers, gaining extra revenue through their existing revenue streams.

WhatsApp is another one that I couldn't quite figure out the revenue stream of (for example)....until there were rumours of a buyout from google and then it all became clear.

syklops

Khannie wrote: »

Indeed. I used to wonder quite a bit about revenue streams for products like this. It seems that their general goal is to be bought out by a larger company (e.g. google) who then go on to use that product to retain or get new customers, gaining extra revenue through their existing revenue streams.

WhatsApp is another one that I couldn't quite figure out the revenue stream of (for example)....until there were rumours of a buyout from google and then it all became clear.

Some people are serial start up creators. They work on a two year plan / model. Create project, get funding, get famous for doing x well, get bought. Rince and repeat. Good way of becoming stinking rich as well.

syklops

The best way to create a memorable complex password is to take a sentence and convert the characters as follows.

Mary had a little lamb

This would translate into a complex password as

M@ryHadA1itt131amB

Actually the key to selecting a good password is length. The longer the better. You say 12, honestly, I would switch those numbers around and aim for 21 minimum.

"phone coffee biro monitor" comes to 22.when concatenated. As was said above, adding other characters really doesn't add much extra entropy, and all it does is make it harder to remember.

Capt'n Midnight

Khannie wrote: »

Indeed. I used to wonder quite a bit about revenue streams for products like this.

Another stream would be to not block certain ads, but they no one's going to admit to that.