It’s amazing how on a daily basis there’s a story about someone’s identity or data being stolen, personal info being misused, or just getting screwed via the Internet. Most of the time it’s due to a complete lack of standards regarding how people treat their digital property and identity. It’s the electronic equivalent of leaving your home and not locking the door. Anyone can come in and take what they want.
- Use SSL When Available – Many sites offer SSL interfaces to make them more secure. Sometimes it’s used by default, sometimes it’s not. You can often test yourself by just changing the http:// in the URL to https://. For example, you can do this for virtually all Google services including Google Docs, Gmail, Google Calendar, etc. For Gmail there’s even an option to force SSL. If you still haven’t enabled this, do so now. Many non-Google products offer this too, for example Meebo.
- Be Cautious Of Open Networks – Just because you see a WiFi hotspot doesn’t mean it’s safe. It’s trivial for someone to sit in a coffee shop with a laptop and pretend to be free internet access. Once someone connects they can essentially snoop on all that person’s traffic. Connect only to networks you know and only use services over a VPN or HTTPS so that your traffic isn’t in plain text. To be extra cautious, limit the amount of high risk activities you do on these networks (do your banking from home).
- Don’t Connect To The Internet Directly – Even if you have only one computer, it’s still advisable to have an access point between you and your internet connection. Virtually all access points today provide decent firewall protection that will shield you from any of the horrors that exist on the internet. Any NAT device will provide a degree of protection (though NAT isn’t a firewall replacement). Access points can often be found for under $50, making this a very sound investment. Yes, there are software firewalls, but they have downsides. The minimum is a hardware device between your computer and your broadband modem.
- Use Encryption For Your Home WiFi – If you have a home wireless network, make sure you have encryption enabled and use it. Ideally you should be using WPA2/AES since it’s the most secure at this point, though anything is better than nothing. While sites you browse over HTTPS are encrypted, you still want the entire tunnel encrypted. This does hurt performance slightly but most modern hardware (even the cheap stuff) is more than capable of handling this. Odds are you run an 802.11g network and your wireless is way faster than your broadband anyway. If you don’t have this enabled or don’t know how, check the manual, the manufacturer’s website or call tech support for help. You should be doing this.
- Don’t Trust IM or Email For Confidential Information – IM and Email aren’t very secure mechanisms for sending information. They should never be trusted for things like sending credit cards, social security numbers, medical information, etc. If you ever see a merchant using IM to process a credit card (so they only need 1 terminal rather than one per location), pay cash or walk away. Sadly it happens. It’s perfectly fine for chatting with your friends, but not good for secure information. It’s possible to encrypt email with PGP or GPG, and IMs with OTR or an encryption certificate, but they require both parties to utilize them and are somewhat technical in nature, and therefore few actually use them.
- Only Download From Trusted Sources – Download only from trusted places. Download software only from the developer’s website, not just any place that has it. Look for software at places like Tucows, FileForum, download.com (operated by my employer) and other well trusted download locations. There are a lot of hoax sites out there trying to distribute malware (malicious software). Also be suspicious of anyone offering commercial software for free.
- Keep your AntiVirus Up To Date – Just installing AntiVirus software isn’t enough. The program is useless unless you keep the virus definitions (the files which tell the software what is a virus and what isn’t) up to date. All modern AntiVirus software does this automatically for the duration of the subscription. When your subscription expires either upgrade to a new version or renew the subscription. There are enough free AntiVirus solutions out there for Windows to make it inexcusable to not have protection. For paid AntiVirus, Norton AntiVirus 2009 is pretty good (I use it and reviewed it myself). So is Kaspersky. Avast and AVG would be my personal recommendations for free.
- Use AntiSpyware – AntiVirus products go a long way, but you’re much better off if you use an AntiSpyware product as well. Many of them are free downloads, just make sure you get them from reputable places. I’d recommend Spybot S&D, AdAware and Windows Defender. Make sure to run the updater within the product at least once a week, and scan on occasion (weekly, biweekly, whatever). Mac users don’t really need to do anything here as Spyware isn’t much of an issue thus far.
- Be Aware Of Phishing – Never open links in email unless you’re sure of its origin. If your bank wants you to log in and do something, visit the bank’s website by going to the site yourself rather than clicking on a suspicious link. No business will ask you to verify your password. Microsoft has some more tips.
- Use A Secure Browser – Firefox 3, IE 7+, Safari 3.2 all offer Phishing protection. This isn’t perfect (nothing really is), but it can greatly reduce your chances of being a victim of a phishing attack. Enough browsers support protection that you shouldn’t be browsing without it. Firefox 3 also includes malware protection. I have a Firefox bias though that doesn’t mean you can ignore this. Use a modern browser with phishing protection.
- Secure Your Computer – If you have a laptop you should have a password when logging in. If you don’t, correct this. It’s easy to do on Windows or Mac OS X. This will at least stop dumb thieves, which are fairly numerous. Even if your laptop never leaves your home this is still a good idea. It’s not impossible for the cable guy, phone guy, refrigerator repair man, etc. to try and steal something like a laptop. This is such a small step that can save you some trouble later on.
- Secure Your Cell Phone – It’s not going overboard to secure your cell phone. If you’re like a growing number of people, your cell phone is a much more complicated device than it was just a few years ago. It can contain a lot of data including phone numbers, your calendar, photos, browsing history, email, even financial data. Just this week someone sued because they lost their cell phone, which happened to contain nude pictures that they claim were leaked online. Most phones include the ability to add some form of a password or passcode. The iPhone even has an option to wipe data after a certain number of unsuccessful attempts. Securing this compact hard drive isn’t a bad idea.
- Don’t Put Things Online You May Regret – People who do this admittedly deserve what they get. Posting information regarding your personal lows may work out to your advantage in the future. Already 1 in 10 college admissions officers check social networking profiles according to Kaplan. When I graduated college in 2006 I could tell who actually looked at my job application by looking at the log files for this blog. All but one or two potential employers went to Google to screen me. In more than one case I actually used tail -f and watched them (live!) browsing this blog from their corporate network while they screened me over the phone. Only one actually brought it up in an interview (and he said he was impressed by the depth of my technical posts). That was way back in 2006. Employers and colleges are much more savvy now. I get emails from headhunters constantly because of this blog. Because of this I know it’s not scaremongering. People out there really do use the Internet to screen strangers. This is standard practice, especially if you’re under 30 (and more likely to have some digital trace online) or if you apply for a tech/internet job.
- Backup – Backing up is important. Get an external hard drive and back up all data you care about on a routine basis. I’d suggest at least once a week. I’d also suggest having some sort of off-site backup for things you wouldn’t want to lose in the event of a fire or natural disaster (email, financial records, etc.). You could use online services like Amazon’s S3, though make sure to use encryption, or the offline method of saving them to a disk and putting that disk at a parent’s home, in a safe deposit box, etc. Just make sure that disk is either encrypted or in a secure location where it won’t fall into the wrong hands. A fireproof safe is another way to go, though you’ll want to make sure you use a UL Class 125 safe rated for at least 1hr. They can withstand fire and keep the internal climate at no more than 125°F and 80% humidity, suitable for magnetic media. If it’s not UL tested make sure it’s suitable for the media you are trying to store for at least 1hr, preferably more.
6 replies on “How To Be More Secure With Your Data & Identity”
Very well written sound advice, an ideal Fireproof, Floodproof, Crushproof Backup system is the just released ProtectItSafe which gives a minimum 2 hour fire protection, USB 2.0 connection allows software to automatically backup. http://www.protectitsafe.com
You can get the ForceHTTPS extension for Firefox which forces certain sites to use SSL, namely Google, Paypal and the like.
And what if you unfortunately break your backup disk? I learned the hard way it happens, so you should have 2 backup disks, or one copy on the backup disk and one encrypted on an online service.
@jmdesp: Good point, but the odds that your system and backup disk “break” at the same time are pretty low considering the reliability of modern drives. For practical purposes, you’re pretty safe if you have a primary system, a backup, and an offsite backup.
In reality you should have several offsite backups since any offsite location you choose could be subject to the same disaster (hurricane, wildfire, etc.) and should be distributed across the globe. But for practical purposes, that’s very unlikely to be needed and is too costly and time consuming for the average person.
Great information, I wish it was “skinnable” for less knowledgeable users (my Mom will stop reading at “use SSL” and “NAT replacement”).
Regarding backup, I dutifully make them but I don’t trust my backup programs. Awful Norton 360 and Lenovo ThinkVantage both nag me to make backups but I have no idea what format they use, whether any other vendor supports it, whether it’s available for other O.S., etc.
A few wordage errors (I couldn’t locate an e-mail to nag you privately)
“from the developers website” This is possessive form, so “developer’s website”
“your much better off”, “if your under 30”. These are contractions of “you are”, so apostrophe.
“sure of it’s origin”. This is already a possessive pronoun like “his”, so no apostrophe.
@skierpage: Thanks for pointing out the bugs 😉 . I made a few tweaks.