Sunday, September 17, 2006

5 More Security Tips for Power Users

These tips go further than the usual advice of disabling JavaScript, Java, ActiveX, and Flash.

1) Delete your cache and cookies after each session
This sensitive information, which should be closely guarded, has a bad habit of becoming publicly accessible. If you're using Firefox (and you are, right?), the Web Developer toolbar has a nice feature to "Clear Private Data" under the Miscellaneous pull-down. You could also set the history to zero days and deny all cookies. Your call.

2) Beware of overly long URLs
Be especially suspicious of URLs that wrap more than a single line or are heavily disguised with URL-encoded characters. If you're not sure about the true nature of a URL, decode it and check whether it has any HTML tags embedded within it. If it does, you probably DON'T want to click: encoded markup riding in a link is usually a script payload aimed at the site in the link, not anything the site itself produced.
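Here is an added example (mine, not part of the original post) of that decode-and-inspect check as a small Python script. It decodes each part of the URL repeatedly, because payloads are often double-encoded so that a single decode pass still looks harmless, and flags HTML tags, inline event handlers and javascript:/data: URIs. The sample links in the `__main__` block are constructed for the demonstration and point at nothing real; the tag list and the 200-character length threshold are my own heuristics.

```python
import html
import re
from typing import List
from urllib.parse import unquote, urlsplit

# Markup that has no business inside a link you are being asked to click (heuristic list).
_TAG_RE = re.compile(
    r"<\s*/?\s*(?:script|iframe|img|svg|object|embed|body|style|meta|form|input|a)\b",
    re.IGNORECASE,
)
# Inline event handlers and script-bearing URI schemes are payloads even without a tag.
_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=|\b(?:javascript|data)\s*:", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode and HTML-unescape repeatedly until the text stops changing.

    A single unquote() pass turns %253C into %3C, which still looks harmless;
    a second pass reveals the '<'. The round limit stops pathological inputs.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def suspicious_url(url: str, max_len: int = 200) -> List[str]:
    """Return the reasons a URL looks like it carries injected markup; an empty list means none found."""
    reasons = []
    parts = urlsplit(url)
    # Reflected payloads usually ride in the query or fragment, but some servers echo the path too.
    for name, piece in (("path", parts.path), ("query", parts.query), ("fragment", parts.fragment)):
        decoded = fully_decode(piece)
        if _TAG_RE.search(decoded):
            reasons.append(f"HTML tag in {name} after decoding: {decoded[:60]!r}")
        if _HANDLER_RE.search(decoded):
            reasons.append(f"event handler or script URI in {name}: {decoded[:60]!r}")
    if len(url) > max_len:
        reasons.append(f"unusually long URL ({len(url)} characters)")
    return reasons


if __name__ == "__main__":
    # Constructed sample links: one plain, one single-encoded, one double-encoded.
    samples = [
        "https://example.com/search?q=hello+world&page=2",
        "https://example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "https://example.com/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    ]
    for link in samples:
        print(link)
        for line in suspicious_url(link) or ["looks clean"]:
            print("   ", line)
```

The double-encoded sample is the interesting one: after one decode it reads `%3Cimg%20src%3Dx...`, which a quick glance (or a naive filter) passes, and only the second round exposes the `<img onerror=...>` payload.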

3) URL shorteners
Pranksters and bad guys alike are using URL redirect services like TinyURL, snipURL, notlong, shorl, and doiop to disguise potentially malicious URLs. To double-check these URLs I've been using the command line to issue an HTTP request directly to the shortener and see where the Location header is pointing, without letting anything follow the redirect. If the destination URL looks safe, then I'll click. You can never be too careful with these things.
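An added example (not from the original post) of that check in Python: `peek_redirect` sends a single HEAD request to the shortener and reads back the Location header without following it, so nothing behind the redirect is ever fetched. Since no real shortener can be contacted offline, the block also starts a constructed stand-in on localhost whose `/abc123` path redirects to a made-up long URL; the host names, paths and User-Agent string are all illustrative.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import urlsplit


def peek_redirect(url: str, timeout: float = 5.0) -> Optional[str]:
    """Send one HEAD request to the shortener and return its Location header, or None.

    The redirect is deliberately NOT followed: only the shortener's host is contacted,
    and the destination comes back as text for a human to read before clicking.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "redirect-peek/0.1"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None  # no redirect: the short URL served content itself or failed
    finally:
        conn.close()


class FakeShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortening service (this demo only, not a real service)."""

    # Hypothetical short code -> hypothetical hidden destination.
    TARGETS = {"/abc123": "http://long.example/account/verify?session=%3Cscript%3E"}

    def do_HEAD(self):
        target = self.TARGETS.get(self.path)
        if target is None:
            self.send_response(404)
        else:
            self.send_response(301)
            self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_shortener() -> Tuple[HTTPServer, str]:
    """Start the stand-in on an ephemeral localhost port; returns (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), FakeShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, base = start_fake_shortener()
    try:
        print("abc123  ->", peek_redirect(base + "/abc123"))   # the hidden destination
        print("nothere ->", peek_redirect(base + "/nothere"))  # None: nothing to inspect
    finally:
        server.shutdown()
```

From a shell, `curl -sI <short URL>` shows the same response headers. Two caveats: some shorteners answer HEAD with 405 Method Not Allowed, in which case send a GET and still read only the headers, and a Location header may itself point at another shortener, so repeat the check by hand rather than letting a client chase the whole chain automatically.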

4) Damn those secret questions!
Everyone eventually forgets a password and needs to regain access to their account. Most password recovery methods are fairly straightforward, providing a few different options to verify your identity. The one method that really drives me crazy is the "clever" secret question and answer. There is no friggin' way I'm giving any website the name of my 3rd grade kindergarten teacher, dog, or high school, and certainly not my favorite color. If a breach were to occur, and they do all the time, then I've just lost MORE personal information. To circumvent this nonsense, I've begun treating secret Q&As like username/password pairs: the answer is a random string, stored wherever my passwords are. Imagine the surprise of the customer support person when I tell them the name of my dog is ji*P5c$r.

5) Use a virtual machine
For my tin-foil-hat-wearing brethren, consider using VMware when surfing anywhere you don't trust. If anything strange happens during the current session, your important data stays on the host, well protected from whatever ran inside the guest. Just remember to roll back to a known-good snapshot between sessions to protect your security and privacy; a compromised guest that is never reset quietly keeps its foothold.

1 comment:

fffan said...

Since v1.5, Firefox allows Clear Private Data out of the box ... just use Ctrl+Shift+Del. After reading your post I might start to use it.

Thanks for putting up this great blog!