Special thanks to Exorince and Veeno for their help!
Important definitions:
- Two-factor/multi-factor authentication: The use of two (or more) forms of authentication. They must be different forms; using two items of the same form does not qualify (so two passwords is still considered single-factor authentication). There are three forms of authentication:
- Something you know (Password is most common, followed by a PIN, and in smartphones: a swipe pattern)
- Something you have: A keyfile, ID card, or a token
- Something you are: Anything biometric such as a fingerprint or iris scanner
- Brute-force attack: A hacking attack where the hacker systematically tries every possible combination to gain access to your account
- Dictionary Attack: A hacking attack where the hacker systematically goes through every word in the dictionary, followed by every name, followed by any personal information they know about you
Passwords
Passwords are the most common form of security around, and the most important. This issue will not be covered in its entirety here because of how prevalent it is; rather, this will be the starting point for strong passwords and other password-related things that apply to everything. Password-related content for specific services and products can be found in their own appropriate section.
Here are some basic questions to start off with:
1. Do you use the same password everywhere or almost everywhere?
2. Are your passwords less than 12 characters in length?
3. Do your passwords contain a word from the dictionary or a name properly spelled?
4. Is one (or more) of the following missing from your passwords: a lower-case letter, an upper-case letter, a number, or a special character?
If you answered "Yes" to any of the above questions, your password is probably weak, and if you see your password in this list of the most common passwords, http://www.tomshardware.com/news/imperva-rockyou-most-common-passwords,9486.html, then you definitely have a weak password.
So, what is wrong with the above things? Let's see:
1. When you use the same password everywhere or almost everywhere, if any site gets hacked or you slip up and give out the password just once, all or almost all your accounts are compromised. -- http://xkcd.com/792/
2. The shorter the password, the easier it is to crack. In some instances, short passwords are even stored with a weaker algorithm than longer ones (for example, Windows passwords under 15 characters use the LM hash, which is extremely weak, while passwords with 15+ characters use NTLM).
3. Words and names are extremely easy to crack with a modern PC by just doing a dictionary attack. It's all the easier if you have a botnet or supercomputer trying all the possibilities.
4. The more variance in your password, the better. Having at least one of each character type significantly boosts your password strength compared to not.
So, just how secure is your current password? Test it out at http://howsecureismypassword.net/. If you are paranoid (which in this case is NOT a bad thing), you can view the source. It all runs locally and sends nothing back; it even works fine in offline mode. Still a little anxious about entering your password? http://howsecureismypassword.net/faq/#safe
Further reading: http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/ -- a bit on the old side, but still a great read.
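To make the four questions above concrete, here is an added example (not from the original post) that applies them to a candidate password and also computes the brute-force search space from the character classes present, which is the same estimate the "how secure is my password" style checkers make. The wordlist is a constructed stand-in; a real dictionary attack uses a list of hundreds of thousands of words, names and personal details.

```python
import math
import re

# Constructed, tiny stand-in for a real cracking wordlist.
WORDLIST = {"password", "dragon", "monkey", "letmein", "sunshine", "michael"}

# The four character classes from question 4, with the size of each class
# as an attacker would count it when brute-forcing (33 = printable ASCII punctuation).
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^a-zA-Z0-9]"), 33),
}


def missing_classes(pw):
    """Question 4: which character classes does the password lack?"""
    return [name for name, (rx, _) in CLASSES.items() if not rx.search(pw)]


def contains_dictionary_word(pw, wordlist=WORDLIST, min_len=4):
    """Question 3: does the password contain a properly spelled word or name?
    Case is ignored, because a dictionary attack tries case variants anyway."""
    low = pw.lower()
    return any(w in low for w in wordlist if len(w) >= min_len)


def keyspace_bits(pw):
    """log2 of the brute-force search space: alphabet ** length, where the
    alphabet is the sum of the sizes of the classes actually present.
    This is why question 2 (length) and question 4 (variance) both matter:
    each extra character multiplies the space by the alphabet size, and each
    extra class enlarges the alphabet. It says nothing about dictionary words,
    so it must be read together with the checklist, never alone."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def assess(pw, reused=False):
    """Apply the post's four questions. Returns (is_weak, reasons)."""
    reasons = []
    if reused:
        reasons.append("reused across sites (Q1)")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters (Q2)")
    if contains_dictionary_word(pw):
        reasons.append("contains a dictionary word or name (Q3)")
    missing = missing_classes(pw)
    if missing:
        reasons.append("missing character class(es): " + ", ".join(missing) + " (Q4)")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    for candidate in ("password1", "Monkey2010!", "kX9#mQ2!vL7$"):
        weak, why = assess(candidate)
        print(candidate, "weak" if weak else "ok",
              "%.1f bits" % keyspace_bits(candidate), why)
```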
Remembering your Passwords
But remembering a bunch of 12+ random character passwords is hard, right? Well, it doesn't have to be.
To start, you can create a system to help you remember your complex passwords. The Mozilla team did a great job describing it, including a video: http://support.mozilla.com/en-US/kb/Choosing%20More%20Secure%20Passwords. Such a system can create very strong passwords and be quite memorable. I currently use a variation of it.
Maybe you are still afraid you will forget your password. For this there are four options that I will discuss here. These are: KeePass, LastPass, TrueCrypt, and keeping them on you at all times. The first two are password managers, TrueCrypt is obviously a file encryption tool (which I will give more attention to in the future), and keeping them on you at all times, while counter-intuitive, does work. Each of these tools has its own distinct advantages and disadvantages, so I leave it up to you to choose the one you feel is best. First, though, let me address a question you are probably wondering about right now:
So what is wrong with my browser's password manager?
Quite simply: it is incredibly insecure, especially the way it is right now. Firstly the encryption on the password database isn't very strong (I can't even find information on Chrome's password database being encrypted). Are you using Google Chrome's password manager? All your usernames and passwords are just a click away and there is no way to fix that (don't believe me? http://www.blogtechnika.com/disable-chrome-password-manager). It's the same on Firefox unless you use a master password. Opera is a step up in that it will never show you the passwords, just the username, but the encryption is still weak. I really cannot recommend Chrome's password manager at all as there is NOTHING you can do at the current time to secure it. If using Chrome, you really do need to use a third-party password manager. Both Firefox and Opera aren't much better off, but if you are going to use them, you do have some options.
Firefox's built-in password manager:
First download https://addons.mozilla.org/en-US/firefox/addon/256173/ and set a master password. A quality meter will tell you how strong it is. Set up an auto-logout time. You will never be prompted for your master password so long as you don't time out, but if you do you'll need to re-enter it. Either use a short timeout that only counts inactivity, or a long one (an hour or so) that always times out. Which to choose depends on your browsing habits and how easily you are annoyed.
Opera's built-in password manager:
Opera's password manager is a bit more feature-rich than Firefox's and so is its master password, which is good since there is no extension for it. Tools -> Preferences -> Advanced -> Security -> Set Master Password... and set your password. Set your timeout interval (right underneath it, called "Ask for password") as you feel appropriate. Setting it to "Every time needed", the default setting, will probably drive you mad; an hour is good. Finally make sure to check the box for "Use master password to protect saved passwords". If you don't, the master password only applies to client certificates.
As I said, Firefox's and Opera's password managers are only marginally better than Chrome's even with the master password, so a third-party password manager is still best as the encryption is many times better. If you do use them, at least think twice about giving them important passwords for things like your bank account. Please consider one of these good password managers instead.
The Good Password Managers
http://keepass.info/: KeePass is a password manager for Windows. It can run on Mac OS X and Linux http://keepass.info/help/v2/setup.html#mono if that is something acceptable to you (alternatively there is http://www.keepassx.org/, but it only works with 1.0 databases. Ports to other platforms also exist). You give it a master password, and, optionally, you can create a keyfile (this is known as two-factor authentication; see "Important definitions" at the beginning of the post). Now you only need to remember one password and all your passwords are secure. KeePass has a plugin for Firefox called http://keefox.org/, but really all programs (not just browsers!) are supported through the auto-type feature. Just minimize KeePass (to the tray even), press the auto-type hotkey combo, and KeePass will automatically enter your username/password into the active program/website. There are also various tools to import your existing password list into KeePass.
Pros: Open Source, you control it, portable, highly secure, will tell you the strength of your passwords, can generate random passwords, works with any program. Works on Android/iPhone too.
Cons: The auto-type feature takes a little getting used to, while it works with any program the overall integration suffers to allow this (Except in Firefox where KeeFox creates seamless integration).
http://lastpass.com/: LastPass is a browser-based password manager that works in all major browsers and is cross-platform. Binary versions exist, but they still only work with browsers and the passwords are still synced online. On Windows an application password manager (works with any program, like KeePass) is in the works, currently in beta, but only available to Premium members. It is free for home use, but to use it with your phone you must pay ($1 a month). Your passwords are encrypted with a local encryption key and synced across browsers. When on a network where you don't feel 100% secure accessing your LastPass database, you can use one-time passwords that expire after use, so you don't have to worry about them falling into enemy hands.
Pros: always with you so long as you have Internet Access, instantly syncs, highly integrated, audits your passwords, can generate random passwords, one-time passwords, very secure (before you ask: It's been verified that LastPass NEVER gets your encryption key -- http://tinisles.blogspot.com/2010/01/should-you-trust-lastpasscom.html)
Cons: You must trust that they will stay around, if your Master LastPass password is compromised, all your passwords are compromised*
*Note: LastPass Premium offers two-factor authentication (http://helpdesk.lastpass.com/security-options/sesame-multifactor-authentication-with-a-usb-thumb-drive/). The Free version has http://helpdesk.lastpass.com/security-options/grid-multifactor-authentication/, which I don't quite consider a unique enough "something you have" to be two-factor authentication, as if someone knows what your card looks like, they can access your account without actually having your card. It is still a significant security boost, though.
http://www.truecrypt.org/: TrueCrypt is an on-the-fly encryption tool. So how does it work as a password manager? Well, it isn't as elegant as the other two options, but if you create a small encrypted file container in which you put a document containing all your passwords, then it is a highly effective, encrypted, password database. This way if you forget any password you have a fallback to rely on.
Pros: Extremely secure, offering many options for creating your encrypted file container (including a hidden volume).
Cons: Obviously not integrated at all with any application, so you must do everything manually. Must use a third-party tool (such as Dropbox) to sync it.
Keeping a list always on you: Obviously no software is involved, you just simply keep a list on you at all times, say in your wallet (or anywhere else, so long as you always remember to keep it on you). This method, while once frowned upon, has been gaining popularity in recent years among security experts. Why? Because it is always on you, so you know it is safe. If it isn't on you, then you know it is time to change all your passwords. For extra security you can do a trick to the list that only you know. For example: inject a random number in every password at a specific spot (or in a pattern that you know). If the list falls into the wrong hands, they can't tell those numbers aren't part of the actual password and as such cannot use your passwords right away or at all. This gives you more than enough time to verify you didn't just leave the list at home and to change your passwords to something secure again.
Pros: Pretty secure; you are instantly aware if your password database is compromised since it is always on your person. Always with you in all circumstances.
Cons: You must diligently keep it on you at all times for the security aspect; obviously if you use no trick and lose the list, all your passwords are potentially compromised. Likewise, it is obviously 100% manual.
Passwords - the remaining stuff
At this point your passwords are nice and complex, secure, and easy to remember/access, but that is not all there is to say on password security. Remember those password hints and pesky security questions you set up for most services? Those can be an Achilles' heel for your accounts if you are not careful.
For password hints there are a few things you can do: You can do away with them completely, typing in gibberish when forced to have one (what I currently do), or you can use things you know you know to help you remember the pattern you use for your passwords. Along the lines of http://www.youtube.com/watch?v=nFz_7HttWa0 - It means absolutely nothing to anyone but you. In all cases you should be careful here and any hint you give should use word associations or have a meaning that only you would understand relying on your personality or life.
Security questions are similarly a dangerous thing, much more dangerous than password hints as they can reset your password. Weak questions mean your strong password is worthless. If you are confident in your passwords to the point you are certain they will never be forgotten, once again you can make these complete gibberish so they are impossible to break into. Security questions have two pitfalls: 1. They are susceptible to social engineering since they are questions about you. Make sure you NEVER post the answers to your security questions anywhere, ESPECIALLY on social network sites like Facebook and Myspace. If you do that, then all your security efforts go down the drain. 2. Security questions are often just a word or name, making them HIGHLY susceptible to dictionary attacks if the security questions don't have a lock-out. To combat this make your answers always at least two words, and maybe throw in a special character at the end or the beginning that is your "trick" for them. One thing growing in popularity that does a good job of combating both is to create a pattern for your security questions that does not answer them and that only you know -- (http://www.zephoria.org/thoughts/archives/2007/11/15/algorithms_for.html). My advice is to do that, but also make sure to include a special character at the beginning or end.
If you follow through with everything, your passwords will be very secure and any backdoors effectively shut to anyone but you.
Smart Phones
Smart Phones are all the rage these days, and as they grow more feature-rich we store more and more of our lives on them. Combining that with their high-mobility means they are a huge potential security risk and privacy hole if you lose them. Thankfully there are a decent amount of options for security on them.
Locking your phone
Android: Android 2.2 enabled PIN and password locking, prior to that you could only do a swipe pattern*. http://www.tech-recipes.com/rx/5901/android-2-2-froyo-use-pattern-pin-or-password-for-screen-unlock-security/
*Note: If using a swipe pattern, make sure to have at least one part of the pattern trace over itself. If you do not, someone can tell your pattern by looking at your smudge marks.
For Apps there are two tools: Android Protector and Tasker:
http://www.android-password.com/ - free up to 10 locked apps, $0.99 for unlimited locks.
http://tasker.dinglisch.net/ - $5-7 (out of market version is cheaper and recommended for file encryption). http://tasker.wikidot.com/applock
Why lock an app? Let's say you are letting a friend borrow your phone, but don't want them "accidentally" reading your emails or posting something from your Facebook account. Now you can lend them your phone without watching over their every move like a hawk.
iPhone: with iOS4, full password support came to the iPhone. http://www.macobserver.com/tmo/article/ios_4_setting_secure_passcodes/ -- iPhones not using iOS4 or later: http://www.youtube.com/watch?v=8SW9mL-f5Ww
Unfortunately I can't find any tools in the market to lock apps. For jailbroken iPhones it looks like there are two (I couldn't test them since none of my family members would let me jailbreak their iPhones :P), both available on Cydia: mAdvLock (also has file encryption, but costs $15) and Lockdown (has a free version, pro version is $2 and works on iOS4).
Password Management on your Smart Phone
If you listened to the suggestions above and decided on KeePass, you can use it on both the iPhone and Android. If you are a Premium member of LastPass, you can also use that on your iPhone/Android phone. Of course a system to your passwords that you memorized or keeping the list of your passwords on you at all times also works.
KeePass for your phone:
Android:
http://www.keepassdroid.com/ - Free. The Dropbox app on Android being very full-featured means easy syncing from the safety of your private Dropbox folders. It's still a bit cumbersome, but overall good. Read-only support for KeePass v2 (kdbx) files (you shouldn't be creating accounts on your phone anyway).
iPhone:
http://itunes.apple.com/us/app/ikeepass/id299697688?mt=8 - $0.99 and can use your http://ikeepass.de/bl0g/?p=175 -- Note that it must be a KeePass v1 database (kdb), not 2 (kdbx) for iKeePass to work with it. http://ikeepass.de/bl0g/?page_id=45#Opening a Database from an Online Server
http://itunes.apple.com/us/app/mykeepass/id353354895?mt=8 - $0.99. It, like iKeePass, supports databases on Dropbox; however, it has one very nifty feature: http://mykeepass.blogspot.com/2010/02/some-users-are-asking-how-to.html. Given that for it to work with Dropbox it must use the public folder, I think the over-wifi method is a very nice implementation. MyKeePass has another feature over iKeePass: it works with KeePass v2 (kdbx) databases (read-only, though). MyKeePass has the edge right now for the iPhone, but that may change in the future.
https://lastpass.com/misc_download.php
It's a free app, but having a Premium LastPass plan ($1/month) is needed. Just like on the desktop, on your SmartPhone LastPass is highly integrated with your browser. It supports both iPhone and Android, supporting Android's browser as well as Dolphin HD and Firefox Mobile (on the iPhone just Mobile Safari).
Remote Locating/locking/wiping
I imagine nothing could be worse than losing your smart phone, luckily there are a few ways to try and recover it.
Android: Android has many ways to recover it after you lost it, each offers its own advantages. Some free, some paid.
With 2.2 Froyo you have remote wiping built into Android. The only thing is that you must have Exchange set up, and only an administrator can remote wipe it. Really only an option for you if your Android phone is through your work.
http://preyproject.com/blog/2010/01/prey-arrives-on-mobiles-android-version-available - Free. Well known for their PC tracking software, Prey is now on the Android. Simply send a specific SMS to your android phone to activate it (you can set it up in the app) and another to deactivate it.
https://www.mylookout.com/ - Free or Premium version for $30/yr. Not only does it offer remote finding through the website, but also has an antivirus program. The Premium features include the ability to lock your phone until you find it or wipe it clean, as well as even more goodies.
http://lifehacker.com/5611003/build-a-find-my-iphone-clone-for-android - Free if you have Tasker already, otherwise $5-7.
https://www.wavesecure.com/wavesecure/android.aspx - $19.90/yr. You can track your phone, lock it, and back up/wipe the data
http://us.norton.com/mobile-security - Free for now. Same as above, but by Norton instead of McAfee
https://www.mobiledefense.com/ - Free (waitlisted). Before it went waitlisted, it was the app to get. Remote location, wiping, locking, and backup. Add yourself now and you might get lucky and receive it in the near future.
iPhone:
http://www.apple.com/iphone/find-my-iphone-setup/: Free for iPhone 4 users running iOS 4.2. $99/yr otherwise (there is a workaround that may apply to some). It does it all, though. Remote lock, remote finding, remote wipe, displays a message.
Workaround for non-iPhone 4 owners: You must know an iPhone 4 owner. iPhone 4s can create 3 free MobileMe accounts. If you have a friend who owns an iPhone 4 and not used all their activations, http://lifehacker.com/5696311/how-to-enable-and-use-find-my-iphone-for-free-on-iphone-3gs-and-other-pre+2010-devices
http://www.tektrak.com/ - Free for two uses, $5 beyond that. Like Prey for Android, it only locates the phone, but always runs in the background.
http://www.orbicule.com/undercover/iphone/ - $5. Alternative to TekTrak.
https://www.myfonehome.com/ - $3. Another alternative, more or less the same as Undercover or TekTrak.
Encrypting Files on your Phone
Your phone may contain sensitive data, in which case you may feel the need to encrypt it. Options are fairly limited, but do exist.
Android: http://tasker.dinglisch.net/ from the website (but not from the market) offers file encryption. It's the only real good choice out there.
iPhone: There isn't too much out there, since the iPhone doesn't really offer file storage. Jailbroken phones can get previously mentioned mAdvLock, otherwise there are some options to password protect pictures and videos: http://itunes.apple.com/us/app/video-lock-free-simple-secure/id396385649?mt=8, http://itunes.apple.com/us/app/private-pics-free/id308884615?mt=8, and http://itunes.apple.com/us/app/picture-safe-hidef-no-1-privacy/id303740913?mt=8 (other options exist as well).
One more thing: Apps & Privacy
Be careful what you install. Here is a list of some of the worst offenders of apps that invade your privacy: http://blogs.wsj.com/wtk-mobile/. On Android, always pay attention to what permissions an app asks for on install and make sure it makes sense.
Web Browsing
There's not a single person reading this who doesn't do it. We all are doing it right now, in fact. Web browsing is a part of all of our lives, but without proper care it can be quite dangerous.
When randomly searching for things, you never know if that next search result is going to contain malware. Your antivirus software may have a rating feature, and your browser may have some protections (as does the search engine itself), but for more information a website reputation tool is needed. There are various ones out there, but the one that I feel does the best job is http://www.mywot.com/. Like any web rating site, it is prone to users downrating, but overall I feel it does a very good job. It does collect information on "you", as to get ratings it needs to know the domains you are looking at. This is true for any web rating service, though, so if you want to have this functionality, you'll have to allow the data be collected. WOT has an extension for Firefox, Google Chrome, IE, Opera, and Safari. Other browsers can use a bookmarklet for the service.
Recently there has been a rise in traffic sniffing on public wifi networks. The main tool to this end is Firesheep, which can collect passwords and session cookies sent over non-secure connections. Firesheep in particular can be countered with http://www.zscaler.com/blacksheep.html, but other tools can do a similar job, such as Wireshark. The most effective way to combat these other tools is to always establish a secure connection. To that end the Tor Project and EFF have teamed up and made an extension called https://www.eff.org/https-everywhere for Firefox (NoScript can also do it, but it is a bit more complicated: http://noscript.net/faq#faqsec6). Similar extensions exist for Chrome, https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof, and Opera, https://addons.opera.com/addons/extensions/details/redirect-to-https/1.92/?display=en, but they are not as foolproof.
Webmail
Currently Gmail is set to always use HTTPS for secure email browsing, which is a good thing, but if you changed this yourself you can fix it under the General tab in Settings. Hotmail recently added this feature, which you can set by going to https://account.live.com/ManageSSL. Unfortunately Yahoo! has not added this feature. If using Yahoo! you should request that this very important security feature be added.
Hotmail also has a single-use code system for signing in on computers that are not your own. For information on how to set it up, read http://explore.live.com/windows-live-sign-in-single-use-code-faq?. Gmail does not offer this, but does offer Password recovery over SMS. To add this feature, Go to your Google Account's https://www.google.com/accounts/UpdateAccountRecoveryOptions?hl=en.
Gmail offers the ability to Remotely log out of any computer (http://gmailblog.blogspot.com/2008/07/remote-sign-out-and-info-to-help-you.html), which can be very useful if you leave yourself logged in somewhere on accident.
Cookies and LSOs
Cookies are not necessarily bad, in fact there is a cookie keeping you logged in to this forum right now. However, advertisers often use cookies to track you around the web. Given the usefulness of cookies in general, you probably don't want to outright disable them, however blocking third-party cookies will block practically all advertiser cookies without hindering your web experience.
Firefox: Tools -> Options -> Privacy -> Use Custom Settings for History -> Uncheck "Accept third-party cookies"
Google Chrome: Wrench/Tools icon -> Options -> Under the Hood -> Content Settings -> Cookies -> Check "Block all third-party cookies without exception"
Opera: Tools -> Preferences -> Advanced -> Cookies -> Select "Accept cookies only from the site I visit"
Local Shared Objects (LSOs), also known as flash cookies, are a part of Adobe Flash and are becoming an ever more prevalent way of storing data on your computer as well as tracking your whereabouts. Note that, as before, LSOs do have legitimate uses, so don't think that they are all bad. There are a few things that can be done. The one thing that is the same for everyone is to go to the http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html page and delete/disable the storage for various websites. This has one significant advantage over other options: you can set those websites that do use flash cookies to track you to 0kb. That way they can't store data and you don't have to worry about a new one being created. Firefox and Chrome have add-ons for flash cookies, those being https://addons.mozilla.org/en-US/firefox/addon/6623/ for Firefox and https://chrome.google.com/extensions/detail/ghgabhipcejejjmhhchfonmamedcbeod# for Google Chrome, both of which can automatically delete LSOs on browser close. Another way to go about this is to block Flash except when needed.
Firefox: https://addons.mozilla.org/en-US/firefox/addon/722/ can block flash perfectly fine. If you are not a fan of NoScript, there is https://addons.mozilla.org/en-US/firefox/addon/433/ (Flashblock and NoScript don't work well together, and since NoScript does what Flashblock does by default, it isn't necessary)
Google Chrome: https://chrome.google.com/extensions/detail/gofhjkjmkpinhpoiabjplobcaignabnl is available here as well.
Opera: http://my.opera.com/Lex1/blog/flashblock-for-opera-9 -- Even though it doesn't specify Opera 11, it works fine in it.
One more: http://arstechnica.com/web/news/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness.ars. Evercookie is new on the field and is a JavaScript that creates multiple files through multiple methods to store data on your computer. It is not widespread yet, but may be in the future. The only truly effective way to deal with the evercookie is to block the JavaScript.
Using an ad-blocking feature, add the following entry: */evercookie.js*
Ad-blockers and Script-blockers
Ad-blocking does more than just remove annoying ads (though that is the most obvious) -- it also adds security. Ads are not controlled by the website they are displayed on, and there are many cases of malicious ads infecting users; the most recent example I can remember was not even a year ago on SlickDeals.net. I am all for supporting websites you visit, but when the ads don't run on their own server, you are taking a risk. Thankfully whitelists are fairly popular for ad-blockers, so you can get rid of the annoying/dangerous ones while still supporting your favorite websites. For extra privacy, consider adding the track-blocking lists from http://alturl.com/fw5nk.
Script-blocking is similar. Many scripts from domains other than the one you are on can be dangerous or track you.
Firefox: Does it really need to be said? https://addons.mozilla.org/en-US/firefox/addon/1865/! Undeniably the king of Ad-blockers.
The Previously mentioned NoScript is the add-on of choice for script-blocking.
Google Chrome: https://chrome.google.com/extensions/detail/gighmmpiobklfepjocnamgkkbiglidom is currently the best one. https://chrome.google.com/extensions/detail/cfhdojbkjhnklbpkdaibdccddilifddb was recently officially ported, but is in Beta and VERY unstable.
For Script Blocking it is https://chrome.google.com/extensions/detail/odjhifogjcknibkahlpidmdajjpkkcfn
Opera: Opera has a built-in Content Blocker that is best used with the http://tinyurl.com/4mgnvc. Right-click any page and select "Block Content" to access the blocker. Hold shift while clicking to block specific items. https://addons.opera.com/addons/extensions/details/noads-fixed/1.0.8-fixed3/?display=en is another option. The best is to use Content Blocker whenever possible and NoAds' Content Blocker Helper feature for iFrames/javascript and only use NoAds for the auto-updating filter list feature.
Chrome's NotScript was ported to Opera 11. https://addons.opera.com/addons/extensions/details/notscripts/1.0.4/?display=en
URL Unshorteners
With the advent of microblogging, URL Shorteners have grown in popularity. However, just randomly clicking a shortened link is VERY dangerous, as the site on the other side may be crawling with all sorts of nasties. Luckily, there are ways to unshorten a URL.
Firefox: https://addons.mozilla.org/en-US/firefox/addon/long-url-please/
Google Chrome: https://chrome.google.com/extensions/detail/ahhcmjnfhbpgagklnjhlcabnbcdgipje?hl=en
Opera: https://addons.opera.com/addons/extensions/details/unshorten/1.2.1/?display=en
Private Browsing and Deleting Browser Data
Private browsing is supported in Firefox, Google Chrome, and Opera. It allows you to browse the web without leaving a trace (not really, but for the most part, yes). It is great for when you occasionally want to browse without leaving a trace, but if you are willing to go further, you can clear all or at least selected browser data every time on close. Why would you want to do this? Your browser cache and cookies are insecure. If someone gains access to your computer and you don't clear out your cache and cookies, they will be able to gain access to your accounts since you are still logged in. This can be remedied in Firefox, Chrome, and Opera in different ways by deleting your browser data on browser close.
Firefox: Tools -> Options -> Privacy -> Check "Clear history when Firefox closes". Proceed to click the "Settings" button. Cookies, Cache, and Active Logins should definitely be cleared on close. It does mean you'll have to log in to your sites every time, but that is what password managers are for. For extra security clear your Form & Search History and Download History. If extra paranoid and you won't miss it, clear your Browsing History as well. Super-paranoid people may also want to consider clearing Offline Website Data and Site Preferences to not leave a trace behind.
Google Chrome: Google Chrome only supports deleting cookies on browser close. To enable this go Wrench/Tools icon -> Options -> Under the Hood -> Content Settings -> Cookies -> Check "Clear Cookies and other site data when I close my browser". You need previously mentioned https://chrome.google.com/extensions/detail/ghgabhipcejejjmhhchfonmamedcbeod# to completely clear out your private data on browser close. It is an option under the extension options.
Opera:
Cache: Tools -> Preferences -> Advanced -> History -> On "Disk Cache" check "Empty on exit".
Cookies: Tools -> Preferences -> Advanced -> Cookies -> Check "Delete New Cookies when Exiting Opera"
Download: opera:config#TransferWindow|KeepEntriesDays and set to "0"
If feeling extra paranoid: Tools -> Preferences -> Advanced -> History -> Set History Addresses to "0" and uncheck "remember content on visited pages" and set opera:config#UserPrefs|SavePasswordProtectedPages to 0
One more thing: Web domains and extensions
The single greatest thing you can do to check whether you are on a phishing website is to check the domain. Modern web browsers all highlight the actual domain of the site, making it that much easier (Firefox users need https://addons.mozilla.org/en-US/firefox/addon/4014/). What matters is the registrable domain at the end of the host name, right before the first "/" after the scheme: https://www.paypal.com.example.net/login is on example.net, not paypal.com, and anything before an "@" in the host part is not the host at all, the browser connects to whatever follows the "@". Doing that alone will greatly lower your risk of being a phishing victim.
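As an added illustration (this code is not part of the original post), here is a small Python check that reads the registrable domain off a URL the way you should be reading it off the address bar, and flags the usual lures: a brand name buried in a longer host, a brand name in the path, userinfo before an "@", and punycode look-alike domains. The suffix list is a tiny hand-picked subset of the Public Suffix List, an assumption made to keep the example short; a real check should load the full list.

```python
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked subset of the Public Suffix List. A real
# check should load the full list; this is only enough for the demo below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def _split(url):
    """urlsplit() only finds a host when a scheme is present, so add one."""
    return urlsplit(url if "://" in url else "http://" + url)


def registrable_domain(url):
    """Return the registrable domain (eTLD+1) of url, lower-cased, or None.

    .hostname already strips userinfo and the port, so
    'https://paypal.com@evil.example/' correctly yields 'evil.example':
    the browser connects to whatever follows the '@'.
    """
    host = _split(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url, expected_domain):
    """Return (ok, reason). ok is True only when the registrable domain of
    url is exactly expected_domain; reason lists every lure detected."""
    expected = expected_domain.lower()
    parts = _split(url)
    domain = registrable_domain(url)
    if domain is None:
        return False, "no host in URL"
    reasons = []
    if domain != expected:
        reasons.append(f"host is {domain}, not {expected}")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@'; the real host follows it")
    if "xn--" in domain:
        reasons.append("punycode (IDN) domain; check for look-alike characters")
    if expected in (parts.path + "?" + parts.query).lower() and domain != expected:
        reasons.append(f"'{expected}' appears only in the path or query")
    return (not reasons), ("; ".join(reasons) or "domain matches")


if __name__ == "__main__":
    # Constructed sample links: one genuine, four lures.
    for link in ["https://www.paypal.com/signin",
                 "https://www.paypal.com.evil.example/login",
                 "https://evil.example/paypal.com/login",
                 "https://paypal.com@evil.example/",
                 "http://xn--pypal-4ve.com/"]:
        print(link, "->", check_link(link, "paypal.com"))
```

The same rule applies to links in e-mail and on Facebook: hover, read the host right to left, and only trust the last two (or three, for suffixes like co.uk) labels.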
The last thing to talk about is plug-ins. Plug-ins are insecure, to put it simply. They aren't updated automatically with your browser, and it is very easy to miss one that is a security risk. The biggest security risks in general to your computer are Adobe Flash, Adobe Acrobat/Reader, Java, Silverlight, and QuickTime (http://www.youtube.com/watch?v=54XYqsf4JEY). On top of not updating with your browser, these plug-ins also run with far more permissions than your standard browser extension. Ask yourself if you really need those plug-ins, and then, even for those you do, think about at least making them run on demand (I currently run with Java always disabled, it being the least useful in the modern web and one of the most dangerous). Mozilla made a wonderful plug-in checker, available at https://www.mozilla.com/en-US/plugincheck/; use it often. It works with Firefox, Google Chrome, and Opera.
Firefox: NoScript is the closest thing to plug-ins on demand. If you don't want to block JavaScript, you can set it up so that only plug-ins are disabled. To do this, go into the Options for NoScript. Under General, select "Scripts Globally Allowed (dangerous)", then on the "Embeddings" tab, forbid Java, Flash, Silverlight and other plug-ins, and select "Apply these restrictions to whitelisted sites too". Plug-ins are now effectively on-demand.
Chrome: http://lifehacker.com/5685352/set-chrome-to-run-flash-and-other-plug+ins-on+demand-only
Opera: http://techie-buzz.com/how-to/flash-block-opera.html
Note that running plugins on demand may break some sites.
Facebook
I'll be honest with you guys. I've caved. I created a Facebook account...
... Well, kinda. I created a dummy account attached to a dummy email address for the sole purpose of perusing Facebook's privacy options.
Facebook is a social network site, which puts it instantly at odds with privacy, but that isn't to say you can't have your cake and eat it too. Here are some things you can do to improve your privacy without quitting Facebook.
First things first: set up an email address just for Facebook. You can set your email to private, but that setting has failed before (http://gawker.com/5505967/facebook-revealed-private-email-addresses-last-night). Most webmail services offer excellent email forwarding features to make it seem like it isn't even a separate email account.
Now let's head over to Facebook's privacy settings. Click Account->Privacy settings when logged in on Facebook.
Recent happening: Recently Facebook announced the option to use HTTPS throughout the site. This will be slowly rolled out over the upcoming weeks. Pay attention to when you can do it, and I HIGHLY recommend enabling it as soon as possible (http://blog.facebook.com/blog.php?post=486790652130)
Connecting on Facebook
I almost missed this at first, being at the top and not highly visible (maybe Facebook did that on purpose :P). This controls what people can see on your public profile. What you should set to what depends on how visible you want to be, but there are three settings you should consider altering:
Send you messages: Set it to at least "Friends of Friends" if not "Friends Only". This will seriously cut back on the amount of spam messages you receive.
See your friends list: Does everyone need to be able to see whom you've friended? No. Like above, set it to at least "Friends of Friends" if not "Friends Only" (maybe you also have some people on your friends list who you don't want to be able to see who else you've friended; customize it to keep them from seeing it).
See your current city and hometown: Maybe you are trying to reconnect with someone from your hometown, but besides that this is nothing but a significant privacy leak that offers no real value to have visible to everyone. Even if you are trying to reconnect with someone, having it visible may not do you any good, rather you are better off trying to track them down than rely on them trying to track you down.
Sharing on Facebook
This controls the more private bits you put on Facebook. For the most part there isn't much benefit from letting everyone see everything on here.
Posts by me: Does the whole world need to see this? If so, use a blog. Facebook is for networking with groups, not for the whole world to read your manifesto. Friends of Friends or Friends only make the most sense. Maybe there are a few "friends" that you don't want to be able see your posts (like your boss).
You can also set who can and cannot see an individual post/update, which I will discuss below.
Family: Does it even make sense to have everyone be able to view this? No. Either have just your friends view it or even just a subset of those, like close friends and actual family members.
Relationships: Even allowing some family members the ability to see your relationship status can be dangerous for some people. This is one that I definitely think you should have very restricted, unless you want a bunch of people messaging you asking "what happened between you two!" and "I liked him/her" or "you deserve better" mere minutes after changing your status from "in a relationship" to "single" or "it's complicated". An anecdotal bit from just last month: my sister had a horrible break-up with a guy my parents never really approved of. She didn't change her status on Facebook for some time, and I can recall various times where various people, family and friends, were talking about her non-status change behind her back. :shakehead:
"Interested in and looking for" and "Bio and favorite questions" are two that you should set as you feel appropriate as if you are trying to find people who have similar tastes rather than just staying in touch with those you already know, you may want to leave them open (just don't make your favorite questions the same as your security questions as I mentioned above in the passwords section!)
Religious and political views: This can be quite volatile for some people, especially if you have never told some family members about your stance on these things, so think carefully about who you let see this.
"Places I check in to" and "Include me in "people here now" after I check in": once again, depends on your stance social networking vs privacy. Note that the last one is visible to people checked in nearby, NOT just friends. While that may be fine with you for things like conventions, it is a privacy leak at other times that you may or may not want.
Photos: I highly recommend customizing who can and cannot view what photos and videos. Be aware of what you are posting and apply fitting filters to any and all pictures as you see fit.
Photos and videos I'm tagged in: Do you want other people to be able to find videos and pictures of you that you did not upload? Like, say, your boss or a family member who doesn't know some of your habits? Or in general maybe you were just stupid a night and did things you normally wouldn't. I highly recommend restricting this one to certain people only, and it doesn't really hurt your social networking (it doesn't stop them from seeing tagged photos from mutual friends, of course)
Can comment on my post: Maybe you have that one annoying person who just pesters you, use this to keep them from bothering you with comments.
Suggest photos of me to friends: Same concept as "Photos and videos I'm tagged in"
Can see Wall posts by friends: This is another one you may wish to restrict quite a bit if you have a friend who says some things often you don't want a boss or family member to see and you don't want to disable your Wall.
Friends can check me in to places: It makes no sense to enable this one in any situation. Disable it.
Contact information: Set this as you feel appropriate. Remember this, people with a bajillion friends and who added those obviously fake accounts to boost their friends list: if you make it visible to those not-really-friends people, they can very easily go ahead and use it in advertising and other things without your knowledge. It might explain your constant spammage.
Apps, Games, and Websites
Info accessible through your friends: This is a potentially huge data leak. Look at what you are allowing your friends to leak and see if that makes any sense to you for games. It doesn't a lot of the time. It can undo a lot of the other settings you've set up.
Instant personalization: A huge privacy leak that offers little to nothing in return other than possibly saving you a little time. On the other hand it can cause other sites to become incredibly annoying (see http://lifehacker.com/5542041/block-sites-from-using-your-facebook-login-with-adblock-plus to add blocking filters as well). Disable it.
Public search: You may be ok with some people searching you out on Facebook, but a full search engine is a different matter. It's disabled automatically if you disable everyone being able to search for you on Facebook.
Account Settings
**As mentioned above, the site-wide HTTPS option (http://blog.facebook.com/blog.php?post=486790652130) can be found in your Account Settings. I HIGHLY recommend enabling it as soon as it is available to you.**
Now go to Account Settings to get the last little bit of Privacy and security settings:
Set up your mobile phone with Facebook, and you can get one-time passwords through SMS for using Facebook anywhere you don't feel 100% safe (like those public wifi networks previously mentioned). In "Account Settings" you can also remotely log out any other active computer connected to your account (http://blog.facebook.com/blog.php?post=436800707130).
For the last thing, head over to the "Facebook Ads" tab in your account settings. Set to "No one" both "Allow ads on platform pages to show my information to" and "Show my social actions in Facebook Ads to". With that, your Facebook is now nice and secure, however:
Some Other Settings
Per-post privacy controls: http://www.wikihow.com/Manage-Facebook-Privacy-Options#tips - I HIGHLY recommend really getting into the habit of using these. In many respects it is better than setting a universal rule for your posts. http://just-ask-kim.com/hot-facebook-tip-post-privacy-control-who-sees-your-facebook-post/ -- Also demonstrates a bit of the power of lists (see the further reading below).
Also be Aware Of
As we saw just recently on this very forum (http://www.gamesas.com/index.php?/topic/1157218-what-is/), linking to content from your profile IS a leak that can lead to your profile being uncovered. Be aware of this when linking to images you've uploaded to your Facebook account. Likewise be wary of Facebook Connect: if your Facebook login information is compromised, so are the sites you log into with it. It can also be used to track down your Facebook page if your profile picture is served through FB Connect.
Remember that Facebook only uses a secure connection for the initial log-in, after which your log-in cookie is transmitted over insecure HTTP. This allows your session cookie to be sniffed with the previously mentioned Firesheep. Consider forcing HTTPS with the previously mentioned HTTPS Everywhere (and related clones) when on public networks (note: HTTPS Everywhere does break some apps and some other things on Facebook). **Note: This is now changing! See the previous notes about the site-wide HTTPS option.**
A recent development is how much information leaks through to Apps when using them (http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html):
"The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."
Your Facebook ID is always collected, so it isn't fully anonymous, this data is linked directly to you:
"Defenders of online tracking argue that this kind of surveillance is benign because it is conducted anonymously. In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found."
Just another of many things to think about on Facebook.
Also, a recent development is that Facebook now lets app developers ask for your address and phone number (http://www.insidefacebook.com/2011/01/15/platform-update-facebook-lets-developers-ask-a-user-for-their-address-phone-number/). Pay extra-close attention when granting permissions from now on.
Further Readings:
http://lifehacker.com/5719631/get-better-privacy-and-less-chat-annoyance-with-facebook-lists It'll make your customization of who gets to view what much simpler.
http://lifehacker.com/5548375/a-guide-to-facebooks-new-simpler-privacy-controls
http://nakedsecurity.sophos.com/2011/01/21/the-state-of-facebook-security/ -- Facebook scamming is on the grow, so be careful. This is just another reason to forbid Facebook from communicating with other sites.
Google
Pretty much all of us use it, and it knows a ton about most of us. Thankfully Google does give you some control.
http://www.google.com/intl/en/privacy/ - Learn it, love it, visit it often. Click on Privacy Tools (http://www.google.com/intl/en/privacy/tools.html) to get to the settings. The rest is just information. In Privacy Tools you will see many options.
Google Dashboard: The important one is Google Dashboard, which will tell you what Google products you are using and what Google knows about you through them. It is a central point of control for all your use of all Google products.
Ads Preference Manager: this will allow you to control what ads Google will show you. In doing so you tell Google what you like so you get more accurate/relevant ads.
Data Liberation Front: If you are looking into biting the bullet and leaving Google entirely, head here. This site will tell you how to get any and all your data from all the Google services out so you can switch to different options. It's drastic, but if you are THAT worried about Google, it may be interesting.
Google Encrypted Search: This secures the connection between you and Google for your searches, but it doesn't work for everything. Google still stores your queries, so for searching Google without Google seeing who is asking, you will need to go through a proxy such as Scroogle (https://ssl.scroogle.org/).
Web History Controls: This is a setting you may have inadvertently enabled. It uses your previous web searches to "help" you in the future, and potentially stores other web usage information. Turning it off doesn't remove your searches from Google's servers, but it may still be useful, especially in a multi-user environment.
Google Analytics Opt-out: You can opt out of being tracked through Google Analytics. You will need to install a browser extension, which currently only supports Firefox, Google Chrome, and Internet Explorer. This can, of course, also be done through a content blocker.
Search Personalization Opt-out: If you are using Web History, this is enabled. Instructions on how to disable it when not signed into a Google Account are also explained.
Some Other Settings
Google Buzz: Google Buzz is quite a privacy leak. The only way to disable it is to remove your public profile, which can be done at https://www.google.com/profiles/me/deleteprofile?continue=https://www.google.com/profiles/me/editprofile%3Fedit%3Dt. In all likelihood you probably don't even have a public profile (click "My Account" on Google, and it will tell you under "Profile").
Remember: Pretty much every Google product has options on the visibility of your content, just look around and set it appropriately. Creating a document you only want select people to see? Set it appropriately. Even more important are your Google Calendar settings (if using it). Every calendar you create has options on how public it is that can be found in the Calendar settings, same for every event you add to your calendar. Spend some time just looking around at the various privacy settings for Google Products that you use. There isn't much you can do with how much Google collects on you short of stopping your use of Google products, but you can stop anyone else from seeing that Google info.
File Encryption
File encryption is the ultimate in data privacy and security. There are many encryption tools out there, but for the purposes of discussion here I will only talk about TrueCrypt. TrueCrypt offers advantages over other options, including BitLocker: being cross-platform, it lets you mount and recover your data from any OS. Other encryption schemes may offer advantages over TrueCrypt (for example, if you are interested in TPM-backed keys), so it may not necessarily be the right choice for you.
There are three basic encryption options, as well as the choice between hidden and non-hidden volumes. These options are: an encrypted file container, an encrypted non-system partition or drive, and an encrypted system partition/drive (this last option is currently only available on Windows). Two-factor authentication is also available through the use of keyfiles, though keyfiles aren't an option for system encryption (two-factor authentication can still be achieved there another way, described below).
Encrypted file container: This option is the simplest to implement. You create a volume that appears to be a normal file (you can give it any file extension you want), but when you mount it with the proper password (and/or keyfile) it reveals its contents. You can make it a hidden volume for added privacy/security (a would-be attacker may uncover the outer volume one way or another, but the hidden volume remains secure). The disadvantage of an encrypted file container is that it is relatively simple to just copy the file to a removable drive, where the attacker can try to crack it at their leisure without you being aware of it (a keyfile drastically lowers their chance of success, provided the keyfile and the container are not stored in the same location, since guessing the password alone is then useless).
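To make the keyfile point concrete, here is an added Python model that is not part of the original post and is NOT TrueCrypt's real header format or key-derivation scheme (those are documented at the links at the end of this section). In this simplified model the volume key is derived from the password with the keyfile bytes appended, and a header tag lets the opener check whether the derived key is right. A wordlist attack on a copied container succeeds against a weak password alone and fails when the keyfile was stored elsewhere and did not get copied with it.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # cost chosen for this demo; real tools pick their own


def derive_key(password, keyfile_bytes, salt):
    """Derive a 32-byte volume key from BOTH factors: the keyfile contents are
    appended to the password before the slow hash, so a guess at the
    password alone cannot reproduce the key."""
    secret = password.encode("utf-8") + (keyfile_bytes or b"")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, 32)


def create_container(password, keyfile_bytes=None):
    """Return a minimal header: a random salt and a tag that only the correct
    key can reproduce. (A real header also carries the wrapped master key.)"""
    salt = os.urandom(16)
    key = derive_key(password, keyfile_bytes, salt)
    tag = hmac.new(key, b"volume-header", hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def open_container(header, password, keyfile_bytes=None):
    """True if password (+ keyfile) reproduces the header tag."""
    key = derive_key(password, keyfile_bytes, header["salt"])
    tag = hmac.new(key, b"volume-header", hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["tag"])


def wordlist_attack(header, wordlist, keyfile_bytes=None):
    """Offline attack on a copied container. The attacker supplies whatever
    keyfile they managed to copy along with it (None if it lived elsewhere)."""
    for word in wordlist:
        if open_container(header, word, keyfile_bytes):
            return word
    return None


# Constructed demo data: a short wordlist containing the weak password.
WORDLIST = ["123456", "letmein", "dragon", "qwerty"]


def demo():
    """Run the three scenarios and return what the attacker recovers."""
    keyfile = os.urandom(64)  # constructed stand-in for a keyfile on a USB stick
    without_keyfile = create_container("dragon")
    with_keyfile = create_container("dragon", keyfile)
    return {
        "password only, container copied": wordlist_attack(without_keyfile, WORDLIST),
        "keyfile used, keyfile not copied": wordlist_attack(with_keyfile, WORDLIST),
        "keyfile used, keyfile copied too": wordlist_attack(with_keyfile, WORDLIST, keyfile),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'cracked as ' + result if result else 'not cracked'}")
```

The third scenario is the one to remember: a keyfile sitting next to the container adds nothing, because whoever copies one copies both.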
Encrypted non-system drive/partition: This option is relatively simple to implement. The advantage is that it looks like unallocated disk space to the untrained eye, and, in the case of removable storage, the user would be prompted to format it before use. Of course, with removable storage you must be careful not to format it yourself. Once again, a hidden volume and a keyfile can be used for increased privacy/security.
System drive/partition Encryption
This one is a bit more advanced than the earlier options, but offers significantly greater security and privacy as well. On your system there are temporary files and various files tied to programs that make it hard (though not necessarily impossible) to seamlessly use file containers or encrypted non-system drives/partitions to protect their contents from prying eyes. For example, say you stored your IM logs, program profiles, and bookmarks in an encrypted file container. It would be relatively simple to accidentally start up the program those files belong to without mounting the container, which could either cause instability or write new files to an unencrypted area. System drive/partition encryption allows for seamless encryption of all the system/program files you want kept from prying eyes. You can make it a hidden volume if you choose: http://lifehacker.com/5554136/hide-your-entire-operating-system-from-prying-eyes.
Unfortunately keyfiles do not work with system encryption, but you can still get two-factor authentication. Before you encrypt the system, you will be prompted to create a rescue disk in case anything goes wrong. It can restore the TrueCrypt boot loader, boot into the encrypted system, restore the original system loader, or permanently decrypt your system. If you then restore the original system loader, or install a different boot loader to the MBR (such as GRUB2), the only way to boot the encrypted Windows is from the rescue disk, which gives you a two-factor setup: you must know the password, and you must have the rescue disk. This can be further streamlined if your computer can boot from USB by putting the rescue disk on a USB drive: http://stdout-dev-null.blogspot.com/2010/02/truecrypt-rescue-disk-on-usb.html.
Dual-booting is complicated for Linux-Windows (Windows-Windows can be simply done through the use of the hidden operating system feature), but not impossible. You can do the above and have GRUB2 written to MBR and use the CD/USB to boot into Windows, or you can force GRUB2 to install to the root (or boot) partition. http://pzolee.blogs.balabit.com/en/2010/07/grub2-and-truecrypt-windows-linux-dual-boot-system/.
If Linux is already installed, simply restore GRUB2 from the TrueCrypt rescue disc, boot into it, force GRUB2 to install to your root/boot partition, and then reinstall TrueCrypt Boot Loader to the MBR from the rescue disc. If you are using the two-factor authentication method, all you need to do is restore GRUB2. Since you don't need TrueCrypt on the MBR, GRUB2 can happily rest there.
If Linux isn't already installed, make sure you have the necessary unencryped partition to install it to. You cannot partition a TrueCrypt encrypted volume, so the partitioning for Linux needs to be done before encryption (or if you have a non-system partition/drive already, you could further partition that). Encrypt Windows with TrueCrypt and install the Linux distro of your choice. After installation force GRUB2 to the root/boot partition and restore TrueCrypt to the MBR (once again, this last step can be skipped if you are going to use the two-factor authentication method for TrueCrypt).
Linux can also be encrypted. Many distros offer the option to encrypt Home at install. Full encryption, including root, requires more work and is generally not offered by live CD installers. Just look through your distro's documentation for dm-crypt/LUKS, or Google your distro along with those terms, and you will find a guide on how to do it.
Mac OS X does not seem to have a freely available tool to do system encryption (at least as far as I could find), and the one tool I did see mentioned, PGP Whole Disk Encryption for Mac OS X, is quite expensive ($150) and did not seem to have a great track record. However, your Home can be encrypted with a built-in tool (http://docs.info.apple.com/article.html?path=mac/10.5/en/8736.html).
There is one disadvantage to system encryption: it will slow down your OS. This is mitigated by a good hard drive and a modern processor with AES-NI when using plain AES encryption, to the point where it is negligible or unnoticeable. Currently most i5s and newer i7s (the entire i5 and i7 line for Sandy Bridge) support it (AMD plans to add AES-NI support in its next generation of chips), but it is still something you should be aware of.
Further reading:
http://www.truecrypt.org/docs/?s=keyfiles
http://www.truecrypt.org/docs/?s=hidden-volume
http://www.truecrypt.org/docs/?s=rescue-disk
With that, you can properly encrypt your important data and keep it from prying eyes.
Local Networks
Your local network is an important point of security. A properly set up one will allow easy sharing and collaboration while simultaneously keeping out those who would intrude on it from the outside.
Your Wired Network
For a wired network, you don't have as much to worry about. Make sure not to use the DMZ feature your router offers: it forwards every unsolicited inbound connection to one machine, exposing all of its ports, and offers nothing over properly forwarded ports. Any forwarded port should have a distinct purpose; otherwise don't forward it. Disable remote/WAN administration (it might be buried in there somewhere). Keep the router updated with any new firmware releases (better yet, use custom firmware like http://www.dd-wrt.com/site/index, http://openwrt.org/, or http://www.polarcloud.com/tomato), as they patch various security flaws. Next, change the username/password for logging into your router; leaving the default is quite insecure. Finally, make sure your router firewall is enabled; it's one of the nicest features they have. While not strictly necessary, disabling UPnP adds a little more security: UPnP lets any device on your LAN (including malware on one of them) open inbound ports without asking you, and disabling it closes any unpatched holes in the router's implementation. Keeping your router up to date is simpler and more friendly, though.
Your Wireless Network
Wireless networks are another thing. On top of all the above, you NEED to be using WPA2 with AES (CCMP). Nothing else is secure! WEP can be cracked in minutes, and WPA with TKIP has known weaknesses. Well, nothing else you can reasonably implement is secure, at least. http://blog.jdpfu.com/pages/wifi-security (the only two things I disagree with are using MAC filtering and disabling SSID broadcasting: if someone knows how to crack a WEP key, they can easily find out how to spoof a MAC address or uncover a hidden network. Both also come with significant disadvantages while offering no real security). As mentioned in that checklist, make your WPA2 passphrase VERY complex; it can be up to 63 characters long, and since one recorded handshake lets an attacker guess at it offline, its length and randomness are what protect you. You don't need to worry about forgetting it: write it down and stick it to your router. If someone is in your house, your WPA2 password isn't going to keep them out of your network anyway (if you want to be secure with your WPA2 key, use the same password strategies mentioned in the passwords section).
But what about your WEP-only devices? I've not tried it yet myself, but there is a guide to running a WEP network for the Nintendo DS as safely as possible (http://viidev.blogspot.com/2008/05/secure-wep-network-for-nintendo-ds.html). Other options are to set up a separate wireless access point with WEP for when you want to use your DS/other WEP-only devices, and just unplug that WAP when not using it. Everything else will be on your normal WPA2 connection.
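Added example, not from the original post: the passphrase you type is not the key. IEEE 802.11i derives the 256-bit PSK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes out, and an attacker who records one 4-way handshake can run that derivation offline against a wordlist. The Python below reproduces the derivation (checked against the "password"/"IEEE" test vector from the standard), runs such a wordlist attack, and generates the kind of passphrase that makes the attack futile. The wordlist, the example SSID and the passphrase generator are my own constructions.

```python
import hashlib
import math
import secrets
import string


def wpa2_psk(passphrase, ssid):
    """Return the 256-bit WPA2 PSK as hex, exactly as 802.11i derives it:
    PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes out."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    ).hex()


def wordlist_attack(target_psk, ssid, wordlist):
    """What an attacker does offline with one captured 4-way handshake:
    derive a PSK per guess and compare. Returns the passphrase or None."""
    for guess in wordlist:
        if 8 <= len(guess) <= 63 and wpa2_psk(guess, ssid) == target_psk:
            return guess
    return None


# Printable ASCII minus space: 94 symbols a WPA2 passphrase may use.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_passphrase(length=32):
    """A passphrase from the OS CSPRNG: write it down, stick it on the router."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing work, in bits, for a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


# Constructed demo wordlist; real ones run to millions of entries.
WEAK_WORDLIST = ["letmein1", "qwerty123", "password", "iloveyou"]

if __name__ == "__main__":
    ssid = "linksys"  # constructed: a default SSID
    weak = wpa2_psk("password", ssid)
    print("weak network cracked with:", wordlist_attack(weak, ssid, WEAK_WORDLIST))
    strong = random_passphrase(32)
    print(f"{strong} has {entropy_bits(32):.0f} bits of entropy; "
          f"wordlist result: {wordlist_attack(wpa2_psk(strong, ssid), ssid, WEAK_WORDLIST)}")
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name, which is why precomputed PSK tables exist only for the most common default SSIDs; giving your network a non-default name forces the attacker to start the 4096-iteration derivation from scratch for every guess.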
Your Computer
Your computer can leak information out of your local network if you are not careful. The browser section covered many of the most common leaks, but if you computer is infected with a keylogger or other malware, data may be leaked and all of your network security can be bypassed. Likewise, on an open network, someone may try to break into your computer over the network. There are a few things you can do to mitigate these risks:
Keep your Operating System updated. It's easy to fall into the cycle of not getting the latest updates for your OS. These often patch security holes that can be exploited. Along the same lines, keep your software updated, especially major programs and anything that uses the Internet.
Use a password! Windows passwords are trivial to overwrite if someone has physical access to your PC (which is where encryption comes in), but they are VERY useful for keeping other, unwanted people on the network out of your shared folders. You should also, of course, disable shared folders on public wifi networks.
Install a firewall. Your router has one, but on open networks like those your laptop may often connect to, your router firewall won't be of any help. The best free one is Comodo's Firewall. Its Defense+ feature is also a basic HIPS (Host-based Intrusion Prevention System) that will stop rogue programs from doing naughty things. This does an excellent job of keeping keyloggers, trojans, and worms from sending data out from your computer (keyloggers can also be largely defeated with a password manager such as KeePass or LastPass that fills in credentials for you, since you never type each site's password, though the master password you do type is still exposed).
Keep your antimalware solutions up-to-date and scan as you feel needed. Whether you run a full-fledged real-time AV or just something to occasionally scan with like Malwarebytes, it's better to have it on your system now and not need it than to need it and not have it. Some malware makes it near-impossible to install some antimalware programs and/or update them successfully. Being able to do a scan instantly after you think you've been compromised is a very nice thing. The next-best thing is to shut down your computer immediately and use a live rescue CD like the one Kaspersky offers (http://support.kaspersky.com/viruses/rescuedisk). Antimalware, whether proactive or retroactive, should always be considered your last line of defense.
Final Remarks
This isn't everything. I didn't cover a considerable amount, such as proxies and Instant Messaging. As large as this is, it is only a fraction of what is out there. I hope you found at least some of this information useful, and will proceed to improve your data privacy/security. Just improving your privacy and security settings in a few places can dramatically increase your overall privacy and security. Also, please inform your family and friends on some methods to increase their own privacy and security to help everyone reach a more secure standing. Data Privacy Day remains greatly unknown, but it is an important holiday that should be more widely recognized.
Since this isn't nearly everything out there, feel free to share your own tips. Also: spread the word. Data Privacy Day does nothing if no one is aware of it.
Edit: If I were to make a hierarchy of what I'd like for people to take away from this it'd be:
1. Use a different password everywhere
2. Use special characters in your password
3. Don't use insecure password managers
4. Fix back-doors to your password by using strong password reset questions/answers
5. Lock down your smart phone and set up a way to remote wipe it
6. Use secure connections whenever possible
7. Stop using WEP for your wifi network. Use WPA2 with AES ideally, and set the rest of your router settings properly
8. Delete at least your cookies when done browsing. Every browser can delete these on browser close.
9. Check your browser plugins and check them often. If not using a plug-in, then disable it. Try making all or at least some plugins on demand instead of always-running.
10. Don't go to short URLs, especially if randomly posted by someone you don't know/by anyone in an email/on Facebook. Use a URL unshortener
11. Consider using an ad-blocker/script-blocker
12. If using Facebook, check out all the settings mentioned and make sure they are correct AND DEFINITELY ENABLE SECURE CONNECTIONS FOR FACEBOOK ASAP
13. Take a look at your Google settings, and make a habit of becoming familiar with the Privacy Center
14. Especially if using a laptop, consider system encryption.
15. Keep your computer up-to-date and secure.