FEATURING: Fauxmccoy with advice on how to browse safely

Fauxmccoy knows of what she speaks:

So … I Married a Hacker

This story is not quite as adventuresome as my first marriage, when at 19 “I Inadvertently Married a Much Older, Denture Wearing, Mentally Ill Drug Dealer”. Sadly, the only thing known at the time i said “I do” was the fact that he was older. The marriage did not last long and the divorce settlement (in which i received 200 hits of San Francisco LSD to distribute along Haight Street) was just as wacky, but I digress.

When I married my young hacker, we were both students and i routinely walked in on him doing nefarious computer deeds. This happened regularly until we had our first child, at which point, i became quite clear that from now on, if the police were to show up on our door, it would be because one of us called them and for no other reason. Out of love and respect, he left his hacking ways behind although he remains up to date on methods because that is how he earns his livelihood. He was able to parlay his skills into being a well compensated systems analyst who specializes in network security for organizations who depend on it, such as municipalities, the IRS, VISA, etc. Although considering these clients, i am hard pressed to say that he is now one of the ‘good guys’, but the work is certainly legal and above board.

In light of a number of us here experiencing internet security issues, I asked Fred if he would be interested in me resurrecting my tech writing career by presenting a “best practices” model for cruising the internet with relative security. In this article, I will detail a number of things which each of us can each do to beef up our internet presence, but will sum it up using my husband’s statement “do not be the low-hanging fruit”.

We know that some of us have been specifically targeted because of our work/statements in support of the Martin/Fulton families receiving justice for the loss of their son, Trayvon Martin. Some of this, while disconcerting, is relatively benign, such as having usernames and avatars stolen and used to spread vile, racist garbage on other sites. While this is unpleasant, there is next to nothing that will make this activity stop. My best advice is to not use personal pictures of your self, children, even pets as avatars which would cause you distress if used by the wrong hands.

Others here have experienced far more difficult scenarios in which email accounts have been hacked, doxing has occurred, family members have been accessed and harassed, and threats have been received. These things can be addressed, your success in avoiding being in this position depends upon your vigilance.

Basic Browsing Security

This is the level of security i would recommend on any trusted site, including this blog, the Huffington Post etc. I will give more stringent security tips below for visiting blogs which actively support the defendant because they represent greater risk.

1. Avoid revealing overly personal information. This can range from your actual name, city info, and age, up to posting pictures with identifying details in the background (for example, a photo in which a diploma in the background which can be blown up to determine your name).

2. Keep your computer system fully updated, including the operating system, anti-virus updates, and most especially updates from Flash, Java, and Adobe Reader which are notorious malware vectors. THIS IS CRITICAL!

3. Install an anti-virus program. The husband highly recommends the free versions of AVG and Microsoft Security Essentials. MAC systems are no longer immune and there is a free app called ClamXav which i have used and like. Keep these current at all times.

4. Install a browser specific add on to block java script and flash. A malicious script hidden on any site can not only decipher your internet address, but can use code to bypass your firewall and at that point, all information on your home network is breached. I use No Script and Flash Block for Firefox, but you will have to determine the most appropriate for your browser.

5.Social engineering is one of the best known tricks for gaining access to your system. This includes fraudulent attempts to gain your passwords by sending out mass emails for people to change their Twitter password for example. Unfortunately, the link you press in the email may look exactly like Twitter, but it is not. Should you receive such an email, go directly to your account (not by provided links) and change your password. Social engineering also consists of embedded links posted on any site which can redirect your browser to a page which contains malicious script that appears blank. In other words, be careful of that which you click, shortened URLs can be especially dangerous (such as bit.ly or tiny url). There are servies such as unshorten.com which you can use to determine where the link redirects and decide in advance if you trust the site.

6. Passwords — not enough can be said about passwords as this is one of the easiest ways for a security breach to occur. NEVER re-use passwords. For important accounts, such as your bank or main email, you want to use the strongest password possible, this consists of a 12 character, randomly generated string which includes upper/lower case letters, numbers and symbols. Do not use ordinary words such as ‘deadbeat’ substituting 3s for e or 4 for a, such passwords are very simple to break. Obviously do not use your name or that of anyone in your immediate family, including your pet.

7. The best password system is to install a password vault add-on such as “LastPass” and I highly recommend doing so. LastPass is well regarded in the tech world and works across all platforms and browsers, there is even an android phone app available at minimal cost, but i do not like the interface, personally. LastPass will store personal data on its secure server (i even keep my credit card number stored there) to be used in filling out online forms; it can generate strong passwords for any site which requires registration, and then stores them so that you do not need to remember them. Always let LastPass generate the strongest possible password. LastPass will automatically log you into a website should you wish when you go to visit it and can run a security check on your passwords to identify weaknesses. When using LastPass, you will need a password to log into it, you want this to be a strong password. Although it sounds counter-intuitive, it is really OK to write down the few strong passwords you need (bank, email, LastPass) and keep it in your wallet.

8. Do not use your main email for registering on sites. For me, my gmail account is my main account for friends and business dealings. I use a yahoo account for registering for most sites which require one and I make sure that the yahoo account has no reference either in the account settings or contacts of my primary gmail account.

Browsing Questionable Sites

I know that many of us cannot help but to see what the CTH and its spin-offs are up to now. I consider doing so as a potential security risk. First of all, just by visiting the site, administrators have access to our IP addresses, I for one, do not want that. Secondly, I do not trust that there are no malicious codes embedded. We know that a few of us have had serious security breaches and unfortunately, we know that this crowd engages in unethical doxing behavior. If you feel that you absolutely must know what they are discussing, I advise using extra caution, including the following steps:

1. Browse Anonymously — I pay a small monthly fee to access a virtual private network (VPN) to mask my IP address at all times. VPNs are relatively inexpensive (some are free, but advertising driven and slow), easy to install, can be used on both your computer and smart phone, and provide the ultimate security of guarding your IP address any time you are online. VPNs also add a great level of security when using a laptop, especially in a public space. This article in LifeHacker details some of the best VPNs available and contrasts their services and pricing structure. http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs. Notice that I used the direct link in its full form so that you can see where you are going before you click. I think that as a service to each other, we should always do this. If a VPN is out of your price range, consider using an online anonymizer such as Anonymouse prior to viewing sites with questionable content.

2. Block Script and Flash — As stated above, I use NoScript and FlashBlock for firefox. Whatever browser you use will have some version available, search Lifehacker.com for browser specific recommendations. I cannot stress how important this is when browsing sites of questionable content.

3. Registration — if you must register at the site, use a throw-away email address at sites such as Spaminator or Mailinator and under no circumstances should you use the same password for registering that you use at any other site.

4. Posting — The best practice would be to not post at such sites, but if you do, do not use the same userID there that you would here or elsewhere.

A Note to Blog Owners

I know a number of you other than Fred maintain your own blogs, please remember that our virtual security is in your hands. You have access to our IP addresses and emails. Keeping your blog secure with strong passwords is critical.

In conclusion, I hope that this helps us all to become more aware of the security of our online presence and provides the tools necessary to become secure. I am open to any further suggestions and hope that comments generate some. Also, for the tech savvy amongst us who use different browsers or alternate services, please feel free to share what works for you. I am working on a follow up to this on what you can do once you know your security is breached and hope that Fred will be kind enough to post. Obviously if you have had a security issue and are receiving any type of threat or harassment, please report to your local authorities.

Happy browsing, stay safe, and enjoy capital letters in a post from me 🙂

49 Responses to FEATURING: Fauxmccoy with advice on how to browse safely

  1. groans says:

    Faumccoy – THANK YOU so much for this valuable information – I learned a lot! And, of course, many thanks to your husband for sharing his knowledge with us!

  2. colin black says:

    I get abode an flash updates all the time an nine times out of ten .
    If I click on to download it goes through the motions .Your sytem uploading 10 percen 3o percent 70 100 done press finnish.
    An then I press finnish an a box pops up saying your system already has all latest updates.

    So it kinnda pisses me of after a while an I dont always press them I just ignore.

    • fauxmccoy says:

      colin – i cannot stress enough how important is to keep these two things updated. i was just talking to the hubster, telling him that this article was published and he told me that according to recent data that java is responsible for 50% of security issues, the next closest was adobe in the mid 20s.

      ask a friend to help, if you need to, but by all means make sure these updates are current (if you even need java at all) and ask for help installing the appropriate script and flash blockers for your browser.

      good luck!

  3. aussie says:

    Don’t get caught by shortened URLs either, that don’t end up where they promised to.

    http://unshort.me/

    Put them in there and it tell you the final destination.

    Still not sure? put the resulting domain URL into GOOGLE Search and you’ll find interesting references describing who they are and what they do, good or bad.

  4. Xena says:

    Others here have experienced far more difficult scenarios in which email accounts have been hacked, doxing has occurred,…

    Thought this might be appropriate …

  5. bettykath says:

    A good system to use if you change your password/s frequently: Make up a fairly long sentence that you can write down in block letters where it will look like a note to yourself, or a to-do, or the start of a poem. Use lower case except for 2-3 random letters. Use every nth letter of each word and some number that you pick based on the number of letters, e.g., the first 3 words of your sentence, and the letters in upper case.

    By having a system based on an ever changing sentence of the week or month, you have a randomizing technique. What I have suggested has many ways you can personalize it – caps first, or numbers first, or letters from the words first, or some combination of the elements that you will remember, and no one says you have to start at the first word or go left to right.

    In one instance where I wanted a non-easy password to keep the computer locked, I used a sequence of keys that my fingers seemed to know but I couldn’t write down. It sometimes took me a couple of tries to get it right.

    • fauxmccoy says:

      bettykath — it certainly sounds as if you have discovered a method that works for you, as i used to have to do in various tech jobs i have had over the years. i have to say, that i love the simplicity of ‘last pass’ being able to generate very secure passwords and it’s ability to recall them as needed. it saves valuable wear and tear on my aging brain cells 🙂

      the bottom line is that whatever works for you is the best thing to use, keeping the obvious criteria in mind — a mixture of upper and lower case letters, numbers, and symbols in a random string which is changed at least every 90 days.

      thank you for adding your method.

      • great info fauxmccoy, thank you so much. i dont know how to change mine, it is my real name…but hehehe… there are 3 that i know of living in my small town here…i avoided posting on zimmerbutts fan club sites because it is my name. was actually worried they might try to harass all of us Judys here. didnt want to bring that on any of the others.

        • fauxmccoy says:

          judy — for the most part, using your real name may be of little consequence, unless you are a high-profile individual and your location is easily attainable info.

          i do think that avoiding posting on the ‘fan club’ sites is by far the smartest choice any of us could make.

  6. What about Chrome laptops that say the virus protection is built in? Are they safe ? I’m thinking of getting one.

    • fauxmccoy says:

      bonnie – i am sorry to say that i do not know enough about that to be able to answer your question with confidence.

    • aussie says:

      No, that’s a advertising ploy. You’ll find they mean the browser is a bit more secure (they claim) than the other types.

      Virus protection has to be constantly upgraded, because new viruses, and new types of viruses, are constantly being produced. Whatever is built int to that machine won’t be any good in 6 months. It’s like relying on your 2007 flu shot to protect you this year.

  7. esentrick says:

    Thank you professor n fauxmccoy!

  8. Malisha says:

    Very interesting information. Some of it is too advanced for me to understand but I’m giving it to my friends who CAN and they will help me get into compliance. You’re the best!!

    • fauxmccoy says:

      thanks malisha — when all else fails, ask a 12 year old to help 🙂 i need one right now to make my cable box and tv communicate with each other.

      • Xena says:

        @Fauxmccoy. Just went through something similar last week. My combo VHS/DVD player got sick. Having it since about 2004, and with the price of them now being very affordable, I decided to purchase a new one.

        While the older one used two connections for the tv and cable box, the newer one looked like something from the dashboard of a spaceship. LOL!!! The cable company wanted $30 to make a house call to connect it, but while I was talking to them, I discovered a phone number on the back of the new VHS/DVD player to call for connection assistance.

        They were very helpful — gave step by step instructions.

      • Malisha says:

        Faux, Spread butter on one of them and put the other one right next to it and say, “nice, nice, nice” until they communicate. It works with possums.

  9. two sides to a story says:

    Great article, except for one point. Everything I read about Java right now says DON’T download it to your computer unless you absolutely need it to run particular programs. The average computer user DOES NOT need it, and the program has many security issues at the moment. I recently removed it from my computer, though my computer still tries to update it – I haven’t figured out how to stop that, but did figure out this morning how to stop a particular Windows update that always fails.

    In fact, if you’re using Firefox as a browser, I believe Firefox tells you to not use Java – I believe this is where I first started reading about Java security issues.

    • two sides to a story says:

      On, PS – I would never in a million years store my credit card numbers ANYWHERE on any system except in my head or on the credit card.

      • fauxmccoy says:

        i understand your aversion to storing credit card information. the beauty of how ‘last pass’ works is it’s encryption process. nothing is actually stored on its server except for encrypted blobs of data, not even the FBI would be able to turn those blobs into useable information. the only way the data becomes un-encrypted is when by the end user logging in and using a ‘key’. the de-encryption process occurs on the users computer. you do not have to trust me on this, all i am saying is that the ‘lastpass’ system is and has been highly trusted in the tech world because of its elegant encryption process.

      • Two sides to a story says:

        I’ve read a little about the history of encryption – interesting subject!

        • fauxmccoy says:

          two sides — yes, it is a very interesting subject. because of how this program executes it’s encryption, the only way my data can be accessed is if someone stole my wallet with the lastpass highly sophisticated password contained on a small piece of paper behind my credit card. in that case, they would already have my credit card.

          the other thing that i do is use a pre-paid debit card for all online purchases and keep a small balance on it. just like only carrying the amount of cash one is willing to lose in one’s wallet. the particular debit card sends me text alerts when any transaction is made, thus, i will know immediately if something goes awry.

          i realize that the systems that my family has in place may seem elaborate, but that is only because we know the dangers of it not being so. all of the things that i recommended are powerful tools, but easy to navigate and very intuitive. i would not recommend them otherwise.

    • fauxmccoy says:

      two sides — you bring up a good point. as i stated in the article, java is notorious for providing security breaches. i do need java for some things which is why i have it, but it is also why i use ‘noScript’ to block all java scripts unless they are the ones i need and which i trust. either method (using a script blocker or deleting it) will be effective. if your computer is still trying to download updates, i have to wonder if java has been fully uninstalled. windows uninstaller is poorly written and often leaves behind pieces of a program in hard to find places which will cause what you are describing to occur. the best way i have found to fully uninstall programs is to download a couple of free applications ‘C Cleaner’ (formerly ‘crap cleaner’) and ‘Revo Uninstaller’. between these two programs, you should be able to eliminate all traces of Java, if that is your desire.

      • Ben Franklin says:

        If youre using Windows the only question is: What botnet am I a part of?
        Antivirus has very weak detection rates.

  10. Rachael says:

    Wow! Thanks. Some really valuable information here.

  11. unitron says:

    Funny, the Professor assured me that not posting under one’s real name because of security concerns proves that one is a paranoid racist.

  12. fauxmccoy says:

    thank you fred for posting! to the rest, i’ll be happy to answer any questions that i can.

    • Great article.

      Many thanks for your time and effort.

    • ay2z says:

      Thanks!! Will be going over a few things.

    • looneydoone says:

      fauxmccoy,
      Thanks so much for the information. My computer tech worked with this same info received from you (in last week’s email) and cleaned up the problem I experienced from the hacking/doxing that had been done…sure wish I knew *who* it was that cost me the $300 service call

      • fauxmccoy says:

        looney – i am glad to know that the info i sent was helpful, sorry you had to spend cash on it. if i lived closer, i’d have done it for you. 🙂

      • looneydoone says:

        fauxmccoy,
        As mentioned, I’ve gone back to using the old ASUS netbook without a HD when perusing sketchy sites such as the outhouse and AOL/Huffpffffft too.
        I’ll be closing my huffpffft account the day fogen is convicted of M2 (if I can hold out that long)

    • Xena says:

      Thanks fauxmccoy, and thanks professor for posting this.

      I’m still trying to digest the info about Flash in Firefox. I switched to Firefox from Chrome because even after disabling Flash in Chrome, it continued to crash. So, if I disable Flash in Firefox, can I still watch videos on Youtube?

      • fauxmccoy says:

        xena — i don’t think you would be able to view youtube videos without flash. what i would recommend is installing the firefox add-on ‘flash block’ which identifies the flash objects on your screen and blocks them until you click on them to allow them to process.

        https://addons.mozilla.org/en-US/firefox/addon/flashblock/?src=ss

        while you are there, consider ‘ad block’ for advertising free viewing as well, if you have not already.

  13. Trained Observer says:

    Thanks, Faux, for a ton of useful info wrapped up in entertaining, easy-to-understand style.

    LOL to below:

    “… IRS, VISA, etc. Although considering these clients, i am hard pressed to say that he is now one of the ‘good guys’, but the work is certainly legal and above board. — Faux McCoy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: