Improving Gmail Security

In a few of my other blog posts I have already used the example of Gmail and https to improve security. But I feel with the recent improvements Google introduced that it is time to emphasize security and email again.

Continue reading Improving Gmail Security

Secure Browsing Using FireFox

In an earlier blog entry I kind of promised to come back to explaining how I try to be more secure about how I browse using FireFox. So here it is. First of all there are two different ways I do this, one is on my Powerbook (laptop) which I bring with me and therefor has a higher risk being used by others (unauthorized) or worst case scenario: it can get stolen. And my Mac Pro in my computer room which doesn’t get used much by others, and when so, only by those who I trust. Regardless, in both situation, unknown people might try to hack into the system from the outside or steal traffic via sniffing and such. Preventing abuse is impossible, making it harder to do so is possible.

Continue reading Secure Browsing Using FireFox

Improving Online Security

Over the last few years I have taken ‘being online’ a lot more serious, especially the security aspect. Trojans, rootkits, viruses, naughty cookies, xss exploits in sites and advertisements, and all that nasty stuff is now a day to day matter. Not to mention fraud, scams, spam and id-theft.

Particularly with being ‘on’ 24/7/365 because of high speed broadband internet. Participating in online communities, social networks, online loans, online banking, online dating and e-commerce, etc. brings risks with it.

Sure, you can run a bunch of software and addons to try and prevent all this, but it is a second level of defense. I think that it is more important to start at the beginning. Your first line of defense is your own browsing behavior.

Instead of just clicking dialog windows, links on sites, and entering details in forms, etc. As a user you should learn to take a second to read the screen, realize what is going on. And learn to say no. Don’t read emails you are not expecting, don’t follow links from emails. Don’t click on dialog windows that should not pop up; things like that.

Aside from trying to improve my online behavior I try to improve my own security, to lower the damage if something does go wrong. I am making sure I use hard to guess, long, and random passwords. One for each login. I try to make a unique less obvious login name if a web site supports this (and use a public obvious screen name so people recognize me easily still).

I do not follow links from unofficial sites that point to (claiming to be) official sites. I open a new tab and type out the url or use my bookmarks. I do the same with emails. I never click on email links, I load a browser and type in the url. This is to ensure I won’t accidentally click on a phishing link or xss exploit link for online banking, paypal, ebay, and such. As for email, I try to limit this to plain text email only. Avoiding html emails as much as possible to ensure no naughty script could get through a filter. And as for attachments, I don’t even open them unless I am expecting someone to send me something.

For web sites I try to not store the passwords (remember me off) on the laptop, but for convenience I do use this on the workstation. But, as an extra layer of security I turned on the master password feature in FireFox so no data is entered in any form unless I manually confirm this.

When I do browse to sites where I have to login and know that the information is privacy sensitive I try to use encrypted connections only. Before I explain that I want to add to this that I hardly ever (almost never) use a public proxy or some proxy / or a free VPN site or something like that to browse sites where I need to login. I simply can’t be insured that my data is not mirrored to some naughty admin who will abuse it. So, where possible I try to login using https. This has an ‘s’ in the url, instead of just http. The s means the session is encrypted over a secure socket layer protocol. Making the data unreadable to anybody snooping on the line (man in the middle idea).

Example, you could just type in your browser gmail.com and end up on your web mail. But I have a bookmark that brings me to https://mail.google.com and ensures my login is encrypted and my mail browsing / composing and reading session is encrypted.

Where possible: take and use https – gmail uses it, online banking uses it and most payment sites use it.

Talking about sites where you can buy stuff, make sure the line is indeed secured and your session is over https. Your browser will display a small lock icon in the bottom of the browser. Also, make sure that if you do enter your credit card details that you’re doing this on a third party official and well known CC processor site. And not in a normal web page on the companies own web site. Why give them your name, number and security code and expiry date? Do you really trust them?

At this point you probably think ‘wow this guy is paranoid’, and I might agree with you. But. I’ve slowly learned how to adjust my online behavior and it has helped me feel more secure and be more secure. Once you changed the simple things like unique passwords for accounts. Not clicking links in mails and from unofficial sites, using https where possible, etc. You will quickly find it is second nature. I don’t even think about it anymore really. And it helps me have more time to just open my mail client and read those emails I was expecting. Instead of browsing through 75% garbage and risking getting infected. I just delete the garbage on the fly.

So, have fun improving your online security. Well, it’s not really fun – but it helps make things easier for you. You will quickly find that you can identify the garbage and identify real emails (sites, logins, etc).

Feel free to register on the blog and leave a comment, suggestion or other feedback. And please come back to find another blog about how I secured my network / internet connection.

What Goes Where On My System?

My Mac Pro has a bunch of hard drives right now, and I have been adding, swapping, and removing drives the last few months. It was time for me to get a bit more organized and I think that’s a great tip for everybody. It gives you a much better understanding of what is on your computer system.

You might think “What is so hard about finding stuff on your hard drive”, well .. let me give you a simple example: Your browser might store downloaded files on your Desktop, while you have an OS ‘Downloads/’ folder, or perhaps your torrent client stores it in ‘programs/client/downloads/’, making it a bit annoying having to browse around while a single link on your desktop to your ‘Downloads/’ folder might make it a lot easier for you.

First things first of course, what goes where?

My first drive in the Mac Pro is currently a 250GB drive (called MacHD) which is used to store the OSX 10.5 operating system and the programs I use. Most of the data that result from those programs are stored on the second drive which I called the DataHD, it’s 320GB. This drive has a folder called backup_machd where I store backups of certain files from the MacHD drive. The MacHD drive by the way has a folder called backup_datahd where I store daily backups of the DataHD folders. Since there’s enough space no the DataHD I also have a htdocs/ folder in the root where I have my localhost ‘dev’ stuff, such as a test instance of vBulletin, or the svn build from DeskPro, stuff like that. The MacHD (almost forgot to mention) has a folder called bash where I have my custom coded bash scripts that help me run daily or weekly crontabs to make archived backups of certain folders (among other things).

These two drives, the MacHD and the DataHD drives are being backed up with the ‘Time Machine’ feature from Leopard. I have an external USB 2.0 box with 2x 160GB hard drives. Not perfect, but when I have a bit of extra cash in 2008 I will upgrade these a larger size so I can have bigger backups that go back further in time. These are the only back ups I make of my internal drives. I do not really back up my media drives.

I have 2 more USB 2.0 external drives, but they’re used to back up data for a few web sites. I don’t use them, and the back ups are done automatically. I just check once a month if things are still going ok. But it’s kept separate from my ‘live’ system.

I also have 2 media drives. One is called MediaHD (320GB) which stores my music, movies, games, and downloads. I point all my programs to that download things from the net to this downloads folder, which has sub folders to keep it organized and easy to find. The other drive is called TvHD where I store my purchased TV shows. I really like good tv shows and I watch a lot. It’s a 750GB drive. The drive is split in 2 partitions though. A very small portion is used by Adobe and ProTools as a ‘cache drive’ to help speed up running filters and renders on huge media files. Since there’s over a terabyte of data on the media drives I do not back them up. It’s a risk I am willing to take. I don’t want to hog my system backup moment because it’s trying to backup and compress huge files that I can re-download from iTunes or Amazon.

The Mac OSX comes with default folders for Music, Pictures, Documents, Downloads, etc, but I really don’t use them. They’re useless to me as they are on the Main HDD and I store everything on other drives. It’s a bit of a hassle to change the original symlinks and I just dragged them out of Finder, and dragged my own entry point folders into the sidebar. I also made my own small stack folder which are quick links to all these folders. Making it very easy and quick to use.

My plan for the future is to add a 1TB drive into the system, replacing the 320GB MediaHD one. And use the 320GB MediaHD as an Ethernet network drive. I have 1 port on my router unused, and it would be nice if all systems in the apartment or visitors coming over, can use this network drive. Eventually I also want to replace the MacHD that’s 250GB with a bigger one. And move the 250GB as a dedicated MusicHD on the FireWire800 port. And if I ignore the lack of money in my wallet, I could imagine having the MyBook of 1 or 2TB as external backup drive on the other firewire800 port, for backing up the MacHD and the DataHD with TimeMachine.

For now I have enough space obviously, and there’s no problem making new space either. There’s enough data like old music, or a few movies or tv shows that I won’t ‘watch’ again. Or I could throw away backups older then 6 months.

But back to the topic. On my old PC I just had it where the OS threw it, or that particular program. And it was quite annoying to find it back, or to take the time and organize it. Or just accept that the Desktop is filled with icons. On my Mac now I have things a lot more organized in a way that it is, for me personally, easy to find. Media goes to the media drives, data goes to the data drive. And software goes to the Mac drive.

Now, if anything breaks, I loose either all my Data (which I have a backup of) or my programs (and I will still have all my data after a re-install) or I loose my media (and then I cry a little, but at least I still have all my data). Hard drives are a lot cheaper these days, getting a 500gb for around 100 bucks is kind of easy to find. The Mac Pro can have up to four drives in it. And it takes the 7200.11 Sata2 drives from Seagate which are 1TB. So that’s 4 TB of data! Then there are of course the options to expand over USB ports, Firewire ports, and eventually over the Network on Ethernet or even add Wifi drives.

Who needs DVD burners right?

Here are some pictures of me adding the new 320GB and 750GB to the system (which I done earlier this year)

image-40075-257298-p1180024.jpg

image-40075-410513-p1010010.jpg

image-40075-410505-p1010015.jpg

image-40075-410504-p1010016.jpg

Organizing Important Information

Update: Since 2010 I have moved to 1password, because of continues development, browser integration, and iOS support. Strongly recommended!

Since I’ve moved away from Windows I’ve found myself wanting to be more organized with the way I store important information such as logins to web sites, private web addresses, shell accounts and what not.

In the past I’ve either written it down (with the risk of finding out the o might be an O or a 0, or simply being unable to find the paper, or … finding out that password is now outdated. I’ve also just placed details into plaintext documents. This got spread over the directories on the computer, or even worse, spread over my local area network. A solution had to be found. If not only to get the information organized, but also to improve security.

After trying a few programs that promised a) security and b) autofilling-in forms, and c) have some unique features, I was simply not satisfied with the way they were doing things (or they were too expensive). A simple requirement is a single file encrypted backup, or the ability to create categories for personal, business, shells and web sites, or have unique custom fields so I could have an entry for url or ssh port, aside from just title, login and password. One of my friends Chris (chroder.com) also switched to the Mac and he started to use info.xhead. I gave it a try, despite the lack of motivation at this point. I was pleasantly surprised; it basically has everything I want (without going into detail on this: What I want more is the ability to optionally store a file with an entry).

info_screenshot_13.png

The last few months I’ve been using it and started to get used to it. It is at a point where when I am not on a system where it’s installed that I really miss it and find myself troubled not having my details with me.

I’ve learned to simply take a few seconds and note down the information for a new blog login, a new shell account, a privacy detail from an email, and such, just to find out I have direct access to it from a central point. I also find out I keep the information up to date and that it is not a hassle finding it (in other words, it doesn’t disrupt my workflow).

The program is created by xheadsoftware.com and has a mac-feel to it. It’s easy to use, looks very clean and flexible, and properly integrates with Spotlight. It’s just $15, so certainly affordable to everybody. Once you open the program you can set it up the way you want to. Easy to manage categories, entries and items. I believe it uses 448 bit encryption method to ensure security. You secure the program with a single password. So if someone gets this very important (central point of information) file with your privacy details they will need a password too in order to get to it. Of course, if you forget that one entry password, you’re basically screwed.

A few additional cool features are .Mac support (so you can easily backup to .Mac and restore on another computer. Which I did for my powerbook) and data import. Other features that won me over is a one-click copy of data fields, and the easy instant search. About the import by the way. I’ve exported my FireFox form-data stored details with an add-on and converted this XML data to a CVS file with a spreadsheet program, and then imported it into info.xhead. It’s very cool, so I did not have to type-over those details or re-add all those details. However, it would have been nice if .xml import was supported.

Anyway, no more little files, little post-its, little entries on the whiteboard, outdated details on other systems, and what not. Just a quick little program to help me many times per day to get to my privacy data (that’s now also secure). Using the built-in password generator I have also improved my security since I am using a lot more unique passwords per login, that are very hard to guess, and are pretty damn long.

I don’t know what it is why having a Mac makes you want to be more organized with even the littlest of things like managing privacy details, but eventually it helped me speed up and smooth out my workflow. And that can’t be a bad thing right?

In a few future blog entries I will tell more about how I secure my system, network, and internet things such as email, ssl and FireFox.