My Digitized Thoughts - Ramen Mukherjee ...

The first important thing is to control yourself, most problems occurred for loosing the self control while online. For other things I first suggest using Firefox, why? Because no matter how much google brags about their browser, it has several flawed loopholes and exploits which in turn actually helps to spread these kinds of malwares. Don’t you are surprised that none of them are attacking google+ or Orkut ?? Strange isn’t it? Anyways without getting intro controversies I must say that protection you can get by following a 3 LAYER architecture.

• 1. First Layer is Social Network / Website Security. in this case it is Facebook.
• 2. Second Layer is Browser Security
• 3. Third Layer is Computer Security.

But the problem is that often we forget to protect the middle one, which is I am trying to focus here.

The First Layer (Social / Web Layer)–

1. Hide all your personal albums. Share your photos with only selective group of members. Don’t make them public. Disable photo tagging.

2. Make your private album such as profile picture strictly private to yourself. Remember we are focusing on security here.

3. Don’t reveal too much of yourselves on internet, don’t reveal all of your information which however can be used to actually GUESS your account informations. Remember always that you cant trust online anyone, no one is your friend, so don’t share anything personal over the net, it may happen that your most trusted friend’s profile got compromised and that hacker knew all of your secrets to hack into YOUR profile.

4. Don’t ever show your login email id in your profile to public. Make it a strict private. Remember that a hacker needs two things, one your login email id and another is password, which in most case are easy to guess, because people tend to use passwords related to their life, and revealing to much of their lives in public would increase the risk to get guessed easily.

5. In your settings, enable login notifications both in email and text, activate your mobile number but strictly make it private.

6. Delete all unused apps, actually what happens is that once you permit any app to access your details, later that app can get compromised and by your permission that corrupted app can leak you’re a/c info. So don’t use any app, if you do then delete it after using it.

7. Don’t blindly click on any link, photos, videos AYTHING Even the clicking on the last portion of any long post’s “see more” can be manipulated to forward you to a phising site. For that use a linkchecker, like AVG linkscanner, bitdefender trafficlight, WOT etc …which can check the link.

8. Always keep a strong watch on when you login and how many times you login, and if you can then from which ip you are logging into. THIS IS VERY IMPORTANT because you may get wrong login timing in facebook’s notifications, wrong locations also due to their different location of servers, but the IP address is always accurate.

9. Change your password often and securely, use a random password, use password maker for that.

10. Enable secure browsing so that your channel to Facebook can become encrypted so less eavesdropping can be occurred.

11. Don’t ever use any proxy services to logininto Facebook, it will make frequent lokups in Facebook and later Facebook will realize that you are a glob trotter and then they will loosen the security so that you can login smoothly.

12. Don’t use OPERA TURBO while logging onto Facebook, because opera turbo is also a proxy based service which compresses the website to save bandwidth, but in order to do so your info get bypassed by another server and if that server gets compromised your data can get leaked, also OPERA TURBO tends to save data for reuse it. DON’T DO IT EVER.

13. Always LOGOUT and clean your cookies. It will be good if you enable automatic cookie cleaning at the exit time of the browser. BUT before logout you MUST delete the device from Facebook > setting > devices. So that if somehow anyone got the session cookie he/she can never use that to login into Facebook again.

14. Use a password manager (ex: last pass) which uses encryption and never enter password with physical keyboard, if you need to, then use virtual on screen keyboard which is in windows, linux, mac os x.

15. Use MOBILE PIN feature of Facebook if you are using Facebook from mobile and using Facebook sms service.

16. Always keep your mobile phone locked so that no one can use your mobile to access Facebook. Don’t let anyone to access their profile from your phone, don’t access your profile from anywhere, if you do keep in mind to clear the cache, cookie, history, and password, remember again to LOGOUT PROPERLY.

These are very common steps, but these steps can ONLY make your profile safe from Facebook attacks. To actually not get infected physically (machine wise) you need the later two tiers of security

The Second Layer (Browser Layer) –

1. Always use a secure browser. For me I ONLY trust Firefox on any platform, IE9 is also great but it seems that it stopped supporting flash, another thing is that IE9 is fast secure but not reliable due to its past records and it can be easily manipulated. Apple Safari is great BUT ONLY in Macintosh, not in windows, OPERA is good but it seems that majority of websites are not supported in it. Again OPERA is not FAST ENOUGH unless you use OPERA TURBO, which is again FATAL for social networks specially Facebook (as I explained above). Lastly Google Chrome, well this is the most used (thus abused) browser, the problem is that you cant tune chrome for becoming perfect, its DNS PREFETCHING is the problem why these attacks are getting spread day by day. Again google’s sync is the problem where even if you delete any app from your pc it gets back in the next sync, or if you use chrome in another pc.

2. In firefox there are lots of addons which are trusted from decades and very much secured, I am not telling you to blindly trust them, just keep on updating them and firefox. These are –

• No Script – The one add-on that many security experts do not want to live without. No Script can block script execution on websites. It does so on all websites by default with the option to enable specific scripts temporarily or permanently. The add-on can prevent script based attacks (most of them are) if used correctly.
• Last Pass – The password manager for Firefox. It can generate and remember secure passwords, fill out forms and even auto login the user into websites. The three important security related features are secure password generation, password storing and auto login. Secure passwords have the weakness that they are hard to remember. It is simply easier to remember 123456 than f&z_cU!;re4xZ especially if you consider that unique passwords should be used one every website. With Last Pass users get unlimited secure passwords with the need to only remember the master password. The auto login feature can be very effective against phishing attacks as it won’t work on phishing websites that use a different url than the original.
• No Redirect – A versatile add-on that handles several things at once. It will reveal the destination url of short url services and prevent that Internet providers and other companies use DNS hijacks to show their (search pages). This does happen for instance with many major ISPs if the user mistypes a domain extension.
• Link Extend and Web of Trust – Link Extend and Web of Trust provide a similar functionality. They provide website ratings to inform the user about potentially dangerous websites. Both display ratings in major search engines but also in a toolbar for the active page.
• CS Lite – Cookie permissions on a per-site basis. Allows the user to block or allow cookies permanently or temporarily.
• Backup: Febe Firefox Backup. It is always a good idea to create regular backups to be prepared when data gets corrupted or deleted. Febe is a Firefox add-on that can backup all profile data of the web browser including bookmarks, settings, extensions and passwords.
• Flash Block – This is the closest to the No Script Firefox add-on. Flash Block will only block Flash content but not other script related objects.
• McAfee Site Advisor bookmarklet
• Adsweep, Adblock and Adblock+ – Two options to disable most advertisement that is displayed on websites. These add-ons are more about the annoying objects on websites and less about security. They can however be helpful in situations were rogue ads are displayed that spread malware.
• Web of Trust or Trend Protect – Both display ratings for the active websites and websites that are listed in the major search engines (Google Search, Yahoo Search, MSN). They can be used as an indicator if a site’s potentially dangerous to visit.
• Perspectives - Securely bypasses Firefox HTTPS security errors by verifying certificates using a collection of Network Notaries.
• Bitdefender Quickscan – it is a online virus scanner inside Firefox so that you can scan while you surf.
• Facebook Phishing Protector – saves from XSS and several Scripting attacks
• HTTPS Finder & HTTPS Everywhere – enhances your web browsing experience while securing the channel using encryption and validation so that you can know that the website is validated and the channel is secure. This provides another way to see the info if the links.
• Bitdefender Trafficlight – it is an addon to Firefox which enables user to surf securely, it checks the links visited, it is also intergraded into Facebook so it saves from unusual activities and hacking also.
• WorldIP – it enables you to quickly check YOUR IP so that later you can verify that IP when you get login notifications from FACEBOOK.
• Ecleaner – now many times we come across faulty apps, but even after uninstalling them from firefox some of their remains, this addon removes them all.

These are few useful addons which I personally tested, I am sure there are more. Just look at the subjects of security which are written in all above points, and you can use any other addon which YOU trust for that. Alternatively you can use private browsing modes to login into social networks or email account.

The Third Layer (Computer Security) –

1. This layer is pretty simple to understand as it needs nothing special which you don’t know.

2. Use a good antivirus. I use AVG FREE and its damn awesome, all settings turned to max, linkscanner active, infact this is the first application which prevented the malware from the Facebook SCAM to get loaded into my computer, archive scanner running always, memory and USB drives gets scanned all time, protection to the c drive and windows directory gets priority, its active security system is awesome.

3. Use a good firewall, I use windows 7’s default firewall which is very secure, but I use some tricks and tuned it to maximum, cant share these settings publicly for my security. Don’t get access right to all programs. Specially FAKE P2P softwares like kazaa, frostwire, etc .. However Torrents are secure. But clients like bitcomet is not. Use utorrent or bittorrent. They are the best. vuze’s java based plugins are not safe also it takes huge memory so don’t use that either. The problem is that the best client of torrents don’t work in windows which is transmission. Close all ports don’t open unnecessary ports, while using XP, please don’t increase the prescribed limit of HALF-OPEN ports. This will be fatal. This will help to spread the virus faster.

4. Make UAC in windows7 to MAX, this will help you not to get infected accidentally by any malware.

5. But for today’s environment where 0 days attacks are getting increased you should also use something more, that’s CLOUD PROTECTION, while I found IMMUNET FREE working superbly in windows x86 architecture, PANDA CLOUD FREE is working awesome in windows x64 architecture. Cloud / online protections are lightweight, don’t need any update, always ready to work, and you only need to be online to get the protection.

6. Use free garbage cleaner like IObit Advance Systemcare or better use CCleaner, this is a tiny free tool which provides all the functionalities. Use this to sweep all registry data, histories and most importantly cookies.

7. Use free proxy like TOR-VIDALIA bundle, systems to securely surf the web and email BUT DON’T USE IT FOR FACEBOOK; this will help to hide your security online. Never show your official private email ID in Facebook, Facebook has its email id, use that instead, but however if you need to show your private email in Facebook then you MUST use proxy to send mails as without protection anyone can see your IP in mail header.

8. If you are stuck with windows it is high time that you invest in ORIGINAL windows because with frequent updates windows, defender, IE, NETWORK DRIVERS, firewall & UAC rules will get updated, so that you can stay protected online.

9. always use an offline mail software to send and receive mails, what happens online IMAP access that the contents of mail gets loaded automatically then they are checked, so the changes of getting affected by steganographed viruses, so while using POP and SMTP the mail gets checked 2 times, one at the provider, second at your own computer, so you can be more secure. Also don’t download attachments from all mails that could have a virus.

10. Always encrypt the mails before sending, windows live mail writer can do that automatically BUT ONLY if you are using hotmail (windows live mail), but you can use PGP, TRUECRYPT also to encrypt the mails.

11. Enable bitlocker in windows 7 for c drive and windows so that no virus can harm. Also this will make sure that no malware can corrupt the firewall and antivirus.

I will try to update the lists all the time, please share your views and thoughts to make this list better and secure for all.

Thank You for your patience.

© Ramen Mukherjee

Credits –

1. http://www.ghacks.net/2009/10/15/top-5-security-plugins-for-firefox-chrome-and-internet-explorer/

2. Mozilla Firefox addon repository