All Posts Tagged With: "online security"

Firefox Extension Generates A Unique Password Per Domain

One of the big no-no’s in online security is using the same user name and password for different sites. The reason is simple: if one site gets compromised, your login information for other sites is now “floating around”. While having separate passwords is great in theory, practicing it is another story. To help with this, check out the Firefox add-on Magic Password Generator.

You remember one master password. (It is not stored anywhere, don’t forget it!) Then, with a (somewhat simple) cryptographic hash function, the extension combines your master password and the domain name of the site to make another unique password for that site. The password is not saved in Firefox, or anywhere else, so there is no stored list of passwords to steal.

Keep in mind, this extension is completely separate from the password manager built into Firefox. Basically, passwords are generated on the fly each time using an algorithm based on the current domain name.

This extension works best if you only use a single computer, but if you use multiple, there are tools available on their website to help you find out what your password would be.

While Magic Password Generator is certainly not for everyone, some of you may find it useful.
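The derivation described above can be sketched as follows. This is an added example, not the extension's own code or algorithm: the function names, the SHA-256 and PBKDF2 choices, the iteration count and the rotation counter are all assumptions. It puts a single-hash derivation beside a stretched one, because any site that learns its generated password can test guesses of the master password offline.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def site_key(url_or_host: str) -> str:
    """Reduce a URL or bare host to the lower-case host name used as salt."""
    text = url_or_host.strip()
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    return host[4:] if host.startswith("www.") else host


def _encode(raw: bytes, length: int) -> str:
    # URL-safe base64 gives letters, digits, '-' and '_'.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def fast_password(master: str, site: str, length: int = 16) -> str:
    """Single SHA-256 call: cheap to compute, so also cheap to guess against."""
    data = f"{master}:{site_key(site)}".encode("utf-8")
    return _encode(hashlib.sha256(data).digest(), length)


def stretched_password(master: str, site: str, counter: int = 1,
                       length: int = 16) -> str:
    """PBKDF2-HMAC-SHA256 salted with the site; bump counter to rotate."""
    salt = f"{site_key(site)}#{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    return _encode(key, length)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("https://www.example.com/login", "example.org"):
        print(site_key(site), stretched_password(master, site))
```

The counter covers the case a pure hash scheme handles badly: a site that forces a password change gets a new value without changing the master password.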

Test Your Ability To Detect Scam/Phishing Emails

As you are probably well aware, phishing scams are everywhere. I believe these are by far the most dangerous “computer” threat out there as their sole purpose is to steal important info (e.g. bank logins). While security programs attempt to detect these, I am extremely skeptical about relying on these programs (as you may know, I don’t believe in anti-virus/internet security suites) as the best protection is education.

On that note, here is a good test to help determine how good you are at distinguishing real emails from fake ones. Some questions are easier than others, so if you end up missing a few be sure to review the information on why.

Additionally, for those interested, I have written an article on this site which really gets down to the nuts and bolts of some fake emails in an eBay scam I was the target of.

Web Of Trust Can Warn You About Unsafe Websites

Whenever you browse sites you are not familiar with, you always run some risk of the site not being “on the level”. If you do not go the route of script blockers, it is a good idea to have something watching your back. Web of Trust (WOT) is a tool that can fit this bill.

WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It’s easy and it’s free.

When you have WOT installed, it will check websites you are visiting as well as search results/links (on popular sites) so you can see if they are rated safe before you visit. Based on what I have seen, this site gets positive reviews from several sources, so I have no reason to question it.

Make Your Network Safer And More Reliable

(Just about) every time you go to do anything on the Internet, be it check your email, visit a website or whatever, your network has to submit a DNS request to find out the target machine(s) to communicate with. So a lot of your Internet performance and security is affected by the DNS servers you use. By default, almost everyone uses their ISP’s servers, but you might want to consider using the free OpenDNS service instead.

OpenDNS offers many features (such as content filtering and phishing protection) and is easy to set up. Additionally, depending on your ISP, you can see noticeable speed increases (due to faster DNS query responses). Best of all, OpenDNS has virtually zero downtime so you will not be impacted if your ISP has a DNS outage.

I plan on implementing OpenDNS both at home and in our office in the very near future.

Easily Hide ‘Text’ From Web Crawling Bots

If you ever have the need to hide text from web crawling bots such as email gathering spam bots or search engine spiders, then putting your text in an image and posting the image is an effective method. Of course, this can be cumbersome for obvious reasons. Instead of doing this manually, check out Hide Text.

Hidetext.net lets you convert text to an image. This means you can hide passwords, personal messages, pieces of code, or any kind of private information on forums, blogposts, emails, irc, msn-aim chats, [etc]

Usage is simple: just type in your text and click a button to generate an image. Additionally, you can use their email-specific tool to create a multi-color, multi-font image of your email which essentially makes it readable only to humans.

A great article which covers this tool is available here. This is definitely worth a bookmark if you do a lot of posting on web sites or want to publish your email on your web site.

Take Control Of Your Cookies

If you like to take total control over your browsing session, down to controlling individual cookies, then the Firefox add-on you need is CookieSafe.

This extension will allow you to easily control cookie permissions. It will appear on your statusbar. Just click on the icon to allow, block, or temporarily allow the site to set cookies. You can also view or clear the cookies and exceptions by right clicking on the statusbar icon. For safer browsing you may choose to deny cookies globally and then enable them on a per site basis.

Basically, what NoScript does for JavaScript, CookieSafe does for cookies. While I do not consider cookies to be nearly as dangerous as scripts, this is definitely something the security-conscious user will want to consider.

How Can You Tell If A Website Is Legit?

On the heels of my post yesterday regarding scammers using fake websites to steal information from job applicants, I thought I would post a few pointers to help determine if a website is indeed legit.

  • Does the site look professional? If the site looks very thrown together and has little to no content with typos everywhere, stay away.
  • Is there any contact information? If so, do they provide a phone number and does it work?
  • Check their website registration on whois.net. If the site has been around a very short time, beware.
  • Use common sense. If you think it is sketchy, it probably is.

These are just a few and are in no way definitive or absolute. Unfortunately there isn’t a way to 100% determine if a site is on the level.

If anyone has any additional signs to look for, please share.
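The registration-age check from the list above can be automated once you have the WHOIS text for a domain. This is an added example, not part of the original post: the field labels, date formats, the 180-day threshold and the sample records are assumptions, and the records are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Labels registries commonly use for the registration date (assumed, not exhaustive).
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Created|Registered on)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def creation_date(whois_text: str):
    """Return the registration date as an aware UTC datetime, or None."""
    match = _CREATED.search(whois_text)
    if not match:
        return None
    for fmt in _FORMATS:
        try:
            return datetime.strptime(match.group(1), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None  # label present but date in an unrecognised format


def domain_age_days(whois_text: str, today: datetime):
    created = creation_date(whois_text)
    return None if created is None else (today - created).days


def verdict(whois_text: str, today: datetime, min_days: int = 180) -> str:
    """'recent' means beware; 'unknown' means the record needs a manual look."""
    age = domain_age_days(whois_text, today)
    if age is None:
        return "unknown"
    return "recent" if age < min_days else "established"


# Constructed sample records (not real WHOIS output).
NEW_SITE = "Domain Name: JOBS-EXAMPLE.TEST\nCreation Date: 2009-03-14T04:00:00Z\n"
OLD_SITE = "domain: example.test\ncreated: 2001-06-02\n"
REDACTED = "Domain Name: HIDDEN-EXAMPLE.TEST\nRegistrar: Example Registrar\n"

if __name__ == "__main__":
    now = datetime(2009, 4, 1, tzinfo=timezone.utc)
    for record in (NEW_SITE, OLD_SITE, REDACTED):
        print(verdict(record, now))
```

A missing or unparseable date is reported as "unknown" rather than treated as safe, and an old registration date is only one signal among the others in the list.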

Job Hunting? Beware Of Phishers

In the news recently, there was mention of a city in Montana requiring not only information on your social media accounts, but your user name and passwords as well. It goes without saying, this is a huge concern for applicants’ privacy.

On a related note, phishers and scammers are taking advantage of job applicants as well by setting up phony companies in order to gather personal information. This is an article definitely worth looking at if you are applying for a job primarily via electronic communication.

Job seekers who posted their resumes on Monster, Career Builder and Yahoo received e-mails from either USA Voice or Instant Human Resources, telling them that based on their resumes they qualified for a promising sounding position. Those who didn’t smell a scam right away filled out online applications, in the process disclosing personal information.

Just be careful who you give your personal information to. Whenever there is opportunity, you can bet scammers are looking to take advantage of people.

Protecting Yourself From Clickjacking

Clickjacking is one of the newer online threats. If you are not familiar with it, here is an excerpt on what it is:

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

This is a threat regardless of what browser you are using. Thankfully, Firefox users can protect themselves from this threat with NoScript. The linked article contains an email from the author of NoScript which explains the settings to use to protect yourself.

Basically, using NoScript with user specified trusted site protection (default configuration) protects you against almost all scenarios, but for complete protection you would need to disable all IFRAMEs. Disabling IFRAMEs, however, may cause certain sites to completely stop working.

IE8 users can heed the following advice:

End-users can mitigate the impact of CSRF attacks by logging out of sensitive websites when not in use, and by browsing in independent InPrivate Browsing sessions. (InPrivate sessions start with an empty cookie jar, so cached cookies cannot be replayed in CSRF attacks.)

You Should Have NoScript Installed On Firefox

Many people do not like to use the NoScript add-on for Firefox because it is pretty restrictive out of the box and requires time to tune it to where you do not notice it running. While I can certainly understand this point of view, one thing you may not know is that even if you allow global scripts to run (which removes the restrictions people find annoying), NoScript still protects you from XSS.

If you are not familiar with what XSS is, you can read the full description of the protection provided by NoScript on their site.

Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail).

While there is no doubt that taking advantage of NoScript’s full range of features will give you significant protection, at the very least the XSS protection alone makes this add-on worth having.

Detect Websites With Malicious Scripts

As you probably are aware, websites can serve as hosts for malicious scripts. If you are not adequately protected, they can damage your system. One tool to help protect from these infected sites is LinkScanner.

LinkScanner Lite inspects each search result as it is returned to your browser. One of four color-coded icons will appear next to each result.

LinkScanner Lite also allows you to inspect any hyperlink on the Web, at any time, simply by right-clicking on it. LinkScanner Lite will perform its analysis and return a verdict.

This tool is included with AVG’s security tools, so you may already have it.

One note on this is it should be used responsibly. I would recommend you try to use only the on-demand scanner to avoid sending garbage traffic (via the pre-scanner) to websites you might not even visit.

A Great Collection Of Security Tools

One thing which is good to do periodically is to audit your PC against online threats. Doing so is very easy and locking down the most obvious entry points is one of the simplest ways to stay safe. This process is made easy by using some of the free tools available from Audit My PC.

This site offers tools which can test your firewall, help prevent spam, scan your computer for viruses and malware or install a firewall on your machine (if you don’t have one already). Additionally, Audit My PC offers tools to test your connection speed and generate sitemaps for your websites.

Overall, this is a pretty nifty site. Even if you don’t use everything it offers, it is good to have this stuff all at a single location.

Urgent Notice For Internet Explorer Users

When it is seemingly important enough, I like to run tips regarding high priority security notices. Users of Internet Explorer (any version) will want to take note of this Microsoft Security Advisory notice. The details on the problem state:

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

In a nutshell, the issue is your machine can be compromised by merely visiting a site which is coded with a special blend of scripting. You can read a more ‘user friendly’ description of the error here.

There is currently no patch for this issue as Microsoft is working to release an emergency fix. If you do use IE as your primary browser, you may want to consider using an alternate browser until this issue is resolved.

Browse Smart On Your Servers

Whenever you are doing work on a server, security should be at the top of your list. For obvious reasons, a server is the absolute worst place to have a malware infection. To help minimize the risk, you should always be smart with your browsing habits.

If you are working on a Windows Server OS (a true server OS, not XP or 2000 acting as a server) and using Internet Explorer, make sure you are using IE with the Enhanced Security feature enabled. This is an option available in the Add/Remove Windows Components section. Alternately, you can use Firefox with the NoScript plugin installed. Both will disable JavaScript unless you manually allow the site access to run it. Linux users will also want to take advantage of Firefox with NoScript to protect themselves.

Again, it is almost best to browse with ‘paranoid level’ security when working on a server. You should only go to sites you know and trust anyway, but you never know what could be lurking on that site in the rare event it has been hijacked.

Comparison Of Firewalls

While doing some research the other day on firewalls, I came across (naturally) Wikipedia’s page on firewall comparisons. This page was actually exactly what I was looking for as it lays out some popular ‘personal’ and commercial options side by side.

Outside what I was looking for, you can see the Windows firewall actually compares quite nicely on the most important functionality, especially the one included with Windows Vista. The firewalls most of you may be interested in (the personal variety) are included at the top with, unfortunately, only limited data. For more detailed information on personal firewalls, check out this page. On the personal firewalls page, you can find links to reviews which can help if you are looking for a firewall on your PC.