The internet can be a scary place. Threats come in many forms, lurking in practically any corner. Worse, yesterday’s prevailing advice for staying safe online -- avoid dodgy websites, don’t traffic in stolen or illegal goods, interact only with people you know -- no longer holds. Phishing emails from supposed family members, spyware piggybacking on legitimate apps, well-known sites hijacked with malicious code -- digital safety clearly needs new rules to meet today's evolving threatscape.
Considering how much of our digital lives occurs online -- communications, financial transactions, entertainment, work, education, to name a few -- adopting even a few safe browsing practices can lead to broad benefits. And this includes how we deal with email messages as well, given how popular email is as a delivery mechanism for online attacks using exploit kits and malware.
Here, we provide a strategic guide for staying safe online, outlining what you can do to protect your data and privacy on the web, while remaining productive.
Understand your threat profile
We all use the web differently, and our risks vary drastically, depending on where we are, what we are doing, even what day it is. How a security researcher stays safe online is dramatically different from how a consumer who emails, uses Facebook, and watches Netflix does, which in turn differs from a developer downloading new tools and frequenting forums for advice.
At a base level, you should regularly update all your applications -- not just the OS, but every application, especially your web browser. You should also switch your browser preferences to click-to-play for Flash if your browser hasn’t proactively done that for you. You should also deactivate ActiveX and uninstall the Java client on your machine. Unless you are using Java-hungry client applications, such as games or certain educational offerings, you likely don’t need Java anymore. Even major videoconferencing applications are shifting to pure HTML5.
You should also consider the combination of venue and activity. For example, performing sensitive transactions on public wireless networks can get you in trouble. The public Wi-Fi at your favorite coffee shop is not the place for online banking. Not even if you’re using an SSL connection; a man-in-the-middle attack is still possible over SSL.
Once you've got those basics down, you’ll need to consider what dangers you are most worried about, what assets you want to protect, who you interact with regularly, and where your data is stored. In the following sections, we break down these concerns to help you match your secure browsing practices to your threat tolerance -- the level of threat you’re willing to live with online.
Threat level 1: No malware, please
Most folks, especially businesses, want to avoid malware at all costs. Two of the most common vectors are links that download malware and drive-by-downloads, in which malware is downloaded automatically just by loading a web page. Dangerous links can be found on webpages, in email, or on IM. Scammers often use social networks and URL shorteners to spread malicious links in disguise, in hopes that someone will click.
First action: Stop clicking on links. This requires social training, and it can be hard to stick to, especially given all the links we are sent all the time both professionally and personally. Ask people you communicate with regularly to send you a heads-up notification if they are planning to send a link -- and to send the link only after getting positive confirmation. Or, ask people to confirm that they in fact sent the link by using a different channel. For example, text your brother to ask if the link sent from his account is really from him. This may sound paranoid but the recent fake Google Docs scam succeeded because people thought the malicious file was from someone they trusted. Always type in your own links, and if someone sends you a link to what looks like a cool whitepaper, go to the source directly and seek out the whitepaper on the website yourself.
Pro tip: Set your browser to ask where a document should be saved so that you are always aware when something is being downloaded. Drive-by-downloads rely on stealth so that users don’t even realize what is happening. Configure your security software to scan all files as they are downloaded.
Threat level 2: I don’t like spyware, either
An attacker who manages to compromise your browser can uncover all kinds of information. Here, browser add-ons are not necessarily your friend. Use them sparingly, as they can become an unforeseen delivery mechanism for malware. Periodically check your list of extensions (chrome://extensions in Chrome, about:addons in Firefox) to see whether anything unfamiliar or inexplicable is there. You can rarely go wrong by disabling something that looks suspicious. Also be mindful of web pages that try to trick you into installing browser extensions -- for example, “Click ‘add’ to speed up this website” or some other deceptive prompt.
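A periodic extension check is easier to keep up if it is scripted against a baseline you reviewed once by hand. The following is an added example, not code from the original article: it reads the extensions.json that Firefox keeps in each profile directory and reports every extension whose ID is not on your saved allowlist. The field names it relies on ("addons", "id", "type", "active", "defaultLocale.name", "sourceURI") are assumptions about that file's layout, the profile path pattern is the Linux one, and both the sample JSON and BASELINE_IDS are constructed for the example.

```python
"""Audit installed Firefox extensions against a saved baseline (added example)."""
import glob
import json
import os
from typing import Dict, List, Set

# Constructed allowlist: the extension IDs you reviewed and decided to keep.
BASELINE_IDS: Set[str] = {"adblocker@example.org", "passwords@example.org"}

# Constructed sample of what a profile's extensions.json might contain.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "adblocker@example.org", "type": "extension", "active": True,
         "defaultLocale": {"name": "Ad Blocker"}, "sourceURI": None},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "defaultLocale": {"name": "Default"}},
        {"id": "speedup@example.net", "type": "extension", "active": True,
         "defaultLocale": {"name": "Speed Up This Website"},
         "sourceURI": "http://cdn.example.net/speedup.xpi"},
    ]
})


def unexpected_addons(extensions_json: str, baseline: Set[str]) -> List[Dict[str, object]]:
    """Return every installed extension whose ID is not on the baseline."""
    data = json.loads(extensions_json)
    suspects = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs carry no code
        if addon.get("id") in baseline:
            continue
        suspects.append({
            "id": addon.get("id", "?"),
            "name": addon.get("defaultLocale", {}).get("name", "?"),
            "active": bool(addon.get("active", False)),
            "source": addon.get("sourceURI") or "unknown",
        })
    return suspects


def audit_profiles(baseline: Set[str]) -> Dict[str, List[Dict[str, object]]]:
    """Run the check over every Firefox profile on this machine (Linux profile path)."""
    results = {}
    pattern = os.path.expanduser("~/.mozilla/firefox/*/extensions.json")
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            results[path] = unexpected_addons(fh.read(), baseline)
    return results


if __name__ == "__main__":
    # Constructed sample first, then whatever real profiles exist on this machine.
    for suspect in unexpected_addons(SAMPLE_EXTENSIONS_JSON, BASELINE_IDS):
        print(f"not on baseline: {suspect['name']} ({suspect['id']}) "
              f"active={suspect['active']} from {suspect['source']}")
    for path, suspects in audit_profiles(BASELINE_IDS).items():
        print(path, "->", len(suspects), "unexpected extension(s)")
```

Anything the script reports is exactly the "unfamiliar or inexplicable" entry the text tells you to look for; once you have decided an extension belongs, add its ID to the baseline and the next run stays quiet.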
First action: Be extra cautious with browser add-ons created by individuals, as they may access sites without HTTPS. Even the pros struggle: LastPass, creator of the widely used password manager, has had to fix a number of serious vulnerabilities in its browser extension recently. Ask yourself if the convenience provided by an add-on outweighs the potential risk, especially if it’s something you may not find worthwhile in a month.
Pro tip: Always consider the source. If you need to download Flash or Adobe Reader, get it from Adobe’s website. Don’t download tools like these from unaffiliated websites, because it’s easy for spyware, adware, and other malicious files to piggyback onto the download. Don’t search for “free PDF converter” and download whatever comes up first. (Do you even need one? Chrome automatically turns pages into PDF, and Office has good PDF support nowadays.) Projects like PortableApps.com and Ninite provide convenient ways to automatically obtain and update common open source and free-to-use applications from trusted sources.
Threat level 3: No tracking at any time
First action: Use private browsing or incognito mode when online. Here, cookies and browsing history aren’t retained when your session ends. You can fire up incognito mode and paste in a URL (that you are sure isn’t going to give malware) and navigate to the page fully sure you aren’t tracked. If you want to always be incognito on Chrome, add --incognito at the end of the target command in Chrome properties, and you’ll be in incognito mode whenever you launch Chrome. You can do the same for Firefox via
Pro tip: If you want to use Facebook, Twitter, or other social account but don’t want that login following you persistently, create a separate user profile in Chrome, Firefox, or Safari, one reserved exclusively for that social network. Log into it there, and only there, and use it there and only there. This confines the amount of data associated with that login to only those things you absolutely need it for. This technique is also useful for minimizing tracking from sites that use social networks as single-sign-on providers, like Spotify.
If you are concerned about tracking, you should enable Do Not Track on every browser you use. DNT isn’t enforced -- it just tells websites that you’ve asked not to be tracked. It’s up to the websites you visit to respect that request. Many websites aren’t scrupulous and there is no guarantee the site you are visiting will honor the request, but it doesn’t hurt to at least make your preferences clear upfront.
Threat level 4: Hands off my information
First action: Block cookies whenever you can. While it would be nice to block both first-party and third-party cookies, and to disable session cookies, it makes basic web browsing such as email and social networking nearly impossible. You should at least block third-party cookies, and you should consider deleting your browser history on a regular basis.
Also, don’t let browsers store passwords. It’s convenient, but it’s hard to guarantee the security of the stored passwords. Use a separate password manager such as 1Password or KeePass.
Pro tip: For searches, use a secure search engine such as DuckDuckGo, which doesn’t store information automatically transmitted by the computer, such as your IP address and other pieces of digital identity. DuckDuckGo cannot auto-complete search queries based on previous searches or location, but that’s a small price to pay given that it also cannot link search history to you.
If you want to keep your information to yourself, private browsing is your friend. If no cookies are saved, there’s nothing to steal. It’s a good idea to delete all cookies after every browser session. You will have to log in to websites with each new session because they won’t know who you are. This is another use case for establishing distinct user sessions, in which you create sessions for specific logins and confine cookies for that login to that user session only.
While some add-ons can be dangerous, others are good -- for example, Disconnect, which blocks third-party tracking cookies. The extension blocks social media accounts from tracking browsing history and gives users the ability to control the scripts on the site. Another extension worth having, Ghostery, blocks common tracking scripts but lets you whitelist sites that depend on them if need be.
Threat level 5: Don’t phish me
Phishing sites are fraudulent websites designed to steal personal information. This isn’t limited to login credentials for email or banking sites. Phishing sites can masquerade as contests and ask for your SSN. Phishing attacks can also redirect victims to a bogus site where malicious code is downloaded and the malware collects sensitive information. We see potential phishing attacks everywhere, so our natural inclination is to not click on any links.
First action: Don’t click on links received in email or open attachments, let alone fill out sensitive information in forms that come your way. That FedEx claim form may just be a fake. Pick up the phone and call FedEx to verify what is going on. Don’t click the link in an email that looks like it’s from HR warning you about your vacation balance. Go to the HR website directly to see what is wrong. Typing out URLs helps catch tricks such as using a 0 (zero) instead of an O (the letter) or nn instead of m, or the fact that the address is something like paypal.com.someothersite.com. Type a trusted URL for a company’s site into the address bar of your browser to bypass links in an email or instant message.
Pro tip: Provide personal information only on sites that use HTTPS. Remember that with Let’s Encrypt and other sources of free SSL certificates, just a padlock icon is no longer enough. Look for an EV cert -- the name of the entity should show up in the browser bar. The HTTPS Everywhere extension from the Electronic Frontier Foundation is also a good option as it forces sites to put traffic over HTTPS.
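The URL tricks described above (a zero for an O, nn for m, a trusted name buried as a subdomain of someone else's site) and the HTTPS requirement of the pro tip can all be checked mechanically before a link is trusted. The following is an added example, not code from the original article: TRUSTED_DOMAINS is a constructed sample of sites the user actually does business with, the CONFUSABLES table extends the article's two substitutions with a few close relatives (1 for l, rn for m, vv for w), and the registrable-domain logic deliberately takes only the last two labels, so it does not handle suffixes such as co.uk.

```python
"""Spot the link-spoofing tricks named in the article before trusting a URL (added example)."""
from typing import List
from urllib.parse import urlsplit

# Constructed sample of sites the user genuinely uses.
TRUSTED_DOMAINS = {"paypal.com", "fedex.com", "amazon.com", "google.com"}

# Look-alike substitutions, mapped to the character they imitate.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "nn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com' (simplified: last two labels only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Collapse look-alike sequences so 'paypa1.com' and 'arnazon.com' read as their targets."""
    out = name.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def check_url(url: str) -> List[str]:
    """Return warnings for the URL; an empty list means none of the tricks matched."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    warnings: List[str] = []
    if parts.scheme != "https":
        warnings.append("not HTTPS: do not enter personal information here")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings  # the real site (though possibly still over plain http)
    # Trick: the trusted name is only a subdomain of somebody else's domain.
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            warnings.append(f"'{trusted}' is a subdomain of unrelated site '{domain}'")
    # Trick: look-alike characters in the domain itself.
    looked_like = normalize(domain)
    if looked_like != domain and looked_like in TRUSTED_DOMAINS:
        warnings.append(f"'{domain}' imitates '{looked_like}' with look-alike characters")
    return warnings


if __name__ == "__main__":
    for link in ["https://www.paypal.com/",
                 "http://paypal.com.someothersite.com/login",
                 "https://paypa1.com/signin",
                 "https://www.arnazon.com/"]:
        print(link, "->", check_url(link) or ["ok"])
```

The check is only as good as the trusted list: a domain the list does not mention, such as a hyphenated variant of a brand name, passes silently, which is why the text still tells you to type the address yourself rather than rely on any filter.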
If you receive emails from merchants -- for instance, for specials or discounts -- see if there’s an option to send emails as text instead of HTML. This makes it easier to see what the content of a given link is.
It’s difficult to detect all phishing attempts -- some are extremely good. Make sure you don’t reuse the same password across accounts, so that one stolen password doesn’t compromise all the others. Use a password manager to generate a distinct password for each site account. Try to keep personal Internet use separate from work Internet use, and never register for sites using your work address. If that account gets compromised, you don’t want it to lead to phishing attacks against your work address. Turn on two-factor authentication when a site supports it, to make it harder for attackers to use stolen credentials -- especially if that site is a financial institution.
Threat level 6: Nuclear protection
If you’re going for maximum protection, you'll need to set up a system of multiple browsers and operating systems to keep activities separate. And you might want to consider a series of virtual machines to isolate the threats.
First action: Use different web browsers for different activities: Have a browser for financial transactions, another for communications, another for just browsing. That way, if an attacker compromises a web forum you frequent, he or she can’t use cross-site scripting to get access to online banking because the attack can’t jump across browsers. A Facebook scam can’t escape to gain access to Amazon.
For a very sensitive website -- the crown jewel of your accounts -- have a dedicated web browser for that site and be restrictive in its configurations. For example, having a dedicated browser used only to access your Amazon Web Services control panel means there is no way to “accidentally” browse to some other site (whitelist only AWS, block others) and potentially expose your organization’s entire cloud infrastructure. Turn on all security options to lock down the browser.
Pro tip: For extremely risky -- potentially dangerous -- or incredibly sensitive sites, consider splitting up the activity across multiple virtual machines. Do all your banking in a dedicated virtual machine using a locked-down (yet up-to-date) browser. This eliminates all banking-focused web attacks, and the attacker would have to do a lot more work to get your banking information.
Linux Live CDs are a great alternative to running VMs -- you can even run a Live CD in a VM for maximum security. Tails is a very stripped-down Linux variant that runs off a USB drive and can be used to hide digital footprints, since it keeps nothing persistent.
Got an email attachment that looks hinky? Open it in a VM. If it’s malware, it has infected just an empty VM. Of course, don’t assume that everything is okay just because nothing happens in the VM: Malware can be designed to not execute within a VM. Keep that file always in the VM and away from your main desktop.
If you want to hide your activities online, consider Tor, which conceals your identity by using encryption to scramble data transmissions and routes traffic between multiple Tor nodes to obscure the origin. Since your traffic passes through random servers with Tor, the data is no longer tied to your personal IP address.
Being safe online is a combination of technology, awareness, and willingness to jump through hoops. Today’s browsers offer lots of protections, including the ability to disable plugins and turn on anti-phishing mechanisms. Just turning those on and completing basic security hygiene, such as updating all software, will address much of the low-hanging fruit.
But it is easier than ever to be infected with malware or get hit by a phishing attack. Sometimes it’s just a matter of being in the wrong place at the wrong time. But once you know what you are most worried about and what your appetite for risk is, you can set a sensible security regimen to fit your needs, keeping you safe and productive online.