Everyday Security & Privacy

Here is a list of simple tools and best practices to keep your computational work and communications reasonably secure. These are low-impact steps that protect your own privacy, and because your co-investigators share the same network connections and servers, following some or all of them also improves their security and privacy.

First, the recommendations:

  1. Use a password manager
  2. Use Two-factor Authentication/2FA
  3. Encryption Everywhere
  4. Block Browser Plug-ins by Default
  5. Block Advertiser Code

Password Management

The best password is one that is truly random and long. Using a unique random password for every computer and service you use helps ensure that only authorized people can access the account on each service, and it keeps the leak of any one password (for example from a breach at one site) from opening up your other accounts.

Unfortunately, most humans are not good at remembering many random sequences of letters, numbers, and symbols. A better solution is a single strong password that you can remember, which secures a list of random passwords, one for each service you use.

MIT IS&T has purchased access to Enterprise LastPass. This software will allow you to create and manage different passwords for all services and logins you have.

The password that secures your random passwords should not be a single word or a well-known phrase, since those are the first things a guessing attack tries. Having a secure, personalized system for creating an easy-to-remember master password is key to ensuring it cannot be easily guessed.
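To make the "truly random and long" advice concrete, here is a small added example (not code from the original page or from any of the password managers it lists) that generates a per-service password and a memorable master passphrase from the operating system's entropy source, and computes how many bits of guessing work each one represents. The eight-word list and the guess rate of 10^10 per second are assumptions chosen for the demo; a real passphrase generator uses a list of thousands of words.

```python
import math
import secrets
import string

# Constructed word list for the example only. A real generator uses a large
# list (the EFF long list has 7776 words, about 12.9 bits per word).
WORDS = ["correct", "horse", "battery", "staple",
         "orbit", "velvet", "cactus", "lantern"]

# Alphabet for per-service passwords: letters, digits and common symbols.
SYMBOLS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def random_password(length=20, alphabet=SYMBOLS):
    """Per-service password: uniformly random characters from a CSPRNG.
    secrets.choice draws from the OS entropy source; random.choice does not
    and must never be used for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=6, words=WORDS, sep="-"):
    """Master passphrase for the password manager: random words are easier
    to memorise than random characters while still being chosen uniformly."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol, n_symbols):
    """Guessing difficulty of a uniformly random secret: log2(choices ** n).
    Only valid when every symbol is chosen uniformly and independently,
    which is exactly why a CSPRNG, not a human, should pick them."""
    return n_symbols * math.log2(choices_per_symbol)


def guess_time_years(bits, guesses_per_second=1e10):
    """Expected time to find the secret at a given offline guess rate
    (half the keyspace on average). 1e10/s is an assumed rate for an
    attacker with a fast hash and several GPUs."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def compare_schemes():
    """Worked comparison of three password schemes under the assumed rate."""
    schemes = [
        ("8 lowercase letters", entropy_bits(26, 8)),
        ("20 chars from %d-symbol set" % len(SYMBOLS), entropy_bits(len(SYMBOLS), 20)),
        ("6 words from 7776-word list", entropy_bits(7776, 6)),
    ]
    return [(name, round(bits, 1), guess_time_years(bits)) for name, bits in schemes]


if __name__ == "__main__":
    print("service password:", random_password())
    print("master passphrase:", random_passphrase())
    for name, bits, years in compare_schemes():
        print("%-32s %6.1f bits  ~%.3g years" % (name, bits, years))
```

The point of the comparison is that a six-word passphrase from a large list is both memorable and far stronger than eight lowercase letters, which is why it is a reasonable master password, while the per-service passwords can be as long and unreadable as you like because the manager remembers them for you.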

Good options for password management:

  • LastPass (good integration with MIT networks, includes multi-factor authentication)
  • 1Password (good UI on OSX and Windows)
  • KeePass (cross platform/open source)

A few more words about password security.

Two-Factor Authentication/2FA

Two-factor authentication is based on combining something you know with something you have. The something you know is a password or passphrase. The something you have is your phone (SMS messages, a phone call, or an authenticator app), a YubiKey, or a dedicated token generator. Not all second factors are equal: codes sent by SMS can be intercepted or redirected (for example by a SIM swap at your carrier), an authenticator app is better, and a hardware key that performs a challenge-response with the site (U2F/FIDO) is the only one of these that a phishing page cannot simply relay.

MIT campus and the Media Lab have a deal with Duo Security. All students and staff must use this service to access many systems on campus. The Duo phone app also provides 2FA for other services, such as GitHub, Google, Slack and many more. If you already use Google Authenticator or Authy, you can scan the same QR codes with the Duo app, because all three implement the same standard time-based one-time code (TOTP) algorithm.

Encryption of Network Data/VPN/HTTPS

Two problems with sending unencrypted traffic over a network are that anyone on the path can record and examine it, and that it can be altered in transit. Malware or hidden web frames can be injected into a web page without your knowledge or that of the site you are visiting.

With good encryption between you and the end service, data cannot be altered in transit without detection: TLS authenticates every record as well as encrypting it, so a modified message is rejected rather than silently accepted. There are several solutions for this.

HTTPS (and HTTP/2)

It is good practice to make sure that all of your web traffic is encrypted using HTTPS. (HTTP/2 is a newer version of the protocol rather than a separate kind of encryption, but browsers only speak it over TLS, so an HTTP/2 connection is an encrypted one.) Besides ensuring that data is unaltered between you and the service, HTTPS checks the server's certificate, which lets you trust that the site you have connected to is the real one and not an impostor. There is a browser extension that can help enforce this:

  • HTTPS Everywhere (Firefox, Chrome, Opera)
  • At the present time there is no good solution for Safari

Without an extension, it is good practice simply to watch the icons in your browser's address bar to check that a site is being loaded over HTTPS.

Virtual Private Network (VPN)

When connecting to the Media Lab or MIT networks, some services are only accessible if you are already on a local network connection or if you are using a VPN connection. A VPN connection creates an encrypted network directly between your computer (laptop, desktop, or phone) and the Media Lab or MIT networks. Instructions for use:

If you configure the VPN to route all traffic through it, this helps protect communications between your laptop and the rest of the internet when you are browsing from a cafe or some other untrusted local network. Be clear about what it covers: your traffic is encrypted only as far as the VPN endpoint on the MIT network, and from there to the destination it is as exposed as it would have been otherwise. So the VPN is not a substitute for HTTPS; using both is better.

Block Browser Plug-ins by Default

Flash, Java and other browser plug-in technologies have been among the most common sources of security and privacy breakdowns on the web. Many websites include both hidden and visible references to plug-ins that load automatically as soon as you navigate to the site.

Browsers provide methods for blocking plug-ins by default, while retaining the ability to load individual plug-ins on a website as needed, by clicking on them.

  • Chrome, type or click: chrome://settings/content into the Chrome URL field, and select "Let me choose when to run plugin content"
  • Current Safari, Preferences > Security > Plug-in Settings > When visiting other websites: Ask
  • ClickToPlugin (preferable on older versions of Safari)

This can be a tricky balance, as some video on websites requires that plug-ins load automatically, otherwise the video is unplayable. Adjusting exceptions for particular websites can be tedious but is well worth it to avoid being exposed to malware.

Block Advertiser Code

As you navigate the web, chunks of code (JavaScript) from external third-party advertisers are downloaded and executed in your browser, and therefore on your laptop, desktop or phone. This code, combined with cookies (data that keeps session or login state for you on individual websites, and that can also be used to trace you across sites), can leak information about your browsing and buying habits.
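It is easy to underestimate how much third-party code a single page pulls in. The following added example (not code from the original page or from any ad-blocking tool) walks the HTML of a page and lists every script, frame, image and stylesheet that comes from a domain other than the page's own, which is the set an ad or tracker blocker would act on. The sample page and the hostnames in it are constructed for the demo, and the domain grouping is a deliberately crude "last two labels" rule; a real tool uses the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, modelled on what a typical article page loads.
PAGE_URL = "https://www.example.edu/post"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example.edu/post">
<script src="https://cdn.example.edu/app.js"></script>
<script src="//ads.adnetwork.example/loader.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<p>Article text.</p>
<img src="https://tracker.pixelco.example/p.gif?uid=123" width=1 height=1>
<iframe src="https://www.adnetwork.example/frame" style="display:none"></iframe>
</body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the hostname. Assumption for the
    demo; 'example.co.uk' style names need the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class ThirdPartyScanner(HTMLParser):
    """Collect every external resource the page will load and group the ones
    served from a domain other than the page's own."""
    LOADERS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.first_party = registrable_domain(urlparse(page_url).hostname or "")
        self.first_party_hits = []   # (tag, url) served by the site itself
        self.third_party = {}        # domain -> [(tag, url), ...]
        self.inline_scripts = 0      # script blocks embedded in the page

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and "src" not in a:
            self.inline_scripts += 1
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return  # canonical, icon, etc. do not execute or track
        attr = self.LOADERS.get(tag)
        if not attr or attr not in a:
            return
        url = a[attr]
        if url.startswith("//"):
            url = "https:" + url  # protocol-relative URL
        host = urlparse(url).hostname
        if not host:
            self.first_party_hits.append((tag, url))  # relative URL
            return
        domain = registrable_domain(host)
        if domain == self.first_party:
            self.first_party_hits.append((tag, url))
        else:
            self.third_party.setdefault(domain, []).append((tag, url))


def report(page_url, html):
    """Summarise who the page makes your browser talk to."""
    scanner = ThirdPartyScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {
        "first_party": len(scanner.first_party_hits),
        "inline_scripts": scanner.inline_scripts,
        "third_party": scanner.third_party,
    }


if __name__ == "__main__":
    r = report(PAGE_URL, SAMPLE_HTML)
    print("first-party resources:", r["first_party"])
    print("inline scripts:", r["inline_scripts"])
    for domain, hits in sorted(r["third_party"].items()):
        for tag, url in hits:
            print("third party  %-22s %-7s %s" % (domain, tag, url))
```

The 1x1 image with a uid in its query string is the classic tracking pixel: it runs no code, but the request itself, with the cookie the browser attaches, is enough to record the visit. That is why blockers work on network requests to third-party domains rather than only on scripts.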
