This week we have been investigating browser hacking, or the inadvertent disclosure of personal information that is saved and stored by your browser. Today we will be showing several actions you can take to keep your information private.
The best way to protect yourself from a remote attacker is to prevent the remote access malware needed to access your computer from installing in the first place. Using a good, up-to-date anti-malware package should detect, block, or remove all but the newest malware downloads and installations. If you are using a premium product that requires annual subscription payments, please keep the subscription current. Expired anti-malware products cannot protect you from newer exploits. Free products, such as Windows Defender, are a good alternative as long as they are getting regular updates.
This, of course, will do nothing to deter someone with physical access to your computer. In that case, using a locking password-protected screen saver on a short timer will help. So would setting your computer to log out back to the login screen after 5-10 minutes of inactivity. You do have a password for your computer, don’t you?
Next, keep your operating system and applications fully patched and updated. Make sure Windows and Microsoft updates are installing automatically, and popular applications such as Adobe Reader and Flash, and Java are staying updated as well. Since Flash and Java are used all over the web, keeping these updated is critical. It is especially important that you upgrade to the most recent versions your web browsers, since they will be more secure against newer attacks and exploits.
Other browser specific actions you can take to protect yourself are:
- Use incognito mode. This prevents your browser from saving any data, but means you will not have any browsing history, customized web site, relevant suggestions, or saved logins. But that is what we are talking about, so this is the best option.
- Prevent saved logins. If you want software to remember your passwords, use a password manager.
- Set a master password. Or if you prefer, set a master password to access your stored passwords, this way an attacker would need the master password to read the stored passwords. SmartLock is a good alternative for Chrome.
- Use a password manager. Using a good third-party password manager is a better option. When coupled with two-factor authentication, a password manager such as LastPass is your best option for saving remembered passwords.
- Two-factor-authentication. Use 2FA for as many web accounts as you can, certainly for your email, banking and financial, social, and shopping accounts. We use Google Authenticator. If your password escapes into the wild, an attacker who still need your smartphone to log into 2FA protected accounts.
- Disable cookies. There will be some websites where you need cookies, but you can enable them on a site-by-site basis. Disabling third party cookies prevents advertisers from tracking you and serving up “relevant” ads.
- Disable autofill. Sure, this means filling in forms manually. You can set up autofill in a password manager if this is an important feature for you. LastPass can do that for example, and at least your information is not in the browser, but safely encrypted inside the LastPass application.
- Clear your browser cache. This removes all web browsing traces that may have slipped by your other defenses. You can set this up to clear automatically when you close the browser, or you can elect to do it manually once in a while. We prefer automation to human memory. CCleaner can be a good tool for this purpose. The professional version allows for scheduled cleaning.
If you have followed our guidance, your browser should be more secure than it was at the start of the week. Hopefully you found this series on browser hacking informative as well. We love to hear from our readers, if you would like to send a comment we would be happy to post it on the site.
More information:
- Exabeam report
- Security and browser settings for:
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com