Presentations Posted

I have finally gotten around to purging sensitive information from my presentations and they are now posted. You can see them from the menu by going to “Professional” and then to “Writings and Presentations”. For your reference, the following are new:

New Theme

I have upgraded WordPress to the latest, killed some old plugins and added some new ones. I also added a brand new theme so I could merge my pages from my old website over here. That’s right, this is now the primary place for stuff about me. (I’m sure you’re all thrilled.)

Anyway, if you just followed my blog, there’s new stuff at the top menu, check it out. If you were following my website, there’s new stuff right here. You can also play with the archives to the right. If you’re here because you’re stalking me, you probably want to go to about first. Then download Maltego. Use a mix of the URLs from the about page and the following keywords: “Josh More”, “guppie”, “guppiecat” to do multi-level Internet-based snooping on me. Enjoy. If you find the stuff I wrote on Usenet when I was 15, please accept my apologies. In my defense, I was 15. ;)

Over the next several weeks, I hope to merge some of the stuff from my files back to this site, just to keep everything updated. If stuff is broken, please let me know.

Operation Night Dragon

My marketing guy says if my posts are going to rank higher on search engines, they have to be timely and call out keywords in bold and italics (and lots of hyperlinks throughout)… so today you get a post about OPERATION NIGHT DRAGON (insert ominous sound effect here).

Night Dragon for those that do not know, is an attack against energy companies that was recently (look marketing, it’s timely!) exposed by a McAfee report. The attacks involved several techniques including compromising web servers, database servers, stealing passwords and targeting employees for access and executives for data. The ultimate goal of this is unknown, but suspicions are leaning towards this being an attack focused on stealing data not on stealing money or reducing the capabilities of the attacked firms.

While there is plenty of discussion in the security community that is, frankly, overhyping this attack (I would have named it “Lightning Thief”) that’s not where I am going to go here. Instead, I am going to focus on two key words. To paraphrase the story, it all boils down to this:

“McAfee identified attackers that used unsophisticated attacks to enter the networks of US energy companies, where they browsed and accessed sensitive information. The attackers have been present in the networks since late 2009.”

So let’s talk about this a little bit…

Unsophistication

We like the stories about the uber-elite hackers that use diamond-tipped tools cut a hole in the firewall, glide into the network on a rappelling line, identify their targets and then steal them avoiding the fancy lasers and weight triggers. However, if your business doesn’t have those defenses, there’s no point in investing in all the impressive tools. Like as not, your business is less like The Louvre and more like Barometer World. Now don’t get me wrong, I think that barometers are pretty nifty, but let’s face facts. It doesn’t matter how many barometers you have in that room, you’re not going to protect it like the Mona Lisa.

(Note to marketing: I know that barometers aren’t timely. Sorry. Here’s some timely stuff in bold for you: #grammyforbieber, Mubarek resigns… we happy?)

Of course, this means that if someone wanted a barometer, they could probably just walk in and take one. Sadly, the same is true for your data. In a great many businesses, your data could just walk out the door and a lot of people wouldn’t care. I’ve heard comments ranging from “Who would want my data?” to “My data isn’t worth anything anyway.” as reasons to not invest in basic protection. However, the often-missed point is that it doesn’t matter how much you value your data. What matters is how much a competitor values it. If it costs very little to attempt to steal your stuff, people are going to try again and again. Eventually they’ll probably succeed.

In addition to the nifty-cool attacks we read about, there is a constant background of simple and unsophisticated attacks targeting your business. Once they get in, they’re a lot harder to get out, which brings us to…

2009

At the same time these attacks were occurring, the Billboard number one song was Whatcha Say by Jason Derülo. Twilight: New Moon was brand new and a groundbreaking paper on air pressure and landslides was released. (Sorry marketing, this timely stuff is hard, but at least barometers are still cool.) In the fifteen months following, the attackers have been digging through data, finding what they wanted and stealing the work of others. This has likely enabled them to win contracts by underbidding, develop competing technologies and steal customers.

Now combine this with that magic word unsophisticated and the fact that we’re not talking about the Louvre here. We don’t have a situation where a super-stealthy cat burglar snuck into a museum, stole an ancient and magical artifact, and slipped out under the eyes of watchful guards. Instead, we have a situation where someone like Jacques Clouseau clumsily stumbles into the barometer museum and lives there for a year, riffling through papers and taking barometers home every night. All without being noticed by anybody.

It’s ridiculous. For years, we’ve been giving people the same basic rules for security:

Keep your systems patched.
Give users minimal rights.
Run antimalware software.
Limit where your users can go.
Watch what goes on on your network.

In order for these attacks to succeed, there had to be multiple failures along many of these rules. Let’s take one last visit to the barometer museum and think about what these rules would look like if IT were not a factor:

Lock the doors when you’re closed.
Don’t give everyone the master key.
Hire a night watchman.
Lock the windows too.
Make sure the watchman is awake.

See, we’re not talking about building massive security infrastructure to protect your precious hoard of 17th century barometers. We’re talking about taking extremely basic precautions. It costs a lot less to invest in a few key technologies and make sure they’re working than it does to replace all your stuff, so just do that. After all, where do you want the bad guys to live — your business or that of your competitor?

(Marketing, here are some more words in bold for you: Night Dragon, Night Dragon!, Nihgt Dragoon (to catch the typo people) malware, evil, energy, security… we good?

Measuring Psychological Variables Of Control In Information Security

For much of the last year, I have been exploring an idea. As of a few weeks ago, I completed a paper based on my explorations. To put it very succinctly, I have long wondered why small businesses do not suffer more security breaches than they do. As a group, they tend to have sloppy operations practices and poor to nonexistent controls. While they are a smaller and less-tempting target, that alone doesn’t seem to explain the lack of problems. One thing that might explain this is the tendency for people at lower risk to compensate for that lower risk by taking larger personal risks. So I decided to study the variables of psychological control within an information security context. The conclusions were somewhat surprising… but that may be due to the limited sample set.

Anyway, if you are interested in Likert scales, psychology or academic analysis of information security, the paper is available here.

If you like, you can just jump down to pages 26-28 and get my conclusions.

I welcome your thoughts.

Not Another 2011 Security Predictions Post

Well, it’s that time of year again. I’m not talking about “vacation’s over and now we have to actually work” or the “let’s all resolve to exercise until Feb 1”. I’m talking about the annual tradition of making security predictions for the coming year. It seems that every year more companies use this time to look for problems in the upcoming year. Everyone says pretty much the same things: malware is going to get worse, mobile devices will be targeted, social media will be targeted, a big company that’s generally low on the radar will get hit big time, millions of dollars will be lost, cyberwar will knock us back to the stone age, and there’s a monster at the end of this post. (I may have made up the last two.)

It happens every year, and frankly, I’m tired of it. There’s little significantly different between 2011 and 2010, just like there was little different between 2010 and 2009, or any previous year. In fact, there are only two big trends that matter.

Big Trends

Defenders will try to defend the best they can with limited resources.
Attackers will try to attack the best they can with limited resources.

Of course, there are subtle effects as these trends play against one another. For example, if the defenders all invest in antimalware, the attackers will get better at writing malware. If the defenders all focus on monitoring their logs, the attackers will get better at hiding what they from the logs. It’s your classic arms race… with one exception. Every time the defenders put a defense in place, they lose resources and ever time an attacker wins, they gain resources. Sadly, this brings us to the two differences between 2010 and 2011.

Differences: 2010 and 2011

The defenders will have fewer resources.
The attackers have more resources.

See, every time an attacker successfully hits a business and steals half a million dollars, that’s half a million dollars that goes straight into attacking other businesses. As the successful attacks build upon one another, the attackers can build their infrastructure and fine tune their operation. Sadly, as time goes by, the defenders lose out. If they were successfully attacked, resources were either stolen directly or will be slowly leached away in terms of higher insurance premiums, lost customers and the like. If they were not successfully attacked, they often face the difficulty of explaining why they need still more resources when they have nothing to show for what they spent in the previous year.

So it appears as though the game is rigged. The attackers are going to win and the defenders are going to lose… right? Well, kinda. Fortunately, there is one single magic mitigating factor.

Magic Factor

No two organizations are identical.

This, right here, is what is going to help the defenders. See, if you have two people defending their business and one person invests in security and the other one doesn’t, the attacker is going to go after the one that didn’t. Burglars only rob a house with the security system if there’s either some pretty fancy stuff in that house or if all the other houses have security systems. Lions and wolves go after the sick and the old in the herd. There’s less risk and therefore a greater potential reward for doing so. As the old story goes, if you’re hiking in the woods with a friend and are attacked by a bear, you don’t have to outrun the bear… just your friend.

The same thing applies to business. You don’t need to invest in every single security technology. Your office doesn’t have to look like the lair of a Bond villain. You don’t need your computer to read your fingerprint, scan your retina and get a drop of blood to log in. You just have to invest a little bit more and a little bit smarter than the average.

… which brings me to my security predictions of 2011.

The majority of businesses will continue to under-invest in many aspects of their business, including security.
Of the businesses that do invest, many will do so reactively and without proper analysis, in effect throwing good money after bad.
A great many businesses will be breached… far more than we’d like, but by no means all of them.
Some attackers are going to get rich and retire. Others will get caught. Those still at it will learn from others and get smarter about attacks.
The handful of businesses that learn from one another and get smarter about defense will be in a much better position than those that do not.
Many businesses will continue to believe themselves secure because they purchased a firewall/antimalware/magic box. Security is not bought, it is created day to day, month to month and year to year through intelligent investment and operations.

In short, the strong and smart will survive, the weak and lazy will not. It’s the way of the world.

Of course, those don’t help you to decide what to do, as we’ve still not discussed what “average” is. What do you need to do to be one better than your competitors? While I clearly can’t speak for your business specifically, in general…

If you don’t have antimalware, get it and check it daily. – Malware is one of the prime tools in the attackers’ arsenals.
If you don’t have web filtering, get it, tune it and check it weekly. – A shocking number of attacks come in via the web.
If you don’t have antispam and email encryption, get it and check it monthly. – Email is right up there with web for attack vectors.
If you’re not patching your systems, start and do it (at least) weekly. – If you’re not fixing your problems, it’s just too easy.
If you’re not reviewing your logs, start or outsource it. – Most attacks show up in logs, but if you’re not looking you won’t see them.

There’s a lot more I could go into, like vulnerability assessments, security training, etc. However, if you’re not doing all five of these you’re behind the curve and are a prime target. Fix these first to buy the time to make the bigger changes.

Don't Poke the Bear

The world is abuzz today with the news of Gawker’s passwords being leaked. Rest assured, this will not be yet another “the sky is falling” post or yet another hasty analysis of what happened. If you want a good overview, please read Daniel Kennedy’s excellent post over on Forbes.com. If you want to know what it means to the security community, todb’s Metasploit post is good.

No, instead, the only specifics you need to know about this attack is that it hit Gawker, and Gawker owns sites like Lifehacker, Gizmodo and io9 and if you had an account there, you should change your password (details here). If you used that password in other places, you should change it there too. It looks as though Gawker was using poor security on their servers and in the way that they stored passwords. That’s all I’m going to say about the tech. Instead, I’m going to talk about hiking.

I like hiking. You get to be outside, you get to see beautiful scenery and enjoy the air. You get to interact with all sorts of wildlife. On my hikes, I’ve seen butterflies, frogs, rabbits, birds and even things like raccoons. I’ve known people who get far more into hiking than I do, and they report seeing even neater animals like rattlesnakes, wolves, cougars and bears.

Now, when one goes out hiking, one takes on a certain amount of risk. Usually, the risk is much lower than the risk one takes driving to the hiking trail, but I’m not going to get into safety statistics either. The point is that good hikers know to take certain precautions. For example, I’ve been hiking in rattlesnake country. There are lots of ways to deal with rattlesnakes. Here are some examples:

1) Hike where they don’t live.
2) Wear tough boots.
3) Make noise as you walk.
4) Bring a first aid kit with you in case you get bit.
5) Bring anti-venom with you in case you get bit.
6) Wear a full suit of armor.
7) Deploy a fully-automated hunter-killer drone ahead of you.

See, the fundamental problem here isn’t that rattlesnakes have mouthes full of nasty venom that can clot your blood, destroy your limbs or kill your brain. The problem isn’t even that they bite you in less than half a second. The problem is that most rattlesnakes don’t want to bite people, but sometimes people push them into it. After all, they have to wake up, do their little rattly thing, bite you, use up all their venom and then get away before you fall on them. It’s a royal hassle. Really, most rattle snakes just want to go about their day, lounge in the sun, eat a rat or two and sometimes get busy making brand new baby rattlers.

This is true with most of nature’s threats. Leave them alone, and they’ll leave you alone. Even the ones that are bigger, faster and meaner than rattlesnakes. Cougars would rather eat a deer than a person. Wolves want to run around together. Bears mostly just want to sleep. (Sleeping is awesome!)

So what’s the point here? The thing is, with hiking you can choose your location, however, when you’re on the Internet you cannot. On the Internet there’s just the one hiking “location”. You can look at different things on your hike, but it’s always in the same place… and in that place live all sorts of poisonous snakes, wolves and bears (and even nastier things). You can’t not hike there… and it’s crazy to go everywhere fully armed. It’s no fun to go hiking fully armored, and too expensive to get a ton of drones, much less adding armaments.

No, whether you’re hiking or using the Internet, there are two simple rules:

1) Take basic precautions.
2) Don’t be stupid.

For example, in the hiking world, you wear good boots and carry a walking stick. In the Internet world, you run a modern antimalware system and harden your servers. In the hiking world, you avoid walking on cliffs, don’t stick your hands into dark crevices and don’t poke any sleeping bears you may see. On the Internet, you avoid the nastier sites, keep your systems patched and don’t tick off people with more time and inclination to harm you than you have to defend against it.

Gawker found a sleeping bear. They poked it with a stick. They got mauled. End of story.

Lesson one of Internet security? Don’t poke the bear.

Collecting data for a research project

I am collecting data for a research project that touches on, among other things, the differences between security practices in small and large businesses. I would certainly appreciate it if you could fill out this form.

(If this form is cut off for you, please try it here)

Loading…

Security for Santa

Click image to embiggen.

Been away for a while

“Hey Josh, where’ve you been?”, I hear you all asking. Over the last several months, you might have noticed a suspicious absence of security folks from the wider blogging world. The reason for this is pretty much “Sorry, been busy”, which I know isn’t much of an excuse. So here’s the deal. Security is hard. Its always been technically complex, but recent events have combined to create something of a perfect storm. We like to divide the world into “good guys” and “bad guys”. In the past, it’s been a fairly even fight. However, with the global economic recession resulting in staff cuts, there are fewer good guys. Of course, with small budgets, there have been cuts on the technology side as well. At the same time, advances in malware technology have given the attackers some extremely impressive tools. These advances have been made possible due to unprecedented cooperation within multiple groups of organized crime.

So here we are, a reduced set of security practitioners trying to help businesses maximize security benefit for the dollar against a massive global network of highly skilled and highly paid criminals who are writing highly complex malware that goes far, far beyond your old school phishing attack with key logger. This post is going to focus on a specific type of financial attack. Odds are, if you’re reading this, you’re more interested in protection than the technical stuff, so we’ll break tradition and leap straight into that.

If you’re interested in hearing more about what this particular malware can do, there are technical links at the bottom of this post. For now, know that it’s a highly complex piece of financial malware which exists to steal money in any way it can. It runs on all versions of Windows and most common browsers. It’ll come in via email, web, PDF files, USB or any way that the attackers come up with. Small businesses and nonprofits are being targeted because they tend to have weak controls, but CEOs and CFOs are also being targeted as they tend to have to more to lose.

Protections:

Within the industry, we often talk of security tradeoffs. Basically, there are costs to reducing risk… and these often go beyond mere dollars. My ultimate goal as a security consultant is to help a business make the appropriate decisions and balance security expenditure against the possible benefits. The following advice is what I believe to be true for most businesses, but please keep in mind that your particular business may have different requirements. To keep things simple, here are five technical and five financial recommendations.

T1) Use a dedicated system for financial transactions. Yes, it’s expensive, but a lot less expensive than having your money stolen. If you use the same computer to transfer money that you use to play Mafia Wars on Facebook, you’re just asking for trouble. If you’re using a shared system that’s not locked down, you might as well just cut the attacker a check… it’d save time.

T2) Use a dedicated firewall. Put a firewall between the dedicated financial workstation and both the Internet and internal network. Set it to use NAT and allow no traffic to flow from the Internet to the workstation. Allow the workstation to connect to your bank and the Microsoft and Adobe updates sites. Depending on your financial processing software, you may need more sites allowed… but keep it as minimal as possible. Only allow connections that it needs. The firewall should be a physical device as malware often disables local firewalls.

T3) Keep the workstation hardened and updated. Make it useless for anything other than financial processing. Don’t install Office. If you need to view docs or spreadsheets, install the free viewers from Microsoft. If you don’t need to view PDFs, keep Adobe as far away as possible. Update as soon as the updates are available. Forget about testing the MS patches, the vulnerability window is already negative, delaying patching is just stupid. Build your business processes to have a manual failover in case a patch breaks your financial transfer workstation. That’s a much better use of time than testing patches on a one-off system.

T4) Take away admin rights. I know it’s a pain to figure out what privileges you actually need to run that one app that is used every January to do taxes, but it’s a less than the pain to recovering half a million dollars because someone had admin access and didn’t need it. If you can use Linux and Firefox, by all means, do so… it’s a lesser target. If you cannot, go with Windows 7. The UAC security controls in Windows 7 are excellent.

T5) Use a real antimalware program. The one that comes loaded on your workstation when you buy it from Dell/Best Buy isn’t going to cut it. Freebies aren’t going to cut it. Real programs cost real money. For specific recommendations, I like Sophos because of the enterprise control features. Being able to use device-based controls and lock down applications is very important here. If you really want to go light and accept the risks that come from reduced control, Kaspersky is a good second runner. In any case, if you detect malware running on your dedicated system, notify your financial institution immediately.

F1) Set your account to use dual controls. This means that one person in your organization has the ability to initiate payments but a second person must approve them. This makes the attackers’ job much more complicated, as they have to control two systems and synchronize data in order to steal money. If your financial institution does not offer this ability, we strongly recommend finding another institution.

F2) Some institutions allow you to create a list of companies and individuals who are authorized to receive payments (called Positive Pay or Whitelisting). This list should be created outside of the Internet banking system so that an attacker cannot simply add and authorize a new account. If you have this available to you, by all means use it! This can go a long way towards preventing your money from being transferred to money mules.

F3) Almost all institutions allow you to sign up for alerts. With these systems, you get emails (or, in some cases, text messages) whenever a transaction occurs. The faster you can respond to a suspicious transfer the more likely you will be to reverse it. Bank-to-bank transfers are nearly immediate and require the cooperation of the receiving bank to get the money back. The longer you wait the more likely that the money has moved on and more institutions will need to be involved, which makes recovery much less likely.

F4) Set limits wherever you can. Many systems allow you to limit the amount of money a particular person may transfer, the amount that may be transferred per day/week/month and the times at which transfers can occur. Of course, you run the risk of being prevented from transferring money when you really need to, but in most cases you can work around this with a phone call to your institution. The protections you get from limiting transfers are usually worth the occasional irritation when you have to work outside the norms.

F5) Utilize emerging technologies. Not all banks have these options, but if your bank can provide you with a two-factor authentication token, security software to facilitate secure transfers, out of band approval systems (phone, fax, text message, etc.) or analysis of payment patterns, take advantage of them. They’re usually free to inexpensive and will give you a much deeper level of financial protection than you would get otherwise.

F6) Bonus suggestion! Some accounts have overdraft protection in place. This sounds good if you are worried about occasionally spending more than you have. However, the flipside is that it could allow an attacker to steal more money than exists in the account. If you can get by without overdrafts, turn this protection off or, if you have to, at least set the protection level as low as you can.

In the end, a combination of technical and financial controls will go a long way towards protecting you, but implementing them will require you to change your business processes. If you’re a CEO, CFO or owner you’re lucky. If you’re not, you may need to set up a meeting with your C-level people. They need to understand that they are being targeted personally because of their role. They need to know that the online systems are being manipulated. The balance reported on an infected system will be altered to hide the malware’s activities. They also need to understand that there is no 100% solution. What I recommend here is a good start, but they could still have problems if the attacker is persistent.

Technical Links:

Zeus overview on Wikipedia
Recent arrests related to this malware
Zeus Tracker (This site is often attacked and may not be available.)
SecureWorks Threat Overview
Sophos Threat Overview
Zeus spreading to mobile phones

Firefox Profiles

I’ve been absent from this blog for a while. Other projects are occupying my time. I hope to return to regular blogging soon… but it may be a bit longer yet.

However, one of my projects involved getting a new laptop. Since getting a new laptop is a good excuse to redo things and do them better, I decided to take a closer look at my Firefox profile setup.

I play a lot of roles, ranging from security researcher to consultant. There are different Firefox configurations that I need for each, but it’s a pain to constantly log in to different user accounts. To make this process simpler, I decided to create four different Firefox profiles, each tuned to a specific set of tasks. What follows is a description of what I did under Linux. The same process should apply to other operating systems… but I’ve not testing them there. With one exception (noted) all add ons are from addons.mozilla.org.

Warning, geekery below this line.

I started with my basic add ons:

Adblock Plus to prevent those annoying ads (and ad-based malware infections)
Neo Diggler to give me a quick way to clear the location bar and give me the ability to add custom stuff
No Script to prevent scripts from running. I did a quick whitelisting of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc)
Web of Trust to give me a hint before I click on a link.
Tiny Menu to maximize screen real estate. (I love me the tiny laptops)
TorButton for quickly accessing The Onion Router (requires installing additional software to utilize)

Sadly, LongURL is not supported on the new Firefox yet.

I restarted Firefox to activate everything and configured the plugins the way I like. I also customized the Nav bar and moved everything up to the Menu bar that TinyMenu made nice and small. Then I used the View menu to turn off Navigation and Bookmarks.

Then I went into Preferences->Privacy and set Firefox to “Never remember history” and suggest “Nothing”. I also cleared my history that was created thus far. In Preferences->Security, I told it to never remember passwords, block reported attack sites, web forgeries and add ons. (By not remembering passwords, I render myself less vulnerable to risk from theft of my profile directories, but more vulnerable to keyloggers… it’s a good tradeoff to me.)

I then shutdown Firefox and went into ~/.mozilla/firefox. I did a cp -a of my profile directory to other names (this bit would be different on Windows):

cd ~/.mozilla/firefox

cp -a blahblah.default research

cp -a blahblah.default paranoid

cp -a blahblah.default webdev

Then I edited profiles.ini and copied the four top lines of [Profile0] to new blocks of Profiles 1 through 3. I edited the Name and Path to reflect each of my new profile directories (research, paranoid, webdev). I edited the Firefox launcher and appended “-ProfileManager –no-remote” to the “run command”. This way, when I click on the little icon, Firefox will prompt me for the profile I want each time I launch it, and it lets me run multiple profiles at once.

I then launched it and selected my “research” profile.

Here, I went back into Preferences->Privacy and told it to go ahead and remember history and make suggestions (as when I’m researching things, I often forget where I found things and what I searched on.) Then I installed the following add ons:

Add N Edit Cookies for cookie manipulations
HackBar for SQL injection fun
PassiveRecon for exactly what it sounds like
RefControl for mangling HTTP headers
DeeperWeb for those occasional rambling searches.

Then I added the following search engines to the dropbox:

Offensive Security Exploit Database
Security Focus Vulns Search
Security Wire Search

I’ll probably add more as I play with it. I’m still not used to using this feature to search the deep web. (Wonder if one could be written to access our corporate wiki?)

Then it was time to restart Firefox and activate, set preferences, yada yada yada.

After that, I restarted to access the “paranoid” profile. I went into Preferences->Security and turned on ALL warning messages. It’s annoying to use now, but that’s partly the point.

I set StartPage to my initial home page, using the “Generate Custom URL” feature on the site. Since I’m not storing any cookies at all, this is how it has to be done. I removed all search engines and added IxQuick HTTPS, Startpage HTTPS and Scroogle SSL. On the AddOn side, I added:

Force-TLS to force HTTPS connections (though it really doesn’t do all I’d like it to)
Certificate Patrol to track certificate details
Perspectives for a paranoid check against SSL certificate alteration. This one is linked to from the Mozilla add ons site, but not installable from there.

I then disabled the CNNIC SSL certficate (Preferences->Advanced->Encryption->View Certificates->Authorities, scroll to “CNNIC ROOT” click “Edit” and unselect “This certificate can also identify web sites”.) It’s a matter of debate as to whether or not this is necessary… but so long as it’s being debated, my paranoid side will be careful. (The other profiles don’t care. :)

Lastly, I installed the Orange Fox theme, which is ugly and garish, but since I wanted a visual reminder that I was in the paranoid profile, it was exactly what I wanted.

After another restart I entered the webdev side. The fun new add ons here were:

Firebug for tracing DOM and CSS issues, which I don’t do much anymore, but it’s still nice to have.
CodeBurner For Firebug to add reference to Firebug
FlashGot for massive download fun on archive.org
Greasemonkey for fixing stupid sites (and integrating with FlashGot to bypass trivial Javascript-implemented “security” checks)
Live HTTP Headers for watching traffic in real time, when I don’t want to launch a real proxy
Web Developer for the same reason as Firebug

From here, I am in a position to fire up the profiles as I need them, and am able to work on the web without worrying about my tools being available.