Security Sprint – Malvertising
- At February 17, 2010
- By Josh More
- In Sprint
We’re all busy people. A security sprint should take no more than two hours… which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
One of the easiest ways for an attacker to get malicious software to a target is to get it running on a popular site. Newspaper and TV sites are popular targets, and since they fund their operations with web-based advertising, that’s where attackers focus. If they manage to compromise an ad server, then they can get their malicious software right on the popular targets without actually having to compromise the targets themselves.
Sadly, this technique is all too effective against the undefended.
Happily for us, it’s easily defended against.
If you run Firefox, you’re in the best shape. There’s an add-on called Adblock Plus. Once you install it, you’ll be prompted to select a subscription from the list. (I just pick the top one.) This list matches most ads and keeps things up to date for you, so if the location of the ad changes, it’s still blocked. So, not only do you not see the annoying ads, but you’re also protected against the “malvertisers”.
I don’t have much direct experience with the non-Firefox browsers, but if you want to use something else, check out Ad Block IE for IE8, IE7Pro for IE7, this technique for combining AdBlock Plus Filters in IE, and PithHelmet for Safari.
I do have to point out that some developers have gotten clever, and code their applications to make sure that ads are loaded, so if you use this trick, expect things like Facebook games not to work. But then, you shouldn’t be playing them anyway.
Security Sprint – Firefox Profiles
- At February 03, 2010
- By Josh More
- In Sprint
We’re all busy people. A security sprint should take no more than two hours… which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
If you use Firefox as your primary browser, there’s a feature that you’re probably not taking proper advantage of. Firefox stores your personal data in a profile. This includes your bookmarks, passwords, cookies and add-ons. The advantage here is that you can tune your Firefox configuration to what you’re doing… and somewhat segment your data.
For example, I have my normal browsing profile, which includes a bare minimum number of add-ons: Adblock Plus, LongURL Mobile Expander, Web of Trust, BetterPrivacy, Cookie Safe and NoScript. Then, if I am conducting offensive security work, I use a profile that is loaded with some attack tools like SQL Inject Me and XSS Me. Similarly, when I’m doing web development or troubleshooting, I have a separate profile that loads Web Developer and Live HTTP Headers. This approach keeps my normal use fairly light and allows me to load the extensions that I need when I need them.
In theory, it also keeps my passwords and cookies a bit safer than usual. It’s not as secure as using a completely separate user account or even computer for doing dangerous activities, but it’s better than not doing anything at all.
To build your own profiles, go here and launch the Profile Manager. Then, when you start Firefox, you will get a dialog asking you which profile you wish to run. From there, it’s just a matter of picking which mode you wish to work in and selecting the appropriate profile before you start.
Security Sprint – Internet Passwords
- At January 27, 2010
- By Josh More
- In Sprint
We’re all busy people. A security sprint should take no more than two hours… which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
You’ve probably heard about some of the recent attacks against various websites. The problem here is that if one of the sites you use gets attacked AND they’re not encrypting your password AND you’re using the same password on other sites, then that one breach on one site can put all your other sites at risk. Of course, if you want to be on the Internet, you have to accept some risk… but it’s hard to accept the risk when you don’t know it’s there. So let’s figure it out.
1) Take twenty minutes and make a list of all of your Internet sites in a spreadsheet. Try to remember all of them, not just the common ones. There’s a list below to get you started:
2) Go to the login page of each site and click on the “forgot your password?” link. Yes, this will reset your password, but that’s the point.
3) Once the new password arrives in your email, look at it. Does it sound like something you’d pick for yourself? If so, there’s a good chance that they’re not encrypting their passwords properly. Create a “secure” column in your spreadsheet and mark them as “no”.
4) If the password arrives and looks random, then they reset your password for you… which probably means that they can’t access your password directly. This means that it’s probably encrypted in the database. Mark these as “yes” in the “secure” column.
5) There is a drawback to this plan, and that’s that all of your passwords will change. Most of the sites that you marked as secure will force you to change your password when you log back in. If they don’t, change their “yes” to “no”.
6) Now you have a list of all of your sites and know which ones are more trustworthy. The last step to this sprint is to reset your passwords to something more secure. There are lots of articles and tools out there, and I see no need to add to the pile. All I’ll say is that you should pick ones that you can remember and that aren’t the same for all sites. If you want to use really complex systems, look into password wallet software.
7) Once all your passwords are changed, and you have an idea of how risky your sites are, you can proceed with your Internet life in relative security.
Sites to consider:
- Email: Gmail, Yahoo Mail, Hotmail
- Social: MySpace, Facebook, Livejournal, Twitter
- Professional: LinkedIn, Plaxo, Namez, Zoominfo, Notchup
- Images: Flickr, Photobucket, Smugmug
- Documents: Scribd, Docstoc, Instructables, SlideShare
- Shopping: Amazon, Zappos
- Bookmarking: Delicious
- Video: YouTube, Vimeo
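The reason the “forgot your password?” test in steps 3 and 4 works is shown below with an added example that is not part of the original post: a site that keeps the password itself can mail it back to you, while a site that keeps only a salted hash cannot recover it and has to issue a random temporary one. The class and function names are hypothetical.

```python
# Added example (not from the original post): two hypothetical password stores
# behind a "forgot your password?" link, plus the spreadsheet heuristic.
import hashlib
import hmac
import os
import secrets


class PlaintextSite:
    """Stores the password as typed, so a reset can simply mail it back."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def forgot_password(self, user):
        return self.users[user]  # the site can read your password


class HashedSite:
    """Stores only a salted PBKDF2 hash; the original is unrecoverable."""

    def __init__(self):
        self.users = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def check(self, user, password):
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def forgot_password(self, user):
        # Cannot recover the old password, so replace it with a random one.
        temp = secrets.token_urlsafe(12)
        self.register(user, temp)  # old hash is gone; user changes this at login
        return temp


def classify_site(my_password, mailed_password):
    """Steps 3 and 4: if the mail contains the password you chose, the site
    could read it, so the 'secure' column gets 'no'; otherwise 'yes'."""
    return "no" if mailed_password == my_password else "yes"
```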