Tuesday, April 8, 2008

More Secure Web Browsing

Recently I had a conversation with my Dad about some things that can be done to be more secure whilst web browsing. I explained to him that a common attack vector is through the web browser and that a lot of the risks can be mitigated by using a different browser than Internet Explorer and by turning off scripting by default.

The purpose of this post is to give my Dad instruction on where to get and how to install the browser I recommend and which add-ons might help keep him more secure.

Before I begin, it would be useful to point out something which I think is as applicable here as it is within the realm of network monitoring. Prevention Always Fails. At some point you will get owned because your information or your computing resourse (think botnet) is worth something to somebody else. You can impliment as many safeguards as you want, but the fact is the Internet is a dangerous place and although these safeguards will raise the bar and might prevent many attacks being successful eventually something will fail, and when it does the next action you need to take is detection. Now, it's very difficult to know when your preventative methods have failed so my advice would be to assume they already have. By making this assumption I would then begin to use the detection tools, monitor bank statements, credit card statements and look at traffic leaving your network etc....

Anyway, now to getting the bar raised and becoming more secure online....


The Web Browser

Firstly I recommend using Firefox. Firefox is an open source browser that is fast and lightweight. Yes there have been vulnerabilities with Firefox but these have been patched quickly and Firefox updates itself automatically.

To download Firefox I recommend Googling "Mozilla Firefox" and downloading it directly from the Mozilla site. Once downloaded simply install using the default options.




The Add-ons

Once installed, you will want to install a couple of add-ons. Add-ons are little programs that add extra functionality to Firefox. They are simple to install and there are hundreds of them freely available. One word of warning through. As there are so many add-ons it is really easy to go over the top and install a whole load of them, and some add-ons may make your system less secure so just install what you need and maybe research them too.

The add-ons I recommend are:

  • NoScript
This turns off scripting by default and allows you to enable it selectively for trusted sites. Once a vulnerability is found with a computer an attacker will often try to exploit that by embedding code into a website to take advantage of that vulnerability and compromise your computer. Often the victim will be totally unaware that this has happened. As is most often the case everything that is done on the computer from that point on can be captured and silently sent back to the attacker. Think banking, think paypal, think amazon!!!

After installing NoScript all scripting will be off. This does break some pages and they will not display properly. If this is the case, right click the NoScript icon in the bottom right corner of your browser and select to temporarily allow scripting for the site you are on. The NoScript icon in the bottom of the screen changes depending on the settings you have selected. It's a good idea to enable and disable sites and make a mental note of how the icon has changed.

  • Customize Google
This script allows you to remove Google adds and force your browser to always use gmail over HTTPS. Check out the preferences in the add-on window or on the Tools menu.

  • Formfox
This add-on will give you information when you fill a form out about where that information is really going. By holding you cursor over a button before you submit a form it a pop-up window will tell you where it is going. Try it with a Google search!


To install new add-ons or enable / disable them once you are in Firefox, click on the tools menu and then select add-ons. From here you can select whether to enable or disable the add-on and adjust any settings for it or you can click the "Get Extensions" link to be taken to the site where you can download new add-ons. Once installed Firefox may prompt you to restart the browser.



You can also install Themes to change the look and feel of Firefox or install plugins if they are missing such as Flash, Adobe Acrobat Reader etc...

This blog post only touches on what Firefox can do. It is very extensible and feature packed. i don't know anyone who has gone back to Internet Explorer after using Firefox.

The one thing I will say is very few websites don't work well with Firefox, for example my bank doesn't. So I use I.E for that site only and do 99% of my browsing through Firefox with scripting off.

Hope this Helps.

Update:

01-05-08 - One last tip, but a really important one. As most browsers use tabs these days, it allows you to log into one site and then open a new tab and log into another. This is really bad practice as a site from one tab can run code to execute actions on the site on the other tab. So if you do banking or email remember to log out and close the tab before you do other stuff.

Links

2 comments:

SynJunkie said...
This comment has been removed by the author.
Mary Ellen said...

SynJunkie, thanks for your post to my blog, it brought me back to yours, which is fantastic. I thought you might like to know that I just added a CNN clip of HackerPrincess.blogspot.com
Best,
MennoniteLady