The recent news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.
This reconnaissance works because browsers display links to sites you’ve visited differently from ones you haven’t: by default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks whether your browser displays links to specific URLs as purple or blue.
These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise.
As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack. Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web site developers to query whether site visitors had previously visited up to 50 specific URLs.
Fortunately, most of the browser makers have responded. These sniffing attacks do not appear to work against the latest versions of Chrome and Safari. In Mozilla Firefox, these script attacks can be blocked quite easily with a script-blocking browser plugin such as the NoScript add-on.
Mozilla addressed this history-sniffing weakness in a bug report that persisted for eight years and was only recently corrected, but the changes won’t be rolled into Firefox until version 4 is released. As a result, current Firefox users still need to rely on script blocking to stop this.
So the safest browsers to guard you against history sniffing would be Chrome and Safari.
adapted via krebsonsecurity.com
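As an added illustration (my own code, not the study’s or the article’s), here is a small Node.js scan that looks in a page’s source for the sniffing pattern the article describes: a :visited rule that makes visited links look distinctive, script that reads a link’s computed style back, and a comparison against a colour literal. The indicator list, weights and threshold are my assumptions, and the two page samples are constructed.

```javascript
// Added example (not from the UCSD study or the article): a static,
// heuristic scan of page source for the history-sniffing pattern described
// above. Indicator list, weights and threshold are my own assumptions; real
// detection instruments the browser rather than grepping the page.

const INDICATORS = [
  // a :visited rule that makes visited links look different from unvisited ones
  { name: 'visited-style-rule', weight: 2,
    re: /:visited\s*\{[^}]*(?:color|background)[^}]*\}/gi },
  // script reading a link's rendered style back (how the purple/blue test is made)
  { name: 'computed-style-read', weight: 2,
    re: /getComputedStyle\s*\(|\.currentStyle\b/g },
  // script comparing a colour property against a literal colour value
  { name: 'color-compare', weight: 2,
    re: /\.(?:color|backgroundColor)\s*[!=]==?\s*["'](?:#[0-9a-f]{3,6}|rgb\(|purple|blue)/gi },
  // links manufactured from script rather than written into the page
  { name: 'script-generated-links', weight: 1,
    re: /createElement\s*\(\s*["']a["']\s*\)|\.href\s*=/g },
];

// Assumption: two strong indicators plus any third one make a page suspicious.
const SUSPICIOUS_SCORE = 5;

function scanForHistorySniffing(pageSource) {
  const indicators = {};
  let score = 0;
  for (const ind of INDICATORS) {
    const count = (pageSource.match(ind.re) || []).length; // global regex: all matches
    indicators[ind.name] = count;
    if (count > 0) score += ind.weight;
  }
  return { score, indicators, verdict: score >= SUSPICIOUS_SCORE ? 'suspicious' : 'clean' };
}

// Constructed samples. The first carries the pattern from the article: a
// distinctive :visited colour plus script that reads each probe link's
// computed colour back and compares it. The second is ordinary markup.
const SNIFFING_SAMPLE = `
<style>a:visited { color: #ff0000 }</style>
<script>
  var probes = ["http://site-a.example/", "http://site-b.example/"];
  for (var i = 0; i < probes.length; i++) {
    var a = document.createElement("a");
    a.href = probes[i];
    document.body.appendChild(a);
    if (getComputedStyle(a).color == "rgb(255, 0, 0)") visited.push(probes[i]);
  }
</script>`;

const BENIGN_SAMPLE = `
<style>a:visited { color: purple }</style>
<a id="home" href="/">Home</a>
<script>document.getElementById("home").href = "/index.html";</script>`;

console.log(scanForHistorySniffing(SNIFFING_SAMPLE));
console.log(scanForHistorySniffing(BENIGN_SAMPLE));
```

The scan is a heuristic: a page that legitimately styles visited links and reads computed styles for layout can score high, so a verdict of suspicious is a prompt to read the script, not proof.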
Cookies may sound like they have something to do with delicious baked goods, but on the Internet they are simply small text files that let a website store information about the user of the computer. These files are kept on the user’s computer, usually in the web browser’s folder.
When a website asks for its cookie, the browser looks in the folder set aside for storing cookies and opens the file belonging to that site, if one exists. If no cookie file exists, a new one is created.
Browsers also do routine housekeeping: a cookie carries an expiration date, and once that date is reached the browser automatically deletes the file from the computer.
Cookies provide an easy way to customize and maintain the look of webpages to a user’s needs, and they streamline the services sites provide. However, many people believe cookies may be a threat to personal security. While it is true that cookies hold a user’s information, they are not programs that can be run on the computer. They are therefore not viruses or other malicious programs that can read or erase information from a hard drive, and they will not cause pop-ups.
There are still drawbacks. Cookies can be intercepted as they are relayed between website and computer. Recently a cookie-interception tool called Firesheep appeared that allowed people to log on to other users’ Facebook and Twitter accounts.
While people still debate whether the benefits of cookies outweigh the threats that they may pose, in the long run, cookies make the Internet more convenient and dynamic.
adapted via thetartan.org
Security researchers warn that a new malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome.
Both Chrome and Firefox tap into Google’s Safe Browsing service in order to check if the accessed URLs are known attack sites.
If such malicious pages are detected, both browsers block them and display warning messages.
In such circumstances users are normally given the option to either leave the site or override the block and continue to load the page.
The pages look exactly the same as the real thing, except for a button that reads “Download Updates,” suggesting that security patches are available for the browsers.
The executable files served when these buttons are pressed install rogue antivirus programs, which try to scare users into paying a license fee.
Such attacks target vulnerabilities in outdated versions of popular software like Java, Flash Player, Adobe Reader or even the browsers themselves.
Successful exploitation results in malware being installed on the target computer in a way that is completely transparent to the victim.
Users are advised to keep their antivirus programs up to date and if possible to use script-blocking technologies available to their browsers, such as the NoScript extension for Firefox.
adapted via news.softpedia.com
The abundance of free/cheap and open Wi-Fi networks in restaurants, airports, offices and hotels is a great perk to the traveling user; it makes connectivity and remote access much easier than it used to be. But you need to be informed and understand the risks.
Unfortunately, because most of those “open” networks don’t use WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet transmitted back and forth is visible to every computer on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones whose URLs begin with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open.
Firesheep is a Firefox extension that makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you log in to a website (usually in a secure fashion, via HTTPS) and the site then redirects you to a non-secured page after login. Most sites that operate this way save your login information in a browser cookie, which can be ‘sniffed’ by someone on the same network segment; that’s what Firesheep does automatically. With the cookie in hand, it’s simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on e-commerce sites.
Use SSL/HTTPS (only possible if the website supports it). The idea is quite simple: after you connect, the site should keep your whole session secure using SSL/HTTPS. Some sites, including most banking sites, already do this. However, encryption requires more overhead and more server muscle, so many sites (Facebook, Twitter, etc.) only use it for the actual login. Gmail has an option to require HTTPS and has made it the default setting, but you should make sure that it’s enabled if you use Gmail (Google Apps has a similar feature). This also doesn’t necessarily help if you’re using an embedded browser in an iPhone or iPad app, where the URL is hard-coded.
Protecting yourself from Firesheep if you use Firefox or Chrome is possible with extensions like the EFF’s HTTPS Everywhere, Secure Sites or Force-TLS. These work by forcing a redirect to the secure version of a site, if it exists. The obvious problems with these solutions are: a) you have to install one for each browser (and we have not yet found one for Safari), and b) it only works if a secure version of the site exists.
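To show how a redirect-forcing extension of the kind named above decides what to do with a URL, here is an added example in Node.js (my own model, not code from HTTPS Everywhere, Secure Sites or Force-TLS). The ruleset format (target hosts, exclusions, rewrite patterns) and the hostnames are assumptions of mine; the point it makes is that a rewrite happens only when a rule for that site exists, which is exactly the limitation the paragraph ends on.

```javascript
// Added example, not code from HTTPS Everywhere, Secure Sites or Force-TLS:
// a model of the redirect-forcing logic those extensions apply. A rule only
// exists for a site known to have an HTTPS version, which is why the approach
// cannot help with a site that has none. Hostnames and rules are constructed.

const RULES = [
  {
    name: 'Example (whole site is served over HTTPS)',
    targets: ['example.com', '*.example.com'],
    // legacy host that still has no HTTPS: leave its URLs alone
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rewrites: [{ from: /^http:/, to: 'https:' }],
  },
  {
    name: 'Example Shop (HTTPS lives on a different hostname)',
    targets: ['shop.example.net'],
    exclusions: [],
    rewrites: [{ from: /^http:\/\/shop\.example\.net\//, to: 'https://secure.example.net/' }],
  },
];

// '*.example.com' matches any subdomain but not the bare apex
function hostMatches(hostname, pattern) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === pattern;
}

// Returns the URL the request should go to and why that decision was made.
function forceHttps(urlString, rules = RULES) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') {
    return { url: urlString, rule: null, reason: 'already secure or not http' };
  }
  for (const rule of rules) {
    if (!rule.targets.some(t => hostMatches(url.hostname, t))) continue;
    if (rule.exclusions.some(re => re.test(urlString))) {
      return { url: urlString, rule: rule.name, reason: 'excluded' };
    }
    const rewrite = rule.rewrites.find(rw => rw.from.test(urlString));
    if (rewrite) {
      return { url: urlString.replace(rewrite.from, rewrite.to), rule: rule.name, reason: 'rewritten' };
    }
  }
  // no rule: the extension has no evidence that an HTTPS version exists
  return { url: urlString, rule: null, reason: 'no rule for this site' };
}

for (const u of ['http://www.example.com/login', 'http://legacy.example.com/app',
                 'http://shop.example.net/cart?id=7', 'http://news.example.org/']) {
  console.log(forceHttps(u));
}
```

Because the decision is made per browser request, each browser needs its own copy of the rules and the extension that applies them, which is the first drawback the paragraph lists.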
A) Don’t use open networks.
B) Use a SOCKS proxy and SSH tunnel.
C) Use a VPN.
adapted via tuaw.com
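Both the cookie explanation earlier on this page and the Firesheep description above come down to one browser decision: which stored cookies get attached to a request. The following added example (my own model in Node.js, not any browser’s code) parses Set-Cookie headers, purges expired cookies as the cookie section describes, and then shows that a session cookie set without the Secure attribute goes out in clear on the first http page after login, while a Secure cookie is withheld. Hostnames and cookie values are constructed.

```javascript
// Added example (my own model, not any browser's cookie code) of what the
// cookie store does: parse Set-Cookie, drop cookies past their expiry, and
// pick the cookies that accompany a request. The last step is where the
// Firesheep problem shows: a session cookie set without the Secure attribute
// travels with any plain http request, so it is visible on an open network.

function parseSetCookie(header, receivedAt) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
    domain: null, path: '/', secure: false, httpOnly: false, expires: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'max-age') cookie.expires = receivedAt + Number(val) * 1000; // Max-Age wins over Expires
    else if (key === 'expires' && cookie.expires === null && !Number.isNaN(Date.parse(val))) {
      cookie.expires = Date.parse(val);
    }
  }
  return cookie; // expires === null means a session cookie
}

// No Domain attribute: only the exact host that set the cookie gets it back.
function domainMatches(host, cookie) {
  if (cookie.domain === null) return host === cookie.host;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; }

  store(header, fromUrl, now = Date.now()) {
    const cookie = parseSetCookie(header, now);
    cookie.host = new URL(fromUrl).hostname;
    // a new cookie with the same name, host, domain and path replaces the old one
    this.cookies = this.cookies.filter(c => !(c.name === cookie.name && c.host === cookie.host
      && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
  }

  // the housekeeping the cookie section describes: expired files are deleted
  purgeExpired(now = Date.now()) {
    this.cookies = this.cookies.filter(c => c.expires === null || c.expires > now);
  }

  // the cookies that would go on the wire for this request
  cookiesFor(urlString, now = Date.now()) {
    this.purgeExpired(now);
    const url = new URL(urlString);
    return this.cookies
      .filter(c => domainMatches(url.hostname, c))
      .filter(c => pathMatches(url.pathname, c.path))
      .filter(c => !c.secure || url.protocol === 'https:') // Secure cookies never go over plain http
      .map(c => `${c.name}=${c.value}`);
  }
}

// Demo: two constructed sites, both logging the user in over https.
const jar = new CookieJar();
const loginTime = Date.parse('2010-11-01T12:00:00Z');
jar.store('sid=s3ss10n; Path=/; HttpOnly', 'https://social.example/login', loginTime);   // no Secure
jar.store('sid=b4nk; Path=/; Secure; HttpOnly', 'https://bank.example/login', loginTime); // Secure
jar.store('promo=1; Max-Age=60', 'https://social.example/login', loginTime);            // expires in 60 s

console.log(jar.cookiesFor('http://social.example/home', loginTime + 1000));  // sid goes out in clear
console.log(jar.cookiesFor('http://bank.example/home', loginTime + 1000));    // empty: withheld over http
console.log(jar.cookiesFor('https://bank.example/home', loginTime + 1000));   // sid over https only
console.log(jar.cookiesFor('http://social.example/home', loginTime + 61000)); // promo has expired
```

The social site’s session cookie is what a tool like Firesheep captures on the redirect to the http page; the bank’s is never exposed because the browser refuses to send a Secure cookie over a plain connection, which is also why forcing https for the whole session (the advice above) closes the gap.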
Many people tend to trust well known companies such as Google and Yahoo, but sometimes these search companies serve up some troubling links in their search results. There are many people who use these search sites to find out information about how to remove viruses, etc., but if a user types in “Security Tool Removal,” they are served up dangerous links that go to malicious websites. These websites can create even more of a security risk without the user even knowing.
All links in the SERP (Search Engine Results Page) that are marked red indicate that these sites are dangerous. The red indicator is from the WOT (Web of Trust) Firefox and Internet Explorer add-on. The WOT add-on shows you which websites you can trust for safe surfing, shopping and searching on the web.
When searching “Security Tool Removal” look at how many dangerous websites are marked red. The chances of someone clicking on one of those dangerous links are pretty good.
I encourage and recommend that you download the WOT add-on for Firefox and/or Internet Explorer so that you know which links are marked dangerous, preventing you from clicking on links that go to malicious websites.
Pop ups and other intrusive types of advertising are now used to thrust an ad in your face that you have no choice but to at least acknowledge. Regardless of the nature of the ad, pop ups are a nuisance, and there are now many options available for keeping them off your computer screen altogether.
1. Internet Explorer 8 (Windows Users)
The pop up blocker is integrated into the browser and can be customized from the “Tools” tab at the top of the program. Like many pop up blocker applications, it lets you set personal preferences to allow or block pop ups from certain sites, and to customize how you are alerted when a pop up has been blocked.
2. Other Web Browsers (Windows, Linux, and Mac users)
There are other web browsers available, and many included a pop up blocker long before Microsoft decided to include one with Internet Explorer. Mozilla Firefox has included a pop up blocker since it was officially released on November 9th. Also check out Google Chrome and Apple Safari.
3. Browser Tool Bars
Many toolbars offer unique features intended to enhance the user’s web browsing experience in different ways, but they generally also include a pop up blocker. Although there are toolbars available from dozens of websites, Google and Yahoo are the two best available. Installation of these toolbars is quick and easy; the hardest part may be reading the fine print in the license agreements. Although these toolbars may do an excellent job of blocking pop ups, they may also be collecting data on your web surfing and search habits. If you feel a toolbar may be the right solution for you, stick with one from a trusted name, and be sure to read the fine print. By the way, we prefer the Google Toolbar.
4. Pop Up Blocker Software
Stand-alone pop up blocking software is available from hundreds of different sources, with various interfaces and prices ranging from free to $30 (and higher). The main drawback of this type of solution is that you now have another independent application running on your computer. Although they are generally not resource intensive, why run a program to do something that can be handled by one that is already running anyway? Additionally, with so many reliable free solutions available to eliminate pop ups, spending money on one is hard to justify. We suggest you pick from options 1, 2, or 3 above.
Pop ups are a fact of life on the internet, but that does not mean you need to put up with them. Among the general solutions presented above, there are literally hundreds of options available for eliminating the clutter of pop up ads, allowing you to enjoy only the content you intended to see.
Mozilla pushed Firefox 3.5.3 to servers this afternoon, fixing several security and stability issues. There’s nothing terribly exciting in this release, but it’s always good to make sure you’re using the most stable and secure release, so go to Help -> Check for Updates to upgrade to 3.5.3.
FaceCloak, implemented as a plug-in for Mozilla’s Firefox browser, allows a user to designate (using two “at” signs, “@@”, by default) what information should be encrypted and made available only to friends. A FaceCloak user holds a secret access key but also sends two other keys to her friends. Those keys are then used to access the real information, which is held on a separate server. While the same concept could be used on other social networks, such as Twitter and MySpace, Hengartner and his colleagues focused on the largest provider.