Tuesday, October 18, 2011

Browser Add-ons Part 4: Certificate Patrol

When you bank or shop online it is critical that the connection between your computer and the server providing the service is secure, since you are passing sensitive information over the Internet, where unencrypted traffic is open to sniffers, eavesdroppers, and man-in-the-middle attacks. There are a few things you can do to confirm the security of your connection. Certificate Patrol is a great browser add-on that aids in this process. But, before I talk about what it does, let me explain a little bit about secure connections and what role certificates play.

A secure site uses what is known as Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS); most people still just say SSL. SSL encrypts the data between your browser and the server, so anyone watching the traffic in between sees only ciphertext. Sites using SSL are recognizable in several ways. Where to look may vary slightly by browser and browser version, but the most obvious sign is https:// in the address bar. The padlock in the address bar, or in the status bar at the bottom of the browser window, is another indicator. The most recent visual cue is the green address bar, or green text in the address bar, which indicates that the site is using an Extended Validation (EV) SSL certificate. To get an EV certificate the site owner has to pass a more thorough identity check by the CA, under rules the CAs and the browser makers worked out together, so it is harder for a scammer to obtain a certificate that displays a real company's name. EV does not make the encryption itself any stronger, though, and it cannot help you on a page that never used HTTPS in the first place.

Businesses legitimize themselves by presenting site certificates from a validating source. Site certificates, also known as SSL certificates, are issued by a number of Certificate Authorities (CAs). The role of a CA is similar to that of a Notary Public: instead of vouching for you as a witness to a document signing, the CA vouches that the certificate really belongs to the entity named in it, after checking that the applicant controls the domain (and, for higher validation levels, that the organization exists). Web browsers accept these certificates by default because each browser ships with a list of CAs it trusts.

To further complicate verification, the certificate a site presents is rarely a single, stand-alone document. The browser ships with a set of self-signed CA certificates, the Root Certificates, that it trusts unconditionally. A CA usually does not sign site certificates with its root directly; it signs one or more subordinate (intermediate) CA certificates with the root, and those in turn sign the site's certificate. The site certificate, the intermediates, and the root together form the "chain of trust", and the browser trusts the site certificate because each link was signed by the one above it, back to a root it already knows. Any intermediate that chains to a trusted root is trusted automatically, which is also why a single careless or compromised CA can affect every site on the web.

In a perfect world, simply accepting a site certificate is all anyone would need to ensure a secure connection. But anyone can create a certificate (there are legitimate reasons to do so, such as a self-signed certificate for a test server), and a certificate the browser accepts without complaint is only as trustworthy as the CA that issued it. A fake website, complete with a padlock and a certificate the browser accepts, is possible if an attacker obtains a certificate for that name from any CA the browser trusts, so verification takes a bit more than watching for the padlock. To protect ourselves we have to be vigilant in checking site certificates; with the help of Certificate Patrol the job of verifying site certificates just got a little easier.

Certificate Patrol is a Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/) whose main purpose is to alert you when a certificate changes. The first time you navigate to a secure site, Certificate Patrol shows a box below the browser's address bar telling you that a new certificate is pending and asks whether you want to accept or reject it. You can view the details of the certificate before making your decision. Once accepted, the certificate is stored, and on later visits the add-on compares what the site presents with what it stored. The change worth a second look is a certificate that arrives long before the old one was due to expire, or that comes from a different CA than before; a renewal from the same CA shortly before expiry is normal.

When viewing a certificate look for three main things: 1. Confirm that the name in the certificate matches the site you typed, and that the organization listed is the one you expected to have the certificate; 2. Confirm that the certificate was issued by a CA you recognize; 3. Look at the validity period. Most certificates are issued for one or two years, and a certificate that is already expired, or not yet valid, should never be accepted.

Certificate Patrol also keeps track of subordinate (intermediate) certificates as well as alerting you to changes in previously accepted certificates. Several options let you tune its behavior for pop-up windows and notifications, and you can decide whether certificates seen during private browsing should be stored.
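The logic described above, as an added example in Python rather than code from the Certificate Patrol add-on itself: pin the fingerprint of the first certificate a host presents, then classify each later one as unchanged, a plausible renewal, or a change a human should look at. The certificates are plain dicts constructed for the example (the standard library cannot parse real X.509), the 30-day renewal window is an assumption, and the fields are the ones the browser's certificate viewer shows.

```python
"""Added example: the core of what Certificate Patrol does, in Python.

Pin the SHA-256 fingerprint of the first certificate a host presents, then
classify every later certificate as unchanged, a plausible renewal, or a
change that deserves a human look. Certificates are plain dicts constructed
for this example (the standard library cannot parse real X.509); the fields
are the ones Firefox shows in the certificate viewer.
"""
import hashlib
from datetime import date, timedelta

# Assumption: a legitimate renewal happens within this many days of expiry.
RENEWAL_WINDOW = timedelta(days=30)


def make_cert(subject, issuer, serial, not_before, not_after):
    """Constructed stand-in for a certificate. The 'der' bytes only need to be
    stable and unique per certificate so the fingerprint behaves like the real
    one; real DER would come from the TLS handshake."""
    der = f"{subject}|{issuer}|{serial}|{not_before}|{not_after}".encode()
    return {"der": der, "subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after}


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding: the fingerprint the browser displays."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_cert(store, host, cert, today):
    """Compare the certificate a host just presented with the pinned one.

    store maps host -> {"fingerprint", "issuer", "not_after"} and is updated
    only for a first sighting or a plausible renewal; a suspicious change
    leaves the old pin in place until a human decides, as the add-on does.
    """
    if cert["subject"] != host:
        return "wrong-host"          # the padlock means nothing if the name is wrong
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "not-valid-now"       # expired or not yet valid: never accept

    new_fp = fingerprint(cert["der"])
    record = {"fingerprint": new_fp, "issuer": cert["issuer"],
              "not_after": cert["not_after"]}
    seen = store.get(host)

    if seen is None:
        store[host] = record
        return "new"                 # Certificate Patrol's 'pending' prompt
    if seen["fingerprint"] == new_fp:
        return "unchanged"

    # The fingerprint changed. A benign renewal keeps the same issuer and
    # arrives shortly before the old certificate expires. A new issuer, or a
    # swap long before expiry, is exactly what a man in the middle looks like.
    same_issuer = seen["issuer"] == cert["issuer"]
    near_expiry = seen["not_after"] - today <= RENEWAL_WINDOW
    if same_issuer and near_expiry:
        store[host] = record
        return "renewed"
    return "suspicious"


if __name__ == "__main__":
    store = {}
    host = "www.example.com"
    first = make_cert(host, "Example CA", 1, date(2011, 1, 1), date(2012, 1, 1))
    swapped = make_cert(host, "Other CA", 2, date(2011, 10, 1), date(2012, 10, 1))
    print(check_cert(store, host, first, date(2011, 10, 18)))    # new
    print(check_cert(store, host, first, date(2011, 10, 18)))    # unchanged
    print(check_cert(store, host, swapped, date(2011, 10, 18)))  # suspicious
```

The interesting branch is the last one: a certificate from a different CA, or one that appears months before the pinned certificate expires, is not written over the pin. That is the case the add-on's prompt exists for, and the one a user should read carefully rather than click through.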

Thursday, September 1, 2011

Browser Add-ons Part 3: Better Privacy

A lot of data accumulates on our computers just from browsing the Internet. Most of it exists to speed up loading of revisited pages by using the local copy instead of fetching everything again off the Internet, though not all of it serves that purpose. Browsers locally store browsing history, download history, form and search history, cookies, active logins, cache, saved passwords, website preferences, and offline website data. In the days of slower Internet connections, such as dial-up, this was a big help. These days, with nearly everyone using high-speed Internet, I question whether most of this locally stored information is even necessary anymore, or a good idea. While there are both security and privacy issues with this model, I will focus on privacy in this post.

I've mentioned in past blog posts that scripts run in the background, and it's those scripts that push the advertising at us. If you have ever wondered how those advertisements seem to know your interests, it's because a tracking script embedded in many different sites sets its own cookie the first time you meet it and reads that cookie back on every other site that embeds the same script, building a profile of where you go. There is more to it than just pushing ads. Some companies are also collecting our personal information for business purposes. There is nothing evil in this for the most part, but we aren't being asked if it is OK for them to collect this information. Doing it without our knowledge is what makes it a bit creepy. I don't let strangers into the house to rummage through my cabinets on a fact-finding mission just so they can push more products my way, and yet this is what is essentially happening in our browsing sessions. These cookies are set and used to track us without our consent, which is what makes them so unwelcome.

Like Ghostery, Better Privacy is a privacy add-on for Firefox, but its job is narrower: it manages persistent LSOs (Local Shared Objects), better known as Flash cookies, which are often lumped together with "super cookies" and "evercookies". LSOs survive cookie clearing because the Flash plug-in stores them in its own folder, outside the place where the browser keeps its cookies, so the browser's "clear cookies" button never touches them. An evercookie goes a step further and uses the LSO (among other hiding places) to recreate an ordinary cookie after you delete it, which is why these cookies seem to come back from the dead. These kinds of cookies are becoming more prevalent, so being able to manage them is increasingly important.

I like Better Privacy because it offers fine-grained control over which LSOs we might want to keep, and which we don't. Yeah, there actually might be a reason to keep a few of these around. For example, some gaming websites might use an LSO to store scores, or level of play. Nuking that from the computer may reset play to the beginning level or kill off the high score.
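What that per-domain control amounts to, as an added example in Python (not code from the Better Privacy add-on): walk the Flash shared-objects folder, list each LSO by the domain that owns it, and delete everything except an allow list. The directory layout (#SharedObjects/random id/domain/.../name.sol) and the OS-specific parent folders named in the docstring are assumptions from how the Flash plug-in lays out its storage; the sample tree is constructed in a temporary directory so nothing real is touched unless you point purge_lsos at your own folder.

```python
"""Added example: per-domain control over Flash LSOs, the way Better Privacy
offers it, using only the standard library.

Assumed on-disk layout (the Flash plug-in's; the parent folder differs by OS,
e.g. ~/Library/Preferences/Macromedia/Flash Player on a Mac or
%APPDATA%\\Macromedia\\Flash Player on Windows):

    #SharedObjects/<random id>/<domain>/<any path>/<name>.sol

The sample tree below is constructed in a temporary directory; no real Flash
data is touched unless you point purge_lsos at your own folder.
"""
import tempfile
from pathlib import Path


def find_lsos(shared_objects_dir):
    """Yield (domain, path) for every .sol file under a #SharedObjects folder."""
    root = Path(shared_objects_dir)
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts  # (random id, domain, ..., name.sol)
        if len(parts) < 3:
            continue                          # unexpected layout: leave it alone
        yield parts[1], sol


def purge_lsos(shared_objects_dir, keep_domains):
    """Delete every LSO whose domain is not allow-listed.

    Returns (deleted_domains, kept_domains), both sorted. This mirrors the
    add-on's 'keep this one, nuke the rest' behaviour: a game's high-score
    LSO can stay while the trackers' LSOs go.
    """
    deleted, kept = [], []
    for domain, sol in list(find_lsos(shared_objects_dir)):
        if domain in keep_domains:
            kept.append(domain)
        else:
            sol.unlink()
            deleted.append(domain)
    return sorted(deleted), sorted(kept)


def build_sample_tree():
    """Constructed sample #SharedObjects folder in a temp dir; not real data."""
    root = Path(tempfile.mkdtemp()) / "#SharedObjects"
    samples = [("game.example", "highscore.sol"),
               ("tracker.example", "uid.sol"),
               ("ads.example", "profile.sol")]
    for domain, name in samples:
        folder = root / "ABC12345" / domain / "flash"
        folder.mkdir(parents=True, exist_ok=True)
        (folder / name).write_bytes(b"\x00\xbf")  # placeholder, not a real .sol
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", sorted(d for d, _ in find_lsos(root)))
    deleted, kept = purge_lsos(root, keep_domains={"game.example"})
    print("deleted:", deleted, "kept:", kept)
    print("after:", sorted(d for d, _ in find_lsos(root)))
```

Files that do not match the expected depth are skipped rather than deleted, so a folder in an unexpected layout is left for you to look at instead of being wiped by a script that misunderstood it.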

The latest versions of Internet Explorer, Firefox, Chrome, and Safari offer a couple of ways to control what is locally stored on our computers. One way is to use Private Browsing, and the other is to clear all browsing data when the browser is closed. Starting with Adobe Flash Player 10.1, Flash Player honors the browser's private browsing mode, which means Flash cookies set during a private session are discarded along with the browser's own. This is a big step for Adobe because Flash cookies are the most prevalent type of super cookie. So, if your browser has been nagging you to update Flash Player, now is a good time to do it.

Thursday, July 28, 2011

Browser Add-ons Part 2: Ghostery

Maybe most of us have become numb to the amount of advertising we are bombarded with on a daily basis. I'd like to think I am very aware of it, and of how it tries to lure me into its trap. Advertising is everywhere, and in a consumer society it is not going to go away. Nearly every website that is business driven is pushing advertisements at us. All of it, seen and unseen, is driven by a variety of web elements.

In last week's post I mentioned that scripts run in the background where you can't really see them, and that you can block them using NoScript. The Ghostery add-on will at least divulge who owns those scripts. Ghostery scans each page for scripts, tracking pixels, and other page elements, then tells you which companies have code present in the page you are currently visiting, and you can customize how you want it to work for you.
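What that scan amounts to, as an added example in Python (not Ghostery's own code): parse a page, collect every script, image, iframe and stylesheet URL, and report which third-party companies they load from, flagging 1x1 images as tracking pixels. The HTML is constructed for the example and the host names in it are placeholders, not real trackers; grouping hosts by their last two labels is a simplification, since there is no public suffix list here.

```python
"""Added example: what Ghostery's page scan amounts to, in Python.

Parse a page, collect every script, image, iframe and stylesheet URL, and
report the third-party companies behind them. The HTML is constructed for
this example; the host names in it are placeholders, not real trackers.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that load code from, or make a request to, another server.
WATCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ElementCollector(HTMLParser):
    """Collects (kind, url) for every watched element, tagging 1x1 images
    as tracking pixels."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_name = WATCHED.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if not url:
            return
        kind = tag
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            kind = "pixel"                      # a 1x1 image exists only to be requested
        self.found.append((kind, url))


def company(host):
    """Group hosts by their last two labels (assumption: no public suffix
    list, so 'co.uk'-style domains would be grouped too coarsely)."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_elements(page_url, html):
    """Return {company: [kinds]} for every element served from a domain other
    than the page's own. Relative URLs have no host and count as first-party."""
    page_company = company(urlparse(page_url).hostname)
    parser = ElementCollector()
    parser.feed(html)
    report = {}
    for kind, url in parser.found:
        host = urlparse(url).hostname
        if host is None or company(host) == page_company:
            continue
        report.setdefault(company(host), []).append(kind)
    return report


# Constructed sample page: a first-party script and stylesheet, one analytics
# script, one tracking pixel and one ad iframe. Not a real site.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.analytics-co.example/track.js"></script>
<link rel="stylesheet" href="https://static.shop.example/site.css">
</head><body>
<img src="https://pixel.adnet.example/p.gif" width="1" height="1">
<iframe src="//ads.adnet.example/frame"></iframe>
<img src="/img/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    report = third_party_elements("https://shop.example/checkout", SAMPLE_HTML)
    for comp, kinds in report.items():
        print(f"{comp}: {', '.join(kinds)}")
```

Note what the scan cannot see: anything a script adds to the page after it runs, which is one reason Ghostery needs to watch the live page rather than the HTML source, and why (as discussed below) it reports nothing about scripts NoScript never let run.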

One of its great attributes is that it is available for Firefox, Chrome, Safari, Opera, and Internet Explorer, which means you can use it with any of the most popular web browsers. Ghostery installs a menu item in your browser from which you can change settings, view the block log, and update the list of bugs (also known as page tags), which makes it user friendly.

When you first install Ghostery you are given the option to run a wizard to help you configure it. It's a nice tool that helps you get started. Here is a quick look at the options the wizard guides you through...

  1. Run Wizard to customize your options.
  2. Ghost Rank (optional): sends Ghostery the page elements found, how many times each element was seen, the domains on which they were seen, the ads and their associated companies, the browser you are using, and the Ghostery version. By participating in Ghost Rank you help improve Ghostery, because it collects what was found on the sites you visited. If you choose to participate you are opting in, which seems rare these days when most things require you to opt out.
  3. You can enable an alert bubble which notifies you of companies with page elements on the page you are currently visiting. It's eye opening to see how many companies have elements running in a given page.
  4. You can enable the library to auto update or update manually to get the latest list of companies that operate trackers, ad servers, analytics services, page widgets and other page elements.
  5. You can also enable blocking, which lets you pick a list of trackers and cookies to block. Basically, block it if you don't want it tracking you.

After you install Ghostery I recommend you manually update the bugs list to be sure you have the latest available. I updated the bugs list after I installed Ghostery, and it added another 20 or so items.

So, what happens if NoScript is blocking all scripts on a page while Ghostery is running too? Ghostery won't report what NoScript blocked, because those scripts never ran. Ghostery sees what is loaded, not what isn't.

Where NoScript helps prevent dangerous scripts from running, tracking scripts included, the goal of Ghostery is to promote more transparency about who is watching. Ghostery can also block elements other than scripts, so together with NoScript you have even more control over your browsing.

Wednesday, July 20, 2011

Browser Add-ons Part 1: NoScript

I plan to devote several posts to some really great browser add-ons, also known as extensions. Sadly, I can't claim that I wrote them, but I can share them so that is what I intend to do.

Before I dive into it, a brief explanation of what a browser add-on is and does may be in order. A browser add-on gives your browser functionality it doesn't have built in, or natively as the techies say. There are a lot of add-ons available that can do great things, but be aware that there are plenty that could do more harm than good. I couldn't begin to tell you which ones aren't safe, so instead I will focus on some that I trust, and find valuable from a security standpoint.

Websites are far more complicated than ever before. Many incorporate JavaScript and Flash content, such as those annoying moving ads. You know the ads, "Try this one weird tip..." Long gone are the days of text-only websites. The danger with these script-heavy sites is that the same machinery that runs the site's own code will run an attacker's code too: in a Cross-Site Scripting (XSS) attack, malicious script is injected into a page you trust, and your browser runs it with that site's privileges, which can mean stolen session cookies or actions taken in your name. To protect yourself against these attacks you can use an extension called NoScript.

NoScript is a powerful Firefox add-on that, by default, stops all embedded scripts from running. Why is it a good idea to block all scripts by default? Well, we can't see the scripts executing on the sites we visit, so we are blind to what they are doing. In the early days of the web, malware was frequently in your face, and made a point of letting you know it was there. These days it tends to be far stealthier and more vicious. The benefit of the NoScript add-on is that it lets you control which scripts run on a web page. Having fine-grained control over what loads on a website lets you decide how much risk you want to take.

A good way to get familiar with NoScript is to try it on a website you trust and see what it does. You'll notice, on a script-heavy page, that much of the site won't load. When you left-click the NoScript icon in the bottom corner of the status bar, a popup menu appears that lets you decide what you want to allow, and whether or not those permissions will be permanently trusted. On sites I am not too familiar with I will enable a script to see if it makes the page more usable; if not, I disable it immediately. I do this with each script that NoScript has disabled until I can use the features of the site I want.

Internet Explorer 8 and higher has a similar tool built in, the XSS Filter; however, it lacks the fine-grained control that NoScript offers, its functionality is rather limited, and by Microsoft's own admission when they rolled it out with IE8 it "is not an XSS panacea".

For Safari there is an extension by a third-party developer called JavaScript Blacklist that blocks all JavaScript from blacklisted domains. By default it blocks certain sites, but you can add your own to the list. That is about as much control as you'll have with this extension, but it is a good start if you are a Safari user.

Chrome has an extension based on the Safari add-on, also called JavaScript Blacklist, that does essentially the same thing and is also customizable. Again, better than nothing.

Firefox: NoScript: http://noscript.net/
Safari: JavaScript Blacklist: https://extensions.apple.com/
Chrome: JavaScript Blacklist: chrome.google.com/webstore

Wednesday, July 13, 2011

Pass The Word About Passwords

It's been my experience, over the last 25 years, that most people fail to exercise some basic safe computing principles in employing passwords. I cannot stress enough how important it is to have strong passwords in today's computing environment. As Internet and web technologies evolve so do the attempts to steal your personal information.

Throw out everything you thought you knew about passwords and start all over again. Hopefully, you've heard the term "strong passwords" before I typed it in the paragraph above, but maybe you aren't sure what that really means. I'll explain, but first let me give you a brief rundown of what most people do when creating passwords. Then, ask yourself if you are one of these people. If you are, I hope to instill some new knowledge about passwords within you.

These are the traditional habits people have used in the past:
  1. Short passwords
  2. All lower case
  3. The same one for every account
  4. Write them on paper, tape them to keyboards or monitors
  5. Speak the password out loud in the company of strangers
  6. Use words found in the dictionary
  7. Use pet names, addresses, family member names
You are probably thinking your passwords have served you well. Why then are the habits above no good? The bad guys have a number of tricks for discovering passwords, and they use computers to do the work. They typically start with what is known as a "dictionary" attack: the software they employ runs through a list of words found in dictionaries, along with common passwords and simple variations of them. If they have discovered anything about your identity, they add your addresses, names, birthdays and so on to that list. Only when targeted guessing fails do they fall back on a "brute force" attack, which tries every possible combination of characters, and that is where a short, all-lowercase password falls in seconds. Passwords that follow the habits above are easily discoverable. And, if you have a bad habit of sounding out your password as you type, I'd button up if I were you. Anyone listening to you may have your password. It's dangerous to use the same password for all accounts, because if that password is compromised you have given the hacker access to every account you have. It is no longer safe to keep your passwords on paper or in a Word document on your computer.

If you are thinking it is going to be a lot of work to change all of your passwords, it very well may be. It is not at all unusual to have 80 or more accounts to manage. It's easy to amass them over the years. The important thing is that you change your passwords in order to make them stronger. As a rule, I only change a password when I have evidence to suggest it has been compromised, or I think it is too weak.

Often, people are given the advice to change passwords regularly. Not once have I heard a good argument for this needless practice. It doesn't make sense to change a password for the sake of changing it. Changing all your passwords on a routine basis would create a lot of unnecessary work. You probably don't change the locks on your house unless there is evidence of a break-in, so why would you do that with your passwords? Besides, what if you change your password today, and tomorrow it is hacked? That being said, I vet my passwords annually to confirm I have no repeats, and to ensure they are still considered strong. Keep in mind that strengthening passwords is part of an evolutionary process. As the hacking abilities increase in sophistication so too must we follow suit by creating stronger passwords.

So, let's take a look at creating strong passwords and how to manage them. The sum of the list below is stronger than its individual parts. Use the following tricks together to get the best possible passwords.

Long passwords: The longer the better, simply because it takes more time to discover the password. Eight characters used to be considered the minimum, but that is now considered inadequate because password cracking gets more advanced as time goes on. I recommend eighteen-character passwords.

Pad your passwords: Find a unique, yet memorable way to add length to your passwords. Padding adds a simple sequence of symbols that you insert at the beginning, middle, and/or end of your passwords to make them longer and more complex. Padding lengthens a brute-force search; it does nothing against a direct guess of the word underneath, so pad something that is not a dictionary word to begin with.

Mix upper case letters, lower case letters, symbols, and numbers: every additional character class multiplies the number of combinations an attacker has to try, and a random sequence is stronger than a predictable substitution such as "@" for "a".

Use different passwords for every account: Without exception! One compromised password affects one account only; not all accounts.
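The tips above put into a small Python checker, as an added example rather than any tool the post recommends: it scores a password against the traditional bad habits listed earlier (short, one character class, dictionary word, reused) and works out the size of the search a brute-force attack faces, so you can see how length and padding move the number. The word list is a tiny constructed one and the guess rate is an assumption, so the times are only for comparing passwords with each other.

```python
"""Added example: measure a password against the bad habits listed above and
against an exhaustive search. Standard library only; the word list is a tiny
constructed one and the guess rate an assumption, so the times are for
comparison between passwords, not predictions."""
import string

# Assumption: an offline attacker with GPUs against a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed word list; real cracking lists run to millions of entries.
COMMON_WORDS = {"password", "letmein", "fluffy", "summer", "welcome", "qwerty"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation)


def classes_used(pw):
    """How many of the four character classes appear in pw."""
    return sum(1 for cls in CLASSES if any(c in cls for c in pw))


def alphabet_size(pw):
    """Size of the smallest character set an attacker has to assume."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def search_space(pw):
    """Candidates an exhaustive search tries before it is sure to reach pw:
    every string over the same alphabet, of every length up to len(pw)."""
    n = alphabet_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def crack_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time for a brute-force search at the assumed rate."""
    return search_space(pw) / rate


def problems(pw, used_elsewhere=()):
    """Which of the traditional bad habits this password shows."""
    found = []
    if len(pw) < 12:
        found.append("short")
    if classes_used(pw) < 3:
        found.append("few character classes")
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in COMMON_WORDS:
        found.append("dictionary word")      # 'Fluffy1!' is still 'fluffy'
    if pw in used_elsewhere:
        found.append("reused")
    return found


def pad(pw, padding="...."):
    """The padding trick: a memorable fixed sequence added to a password."""
    return pw + padding   # or padding + pw, or split around the middle


if __name__ == "__main__":
    for candidate in ["fluffy", "Fluffy1!", pad("Fluffy1!"), "xG7$pL2!nQ9@wE4#vR"]:
        print(f"{candidate!r:24} problems={problems(candidate)} "
              f"brute-force={crack_seconds(candidate):.3g}s")
```

Two things the numbers show that the prose only asserts: a padded "Fluffy1!" has a far larger brute-force search space than the unpadded one, yet problems() still flags it as a dictionary word, because the attacker's first guess is the word, not the exhaustive search.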

Use a password manager: Password managers will help you keep track of all your passwords. They encrypt all of your passwords to secure them. You create one master password you'll commit to memory. They can fill your login credentials into secure websites, and some integrate with web browsers, making this more seamless. You can sync between devices. You can update your list easily when you create or change account information. If you use one that stores your password database online, be sure it encrypts your data locally, before it ever leaves your machine. KeePass is a free password application that is a good start. 1Password is a very robust application that is available for Mac and Windows users and is reasonably priced. LastPass is another option and offers to host your passwords in the cloud, touting anytime, anywhere availability.

The point oh: You can never be too careful with passwords; they are the keys to your digital kingdom.  You don't leave your doors unlocked so don't leave your digital life unlocked. Practice smart password creation and control.  This is not something you should put off until later, it might be the difference between protecting your identity and having it stolen.

Tuesday, June 28, 2011

Today's Forecast: Cloudy with a Chance of Data

There has been a lot of chatter related to "the cloud" lately, so I decided I would weigh in on it.  The extended forecast looks sunny for cloud computing.  How archaic to say that "it" is in the ether, or on the Internet, or stored on a server.  At least it's not another acronym.

Simply stated, the cloud computing most of us meet is little more than storing your pictures, music, video, and documents on a remote computer so that you can access them from any place, and any device, with an Internet connection. As more people connect from locations other than their home computer, or from multiple devices they own, access from anywhere becomes more appealing.

I won't get into the details of how cloud computing works, instead I'll focus on what's good and bad about it.

Its strong points:

1. Services are becoming less expensive, or free, as remote storage becomes more popular. Keep in mind, most companies providing cloud storage are selling other services to stay in business.

2. Some providers, such as Google, allow shared editing of documents.  An incredible feature when you want to collaborate with others.

3. Your computer no longer has to be the hub with which all your other devices sync.

4. Access anytime, anywhere

Its weak points:

1. The big ones here are privacy and security.  You are trusting total strangers with maintaining your personal stuff and keeping their systems secure.  Be sure to read the agreements before committing to a provider.  You are being granted access to your stuff under their rules.  Providers may monitor activity and may share data with law enforcement without notifying you first.

2. Lack of connectivity, slow Internet connections, poor cellular coverage, or non-secure (open) wireless networks can negatively impact access; an open wireless network also lets anyone nearby watch whatever traffic isn't encrypted.

3. Weak passwords, or lack of file encryption, can leave you vulnerable. Consider providers that let you encrypt your data before pushing it to their cloud, with a key only you hold, so that the provider itself cannot read it.

4. No standard protocol currently exists to make migrating your data from one service to another easy.

There are numerous companies offering cloud storage.  Apple recently retooled their Mobile Me service and relabeled it iCloud.  Amazon, Dropbox, HP, and Dell are just a few others to offer cloud services.

The point oh: Right now, cloud storage might be best suited to storing encrypted backups of your data while you still store your working files locally.  The benefit of this is that you have off-site backups of your data in the event of a local disaster.  That is not to say you can't use the cloud for other purposes.  I use Google docs for those few documents I like to be able to access no matter where I am.  Other than that, my email is the only thing I fully store in the Cloud.  I am just not ready to place my entire digital life in the hands of others.  I don't need to have access to all my stuff everywhere I go anyway.  And, since I have lived this long without it, I am certain I am not missing anything, yet.  My personal feeling is that the Cloud is the future, but it is still a toddler.  For me, it will take baby steps to embrace it completely.  Eventually, I imagine, I will have my head in the clouds.

Wednesday, June 22, 2011

Captcha: Gangsta Rap

Sounds like the name of a rapper, to me anyway.  But, it has nothing to do with rap music and everything to do with security on the Internet.

So, what exactly is Captcha, or CAPTCHA to be technically correct? Those pesky computer acronyms! It stands for: Completely Automated Public Turing test to tell Computers and Humans Apart. Turing test? Why does one explanation always require another? I'll explain the Turing test in a minute, but first...

The simplest explanation I can offer for Captcha is that it is those nearly impossible squiggly words a website wants you to type in order to prove you are a person. The point of having you type those squiggly letters is so that the system you are interacting with knows that the input came from a human and was not machine generated. Mail systems such as Gmail and Yahoo need to be sure that computers are not creating mail accounts. A spammer could use a computer to create hundreds of phantom email accounts and program those accounts to send out junk mail and malware. And, with hundreds of fake accounts sending mail out all day and night, it could cause legitimate users poor service or potentially other issues.

The point oh: As with virtually all security measures, CAPTCHA fails some of the time. Character-recognition software continues to improve, humans can be put to work reading and entering Captchas on a spammer's behalf, and bugs and vulnerabilities in the CAPTCHA software itself get exploited. Captchas have gotten slightly more complicated since they were first introduced, but remain crackable.

Now, about that Turing test. In a Turing test a human judge converses with a hidden partner and tries to tell whether it is a person or a computer; the computer passes if it is mistaken for a human. In the case of Captcha it is really a reverse Turing test, because the subject is human and the judge is the computer. A human inputs data while a computer decides whether a human entered it, or another computer.

That might be enough for one post to boggle the mind. I strayed from mentioning the word "bot" in explaining how spammers would automate such a task, as it might require another explanation. Oops! I just mentioned the word I wasn't going to mention.

I'll explain what a bot is in another post. For now let's just enjoy some Gangsta Rap.

Wednesday, June 15, 2011

iPhone 3G, or not to be?

That is the question for those of you still using an iPhone 3G.  And, I have to emphasize still.  It seems that someone at Apple, let's call him "Steve Jobs", decided that two and a half to three years is much too long to use any iPhone model.  Of course, he never actually came out and said that.  I wouldn't want to be accused of putting words in his mouth, but the reality is that Apple has unofficially stopped supporting the iPhone 3G and older models.

If this were a device that doesn't store personal information, and can't be used on a cell or wireless connection, this probably wouldn't even be much of a blip on my radar. But, the problem for me is that the iPhone is a connected device, and as such it should remain a patched system. Without firmware updates you won't get the latest security or bug fixes, and it could also mean a lack of support for your apps as developers continue to improve their apps for the newer iOS.

There have been two indications that Apple is dropping support for the iPhone 3G.

1. No firmware update for the 3G (looks like iOS 4.2.x is the end of the line) though the 3GS and newer models were updated (as of this writing 4.3.x is available).
2. At Apple's World Wide Developer Conference this month "Steve" made no mention of the iPhone 3G being supported by iOS 5 which makes sense given the first point I made here.

Is this a problem worth worrying about?  Probably not right away.  It is still unclear when the next generation iPhone will be released.  The best guess anyone has is sometime in September or October of this year.   The Japan earthquake has impacted manufacturing for a lot of companies, and Apple is no exception.

Current options for upgrading to another Apple iPhone:

If you want to bail on your 3G now you can get a brand new iPhone 3GS for $50*. It's a good price, but since it was introduced in June 2009 my guess is that support will end unofficially in 2012. That is next year. You have to ask yourself if it is worth it to eke out the extra year in the hope of something better before the end of 2012.

Or, you can get a brand new iPhone 4 for between $200-$300* (depending on model).  Introduced in June of 2010, my guess is that support will end unofficially in 2013.  Do the math, that is maybe two more years of support for that price.

Roll the dice, and wait for the next generation iPhone and pay the likely $200-$300 price tag (depending on model).  This would also have a three year life span ending support unofficially in 2014, if my theory is correct.  I'd say it is worth the gamble to wait especially if a new iPhone model comes out before the end of the year.  Apple probably won't want to miss the holidays as an opportunity to push sales of something new.  Also, this phone will most likely ship with iOS 5 installed since it was just introduced at WWDC.  Whether or not the hardware differs much from the iPhone 4 is also up for debate, but my feeling is support for the device is more important for an iPhone 3G user than what features a new phone is going to sport.

Just because I am speaking specifically of the iPhone does not mean I am suggesting you would have to continue to use an iPhone.  There are plenty of other vendors offering smart phones that have similar interfaces and features.  The point oh:  There is obsolescence in every computing device.  How fast these devices become obsolete is a matter of debate.  But, sooner or later you will need to move forward.

Maybe you have noticed, despite Apple's claims of improving the speed on the iPhone 3G with the last two firmware updates, that your phone is slow.  Nuking the phone back to factory defaults, and reinstalling everything has marginal gains in performance.  It is particularly noticeable if you benchmark those speeds against an iPhone 4 using the same apps to test.  It is, in part, a hardware issue.  The iPhone 4 uses newer technology to support better performance and its additional software features.  It just might be one more reason to retire your 3G.

* Apple's pricing: http://store.apple.com/us

Saturday, June 11, 2011

Mal-where?

It was only a matter of time before the Macintosh operating system fell victim to a malware attack. Frankly, I am surprised it has taken eleven years. You're thinking, "Macs have been around since the mid 1980's! Certainly, that is more than eleven years." Yes, it is a lot longer. The point here is that we are talking about OS X (version 10 of Apple's operating system). Previous versions of Apple's operating systems got infected with viruses. It's just taken this many years, and the popularity of the Internet, to give Mac OS X users cooties.

So, what is MacDefender? The short answer: it is malware pretending to be legitimate anti-virus software. It informs you that you have malware and should pay to remove it. It relies on social engineering to get you to hand over your credit card information, and once you do, the bad guys buy lots of stuff with your money.

The "point oh":  The point is don't go, "Oh, I need to get rid of this; I better pay to remove it".  You should know if you are running a legitimate anti-malware program on your Mac or PC, and you should know what the product is called along with the company that provides it.  If you have never used an Anti-malware product on your Mac it might be time to start thinking about it.

More information on how to avoid and remove MacDefender (also known as: MacProtector and MacSecurity) can be found here:

http://support.apple.com/kb/HT4650