Thursday, July 28, 2011

Browser Add-ons Part 2: Ghostery

Maybe most of us have become numb to the amount of advertising we are bombarded with on a daily basis. I'd like to think I am very aware of it, and of how it tries to lure me into its trap. Advertising is everywhere, and in a consumer society it is not going to go away. Nearly every business-driven website is pushing advertisements at us. All of these things, seen and unseen, are driven by a variety of web elements.

In last week's post I mentioned that scripts run in the background, that you can't really see them running, but that you can block them using No Script. Well, the Ghostery add-on will at least divulge the ownership of those scripts, and you can customize how you want it to work for you. Ghostery scans each page for scripts, pixels, and other page elements, then notifies you of the companies who have code present in the web page you are currently visiting.

One of its great attributes is that it is available for Firefox, Chrome, Safari, Opera, and Internet Explorer, which means you can use it with any of the most popular web browsers. Ghostery installs a menu item in your browser so that you can change settings, view a block log, and update the bugs list (bugs are also known as page tags), making it user friendly.

When you first install Ghostery you are given the option to run a wizard to help you configure it. It's a nice tool that helps you get started. Here is a quick look at the options the wizard guides you through:

  1. Run Wizard to customize your options.
  2. Ghost Rank (an optional install): sends back the web page elements found, the number of times each element has been identified, the domains identified, ads and their associated companies, the browser you are using, and Ghostery version info. By participating in Ghost Rank you are helping them improve the way Ghostery works, because it collects information about what it found on the sites you visited. If you choose to participate you are opting in, which seems rare these days, as most things require you to opt out.
  3. You can enable an alert bubble which notifies you of companies with page elements on the page you are currently visiting. It's eye opening to see how many companies have elements running in a given page.
  4. You can enable the library to auto update or update manually to get the latest list of companies that operate trackers, ad servers, analytics services, page widgets and other page elements.
  5. You can also enable blocking, which allows you to customize a list of trackers and cookies to block. Basically, block it if you don't want it tracking you.

After you install Ghostery I recommend you manually update the bugs list to be sure you have the latest available. I updated the bugs list after I installed Ghostery, and it added another 20 or so items.

So, what happens if you have No Script blocking all scripts on a page while you have Ghostery working too? Ghostery won't see what No Script is blocking, because No Script has disabled the scripts that Ghostery would otherwise see. Ghostery sees what is running, not what isn't.

Where No Script helps prevent dangerous scripts, as well as tracking scripts, from running, the goal of Ghostery is to promote more transparency with regard to our privacy. Ghostery can block elements other than scripts, so together with No Script you have even more control over your browsing.
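As an added illustration (not Ghostery's code, and not part of the original post), here is a small JavaScript sketch of the kind of scan described above: it walks a list of the elements a page actually loaded, ignores the site's own resources, looks the rest up in a bugs list, and, like Ghostery, never sees a script that a blocker such as No Script stopped from running. The bugs list, company names, domains and page URLs are all constructed for the example.

```javascript
// Constructed bugs list in the spirit of Ghostery's: a URL pattern and the company behind it.
// The domains and company names here are invented for the example.
const BUG_LIST = [
  { pattern: /analytics-vendor\.example\/collect\.js/, company: "Analytics Vendor" },
  { pattern: /adnetwork\.example\//, company: "Ad Network" },
  { pattern: /socialwidget\.example\/.*widget\.js/, company: "Social Widget" },
  { pattern: /audience-measure\.example\/beacon/, company: "Audience Measurement" },
];

// Registrable domain approximated as the last two labels; adequate for the sample URLs.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// elements: records of what the page actually loaded, { tag, url, blocked }. A script that a
// blocker such as No Script stopped never ran, so, as with Ghostery, the scan does not see it.
function scanPage(pageUrl, elements) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const found = new Map();              // company -> URLs of its elements
  const unknownThirdParty = [];         // third-party hosts not in the bugs list
  for (const el of elements) {
    if (el.blocked) continue;
    const host = new URL(el.url, pageUrl).hostname;
    if (siteOf(host) === firstParty) continue;   // the site's own resources are not trackers
    const bug = BUG_LIST.find(b => b.pattern.test(el.url));
    if (bug) {
      if (!found.has(bug.company)) found.set(bug.company, []);
      found.get(bug.company).push(el.url);
    } else {
      unknownThirdParty.push(host);
    }
  }
  return { companies: [...found.keys()].sort(), details: found, unknownThirdParty };
}

// Constructed sample page load: a first-party asset, three trackers, one blocked script, one unknown host.
const SAMPLE_PAGE = "https://www.example.com/story/42";
const SAMPLE_ELEMENTS = [
  { tag: "script", url: "https://static.example.com/js/site.js", blocked: false },
  { tag: "script", url: "https://stats.analytics-vendor.example/collect.js", blocked: false },
  { tag: "img", url: "https://ads.adnetwork.example/pixel?id=1", blocked: false },
  { tag: "img", url: "https://b.audience-measure.example/beacon?c=9", blocked: false },
  { tag: "script", url: "https://connect.socialwidget.example/en_US/widget.js", blocked: true },
  { tag: "img", url: "https://cdn.unknown-host.example/p.gif", blocked: false },
];

const report = scanPage(SAMPLE_PAGE, SAMPLE_ELEMENTS);
console.log(`${report.companies.length} companies have elements on this page:`, report.companies);
console.log("Third-party hosts not in the bugs list:", report.unknownThirdParty);
```

The blocked social widget script is absent from the report until its `blocked` flag is cleared, which is the No Script interaction the post describes.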

Wednesday, July 20, 2011

Browser Add-ons Part 1: No Script

I plan to devote several posts to some really great browser add-ons, also known as extensions. Sadly, I can't claim that I wrote them, but I can share them, so that is what I intend to do.

Before I dive into it, a brief explanation of what a browser add-on is and does may be in order. A browser add-on gives your Internet browser functionality it doesn't have built in, or "natively" as the techies say. There are a lot of add-ons available that can do great things, but be aware that there are plenty that could do more harm than good. I couldn't begin to tell you which ones aren't safe, so instead I will focus on some that I trust and find valuable from a security standpoint.

Websites are far more complicated than ever before. Many incorporate JavaScript and Flash content, such as those with annoying moving ads. You know the ads: "Try this one weird tip..." Long gone are the days of text-only websites. The danger with these more advanced sites is that malicious script can be injected into them, an attack known as Cross-Site Scripting (XSS). To protect yourself against these attacks you can use an extension called No Script.

No Script is a powerful Firefox add-on that, by default, stops all embedded scripts from running. Why is it a good idea to block all scripts by default? Well, we can't see the scripts being executed in the sites we visit, so we are blind to what they are doing. In the early days of the web, malware was frequently in your face and made a point of letting you know it was there. These days it tends to be far more stealthy and more vicious. The benefit of the No Script add-on is that it lets you control which scripts run in a web page. Having fine-grained control over what content loads in a website lets you decide how much risk you want to take.

A good way to get familiar with No Script is to try it on a website you trust and see what it does. You'll notice, on a script-heavy page, that much of the site won't load. When you left-click No Script, in the bottom corner of the status bar, a popup menu will appear allowing you to make decisions on what you want to allow, and whether or not those permissions will be permanently trusted. On sites I am not too familiar with, I will enable a script to see if it makes the page more usable; if not, I disable it immediately. I do this with each script that No Script has disabled until I can use the features of the site I want.

Internet Explorer 8 and higher have a similar tool built in; however, it lacks the fine-grained control that No Script offers, its functionality is rather limited, and by Microsoft's own admission when they rolled it out with IE8 it "is not an XSS panacea".

For Safari there is an extension by a third-party developer called JavaScript Blacklist that will block all JavaScript from blacklisted domains. By default it blocks certain sites, but you can add your own to the list. That is about as much control as you'll have with this extension, but it is a good start if you are a Safari user.

Chrome has an extension based on the Safari add-on, also called JavaScript Blacklist, that does essentially the same thing and is also customizable. Again, better than nothing.

Firefox: No Script:
Safari: JavaScript Blacklist:
Chrome: JavaScript Blacklist:

Wednesday, July 13, 2011

Pass The Word About Passwords

It's been my experience, over the last 25 years, that most people fail to exercise some basic safe computing principles when employing passwords. I cannot stress enough how important it is to have strong passwords in today's computing environment. As Internet and web technologies evolve, so do the attempts to steal your personal information.

Throw out everything you thought you knew about passwords and start all over again. Hopefully you've heard the term "strong passwords" before I typed it in the paragraph above, but maybe you aren't sure what that really means. I'll explain, but first let me give you a brief rundown of what most people do when creating passwords. Then ask yourself if you are one of these people. If you are, I hope to instill some new knowledge about passwords in you.

These are the traditional criteria people have used in the past:
  1. Short passwords
  2. All lower case
  3. The same one for every account
  4. Write them on paper, tape them to keyboards or monitors
  5. Speak the password out loud in the company of strangers
  6. Use words found in the dictionary
  7. Use pet names, addresses, family member names
You are probably thinking your passwords have served you well. Why, then, are the above criteria no good? The bad guys have a number of tricks they use to discover passwords, and they use computers to do the work. They typically start with what is known as a "dictionary" attack: the software they employ runs through a list of words found in dictionaries. If they have discovered anything about your identity, they would likely move on to "brute force" attacks that guess addresses, names, and so on to crack your password. Passwords that use the criteria listed above are easily discoverable.

And if you have a bad habit of sounding out your password as you type, I'd button up if I were you: anyone listening may have your password. It's dangerous to use the same password for all accounts, because if that password is compromised you have given the hacker access to every account you have. It is no longer safe to keep your passwords on paper or in a Word document on your computer.

If you are thinking it is going to be a lot of work to change all of your passwords, it very well may be. It is not all that unusual to have 80 or more accounts to manage; it's easy to amass them over the years. The important thing is that you change your passwords in order to make them stronger. As a rule, I only change a password when I have evidence to suggest it has been compromised, or I think it is too weak.

Often, people are given the advice to change passwords regularly. Not once have I heard a good argument for this needless practice. It doesn't make sense to change a password for the sake of changing it, and changing all your passwords on a routine basis would create a lot of unnecessary work. You probably don't change the locks on your house unless there is evidence of a break-in, so why would you do that with your passwords? Besides, what if you change your password today, and tomorrow it is hacked? That being said, I vet my passwords annually to confirm I have no repeats and to ensure they are still considered strong. Keep in mind that strengthening passwords is an evolutionary process: as hacking tools increase in sophistication, so must we follow suit by creating stronger passwords.

So, let's take a look at creating strong passwords and how to manage them. The sum of the list below is stronger than its individual parts. Use the following tricks together to get the best possible passwords.

Long passwords: The longer the better, simply because it will take more time to discover the password. Eight characters used to be considered the minimum, but that is now considered inadequate because password cracking gets more advanced as time goes on. I recommend eighteen-character passwords.

Pad your passwords: Find a unique, yet memorable way to add length to your passwords. Padding adds a simple sequence of symbols that you insert at the beginning, middle, and/or end of your passwords to make them longer and more complex.

Mix upper case letters, lower case letters, symbols, and numbers: Random sequences are considered to increase the strength as well.

Use different passwords for every account: Without exception! One compromised password affects one account only; not all accounts.

Use a password manager: Password managers will help you keep track of all your passwords. They encrypt all of your passwords to secure them. You create one master password that you commit to memory. You can insert login credentials into secure websites, and some managers integrate with web browsers, making this more seamless. You can sync between devices. You can update your list easily when you create or change account information. If you use a password manager that allows you to store your password database online, be sure it encrypts your data locally. KeePass is a free password application that is a good start. 1Password is a very robust application that is available for Mac and Windows users and is reasonably priced. LastPass is another option and offers to host your passwords in the cloud, touting anytime, anywhere availability.
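As an added example (not from the original post), this JavaScript estimator puts rough numbers on the advice above: the dictionary attack described earlier is modelled as a word list plus an optional capital and trailing digits, brute force as the character classes used raised to the length, and the attacker is assumed to take whichever route is cheaper. The word list, its assumed size of 200,000 entries and the guess rate of ten billion per second are constructed assumptions, not figures from the post.

```javascript
// Constructed stand-in for an attacker's word list; only its size matters to the estimate.
const SAMPLE_WORDS = new Set(["password", "sunshine", "fluffy", "baseball", "welcome", "dragon"]);
const ASSUMED_DICTIONARY_SIZE = 200000;   // assumed size of a real cracking word list
const ASSUMED_GUESSES_PER_SECOND = 1e10;  // assumed offline cracking rate, for illustration only
const PUNCTUATION = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";   // the 32 printable ASCII symbols

// Size of the character pool an attacker must search, from the classes the password uses.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if ([...password].some(c => PUNCTUATION.includes(c))) size += PUNCTUATION.length;
  return size;
}

// log2 of the guesses needed to exhaust every string of this length and character mix.
function bruteForceBits(password) {
  return password.length * Math.log2(charsetSize(password));
}

// Cost if the password is a list word plus optional capital and trailing digits; null otherwise.
// Real crackers apply many more mangling rules; this models only the simplest one.
function dictionaryBits(password) {
  const core = password.replace(/[0-9]+$/, "");
  if (!SAMPLE_WORDS.has(core.toLowerCase())) return null;
  const digitVariants = 10 ** (password.length - core.length);
  const caseVariants = /^[A-Z]/.test(core) ? 2 : 1;
  return Math.log2(ASSUMED_DICTIONARY_SIZE * digitVariants * caseVariants);
}

// The attacker takes the cheapest route, so the weaker estimate is the one that counts.
function effectiveBits(password) {
  const dict = dictionaryBits(password);
  const brute = bruteForceBits(password);
  return dict === null ? brute : Math.min(brute, dict);
}

// Worst-case time to exhaust the search at the assumed rate, in years.
function yearsToExhaust(password) {
  return 2 ** effectiveBits(password) / ASSUMED_GUESSES_PER_SECOND / (365 * 24 * 3600);
}

for (const candidate of ["Sunshine1", "Tr0ub4d&", "correcthorsebatter"]) {
  console.log(candidate.padEnd(20), effectiveBits(candidate).toFixed(1), "bits,",
              yearsToExhaust(candidate).toExponential(2), "years");
}
```

Run it and Sunshine1 comes out far weaker than its nine mixed characters suggest, while eighteen lowercase letters outscore eight characters drawn from all four classes, which is the length-over-complexity point made above.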

The point oh: You can never be too careful with passwords; they are the keys to your digital kingdom. You don't leave your doors unlocked, so don't leave your digital life unlocked. Practice smart password creation and control. This is not something you should put off until later; it might be the difference between protecting your identity and having it stolen.