Five Steps To Protect Against Browser Attacks

Some days, it pains me to see how woefully insecure some web browsers are. Every day, it seems that ten new browser-based exploits (or client-side attacks, as my presentation will tell you) are publicly released, and just because you’re on a site that you think is legitimate doesn’t mean that somebody hasn’t compromised it.

For those of you using Internet Explorer (IE), I pity you. IE, still being the #1 most commonly-used browser in the world, is the target of the most attacks by far out of all the major browsers. If you’re smart enough to use another, better browser, then you’re already one step towards protecting yourself. I’m going to assume, though, that you’re using Firefox or one of it’s derivatives such as Flock, since the plug-in libraries are huge.

1. Use the Web of Trust
My Web of Trust (MyWOT) is a plugin for Firefox that warns you about potentially risky sites. It can alert you to known scam sites, spam sites, and pages that are known for hosting malware. It’s great for getting an idea of how trustworthy the site you are visiting is, and is a great extra level of protection against attacks against your computer.

2. Block Javascript and Popups

AdBlock Plus:
The most common form of browser-based attack is cross-site scripting, or XSS. XSS uses Javascript (a scripting language that websites use) in order to force your browser to do something. Typically, Javascript usage is legitimate; when you post something on somebody’s wall on Facebook, Javascript is used there to push the new message to their wall without refreshing the page, and to create that cool sliding effect as the old posts move down the page. You can also use it for malicious use, though. Stealing login credentials is a common one, but I’ve seen Javascript sophisticated enough to hijack your browser, forcing you to visit sites without you having any input or even downloading and running malware and viruses against your will. NoScript will block all Javascript, and then you can tell it what you want to enable. It takes a while to configure properly, but after a week or so of setting it up, you’ll be a lot more secure. XSS sometimes propagates through ads, so AdBlock is nice to have as well.

3. Use Different Passwords

This always seemed like a no-brainer to me, but I know many other people who won’t do this. Using the same password for multiple sites is just stupid. If somebody manages to steal your password from one site, what’s stopping them from going to the other site (and no, having a different user name isn’t going to prevent anything). Instead of using the same password, use different ones, minimum 8 characters, and random characters. If you can’t remember all of those, take two 4-character random strings, and take the domain name, and put each random string on either side of the domain; there’s your password. For example: “4n$sFACEBOOKn4%l”. Swap “e” for “3”, “s” for “$” or “l” for “1” – think L33T!

4. Clear Those Tracking Cookies
Although you may not realize it, tracking cookies are used to track your movement around the internet. Although you may visit very different web pages, the company that displays ads on the sites may be the same. Beat these cookies with BetterPrivacy, which removes tracking cookies and LSOs from your browser cache.

5. If You Didn’t Expect To Get It, Don’t Click It

I hate to have to reiterate common sense, but sometimes it escapes us. If you didn’t expect to get a link from somebody, or they sent you a file that you weren’t planning on getting, don’t open it. I don’t care if it came from their MSN account; if you didn’t follow rule #3, there’s no reason why their account couldn’t have been hacked. If someone sends you a link, do yourself a favour and just ASK the person what it is before you click it; if you get a reply that is something that your friend would say, then you’re probably okay.

Well, that took longer than expected. Hopefully that’s of some use for people. As always, I appreciate your comments and feedback. If you like what you read, help me out by posting the article on Reddit, Facebook, or Digg (or sending the link to a friend). See you next Monday!

IPAM Presentation: November 2009

Last Wednesday, myself and the other co-op student working with me did a presentation to the Information Protection Association of Manitoba (IPAM) about attacks on web-based applications. It was certainly an interesting experience. Although it wasn’t a stellar performance, I think we did okay considering our presentation skills. Unfortunately we were expecting a slightly larger percentage of technical-minded people rather than business-minded people, and thus I got the impression that some of the talk was a little over the heads of a few of those in attendance. Regardless, it was a learning experience, and something I learned a lot from.

I was approached twice after our presentation was over. The first gentleman, to paraphrase, suggested that the presentation would be more useful had it included a mitigation strategy to prevent and (hopefully) eliminate the possibility of attack. I thought he might be on to something here. After all, wouldn’t it be great to have a check list to go through, and making sure each item is checked off would result in a secure application? For the rest of the day, I spent a lot of time going back and forth on this idea. On one hand, this check list would be nice, but I also firmly believe that a large amount of the prevention relies on the skill level of the programmer, debugger, and penetration tester, and a check list simply wouldn’t be sufficient to protect yourself from attacks. But, having the check list would be a good start. Sort of an “if you’ve done these things, you’ve covered the basics” check list. It would be a good reminder sheet for pro programmers, and a good stepping stone for those who are just starting off. To that person, your suggestion has been heard, and the check list has been added to my to-do list, hopefully to have a first draft out within a month or so, so stay tuned for that.

The second gentleman asked if the slides to the presentation would be online for later viewing. At the end of the presentation, although we took almost an hour, I was well aware that we were rushing; we probably had too much content that we wanted to cover. Before the presentation I had already planned to put the slides online as a reference; although it’s nice to see the slides during the talk, it’s also nice to go back and view them at a later date. Thus, my slides will be online here for anybody to take a look at. I will also be posting my source code, but that will be a bit later (ie. probably next week), since there’s a few sections that are a little finicky right now.