Search

About

Enter your email address:

Delivered by FeedBurner

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

4 posts categorized "Current Affairs"

Great Browser Add-ons for Better Privacy and Security

Have you ever dabbled in Firefox, Chrome or Opera web browsers?   These are all popular alternatives to Internet Explorer (IE).

Firefox (FF) burst onto the scene a few years ago as a vibrant successor to the aging Netscape communicator. What made Firefox unique is that, unlike the largely monolithic structure of IE, Firefox is built in layers like an onion.  There is a small kernel of basic browser functionality and then some default outer layers that give it the familiar FF look and feel.  But because of this onion-like structure, and because it is open-source software, users that had the technical skills could modify just about anything else about it!  By far the most popular way to modify it was to add visual themes to change the shape and location of buttons and the overall color scheme.  The next most popular modification was so-called add-ons.   Add-ons change the fundamental way the browser works and, for our purposes, how security and privacy aspects function.


On behalf of their end users, security-oriented developers knew that browsers are one of the primary conduits for malware to get onto and take over systems and their contents.  But with FF’s architecture they realized they could enhance browser security by leveraging the fact that add-ons “have dibs on seeing” incoming web site content as it comes into the browser kernel!  Thus, add-ons could give the user back control over their privacy and security.  As always – these add-ons do cost a little more in terms of user attention to their configuration and alerts.  But such is the price of increased control.  By and large the suggested add-ons below do an exemplary job of letting users tune them so security and privacy is improved without being overous.


So, here are some of my favorite FF add-ons that will raise your awareness of all things security and privacy on the web:


LastPass – truly superior, genuinely secure, browser password vault

If you allow your browser to save your web site account names and passwords then you should switch from the built-in function to using LastPass.  LastPass uses genuinely strong encryption methods to encrypt your personal information.  Furthermore, all the encryption is based on your   master pass phrase, which only you know, and all of your information is encrypted before leaving your local system – not on the LastPass web server!  This means that even LastPass employees have no access to your information (nor would anyone that successfully hacked them).  However, because your personal info is stored “in the cloud” all of your personal information is available across different browsers (FF, Chrome, IE) and across different systems (work, home, mobile).


Adblock Plus – eliminates ads in your browser, period, end-of-story

Without screwing up the appearance web pages, AdBlock Plus simply eliminates 99% of ads from your browsing experience.  It is highly controllable via a little pull down menu so if you go to, say a not for profit web site that you know is ad-supported, you can tell it to not block ads on that site.  This is security-related only insofar as that ads are a conduit for spyware entering your browser.  In addition to turning on your browser’s pop-up blocker this will go a long way towards improving security and lessening annoying unsolicited ads.  As a side effect, it will also speed up web page loading times.


Collusion – graphically exposes tracking and selling information about your browsing habits

Collusion shows you what companies are collecting information from your browser about where you go on the Net.  The graph is color coded to distinguish between the web site you went to for content (e.g., www.nytimes.com) versus partner sites which collect information about where you have been on the web (e.g. doubleclick.com).  It literally connects the dots so you can understand how the NYTimes is connected to CNN through both having cut deals with some third party tracker like Google’s DoubleClick subsidiary.  It’s purely informational, but when combined with No-Script below, it gives you control over who can learn what about your browsing.


Certificate Patrol – detects changes to secure browsing certificates (websites you access via HTTPS)
For those not familiar with HTTPS certificates, they are the heart and soul of how your browser decides it is safe for you to trust that the web site you are buying a new golf club from really is Callaway’s web site.  Certificate Patrol is a mostly passive/informational.  It tells you about the certificates your browser has seen and what has changed about them since the last time your browser was at that site.  So, while it is just nerdy to find it is interesting to discover that  Google uses several certificate authorities for different Google products (Google+, Gmail, Google Apps, etc.),  it is concretely security enhancing that it will tell you if a site’s certificates are either revoked (by the signing certificate authority), expired or forged before you input your credit card information!


NoScript – makes visible and/or stops unseen chatter between the browser & 3rd parties

Of these add-ons, NoScript is the most in-your-face.  However, in exchange for a little bit of extra interaction with web pages you gain a ton of awareness and/or control about what third party web sites your browser is “secretly” interacting with on virtually every web page you visit!  That’s right – virtually all commercial web sites have links or bits of JavaScript embedded in them which, if allowed to execute, send information about you, and the page you just landed on, off to third parties.  NoScript takes the attitude that the user should remain in control of their browser communicates, therefore, by default, it stops script execution.  As with the other extensions mentioned it provides a drop-down menu that lets you control which site’s scripts to allow.  This is a little annoying at first since it interrupts the seamless loading of a lot of web sites.  However, it has options that allow you to tune it’s default behavior to be significantly less intrusive.  In any case, the information about all the different linkages to third party tracking sites, etc. is a real eye-opener!  If you install it with the aforementioned Collusion extension you will start to see patterns of firms that track you as you browse the Net!  Another nifty feature, if you have no idea which of these “third parties” (the ones in the NoScript drop down menu) to trust, you can shift-click on their names to research, from a variety of trusted sources, what each one has a reputation for doing with tracked information such as shopping your email address around or selling information about which ads you click on.


You can get these add-ons to FF by using the Tools >> Add-ons menu item, and searching for each by name.  Then follow the installation procedure for each.  To remove an add-on on FF, just go to Tools >> Options >> General tab >> Manage Add-ons button.

What are your favorite security and privacy related plug-ins for FF or other browsers?

Credit to Steve Gibson of Gibson Research for pointing out some of these add-ons by name in his excellent Security Now!  podcast (part of the This Week in Tech network of podcasts):  http://grc.com.

John Brady is Information Security Architect Engineer at Westfield Insurance.

on 21 July 2011 |

| | | | | |

The Trusted Insider

The U.S. military’s response to all the problems it has been having with sensitive documents appearing on WikiLeaks is to prohibit the use of removable media such as USB drives.  They are even threatening court marshals.  Here is an article on CNN that gets into more detail on this:

http://www.cnn.com/2010/TECH/web/12/10/military.stops.leaks.wired/index.html?hpt=Sbin

Will this be an effective way to stop information loss?  It will certainly make things a little harder to get large amounts of data out of their secure networks.  But, in order to be useful, information does need to move around and be accessed on multiple platforms by multiple people.  As the information moves around, there are opportunities for it to move out of your organization's control.  Is there an effective technical control that could be put in place to mitigate this risk?

The problem here is not technical.  No technical control failed; it’s that a trusted user, with appropriate credentials and the required access needed to perform their job, has decided to violate their organization’s (the U.S. military) policies and trust.  The people who are uploading this information are intentionally misusing the access that they have been granted.  This is probably the worst risk that Information Security professionals everywhere have to deal with: the Trusted Insider.  You know them: the high performers with positive attitudes who have been around a long time, are working on important initiatives and who would never do anything wrong.

We can monitor logs, block websites, restrict network protocols, ban USB drives, disable DVD burners, encrypt data at rest, layer on more and more technical controls …  Will this address the issue and mitigate the risk?

Putting technical controls in place, like banning USB drives, makes it harder for the Trusted Insider to do bad things, but they are still there in your organization, accessing your most sensitive information.  How do you mitigate the risk of information misuse by the Trusted Insider? 

We'd like to hear your thoughts on this issue - please comment below.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance.   Sharing Knowledge. Building Trust.

on 14 December 2010 | | Comments (0)

| | | | | |

Securing Mobile: When a Phone is as Powerful as a Laptop

There seems to be a disconnect between want and need with respect to smartphones and information protection.  Securing mobile is a “downer” along at least two main axes of mobile phone interaction: convenience and cost.

If your phone is as powerful as your laptop; meaning the operating system, the peripherals and the applications on your phone are as – or are more - sophisticated than those of your laptop then shouldn’t the security measures that protect the contents be similar?  The real question here is, if you’re using your phone to process the same information as your laptop, then we have to ask – how can one justify not securing it to the same degree as your laptop?

My opinion is that the only logical answer is yes.  For an increasing number of functions, phones are replacing laptops.  I believe that there are ways to secure mobile phones to the same standard as laptops while minimizing the inevitable inconveniences and extra cost. The solutions require thoughtful re-evaluation and sensible compromise.  Rather than slapping the old products from the laptop onto the smartphone, we should look at it as a qualitatively different platform. 

Drawbacks to Treating a Smartphone like a “Small Laptop”

Here’s an example of when it may be typical to treat a smartphone as a “small laptop”.

Many companies now use URL filtering perimeter systems, such as WebSense, to prevent employees from accidentally going to infected websites.  When an employee uses their laptop outside the company network, you may tell them they must “VPN into” the network before using the web. (This way, once the VPN tunnel is established, their browsing goes through the URL filter.)

It is possible to treat the smartphone like a laptop in this scenario, because there are VPN clients that work as well as the laptop version.  Employees could be told to “VPN into” the corporate network before web surfing on their smartphone. 

However, there are drawbacks: a) VPN clients take a fair amount of computational horsepower to run, and b) from a network architecture and management standpoint, why tunnel all that traffic from every mobile browser into the corporate core in order to turn around and go back out to the Internet? 

Rather than treating the smartphone like a laptop, the solution may be to change how your URL filter works.  So perhaps, instead of bringing the traffic to the filter, bring the filter to the traffic!  Put the URL filter on the Internet, and everyone’s computer (smartphone or laptop) can get to it from everywhere.  Companies such as WebSense and zScaler advocates and vendors of such solutions.

Speaking of changing the place where the processing happens – how about using another ancient solution?  How about moving where the applications run and so, where the information is processed?  I am speaking here of just using the phone as a window into the corporate computing environment.  This is déjà vu all over again, the fat client/thin client debate of the 1990s – the Unix X Window system and Citrix ICA.  The fact is that this class of “collapsed data center” solution, which once suffered complaints about bandwidth and server capacity issues has become increasingly viable not increasingly outdated.  Since the days of the mainframe terminal sessions, the thin client paradigm was always attractive from cost, administrative and data security perspectives.  Now the protocols for computing in the data center core and transmitting just the display have become more efficient and bandwidth has come down in price. Similarly, multi-core servers with dozens of gigabytes of RAM are the rule not the exception.  This makes it very attractive indeed to just load the thin client app onto the smartphone and have it connect securely to the core to process corporate information which is also on the core.  If the organization wants people to be able to drag and drop files or query results from the core within apps that run on the endpoint – then the endpoint needs heavy securing as described above.  But if the thin client is set up so that information cannot be transferred from the core to the endpoint then one has a lot less to worry about in terms of “information leakage.”  The “drag and drop” tradeoff being that the information the employee wants to transmit to their smartphone is not directly usable by other apps on their smartphone that make them more productive (e.g., transferring an address to the smartphones contact management system or its GPS app).

So where does this leave us?  I think, for now, the choice is between:

a.    Smartphones with powerful processors and awe-inspiring local apps and local corporate data loaded down with classical malware protections like encrypted file systems, anti-virus, URL filtering, anti-spam, personal firewalling (local or in the cloud)

b.    Collapsed data center where the employees log into a virtual desktop running on a big server and all the employee ever has on their smartphone is a thin interface to corporate data on a far-away desktop

The convenience trade-off is clear – I would much prefer to be able to download a spreadsheet to the app on my phone and then hop on a plane and “play with the numbers” versus having to be on the network and constrained by my company's standard spreadsheet program.  

Cost wise, the price of buying and administering standalone smartphones with high performance client software on them is much higher risk and less cost-effective than standing up a big server with desktop OS licenses, a few licenses for each app and issuing a thin client for each employee’s corporate or privately owned smartphone, laptop or desktop.

Is there is a happy medium?  What do you think?

Next time we’ll discuss modifications to these paradigms that may remove some of the downsides to both, namely, data centers in the cloud and always connected mobile  networking.

----------------------------

Some links to others thinking about the same topics:

http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/Mobile-Devices-May-Pose-Greatest-Threat-to-Confidential-Information-New-ISACA-White-Paper.aspx

http://isc.sans.edu/diary.html?storyid=9787

----------------------------

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

on 18 November 2010 | | Comments (0)

| | | | | |

More Facebook Privacy Problems?

It seems like Facebook can’t keep itself out of the news when it comes to information security and personal privacy problems.  I just read another article in the wall street journal http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html which talks to some additional misuse of Facebook member’s information.

It seems that a number of companies are anonymously mining members profile information, creating databases and selling profiles for targeted advertising even when users have set their privacy settings to strict.  At least 25 databases and advertising firms may be involved.

Many of the most popular applications are also transferring information about their users to outside companies.  Three of the top ten actually transmit information about their user’s friends as well to companies, according to the article.

Facebook does have a “policy” that application developers must not share personal information with advertising companies but with over a half a million applications, some appear to be breaking that policy.  Facebook claims to have disabled thousands of applications that have violated its policies.

Social networking has become an important piece of many people’s lives.  I actually know people who seem to live on Facebook 24x7.  Please have fun with it but remember that ANY information you put into a third party’s hands, even if they have great intentions and tell you that they will keep it safe, is completely out of your control and will be used by someone to make a profit if they can.

Wow, with an outlook like this, its no wonder why no one wants to be my Facebook friend!

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance.   Sharing Knowledge. Building Trust.

on 19 October 2010 | | Comments (0)

| | | | | |