practising safer web browsing

Practising Safer Web Browsing

Terry Labach

Information Security Services

IST

February 17, 2012

2

"People are terrible about making security tradeoffs. If you give a naive user a choice, such as, 'If you want to see the dancing pigs, you could be compromising your machine,' most users will choose the dancing pigs over security every time."

- Bruce Schneier, security author and consultant, on how computer users manage risks while using the Internet.

[http://www.theglobeandmail.com/servlet/story/LAC.20060803.TWVISTA03/TPStory/Business]


3

Outline

• The risks• The threats• Taking responsibility• Browser configuration• Browser tools• Questions


4

The risks

• Embarrassment• Identity theft• Financial loss• Loss of productivity


5

CriminalsBusinesses

The threats

Government


6

Taking responsibility

• The basics– Use good passwords

• Not in dictionary• Reasonably long with mix of characters

– Don’t reuse passwords

• Don’t let browser save passwords– Master password– Password vault


7

"You know, I almost bore myself when I say to myself, 'It's time to get the groceries,' I certainly don't want to put it out there for people to read."

- Eugene Levy, comedian, talking about Twitter in a Canadian Press interview.


8

Taking responsibility• Thoughtful browsing

– Don’t give up personal information• Date of birth• Postal code or location• Vacation schedule• Social Insurance Number!


9

Taking responsibility• Secret questions

– Use with caution– Might be easier to reset your password than

you think

• Fun With Secret Questions & Answers


http://tongodeon.livejournal.com/890323.html

10


• Maintain safe environment– Keep operating system, browser up to date– Apply security patches– Be cautious using public Wi-Fi– Use secure communications (https)


11


• Clicking on links can introduce attacks– Poisoned search results– Clickjacking– Cross-site scripting


12


• Installing software– Know what software needed for sites you

browse– Enter software web site address yourself,

don’t click link– Don’t install software for unknown file types or

oddly named files


13


• Separate browsing environments– Have one user login id for social networking,

etc.; a different id for financial transactions

• Virtual machines (advanced)– Use separate virtual computers on your PC

for browsing with different security needs– High security virtual machine has no

unneeded software


14

Browser configuration• General principles

– Protect your information– Protect your privacy– Disallow access and execution

• Exceptions– You will want to break these principles for

good reasons at times– Use principles as your default


15

Browser configuration

• Firefox– Disable Java and JavaScript– Disable save passwords (or use master

password)


16


• Internet Explorer– Apply high security setting to Internet zone– Limit cookie permissions– Do not allow third party extensions


17


• Safari– Disable Java and JavaScript– Block pop-up windows– Disable opening of so-called safe files


18


• Chrome– Limit cookie permissions– Web content settings


19

Humans…have unacceptable speed and accuracy…. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)

- C. Kaufman, R. Perlman, & M. Speciner in Network Security: PRIVATE Communication in a PUBLIC World


20

Tools

• NoScript– http://noscript.net/– Blocks JavaScript and defends against other

potentially malicious content– Swiss Army Knife of protection


http://noscript.net/

21

Tools

• Web of Trust (WOT)– http://www.mywot.com/– Ranks websites based on feedback from

WOT users– Adds links to search engine results


http://www.mywot.com/

22

Tools

• Ghostery– http://www.ghostery.com/– Detect and block 3rd party tracking– Shows the elements of web pages served

from third parties


http://www.ghostery.com/

23

Tools

• Do Not Track Plus– http://www.donottrackplus.com/– Detect and block 3rd party tracking– Shows you who is tracking you


http://www.donottrackplus.com/

24

Tools

• View Thru– https://chrome.google.com/webstore/detail/jkn

cfnbcgbclefkbknfdbngiegdppgdd– Displays the target of shortened URLs– Known to be flaky in use


https://chrome.google.com/webstore/detail/jkncfnbcgbclefkbknfdbngiegdppgdd


25

Tools

• HTTPS Everywhere– https://www.eff.org/https-everywhere– Forces use of https protocol on web pages

that support it


https://www.eff.org/https-everywhere

26

Tools

• Adblock Plus– http://adblockplus.org/en/– Blocks ads while browsing


http://adblockplus.org/en/

27

Resources - User safety

• CERT - Securing Your Web Browser• SANS - Browser Safety• SANS - Secure Browsing Environment• Canadian Cyber Incident Response Centr

e• U.S. Computer Emergency Readiness Tea

m


http://www.cert.org/tech_tips/securing_browser/

http://www.securingthehuman.org/newsletters/ouch/issues/201011.pdf

http://www.sans.org/reading_room/whitepapers/bestprac/secure-browsing-environment_33789

http://www.publicsafety.gc.ca/prg/em/ccirc/index-eng.aspx

http://www.publicsafety.gc.ca/prg/em/ccirc/index-eng.aspx

http://www.us-cert.gov/index.html

http://www.us-cert.gov/index.html

28

Resources - Browsers• Firefox

– Privacy & Security

• Internet Explorer– Improve the safety of your browsing and e-mail activities

• Safari– Security & Privacy

• Chrome– Manage privacy and security settings


http://www.mozilla.org/en-US/firefox/security/

http://www.microsoft.com/athome/security/online/browsing_safety.mspx

http://www.apple.com/safari/features.html

http://www.google.com/support/chrome/bin/topic.py?topic=14666

29

Resources – Tools discussed

• NoScript• Web of Trust• Ghostery• View Thru• HTTPS Everywhere• AdBlock Plus• Do Not Track Plus


http://noscript.net/

http://mywot.com/

http://www.ghostery.com/


http://www.eff.org/https-everywhere

http://adblockplus.org/en/

http://www.donottrackplus.com/

30

Resources – Other Tools• Facecloak

– Protect user privacy on Facebook

• Qualys BrowserCheck– ensures browser and plugins are up to date

• Trashmail– lets you use a disposable email address

• LastPass– Secure password vault


http://crysp.uwaterloo.ca/software/facecloak/index.html

https://www.qualys.com/forms/browsercheck-business-edition/

https://ssl.trashmail.net/

http://lastpass.com/

31

Resources – Waterloo

• IST Information Security Services• Terry Labach

– Web application security• Consulting• Testing applications• Ethical hacking• Programming best practices

– Web training and education


http://ist.uwaterloo.ca/security/

mailto:[email protected]

32

Questions?


practising safer web browsing

Documents

safer web browsing6broken

safer web browsingtoday

safer web browsing8postal

store web sites

computer users

security author

security tradeoffs

dancing pigs