Archive for the ‘Security’ Category

File Under: Browsers, Security

Secure Firefox With New HTTPS Everywhere Add-on

Earlier this year, the Firefox add-on Firesheep created quite a controversy by making it easy to capture unencrypted web traffic.

Firesheep sniffs unencrypted cookies sent across open wi-fi networks. That means anyone with Firesheep installed can watch your browsing sessions while you lounge at Starbucks and grab your log-in credentials for Facebook, Twitter or other popular sites. Armed with those credentials, anyone using Firesheep can essentially masquerade as you all over the web, logging in to other social sites, blogs and news sites using your Facebook or Twitter username and password.

None of Firesheep’s mechanisms are new. But Firesheep made sniffing web traffic point-and-click simple — it was suddenly dead easy to do something that used to require a good bit of hacking knowledge.

The best way to protect yourself from Firesheep is simply avoid connecting to unencrypted sites when you’re on an open wi-fi network. That means making sure that you connect over HTTPS rather than HTTP everywhere you surf. But sadly, doing so is complicated and depends on which site you’re trying to connect to.

That’s where the Electronic Frontier Foundation’s HTTPS Everywhere Firefox add-on comes in. The extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the sites it supports.

Of course if the website you’d like to visit doesn’t support HTTPS, there’s nothing the add-on can do, but for many big sites — Twitter, Facebook, Google, PayPal, The New York Times, Bit.ly, Amazon — HTTPS Everywhere automates the process for you.

With HTTPS Everywhere installed, if you type “twitter.com” in the Firefox URL bar, the browser will automatically connect to https://twitter.com rather than http://twitter.com.
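The rewrite the article describes, as an added example that is not the add-on's own code: a small Python model of an HTTPS Everywhere-style ruleset (the hosts and regex rule below are constructed for illustration) applied to URLs, showing that a covered host is upgraded to https while an uncovered one is left exactly as typed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset written in the style of HTTPS Everywhere's XML rulesets
# (one <target> per covered host, one <rule> per regex rewrite). The hosts and
# pattern are illustrative, not the add-on's shipped rules.
RULESET_XML = r"""
<ruleset name="Example Twitter rule">
  <target host="twitter.com" />
  <target host="www.twitter.com" />
  <rule from="^http://(www\.)?twitter\.com/" to="https://twitter.com/" />
</ruleset>
"""


def load_ruleset(xml_text):
    """Return (covered hosts, [(compiled regex, replacement), ...])."""
    root = ET.fromstring(xml_text.strip())
    hosts = {t.get("host").lower() for t in root.iter("target")}
    rules = [(re.compile(r.get("from")), r.get("to")) for r in root.iter("rule")]
    return hosts, rules


HOSTS, RULES = load_ruleset(RULESET_XML)


def rewrite_url(url, hosts=HOSTS, rules=RULES):
    """Rewrite a plain-http URL to HTTPS when a rule covers its host.

    A host the ruleset does not know about is returned untouched, which is the
    limitation the article notes: a site without HTTPS cannot be protected.
    Requests that are already https are also left alone.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in hosts:
        return url
    for pattern, replacement in rules:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url


if __name__ == "__main__":
    for u in ("http://twitter.com/home", "http://www.twitter.com/",
              "http://example.com/", "https://twitter.com/home"):
        print(u, "->", rewrite_url(u))
```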

That’s a good start, but it won’t completely protect you from anyone sniffing with Firesheep. The latest beta release of HTTPS Everywhere, released over the long weekend, improves the add-on’s protection against Firesheep, but you’ll need to do some extra stuff.

First, head to the HTTPS Everywhere preferences (Tools -> Add Ons -> HTTPS Everywhere -> Preferences) and check the “Facebook+” rule. Then install the Adblock Plus extension and use it to block the insecure http:// advertisements and tracking sites that Facebook (and other sites) sometimes include. There are more instructions on the EFF’s site.

Now you can browse Facebook at the coffee shop in relative peace. Certain parts of Facebook may not work properly — some applications can’t use HTTPS, and the chat app won’t work — but at least you aren’t broadcasting your login credentials to anyone who wants to listen. The EFF says it has alerted Facebook to the incompatibilities, and that it’s waiting for Facebook to fix them.


File Under: Browsers, Security

Web Browsers Crushed in ‘Pwn2Own’ Contest


Think your web browser is secure? Think again. Nearly every common browser on the web has been compromised as part of the Pwn2Own contest at the annual CanSecWest security conference.

Whether it was Internet Explorer on Windows 7, Safari on OS X, Firefox on Windows or Mobile Safari on the iPhone, just about every browser on the market proved compromisable in some way.

Perhaps the most notable of the hacks is the iPhone exploit, in which a hacker managed to download the entire SMS database of a fully patched (non-jailbroken) iPhone 3GS, grabbing the complete list of contacts and any stored messages.

As in the real world, the Pwn2Own exploit code was delivered via specially-crafted, malicious websites which target a specific flaw in your browser.

Safari, Firefox and Internet Explorer were all compromised, but there is one notable exception — Google’s Chrome browser.

One of the key aspects of Chrome that has — thus far — stopped the Pwn2Own hackers is its tightly sandboxed code, which makes it very difficult to exploit. Which isn’t to say there aren’t bugs in Chrome, just that exploiting them to do dirty work outside of Chrome, and thus compromise Windows, Linux or OS X, is much more difficult than it is with other browsers.

For users of IE, Firefox, Safari and Mobile Safari, the only real solution for any security woes is to wait for software updates patching the flaws. Microsoft, which is a CanSecWest sponsor, says it’s already investigating the flaws in Internet Explorer.

Given that one contestant arrived at Pwn2Own with some 20 working exploits for OS X, we’re hoping Apple does the same, but sadly, the company is notoriously lax when it comes to patching security flaws in its software.

If you’d like more information about the specific exploits used on each browser, see CNet’s coverage of the nitty-gritty Pwn2Own details.


File Under: Programming, Security

XSS Vulnerabilities, Raw SQL Top List of Common Programming Errors

No programmer is perfect, but some mistakes are more dangerous than others. While some mistakes might just slow down your site, others can open up vulnerabilities that expose your code, your database and even your users to all manner of attack.

To help you identify the more serious errors common in programs of all types, a group of top software security experts in the US and Europe have released their Top 25 Most Dangerous Programming Errors.

Unsurprisingly, cross-site scripting vulnerabilities and improperly handled SQL top the list of common and dangerous mistakes. Remember kids, sanitize your database inputs; you just never know when someone is going to name their child: “Robert’) DROP TABLE Students;”
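As an added illustration that is not part of the original post: a constructed sqlite3 script that inserts the “Bobby Tables” name (written out in the full form the joke uses) once by string concatenation and once with a bound parameter. Parameterised queries, rather than hand-sanitising, are the standard remedy for this error, and the comparison shows why: the concatenated version lets the name drop the table, the bound version stores it as an ordinary string.

```python
import sqlite3

# Constructed input in the spirit of the joke quoted above. The trailing
# semicolon and "--" comment are what make the payload parse as extra SQL.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    return conn


def add_student_vulnerable(conn, name):
    # String concatenation: whatever the user typed becomes SQL text.
    # executescript() runs every statement in the string, standing in for
    # the many database drivers that accept stacked statements by default.
    conn.executescript("INSERT INTO Students (name) VALUES ('" + name + "');")


def add_student_safe(conn, name):
    # Parameterised query: the driver binds the value; it is never parsed as SQL.
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def students_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students")]


def demo():
    """Run both versions against the same input and report what survived."""
    vulnerable, safe = fresh_db(), fresh_db()
    add_student_vulnerable(vulnerable, BOBBY)
    add_student_safe(safe, BOBBY)
    return {
        "vulnerable_table_survives": students_table_exists(vulnerable),
        "safe_table_survives": students_table_exists(safe),
        "safe_names": stored_names(safe),
    }


if __name__ == "__main__":
    print(demo())
```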

While not all the errors in the list are common in web programming, some of the more serious things are concerns for web developers — cross-site request forgeries, missing encryption of sensitive data and unrestricted file uploads are all common web programming issues.

Also interesting is the weaknesses by language section, which breaks down common mistakes in PHP, Java, Perl and C/C++. No doubt web developers would like to have seen Python and Ruby in that list, but it should at least be useful for PHP and Perl programmers.


File Under: Browsers, Security

Google Chrome Beta Adds Privacy and Content Controls

The latest beta release of Google Chrome adds a slew of much needed privacy and content controls — as well as automatic page translation — to Google’s fast, but slightly feature-deficient browser.

The new features — which put Chrome on par with other browsers when it comes to privacy controls — are so far only available to those using the beta channel. Google says the new privacy controls will make it to the stable channel in the coming weeks. If you’d like to switch channels, and try out the new features now, head to the Chrome channel changer page.

The new features allow for much more fine-grained control of cookies, images, JavaScript, plug-ins, and pop-up windows, allowing you to always block them, always allow them or only allow them from trusted sites. The ability to whitelist specific sites matches what Firefox (and others) have long offered and helps close the feature gap between the two browsers.

To access the new controls in the latest release, head to the wrench menu and select “Options.” From there, click the “Under the Hood” tab and choose “Content settings.”

If you elect to disable cookies (or any of the other options) Chrome will display an icon in the URL bar which you can click to add an exception. The process is unfortunately a bit awkward, requiring you to type in the domain exceptions yourself. Choosing the “Ask me” option provides a more automated experience (and a quick lesson in just how many cookies are being set in your browser).

In a particularly nice touch, Chrome offers a link to control Flash cookies via Adobe’s setting page. Other browsers do not (without extensions) provide a way to stop these particularly pernicious cookies.

Chrome’s new features aren’t just for privacy either. The image-blocking feature could be used as a primitive ad blocker, provided you’re willing to add the necessary domains. Image blocking can also be handy in situations where your internet connection speeds are slow.

Also part of the new beta release is automatic web page translation. When the language of the page you’re visiting is different from your language setting, Chrome will now offer to translate the page using Google Translate. While machine translations aren’t perfect, Google Translate isn’t bad for conveying the basics of a multilingual page.

If you’d like to take Chrome 4.1 beta for a spin, head over to the beta download page. For more details on the privacy controls, here’s Google’s video intro:


File Under: Backend, Security

Set Up a Linux Firewall on Your Network

Go outside and pop the hood of your car. You should see a thick metal barrier at the back of the engine compartment. This is called the firewall. To see how it works, poke a small hole in the fuel line so that a tiny amount of gasoline starts dripping on the engine block. Now close the hood, start the car, and head out on the highway (Some of you may choose to save life and limb (and time!) by merely visualizing this exercise).

If you have positioned the puncture correctly, within a few minutes the escaped gasoline should ignite and cause a small engine fire. At this point you may see smoke emerge from the engine compartment. Continue driving. You should be able to proceed a considerable distance before the heat becomes uncomfortable and toxic fumes and flames start to enter the passenger compartment.

The reason you can drive so far with a flaming engine is because the firewall is a highly effective barrier between the engine compartment and the passenger compartment. If your car had no firewall, the engine fire would have already melted the dashboard electronics and plastic, destroyed the upholstery, and toasted you to a crisp.

Now. Pull over and very carefully extinguish the fire.

A similar principle can be applied to networked computers. Picture your machine as the cozy, tricked-out interior of your automobile, and the outside world as the dirty but powerful engine that makes it go. It won’t do to have the vulnerable components of your network exposed to the engine’s maliciously raging heat — it’s best to install a firewall.

Let us abandon our weakening metaphor here before it carries us into a ping-pong tournament without a paddle. A firewall, in the networking sense, is a machine that straddles the interface between a private network and the Internet at large, and follows predetermined rules for allowing certain traffic to pass, while blocking traffic that’s unwanted.

So, how to get yourself one of those disaster-averting firewalls? You can start by reading on.
