Category Archives: Infosec Communicator

  • 1

Choosing the Safest Browser

There’s always discussion among techies about which internet browser is better. Most of them end up bashing Internet Explorer. Does it really matter which browser you use?

Maybe, but not for the reasons you might think. Here’s a list of the five most common browsers, in no particular order:

  • Opera
  • Firefox
  • Safari
  • Internet Explorer
  • Google Chrome

Which of these browsers is the safest? The one with the fewest number of reported vulnerabilities? I asked my Cyber Self Defense class last quarter to guess which browser had the most vulnerabilities.

Here’s the order they came up with:

  1. Internet Explorer
  2. Safari
  3. Opera
  4. Firefox
  5. Chrome

According to the  Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

  1. Firefox
  2. Internet Explorer
  3. Safari
  4. Opera
  5. Chrome

Is this the order you expected? Did you think that Internet Explorer would have the highest number? If we go strictly by number of vulnerabilities reported, Google Chrome would be the safest browser to use and Firefox the worst.

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

Again, the class assumed the worst browser would be Internet Explorer. However, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.

Internet Explorer is attacked the most. Why? Because it’s used by the most people and provides a higher ROI for cyber criminals. Because it’s attacked the most, it MAY be safer to use a different browser. However,  safer Internet browsing has as much to do with safe practice as it does browser choice. If you browse unsafe sites, you’re more likely to be attacked.

Here’s what we’re telling students, faculty, and staff at the Rochester Institute of Technology about safer internet browsing.

Browser Security

How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

 

Anti-Phishing Tools

Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing.

The Netcraft Toolbar is a browser plug-in available for Internet Explorer and Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.

The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.

 

Limited Account Privileges

Limiting account privileges provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).

Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)

Ben

Postscript: I’ve included links below to my 6/30/11 posts updating this article.

Enhanced by Zemanta

  • 6

On the Eve of the Latest Facebook Privacy Fix

Facebook is releasing its latest privacy fix on Wednesday, May 26. I don’t have high expectations for the new controls as Facebook has not shown any ability to make the controls user friendly, or really understand what their users want for privacy.

A much bigger issue is that we seem to have abrogated OUR responsibility to protect our private information.

Fundamentally, information security is about managing risk. ANY involvement in social networking increases the risk of something negative happening–whether it’s loss of privacy, cyberstalking, identity theft, embarrassment, etc. It’s up to us to manage the risk. We should not expect the same amount of privacy protection from a free service that we would get from a credit card company, hospital, etc.

Although Facebook, Google, LinkedIn are all provided “free” to us, that freedom comes with a price–reduced privacy and some tracking of our web habits.

It’s up to us what we choose to share on social networking sites. We agree to EULAs (end user license agreements) that we click through to get to the “good stuff.” We blithely provide requested personal details and install apps that ask for even more and that tell us up front that they may share our information. Do you have to publish your date of birth? Hometown? 20 favorite things? (I’m just waiting for the next Facebook posting asking us, “What’s your mother’s maiden name?” and urging us to send the posting to all of our friends!)

Yes, Facebook, Google, and the other social networking applications have a responsibility to protect our information. However, WE have the responsibility to share ONLY the information we choose.


  • -

Safe(r) Use of Social Media: Facebook, Blogging, and Online Privacy

Concerns over Facebook privacy settings have increased steadily, with more and more mainstream media running stories about the issues. Although it is possible to more or less “lockdown” your privacy settings, Facebook makes frequent changes that may require you to review these settings on a regular basis. CNET recently discussed the controversy and suggested two tools to help determine and lockdown your current privacy settings. These tools include SaveFace (a browser helper tool) and a privacy scanning tool from ReclaimPrivacy.org.

I thought it would be useful to share some “safe practices” we created to help Rochester Institute of Technology students practice safer(r) social networking. (It’s never going to be completely Safe.)

Ben

Protecting Your Information: Safe Practices

Keeping your information out of the wrong hands can be fairly easy if you adopt a cautious attitude. Here are some tips to make sure your private information stays private.

Don’t Post Personal Information Online!
It’s the easiest way to keep your information private. Don’t post your full birth date, your address, phone numbers, etc. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts either.

Use Built-In Privacy Settings
Most social networking sites offer various ways in which you can restrict public access to your profile, such only allowing your “friends” to view your profile. Of course, this only works if you only allow a few people to see your postings-if you have 10,000 “friends” your privacy won’t be very well protected. Your best bet is to disable all the extra options, and re-enable only the ones you know you’ll use. These best practices can be applied to any social networking or blogging website.

Be Wary of Others
Research by Sophos (2007) found that 41% of Facebook users were willing to befriend a plastic green frog named Freddi Staur (an anagram of ID Fraudster), subsequently revealing their personal information. Most sites do not have a rigorous process to verify identity of members so always be cautious when dealing with unfamiliar people online.

Search for Yourself
Find out what information other people have easy access to. Put your name into Google (make sure to use quotes around your name). Try searching for your nicknames, phone numbers, and addresses as well-you might be surprised at what you find. If you don’t want your content publicly searchable, many blogging sites have instructions on how to exclude your posts from appearing in search engine results using something called a “robots text file.”

What Happens on the Web, Stays on the Web

Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So be safe and think twice about anything you post online.