Internet Safety Archives - Page 9 of 9

02
Jun 10
1

Choosing the Safest Browser

Category:Information Security,Infosec Communicator,Internet Safety,Uncategorized Tags : Browser Firefox Internet Explorer Internet Safety Safari

There’s always discussion among techies about which internet browser is better. Most of them end up bashing Internet Explorer. Does it really matter which browser you use?

Maybe, but not for the reasons you might think. Here’s a list of the five most common browsers, in no particular order:

Opera
Firefox
Safari
Internet Explorer
Google Chrome

Which of these browsers is the safest? The one with the fewest number of reported vulnerabilities? I asked my Cyber Self Defense class last quarter to guess which browser had the most vulnerabilities.

Here’s the order they came up with:

Internet Explorer
Safari
Opera
Firefox
Chrome

According to the Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

Firefox
Internet Explorer
Safari
Opera
Chrome

Is this the order you expected? Did you think that Internet Explorer would have the highest number? If we go strictly by number of vulnerabilities reported, Google Chrome would be the safest browser to use and Firefox the worst.

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

Again, the class assumed the worst browser would be Internet Explorer. However, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.

Internet Explorer is attacked the most. Why? Because it’s used by the most people and provides a higher ROI for cyber criminals. Because it’s attacked the most, it MAY be safer to use a different browser. However, safer Internet browsing has as much to do with safe practice as it does browser choice. If you browse unsafe sites, you’re more likely to be attacked.

Here’s what we’re telling students, faculty, and staff at the Rochester Institute of Technology about safer internet browsing.

Browser Security

How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

Anti-Phishing Tools

Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing.

The Netcraft Toolbar is a browser plug-in available for Internet Explorer and Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.

The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.

Limited Account Privileges

Limiting account privileges provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).

Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)

Ben

Postscript: I’ve included links below to my 6/30/11 posts updating this article.

Updated: Choosing the Safest Browser, Part One (benwoelk.wordpress.com)
Choosing the Safest Browser, Part 2 (benwoelk.wordpress.com)
Avoiding Phishing (benwoelk.wordpress.com)

25
May 10
6

On the Eve of the Latest Facebook Privacy Fix

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Privacy,Risk,Social Networking Tags : Facebook Facebook privacy Privacy Risk social networking

Facebook is releasing its latest privacy fix on Wednesday, May 26. I don’t have high expectations for the new controls as Facebook has not shown any ability to make the controls user friendly, or really understand what their users want for privacy.

A much bigger issue is that we seem to have abrogated OUR responsibility to protect our private information.

Fundamentally, information security is about managing risk. ANY involvement in social networking increases the risk of something negative happening–whether it’s loss of privacy, cyberstalking, identity theft, embarrassment, etc. It’s up to us to manage the risk. We should not expect the same amount of privacy protection from a free service that we would get from a credit card company, hospital, etc.

Although Facebook, Google, LinkedIn are all provided “free” to us, that freedom comes with a price–reduced privacy and some tracking of our web habits.

It’s up to us what we choose to share on social networking sites. We agree to EULAs (end user license agreements) that we click through to get to the “good stuff.” We blithely provide requested personal details and install apps that ask for even more and that tell us up front that they may share our information. Do you have to publish your date of birth? Hometown? 20 favorite things? (I’m just waiting for the next Facebook posting asking us, “What’s your mother’s maiden name?” and urging us to send the posting to all of our friends!)

Yes, Facebook, Google, and the other social networking applications have a responsibility to protect our information. However, WE have the responsibility to share ONLY the information we choose.

21
May 10
0

Safe(r) Use of Social Media: Facebook, Blogging, and Online Privacy

Category:Facebook,Infosec Communicator,Internet Safety,Privacy,Social Networking,Uncategorized

Concerns over Facebook privacy settings have increased steadily, with more and more mainstream media running stories about the issues. Although it is possible to more or less “lockdown” your privacy settings, Facebook makes frequent changes that may require you to review these settings on a regular basis. CNET recently discussed the controversy and suggested two tools to help determine and lockdown your current privacy settings. These tools include SaveFace (a browser helper tool) and a privacy scanning tool from ReclaimPrivacy.org.

I thought it would be useful to share some “safe practices” we created to help Rochester Institute of Technology students practice safer(r) social networking. (It’s never going to be completely Safe.)

Ben

Protecting Your Information: Safe Practices

Keeping your information out of the wrong hands can be fairly easy if you adopt a cautious attitude. Here are some tips to make sure your private information stays private.

Don’t Post Personal Information Online!
It’s the easiest way to keep your information private. Don’t post your full birth date, your address, phone numbers, etc. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts either.

Use Built-In Privacy Settings
Most social networking sites offer various ways in which you can restrict public access to your profile, such only allowing your “friends” to view your profile. Of course, this only works if you only allow a few people to see your postings-if you have 10,000 “friends” your privacy won’t be very well protected. Your best bet is to disable all the extra options, and re-enable only the ones you know you’ll use. These best practices can be applied to any social networking or blogging website.

Be Wary of Others
Research by Sophos (2007) found that 41% of Facebook users were willing to befriend a plastic green frog named Freddi Staur (an anagram of ID Fraudster), subsequently revealing their personal information. Most sites do not have a rigorous process to verify identity of members so always be cautious when dealing with unfamiliar people online.

Search for Yourself
Find out what information other people have easy access to. Put your name into Google (make sure to use quotes around your name). Try searching for your nicknames, phone numbers, and addresses as well-you might be surprised at what you find. If you don’t want your content publicly searchable, many blogging sites have instructions on how to exclude your posts from appearing in search engine results using something called a “robots text file.”

What Happens on the Web, Stays on the Web

Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So be safe and think twice about anything you post online.

18
May 10
0

Protect Yourself Online–Anti-Phishing Toolbar

Category:Infosec Communicator,Internet Safety,Social Networking

Today I received an Alert from Google that my name had appeared online. (Being in information security breeds paranoia, so I’d set up a Google Alert for occurrences of my name online–and for the rest of my family as well!)

The Phishing Attempt

Here’s the Google Alert I received:

Ben Woelk (bwoelk) on Twitter
Infosec Communicator, Trainer and Policy Analyst at RIT. STC Rochester VP. Educause A&T co-chair. Community builder applying Web 2.0 to security awareness.
retwite-dot-appspot-dot-com/bwoelk

Curious to find out where my name had appeared and thinking that Google had alerted me about Twitter, I clicked on the link. (And yes, I really should know better!) Clicking on that link brought me to a site that looked exactly like my Twitter page, a potential phishing site. Or I should say, “almost brought me” to the site?

How did I know it was a phishing site and why didn’t I arrive there?

One indication that it’s a possible phishing site is the URL, which clearly is not Twitter.

The other indication was that my Netcraft Toolbar plugin on Firefox blocked access to the site and asked me to confirm that I wanted to go there. Here’s what the Netcraft Toolbar showed me when I tried to go to the site:

Netcraft warning message

After I chose “No,” my browser window showed:

Netcraft blocked site confirmation message

Netcraft Toolbar Features

The toolbar also provided some information about the site itself. The diagram below (captured and edited with TechSmith Snagit 9.x), shows the information the toolbar provides:

Netcraft Toolbar at Twitter Homepage

Netcraft and Me

I’ve been using the Netcraft Toolbar for several years and have been pleased with its performance. It blocks known phishing sites and also provides you the opportunity to submit suspect sites to them for verification. If Netcraft decides that it is indeed a phishing site, it serves as a neighborhood watch group and blocks all Netcraft Toolbar users from reaching the site. Netcraft provides versions for both Internet Explorer and Firefox.

Highly recommended!

NOTE: There seems to be a good deal of discussion about whether retwite.appspot.com is really a phishing site or a proxy. Either way, the toolbar works in the same manner to protect from other reported phishing sites.

You may also want to visit the RIT Information Security Safe Practices webpage for more information about protecting yourself and others.

Category Archives: Internet Safety

Jun 10

1

Choosing the Safest Browser