28. October 2010 · hackademix.net » Forcing HTTPS with NoScript · Categories: Encryption, Security-Compliance

hackademix.net » Forcing HTTPS with NoScript.

It looks like those of you already using the NoScript Firefox add-on do not need another add-on to enable/force SSL when it's available.

Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and you may still expect a tiny few of them to misbehave. However, your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added to NoScript's "force HTTPS" list right now.

14. September 2009 · Two more high profile Web 2.0 exploits – NY Times, RBS Worldpay · Categories: Breaches, IT Security 2.0, Malware, Secure Browsing

Two more high profile organizations have succumbed to Web 2.0 based exploits, the New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT Security tools, yet they were still breached by well understood exploit methods for which there are proven mitigation tools.

I discussed this issue, Web 2.0 requires IT Security 2.0, at some length recently.

The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability of RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million cardholders and other individuals, and the social security numbers (SSNs) of 1.1 million people."

The New York Times website itself was not breached. A third party ad network vendor they use was serving "scareware" ads on the New York Times site. Martin McKeay points out on his blog:

"it appears that the code wasn't directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT. Once again, it shows that even if you trust a particular site you're visiting, the interaction between that site and the secondary systems supporting it offers a great attack vector for the bad guys to gain access through."

On the other hand, the average user coming to the New York Times site is not aware of this detail and will most deservedly hold the New York Times responsible. Web sites that use third party ad networks to make money must take responsibility for exploits on these ad networks. For now, as usual, end users have to protect themselves.

I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus obviously blocks ads and NoScript by default prevents JavaScript from running.

What's particularly interesting about NoScript is that you can allow the JavaScript associated with the site itself to run but not the JavaScript associated with third party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.
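The two NoScript behaviours discussed on this page, the "force HTTPS" list from the first post and the per-site JavaScript allowlist from this one, boil down to the same kind of host-matching policy. The following is an added illustration written for this page, not NoScript's own code, and it assumes a deliberately simple matching rule (a list entry matches that exact host and any of its subdomains). Apart from addons.mozilla.org, every host name, script URL and list entry below is a constructed sample.

```javascript
// Added example: a simplified model of two NoScript behaviours described on
// this page. Not NoScript's code; the matching rule (entry matches the host
// and all of its subdomains) is an assumption made for illustration.

// Sites the user has chosen to browse over HTTPS only (cf. NoScript's
// Options|Advanced|HTTPS panel). Only addons.mozilla.org comes from the page;
// the other two entries are constructed samples.
const FORCED_HTTPS_HOSTS = new Set([
  'addons.mozilla.org',
  'mail.example.com',
  'bank.example.net',
]);

// Sites whose scripts the user has explicitly allowed. Everything else is
// blocked, mirroring NoScript's default-deny stance on JavaScript.
const ALLOWED_SCRIPT_HOSTS = new Set(['news.example.com']);

// Exact host or any subdomain of a listed entry. The leading dot in the
// suffix check stops a look-alike host such as "evilbank.example.net" from
// matching the entry "bank.example.net".
function hostMatches(hostname, entries) {
  const host = hostname.toLowerCase();
  for (const entry of entries) {
    if (host === entry || host.endsWith('.' + entry)) return true;
  }
  return false;
}

// Rewrite plain-http navigation to https for forced hosts. Other schemes,
// unlisted hosts and unparseable input are returned untouched. This is why
// the post advises listing only sites already known to serve HTTPS: a site
// that does not will simply fail to load rather than fall back silently.
function forceHttps(urlString, forced = FORCED_HTTPS_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return urlString;
  }
  if (url.protocol !== 'http:' || !hostMatches(url.hostname, forced)) {
    return url.href;
  }
  url.protocol = 'https:'; // an explicit non-default port is kept as-is
  return url.href;
}

// Decide, for each script a page references, whether it may run. First-party
// scripts (and scripts from first-party subdomains) are allowed; anything
// served from a third-party host such as an ad network is blocked.
function filterScripts(scriptUrls, allowed = ALLOWED_SCRIPT_HOSTS) {
  const result = { allowed: [], blocked: [] };
  for (const src of scriptUrls) {
    let host;
    try {
      host = new URL(src).hostname;
    } catch {
      result.blocked.push(src); // a malformed script URL is never allowed
      continue;
    }
    (hostMatches(host, allowed) ? result.allowed : result.blocked).push(src);
  }
  return result;
}

// Constructed sample: a news site's own scripts plus scripts pulled in from a
// third-party ad network and a tracker.
const SAMPLE_SCRIPTS = [
  'https://news.example.com/js/site.js',
  'https://static.news.example.com/js/video.js',
  'https://ads.example-adnetwork.net/serve.js',
  'https://cdn.example-tracker.org/t.js',
];

console.log(forceHttps('http://addons.mozilla.org/en-US/firefox/'));
console.log(filterScripts(SAMPLE_SCRIPTS));
```

Run with Node.js: the navigation to addons.mozilla.org is upgraded to https, the two scripts hosted under news.example.com are allowed, and the ad-network and tracker scripts are blocked. The look-alike check in hostMatches is the detail worth carrying over to any real allowlist: a bare `endsWith` without the dot would let an attacker-registered host whose name merely ends in an allowed domain slip through.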

06. September 2009 · Browser vendors add innovative security features · Categories: Risk Management, Secure Browsing, Security Management

The browser vendors are adding innovative security features to help protect users against web-based attacks. Here are some examples:

  • Firefox 3.5.3 will check your Adobe Flash add-in and warn you if it's not current. It is believed that as many as 80% of browser users are using older versions of Adobe Flash that contain vulnerabilities that are fixed in newer versions.
  • Internet Explorer 8 added a raft of security features including URL filtering, Cross Site Scripting (XSS) filtering, click-jack prevention, domain highlighting, and data execution prevention (requires Vista SP1). The Cross Site Scripting filter is very impressive. Here is a detailed explanation of XSS and how the IE8 filter works. XSS attacks are particularly nasty because they can happen through no fault of your own. All you have to do is go to a site that has been successfully exploited. Details on the other features are here.
  • Opera 10, just now shipping, also includes URL filtering.
  • Safari 4, when running on Windows, will integrate with your Windows anti-virus software to check any files, images, or other items you are downloading via Safari. It also has URL filtering watching for phishing sites and sites known to harbor malware.
  • Chrome 2.0.172.43 was released on August 25, 2009 and fixed several high severity issues.

Firefox has long benefited from third party security and privacy add-ons. NoScript is one of the more popular add-ons; it blocks JavaScript by default and lets you selectively turn on JavaScript per content source.

While I have not personally checked these security features, assuming they all work as advertised, Microsoft's Internet Explorer 8 leads the way in security innovation.