June 19, 2008
updating Top Tips for your security -- keep the Mac, Firefox 3, add NoScript?
I keep a list of "Top Tips" for the non-techie people over on the right side of the blog. They have to be simple, easy, and user-friendly, workable for grandma. Time for a review.
McAfee / AverLabs reported last year that the news was good for Mac OSX:
Today we know of over 236,000 malicious malware items. These are mostly meant for the MS-Windows environment. Only about 700 are meant for the various Unix/Linux distributions. Current known Mac OSX malware count is even less with 7, so pretty much non-existent at the moment.
That's a bit old, but the #1 tip for improving your security remains to buy a Mac. It would have saved you from practically all malware for the last several years, and will probably be good for another year or two. As far as I am aware, there's no solid evidence out there that the Vista release has changed anything.
Tip #2 is to download Firefox. That's more controversial, but it works out like this: although the Mac operating system is secure, the Apple browser (Safari) has not kept up to date with User Security Interface changes that have been forced on us by the rise of Internet fraud. The Firefox team are too slow for my liking, but Firefox 3 does now include some new stuff, which I've been trying out for the last month. Additionally, there are plenty of plugins for security, which Safari doesn't have.
Hence, tip #2 stays: download Firefox 3.0 and use that.
It could all change and/or get more complicated if experience shows that the new features in CardSpace / InfoCard in Internet Explorer show any benefit, or if say Vista starts to make a difference. (What we are really lacking is some research on the correlation between operating systems, browsers and frauds. That would be great for focussing attention.)
Tip #3 needs a bit of a change. Petnames and Trustbar were both experimental plugins, more for research purposes, and they have not been updated of late it seems. Does anyone have an update to their situation, or can recommend alternates?
One I have loaded up is NoScript, and I can report preliminary comments: NoScript turns off all the scripts in a website, all of them, on the basis that most exploits from bad websites will come from such active code. At this it works well.
It has two side-effects, one good and one bad: the bad thing is that ... obviously ... many sites now stop working and seem to have bugs in them, until I remember to click on the menu item and then enable the scripts. It is somewhat annoying, but it is the price of being in control, I suppose.
The good side-effect is that it stops Firefox from going haywire, and from crashing over complicated stuff. On just about any machine I've access to, complicated visual sites cause most browsers to go into CPU-overload, which causes fan-noise and heat. As an engineer this is really irksome, the machine should not be doing that unless I tell it to... Also, as the complications pile on, Firefox tends to get upset and various delays happen. I would vote for NoScript on this alone because it makes browsing so much more comfortable.
However, one thing stops me adding it to the top-tips list: the rule is that these are the tips for *you* the end user, especially those who have little time, experience or patience with tech. I'm keen to hear whether you find this too much of a nuisance -- the user must win in this question. Download NoScript and try it for yourself, let us know.
Which leads to #4: write passwords down. I should rethink that. Not the writing down part, but how to manage them. We need a good cross-platform, cross-meatspace method here. For now it can stay, but scalability issues are here, as we aren't seeing any reduction in passwords.
Posted by iang at June 19, 2008 11:31 AM
I'm not so sure a break-up based on OS will be useful. There'll be a natural user bias, yes? Those on *nix will, quite possibly, have a lower percentage of successful attacks.
financialcryptography.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
I am curious ... do you think when someone is using HTTPS, should they allow non-secure content or not?
I strongly believe not, cos for actual sites there are some attacks which utilise this. E.g., in Gmail a MITM could easily hijack your password.
So... why is your getFirefox logo not on https?
Also, I don't think NoScript is that bad... a good thing would be if it came with a default on setting for common sites. While I would hate this myself, I believe it might help *end* users :)
That is known and there is no way to fix that. Even if he pays for a VeriSign cert, how do you know the root cert in your store is correct? So, just go to CAcert and get the root cert and install it on your comp, or put in an exception in your settings. Also, I didn't understand what you meant by the first line.
the first part of my comment was in reply to:
"What we are really lacking is some research on the correlation between operating systems, browsers and frauds"
I'm saying that it might not be a very good metric, no? But re-reading it, I'm going to have to remove my foot from my mouth. Gently. The purpose, it would seem, is to uncover the bias. *doh*
As for the last bit, I don't really understand the technicals. I was just pointing it out. So you're saying a Verisign cert is not worth it?
> financialcryptography.com uses an invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> (Error code: sec_error_unknown_issuer)
Ha, yes, that's a CAcert certificate, and CAcert is not in your browser unless you add it. There's nothing invalid about it, it is just not known to the browser.
The messages Firefox gives you are a bit confusing, but maybe things will improve in time.... If you have Firefox 3, what you can do is use their new "exceptions" interface. Look at the thing that pops up and click on "Add an exception".
ian: I never understood why you insist on using HTTPS for the blog... maybe you can shed light?
Have a look at today's post and see if it answers the question! Click on the link below.
Also, it is not exactly insistence, as the HTTP website is also present. As with most things, the security of this blog has its component of pretence.
On the Firefox logo, to the right: look closely, the logo should come from the same (http or https) place that the main page is on. If not, that's a bug!
While I agree that having only 1 mode and that's secure will help, I *strongly* disagree that it is even remotely possible. The Web just doesn't have enough resources for that. Running everything over HTTPS would destroy caching etc. etc. Last time I checked the Web was in a very fragile state ... Tiger Woods played US Open and ppl thought they were being DOSsed.
Well, that's a question isn't it: resources or security? Think of it this way, there are two opinions here. One is that we have the resources for all those customers and inefficient resource use will lose us customers and revenue. Another is that if a user just got phished because the resources equation caused security to take a backseat, then ... perhaps whoever made that decision should take on the full responsibility for phishing?
But there is another way to look at it, and that is: resources plus security. The decision to split the model down the middle has IMO consumed more resources than it saved. Although it has saved "cpu cycle" resources ... it has consumed programming, user interface, debugging, user support, police and courts time, etc resources, which are actually a lot more expensive than cpus.
Theoretical danger of a trojan kit being discussed for Mac. Note that this is not "in the wild" as yet because it hasn't been found on infected computers:
Rare Mac Trojan exploits Apple vuln
By John Leyden
Published Monday 23rd June 2008 10:07 GMT
A rare Mac OS X Trojan has been spotted on the internet. The AppleScript-THT Trojan horse exploits a vulnerability within the Apple Remote Desktop Agent to load itself with root privileges onto compromised Mac machines. The malware, which is capable of infecting Mac OS X 10.4 and 10.5 boxes, surrenders control of compromised systems to hackers. ....
SecureMac, which specialises in making anti-spyware software for Mac PCs, reports that miscreants have published multiple variants of the Trojan on a hacker-controlled website. Hackers on the site are discussing the possible distribution of the Trojan through the iChat instant messaging client and Limewire file sharing software.
The Trojan comes packaged either as a compiled AppleScript, called ASthtv05, or as an application bundle, weighing in at around 3.1 MB. Despite the use by the Trojan of a recently-discovered Apple Mac vulnerability, users need to download and open the Trojan horse before they become infected.
>perhaps who ever made that decision should take on
>the full responsibility for phishing?
hmm ... I would rather say that when he made the decision it looked like the (to shamelessly use your own term) "pareto-secure" decision for him to make ... give the guy a break! Security was added on as an afterthought ... the original internet was made just because ASCII pr0n just doesn't cut it when you are a lonely scientist in the heart of the Alps in Switzerland (www.infoq.com/presentations/soa-without-esb)
A (imho) useful tip for security is to use 2 firefox profiles .. one for normal browsing and one for banking/credit card payments etc. so that the really important cookies or whatever are hidden from the normal browsing profile.
For keeping all those many passwords (including the ones you should not be storing in Firefox), KeePass is the most secure and easy to use solution I've seen. There are also unofficial versions for non-Windows platforms. This is 100% free and 100% open-source naturally.
Do yourself a big favor with saved time on lost passwords and check it out......