My stories today on Infosecurity Magazine…
…including, what price privacy (answer: a BlackBerry); the danger in automated filtering (anti-censor political party gets censored); and Mozilla’s semi-hidden warning to Microsoft (watch out for anti-trust suits).
The Singularity Hub, ‘a community for those excited about the future’, has taken another look at the Blackberry Project and concludes that the younger generation is embracing a new view of privacy.
14 May 2012
While the Pirate Party wins seats in the German North Rhine-Westphalia state elections, a “shitstorm” about automated filtering starts to brew.
14 May 2012
Windows is not Apple’s iOS, says Mozilla’s top lawyer after the organization complained that Firefox and other browsers would be excluded from Windows RT running on ARM systems.
14 May 2012
My news stories on Infosecurity Magazine from Thursday 22 March until Wednesday 28 March…
Digital Crime: Fourth great era of organized crime
Organized digital crime is growing – but we still know little about the structure of organized digital crime groups. A new report from BAE Detica Systems and the John Grieve Centre for Policing and Security at London Metropolitan University seeks to change this.
28 March 2012
2600 to broadcast interview with Richard O’Dwyer’s mother
2600 is one of the world’s longest running ‘hacker’ publications. Richard O’Dwyer is a UK citizen likely to be deported to the US for operating the website TVShack.net and providing links to ‘copyright infringing’ material.
28 March 2012
Legislation to enforce Google filtering proposed by MPs’ committee
Parliament’s Joint Committee on Privacy and Injunctions has reported: “This could involve giving Ofcom or another body overall statutory responsibility for press regulation.”
28 March 2012
PwC report highlights senior management complacency about security
Financial services are, not surprisingly, increasingly subject to economic cybercrime. According to a report from PwC, cybercrime is now second only to asset misappropriation as the most popular way of defrauding an organization in the financial services (FS) sector.
27 March 2012
Security concerns delay deployment of NGDCs
A survey from Crossbeam Systems shows that 94% of IT personnel identify network security as the main cause for stalled next generation data center (NGDC) deployments.
27 March 2012
The new Oxford Cyber Security Centre
Final proof of the extent to which information security has become embedded within society comes from Oxford university, Home of the Humanities. The university has announced a new Oxford Cyber Security Centre.
27 March 2012
Strong showing for the Pirate Party in German elections
Saarland is the smallest (apart from the city-states) of 16 states within Germany, with a population of just over 1 million inhabitants. Politically it is generally considered to be a conservative area.
26 March 2012
Anonymous launches Operation Imperva
Anonymous has declared a new target: Imperva Inc, a security firm, is now the subject of Operation Imperva.
26 March 2012
Microsoft takes control of 800 domains associated with Zeus botnets
In a major action against the banking trojan Zeus, Microsoft, together with FS-ISAC and NACHA and with research from Kyrus Tech and F-Secure, has succeeded in disrupting a number of the most harmful Zeus botnets in “an unprecedented, proactive cross-industry action.”
26 March 2012
Europe’s first information risk maturity index developed
PwC and Iron Mountain have joined together to develop a risk maturity index for European SMEs, and find them generally lacking.
23 March 2012
Firefox will use HTTPS by default
Encrypted searching should become available by default for all Firefox users within a few months – a big win for privacy.
23 March 2012
Indian call centers sell UK financial data and DVLA gives access to Indian workers
On the same day that the Sunday Times reported Indian workers offering UK finance details for sale at as little as 0.02p, the Observer reported that IBM contractors in India will have access to the data of 43 million UK drivers held by the DVLA.
23 March 2012
Privacy: the great EU/US debate
The two great western trading blocs are taking personal privacy very seriously. In January the EU published a draft proposal for a new Data Protection Regulation, and in February the White House released its privacy blueprint, including the Consumer Privacy Bill of Rights.
22 March 2012
Almost half of UK educational establishments have had mobile devices stolen
A new survey from LapSafe Products has revealed that 45% of education establishments have had mobile devices – such as laptops, netbooks, MP3 players, tablets and gaming devices – stolen between 2009 and 2011.
22 March 2012
Dame Fiona Caldicott to review patient data confidentiality
The people currently responsible for protecting the confidentiality of patient information in the UK are known as the Caldicott Guardians, so named after Dame Fiona Caldicott. Dame Fiona will now lead a new independent review into patient privacy.
22 March 2012
Consultants and statisticians have a similar function: to confirm the preferences and prejudices of the client.
On December 9, Accuvant LABS produced a security analysis of the different browsers – and demonstrated that Chrome is the most secure. Well what do you expect? It was commissioned by Google. Now this is not to suggest for one moment that there is anything misleading in Accuvant’s report, nor that Google is attempting anything underhand: merely that prejudice will out.
But some have certainly cried ‘bias!’. One has been NSS Labs. “If you choose to read the Google/Accuvant report, do so with the understanding that the methodology appears to be skewed in Google’s favor, and does not reflect real world attack scenarios.” It is, of course, purely co-incidental that NSS’ own browser test comes to a completely different conclusion – that IE9 is considerably, nay, very, very considerably, superior security-wise to Chrome. While NSS claims that Google is undermining Firefox in favour of Chrome, one could also suggest that NSS is undermining the Accuvant report in favour of its own.
Prejudice will always out.
Having said that, NSS certainly has a point. Firefox, once a close friend of Google, is now a pain. I tried Chrome for a few weeks because, as a user, I love its built-in searching capabilities. But I soon got fed up with the adverts Google was spraying all over the place – adverts that Firefox or its add-ons were seamlessly hiding from me; and I went back to Firefox. This hits Google below the financial belt – no adverts equals less revenue.
So what is the answer? How can we navigate our way through this minefield of well-funded unprovable prejudice? “Who has the manliest browser?” asks Rob Rachwald, Director of Security Strategy at Imperva.
Browsers are very much like cars, only at an earlier stage of their life cycle. In the beginning, the competition was on who has the best basic features (e.g., driving from point A to point B or showing web content). After the basic functionality was achieved, Maslow’s law of hierarchical needs sets in. Namely, users’ focus moves to functionality and efficiency (e.g., fuel consumption or speed of rendering).
However, when comparing security features, some of the logical conundrums that plague cars similarly plague browsers:
- If one car has ABS system and the other one has air bags – who is safer?
- If one browser runs Flash in a sandbox and the other has an anti-XSS filter – who is safer?
Rachwald points to some basic differences in the way the two tests were conducted: “The NSS study focused solely on malware blocking… The Accuvant study, by contrast, added and focused on other criteria. URL reputation and application reputation are barely considered. In fact, the category “URL Blacklisting” is – oddly – virtually ignored…”
But, he concludes:
If you’re a geek, go for security through obscurity: The best way to minimize accidents’ consequences is to avoid them altogether. The way to avoid a cyber accident is by using a platform which is less targeted by hackers due to its small market share. Such an example would have been Firefox with Linux when Windows and IE dominated the web. At the time, Firefox wasn’t less vulnerable than IE but it was less exploited due to its marginal market share. This method is of course limited to tech geeks willing to invest in installing, learning and dealing with exotic platforms in a rapid manner. But this won’t work for the masses who may not have the time nor expertise to learn a new browser.
For consumers, use newer browsers…
But I don’t know. Nothing I read changes my own prejudices. I want to believe in Firefox. I love its open source philosophy. I feel safe with its own and added security add-ons (especially NoScript!). And I couldn’t live without Scrapbook. Therefore, relying on the final arbiter, my own prejudice, I do believe in Firefox.
Who Makes the Manliest Browser? Imperva
Well, this is embarrassing – as Firefox says when it fails to restore previous tabs. I know that WordPress has started dropping Pulse 360 adverts on my, and many other, blogs. I know that I’m not happy. Two reasons:
- they are hardly the discreet adverts that WP warns it might include occasionally to defray its costs
- their positioning is downright offensive. They are added at the bottom of my text, giving the implication that I either have something to do with them, or are happy with them, or even endorse them.
But my embarrassment comes from not immediately knowing why they don’t show up on my main machine: an iMac running Firefox. I know Adblock can stop them; but I’m not using Adblock.
No, the culprit – or I should say silent friendly partner – appears to be a much-admired Firefox add-on I have installed and frequently forget: TACO with Abine 4.3. It sits quietly in the background and does the work for me. Check the screenshot below: TACO has stopped more than 4000 tracking attempts on WordPress alone since I installed it.
And now check the settings (click for full-size):
TACO opts me out of no less than 123 Ad Networks and is blocking more than 630 web trackers (I’ve seen it as high as 1500). Near the top of the Ad Networks section, flagged as ‘NEW’, is Pulse360.
So I switched off TACO. But, still no adverts – maybe it wasn’t TACO defending me after all… How about NoScript? I switched off NoScript. Lo and behold, I have adverts! So NoScript stops the Pulse 360 adverts.
I switched off NoScript, and switched on TACO. No adverts again. So TACO also stops Pulse 360.
So here’s my recommendation, a very, very firm recommendation: just to be sure, use both. They’re both free add-ons with the best free browser: Firefox. And if we all block Pulse 360, maybe companies like WordPress will stop using them.
PS If you allow the ads to show, and just keep pressing Reload, WordPress logs show each reload as a separate visit, even when you’re the owner. Cheat. I’ve just had my best ever day on the blog – 10,000 visits in one day, and counting…
Last week, Qualys’ CTO Wolfgang Kandek told me that the “modern attacker has decided that the easiest thing to do is to attack the website that the user is going to visit rather than setting up special malicious sites and trying to drive users to them.” (The Top Cyber Security Risks Report) I found this quite disturbing because it makes me wonder if I am actually as safe on the internet as I had always thought I am.
You see, I use Firefox and NoScript. And NoScript will stop any script at all, whether benign or malicious, running in Firefox – unless I temporarily or permanently whitelist the page in question. This has to be a good thing. It means that when I visit a site and nothing much happens, I am forced to ask myself: do I trust this site? If I do, I can whitelist it and get the full experience. If I don’t, I can just move on confident that nothing untoward has happened.
But that was before Kandek’s comment. This sounds like a game-changer. If the bad guys compromise a good site, when I ask myself ‘do I trust this site’ I will probably say yes. And if the site in question was either TechCrunch or SongLyrics (two good sites recently hacked), I might have whitelisted a site that had been compromised.
Does this mean, I had to ask myself, that NoScript is no longer as useful as I thought? Well, who better to really ask than NoScript’s developer, Giorgio Maone. “Had I visited TechCrunch a couple of weeks ago, even with NoScript, would I now be infected?” I asked him.
In other words, even when TechCrunch was compromised, it was not TC that was dangerous, it was the site that was linked – let’s call it GetHackedHere.ru – that was dangerous. And so long as you don’t whitelist GetHackedHere.ru, then NoScript will continue to keep you pretty safe.
But Maone didn’t stop there. Did you know, he asked, “that middle-clicking on site names shown in the NoScript menu opens a tab where a few tools are linked, giving information on that site?” I didn’t, so I tried it on TechCrunch. It gave me four options: the WOT Scorecard, the McAfee SiteAdvisor Rating, the Webmaster Tips Site Information, and Google’s Safe Browsing Diagnostic.
I clicked the last.
In the last 90 days, 58 pages on techcrunch.com have been compromised – although nothing since 6 September. But note that, confirming Maone’s comments, the actual malware was hosted on virtuellvorun.org, not on TechCrunch. So NoScript users would have remained protected even if they had whitelisted the compromised TechCrunch because NoScript would have disallowed any scripts from the still blacklisted virtuellvorun site.
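To make Maone’s point concrete, here is an added toy model of a per-origin script whitelist of the kind NoScript applies (example code written for this post, not NoScript’s own). It assumes a constructed TechCrunch page and uses the two domain names mentioned above; it also shows the one caveat that matters: a script injected inline into the whitelisted page runs as first-party and is not caught by the whitelist.

```javascript
// Added example, not NoScript's code: model a per-origin script whitelist.
// Domain names are the ones the post mentions; the HTML pages are constructed.

// Extract every <script> tag's origin from an HTML string. Inline scripts (no src)
// are attributed to the page's own origin, because that is where they execute.
function extractScripts(html, pageUrl) {
  const scripts = [];
  const tag = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const url = src ? new URL(src[1], pageUrl) : new URL(pageUrl);
    scripts.push({ host: url.hostname, inline: !src, src: src ? src[1] : null });
  }
  return scripts;
}

// A host is allowed if it, or a parent domain, is whitelisted: whitelisting
// "techcrunch.com" also covers "static.techcrunch.com", but not look-alikes
// such as "techcrunch.com.example".
function isWhitelisted(host, whitelist) {
  return whitelist.some(w => host === w || host.endsWith("." + w));
}

// Decide, per script, whether the whitelist would let it run.
function evaluate(html, pageUrl, whitelist) {
  return extractScripts(html, pageUrl).map(s => ({ ...s, allowed: isWhitelisted(s.host, whitelist) }));
}

// Constructed page: the site's own script plus an injected tag pointing at the
// third-party host that, per the post, actually served the malware.
const COMPROMISED_PAGE = `<html><head>
<script src="/js/site.js"></script>
<script src="http://virtuellvorun.org/loader.js"></script>
</head><body></body></html>`;

// Constructed page for the caveat: the injection is an inline script, so it
// runs under the whitelisted origin and the whitelist alone cannot stop it.
const INLINE_PAGE = `<html><head><script>/* injected inline */</script></head></html>`;

const WHITELIST = ["techcrunch.com"];
// Second entry is blocked (virtuellvorun.org is not whitelisted).
console.log(evaluate(COMPROMISED_PAGE, "http://techcrunch.com/", WHITELIST));
// Single inline entry is allowed: the caveat.
console.log(evaluate(INLINE_PAGE, "http://techcrunch.com/", WHITELIST));
```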
I’m not quite as smug as I used to be – but I’m just as well protected by NoScript as I ever was. And I can and do wholeheartedly still recommend Firefox and NoScript to anyone who wants to stay safe on the Internet.
NoScript download (for Firefox users)
Some things are good. Some things are very good. Some things are very, very good. But this is better.
You may have noticed that I am paranoid about my privacy. It is for me to give away; not for others to take without my knowledge. The problem is that when out surfing, they tend to just take it. And I want to know who takes what.
That’s why this is so very good. It is Abine for Mozilla Firefox 0.523. It’s an add-on. And it’s free.
This morning Firefox updated it for me. I’d forgotten I’d even installed it – just to opt out of targeted advertising I think. But now it does so very much more. I started noticing discreet little pop-ups at the bottom of the browser window whenever I opened a new page. They stayed for a few moments (just long enough to read) and then they faded away.
Here’s a sample:
This one is innocuous – I happened to be at Graham Cluley’s blog, so you’d expect him to be nice. But you should see how many tracking sites and ad networks that sometimes show up! I remembered the Firefox update when I logged on, and checked the add-ons to find out who was giving me this useful information. It could only be Taco 3.0 with Abine. The Preferences option let me explore a bit further. I found the button top-right of my browser, and explored!
It is, quite simply, packed full of options to protect your online privacy. I’m not going to bore you with everything right now; just look at this:
So, as you might expect: if you’ve got Firefox and you haven’t got this, you’re being just a tad silly.