Firefox

Apr 29 2009   1:02PM GMT

Google has published a browser security handbook for developers

Posted by: Troy Tate
browser, Security, web security, browser security, Internet Explorer, Chrome, Safari, Firefox, web development

If you develop websites or manage webservices, then you should check out the Browser Security Handbook that Google publishes on their code.google.com website. The Browser Security Handbook currently has three sections:

Part 1: Basic concepts behind web browsers

• Uniform Resource Locators
  • Unicode in URLs
• True URL schemes
• Pseudo URL schemes
• Hypertext Transfer Protocol
• Hypertext Markup Language
  • HTML entity encoding
• Document Object Model
• Browser-side Javascript
  • Javascript character encoding
• Other document scripting languages
• Cascading stylesheets
  • CSS character encoding
• Other built-in document formats
• Plugin-supported content

Part 2: Standard browser security features

• Same-origin policy
  • Same-origin policy for DOM access
  • Same-origin policy for XMLHttpRequest
  • Same-origin policy for cookies
  • Same-origin policy for Flash
  • Same-origin policy for Java
  • Same-origin policy for Silverlight
  • Same-origin policy for Gears
  • Origin inheritance rules
  • Cross-site scripting and same-origin policies
• Life outside same-origin rules
  • Navigation and content inclusion across domains
  • Arbitrary page mashups (UI redressing)
  • Gaps in DOM access control
  • Privacy-related side channels
• Various network-related restrictions
  • Local network / remote network divide
  • Port access restrictions
  • URL scheme access rules
  • Redirection restrictions
  • International Domain Name checks
  • Simultaneous connection limits
• Third-party cookie rules
• Content handling mechanisms
  • Survey of content sniffing behaviors
  • Downloads and Content-Disposition
  • Character set handling and detection
  • Document caching
• Defenses against disruptive scripts
  • Popup and dialog filtering logic
  • Window appearance restrictions
  • Execution timeouts and memory limits
  • Page transition logic
• Protocol-level encryption facilities

Part 3: Experimental and legacy security mechanisms

• HTTP authentication
• Name look-ahead and content prefetching
• Password managers
• Microsoft Internet Explorer zone model
• Microsoft Internet Explorer frame restrictions
• Mozilla and Safari HTML5 storage experiments
• Microsoft Internet Explorer XSS filtering
• Script restriction frameworks
• Origin headers
• Mozilla content security policies

This is a good resource for developers and administrators to understand browser & web security considerations.

Thanks for reading and let’s continue to be good network citizens.

Dec 3 2008   3:50PM GMT

Holiday greeting cards, holiday shopping and computer security awareness

Posted by: Troy Tate
administration, Firewalls, Security, Microsoft Windows, Browsers, IT education, spam, antivirus, homeland security, Data security, malware, SSL, phishing, Firefox, Microsoft, anti-virus, online identity, risk, awareness, vulnerability, education, data loss

I just sent this email reminder to all users in my organization. I would recommend you do something similar if you are not already ensuring users are aware of these issues. Feel free to use my content and add your own.

 It is that time of year again when folks send electronic holiday greeting cards to one another. Some of the greetings may also be games that bear holiday messages. It is also a time when malicious software spreads using these same types of messages and software. You should also be cautious when doing any holiday shopping online or at stores. It is important that you and those you communicate with understand these risks. Your finances and identity are always at risk in today’s technology environment, but you may be less attentive during the holiday season. The following 10 tips are meant to remind you of some important security precautions.

 

1.    Do NOT use your company email address for personal holiday greetings or shopping activities. Merchants may sell your email address to other non-reputable sources and this puts your company identity at risk.

 

2.    If you receive personal holiday greetings or “cute” games at your company email address, ask the sender to not send those to you at work. Use a personal email account for those communications.

 

3.    If you do receive holiday greetings or games at your personal email address, check with the sender before opening to be sure they sent the message. Spammers and malicious software writers can easily deceive you through social engineering. They will do everything possible to get you to open their message and potentially damage your computer and/or harvest your email address as a valid address.

 

4.    Don’t trust everything you see online. Finding something on the internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable.

 

5.    If it looks too good to be true, it probably is. You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware. Close the pop-up windows by clicking the X in the top right corner. Do not click the YES, NO, or CANCEL buttons in the window. It may cause unwanted computer issues if you do. Do not trust what you see in these pop-up windows. Contact IT support if you have any questions or issues.

 

6.    Avoid phishing schemes. Banks and other institutions will not actively solicit personal information by email. When you click a link in an email asking for this type of information, your choice may risk your finances and personal identity. The link may take you to a website hosted by someone with malicious intentions. If you enter your personal information on the website, you have just had your identity taken by a social engineering attack and may have incurred a financial loss.

 

7.    If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).

 

8.    If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account. Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

 

9.    Do not participate in forwarding chain letters or perpetuating hoaxes or urban legends. Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category. Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form are the emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted network bandwidth, server resources and time. If you want to check the validity of an email, there are some web sites that provide information about hoaxes and urban legends: Urban Legends and Folklore - http://urbanlegends.about.com/;  Urban Legends Reference Pages - http://www.snopes.com/; Hoaxbusters - http://hoaxbusters.ciac.org/; TruthOrFiction.com - http://www.truthorfiction.com/; Symantec Security Response Hoaxes - http://www.symantec.com/avcenter/hoax.html; McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp

 

10. Protect yourself while shopping online. Use and maintain anti-virus software, a firewall, and anti-spyware software. Keep software, particularly your web browser, up to date. Do business with reputable vendors. Take advantage of security features like secure passwords and encrypting information between your computer and the vendor’s website (look for the “lock” symbol in the browser or the website address beginning with “https” rather than “http”. Use a credit card rather than a debit card. Check your statements for any unusual or unauthorized activity.

 

Hopefully these tips will help you and those around you to have a happy holiday and reduce the risk of an unwelcome holiday event due to being uninformed. Please feel free to share these tips with your friends and family to help increase awareness and reduce risky behavior.

 

See the CERT Cyber Security Tips website for more information like this.

Sep 19 2008   12:53PM GMT

Did you see this? - Encyclopedia of internal network security threats

Posted by: Troy Tate
Networking, forensics, Security, tools, Microsoft Windows, Monitoring, Browsers, web, reporting, WWW, antivirus, homeland security, Data security, malware, Policy, design, Firefox, Microsoft, website, troubleshooting, honeypot, botnet, risk, research, awareness, vulnerability, man-in-the-middle

Promisec has released an online encyclopedia of internal network security threats. This is available online for free. There is a lot of information to look through and decide how the risks affect your organization.

Take for example the entry describing GoogleTalk. The site rates it as one of the top 5 internal threats.

The more we know about these risks the better prepared we can be. Thanks for your time. Let’s be good network citizens together & practice safe networking!

Jul 8 2008   5:12PM GMT

Browser warnings - Danger Will Robinson! - or did it just cry “Wolf!”?

Posted by: Troy Tate
forensics, Security, Development, web, reporting, Google, WWW, IT education, antivirus, Data security, malware, Policy, Firefox, website, anti-virus, honeypot, botnet, online identity, Metrics, honeynet, policy enforcement, awareness

I sometimes browse the internet using Firefox. I say sometimes because Internet Explorer is the standard browser at my company and Firefox is not supported by IT. Well, since I work in IT, sometimes you have to test things on behalf of users and also to see how certain sites are different depending on the client browser.

Well, I recently upgraded Firefox to v3. It does seem much better than v2 although some of my useful addins are now broken (when will YSlow get fixed for v3?). One of the new features of Firefox v3 is the ability to report to the user if the visited website is a known potential malware site. This is a good feature! It provides the user with some useful information and education about the dangers on the internet. However, how accurate is this feature? What if you are visiting a trusted website that you frequently visit and now get this message?

For your information, this is the message that you will see when you attempt to visit a site deemed as risky.

Reported Attack Site!

This web site at certification.xxxxxxx.org has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I blanked out the actual website address above. However, those of you with a bit of detective in you are likely going to figure it out.

What is interesting about this particular warning message is that it is referring to a website that has security as a guiding principle. When you see this message in Firefox, you have three options presented:

• Get me out of here!
• Why was this site blocked?
• Ignore this warning - in very tiny print at bottom of message.

I was curious as to why this site would be considered as a danger. I clicked on the Why was this site blocked? option. The report I received was interesting and as I mentioned earlier, could this be an example of someone crying “Wolf!”?

The report was as follows:

What is the current listing status for certification.xxxxxxx.org

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/06/2008, and the last time suspicious content was found on this site was on 07/06/2008.

Malicious software includes 1 scripting exploit(s). Successful infection resulted in an average of 3 new processes on the target machine.

Malicious software is hosted on 3 domain(s), including lokriet.com, clrbbd.com, catdbw.mobi.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including catdbw.mobi.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, certification.xxxxxxx.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.

This is great educational stuff, but did it really happen to this particular website? I don’t know, but apparently Google does. With the report of just one incident, does it make this site really worth the notification? How many incidents should it take before a site is considered malicious and who determines what malicious is?

Just something else to mull over in your copious time as you go perusing websites in Firefox.

Thanks for your time. Let’s be good network citizens together & practice safe networking!