Safer Web Browsing
Terry Labach
Information Security Services
IST
"People are terrible about making security tradeoffs.
If you give a naive user a choice, such as, 'If you
want to see the dancing pigs, you could be
compromising your machine,' most users will
choose the dancing pigs over security every time."
- Bruce Schneier, security author and consultant, on
how computer users manage risks while using the
Internet.
[http://www.theglobeandmail.com/servlet/story/LAC.20060803.TWVISTA03/TPStory/Business]
2011
Outline
• The risks
• Taking responsibility
• Browser configuration
• Browser tools
• Questions
The risks
• Embarrassment
• Identity theft
• Financial loss
• Loss of productivity
Taking responsibility
• The basics
– Use good passwords
• Not in dictionary
• Reasonably long with mix of characters
– Don’t reuse passwords
• Don’t let the browser save passwords
– If you must, set a master password
– Or use a password vault instead
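As an added example (not part of the original slides), the three password rules above turned into a client-side check: reasonably long, a mix of character classes, and not a dictionary word even after the usual substitutions ("P@ssw0rd1" is still "password"). The word list is a small constructed stand-in for a real dictionary, and the thresholds (12 characters, 3 of 4 classes) are assumptions, not figures from the slides.

```javascript
// Constructed stand-in for a real dictionary / leaked-password list.
const DICTIONARY = new Set([
  "password", "waterloo", "letmein", "welcome", "monkey", "dragon", "qwerty", "secret",
]);

// Substitutions that cracking wordlists already try; undoing them lets the
// dictionary check catch "P@ssw0rd" and "$ecret".
const LEET = { "@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

// Variants of the password that a wordlist attack would match against:
// lower-cased, with leading/trailing digits and symbols stripped ("waterloo2011!"),
// and with leet substitutions undone, in every combination.
function candidates(pw) {
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/^[^a-z]+/, "").replace(/[^a-z]+$/, "");
  const unleet = (s) => s.split("").map((c) => LEET[c] || c).join("");
  return new Set([lower, stripped, unleet(lower), unleet(stripped)]);
}

function isDictionaryWord(pw, dictionary = DICTIONARY) {
  for (const c of candidates(pw)) {
    if (dictionary.has(c)) return true;
  }
  return false;
}

// Number of distinct character classes present: lower, upper, digit, other.
function characterClasses(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n++;
  if (/[A-Z]/.test(pw)) n++;
  if (/[0-9]/.test(pw)) n++;
  if (/[^a-zA-Z0-9]/.test(pw)) n++;
  return n;
}

// Returns the list of rule violations; an empty list means the password passes.
function checkPassword(pw, minLength = 12, minClasses = 3, dictionary = DICTIONARY) {
  const problems = [];
  if (pw.length < minLength) problems.push(`shorter than ${minLength} characters`);
  if (characterClasses(pw) < minClasses) problems.push(`fewer than ${minClasses} character classes`);
  if (isDictionaryWord(pw, dictionary)) problems.push("dictionary word (after undoing common substitutions)");
  return problems;
}
```

A check like this belongs on the client only as a hint; the same rules should be enforced where the password is actually set, and the dictionary there should be a real leaked-password list rather than a handful of words.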
"You know, I almost bore myself when I say to
myself, 'It's time to get the groceries,' I certainly
don't want to put it out there for people to read."
- Eugene Levy, comedian, talking about Twitter
in a Canadian Press interview.
Taking responsibility
• Thoughtful browsing
– Don’t give up personal information
• Date of birth
• Postal code or location
• Vacation schedule
• Social Insurance Number!
Taking responsibility
• Maintain a safe environment
– Keep operating system and browser up to date
– Apply security patches
– Be cautious using public Wi-Fi
– Use secure communications (https)
Taking responsibility
• Clicking on links can introduce attacks
– Poisoned search results
– Clickjacking
– Cross-site scripting
Taking responsibility
• Installing software
– Know what software is needed for the sites you browse
– Enter the software web site address yourself; don’t click a link
– Don’t install software for unknown file types or oddly named files
Taking responsibility
• Separate browsing environments
– Have one user login id for social networking, etc., and a different id for financial transactions
• Virtual machines (advanced)
– Use separate virtual computers on your PC for browsing with different security needs
– The high security virtual machine has no unneeded software
Browser configuration
• General principles
– Protect your information
– Protect your privacy
– Disallow access and execution
• Exceptions
– You will want to break these principles for good reasons at times
– Use the principles as your default
Browser configuration
• Firefox
– Disable Java and JavaScript
– Disable save passwords (or use a master password)
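Firefox reads its preferences from a user.js file of `user_pref("name", value);` lines, so the two settings above can be checked rather than clicked through. As an added example (not from the original slides or from Mozilla), the following parses such a file and reports which hardening prefs are missing or set the wrong way. `javascript.enabled` and `signon.rememberSignons` are real Firefox preference names; the sample file is constructed, and there is no user.js pref for the master password itself, so that one is not checked here.

```javascript
// Prefs the slide asks for, with the value each should have.
const REQUIRED_PREFS = {
  "javascript.enabled": false,       // "Disable JavaScript"
  "signon.rememberSignons": false,   // "Disable save passwords"
};

// Matches a line such as:  user_pref("javascript.enabled", false);
// Values may be true/false, an integer, or a double-quoted string.
const PREF_LINE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/;

// Parses user.js text into a Map of pref name -> JS value.
function parseUserJs(text) {
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // comments, blank lines, malformed lines are ignored
    let value = m[2];
    if (value === "true" || value === "false") value = value === "true";
    else if (value.startsWith('"')) value = JSON.parse(value);
    else value = Number(value);
    prefs.set(m[1], value); // a later line overrides an earlier one, as in Firefox
  }
  return prefs;
}

// Returns the names of required prefs that are absent or hold the wrong value.
function auditUserJs(text, required = REQUIRED_PREFS) {
  const prefs = parseUserJs(text);
  return Object.entries(required)
    .filter(([name, want]) => prefs.get(name) !== want)
    .map(([name]) => name);
}

// Constructed sample: JavaScript is off, but the browser still saves passwords.
const SAMPLE_USER_JS = `
// constructed sample user.js
user_pref("javascript.enabled", false);
user_pref("signon.rememberSignons", true);   // still saving passwords
user_pref("browser.startup.homepage", "https://uwaterloo.ca/");
`;
```

Usage: `auditUserJs(SAMPLE_USER_JS)` returns `["signon.rememberSignons"]`, the one pref that still needs fixing; an empty file returns both names.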
Browser configuration
• Internet Explorer
– Apply high security setting to Internet zone
– Limit cookie permissions
– Do not allow third party extensions
Browser configuration
• Safari
– Disable Java and JavaScript
– Block pop-up windows
– Disable "Open safe files after downloading"
Browser configuration
• Chrome
– Limit cookie permissions
– Review web content settings (JavaScript, plug-ins, pop-ups, location)
Humans…have unacceptable speed and accuracy….
(They are also large, expensive to maintain, difficult to
manage, and they pollute the environment. It is
astonishing that these devices continue to be
manufactured and deployed. But they are sufficiently
pervasive that we must design our protocols around
their limitations.)
- C. Kaufman, R. Perlman, & M. Speciner in Network
Security: PRIVATE Communication in a PUBLIC
World
Tools
• NoScript
– http://noscript.net/
– Blocks JavaScript and defends against other potentially malicious content
– Swiss Army Knife of protection
Tools
• Web of Trust (WOT)
– http://www.mywot.com/
– Ranks websites based on feedback from WOT users
– Adds links to search engine results
Tools
• Ghostery
– http://www.ghostery.com/
– Detects and blocks third-party tracking
– Shows the elements of web pages served from third parties
Tools
• View Thru
– https://chrome.google.com/webstore/detail/jkncfnbcgbclefkbknfdbngiegdppgdd
– Displays the target of shortened URLs
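A shortened URL hides its target behind one or more HTTP redirects, so a tool like View Thru has to follow the chain itself, without letting the browser load anything, and then show the final address. As an added example (not View Thru's own code), the following follows redirects one hop at a time, resolves relative Location headers, and stops on a loop, a missing Location, or too many hops instead of throwing. The network is stubbed with a constructed table of responses so it runs offline; real code would pass in a function that issues HEAD requests.

```javascript
const MAX_HOPS = 5;

// Constructed stand-in for HEAD responses: url -> { status, location }
const FAKE_RESPONSES = {
  "http://short.example/abc": { status: 301, location: "http://tracker.example/r?u=1" },
  "http://tracker.example/r?u=1": { status: 302, location: "https://uwaterloo.ca/ist" },
  "https://uwaterloo.ca/ist": { status: 200 },
  "http://short.example/loop": { status: 302, location: "http://short.example/loop" },
  "http://short.example/rel": { status: 302, location: "/landing" },
  "http://short.example/landing": { status: 200 },
};

function fakeHead(url) {
  return FAKE_RESPONSES[url] || { status: 404 };
}

// Follows redirects manually and returns the chain of URLs visited plus the
// final target. `head` is any function returning { status, location } for a
// URL; `ok: false` with a `reason` means the chain could not be resolved.
function expandUrl(start, head = fakeHead, maxHops = MAX_HOPS) {
  const chain = [start];
  const seen = new Set([start]);
  let current = start;
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = head(current);
    if (resp.status < 300 || resp.status >= 400) {
      // Not a redirect: this is the page the short link really points at.
      return { target: current, chain, status: resp.status, ok: true };
    }
    if (!resp.location) {
      return { target: current, chain, status: resp.status, ok: false, reason: "redirect without Location" };
    }
    // Location may be relative; resolve it against the URL that sent it.
    const next = new URL(resp.location, current).href;
    if (seen.has(next)) {
      return { target: next, chain, status: resp.status, ok: false, reason: "redirect loop" };
    }
    seen.add(next);
    chain.push(next);
    current = next;
  }
  return { target: current, chain, status: null, ok: false, reason: `more than ${maxHops} redirects` };
}
```

Showing the whole chain, not just the last hop, is worth the extra line in a tooltip: the intermediate tracker.example hop above is exactly the kind of thing a user would want to know about before clicking.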
Tools
• HTTPS Everywhere
– https://www.eff.org/https-everywhere
– Forces use of https protocol on web pages that support it
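HTTPS Everywhere does not blindly change http to https; it carries rulesets that say which hosts are known to serve the same content over https and how to rewrite the URL, and leaves everything else alone, because forcing https on a site that does not support it just breaks the page. As an added example (not the extension's own code or ruleset format), the following reduces that to its core: target host patterns, an optional exclusion list for known http-only paths, and regex rewrite rules. The rulesets below are constructed samples.

```javascript
// Constructed sample rulesets, modelled loosely on the idea of a target host
// list plus rewrite rules; they are not the extension's real rules.
const RULESETS = [
  {
    name: "Example university",
    targets: ["uwaterloo.ca", "*.uwaterloo.ca"],
    rules: [{ from: /^http:\/\/(www\.)?uwaterloo\.ca\//, to: "https://uwaterloo.ca/" }],
  },
  {
    name: "Example search engine",
    targets: ["search.example"],
    exclusions: [/^http:\/\/search\.example\/legacy\//],   // known http-only path
    rules: [{ from: /^http:\/\/search\.example\//, to: "https://search.example/" }],
  },
];

// Does a target pattern such as "*.uwaterloo.ca" cover this host?
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);   // ".uwaterloo.ca"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Returns the https URL if a ruleset applies, otherwise the input unchanged.
function upgradeToHttps(urlString, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return urlString;                                   // not a URL we can reason about
  }
  if (url.protocol !== "http:") return urlString;       // already https, or ftp: etc.
  for (const set of rulesets) {
    if (!set.targets.some((t) => hostMatches(t, url.hostname))) continue;
    if ((set.exclusions || []).some((re) => re.test(urlString))) return urlString;
    for (const rule of set.rules) {
      if (rule.from.test(urlString)) return urlString.replace(rule.from, rule.to);
    }
  }
  return urlString;
}
```

Note that a host can be covered by a target pattern without any rule matching its URL (ist.uwaterloo.ca above); in that case the URL is left as http, which is the safe default when nobody has confirmed the https version works.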
Tools
• Adblock Plus
– http://adblockplus.org/en/
– Blocks ads while browsing
Resources - User safety
• CERT - Securing Your Web Browser
• SANS - Browser Safety
• SANS - Secure Browsing Environment
• Canadian Cyber Incident Response Centre
• U.S. Computer Emergency Readiness Team
Resources - Browsers
• Firefox
– Privacy & Security
• Internet Explorer
– Improve the safety of your browsing and e-mail activities
• Safari
– Security & Privacy
• Chrome
– Manage privacy and security settings
Resources – Tools discussed
• NoScript
• Web of Trust
• Ghostery
• View Thru
• HTTPS Everywhere
• Adblock Plus
Resources – Other Tools
• Facecloak
– Protects user privacy on Facebook
• Qualys BrowserCheck
– Checks that browser and plug-ins are up to date
• Trashmail
– Provides disposable email addresses
• LastPass
– Secure password vault
Resources – Waterloo
• IST Information Security Services
• Terry Labach
– Web application security
• Consulting
• Testing applications
• Ethical hacking
• Programming best practices
– Web training and education
Questions?