OK Digital Warriors, this lesson is Secure Browsing Part 2.
We’ve already covered Part 1 – Installing Firefox, HTTPS Everywhere, and what HTTPS/SSL is. In this short lesson, we are going to cover the risks you face. In the next lesson, we’ll talk about how to combat the risks with settings, add-ons and OPSEC.
Why is this important? As stated in Part 1, your browsing is probably your largest daily online exposure next to your phone. Your data is collected, correlated, associated with others, and your patterns are analyzed (Culper’s SPACE again). Furthermore, malicious code can be delivered through the browser to get past your endpoint security. You need to be aware of these threats so you can eliminate or counter them.
This is probably a good place to repeat this sage advice from Sam Culper:
3 Laws of OPSEC:
1. If you don’t know the threat, you don’t know what information to protect.
2. If you don’t know what information to protect, you can’t know how to protect it.
3. If you aren’t protecting it, they’re taking it.
The information below may seem daunting at first. We are trying to keep this as simple as possible, but you do need to at least see what you are up against. Ultimately, nearly all of this can be countered with discipline, OPSEC, and some browser add-ons.
If you don’t come away with anything else, remember these 2 points:
- Browser risks are the result of browser settings, tracking, and executable code.
- We will show you tools and behavior that will collectively neutralize threats without you needing to become an IT guru.
Keep the faith and press on. There are a lot of links below. You don’t need to read them, but we provided them for those of you who want to read a little more about each type of risk.
This will be a brief familiarization of each of these risks:
- Browser Settings
- Cookies (Session, Persistent, 3rd Party Tracking)
- Flash Cookies
- Browser Fingerprint
- Canvas Fingerprint
- Document / Image hidden information
- Exploiting Security Flaws
- Dangerous Links (Trojans)
Let’s get started. One way to categorize the risks could be:
- Browser Settings
- Website Tracking and Profiling
- Executables & Malicious Code
Browser settings are the conveniences your browser offers to make browsing easier: auto-fill, remembered passwords, remembered history, syncing and search suggestions. The risk is that your preferences and information are stored persistently, and potentially even uploaded (sync’d, or synchronized) to central servers. That data can then be exposed by your browser and/or compromised by malicious code.
Although not a browser exploit, we recently saw nude celebrity photos that had been sync’d from iPhones get stolen from iCloud.
Repeat after me – “Patriots Don’t Do Clouds”.
Website Tracking & Profiling
Key Terms: cookies, LSO, Fingerprinting
Websites and their advertisers attempt to track your browsing habits in a number of ways. The most common way is by placing a cookie on your computer, which is really just a small text file that holds some information about you. A cookie can have a legitimate desired function, like storing data needed for your session (session cookies) while shopping online. Some maintain a long-term login for you to make visiting sites more convenient (Yahoo logins), while others are just to track your habits. To summarize, there are actually 3 types of common cookies – Session, Persistent and 3rd Party Tracking.
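To make the three kinds concrete, here is an added example (not code from the lesson) that sorts the Set-Cookie headers a page load produces into session, persistent and 3rd party tracking cookies. The sample responses are constructed, and "same site" is judged by the last two labels of the host name as a simplification; real browsers use the Public Suffix List for that decision.

```javascript
// Added example for this lesson (not from the original post): classify the
// Set-Cookie headers seen while loading one page into the three kinds named
// above. Simplification (assumption): "same site" is decided by the last two
// labels of the host name; real browsers use the Public Suffix List.

function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// pageHost: the site in the address bar. responseHost: the server that sent
// the header (a third party when the page embedded an ad, widget or pixel).
function classifyCookie(pageHost, responseHost, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  // A Domain attribute widens the cookie's scope; otherwise it is host-only.
  const scope = typeof cookie.attrs.domain === 'string' ? cookie.attrs.domain : responseHost;
  const thirdParty = registrableDomain(scope) !== registrableDomain(pageHost);
  // No Expires and no Max-Age means the cookie dies when the browser closes.
  const persistent = 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
  let kind = 'session';
  if (thirdParty) kind = 'third-party tracking';
  else if (persistent) kind = 'persistent';
  return { name: cookie.name, scope, persistent, thirdParty, kind };
}

// Constructed sample (not captured traffic): three responses seen while
// loading a page on shop.example.com; the third comes from an embedded ad network.
const SAMPLE_RESPONSES = [
  { host: 'shop.example.com', setCookie: 'cart=abc123; Path=/; Secure; HttpOnly' },
  { host: 'shop.example.com', setCookie: 'login=tok; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure' },
  { host: 'ads.tracker-example.net', setCookie: 'uid=9f8e7d; Max-Age=31536000; Domain=.tracker-example.net; Path=/' },
];

function classifyAll(pageHost, responses) {
  return responses.map(r => classifyCookie(pageHost, r.host, r.setCookie));
}

for (const c of classifyAll('shop.example.com', SAMPLE_RESPONSES)) {
  console.log(`${c.name.padEnd(6)} scope=${c.scope.padEnd(22)} ${c.kind}`);
}
```

The `cart` cookie has no expiry and comes from the site you typed in, so it is a session cookie; `login` has an Expires date, so it survives a browser restart; `uid` is set by a host you never visited on purpose and is scoped to that host's whole domain for a year, which is exactly the shape of a tracking cookie.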
Lightbeam (H/T to Tensmiths for calling this out a couple weeks ago) is a great Firefox add-on that visualizes the depth of 3rd party tracking. As you can see below, these are the 3rd party sites (the triangles) that my browser connected to during a recent test.
There is a newer, more persistent tracking object, generated by Adobe Flash Player, called a Local Shared Object, or LSO. It is commonly referred to as a Flash Cookie. Flash cookies are more insidious than regular cookies: the browser’s own controls do not prevent them. We won’t go into details on all these different types of tracking objects, but in the next lesson we will show you how to remove or block them.
In Lesson 0018 we already introduced you to BleachBit and CCleaner which will scrub all cookies (including LSOs) any time you run the programs. The goal here is to prevent or delete them aggressively. Your OPSEC will help contain creation, leakage and association as well.
The websites below will give you greater detail for those interested.
(This is the CCleaner tool we recommended in Lesson 0018) https://www.piriform.com/docs/ccleaner/ccleaner-settings/cleaning-flash-cookies
Fingerprinting Emerging Threats:
Ultimately, most of these types of trackers are designed specifically to collect and correlate data about you and your habits. Data collection companies are constantly devising more complex, hard-to-detect and hard-to-counter ways to track and profile you, and the next two threats are new on the scene – Browser Fingerprints and Canvas Fingerprints.
A browser fingerprint takes advantage of the fact that your browser and PC configuration have so many customizations (fonts, add-ons, etc.) that the combination can often serve as a unique signature. Take a look at the Panopticlick tool on our System Tests page to see how unique your browser fingerprint may be.
Canvas Fingerprints: “…canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”
The trick with both of these will be to keep your browser boring, anonymous, and looking like everyone else’s. We’ll show you some techniques (and one cool add-on) that will do just that in future lessons.
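Why does "boring" work? Here is an added example (not code from the lesson) that measures identifiability the way Panopticlick reports it: the fewer other browsers share your exact combination of attributes, the more bits of identifying information your configuration leaks. The eight-browser population is constructed for illustration, not measured data, and the attribute names are assumptions standing in for what a real tracker collects.

```javascript
// Added example for this lesson (not from the original post): measure how
// identifying a browser configuration is within a population, Panopticlick
// style. The population below is constructed for illustration, not real data.

const ATTRIBUTES = ['userAgent', 'fonts', 'plugins', 'screen', 'timezone'];

// Constructed sample population: five "boring" browsers that look identical,
// plus three heavily customised ones.
const BORING = {
  userAgent: 'Firefox/33 Windows', fonts: 'Arial,Times New Roman,Verdana',
  plugins: 'none', screen: '1366x768x24', timezone: 'UTC',
};
const POPULATION = [
  BORING, { ...BORING }, { ...BORING }, { ...BORING }, { ...BORING },
  { userAgent: 'Firefox/33 Windows', fonts: 'Arial,Comic Sans MS,Wingdings,Verdana',
    plugins: 'Flash 15,Java 7,QuickTime', screen: '1920x1080x24', timezone: '-5' },
  { userAgent: 'Firefox/31 Linux', fonts: 'DejaVu Sans,Liberation Serif',
    plugins: 'Flash 11', screen: '2560x1440x24', timezone: '+1' },
  { userAgent: 'Firefox/33 Mac', fonts: 'Helvetica,Arial,Menlo',
    plugins: 'Flash 15,Silverlight', screen: '1440x900x24', timezone: '-8' },
];

// The fingerprint is just the canonical combination of attributes; a tracker
// would hash this string, but for comparing browsers the string itself suffices.
function fingerprint(browser) {
  return ATTRIBUTES.map(a => `${a}=${browser[a]}`).join('|');
}

// How many browsers in the population look exactly like this one (itself included).
function anonymitySetSize(browser, population) {
  const fp = fingerprint(browser);
  return population.filter(b => fingerprint(b) === fp).length;
}

// Bits of identifying information: log2(N / matches). 0 bits when every
// browser matches, log2(N) bits when this browser is unique in the population.
function identifyingBits(browser, population) {
  return Math.log2(population.length / anonymitySetSize(browser, population));
}

// Per-attribute surprisal: which single setting gives the most away?
function attributeBits(browser, population) {
  const result = {};
  for (const a of ATTRIBUTES) {
    const matches = population.filter(b => b[a] === browser[a]).length;
    result[a] = Math.log2(population.length / matches);
  }
  return result;
}

const custom = POPULATION[5];
console.log('boring browser:', anonymitySetSize(BORING, POPULATION), 'lookalikes,',
  identifyingBits(BORING, POPULATION).toFixed(2), 'bits');
console.log('custom browser:', anonymitySetSize(custom, POPULATION), 'lookalike,',
  identifyingBits(custom, POPULATION).toFixed(2), 'bits');
console.log('per attribute:', attributeBits(custom, POPULATION));
```

In this population the customised browser is unique (3 bits, one in eight), while each boring browser hides among four others. The per-attribute breakdown shows where the customisation leaks: the user agent is shared with most of the population and is worth little, whereas the unusual font list and plugin set each single the browser out on their own. Real-world populations are millions, not eight, and the bits add up fast, which is why the next lesson is about making each attribute look ordinary.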
Document / Image Information
Before we leave this section, we’ll discuss one other identity risk – Document Information. Microsoft Office documents, PDFs and image files (pictures such as JPEGs) all contain varying degrees of user information, including your geolocation. You need to thoroughly scrub this information from documents and image files (in image files it is called EXIF data). Better yet, don’t use, upload or distribute MS Office docs at all. Use simple text editors. We’ll probably do a separate lesson on this. OpenOffice is an open source alternative to MS Office, but even here, be careful with pre-populated information.
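For the JPEG case specifically, here is an added example (not code from the lesson) showing where EXIF lives inside the file and how a scrubber removes it: a JPEG is a chain of marker segments, EXIF sits in the APP1 segment, and stripping it leaves the picture data untouched. The sample image bytes are constructed inline (a GPS-looking string stands in for a real GPS record) and the parser is simplified to the normal marker layout.

```javascript
// Added example for this lesson (not from the original post): detect and strip
// the metadata segments of a JPEG before it is shared. The sample bytes are
// constructed, not a real photograph, and the parser is simplified (it handles
// the normal marker layout, not every corner of the JPEG spec).

const SOI = 0xd8;   // start of image
const EOI = 0xd9;   // end of image
const SOS = 0xda;   // start of scan: compressed pixel data follows until EOI
const APP1 = 0xe1;  // EXIF (and XMP) metadata live here
const APP13 = 0xed; // Photoshop IRB / IPTC: captions, keywords, author
const EXIF_HEADER = Buffer.from('Exif\0\0', 'latin1');

// Walk the marker segments between SOI and SOS. Each item is the raw bytes of
// one segment; the final item (SOS or EOI) carries the rest of the file.
function* segments(buf) {
  if (buf[0] !== 0xff || buf[1] !== SOI) throw new Error('not a JPEG: missing SOI');
  let pos = 2;
  while (pos + 2 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`expected marker prefix at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === SOS || marker === EOI) {
      yield { marker, bytes: buf.subarray(pos), tail: true };
      return;
    }
    if (pos + 4 > buf.length) break;
    const len = buf.readUInt16BE(pos + 2); // length field counts itself
    yield { marker, bytes: buf.subarray(pos, pos + 2 + len), tail: false };
    pos += 2 + len;
  }
  throw new Error('truncated JPEG');
}

// EXIF is an APP1 segment whose payload starts with "Exif\0\0".
function hasExif(buf) {
  for (const seg of segments(buf)) {
    if (seg.marker === APP1 && seg.bytes.subarray(4, 10).equals(EXIF_HEADER)) return true;
  }
  return false;
}

// Copy every segment except APP1 and APP13. The decoder-critical ones
// (JFIF APP0, quantisation and Huffman tables, frame header) are kept.
function stripJpegMetadata(buf) {
  const out = [Buffer.from([0xff, SOI])];
  for (const seg of segments(buf)) {
    if (seg.tail) { out.push(seg.bytes); break; }
    if (seg.marker !== APP1 && seg.marker !== APP13) out.push(seg.bytes);
  }
  return Buffer.concat(out);
}

// Constructed sample: JFIF header, an EXIF block with a GPS-looking string,
// a start-of-scan header, four bytes of "pixel data", end of image.
function buildSampleJpeg() {
  const seg = (marker, payload) => {
    const len = Buffer.alloc(2);
    len.writeUInt16BE(payload.length + 2);
    return Buffer.concat([Buffer.from([0xff, marker]), len, payload]);
  };
  const jfif = seg(0xe0, Buffer.from('JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00', 'latin1'));
  const exif = seg(APP1, Buffer.concat([
    EXIF_HEADER,
    Buffer.from('II*\0\x08\x00\x00\x00', 'latin1'), // little-endian TIFF header
    Buffer.from('GPSLatitude=42.0000', 'latin1'),   // stand-in for a real GPS record
  ]));
  const sos = Buffer.from([0xff, SOS, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00]);
  const scan = Buffer.from([0x12, 0x34, 0x56, 0x78]);
  return Buffer.concat([Buffer.from([0xff, SOI]), jfif, exif, sos, scan, Buffer.from([0xff, EOI])]);
}

const original = buildSampleJpeg();
const scrubbed = stripJpegMetadata(original);
console.log(`before: ${original.length} bytes, EXIF present: ${hasExif(original)}`);
console.log(`after:  ${scrubbed.length} bytes, EXIF present: ${hasExif(scrubbed)}`);
```

Two things a practitioner should take from this: the camera's location is not hidden in the pixels but in a separate block you can remove without touching the image, and the same block can also carry XMP (in APP1) and IPTC (in APP13), so a scrubber that looks only for the "Exif" header misses part of the problem. On a real file, check the result with a metadata viewer before you share it.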
Executables & Malicious Code
Key Terms: Program, Executable, macro, script, Flash
Other web dangers are PDFs or MS Office documents you might open (they can contain macros or scripts), as well as any videos that use Flash. This makes YouTube a risk if it is using Flash, and most videos do (HTML5 is an alternative to Flash).
Adobe (Flash, Shockwave, Acrobat PDF) actually deserves a category all by itself, due to LSOs, security flaws and promiscuous settings that have historically plagued it. Here is additional reading if you are interested, but not necessary for this lesson.
Exploit Security Flaws:
We are also going to lump in the idea that any legitimate “executable” like a browser, Java, QuickTime, Flash Player or Acrobat PDF reader can have security flaws that can be exploited. This is why it is important to first use as few programs as you need, and to keep what you do use as up to date with patches and the latest versions as possible. COMPARTMENTALIZE your activities, even to the point of separate computers (Tenet #5).
Lastly, a common technique used by hackers and State Level Agencies is to get you to click on a link that then downloads a Trojan or other spyware. If attackers can get you to click a link and/or download something (and you may not know a link is downloading something), they don’t have to crack your encryption: they now own your computer, because they have put their own executable code, which they control, on your device. The FBI does this, and so do hackers.
Snowden said… “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Snowden’s follow-on sentence is equally important: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
Endpoint means the software you’re using, the computer you’re using it on, and the local network you’re using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.
This was Lesson ID=>0021