Secure Browsing, Part 2 – Risks

OK Digital Warriors, this lesson is Secure Browsing Part 2.

We’ve already covered Part 1 – Installing Firefox, HTTPS Everywhere, and what HTTPS/SSL is. In this short lesson, we are going to cover the risks you face. In the next lesson, we’ll talk about how to combat the risks with settings, add-ons and OPSEC.

Why is this important? As stated in Part 1, your browsing is probably your largest daily online exposure next to your phone. Your data is collected, correlated, associated with others, and your patterns are analyzed (Culper’s SPACE again). Furthermore, there are ways to use malicious code to penetrate your End Point Security through the browser. You need to be aware of these threats so you can eliminate or counter them.

This is probably a good place to repeat this sage advice from Sam Culper:

3 Laws of OPSEC:

1. If you don’t know the threat, you don’t know what information to protect.

2. If you don’t know what information to protect,  you can’t know how to protect it.

3. If you aren’t protecting it,  they’re taking it.

 

The information below may seem daunting at first. We are trying to keep this as simple as possible, but you do need to at least see what you are up against. Ultimately, nearly all of this can be countered with discipline, OPSEC, and some browser add-ons.

If you don’t come away with anything else, remember these 2 points:

  • Browser risks are the result of browser settings, tracking, and executable code.
  • We will show you tools and behavior that will collectively neutralize threats without you needing to become an IT guru.

Keep the faith and press on. There are a lot of links below. These are not necessary to read, but we provided them for those of you that want to read a little more about each type of risk.

This will be a brief familiarization of each of these risks:

  • Browser Settings
  • Cookies (Session, Persistent, 3rd Party Tracking)
  • Flash Cookies
  • Browser Fingerprint
  • Canvas Fingerprint
  • Document / Image hidden information
  • Malicious code (javascript, macros) on websites and in documents
  • Adobe
  • Exploiting Security Flaws
  • Dangerous Links (Trojans)

 

Let’s get started.  One way to categorize the risks could be:

  • Browser Settings
  • Website Tracking and Profiling
  • Executables & Malicious Code

Browser Settings

Browser based settings are things your browser wants to do for you to help your browsing experience become easier. These include things like auto-fills, remember password, remember history, syncing and searching. The risk here is that your preferences and information are stored and made persistent, and potentially even uploaded (sync’d or synchronized) to central servers. The data could then be exposed by your browser and/or compromised by malicious code.

Although not a browser exploit, we recently saw nude celebrity photos sync’d from iPhones get hacked from iCloud.

Repeat after me – “Patriots Don’t Do Clouds”.

Website Tracking & Profiling

Key Terms: cookies, LSO, Fingerprinting

Cookies:

Websites and their advertisers attempt to track your browsing habits in a number of ways. The most common way is by placing a cookie on your computer, which is really just a small text file that holds some information about you. A cookie can have a legitimate desired function, like storing data needed for your session (session cookies) while shopping online. Some maintain a long-term login for you to make visiting sites more convenient (Yahoo logins), while others are just to track your habits. To summarize, there are actually 3 types of common cookies – Session, Persistent and 3rd Party Tracking.
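To make the three cookie types concrete, here is an added example (not part of the original lesson) that labels the cookies set while loading one page. The hosts, cookie values and the two-label "site" shortcut are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: (URL that answered, Set-Cookie header it sent) while
# loading one page. All hosts and values are made up for illustration.
PAGE_URL = "https://shop.example/cart"
RESPONSES = [
    ("https://shop.example/cart", "cart=8f3a; Path=/; HttpOnly"),
    ("https://shop.example/login", "remember=u42; Max-Age=2592000; Secure"),
    ("https://cdn.adtrack.example/p.gif",
     "uid=77c1e; Domain=adtrack.example; Max-Age=63072000"),
    ("https://img.shop.example/logo.png",
     "abtest=B; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]

def site_of(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: real browsers use the Public Suffix List instead."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Return (name, attrs) with attribute names lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(page_url, response_url, header):
    """Label one cookie: first- or third-party, session or persistent."""
    name, attrs = parse_set_cookie(header)
    host = urlsplit(response_url).hostname
    cookie_site = site_of(attrs.get("domain") or host)
    page_site = site_of(urlsplit(page_url).hostname)
    party = "first-party" if cookie_site == page_site else "third-party"
    # No Expires/Max-Age means the cookie dies with the browser session.
    persistent = "max-age" in attrs or "expires" in attrs
    return name, party, "persistent" if persistent else "session"

def report(page_url=PAGE_URL, responses=RESPONSES):
    return [classify(page_url, url, hdr) for url, hdr in responses]

if __name__ == "__main__":
    for name, party, lifetime in report():
        print(f"{name:10} {party:12} {lifetime}")
```

The third-party, persistent row is the tracking cookie: it comes from a site you never typed into the address bar and it outlives the browser session.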

Lightbeam (H/T to Tensmiths for calling this out a couple weeks ago) is a great Firefox add-on visualizer that will let you see the depth of 3rd party tracking. As you can see below, these are the 3rd party sites that my browser connected to (the triangles) during a recent test.

 

Lightbeam

 

Flash Cookies:

There is a newer, more persistent tracking object that is generated by Adobe Flash Players called a Local Shared Object, or LSO. It is commonly referred to as a Flash Cookie. Flash cookies are more insidious than regular cookies.  There are no browser controls to prevent them.  We won’t go into details on all these different types of tracking objects, but we will show you what to do in the next lesson to remove them or block them.

In Lesson 0018 we already introduced you to BleachBit and CCleaner which will scrub all cookies (including LSOs) any time you run the programs.  The goal here is to prevent or delete them aggressively.  Your OPSEC will help contain creation, leakage and association as well.

The websites below will give you greater detail for those interested.

Cookies: http://www.reputation.com/reputationwatch/articles/how-companies-collect-manage-and-use-your-private-information-when-you-browse-online

Flash / LSOs: http://www.wired.com/2009/08/you-deleted-your-cookies-think-again/

(This is the CCleaner tool we recommended in Lesson 0018) https://www.piriform.com/docs/ccleaner/ccleaner-settings/cleaning-flash-cookies

Fingerprinting Emerging Threats:

Ultimately, most of these types of trackers are designed specifically to collect and correlate data about you and your habits.  Data collection companies are constantly devising more complex, hard-to-detect and hard-to-counter ways to track and profile you, and the next two threats are new on the scene – Browser Fingerprints and Canvas Fingerprints.

A browser fingerprint takes advantage of the fact that your browser and PC configuration have so many customizations (fonts, add-ons, etc) that it often can be considered a unique signature.  Take a look at the Panopticlick tool on our System Tests page to see how unique your browser fingerprint may be.

Browser Fingerprinting: http://www.forbes.com/sites/adamtanner/2013/06/17/the-web-cookie-is-dying-heres-the-creepier-technology-that-comes-next/

Canvas Fingerprints: “…canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image.  Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”

Canvas Fingerprinting: http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block

The trick with both of these will be to keep your browser boring, anonymous, and looking like everyone else’s. We’ll show you some techniques (and one cool add-on) that will do just that in future lessons.
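Here is what "boring" means in numbers, as an added example that is not part of the original lesson. It measures, in the style of a fingerprint test, how many visitors share a given configuration and how many bits of identifying information each setting leaks. The population of 8 visitors and all attribute values are constructed for illustration.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "timezone", "fonts", "plugins")

# Constructed population of 8 visitors; values are illustrative only.
STOCK = ("Firefox/Windows", "UTC-5", "default", "none")
CUSTOMISED = ("Firefox/Windows", "UTC-5", "default+extra", "Flash")
VISITORS = [STOCK] * 4 + [
    CUSTOMISED,
    ("Firefox/Windows", "UTC-5", "default", "Flash"),
    ("Firefox/Linux", "UTC+1", "default", "none"),
    ("Firefox/Linux", "UTC-5", "default+extra", "none"),
]

def bits(count, total):
    """Identifying information in bits: rarer values reveal more."""
    return -math.log2(count / total)

def uniqueness(visitors, target):
    """Return (anonymity set size, total bits, per-attribute bits).

    The anonymity set is everyone whose whole fingerprint equals the
    target's; a set of size 1 means the browser is uniquely trackable."""
    total = len(visitors)
    same = Counter(visitors)[target]
    per_attr = {}
    for i, name in enumerate(ATTRS):
        matching = sum(1 for v in visitors if v[i] == target[i])
        per_attr[name] = bits(matching, total)
    return same, bits(same, total), per_attr

if __name__ == "__main__":
    for label, target in (("stock", STOCK), ("customised", CUSTOMISED)):
        size, total_bits, per_attr = uniqueness(VISITORS, target)
        print(f"{label}: shared with {size} of {len(VISITORS)} visitors, "
              f"{total_bits:.1f} bits")
        for name, b in per_attr.items():
            print(f"    {name:11} {b:.2f} bits")
```

The stock browser hides in a group of four, while the customised one stands alone, and the per-attribute figures show that the extra fonts and the Flash plug-in are what give it away.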

Document / Image Information

Before we leave this section, we’ll discuss one other identity risk – Document Information. Microsoft Office Documents, PDFs and image files (pictures like jpeg) all contain varying degrees of user information, including your geolocation.  You need to thoroughly scrub information from documents and image files (called EXIF data in image files). Better yet, don’t use, upload or distribute MS Office docs at all. Use simple text editors. We’ll probably do a separate lesson on this.  Open Office is an open source alternative to MS Office, but even here, be careful with pre-populated information.
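For those who want to see where that image information lives, here is an added example (not part of the original lesson) that walks the segments of a JPEG file and drops the ones that carry metadata: Exif, XMP and comments. The sample bytes are constructed to have the shape of a JPEG and are not a viewable picture; the function name is ours.

```python
import struct

def strip_jpeg_metadata(data):
    """Return (clean_bytes, removed): the JPEG without Exif/XMP/comment
    segments, plus the names of the segments that were dropped."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]
        payload = segment[4:]
        if marker == 0xDA:                 # SOS: compressed pixels follow
            out += data[pos:]              # copy the rest untouched
            return bytes(out), removed
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            removed.append("APP1/Exif")    # camera, timestamp, GPS tags
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/"):
            removed.append("APP1/XMP")     # XMP metadata packet
        elif marker == 0xFE:
            removed.append("COM")          # free-text comment
        else:
            out += segment                 # needed to decode the image
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment found")

def _seg(marker, payload):
    """Build one length-prefixed JPEG segment (used for the sample only)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG-shaped bytes, not a viewable picture.
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + b"GPS-and-camera-tags-go-here")
          + _seg(0xFE, b"edited by alice")
          + _seg(0xDB, b"\x00" * 65)
          + _seg(0xDA, b"\x00" * 10) + b"\x12\x34\x56\xff\xd9")

if __name__ == "__main__":
    clean, removed = strip_jpeg_metadata(SAMPLE)
    print(removed, len(SAMPLE), "->", len(clean), "bytes")
```

Run it on a copy of a photo and check the `removed` list before you upload; an empty list means none of these three segment types were present.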

Executables & Malicious Code

Key Terms: Program, Executable, macro, script, Flash

Malicious Code:

Programs are things like Microsoft Excel, a ballistics calculator, or Photoshop. Programs are written in programming languages (code) which are sets of instructions. Running a program is the same thing as executing a program, and the program itself is often called an executable. You’ll bump into these terms, so you might as well know them. Smaller bits of executable code are things like scripts or macros. A macro in Excel is an example of a smaller bit of executable code that runs in the spreadsheet itself. A webpage often runs a dozen or more bits of code called JavaScript when the page loads. JavaScript makes web pages creative and more useful.

Unfortunately, these executables can also do malicious things, including inspecting your private data, taking over your computer, or sending information about you to someone else without you knowing it. There are many types of executables that are threats. In a browser (and you are using Firefox now, right?), the biggest threats are JavaScript and Java.

Other web dangers are PDFs or MS Office documents you might open (they can contain macros or scripts), as well as any videos that use Flash. This makes YouTube a risk if it is using Flash, and most videos do (HTML5 is an alternative to Flash).

Adobe:

Adobe (Flash, Shockwave, Acrobat PDF) actually deserves a category all by itself, due to LSOs, security flaws and promiscuous settings that have historically plagued it. Here is additional reading if you are interested, but not necessary for this lesson.

http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/

http://money.cnn.com/2013/10/08/technology/security/adobe-security/

http://www.welivesecurity.com/2010/10/06/adobe-flash-the-spy-in-your-computer-part-1/

Exploit Security Flaws:

We are also going to lump in the idea that any legitimate “executable” like a browser, java, Quicktime, Flashplayer or Acrobat PDF reader can have security flaws in it that can be exploited. This is why it is important to first use as few programs as needed, and keep what you do use as up to date with patches and latest versions as possible. COMPARTMENTALIZE your activities, even to the point of separate computers (Tenet #5).

Dangerous Links:

Lastly, a common technique used by hackers and State Level Agencies is to get you to click on a link that subsequently downloads a Trojan or other spyware. If attackers can get you to click a link and/or download something (and you may not know a link is downloading something), they don’t have to crack your encryption… they now own your computer because they put their own Executable Code on your device that they control. The FBI does this, and so do hackers.

Snowden said… “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

Snowden’s follow-on sentence is equally important: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Endpoint means the software you’re using, the computer you’re using it on, and the local network you’re using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

This was Lesson ID=>0021

One comment on “Secure Browsing, Part 2 – Risks”
  1. Bowman says:

    If possible I recommend folks get away from Microsoft OS (M$) and start using Linux OS ASAP. Linux Mageia is a great OS with lots of open source software. There are several desktop versions of Linux, however I feel that Mageia is great for new users switching from M$ products. With Linux you have no virus worries, no back door(s) to big brother and lots of great privacy features not found with M$ Windoze. Should you need instruction or help, Linux has a wonderful community that will help you make the transition. Believe me it’s worth the effort. Great article ffio. We thank you.
