Brainfoldb4u's Blog

Just another WordPress.com weblog

Archive for the ‘Browser Security’ Category

Where do popular browsers and Chat applications store their passwords

Posted by brainfoldb4u on March 16, 2010

I got this question in an interview with Google: “Where do browsers and popular messengers store their passwords?” I was wondering about an answer to this question. After some searching I found answers to it, which I thought I would share with you all.

The fact is that major browsers and applications tend to store passwords in a way that hides them from you and prevents you from altering them. Even if you know the location, it is hard to move them from one machine to another.

Google Chrome:

On a Windows machine, Google Chrome stores passwords at [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data.

Google Chrome uses SQLite as the storage for passwords and other critical web-page-related data. Google did a good job of separating the Windows-specific code from the cross-platform code. The only Windows-specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS. The important piece is CryptProtectData, a Windows API function (part of the Data Protection API, DPAPI) for encrypting data. Data encrypted with this function is pretty solid: it can only be decrypted on the same machine and by the same user account that encrypted it in the first place.

For a more technical explanation click here: how Google Chrome stores passwords

Mozilla Firefox

The passwords are stored in one of the following files: signons.txt, signons2.txt or signons3.txt (depending on the Firefox version). These password files are located inside the Firefox profile folder, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.

Firefox is much better than Internet Explorer in terms of managing “remembered” logins. Internet Explorer has no built-in feature for managing or viewing your saved login information, which is why you need third-party tools to reveal the passwords hidden under asterisks. In Firefox, you can access remembered passwords with a few clicks.

To view your remembered passwords in Firefox, go to Tools and click Options. Go to the Security tab and click the Show Passwords button. The Remembered Passwords dialog box will appear. Click the Show Passwords button again and a new column containing the passwords will appear.

In the saved passwords location (Tools > Options > Security > Saved Passwords), you do not need any tools to reveal the passwords hidden under asterisks; it is a feature included in Firefox. So anyone who has access to your workstation can typically read your passwords by going to the Security tab in the Options dialog.
One useful tool worth sharing for Firefox password management is “FirePassword”. FirePassword is a console tool designed to decrypt the username and password list from the Firefox sign-on database. Firefox records the login details such as username and password for every website authorized by the user and stores them in the sign-on database file in encrypted form. It works along the same lines as Firefox’s built-in password manager, but it can be used as an offline tool to get the username/password information without running Firefox. It is a DOS-based (command-line) tool, and the manual says that FirePassword requires only three files: key3.db, cert8.db and signons.txt. These three files can be found in the Firefox profile directory.

All you need to do is place the three files together with FirePassword and run FirePassword.exe. Weirdly, I was able to decrypt all my usernames and passwords by copying ONLY the signons.txt file. It looks like it is not necessary to include the other two files.

For a detailed technical explanation click here.

Internet Explorer 7.0 and later (I hope you have all updated from version 6.0):

  • AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  • Documents and Settings\Application Data\Microsoft\Credentials is the credential file location used to save HTTP authentication passwords.

IE PassView is an automated tool that can be used to recover these passwords.

Opera: The passwords are stored in the file wand.dat, located under [Windows Profile]\Application Data\Opera\Opera\profile.

Safari: Safari stores password data in the Keychain (/Applications/Utilities/Keychain Access on a Mac).

On Windows, that data is stored in plist files at: C:\Documents and Settings\(UserName)\Application Data\Apple Computer\Safari

I believe it is FormValues.plist.

Thunderbird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]. Look for a file with the .s extension.

Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name].

MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name].

Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with an entry name beginning with “WindowsLive:name=”. These passwords can be recovered by both the Network Password Recovery and MessenPass utilities.

Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager, in the “ETS” value. The value stored in “ETS” cannot be recovered back to the original password.

Posted in Auditing, Browser Security, Google, Security tools, vulnerability assessment | Tagged: | 1 Comment »

Browsing safely with WOT

Posted by brainfoldb4u on March 12, 2010

Web attacks are getting more frequent nowadays, and it is very hard for an average user to identify which site is good and which will harm his computer. Our browser of choice plays a big role in protecting our computers. Although browsers like Firefox, Google Chrome, IE, Opera and Safari give a level of protection, it is still worth having assurance from an independent body about the trustworthiness of a website from an unknown source.

I came across this application/add-on from a company called Web of Trust that provides a significant level of assurance about the website you are visiting. Say your website sells something or has a “sign up here” button; people are in a real dilemma whether or not to trust the website. Instead of clicking without being sure, with Web of Trust a website can now show that your online business is trusted by millions of Web of Trust members. The WOT community has rated 26 million websites for trustworthiness, vendor reliability, privacy and child safety. Use it to your advantage!

WOT is available as an add-on for major browsers for download here (Firefox, Google Chrome, IE)

Installation on Google Chrome:

Installing WOT on Google Chrome is as easy as adding any other add-on.

WOT as an add-on for Google Chrome

Once you have accepted the license agreement and Chrome has restarted, the WOT button will be located at the right side of the address bar (the default location). As with other aspects of the Google Chrome interface, you can easily move the WOT button to a location that best suits your needs. Click the “O” symbol to change its settings.

WOT screenshot with settings option

The settings page gives more options, such as a guide explaining how websites are rated, an option to customize your level of protection, the WOT search page and pop-up options.

WOT Searching page sample

WOT protecting level settings page

The installation procedure in Firefox is much the same; it includes an end-user license agreement and a user name registration step. Once installed, the WOT symbol appears on the left-hand side of the URL box.

Checking the rating of a website

After installing the add-on, go to the website whose reputation scorecard you want to check and click the “O” symbol on the left-hand side of Firefox.

WOT Icon

WOT Scorecard

The scorecard for a chosen website looks like the screenshot above. Users have the option to provide their own opinion about the particular website, but a user’s opinion does not affect the website rating.

Posted in Browser Security, Free but useful tools | Tagged: | 1 Comment »

Google Chrome Forensic

Posted by brainfoldb4u on January 22, 2010

This post was originally published on the SANS Computer Forensics blog by Kristinn under Browser Forensics, Computer Forensics. It is pretty useful information about Google Chrome, so I am linking it here.

Google Chrome stores the browser history in a SQLite database, not unlike Firefox.  Yet the structure of the database file is quite different.

Chrome stores its files in the following locations:

  • Linux: /home/$USER/.config/google-chrome/
  • Linux: /home/$USER/.config/chromium/
  • Windows Vista (and Win 7): C:\Users\[USERNAME]\AppData\Local\Google\Chrome
  • Windows XP: C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome

There are two different versions of Google Chrome for Linux: the official packages distributed by Google, which store their data in the google-chrome directory, and the Linux distributions’ version, Chromium.

The database file that contains the browsing history is stored under the Default folder as “History” and can be examined using any SQLite browser there is (such as sqlite3).  The available tables are:

  • downloads
  • presentation
  • urls
  • keyword_search_terms
  • segment_usage
  • visits
  • meta
  • segments

The most relevant tables for browsing history are the “urls” table, which contains all the visited URLs, the “visits” table, which contains, among other information, the type of visit and the timestamps, and finally the “downloads” table, which contains a list of downloaded files.

If we examine the urls table for instance by using sqlite3 we can see:

sqlite> .schema urls
CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,
typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,
favicon_id INTEGER DEFAULT 0 NOT NULL);
CREATE INDEX urls_favicon_id_INDEX ON urls (favicon_id);
CREATE INDEX urls_url_index ON urls (url);

And the visits table

sqlite> .schema visits
CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN);
CREATE INDEX visits_from_index ON visits (from_visit);
CREATE INDEX visits_time_index ON visits (visit_time);
CREATE INDEX visits_url_index ON visits (url);

So we can construct a SQL statement to get some information about the user’s browsing habits.

SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition
FROM urls, visits
WHERE
 urls.id = visits.url

This SQL statement extracts all the URLs the user visited alongside the visit count, type and timestamps.

If we examine the timestamp information from the visits table we can see they are not constructed in an Epoch format.  The timestamp in the visits table is formatted as the number of microseconds since midnight UTC of 1 January 1601, which others have noticed as well, such as firefoxforensics.

If we take a look at the schema of the downloads table (.schema downloads) we see

CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,
start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state

If we examine the timestamp there (start_time) we can see that it is stored in Epoch format.

There is one more interesting thing to mention in the “visits” table.  It is the row “transition”.  This value describes how the URL was loaded in the browser.  For full documentation see the source code of page_transition_types or in a shorter version the core parameters are the following:

  • LINK. User go to the page by clicking a link.
  • TYPED. User typed the URL in the URL bar.
  • AUTO_BOOKMARK. User got to this page through a suggestion in the UI, for example, through the destinations page.
  • AUTO_SUBFRAME. Any content that is automatically loaded in a non-toplevel frame. User might not realize this is a separate frame so he might not know he browsed there.
  • MANUAL_SUBFRAME. For subframe navigations that are explicitly requested by the user and generate new navigation entries in the back/forward list.
  • GENERATED. User got to this page by typing in the URL bar and selecting an entry that did not look like a URL.
  • START_PAGE. The user’s start page or home page or URL passed along the command line (Chrome started with this URL from the command line)
  • FORM_SUBMIT. The user filled out values in a form and submitted it.
  • RELOAD.  The user reloaded the page, whether by hitting reload, enter in the URL bar or by restoring a session.
  • KEYWORD. The url was generated from a replaceable keyword other than the default search provider
  • KEYWORD_GENERATED. Corresponds to a visit generated for a keyword.

The transition variable contains more information than just the core parameters.  It also stores so called qualifiers such as whether or not this was a client or server redirect and if this a beginning or an end of a navigation chain.

When reading the transition from the database and extracting just the core parameter the variable CORE_MASK has to be used to AND with the value found inside the database.

CORE_MASK = 0xFF,

I’ve created an input module to log2timeline to make things a little bit easier by automating this.  At this time the input module is only available in the nightly builds, but it will be released in version 0.41 of the framework.

An example usage of the script is the following:

log2timeline -f chrome -z local History
0|[Chrome] User: kristinng URL visited: http://tools.google.com/chrome/intl/en/welcome.html (Get started with Google Chrome) [count: 1] Host: tools.google.com type: [START_PAGE - The start page of the browser] (URL not typed directly)|0|0|0|0|0|1261044829|1261044829|1261044829|1261044829

0|[Chrome] User: kristinng URL visited: http://isc.sans.org/ (SANS Internet Storm Center; Cooperative Network Security Community - Internet Security) [count: 1] Host: isc.sans.org type: [TYPED - User typed the URL in the URL bar] (directly typed)|0|0|0|0|0|1261044989|1261044989|1261044989|1261044989..
The script reads the user name from the directory path the history file was found in, then reads the database structure from the History file and prints out the information in a human-readable form (this output is in mactime format).  To convert the information found here to CSV using mactime:

log2timeline -f chrome -z local History > bodyfile
mactime -b bodyfile -d > body.csv

And the same lines in the CSV file are then:
Thu Dec 17 2009 10:13:49,0,macb,0,0,0,0,[Chrome] User: kristinng URL visited: http://tools.google.com/chrome/intl/en/welcome.html (Get started with Google Chrome) [count: 1] Host: tools.google.com type: [START_PAGE - The start page of the browser] (URL not typed directly)
Thu Dec 17 2009 10:16:29,0,macb,0,0,0,0,[Chrome] User: kristinng URL visited: http://isc.sans.org/ (SANS Internet Storm Center; Cooperative Network Security Community - Internet Security) [count: 1] Host: isc.sans.org type: [TYPED - User typed the URL in the URL bar] (directly typed)
The original information is published at this link.
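The timestamp conversion, the urls/visits join and the CORE_MASK decoding described in the post, worked through in Python as an added example (not code from Kristinn's post or from log2timeline). It builds an in-memory History database from the schema quoted above with two constructed rows; the qualifier bit values (CHAIN_START, CHAIN_END, CLIENT_REDIRECT, SERVER_REDIRECT) are taken from Chrome's page_transition_types source and should be checked against the Chrome version under examination.

```python
"""Decode a Chrome 'History' SQLite database: WebKit timestamps, the
urls/visits join and the transition field (core type + qualifiers).

Added example; the rows below are constructed, not real browsing data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Core transition types, in the order listed in Chrome's page_transition_types
# (LINK = 0 ... KEYWORD_GENERATED = 10).
CORE_TYPES = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "START_PAGE", 7: "FORM_SUBMIT",
    8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
CORE_MASK = 0xFF  # AND the stored value with this to get the core type

# Qualifier bits stored in the upper bits of the same integer (values from
# Chrome's page_transition_types source; verify against your Chrome version).
QUALIFIERS = {
    0x10000000: "CHAIN_START",
    0x20000000: "CHAIN_END",
    0x40000000: "CLIENT_REDIRECT",
    0x80000000: "SERVER_REDIRECT",
}

# Chrome stores visit_time as microseconds since 1601-01-01 00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """Turn a Chrome/WebKit microsecond timestamp into an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def webkit_to_epoch(value):
    """Turn a Chrome/WebKit timestamp into Unix seconds (what mactime expects)."""
    return int((webkit_to_datetime(value) - UNIX_EPOCH).total_seconds())


def decode_transition(value):
    """Split a transition value into its core type name and qualifier names."""
    core = value & CORE_MASK
    name = CORE_TYPES.get(core, "UNKNOWN(%d)" % core)
    quals = [q for bit, q in QUALIFIERS.items() if value & bit]
    return name, quals


# Schema as quoted from '.schema urls' / '.schema visits' in the post.
SCHEMA = """
CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,
  visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,
  last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,
  favicon_id INTEGER DEFAULT 0 NOT NULL);
CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,
  visit_time INTEGER NOT NULL,from_visit INTEGER,
  transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN);
"""

# Constructed rows mirroring the two visits in the post's log2timeline output.
# 12905518429000000 us since 1601 == Unix 1261044829 == 2009-12-17 10:13:49 UTC.
T_WELCOME = 12905518429000000
T_ISC = T_WELCOME + 160 * 1000000  # 2 min 40 s later, as in the post
SAMPLE_URLS = [
    (1, "http://tools.google.com/chrome/intl/en/welcome.html",
     "Get started with Google Chrome", 1, 0, T_WELCOME, 0, 0),
    (2, "http://isc.sans.org/", "SANS Internet Storm Center", 1, 1, T_ISC, 0, 0),
]
SAMPLE_VISITS = [
    # START_PAGE with the CHAIN_START|CHAIN_END qualifiers set
    (1, 1, T_WELCOME, 0, 0x30000006, 0, 0),
    # TYPED with the same chain qualifiers
    (2, 2, T_ISC, 0, 0x30000001, 0, 0),
]


def open_sample_history():
    """Create an in-memory History database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?,?)", SAMPLE_URLS)
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", SAMPLE_VISITS)
    return conn


def timeline(conn):
    """Run the post's urls/visits join and return decoded records, oldest first."""
    rows = conn.execute(
        "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
        "visits.visit_time, visits.transition "
        "FROM urls, visits WHERE urls.id = visits.url "
        "ORDER BY visits.visit_time").fetchall()
    records = []
    for url, title, count, typed, vtime, trans in rows:
        core, quals = decode_transition(trans)
        records.append({
            "time": webkit_to_datetime(vtime), "epoch": webkit_to_epoch(vtime),
            "url": url, "title": title, "count": count,
            "typed": typed > 0, "type": core, "qualifiers": quals,
        })
    return records


def bodyfile_line(rec, user="unknown"):
    """Format a record in the mactime bodyfile layout shown in the post."""
    desc = "[Chrome] User: %s URL visited: %s (%s) [count: %d] type: [%s] (%s)" % (
        user, rec["url"], rec["title"], rec["count"], rec["type"],
        "directly typed" if rec["typed"] else "URL not typed directly")
    t = rec["epoch"]
    return "0|%s|0|0|0|0|0|%d|%d|%d|%d" % (desc, t, t, t, t)


if __name__ == "__main__":
    for rec in timeline(open_sample_history()):
        print(bodyfile_line(rec, "kristinng"))
```

Point open_sample_history at a real profile by replacing the in-memory connection with sqlite3.connect on a copy of the History file (work on a copy, since Chrome keeps the original locked while running).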

Posted in Auditing, Browser Security, Hacking | Tagged: , | Leave a Comment »

Gmail's GPG Encryption

Posted by brainfoldb4u on January 15, 2010

Better security typically goes hand in hand with increased inconvenience. But some human rights activists who used Gmail right now likely wish they’d put up with a little hardship to help keep hackers at bay. I’m not going so far as to recommend you use e-mail encryption, but I think this is a good time to take a close look at it.

This post looks at how to use a collection of free or open-source software packages: GPG, or GNU Privacy Guard; Mozilla Messaging’s Thunderbird e-mail software; and its Enigmail plug-in. CNET Download.com also hosts Thunderbird for Windows and Mac and Enigmail for all platforms.

Public key cryptography
Encryption scrambles messages so that only someone with a key (or a tremendous amount of computing horsepower, or knowledge of how to exploit an encryption weakness) can decode them. One form is called, curiously, public key encryption, and this is what GPG and Enigmail use.

Here’s the quick version of how it works. You get a private key known only to yourself and a public key that’s available for anyone else to use. The person you’re corresponding with also has such a pair of keys. Although the public and private keys are mathematically related, you can’t derive one from the other.

To send a private message, someone encrypts it with your public key; you then decrypt it with your private key. When it’s time to reply, you encrypt your message with the recipient’s public key and the recipient decodes it with his or her private key.

Messages in transit from one machine to another are a bunch of textual gobbledygook until decoded. If you’re being cautious enough to encrypt your e-mail, you should be aware that there’s still some information that leaks out to the outside world. The subject line isn’t encrypted, and somebody might take interest in the identity of your active e-mail contacts and the timing and frequency of communications.

So how do you find out what your correspondent’s public key is? You can either fetch the key firsthand from the correspondent, or you can search for it on public computers on the Net called key servers; mine is stored at pool.sks-keyservers.net.

This form of encryption has another advantage: you can sign your e-mail electronically so the recipient knows it really is from you. This time the process works in reverse: you sign your e-mail with your private key, then your recipient verifies it’s from you using your public key.

Continue reading CNET for more insight.

Posted in Browser Security, Google, Information Security | Leave a Comment »

4 Quick Sites That Let You Check if Links Are Safe

Posted by brainfoldb4u on January 10, 2010

Whether you’re accessing popular social networking sites or other communication apps such as your webmail portal and IM clients, the links let you dive into a world of new information. With one click, you may end up enjoying a great story, or on the other hand unfortunately trying to crawl your way out of a potentially harming website.

You may have anti-virus and malware removal programs installed, but they will not prevent you from clicking any of those potentially-harmful-but-so-interesting-looking Twitter, Facebook or email links. Even if you have security toolbars and add-ons installed, the following online tools may help you find out whether a website really is safe, especially if you would like to get a second opinion (e.g. you suspect the site’s review has not been updated) or if you decide that you do not need more add-ons slowing your browser’s performance. Click the link below from makeuse.com.

4 Quick Sites That Let You Check if Links Are Safe


Posted in Browser Security, Hacking, Information Security, Security tools | Tagged: , , | 1 Comment »

Flash cookies

Posted by brainfoldb4u on January 8, 2010

Flash cookies (Local Shared Objects, LSOs) are pieces of information placed on your computer by the Flash plugin. These super-cookies are placed in central system folders and are thus protected from deletion. They are frequently used like standard browser cookies. Although their threat potential is much higher than that of conventional cookies, only a few users have begun to take notice of them. It frequently happens that, after a time, hundreds of these Flash cookies reside in special folders. And they never get deleted.

Some Flash cookie properties are:

  • They never expire, staying on your computer for an unlimited time.
  • By default they offer 100 KB of storage (compare: usual cookies 4 KB).
  • Browsers are not aware of these cookies; LSOs usually cannot be removed by browsers.
  • Via Flash they can access and store highly specific personal and technical information (system, user name, files, …).
  • They can send the stored information to the appropriate server without the user’s permission.
  • Flash applications do not need to be visible.
  • There is no easy way to tell which Flash-cookie sites are tracking you.
  • Shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
  • The company does not provide a user-friendly way to manage LSOs; in fact it is incredibly cumbersome.
  • Many domains and tracking companies make extensive use of Flash cookies.
  • These cookies are not harmless.

To review your Flash cookie information you need to go to the Adobe Flash website. There is a Settings Manager, a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe has no access to these settings; it is completely the user’s responsibility to change them as required. Click this link to access your Settings Manager. To change your settings, click the tabs to see the different panels, then click the options in the Settings Manager panels that you see on the web page. The five tabs are Global Storage Settings, Global Security Settings, Global Notification Settings, Website Privacy Settings and Website Storage Settings. To read more about those tabs click here.

When SWF or FLV content is being played, the settings you select for Flash Player are used in place of options you may have set in your browser. That is, even if you have specified in your browser settings that you do not want cookies placed on your computer, you may be asked if an application that runs in Flash Player can store information. This happens because the information stored by Flash Player is not the same as a cookie; it is used only by the application, and has no relation to any other Internet privacy or security settings you may have set in your browser.

Similarly, the amount of disk space you let the application use has no relation to the amount of disk space you have allotted for stored pages in your browser. That is, when SWF or FLV content is being played, the amount of disk space you allow here is in addition to any space your browser is using for stored pages.

No matter how you may have configured your browser, you still have the option to allow or deny the application that runs in Flash Player permission to store the information, and to specify how much disk space the stored information can occupy.

Solution

The Firefox extension BetterPrivacy is a cookie manager for LSO Flash objects and DOM storage objects. Local storage objects are placed on the computer by Flash applications such as the YouTube video player.

BetterPrivacy can stop them by silently removing those objects on every browser exit, so this extension becomes a sort of “install and forget” add-on. Usually automatic deletion is safe (no negative impact on your browsing), especially if the deletion timer is activated. The timer can delay automatic deletion of new or modified Flash cookies which might still be in use. It also allows you to delete those objects immediately if desired.

With BetterPrivacy it is possible to review, protect or delete new Flash cookies individually. Users who wish to manage all cookies manually can disable the automatic functions. BetterPrivacy also protects against ‘DOM Storage’ long-term tracking, a browser feature which has been granted by the major browser manufacturers.

To learn more about Flash cookies and how-tos, click the following links:

Recommended comprehensive Flash cookie article (topic: UC Berkeley research report)
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

Wikipedia LSO information:
http://en.wikipedia.org/wiki/Local_Shared_Object

Privacy test:
http://netticat.ath.cx/extensions.html
Navigate to BetterPrivacy (right column)

Posted in Browser Security, Information Security | Tagged: , | Leave a Comment »

Phishing

Posted by brainfoldb4u on January 1, 2010

Phishing:

One of the hot topics of the 2009 information security industry is phishing. According to a recently released Trusteer report, based on a sample of 3 million users over a period of 3 months, 45% of the time users were spoofed into a fake log-on page. The report also claimed that most of the discovered phishing sites are live and also have the capability to bypass any anti-spam and anti-phishing protection present in the victim’s browser. Banking and online shopping cart users are the most targeted and affected among phishing victims. The graph below from PhishTank shows phishing sites by country of host for Nov 2009.


In a phishing attack, hackers create an almost identical-looking replica of a chosen banking or online shopping website, then attempt to trick users into revealing personal information and login credentials such as user name, password and PIN. The trapped user fills in the form thinking it is the legitimate website, giving the hackers a wide window of opportunity to misuse the victim’s sensitive information.

Hackers use various phishing techniques to get victims to access their fake web page. One such method is sending an email that pretends to be from your debit or credit card company, asking you to update your personal information. Because the email looks like it comes from a legitimate website, recipients click on the link in the email, are directed to the fake website and are tricked into exposing their information.

To stay protected, below are some of the steps a user can take:

  • Check for a digital signature: unless the email is digitally signed, it cannot be trusted with sensitive information.
  • Be aware of such fake emails; remember it is highly unlikely that your bank will ask for your sensitive information by email.
  • When you need to fill in your login details on a web page, look for https in your URL box. Also look for the lock symbol in the lower right-hand corner of the web browser. Double-clicking the lock gives you access to the digital certificate. If you do not see both https and the secure lock, do not give your information. Alternatively, contact your bank by telephone.
  • Instead of clicking the link in your email message, try typing the URL into your web browser.
  • Mozilla Firefox’s current version 3.5 has good anti-phishing functionality, and using Firefox may provide an advantage against phishing sites.
  • Make sure to keep your web browser of choice updated with the latest security patches.
  • Check your bank account regularly after making a transaction; if you notice any suspicious activity, report it to your bank immediately.
  • Always report “phishing” or “spoofed” e-mails to the following groups:
  1. forward the email to reportphishing@antiphishing.org
  2. forward the email to the Federal Trade Commission at spam@uce.gov
  3. forward the email to the “abuse” email address at the company that is being spoofed (e.g. “spoof@ebay.com”)
  4. when forwarding spoofed messages, always include the entire original email with its original header information intact
  5. notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/

Phishing statistics for the month of December 2009.

The phishing statistics below are from records dated 1st December 2009. While visiting the websites mentioned below, make sure to apply the tips above to minimize the risk of being victimized.

Popular Targets

Top 10 Identified Targets (valid phishes)

Rank  Target                        Valid phishes
1     PayPal                        10,361
2     Internal Revenue Service      870
3     Tibia                         784
4     eBay, Inc.                    458
5     Facebook                      439
6     Bank of America Corporation   270
7     JPMorgan Chase and Co.        202
8     HSBC Group                    201
9     Google                        146
10    HSBC                          121

Phishing URLs

In November, 278 phishes (5% of valid phishes that month) used an IP address (e.g. http://12.34.56.78) and 4,980 (or 95%) used a domain name (e.g. http://example.com).

Top 10 Domains (valid phishes)

Rank  Domain                     Valid phishes
1     atspace.com                237
2     submissionradio.com.au     67
3     oksamyt-inter.com.ua       60
4     85studio.pl                50
5     sisek.net.ua               49
6     virtualbattlespace2.com    44
7     wilsden.com.au             40
8     110mb.com                  39
9     aidastreasures.com         37
10    dezigner.ru                34


Posted in Browser Security, Hacking, Information Security | Tagged: | Leave a Comment »

Browser Security 2

Posted by brainfoldb4u on December 27, 2009

In my last review I posted some basics on choosing the right web browser. But web security threats involve more than just choosing the right browser, so here we will look at the next step in safe browsing. Current-day threats are very dangerous; simple mistakes such as one visit to a malware site or clicking to install a loaded shareware package can affect your computer’s performance and usability. Some of the consequences are annoying pop-up screens with advertisements, your browser’s home page being changed and your default search engine being altered. Sometimes the intruders who hacked your computer will blackmail you for money or personal gain, or even worse, steal money from your bank account. Having an antivirus installed is not enough: with the amount of viruses and spyware around, it is very hard for firewall vendors to keep up. Of course, there are a few free firewall vendors such as PC Tools, Avast, Avira, Comodo Internet Security and Online Armor that provide free versions of their internet security suites, anti-spyware tools and firewalls. But it is necessary to learn a different approach to overcome these threats.

Sandboxing:

In the computer security world, sandboxing is a mechanism used to separate running programs. It is used for tasks such as executing untested code or running untrusted programs from unverified third parties and untrusted users. Given that open source and distributed computing are getting more popular, the sandbox concept will be a very useful mode of protection against unwanted hacking. A sandbox typically provides tight control over the untrusted program, so that even if anything goes wrong the impact does not affect your computer or its resources.

To get a sandboxed environment we can use a free program called Sandboxie, which is available for Windows versions later than Windows 2000. Installing this piece of software creates a sandbox-like environment on your PC. Startup is just like that of any other browser, apart from the inconvenient nag screen that pops up until the application opens. Browsing inside Sandboxie gives you the greatest protection by isolating the browser from your OS, hard drive, memory locations, registry and OS sessions. So whatever browsing or downloading you do stays within the box and does not affect your PC. Upon downloading and saving a file, Sandboxie gives you the option of saving it permanently or not. A better option is to add your default downloads folder to the Quick Recovery settings, so that all files saved there are automatically saved to your real hard drive, which saves you manually copying the files out of the sandbox.

Say, for instance, you have downloaded a virus or Trojan by mistake: you close the browser and right-click to delete all its files and processes, and doing so gets your PC back to the normal state it was in before starting the session. The latest version comes with advanced options such as in-depth defense, blocking access to your personal files and letting you choose which programs may run and which may not. Some other advanced features also help protect against keyloggers. Overall it protects you from viruses, Trojans, adware, spyware and other malware that could infect your PC from the web.

Online Armor:

To make browsing safer there is another option from a company called Online Armor, who give us free firewall protection as well as an option called “Run Safer”. Run Safer works with privileges. All files, processes and programs running in the OS have at least two levels of permission: one with read-only access and a second with full access (read, write, change). Users with admin login credentials typically have full access, while users with normal login credentials have low-level access so that they cannot do any harm. A typical home user uses his or her admin logon for all day-to-day tasks on the machine because it is convenient. But it is not safe to do so: if a dangerous program happens to get into your computer, it will be just as convenient for the virus, Trojan or malware to crash or take control of your computer.

Online Armor's Run Safer option helps protect against this by automatically “stepping down the rights” of your web browser, or any other program you run, to those of a limited user. You may say anyone can do this by hand, but the tool does it transparently. This way you can make your web browsing safer.

PC Tools Firewall Plus:

PC Tools Firewall Plus is a very useful personal firewall that provides a host-based intrusion prevention system (HIPS) through an enhanced security mechanism. It relies on a list of programs, checks for valid digital signatures and alerts the user if it identifies any possibly malicious behavior. In terms of performance it gives the same protection as its commercial equivalents. Installation is simple, the default settings are very user friendly, and it produces fewer popups for common tasks. Some key highlights are:

  • Hides your PC from Internet hackers.
  • Fine-grained control over inbound and outbound traffic.
  • Easy to use. Designed for both novice and expert users.
  • No interruptions when playing full-screen games.
  • Optional password protection for rules and settings.
  • Best of all it’s FREE. No catches, limitations or time-limits.

Additional features include full screen mode, a mode to suppress all alerts, password protection and automatic updates. For a detailed list of its features click here. So overall it is a good free firewall option for home users. The paid version gives enhanced features for 49 dollars, which is relatively cheap compared with its costly counterparts.

PC Tools Spyware Doctor:

PC Tools Spyware Doctor with Antivirus is again an awesome tool to keep you away from infections. This is more of a corrective measure, whereas the options discussed earlier were preventive. I have the paid version of McAfee installed on my computer, but when my computer slows down with adware and spyware infections it is Spyware Doctor that rescues my brainfold (my PC). Its full scan detects and destroys almost all unwanted viruses, Trojans, adware and spyware in the best and quickest way possible. I strongly recommend you to try installing Spyware Doctor from PC Tools, compare its scan with your paid protection and see the difference for yourself.

Conclusion: In this post I discussed some intermediate-level techniques for keeping a home computer safer from exploits (attacks). The first option is to have sandbox software installed; if you are not sure about what you are downloading, download it with the sandboxed browser. The second option is also preventive: turning Online Armor's Run Safer option on avoids harm to the computer by maintaining least privilege. PC Tools Firewall Plus and Spyware Doctor are preventive and corrective measures respectively to combat virus, Trojan, adware and spyware infections. I hope this post is informative for home users. Thank you again for your time; if you need any further clarification or assistance in selecting any of the above methods, please comment and I will get back to you.

Posted in Browser Security, Hacking, Information Security, Open Source, Uncategorized

Browser Security 1

Posted by brainfoldb4u on December 25, 2009

Web browsers:

Web browsers are software applications that operate between your computer and a web server. The browser contacts the web server and requests information or resources; the web server then locates the web page and sends the information back to the browser on our computer. There are various sorts of content a browser has to interpret and display: applications, programs, animations and similar material created with programming languages (Java, ActiveX), scripting languages (PHP, Perl, JavaScript) and AJAX. The most commonly used web browsers are Internet Explorer (70%), Firefox (20%), Chrome (5%), Opera (5%), Safari (5%) and Konqueror (1%). So the theory is: the more popular a web browser is, the more successfully it has been attacked in the past. I am planning to write about Microsoft IE browser security in a separate column as there is a lot to talk about, so you may not find IE browser content on this page.

Web browser security has become one of the hot topics in the information security industry: not choosing the right browser and not updating it may lead to a variety of problems, such as spyware being installed, an intruder taking control of your computer, and many more. Software attacks that take advantage of browser vulnerabilities are increasing rapidly, so it is significant for users to choose browsers that address our needs well. Unauthorized disclosure of content stored on the computer running the web browser is a major threat that needs to be addressed. For example, Apple fixed a flaw in its 2009-001 security update which allowed access to files on the local hard drive through execution of arbitrary JavaScript on the local computer. Trend Micro's 2008 threat information indicates that more than half of the most common infections were due to direct downloading from the internet. Attackers can do this cheaply, with the aim of taking control of your computer, stealing your information, destroying your files, or using your computer as a proxy to attack other computers. Some of the common factors that lead to browser exploits are as follows:

  • Users tend to click on links without thinking about the risk and consequences it could bring.
  • Not running the updates.
  • Web browsers are configured for increased functionality without worrying about security.
  • Clicking links that take you to a malicious site.
  • Configuring computer systems with additional software without knowing its functionality, which increases the number of vulnerabilities that may be attacked.
  • Third-party software that has no mechanism to receive software updates.
  • Some websites require additional features or install more software, putting our computer at risk.

As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise security. I thought of putting together an article to emphasize the balance between usability and security of web browsers.

Some software features that provide functionality to a web browser, such as ActiveX, Java and scripting (JavaScript, VBScript, etc.), may also introduce vulnerabilities to the computer system. These may stem from poor implementation, poor design, or an insecure configuration. For these reasons, you should understand which browsers support which features and the risks they could introduce. Some web browsers permit you to fully disable the use of these technologies, while others may permit you to enable features on a per-site basis. You may have multiple web browsers installed on your system. Software applications on your computer, such as email clients or document viewers, may use a different browser than the one you normally use to access the web. Also, certain file types may be configured to open with a different web browser. Using one web browser for manually interacting with web sites does not mean other applications will automatically use the same browser. For this reason, it is important to securely configure each web browser that may be installed on your computer. One advantage of having multiple web browsers is that one browser can be used only for sensitive activities such as online banking, and the other for general-purpose web browsing. This can minimize the chance that a vulnerability in a web browser, web site, or related software can be used to compromise sensitive information.

Google Chrome:

  • Chrome Mailer: Chrome Mailer is an add-on for Google Chrome which automatically opens and composes a Gmail message whenever you click on a mailto: link. Windows' default mail client is bypassed in favor of Google's web-based offering, making this a very useful addition for those who favor Gmail when working within their Chrome browser. Toggling this behavior on and off is as simple as clicking a button within Chrome Mailer's interface. Support for Google Apps users with domains other than gmail.com is also included.
  • Incognito Surfing: Lets you surf the web with relative anonymity, meaning details of your web surfing are not retained. This can be useful when browsing on public systems like library and school PCs. With Incognito, the sites you open and files you download are not logged in the browser history, and all new cookies are removed when the session closes.
  • Sandbox: While other browsers run one instance of the browser engine with multiple associated processes, Google Chrome runs each tab in its own sandboxed process. This means that even if one or more browser windows or tabs crash, the browser engine does not crash and other tabs/processes are not taken down. Malware or issues in one tab cannot affect other open browser instances, and the sandboxed process is unable to write to or change the operating system in any way, protecting your PC from attack.
  • Safe Browsing: This feature mainly relies on certificates to verify the authenticity of the server being connected to. Google Chrome compares the information provided in the certificate with the real server being connected to and alerts you if the information does not match. If Chrome detects that the address specified in the certificate and the actual server you connect to are not the same, it issues the warning “This is probably not the site you are looking for!”.

While a couple of security flaws and vulnerabilities have been identified, no web browser is perfect, and in Google's defense Chrome is still in beta testing. Chrome does have a variety of innovative features and a unique interface that many users have quickly come to prefer over Internet Explorer and Firefox. Many users also report that it is faster at loading pages than other web browsers. The additional security controls should prove valuable in helping you surf the web safely. Google Chrome is definitely worth taking a look at.

Overall: Google Chrome is best suited for everyday casual browsing where usability comes first. If you want a browser that opens fast, looks simple and helps you browse fast, I guess Google Chrome can be your best option. Chrome uses tabbed browsing, and in its version the tabs have individual processes with sandbox capabilities which restrict privileges for third-party apps; additionally, Chrome uses a blacklist that alerts users of ‘bad’ sites and has an ‘incognito’ mode for private browsing. It is fully customizable and supports a huge number of languages: more than 70, including Tamil. Moreover, I love it because it can be translated into Tamil!!
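The comparison described in the Safe Browsing bullet above, the name in the certificate against the host the user actually asked for, is worth seeing as code. The block below is an added example written for this post, not Chrome's own code: it takes the DNS names a server certificate was issued for (the subjectAltName entries, here a constructed certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns) and decides whether a requested hostname is covered. The function names are my own; the wildcard rules follow RFC 6125, which is why a wildcard never matches across a dot and never covers the bare domain.

```python
"""Certificate hostname check of the kind the Safe Browsing bullet describes.

Added example, not Chrome's code. A wildcard is accepted only as the entire
left-most label, with at least two further labels ("*.example.net" yes;
"*.net", "w*.example.net" and "a.*.net" no), and it matches exactly one label.
"""


def dns_names_from_peercert(peercert: dict) -> list:
    """Pull the DNS entries out of the subjectAltName tuples that
    ssl.SSLSocket.getpeercert() returns; IP entries are ignored here."""
    return [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject anything other than "*" as the whole first label, a second "*"
    # anywhere, or a wildcard that would cover a registered domain ("*.net").
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return (len(h_labels) == len(p_labels)     # "*" spans exactly one label
            and h_labels[0] != ""               # that label must exist
            and h_labels[1:] == p_labels[1:])   # the rest must be identical


def hostname_covered(hostname: str, peercert: dict) -> bool:
    """True if any DNS name in the certificate matches the requested host."""
    return any(name_matches(n, hostname) for n in dns_names_from_peercert(peercert))


def verdict(hostname: str, peercert: dict) -> str:
    """The decision a browser makes before showing the page."""
    if hostname_covered(hostname, peercert):
        return "certificate matches " + hostname
    return "This is probably not the site you are looking for!"


# Constructed certificate data (not a real site); shape mirrors getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.example.net"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.net",
                 "deep.mail.example.net", "example.net", "www.example.org"):
        print(f"{host:24} -> {verdict(host, SAMPLE_CERT)}")
```

The interesting cases are the negative ones: "deep.mail.example.net" and "example.net" are both rejected even though "*.example.net" is in the certificate, because a wildcard stands for exactly one label. Note that Chrome's feature named Safe Browsing is, strictly, its list of known bad sites; the certificate check the bullet describes happens on every HTTPS connection regardless of that list.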

Mozilla Firefox:

Mozilla Firefox supports many of the same features as Internet Explorer, with the exception of ActiveX and the Security Zone model. Mozilla Firefox does have the underlying support for configurable security policies (CAPS), which is similar to Internet Explorer's Security Zone model; however, there is no graphical user interface for setting these options.

  • Firefox protection: Firefox protects your computer by not loading ActiveX controls. It also has a huge variety of features specially designed to protect your privacy and personal information. Firefox is configured to block pop-up ads, which are a major inconvenience on Windows. Firefox seems to be more secure by default and, being open source, any issues that arise should be addressed and patched more quickly.
  • Anti-Virus Software: Firefox integrates elegantly with your anti-virus software. When you download a file, your computer's anti-virus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer.
  • Anti-Malware: Firefox protects you from viruses, worms, Trojan horses and spyware. If you accidentally access an attack site, it will warn you away from the site and tell you why it isn't safe to use. Firefox checks every part of a web page before loading it to make sure nothing harmful is sneaking in the back door.
  • Anti-Phishing: Shop and do business safely on the Internet. Firefox gets a fresh update of web forgery sites 48 times a day, so if you try to visit a fraudulent site that is pretending to be a site you trust (like your bank), a browser message, big as life, will stop you.
  • Downloadable Fonts: View a wider variety of fonts on web sites while you surf. Site designers and developers can create custom fonts that will be displayed and rendered properly even if you don't have the font installed on your computer.
  • Developer Tools: If you're a web developer, Firefox's developer tools will make your life easier. The Mozilla Add-ons site offers many tools to streamline the development process, including Firebug to edit, debug, and watch CSS, HTML, and JavaScript live in any web page, Tamper Data to view and change HTTP/HTTPS headers and POST parameters, and the DOM Inspector to check any HTML or CSS element with a simple right-click.
  • Organic software: Firefox is created by an international movement of thousands, only a small percentage of whom are actual employees. They are motivated by promoting openness, innovation and opportunity on the web, not by business concerns like profits or stock price.
  • Outdated Plugin Detection: Some web pages need small applications called plugins to be installed to watch videos, play games or view documents. These plugins are written by other companies, and it can be hard to make sure they are always up to date. Since outdated plugins are a security risk, Firefox will let you know when you have a plugin that is vulnerable to attack and direct you to the right site to get the updated version.
  • Private browsing: Like Google Chrome, Firefox supports private browsing; with this feature enabled you won't leave a single browsing fingerprint behind for others to discover.

http://www.youtube.com/watch?v=lrgf49fUWc8

Overall: I would say Firefox is best suited for heavy users, users who carry out sensitive tasks very often, and those who give security a higher priority than usability. It is fully customizable and supports a huge number of languages: more than 70, including Tamil.

Opera Browser:

Opera is my third favorite browser, with a fast and safe web browsing experience. Opera takes less space to install and makes our browsing experience more efficient. It has many unique features like Opera Unite (share content in a quick and easy way), Opera Turbo (speed booster), visual tabs, customizable speed dials, mouse gestures and the trash can (reopening closed tabs). Many of these features can be seen in Firefox or Chrome, but Opera gives them its own identity. As far as security is concerned, Opera provides features such as:

  • Content blocking: Block images, pop-ups, and plug-ins you do not want to see. Right-click and choose “Block content” to disable annoying elements selectively. To make web pages load more quickly, or to avoid offensive content, temporarily turn off images by pressing the image button. In Opera, smart pop-up blocking is turned on by default.
  • Auto Update: Opera makes it easier than ever to stay up to date with the latest version. With auto-update you can choose to have completely automatic updates or to be notified when an update is ready for you to install. As always with Opera, it is your choice.
  • Delete private data: Opera can be configured to clear the history and cache when exiting, to protect your privacy. Any kind of private data can easily be erased.
  • Security Bar: Opera displays security information inside the address bar. By clicking on the yellow security bar, you get access to more information about the validity of the certificate.
  • Encryption: Opera supports Secure Sockets Layer (SSL) version 3 and TLS. Opera offers automatic 256-bit encryption, the highest available security of any web browser.
  • Fraud protection: Fraud Protection is enabled by default, automatically detecting and warning you about fraudulent web sites. Fraud Protection is powered by phishing information from Netcraft and PhishTank and malware protection from TRUSTe. In addition, Opera supports Extended Validation (EV) certificates, which provide added assurance and trust for secure web sites. Read more about Opera Security.

Apple Safari:

Safari is another content-rich web browser, from Apple. After the iPhone release Safari gained more popularity than ever before, due to the fact that it comes built into the iPhone. iPhone sales were up 245% by 2009; think about the number of users that means for Safari. It is designed to emphasize browsing more than the browser. Its browser frame is a single pixel wide and scroll bars appear only when needed. It comes with many features: for example, you can hide almost the entire interface, removing almost every distraction from the browser window. Safari gives an enjoyable browsing experience regardless of platform. The first browser to deliver the “real” Internet to a mobile device, Safari renders pages on iPhone and iPod touch just as you see them on your computer. But this is more than just a scaled-down mobile version of the original. It takes advantage of the technologies built into these multi-touch devices. The page shifts and reformats to fill the window when you turn it on its side. You zoom in just by pinching and extending your fingers. Of course, no matter how you access it, Safari is always blazing fast and easy to use.

  • ARIA: Safari supports Accessible Rich Internet Applications (ARIA). The ARIA standard helps web developers make dynamic web content more accessible for people with disabilities. With ARIA, sites taking advantage of advanced technologies like AJAX and JavaScript can now easily interoperate with assistive technologies.
  • Next-gen standards support: Safari continues to lead the way, implementing the latest innovative web standards and enabling next-generation Internet experiences. With support for HTML 5 media tags, CSS animation, and CSS effects, web designers can create rich, interactive web applications using natively supported web standards. A standards-compliant browser, Safari renders current and future web applications as they were meant to be seen.
  • Acid3 compliance: Apple claims that Safari is the only browser to be Acid3 compliant. Acid3 tests a browser's ability to fully render pages using the web standards used to build dynamic, next-generation websites, including CSS, JavaScript, XML, and SVG.
  • Database: Safari is the only browser that includes tools for managing the offline databases that will be part of the next generation of websites. The Databases pane in Safari 4 allows you to view tables and databases and even execute SQL queries.
  • Powerful Mac-like tools for Windows: Apple has brought its expertise in Mac OS X and iPhone development tools to the web. Safari 4 includes a powerful set of tools that make it easy to debug, tweak, and optimize a website for peak performance and compatibility. To access them, turn on the Develop menu in Safari preferences.

Internet Explorer:

Internet Explorer 8 has some security mechanisms that update it for the current threat environment. It has the SmartScreen Filter to help you avoid socially engineered malware, phishing web sites and online fraud when you browse.

  • SmartScreen Filter: Checks web sites against a dynamically updated list of reported phishing sites; checks software downloads against a dynamically updated list of reported malicious software sites; helps prevent you from visiting phishing web sites and other web sites that contain malware that can lead to identity theft.
  • XSS Filter: Helps prevent a targeted site from being included in a frame. The Cross-Site Scripting Filter event is logged when Internet Explorer 8 detects and mitigates a cross-site scripting (XSS) attack. Cross-site scripting attacks occur when one web site, generally malicious, injects (adds) JavaScript into otherwise legitimate requests to another web site. The original request is generally innocent, such as a link to another page or a Common Gateway Interface (CGI) script providing a common service (such as a guestbook). The injected script generally attempts to access privileged information or services that the second web site does not intend to allow. The response to the request generally reflects results back to the malicious web site. The XSS Filter, a feature new to Internet Explorer 8, detects JavaScript in URL and HTTP POST requests. If JavaScript is detected, the XSS Filter searches for evidence of reflection: information that would be returned to the attacking web site if the attacking request were submitted unchanged. If reflection is detected, the XSS Filter sanitizes the original request so that the additional JavaScript cannot be executed. The XSS Filter then logs that action as a Cross-Site Scripting Filter event.
  • Data Execution Prevention: The Data Execution Prevention/No Execute (DEP/NX) option in Internet Explorer 8 prevents code from running in non-executable memory. When a violation occurs, the browser stops responding instead of running malicious code. When Internet Explorer 8 has recovered from a crash caused by DEP/NX, this event is logged. Typically, DEP/NX failures occur due to attempts to exploit the browser or its add-ons. But it is possible that a browser add-on is not compatible with DEP/NX, and failures occur even without malicious content.
  • InPrivate Browsing: Like Firefox, IE also comes with InPrivate Browsing, which reduces the storage of browsing history information.
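The two tests the XSS Filter bullet describes, "is there script in a request parameter?" and "does the response reflect it unchanged?", are simple enough to write down. The block below is an added example written for this post, not Microsoft's filter code and not its heuristics: it parses the query string and form-encoded POST body of a request, flags values that match a few crude script signatures (my own, constructed for the demo), and reports those the response echoes back byte for byte. Alongside it sit a constructed search page that echoes the parameter raw and the same page with HTML output encoding, which is the server-side fix the filter is compensating for. URLs and bodies are constructed; the function names are mine.

```python
"""Reflected-script detection of the kind the IE8 XSS Filter bullet describes.

Added example, not Microsoft's code. The signatures are deliberately crude;
a real filter uses far more of them, and output encoding on the server is
the fix that makes the filter unnecessary.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed signatures for script-bearing parameter values.
SCRIPT_PATTERNS = (
    re.compile(r"<\s*script\b", re.I),      # <script ...>
    re.compile(r"javascript\s*:", re.I),    # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),    # onerror=, onload=, ...
)


def looks_like_script(value: str) -> bool:
    """True if the decoded parameter value matches any signature."""
    return any(p.search(value) for p in SCRIPT_PATTERNS)


def request_params(url: str, post_body: str = "") -> dict:
    """Collect query-string and form-encoded POST parameters, percent-decoded,
    as {name: [values]} (a name may repeat)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in parse_qs(post_body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def find_reflected_script(url: str, response_body: str, post_body: str = "") -> list:
    """Return (parameter, value) pairs that look like script AND appear in the
    response unchanged. An HTML-escaped echo is not a reflection: the browser
    will render it as text, not run it."""
    hits = []
    for name, values in request_params(url, post_body).items():
        for value in values:
            if looks_like_script(value) and value in response_body:
                hits.append((name, value))
    return hits


def render_results_vulnerable(term: str) -> str:
    """Constructed 'before': the search term goes into the page raw."""
    return f"<p>Results for {term}</p>"


def render_results_hardened(term: str) -> str:
    """Constructed 'after': the same page with HTML output encoding."""
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


# Constructed request: the classic probe string, percent-encoded in the URL.
SAMPLE_URL = "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    term = request_params(SAMPLE_URL)["q"][0]
    print("vulnerable page:", find_reflected_script(SAMPLE_URL, render_results_vulnerable(term)))
    print("hardened page:  ", find_reflected_script(SAMPLE_URL, render_results_hardened(term)))
```

Run against the vulnerable page the detector reports the q parameter; against the hardened page it reports nothing, because the escaped echo no longer contains the raw value. That is also the limit of this kind of filter: it sees only what comes back unchanged, so encoding tricks that survive the round trip in another form are exactly what the real product had to keep adding heuristics for.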

Conclusion:

Currently the threat to web browsers is severe. Flaws in browsers and plugins are numerous and high impact. In my opinion IE 8 has some security mechanisms to face vulnerabilities, but all these features make it a heavyweight browser and hence impact the browsing experience. For Mac and iPhone, Apple's Safari is a competent browser. Other than its frequent crashes, Opera is a well customizable browser with a rich content experience. Mozilla has some enterprise-level lock-down capability and its security posture is substantially enhanced by the NoScript add-on. In my view the lightweight Google Chrome inches ahead: it uses tabbed browsing in which the tabs have individual processes with sandbox capabilities that restrict privileges for third-party apps; additionally, Chrome uses a blacklist that alerts users of ‘bad’ sites, has an ‘incognito’ mode for private browsing, and offers a smooth, fast and crash-free browsing experience.

Posted in Browser Security, Information Security