Browser security

The SecurityFocus web sites have been running a series of articles on web browser security. The articles target the two major browsers, IE (6 and 7) and (strangely) older versions of Firefox (1.5 and 2.0). The current article looks at attacks on password managers. The user is given a false sense of security because they "expect that the browser, possibly in conjunction with the operating system, will protect their information". The significant takeaway was that these browsers are not to be trusted to store personal information such as usernames, passwords and other stored form information.

Firefox's password manager (version 2.0), as of November 2006, has a software flaw that allows a user's credentials (for the site currently being visited) to be posted to any URL if the user clicks a maliciously crafted link.
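As an added illustration (not code from the SecurityFocus article or from this post), here is a check a site owner could run over the forms on their own pages: it flags any form that carries a password field but whose action would submit to an origin other than the page's own, which is exactly the condition the flaw above abuses. The function names and the sample form list are assumptions made for the example.

```javascript
// Added example, not from the original post. Audits login forms and flags any
// whose action would send credentials to a different origin than the page.
// Forms are passed as plain {action, hasPassword} objects so this runs without
// a DOM; collectForms() below builds that list from a real document.

function originOf(href, base) {
  // Resolve relative actions such as "/login" against the page URL.
  try {
    return new URL(href, base).origin;
  } catch (e) {
    return null; // unparsable action: treated as not matching the page
  }
}

function auditLoginForms(pageUrl, forms) {
  const pageOrigin = new URL(pageUrl).origin;
  const flagged = [];
  forms.forEach((form, index) => {
    if (!form.hasPassword) return; // only forms that would carry credentials
    // An empty action submits back to the current page.
    const target = form.action ? originOf(form.action, pageUrl) : pageOrigin;
    if (target !== pageOrigin) {
      flagged.push({ index, action: form.action, target });
    }
  });
  return flagged;
}

// Browser-only helper (hypothetical usage): build the form list from the DOM.
function collectForms(doc) {
  return Array.from(doc.forms).map(f => ({
    action: f.getAttribute('action') || '',
    hasPassword: f.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample: a legitimate login form, a profile form without a
// password field, and an injected form that posts credentials elsewhere.
const sampleForms = [
  { action: '/login', hasPassword: true },
  { action: 'https://example.com/profile', hasPassword: false },
  { action: 'http://attacker.invalid/collect', hasPassword: true },
];

if (typeof document === 'undefined') {
  console.log(auditLoginForms('https://example.com/home', sampleForms));
}
```

In a browser the same audit is `auditLoginForms(location.href, collectForms(document))`, which is a cheap way to spot a password-stealing form that has been injected into user-supplied content.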

And IE (6 or 7) has this issue:

Internet Explorer is usually a prime target for malware infection. These vulnerabilities converge at a dangerous point where malware programs are specifically targeting AutoComplete information. These programs gain confidential information and then send it back to the attacker.

So what can we do to reduce the risks? Fortunately, the article provides some defensive strategies. They suggest avoiding password managers altogether, using a strong (not easily guessed) password to protect the password manager, using an alternative password manager that supports encryption, using strong and unique passwords for every site, and even offer some programming tips for web developers.

On my Mac, I use 1Password. 1Password uses a master password, encrypts stored passwords and form data, and can generate unique random passwords for any site. You can download 1Password here and give it a test drive.

Check out this article on The Real Life Risks Of Re-Using The Same Passwords.

Windows Live Safety Center: Free online scanner for PC health and safety

Live seems to be all the buzz from Microsoft. Not sure where all this is going. What is the strategy for making money on this? Or is this an attempt by Microsoft to garner some Google-like buzz?

The software is in beta, which Microsoft makes sure to explain, and works with Internet Explorer only. The user can choose from Protected, Clean Up, Tune Up or a full service scan.

The protection scan checks your system for a virus or other potentially unwanted programs. Note the "Share information with Microsoft" checkbox. Unless you uncheck this, your scan results will be uploaded to Microsoft. For what purposes? Your guess is as good as mine.

Clean-Up works similarly to the Windows XP clean up system tool, removing unnecessary files. These tools require the user to download an ActiveX control and report information to Microsoft.

Each scan type presents the user with the scan results and a recommended course of action if any.

The user can exit the app when the scan and changes have been made. There is a disclaimer on this page.

Windows Live Safety Center: Free online scanner for PC health and safety: "Windows Live Safety Center is a new, free service designed to help ensure the health of your PC.
* Check for and remove viruses
* Learn about threats
* Improve your PC's performance
* Get rid of junk on your hard disk
Use the full-service scan to check everything, or turn to the scanners and information in the service centres to meet your specific needs."

Internal IP address - NAT addresses, Private IP, NATed Addy

I am discovering just how challenging it is to be secure and anonymous while using the web. Apparently Java code embedded in a web site can read various configuration settings of your computer while you are browsing that site. This happens without prompting the user. In my case I was browsing the Audit My PC web site using Firefox, a browser most consider to be more secure than Internet Explorer. The only option available to the user is to disable Java and JavaScript. Of course this prevents the user from experiencing the full functionality of some sites, such as Gmail, which make heavy use of AJAX. I guess the lesson here is that while connected to a remote server one must be ever vigilant.