May 24, 2015

Safer browsing #GUIDE

Safer browsing
It is clear that browsing has the most low cost attack vectors for data theft by hackers, tracking by corporations and governmental spying. Safer browsing is a good investment all around.
cookies

Threats

Phishing

Bruce Schneier calls these Semantic Attacks, where the attacker targets the interface between the machine and user. Phishing is an attack where emails are sent out to people in a spam-like broadcast, attempting to get account information. In general, the email seems to come from a genuine (usually banking) institution and includes a URL which the victim is tricked into following. Anno 2015, browsers contain built-in phishing and malware protection.
.linkview overflow:auto; .lv-slider ul, .lv-slider li margin:0; padding:0; list-style-type:none; list-style-image:none; .lv-slider li overflow:hidden; text-align:center; .lv-slider img max-width:100%; .lv-row overflow:auto; .lv-multi-column float:left;

Malware

Malware can be installed via a web page script which exploits a browser vulnerability. The program will automatically be launched when a user visits an infected site. Compromising a browser is relatively easy and it is cross-platform, hence an often chosen attack vector.

Fingerprinting

If we ask whether a fact about a person identifies that person, it turns out that the answer isn’t simply yes or no. If all I know about a person is their ZIP code, I don’t know who they are. If all I know is their date of birth, I don’t know who they are. If all I know is their gender, I don’t know who they are. But it turns out that if I know these three things about a person, I could probably deduce their identity! Each of the facts is partially identifying.There is a mathematical quantity which allows us to measure how close a fact comes to revealing somebody’s identity uniquely. That quantity is called entropy, and it’s often measured in bits. Intuitively you can think of entropy being generalization of the number of different possibilities there are for a random variable: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, etc. Adding one more bit of entropy doubles the number of possibilities. ~ A Primer on Information Theory and Privacy One of the hallmarks of cutting-edge cybersurveillance is that it can be conducted remotely and automatically, virtually and near invisibly, constantly and near costlessly. In recent years, digital fingerprinting has been used to describe a method of identity tracking combining details (IP address, login identity used on multiple sites, operating system installed, web browser and version of it used) to add to a fingerprint.
A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off. Most browser fingerprinting techniques require Javascript to gather enough information to uniquely identify a user.

Cookies

Cookies are not software. They can’t be programmed, can’t carry viruses, and can’t unleash malware to go wilding through your hard drive. But tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories.

Search leakage

In most search engines, when you do a search and then click on a link, your search terms are sent to the site you clicked on (via the HTTP referrer header). This is called “search leakage.”
Not only the site you intend to visit, but also the search engine gets data from your machine. For example, that Google tracks user searches and online behavior is no secret and Google often shares this information with governments that request it. Google usually follows the law, and does not comply with requests which do not meet the law. See the Google Transparency Report for more on that. Its CEO Eric Schmidt has made plenty of controversial statements in the past.

Computer forensics

Countermoves


Obvious-Web-browser-observation_o_112179

Choose your browser carefully

Always use a GNU free software browser. This ensures it can be freely audited. Doesn’t mean it is audited or reviewed. Check for that. Google Chrome is not open-source, but Chromium is.

Configuring browsers

When you visit any site on the interwebz, your computer automatically sends information about it to that site (including your User agent and IP address). Built into Firefox are a number of “under the hood” settings, which can be changed to improve your privacy and anonymity when browsing.
For not accepting third party cookies:
  • Firefox: Preferences > Privacy > Accept third-party cookies > Never.
  • Chrome (also chromium): Settings > Show advanced settings… > Content settings > Block third-party cookies and site data.
When you change the default cookie “lifetime” from “Keep until: they expire” to “Keep until: I close Firefox”, Firefox changes any persistent cookies that sites set to session cookies. To allow a site to set a persistent cookie, you need to make an exception (site permission). For clearing cookies on exit:
  • Firefox/Tools > Options > Privacy > “Use custom settings for history” > Cookies: Keep until: “I close Firefox”.
  • Chrome (also chromium): Settings > Show advanced settings… > Content settings > Keep local data only until you quit your browser.
When you turn on the clearing of history at shutdown and include cookies, that runs a completely separate process which does not pay any attention to cookie lifetime or exceptions (site permissions). It just nukes them all. (Note that some cookies might survive clearing at shutdown if they are encoded into your session history file, the one Firefox uses to restore your previous session windows and tabs.)
For disabling flash:
  • Firefox: Add-ons > Plugins > Flash > Never Activate.
  • Chrome (also chromium): Settings > Show advanced settings… > Content settings > Do not run plugins by default.
For disabling java:
  • Firefox: Add-ons > Plugins > Java > Never Activate.
  • Chrome (also chromium): Settings > Show advanced settings… > Content settings > Do not run plugins by default.

You can also install a Tor Browser bundle (based on firefox) as an “anonymising” browser. Tor tunnels application data through TLS connections and it is not possible to decrypt such connections by performing traditional man-in-the-middle attack. Tor also sends application data in chunks to make it harder to guess exactly how many bytes users are communicating. For more on such cloaking see the mage arena guide. And further under the hood:

Securing browsers with extensions

The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank). There is mozilla talk of “adding NoScript functionality into the core browser”.
The closest Extension to NoScript that I have found for Chromium is ScriptSafe, which has certain operational differences: Apparently ScriptSafe acts more stringently concerning components of Web pages compared to NoScript.
A disctinct feature of HTTP Switchboard is that it is a scriptblocker and also an adblocker. It is no longer developed. The project has been split into two distinct, more advanced extensions: uBlock Origin and uMatrix.

Fixing tracking with extensions

After installation of browser, you can fix tracking – be careful, some extensions or plugins are not what they seem, nor are all nixes, for instance if you are on Ubuntu, fix it. Blockers listed here do not prevent the execution of inline javascript. For that see securing browsers with extensions.
Clean all teh things:
And play with some really fun add-on stuff:
Depending on your context, purpose, threat model, do not make yourself stand out like a “Big Red A-Team Tank Vehicle” on the internet highway. Really, browsers talk too much.

Checks and balances

Sharing contents and information with others

  • Be suspicious of any email with urgent requests for personal (financial) information.
  • Avoid filling out forms in email messages that ask for personal (financial) information.
  • The contents you share (videos, photos, documents) may contain metadata connected to your true identity, so be very careful, learn how to delete metadata and switch off the GPS in your smartphone, mobile devices and camera before you capture images or videos.

Hoaxes & scams

Search

Startpage can also be combined with the Ixquick proxy. On the Startpage search results page, a ‘View by Ixquick Proxy’ option can be used to visit the search result with a proxy. Startpage has SSL and HTTPS add-ons for Mozilla Firefox.

Anti forensics