Archive for the ‘Definitions’ Category

My dentist was asking about his computer this evening. He’s been having some trouble that might indicate a virus or could just be a sign that the computer’s getting a bit old. Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn’t really sure what they were. Between the novocain and the drill, I’m sure my answer was completely incoherent so here is an attempt to better answer the questions “What is an add-on” and “Should I let it be added to my computer”.

First, what is an add-on? (Other names include plug-in, extension and sometimes theme. More on that later.) An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program. Most people learn about add-ons in the context of their internet browser, especially if they are Firefox users. Add-ons can improve your computer’s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.

Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer. If you find an add-on you like – and there are some good ones out there – be sure that you get it from a reliable source. If you’re looking for add-ons to Mozilla’s Firefox, for example, go to Tools/Add-ons and look for the Browse all add-ons link. That will take you directly to the official Mozilla site. Internet Explorer has a similar path.

Some add-ons can be very helpful. I really like NoScript and AdBlock for Firefox. Between the two of them, they make my browsing much safer.

Many add-ons are neutral from a security point of view – they may make your browsing experience better but they neither help nor hurt your computer’s security.

Some are downright dangerous – add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security. Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.

And an unfortunate number of add-ons are offered with a good heart but are either badly written or just don’t take into account all the possible configurations that are out there – and when used in combination with some other add-on or program, they create new vulnerabilities that didn’t exist before. I put all the Google and Yahoo Toolbar add-ons in this category – well-intentioned but fundamentally unsafe.

Add-ons also tend to go out of support fairly quickly. They are often written by volunteers, after all. Microsoft has a financial incentive to keep programmers pounding away, patching their products. If a hacker finds a hole in an add-on, it may or may not get fixed quickly.

If you find an add-on you like, read the reviews to see what other users say about it. See if anyone has had concerns about unexpected interactions or problems. See if it’s been updated recently and find a legitimate download site. Then back everything up on your computer before you install it.

On the other hand, if your computer “spontaneously” offers to install an add-on, the right answer is almost invariably to reject it. If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.

When an add-on is primarily designed to change the look and feel – background colors, fonts, logos, maybe even layout and organization of buttons – but not to change the underlying function of the program, that’s usually called a “theme”. There are literally thousands of themes available including ones for just about every sports franchise imaginable. They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player. Themes are usually safer to load since they are not supposed to affect the program but be careful. Something advertised as merely a theme can still include malicious code. And a badly written theme can cover up functions you do need, like say, the undo button – it’s still there but you can’t reach it because some other button is in the way. Like other add-ons discussed above, only consider themes from reputable sources. If you’re not sure, stick with the default theme.

This post is a little more technical than our norm but I think it’s important to understand some of the buzzwords around security. SQL Injection attacks (pronounced see-kwel) are a tactic that a hacker can use to get your computers to do more than they should.

SQL stands for Standard Query Language and is the code that almost all databases use when answering your questions. SQL is what brings up your account when you log onto your bank to see your latest statement. Any but the most rudimentary website uses a SQL database to hold, sort and present the content to you, the reader.

As long as the user plugs in things that make sense (like a name into the username field), the query will run properly and will return only the results for your account. But what happens if you type something unusual into that field? What if you put in an account number instead? If the website was well-designed, the request will simply fail. If, however, the website was not designed properly, the computer may return something – but it won’t be anything that you intended.

For example, a hacker might try typing ' OR 1=1 -- into a date field. The “OR 1=1” part will always be true. The -- characters tell the computer to consider everything after as a comment (that is, a note the programmer left to him/herself as an explanation of the code). The result is a request for all lines of data where the first part is true. But 1=1 is always true so the computer spews out all the data in that table. Not only does the hacker get his own account details, he gets yours and everyone else’s as well.

Other commands can be crafted to modify data, add tables, execute commands, etc. If a site is vulnerable to a SQL-injection attack, there is little that the hacker can’t do.

How do you stop it? The easiest way to prevent a SQL-injection attack is to design your application to validate its inputs. The username field should have only text characters (or maybe also some numbers but nothing that looks like computer code), the credit card number field should only accept numbers, etc. Define the acceptable character sets and enforce those whitelists. Force the inputs to conform to specific patterns when special characters are needed (e.g. dd-mm-yyyy). And validate the data length of all inputs.

These are all basic checks that the folks building your website should be making. Put the IT processes and controls in place to make sure that they are building you a quality product and won’t leave your data vulnerable to the world.
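The checks described above, as an added example that is not from the original post: a lookup built by pasting input into the query, next to one that enforces a whitelist and length limit and then binds the value as a parameter (binding is an addition to the validation the post recommends). The table, function names and the 32-character limit are assumptions made for the illustration, and the input from the post is applied to a username field here.

```python
import re
import sqlite3
from datetime import datetime

def make_db():
    # Constructed sample data: two accounts in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75)])
    return db

def lookup_vulnerable(db, username):
    # Poorly designed site: the input is pasted into the SQL text, so quotes
    # and comment markers typed by the user become part of the query.
    sql = "SELECT username, balance FROM accounts WHERE username = '%s'" % username
    return db.execute(sql).fetchall()

USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # whitelist plus length limit

def lookup_hardened(db, username):
    # Reject anything outside the whitelist before touching the database.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 1-32 letters or digits")
    # Bind the value as a parameter so the database treats it only as data.
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def parse_date(text):
    # Force the dd-mm-yyyy pattern, then confirm it is a real calendar date.
    if not re.fullmatch(r"\d{2}-\d{2}-\d{4}", text):
        raise ValueError("date must be dd-mm-yyyy")
    return datetime.strptime(text, "%d-%m-%Y").date()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"                  # the input quoted in the post
    print(lookup_vulnerable(db, payload))    # every row in the table
    print(lookup_hardened(db, "alice"))      # only alice's row
```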

By the way, to test whether a site has their own security in place, type something unusual into a field and see what happens. If you get a simple error telling you the allowable format (or if the computer simply rejects the request), you’re probably okay. If you see a lot of computer gobbledy-gook, you might not want to let that company have your confidential data.

In general, web filtering is the idea of setting some kind of filter on your internet connection to block users who try to browse to a site with inappropriate content. You may not care about pornography on an adult’s computer at home (and indeed, it’s protected under free speech laws) but few businesses want to deal with the reputational damage that comes from finding one of your computer’s digital ‘footprints’ in the logs of a questionable site. Web filters are commonly put in place to help keep your users within your corporate Acceptable Use policy (or, at home, to make sure that your kids are staying at age-appropriate kinds of sites).

Corporate examples of web filters include Websense and OpenDNS. Home tools might include NetNanny or CyberSitter.

All of these tools work by building long lists of webpage addresses and categorizing each site. Amazon gets classed as a shopping site, Playboy as adult content, YouTube as streaming media, ESPN as a sports site and the local high school as an educational institution. When a user attempts to go to a webpage, the URL is compared to the filter’s master list. If the URL is on the list and allowed, the content flows through to the user’s browser. If the URL is in a blocked category, the user gets an error message on his/her screen instead.

There might be as many as a hundred different categories. You decide whether to permit or block each category on the list based on the risks to your organization including the risk that you will interrupt the business accidentally. Block too much and you’ll find that you’ve gotten in the way of business. Or that you’ve cut off some service that your younger employees take for granted, hurting morale and making retention more difficult. Don’t block enough and you increase legal and employment risks unnecessarily. And no matter how much or little you block, there will always be some false positives – legitimate sites that are mistagged by the vendor. (Breast cancer research sites, for example, are frequently mistagged as adult content.)

The problem now is that the hackers are starting to find ways around the web filters. Inappropriate sites are often up for only a short while, then moved to a new address faster than the filter-makers can update their lists. Inappropriate content is also hidden on hijacked sites that some legitimate business or person failed to properly protect. No matter how hard they try, some inappropriate sites can always slip through. (For more about the limitations of web filters, read this article from CSOonline.)
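A sketch of the list lookup and category policy described above, added here as an illustration and not taken from any filtering product. The master list, the blocked categories and the function names are constructed for the example; it also shows why an address that is not yet on the list gets through unless the policy blocks uncategorized sites.

```python
from urllib.parse import urlsplit

# Constructed master list: domain -> category, using the sites the post names.
CATEGORIES = {
    "amazon.com": "shopping",
    "playboy.com": "adult",
    "youtube.com": "streaming-media",
    "espn.com": "sports",
}
BLOCKED = {"adult", "streaming-media"}   # assumed policy for this example

def categorize(url):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Try the full host, then each parent domain, so www.espn.com matches
    # espn.com. Matching whole labels keeps notespn.com and
    # espn.com.lookalike.example from inheriting the espn.com category.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None

def decide(url, block_uncategorized=False):
    # Returns (action, category). Uncategorized sites follow the policy switch.
    category = categorize(url)
    if category is None:
        return ("block" if block_uncategorized else "allow", "uncategorized")
    return ("block" if category in BLOCKED else "allow", category)

if __name__ == "__main__":
    for url in ("https://www.espn.com/nba",
                "http://www.playboy.com/",
                "http://brand-new-site.example/"):
        print(url, decide(url))
```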

Even with those limitations, I strongly recommend that every organization install a webfilter to stay safe from hostile workplace suits and other employment risks. It won’t be perfect but it’s still an important part of your layers of defense. I also recommend that any parent with children still living at home install a filter. Kids may seem very web-savvy but they still don’t know how to fully protect themselves from strangers, hackers and other age-inappropriate content. Help to protect them from themselves.

Clickjacking is a relatively new technique to trick internet users into giving up their confidential information or letting a hacker steal access to their computers while they are browsing at what appear to be innocent sites. Clickjacking has been in the news because Microsoft claims to have solved the problem in their new browser, though more recent reviews suggest that their protection may not be as effective as was originally hoped.

Clickjacking works by hiding code on a webpage that gets activated when the user clicks on a button on the page. The page often appears to be a trusted site (or at least an innocuous site) like a computer game but is overlaid with a transparent page using a technique called frames. The user thinks that he/she is interacting directly with the visible page but in fact is clicking on invisible buttons on the transparent overlay. The buttons on the computer game are then carefully placed to match the location of the buttons on the hijacked screen. As the user plays the game, he/she is simultaneously doing something on that other screen.

If you have your own webpage, you should add some hidden “framekiller” code to your own page which will prevent it from being hijacked by a clickjacker. This will also make it slightly harder to steal any copyrighted content that you publish online though it may disrupt legitimate uses of frames.

As an internet reader, your best defense against clickjacking is to disable JavaScript. If you are a Firefox user, you can add the “NoScript” extension to your browser. NoScript lets users selectively block the scripts on each page. Because clickjacking requires scripts, the attack fails when NoScript is active. If you are an Internet Explorer user, you can control your JavaScript permissions via Tools/Internet Options or you can upgrade to IE 8 for their embedded protection.

You can read more about clickjacking at wikipedia.org.

You just got a popup on your computer that “there is an error with XYZ’s certificate” and asking whether you’d like to accept the certificate forever, accept it only for one visit, or choose not to accept it. (See the example below) What exactly is a web site certificate and should you accept it or not?

[Image: Certificate]

Certificates are small bits of code used by organizations to show that they are who they say they are online. Certificates are generally purchased from third parties called ‘certificate authorities’ – trusted companies who give the on-line equivalent of a Good Housekeeping seal of approval on the connection. Note: Certificate authorities do not evaluate the company, the website or their products. A certificate does not mean that the site is free of viruses or other malicious content. Certificate authorities merely verify that the web address actually belongs to the organization buying the certificate. When you type a URL or follow a link to a secure web site, your browser will check the certificate to make sure that the web site address matches the address on the certificate and that the certificate is signed by a certificate authority that the browser recognizes as a “trusted” authority.

If the organization wants to set up a secure website (that is, one that uses https instead of just http and has the yellow padlock in the bottom right of the window), they will need a site or host-certificate to set up the encryption. By making sure that the website encrypts your information and has a valid certificate, you can reduce your online risks.

The problem is that almost anyone can create the piece of code that looks like a certificate. Many legitimate companies want to set up secure connections but don’t want to pay extra to the certificate authority for verification so they self-generate a certificate. Hackers can generate certificates, too, and use them to more closely mimic the legitimate secure site.

If the certificate is not from a trusted authority that your browser recognizes (there are about 100 trusted authorities loaded into your browser by default) or has some error or inconsistency, you have to decide whether or not to trust the web address and allow the connection.

To verify a certificate, look for the certificate feature in the browser’s menus. In Internet Explorer, you can find it under File/Properties when you are on the secured site. When you click on the certificate button, it should show:

  • who issued the certificate – Make sure that the issuer is a legitimate, trusted certificate authority.
  • who the certificate is issued to – This should match the owner of the web site.
  • expiration date – Most certificates are issued for one or two years. Be cautious of certificates that are valid for longer than two years or that have expired.
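The three checks in the list above, written out as an added example that is not part of the original post. It reviews a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`; the two certificates, the trusted issuer name and the function names are constructed for the illustration, names are compared exactly (no wildcard handling), and signature validation is left to the TLS library.

```python
import ssl
import time

TWO_YEARS = 2 * 365 * 24 * 3600   # the post's upper bound on a normal lifetime

def names(field):
    # subject/issuer are tuples of RDNs, each a tuple of (key, value) pairs.
    return {key: value for rdn in field for (key, value) in rdn}

def review_certificate(cert, site, trusted_issuers, now=None):
    now = time.time() if now is None else now
    findings = []
    # 1) Who issued the certificate.
    issuer = names(cert["issuer"]).get("organizationName", "")
    if issuer not in trusted_issuers:
        findings.append("issuer not trusted: " + issuer)
    # 2) Who it is issued to: must name the site being visited.
    dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    dns = dns or [names(cert["subject"]).get("commonName", "")]
    if site.lower() not in [n.lower() for n in dns]:
        findings.append("issued to %s, not %s" % (", ".join(dns), site))
    # 3) Expiration date and overall validity period.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > end:
        findings.append("expired")
    if end - start > TWO_YEARS:
        findings.append("valid for longer than two years")
    return findings

# Constructed sample certificates in getpeercert() format.
GOOD_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Shop"),),),
    "notBefore": "Jan 01 00:00:00 2014 GMT",
    "notAfter": "Jan 01 00:00:00 2034 GMT",
}
```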

If you want to see all of the certificates currently on your machine, try Tools/Internet Options/Content and look for the certificate button.

If you have the time and need, you can verify every aspect of the certificate by contacting the company or the certificate authority. For most sites, you don’t need to bother. But if it’s a connection that you’re using for highly confidential information (like your banking website) or if you have a reason to be suspicious of the site (perhaps a phishing site), take the time to verify the certificate. You’ll only have to do it once – your computer will remember your decision thereafter.