Weblog of a “Switcher”

Well, actually for users of all web browsers that 1Password supports, which is pretty much all the mainstream and even some of the not so mainstream browsers.

The great program 1Password has updated their software to version 2.6 and added a great new feature to it's program that allows it's browser extension to test visited web sites against an online database of known Phishing sites called PhishTank.

It's great to see 3rd party software stepping up to the plate to help make our World Wide Web experience and enjoyable and safe as possible.

I have been a very happy user of 1Password for quite some time now and use it to hold Credit Card info as well as my wife's Social Security Number (I get asked for that number quite a bit since I have been seeing quite a few doctors lately).

With 1Password, you can take all your secure information and store it on your mobile device or iPhone in such a way that only you can access it. This feature has saved my behind several times now!

The program is only $34.95 and well worth every penny.

written by Dave M. \\ tags: 1password, anti-phishing, iPhone, Safari, Security

I usually don't discuss Windows security issues here at Weblog of a "Switcher", but this issue is pretty serious:

Hundreds of Thousands of Microsoft
Web Servers Hacked:

Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines.

...

According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.

...

These types of attacks that infiltrate legitimate, trusted Web sites are precisely the reason I so often recommend Firefox over Internet Explorer. There is a great add-on for Firefox called "noscript," which blocks these kinds of Javascript exploits from running automatically if a user happens to visit a hacked site. Currently, there is no such protection for IE users, and disallowing Javascript entirely isn't really an option on today's World Wide Web. True, you can fiddle with multiple settings in IE to add certain sites to your "Trusted Zone," but that option has never struck me as very practical or scalable.

This kind of thing is one of the main reasons I switched to Macintosh. Mind you, I don't run a web server on my home computers, but I do surf the web. If I were doing so on a Windows based system with Internet Explorer, I could be in severe risk due to the fact that a "Trusted" web site could have been hacked by this new vulnerability and I wouldn't know it.

Actually I'm a little baffled by the author's clam that running Firefox with the extension "noscript" will protect you:

These types of attacks that infiltrate legitimate, trusted Web sites are precisely the reason I so often recommend Firefox over Internet Explorer. There is a great add-on for Firefox called "noscript," which blocks these kinds of Javascript exploits from running automatically if a user happens to visit a hacked site.

He clearly states that this attack hits sites that "are trusted". Since it can get into a trusted site, "noscript" won't help the user at all since the user has stated that they "trust" the site in the first place. Doing so allows javascript to run for that site and allows the attack to occur.

Update (4/26/08 - 5:05pm): Thanks to commenter Giorgio Maone, I have a much better understanding of what NoScript does and retract the above statement. (I'm leaving the text in since I don't want to make it look like I'm trying to cover up my ignorance.)

It's quite clear from NoScript's website that they will not run javascripts that are not hosted by the "trusted" domain. They also help protect against XSS and CSRF attacks. This is something that a lot of web developers are talking about on the web and are very concerned about.

I have to say that with this new info, running Firefox with NoScript is pretty much a no brainer.

I still feel that if you are running OS X or Linux, you will probably be safe from most exploits except for possibly the XSS/CSRF exploits. However, if you only have one browser open and one webpage open when doing on-line banking and other web based services that need to be secure, odds are you will be safe then too.

My understanding of XSS and CSRF exploits are that they need another webpage open with a javascript or Flash program running that will monitor your activity on a secure site like a banking site and send that data to someone other than yourself. (Giorgio Maone, is that an accurate description?) So if you just have the one web page open, you should be pretty safe.

The only real protection from this attack is to be surfing with either OS X or a Linux distribution since the malware that it will attempt to download will not run on either of those OS's.

The first part of this attack goes after all versions of IIS web servers. I've never understood why someone would want to run a Windows web server to operate their website. IIS has a huge history of attacks where Linux running Apache has a pretty clean history. It's possible that IIS offers greater flexibility in what the web developer can do, but is that really worth the risks taken?

So if you are a Windows user, please make sure you are not running any version of Internet Explorer. If you are, quickly head over and download Firefox, Opera or even Safari to browse the web with. They may not fully protect you, but at least you have a better chance of surviving a session of web surfing than you would with Internet Explorer.

written by Dave M. \\ tags: iis, javascript, Security, Windows