NEWSLETTER FOR SEPTEMBER 2006
Securing your Browser and your email client
There is a lot of security info in this newsletter. You will want to read it, unless you don't care about making your computer/network secure and you think you are already protected (I call that a "false sense of security"). Computer security is an ever-changing landscape and to stay in the "safe zone", you have to be constantly on the offensive. Fortunately, I think a time will come when surfing the Internet will become as safe as walking and chewing gum at the same time (yes, I know some of you have trouble with that too).
JavaScript and Security
I spoke of NoScript in last month's newsletter, which is an add-on/extension to the Firefox browser. Well, the new security issue out there right now is JavaScript loading malicious code onto your computer and/or network that could have devastating results. Knowing what I know now, I would never browse without using this great extension. You can "white list" the sites that you know would be safe (such as Amazon.com and my own sites of course), and black list sites that you are unsure of. I highly recommend you use this extension if you are browsing with Mozilla Firefox. If you were to go to a malicious web site that would load JavaScript through your browser, you may ask "How bad could that be?"
Well, imagine that you are behind a router that has its firewall enabled and you think you are perfectly safe. A script (and this does exist right now) would find your router or router/modem (remember, this code is running on your now compromised computer through your browser), then find other computers on this network, change the firewall settings and remove the wireless security settings (WEP or WPA). Not a happy situation, since this happens without your knowledge and you may not find out until it is too late. It would be like running around naked in your house at night with the lights on and all the curtains and blinds wide open in a crowded neighborhood (your butt hanging out in the wind sort of). That is what you are doing if you let code run without your permission on a site that you are unsure of. Let that sink in for a minute...
Stopbadware.org
Now the good news. Currently, there is a project underway that will help all of us stay away from sites that run bad or malicious code. Stopbadware.org, in conjunction with Google, is creating a "black list" of those sites (it is understood that currently 10 percent of the links in Google are malicious!). The hope is that when you click on a bad site you will be redirected to stopbadware.org first to warn you. This is very good for those who do not take a proactive role in keeping their PCs secure.
Securing your Email
You ask... How about email? Well, it isn't getting any easier, and tactics have changed to include scripting in email, using not only JavaScript but HTML itself, which is now embedded in so much email. Yes, it is now possible for you to activate a script on your PC simply by viewing an email! A good article about this can be read here.
One thing I am doing is not having my message pane open. This way, when you click on an email to read it, you will not be opening it up until you double click on it. In Thunderbird you disable/enable the message pane by simply pressing F8. In Outlook 2003, select View|Reading pane|Off. Again, when you want to read an email, just double click on it and it will open in a new window.
Another issue is HTML code within the email itself. If you view your emails as text only, many emails (especially from companies that you buy from, like Overstock, and formatted email like this one) will not display correctly. There is no quick way to switch (that I know of). To switch between HTML, Simple HTML and Plain Text in Thunderbird, go to View|Message Body As and then select your preference. Thunderbird needs to add the option to allow HTML format to parse for those in your address book or from email senders you choose (let's hope they do that!). I like HTML email, so I leave mine enabled. The choice is yours and of course it does come with some risk to the recipient.
Also, at the very least you should turn JavaScript off and the loading of images off by going to Tools|Options|Privacy|General. Make sure you turn on Junk Message filtering in Thunderbird and that will also help. For more details on this and other ways to lock down your email, be sure to read the article from InformationWeek: http://www.informationweek.com/story/showArticle.jhtml?articleID=191902044&cid=RSSfeed_IWK_All.
One last thing about email, and that is phishing. I have talked about it in past newsletters, but you know... the email from PayPal that wants you to update your records and provides a link in your email to a supposedly legit PayPal website. Only it turns out the bad guys are sending you to their site that looks like PayPal to glean your login, password, CC number, etc. from you. Substitute any bank for PayPal, they are all the same (I received one yesterday from what appeared to be Fifth Third Bank that was such a scheme). Well, I have spoken about Spoofstick also in the past, but a more proactive add-on is from Netcraft. This toolbar is available for both IE and Firefox and can be found on Netcraft's Website. It has already protected me a couple of times when I did not expect it. Rather than go long winded here, go to the link above and read what it does and then install it.
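The risks described in this section, as an added example that is not part of the original newsletter: a short Python script that lists what an HTML email would run or fetch if it were rendered (scripts, inline event handlers, remote images) and flags links whose visible address differs from where they really go. The sample message and every host in it are constructed placeholders.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every host and address is a placeholder.
SAMPLE = """\
From: service@paypal.example
Subject: Please update your records
Content-Type: text/html; charset="utf-8"

<html><body onload="track()"><script>document.title = "x";</script>
<img src="http://images.example.net/pixel.gif">
<a href="http://203.0.113.5/login">https://www.paypal.example/update</a>
<a href="https://www.example.org/news">Newsletter archive</a></body></html>
"""

class Scanner(HTMLParser):
    # Records what a mail client would run or fetch when rendering the HTML.
    def __init__(self):
        super().__init__()
        self.findings, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.findings.append(("script", tag))
        for name in attrs:
            if name.startswith("on"):          # onload, onclick, onerror...
                self.findings.append(("event-handler", f"{tag} {name}"))
        src = attrs.get("src") or ""
        if tag == "img" and urlparse(src).scheme in ("http", "https"):
            self.findings.append(("remote-image", src))
        if tag == "a":
            self.href, self.text = attrs.get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data                  # visible text of the current link
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = re.search(r"https?://[^\s/]+", self.text)
            real = urlparse(self.href).hostname
            if shown and real and urlparse(shown.group()).hostname != real:
                self.findings.append(("link-mismatch", f"{shown.group()} -> {real}"))
            self.href = None

def scan_message(raw):
    # Return (kind, detail) findings for every text/html part of a raw email.
    scanner = Scanner()
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    return scanner.findings
```

Calling scan_message(SAMPLE) reports the body's onload handler, the script element, the remote image and the link that displays a PayPal-style address while pointing at a bare IP address; a plain-text message produces no findings.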
Tips
September Tip of the Month
Google has relaunched Writely, the online word-processor they recently bought, in public beta. Writely does everything Word does, for free -- and saves its output as PDFs and even RSS feeds (subscribe to a word-processor doc!). It features collaborative editing -- multiple editors on the same doc at once. FANTASTIC! Update - program is now a part of Google Docs.
Thunderbird Tip!
Have Noia 2.0 eXtreme theme installed on Firefox (not sure...go to Tools|Extensions in Firefox)? To have the same theme for your email client Thunderbird, go to this page and follow the instructions.
Firefox Tip!
You are browsing a page that you would like to see full screen. Press F11 and this will go to full screen mode. Want to go back? Just press F11 again!