Archive for Mozilla

Browser Tabs…Friend or Foe?

Posted in All Posts, Computers, Helpful Hints, Security, Tech News on June 14, 2010 by The Edible Earth

I’ve written about many of the threats that we face on the internet in many of my past posts. Quite frankly, it just seems to never end. Thankfully, due to the blog-o-sphere, many of us are now aware of what to look for. Phishing, spear phishing, man in the middle, etc. are all terms that, in the very recent past, may not have been familiar to many of us. Because of this fact, many are now aware of the attacks, what to look for, and how to prevent them. As a result, the hackers are forced to come up with new and more devious methods of stealing your personal information. Well, they have done it again.

In the past, phishing scams have required you to click on links in a malicious email from someone pretending to be your bank and asking for your personal information in order to fix a “problem with your account”. When you click on the link, it directs you to a fake site that will look very much like your bank’s web page, and once you fill in the ‘User Name’ and ‘Password’, you have given away your personal banking log in credentials. But as I said earlier, users are becoming more and more aware of these phishing scams and the use of them is becoming less and less effective.

Tab Napping, or Tab Hijacking, is fast becoming the new scourge of our browsing woes, according to Aza Raskin, a security expert on Mozilla’s Firefox Web Browser Team. Extra special care is going to be needed when using our browsers, especially if you are prone to using numerous tabs at one time.

This is how it works…..

A hacker can actually detect when a tab in your browser has been left idle for a long period of time. They replace that tab with a fake website that looks just like a real site, such as your banking site, and it asks you to reauthorize your credentials by entering your User Name and Password. Knowing that your bank will often do this when your account has been idle for a period of time, you don’t think anything of it and re-enter your credentials. At that point, they now have your personal banking log on information. They can then actually redirect you to your actual banking site, as you never were really logged out to begin with. Plus, the damage has already been done. By doing this, you will never even realize that you have just had your banking information stolen.

How Can I Protect Myself From Tab Napping?

Even though this is a serious problem, being aware of the signs can make this a relatively simple thing to avoid.

First off, as always, before entering your personal credentials to any website, look at the actual Uniform Resource Locator (URL) for the page that you are on, and make sure that you are, in fact, where you think you are.

Secondly, while glancing at that URL, make sure that you are on a secure page, one that begins with https:// and not just http://. Never enter any personal information on a page that begins with only http://.

Thirdly, whenever doing any banking, instead of opening a new tab (Ctrl-t) in your browser, open a new window (Ctrl-n) for your banking log on. This way only one tab will be open in that window, confusion will be less likely, and tab inactivity will be avoided.

Next, avoid leaving tabs open that are asking for your log in credentials. Always close log in pages to your bank, ecommerce sites, or any other site that is looking for any personal identifying information. You can always re-open these pages should you need them again.

I think that making sure you are where you think you are is the most important thing in avoiding these phishing scams. Before entering any personal information on any site, look at that URL and make sure that it is actually from the company or institution that you are logging into. If unsure of how to do this, check out my two part post on Uniform Resource Locators by clicking HERE and HERE.
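One way to spot the pattern described above from the defender's side, as an added example that is not part of the original post: compare what each background tab shows against what it showed when you last looked at it. The snapshot records and the `findHiddenChanges` name are constructed for illustration and are not a browser API.

```javascript
// Constructed sample data: periodic snapshots of open tabs (t is in seconds).
const SNAPSHOTS = [
  { tab: 1, t: 0,   visible: true,  origin: "https://news.example", title: "Daily News" },
  { tab: 2, t: 5,   visible: true,  origin: "https://blog.example", title: "Cat pictures" },
  { tab: 2, t: 60,  visible: false, origin: "https://blog.example", title: "Cat pictures" },
  { tab: 1, t: 65,  visible: false, origin: "https://news.example", title: "Daily News (3)" },
  { tab: 2, t: 900, visible: false, origin: "https://signin.example", title: "Example Bank - Sign in" },
];

// Returns one finding for every hidden snapshot that differs from the state
// the user last actually looked at in that tab.
function findHiddenChanges(snapshots) {
  const lastSeen = new Map();            // tab id -> last state the user saw
  const findings = [];
  const ordered = [...snapshots].sort((a, b) => a.t - b.t);
  for (const s of ordered) {
    const seen = lastSeen.get(s.tab);
    if (s.visible || !seen) {            // user is looking, or first sighting
      lastSeen.set(s.tab, s);            // so this becomes the new baseline
      continue;
    }
    const changed = ["origin", "title"].filter((k) => s[k] !== seen[k]);
    if (changed.length === 0) continue;  // hidden but unchanged: nothing to report
    findings.push({
      tab: s.tab,
      idleSeconds: s.t - seen.t,
      changed,
      // A new origin in a hidden tab is a navigation the user never saw.
      // A title-only change is common on legitimate pages (unread counters).
      severity: changed.includes("origin") ? "high" : "review",
      nowShowing: `${s.title} <${s.origin}>`,
    });
  }
  return findings;
}

console.log(findHiddenChanges(SNAPSHOTS));
```

A title-only change is reported at the lower "review" level because mail and news pages update their titles in the background all the time.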

Uniform Resource Locator

Posted in All Posts, Computers, Helpful Hints, Security, Tech News on January 13, 2010 by The Edible Earth

The Uniform Resource Locator, or URL, is an address that identifies an available resource and where that resource can be located. URLs indicate the server location, subfiles, and file names where specified web pages can be found on the internet. However, with the onset of malware on the web, it is important to understand the format of URLs in order to keep from being tricked into going to a malicious website. You need to be sure that you are going exactly where you want to be going, and the only way to know that is by understanding how to interpret what the URL means.

Before we get started, you will need to click on the “Title” of this post so that the URL will make sense to you. My “Home Page” will show you the URL labeled “https://macarooni.wordpress.com/” but by clicking on the title which is named “Uniform Resource Locator”, it will lead you to a page named “https://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/”. You will need to see this entire address in order to comprehend what is coming up next.

The first item in a URL is the “http://” (http://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/) which stands for Hypertext Transfer Protocol. The actual understanding of the technology behind this is not important; however, this technology was what led to the creation of the World Wide Web. All URLs, except those using Secure Sockets Layer (SSL), begin with “http://”.

The next item in a URL will be the “www.” (http://www.macarooni.wordpress.com/2010/01/13/uniform-resource-locator/), which stands for World Wide Web. This is saying that your query will be on the web. What? You may be saying, I do not see a “www.” in this post’s URL. This can be a little deceiving. Most DNS servers do not require that the www. be a part of the web address. It can, in most instances, be left out, as the DNS and your browser will recognize that you obviously want to go to the web. If you type “http://google.com”, your DNS server and browser will know that you are looking for Google and will direct you to “http://www.google.com”. Likewise, should you just type “Google.com” in the URL, your DNS server should be smart enough to direct you to Google’s home page. The more popular the site is, the more likely that typing in vague URLs will direct you to the correct page, without going to a search result page.

I know what you are saying…..Why is this so confusing?

It is confusing and it will only get more so, but this is something that needs to be understood in order to surf the web safely.

In most cases, the next item will be the server that you are looking to connect to. In the case of Google, the server name is “Google.com”. In the case of this page, in which you see “macarooni.wordpress.com”, the “macarooni” is stating a specific area on the server to connect to. WordPress’s servers are shared by many other blogs besides this one, so each blog will have its own section on the server in which the data will be stored. So “macarooni.wordpress.com” is sending you to my section of the wordpress.com server. Here is what it should look like: http://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/

Folders and Subfolders. These follow the name of the server and the location on the server, and are always separated with a slash (/). So if you look at the URL for this post, you have the http:// and then the www. and then the server that you are going to, which is named “macarooni”, and the domain or server is “wordpress.com”, meaning that you are connecting to servers at WordPress.

I did not mention this and it is an important point. All domains consist of a name followed by a dot and then a Generic Top Level Domain (gTLD) name. These are web site categories maintained by a certified authority, namely the IANA (Internet Assigned Numbers Authority), which are used by the DNS (Domain Name System) for use on the internet. Some of these categories are unrestricted, like .com (commercial sites) and .info (information sites). These unrestricted categories can be used (registered) by anyone. Others are restricted, such as .gov (government), .mil (military), and .edu (education), which can only be used by sites that fall into their particular category. There are also categories based on location, such as .ru (Russia), .fm (Federated States of Micronesia), and .tv (Tuvalu). Now there are many other categories that you may encounter, but these are a few of the main ones. To get more information on the categories, you should visit the Wikipedia site HERE.

Ok, back to Folders and Sub-Folders. Like I said, these are always separated with a Slash (/) mark. The easiest way to explain these is to think of a file cabinet and I am going to use the URL for this site as an example. Think of the domain (http://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/) as being the File Cabinet itself. Now this file cabinet has drawers in it. After the first slash is a folder named “2010” (https://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/). So that represents the drawer in your file cabinet that is labeled “2010”.

Now you open up that drawer and find that you are looking at a bunch of hanging folders in that cabinet drawer. One of those folders will be labeled “01” (https://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/). This is known as a sub-folder. There can be a lot of different sub-folders in a URL, but most sites try to keep these as minimal as possible to make it as easy as it can be.

Next in this site’s URL is the “/13/”. Think of this as being a manila folder, that is labeled “13”, stored within the hanging folder that is labeled “01”. https://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/

The last item in the URL is the actual file that you are going to display. In the case of this site, it is a file named “uniform-resource-locator”. In our file cabinet example, this would be the actual document that you pull out of the manila folder.

The actual file that displays on your computer (“uniform-resource-locator”) is in the manila folder (“13”), in the hanging folder (“01”), in the drawer (“2010”) that is in the file cabinet (“macarooni.wordpress.com”): https://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/

The first and most important thing to understand is how the gTLD is displayed: it will always follow the last dot in the domain name. Secondly, all folders and sub-folders are separated by a slash (/).
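The URL anatomy from this post, together with the check-the-address advice from the tab-napping post, as an added example (not code from the original posts): `dissectUrl` splits an address into the parts named above, and `isExpectedSite` accepts it only when it is https and on the domain you expect. Both function names and the lookalike hosts in the usage lines are constructed; the last-two-labels rule follows the post and ignores suffixes such as co.uk.

```javascript
// Split a URL into the pieces of the file-cabinet analogy.
// Uses the standard URL class available in browsers and Node.
function dissectUrl(raw) {
  const u = new URL(raw);                        // throws on malformed input
  const labels = u.hostname.split(".");
  const segments = u.pathname.split("/").filter(Boolean);
  return {
    scheme: u.protocol.replace(":", ""),         // "http" or "https"
    tld: labels[labels.length - 1],              // label after the last dot
    // Assumption: domain = last two labels. Real code should consult the
    // Public Suffix List so that "example.co.uk" is handled correctly.
    domain: labels.slice(-2).join("."),          // the file cabinet
    subdomain: labels.slice(0, -2).join("."),    // section on the server
    folders: segments.slice(0, -1),              // drawer, hanging folder, manila folder
    file: segments[segments.length - 1] || "",   // the document itself
  };
}

// True only when the page is served over https AND its host is the expected
// domain or a subdomain of it. expectedDomain is supplied by the caller.
function isExpectedSite(raw, expectedDomain) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  const host = u.hostname.toLowerCase();
  const want = expectedDomain.toLowerCase();
  return u.protocol === "https:" && (host === want || host.endsWith("." + want));
}

const post = "https://macarooni.wordpress.com/2010/01/13/uniform-resource-locator/";
console.log(dissectUrl(post));
console.log(isExpectedSite(post, "wordpress.com"));                             // genuine
console.log(isExpectedSite("http://macarooni.wordpress.com/", "wordpress.com")); // not https
// Constructed lookalikes: the real name appears, but not as the domain.
console.log(isExpectedSite("https://wordpress.com.login.example/", "wordpress.com"));
console.log(isExpectedSite("https://wordpress.com@login.example/", "wordpress.com"));
```

The two lookalike addresses fail because the host is read from the right: everything before `@`, and every label to the left of the real domain, is under the control of whoever owns `login.example`.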

Why is this so important?

Check for my next post, which will explain how these URLs can be manipulated to redirect you to sites that contain malicious software. I will also explain a little about Secure Sockets Layer (SSL) encryption.

Let me know what you think…..Does this make sense?

Feel free to leave a comment….

Internet Explorer…..oops, We did it again!!!!

Posted in All Posts, Computers, News, Tech News on July 7, 2009 by The Edible Earth

Microsoft has just announced a hole in its Internet Explorer browser. This is a “Zero Day” exploit, which means that Microsoft discovered this hole after it had already been affecting computers in the “Wild”. Microsoft deems this exploit as being “critical”. This is a Video ActiveX exploit which would enable a hacker to take complete control of your computer simply by having you visit a malicious website or a legitimate website that has been compromised. Microsoft has stated that “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.” The weird thing about this is that this ActiveX control, which has been left over from past versions of IE, is of absolutely no use. Even Microsoft admits that it has no reason why this file is even there, as there is no current application that would need it. Now to Microsoft’s credit, they have released this notice, which is out of character for them, and a leftover .dll file is something that could easily happen, due to the tremendous amount of these libraries that “litter” Windows. Even though Microsoft is aware of this exploit, it is doubtful that a fix will be available anytime soon; almost certainly it will not be available on “Patch Tuesday”, July 14th. However, I would keep my eyes open for an out of sequence update to Windows to come later in the month.

Now Microsoft claims that this exploit only affects their Windows XP and Server 2003 systems; however, being that this ActiveX application does absolutely nothing, it is probably prudent to disable it even if you are using Vista or the Windows 7 RC. Read on to find out how.

Symantec has also said that it only affects IE6 and IE7. Meaning, according to them, you are safe if you are using IE8. I don’t know if I believe that though, as this ActiveX is still in IE8 and you would think that the vulnerability could be exploited.

To read Microsoft’s Security Advisory (972890) you can click HERE……

Now one nice thing that Microsoft has done, which enables users to easily fix problems that are discovered in Windows, is their “Fix It” buttons on their “Help and Support” pages. All you need to do is click HERE to go to their “Help and Support” page and click on the “Enable Workaround” option to disable this ActiveX.

In my humble opinion, the easiest way not to subject yourself to this exploit is to simply use a more secure browser.  I recommend Firefox and you can download it for free HERE.  It is faster, and as I stated is more secure than Internet Explorer.  Really, the only reason that you should need IE is to get Windows Updates. The masses are starting to realize this as Firefox is fast gaining market share on Internet Explorer.  Click HERE to see browser stats.

Firefox Upgrade!!!

Posted in All Posts, Computers, Helpful Hints, Tech News on June 29, 2009 by The Edible Earth

I don’t know, it seems difficult to get excited about a new browser upgrade, but this one just seems to be different as I find myself waiting with bated breath for this release. Well, the wait is over as Mozilla announced the release date for its new Firefox 3.5 browser (code named “Shiretoko”), and the day has finally come…..tomorrow morning Pacific Time you will be able to install this new browser upgrade. The enhancements to this browser just get me thinking about where we are going. An upgrade like Private Browsing (sometimes called “porn mode”), which does not save any browsing history, cookies, etc., and keeps your browsing private, is not new, as the other major browsers like IE8 and Google Chrome already have this capability. Firefox 3.5’s enhanced JavaScript rendering, using a new engine called “TraceMonkey”, should majorly enhance the browser’s speed. But probably the thing that I am most interested in seeing is Firefox 3.5’s ability to use the new HTML5 audio and video tags, which will, once the HTML5 tags are incorporated into websites, enable video and audio to be placed in the body of the page, thus not having the dedicated little box on the left or right where the video is played. HTML (Hyper Text Mark-up Language) is the ‘language’ that is used to create web pages. I think this is going to make innovative and interesting web pages “come to life”. Being able to put video and audio directly in the body of the page is going to be something to see, with the potential of making web pages that are more interactive. When I say embedding them into the body of the page, it is kind of like comparing a picture in an email that is seen in the message, as opposed to being shown at the bottom of the page as an attachment.

Originally the new version was going to be called Firefox 3.1 (current version is 3.0) but according to Mike Shaver, Mozilla Corp.’s VP of Engineering, “The increase in scope represented by TraceMonkey and Private Browsing, plus the sheer volume of work that’s gone into everything from video and layout to Places and the plug-in service, make it a larger increment than we believe is reasonable to label .1”.

According to Net Applications, a browser usage company, Firefox now touts a 22.5% market share of browser use. Led by IE, Firefox comes in the second spot, followed by Google Chrome, Apple’s Safari, and Opera. Having this large a market share may cause a huge volume of upgrades on the 30th of June. This could very well slow or crash their server, as it did in June of 2008 when the 3.0 upgrade was instituted, so expect delays if you plan on “standing in line” to get this new update when it first is released.

To see the Top 10 enhancements to this browser, check out Lifehacker.com’s article HERE!!!

If you are currently not using Firefox and want to see what the fuss is all about, you can get it HERE (free of course)!!!

If you are a current Firefox user, the update will eventually come through automatically, but if you want to be first in line, just click on the “Help” option in the toolbar and select “Check for Updates”.  You know I will “Be In Line”!!!!

Let me know your thoughts…..