I’m paranoid about the web, and with good reason.

The #1 way hackers get into computers today is through your web browser from an infected website.  The battle for control of your computer has spread from e-mail and attachments. Another battlefront has opened up on your web browser.  A large number of big-name sites have been hacked recently and nobody is completely sure just what the hackers made off with.  Hackers use DNS spoofing to trick computers into coming to an infected website, so you can’t completely be sure that you ended up on the website you intended to visit. They also buy up common misspellings of big sites to catch anyone that makes a typo.

Hackers have been using SQL injection vulnerabilities to break into websites for years (it is in fact one of the primary ways hackers get into a server), and these vulnerabilities still go unpatched. Now they are infecting websites in order to set up complex computer/browser/plugin fingerprinting engines that detect vulnerable versions.  These engines deliver attacks custom-tailored to infect the visitor’s computer with slimy botware.  Take out the cookies, pop-ups, plugins and JavaScript and you’ve stripped the attack surface these engines can reach down to just the web browser itself. But this makes browsing less user friendly and a lot more frustrating in the short term, and confusing for people who aren’t technical.

Of course, whenever someone starts talking about a really secure platform, the Mac fanboys jump right in to tell me how secure Apple MacOS is–never mind that the MacOS/Safari combo gets hacked every year (2007, 2008, 2009, 2010, 2011) during PWN2OWN at CANSECWEST.  Never mind that the hackers have now developed a crimeware kit for the Mac, which means Mac users will need to be on the lookout for a deluge of malware from now on.

With so much dangerous malware and so many threats, how do I stay secure online?

Before I go online:

  1. Update my Internet Protection Suite (antivirus)
  2. Update Windows (and reboot if required)
  3. Update the browser (usually Google Chrome)
  4. Update all the plugins for all browsers
  5. Clear out all cookies and cache
  6. Switch to Chrome’s incognito mode
  7. Use various tools on the web to help verify sites are the real sites, and are safe.

That last item is what I do while I’m actually surfing.  It’s somewhat difficult for most people because they don’t know about the tools and they don’t know how to use them, or what the output from the tools means.  A quick Google/Yahoo search for the website or domain name with the words ‘hack’ or ‘scam’ can help.  Knowing where to find and use WHOIS, DNS lookups and website reputation services also helps, a lot.
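One small, offline piece of that last step is checking whether the hostname you landed on is actually one you trust, or merely looks like one (the typo-squats and look-alike names mentioned above). The script below is an added example written for this post, not a tool the post describes: it compares a URL's hostname against a constructed allowlist (`TRUSTED_DOMAINS`, hypothetical values) and flags near-misses by confusable-character substitution, edit distance, a trusted brand name buried in a longer hostname, or an internationalised (`xn--`/non-ASCII) label. The registrable-domain logic is deliberately naive (last two labels), so names under suffixes like `co.uk` would need a real public-suffix list.

```python
"""Flag hostnames that look like typo-squats or look-alikes of sites you trust.

Added example, not part of the original post. TRUSTED_DOMAINS and the sample
URLs are constructed values for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of sites the user trusts (hypothetical values).
# Kept as a list so matching order is deterministic.
TRUSTED_DOMAINS = ["paypal.com", "mybank.example", "google.com"]

# Characters and digraphs commonly swapped for visually similar ones.
# Each is mapped to a canonical form so "paypa1" and "paypal" compare equal.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "rn": "m", "vv": "w", "5": "s"}


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_confusables(label):
    """Collapse confusable characters to one canonical spelling."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Standard Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, detail) for a URL's hostname.

    verdict is one of: "trusted", "lookalike", "idn", "unknown".
    For "lookalike" the detail is the trusted domain being imitated.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.split(".")

    # Internationalised labels can contain homoglyphs the eye cannot tell apart;
    # flag them for manual inspection rather than trying to compare them.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in labels):
        return ("idn", host)

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)

    name = domain.rpartition(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.rpartition(".")[0]
        # 1. Same name once confusable characters are canonicalised (paypa1.com),
        #    or the same name under a different TLD (paypal.net).
        if normalize_confusables(name) == normalize_confusables(trusted_name):
            return ("lookalike", trusted)
        # 2. One typo away from the trusted name (paypall.com).
        if edit_distance(name, trusted_name) <= 1:
            return ("lookalike", trusted)
        # 3. Trusted brand used as a subdomain label (paypal.com.secure-login.example).
        if trusted_name in labels:
            return ("lookalike", trusted)

    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample URLs, not real observed sites.
    for sample in [
        "https://www.paypal.com/signin",
        "http://paypa1.com/",
        "http://paypall.com/",
        "http://paypal.com.secure-login.example/",
        "http://xn--pypal-4ve.com/",
        "https://news.ycombinator.com/",
    ]:
        print(sample, "->", classify(sample))
```

The verdicts are hints, not proof: an "unknown" site may be perfectly legitimate and a "trusted" match only says the name is right, not that the site has not been compromised. Pair it with the WHOIS, DNS and reputation checks the post mentions.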

I usually run Chrome with cookies, pop-ups, plugins and JavaScript blocked or disabled by default, or Mozilla Firefox with the NoScript plugin enabled, or Opera.  I use Internet Explorer only when I absolutely have to, like my bank’s website, which doesn’t support any other browser.  They insist on using ActiveX, the least secure web technology, for their site’s core functions.  Because TLS 1.0 has been proven vulnerable, and MSIE 9 supports TLS 1.1 and TLS 1.2, I have to use Internet Explorer.  Opera is the only other browser that currently supports TLS 1.1 or TLS 1.2, but it doesn’t work with websites that are built on ActiveX.

I don’t generally install or use toolbars, apps or helpers except the NoScript plugin where appropriate.  The only active content plugins are the standard Adobe Acrobat, Adobe Flash, QuickTime and Java plugins, and as I previously mentioned, the browser usually runs with plugins disabled.  The automatic update feature for all of these plugins, and for the web browser and Windows Update are turned on and set to run daily.

Since I run Windows, I enable User Account Control & Data Execution Protection. Windows 7 has address randomization in the kernel and a number of other security features. If they 0day Chrome, it’s sandboxed and all they get is the browser tab and they’ll have to work a lot harder to get control of the computer.  I have a complete Internet Protection Suite installed, enabled and configured to automatically perform updates at the most frequent interval it permits, about every 4 hours.  That’s not nearly fast enough to keep up with the speed at which malware is adapted and released by hackers, and hackers run the malware they produce through the most current version of several Internet Protection Suites before they are released, so even this is no guarantee of protection.

But all that makes for darn inconvenient web surfing.  Most pages don’t work properly and you end up accepting cookies (reload the page), then enabling JavaScript (reload the page) then the Flash or Java applet (reload the page) and that quickly gets tiresome.  However, Chrome will let you set individual exceptions to the ‘deny all’ configuration, as does the NoScript plugin for Firefox.  Over time, the browser becomes configured to make exceptions for sites you visit often and your web browsing smooths out a bit. However, if any site ever gets infected, you’re wide open to attack from that site.

Short of switching to a LiveCD (a Linux distribution that boots from CD) and virtualization to run a temporary copy of Windows (which I can delete after use), I can’t think of a much more secure posture while using Windows, let alone any other OS.

There really is no ‘perfect’ way to stay protected and there are no magic bullets.  Preparation and Awareness are the two biggest tools in my arsenal for avoiding computer infections.