Trusting Websites
Trusting website can be difficult and you’re not always going to get it right. Think of it like going to a restaurant or driving down the highway. If you went to a restaurant and it was dirty and had roaches all over the place, you wouldn’t eat there. Same goes for a crazy or drunk driver on the highway, would you stay there? No, you would slow down and get out of the way. Trusting websites is about noticing the signs and acting on them.
I would like to start off by saying that I’ve had customers call me and tell me that they just went to a website that they have been visiting to for years and, bang, they got infected, their computer restarted, now nothing is working and the computer is asking them for a credit card to fix the problem. A website that you trust today can be compromised tomorrow. Unfortunately, there isn’t much that can be done except, clean your computer, notify the website and return to the website when you are sure the site is safe again. Remember, most websites want you to visit there site, view the content and come back often so most websites will do everything they can to keep their site safe and clean.
We are going to take the tree examples from the previous post in this series “How to Identify Unsafe Websites” and expand on them.
Big Websites
Let’s start with the larger websites like www.msnbc.com, www.cnet.com, lifehacker.com (one of my favorites), and www.microsoft.com. If you visit anyone of these sites, you’ll notice that the layout of the site has been well thought out and everything is in a uniform and consistent order. These larger sites have advertising; however, the advertisement is well placed, consistent with the website and isn’t excessive. Also, the advertisements on these sites are considered unobtrusive in that, they aren’t pop-up’s and they aren’t rapidly flashing multiple different colors. Visiting these types of site is usually an enjoyable experience and one that you would consider repeating often. Trusting larger websites like these is easy and they do their best to make it easy for you to trust them.
There are really big websites that are very safe but you still need to be mindful of certain things. Amazon.com is a great example of a website that is safe, you (may or may not) visit often and one that you need to be careful of. Sites like Amazon and Google are spectacular sites that offer a lot of services and value to its visitors. However, sites like Amazon and Google also collect a lot of unique information about you and what you do on their sites and with their service. In interviews with different employees at Google, different employees have been quoted saying that Google doesn’t delete any information that it collects; ever. That means that somewhere in Google’s massive server-farms, there is a search that you did in 2000 and they will keep it forever. They use that information to better their services, yet, it’s a lot of, what might be considered, personal information. The larger websites out there are easy to trust from a security stand point, but remember, they are going to do what’s best for them as a business and for most of them, that means collecting as much information about you and what you do and, in some cases, selling for profit.
Mid-size & Small Websites
Mid-size to small websites suffer from a lot of the same problems; yet, this is where I spend most of my time on the Internet. Mid-size and small websites service the special interest that we all have and contain a lot of the non-mainstream information that we look for. Websites like www.killsometime.com, www.xkcd.com and many others offer all the information we could possibly want on any subject that we can think of. They have specialized in things like: Best places to visit while you’re in California, How to easily make a website without special programs, How to safely build a rocket, entertainment like videos of people jumping off of houses and video games, and a lot of companies that keep information online to support their products or services. These sites are great and they make up a huge portion of the Internet. All of these websites make the Internet a place where you can find absolutely anything and nothing at the same time.
With these types of websites, you can run into a lot of different problems. Because very few of these websites have the resources available to higher web and information security personnel, they can’t always respond to security issues fast. They are usual understaffed and with the decreased amount of traffic there will be fewer users to report any problems. Website security is very important because there is only three or four main web browsers (Internet Explorer, Firefox, Safari and Chrome) and two or three operating systems (Windows, Apple and Linux) that everyone in the world use. Having standard software has many advantages for regular users; however, it makes it easier for the bad guys. With one virus, a bad hacker could attack 50% or more of the world; those that uses Windows XP and Internet Explorer for example. On a lot of smaller websites, you need to be careful of the links you click on because they could say one thing and take you somewhere else (give it a try: www.hnsecurity.com). Also, you have to be careful with anything that you download from them as well. Even though it’s a program that you want or one that you downloaded before, you need to make sure that no one has tampered with the program before you run it on your computer.
Mid-size to small websites will also be less profitable and will sell a lot of advertising to anyone willing to pay them for it and, in turn place those advertisements everywhere they can. As mentioned in part one of this series, the advertisements that are placed can be very harmful and if the site owners aren’t diligent during the screening process, if they have one, they can easily load malicious code onto their websites and infect anyone that visits. One of the biggest security issues on the Internet is something called cross-site-scripting and its where bad hackers will use the interconnected nature of the Internet and web-applications (Adobe Flash, Java, etc) to infect your computer and they can easily be placed in many types of advertisements.
What You Can Do
When visiting larger websites, try to be mindful of the information you’re giving them. A lot of the larger sites are very careful and respectful of your information. They do everything they can to make sure your information is secure; you just want to make sure they don’t collect anything you don’t want them to. There are a few things you can do to keep some of your information privet. Disabling all cookies in your browser works really well for most sites. Cookies report information about you and your browser back to the website and by disabling them, they can’t report anything back. One drawback of doing this: you won’t be able to logon or stay logged onto almost any websites including Yahoo Mail, Gmail, AOL, and most banking sites. These types of sites use special cookies to make that after you login; you’re still you (Confusing? Maybe more about cookies in a later post). There are browser extensions (Stealther for Firefox) and settings (InPrivate Browsing for Internet Explorer) that will allow you easily enable and disable cookies and other traceable settings.
For websites where security is more of a concern, there are a few things that you can do to be safer. Let your anti-virus software of choice do its job. When you download anything from any website, even those you trust, don’t ever select “Run” or “Open with” from the download box. By doing this, you bypass your security software and dramatically increase you chance of getting a virus. You should always select “Download”, then right click on the file or program and select “Scan with XYZ Anti-Virus” from the menu. This forces you AV program to scan the file and check it for viruses which keeps you a lot safer. Lastly, if you wanted to be absolutely sure about the integrity of the file that you have downloaded, look for a “hash” value for the file. You can get more information about file hash (sometimes called checksums) here.
As for cross-site-scripting and other security issues with the actual website; there isn’t much that can be done other that avoiding the web site all together because the main problem is with your chosen Internet browser and operating system (like Internet Explorer 7 and Windows XP).There are browser extensions (NoScript for Firefox) that will, for the most part, protect you from a lot of different types of website security problems but there are prices to pay. I have personally tried the NoScript Firefox extension and to be honest, I would rather take my chances. A web without any scripts is like watching CNN on a big, HD TV with only the tickertape going across the bottom of the screen. To be fair, NoScript is a great program and if you’re diligent in setting it up it’s a great tool to help you stay safe. Another great technique you can use is to have your search engine open the page for you. If you look carefully at each search result you will notice that there is a little link called “Cached” at the end of the search result. Most search engines will keep a copy of any website that they have been to and it’s used to help speed up search results. The great thing about these “Cached” pages is they have been stripped of most, if not all, of their active content which includes most cross-site-scripts making it a lot safer and allowing you an opportunity to see if you can trust the website.
Finding websites you can trust is hard and you’re not always going to get it right. Use the information in this post to help you identify the websites you can and those that you can’t.
Thank you for reading this post and look for part 3: The truth about Anti-Virus: They don’t do it all, they don’t even try.
Eryk Voelker
(408) 829-4995
Home Network Security
www.hnsecurity.com
Trackbacks /
Pingbacks