How to Avoid the Common Pitfalls While Browsing the Web

Web browser exploits are on the rise due to the ease with which they are executed. Too often, the user starts with the browser that ships with their device and then downloads from the pre-installed browser their favorite browser.

The problem?

The default configuration on the original browser is probably not secure in the first place, plus it’s rarely removed after the preferred browser is subsequently installed, leaving opportunities for exploitation. The downloaded browser, too, may not have a secure default configuration, and every time it’s used, new vulnerabilities are waiting.

“Click to install” is very convenient, but it can lead to troublesome vulnerabilities, including malware, remote code execution, violations of privacy, stolen data, or even escalation of privileges.

This last point is especially concerning for security professionals, since their organization’s typical user isn’t concerned with security when using their favorite browser to surf the web, but it can lead to disastrous consequences for the organization.

Here are a few tips security pros can pass along to users (and family and friends) for safe internet browsing.

Disable Third-Party Cookies

Websites use cookies that store data about a user’s browsing activity to enhance the user’s experience.

For instance, data about search habits, geolocation, or site preferences are used to help tailor the content the user sees or remember what the user last did when visiting the site. Cookies are saved as little packets of data on the user’s machine and sent back to the browsed site each time the user returns. Cookies are designed to be readable only by the website that created them.

This goes for advertisements placed on the host web page, too. Any advertiser who embeds an ad on a web page — and there are many which is why so much content is served up for free — has the ability to track a user’s habits, location, and preferences.

Ever wonder why, suddenly, you are seeing helpful “suggestions” for diet and exercise programs near you after you’ve written an email mentioning a desire for salad from a web browser?

Yeah, those are cookies (and not the tasty kind you can eat after the salad).

These third-party cookies are helpful to the advertiser, but in the hands of a malicious adversary, a user’s privacy and security can be compromised. In addition, some websites use cookies for authentication, which means that if an attacker gains access to credentials, he can gain unauthorized access to the site and/or other areas of the user’s system, unbeknownst to the user.

A stealthy attacker can build a profile of a user if he is persistent enough, and this is dangerous to the user and potentially the organization to which the user’s system is connected.

Fortunately, most modern browsers allow for control of privacy settings and users can disable third-party cookies and keep their browsing habits more secure. Because most browsers allow third-party cookies by default, the user should adjust his or her settings as soon as the browser is installed.

Enable “Click to Play” for Third-Party Content

PDF and Flash are two well-known vulnerable content delivery mechanisms that are also ubiquitous. Websites use Flash to enhance the user’s experience, and the more interactive web content becomes, the more it is used by businesses that want to engage customers and create stickiness for their brand.

PDF is used constantly and consistently across businesses to create more official, professional-looking, and unalterable documents. Unfortunately, Adobe vulnerabilities are also well known. Patches for Adobe vulnerabilities are issued regularly, but often it’s after an exploit, and, as all security pros know, patching doesn’t occur as frequently as it should.

Adobe isn’t the only concern; Java, HTML5, and other markup languages are commonly the basis for interactive web-based content. This content, along with USBs and other removable media, are typically set to AutoPlay — a feature that can introduce malicious code on a user’s system. For example, an infected USB was the source of infection for the Stuxnet virus, which illustrates the disastrous effects AutoPlay can cause.

To eliminate the problem of AutoPlay, disable it through the settings in your control panel. Additionally, be sure to update old versions of tools and apply patches regularly.

Use an Add-On Like NoScript

JavaScript, also known as ECMAScript, is a dynamic scripting language used to make websites more interactive and user friendly.

JavaScript is also responsible for several malicious attack types like cross-site scripting (XSS) and cross-site request forgery (XSRF). These vulnerabilities can occur because JavaScript is embedded in an HTML page so the site can perform specific functions, like serving up an online form, for example. The problem with JavaScript, however, is that it interacts with the web page Document Object Model (DOM) and executes malicious content or obtains unauthorized permissions from the site.

To keep sites that use JavaScript safer, users should employ add-on services like NoScript, which only allows executable content if the site is trusted and has been whitelisted.

NoScript is a free, open source status bar that is installed on the user’s computer after download and appears on every page the user visits. As with disabling AutoPlay, a service like NoScript gives the user more granular control of what can and cannot run on his or her system.

Don’t Ignore Browser Updates

Browser updates are bothersome but can be one of the best ways to keep web browsing secure.

Old, outdated browser versions may not have the ability to discover current vulnerabilities, which are issued daily. Malicious websites take advantage of out-of-date browsers because it’s an easy and low-cost way to compromise a user’s machine.

Many browsers will prompt the user when it’s time for an update, but users can also check their own versions:

Internet Explorer: To turn on automatic updates, click the Internet Explorer icon on the taskbar, select the Tools option (or click Help in the menu bar), and then click About Internet Explorer. Select the Install new versions automatically checkbox, and then click OK.

Mozilla Firefox: At the top of the Firefox window, click the Help menu and select About Firefox. The About Mozilla Firefox window will open, and Firefox will begin checking for updates. If an update is available, it will begin downloading automatically.

Chrome: Open Google Chrome on your computer. In the top right, click the Chrome menu and select Help > About Google Chrome. The current version number is the series of numbers beneath the “Google Chrome” heading. Chrome will check for updates when you’re on this page. Click Relaunch to apply any available update.

Safari: You can keep Safari up to date by keeping OS X up to date. To get the most recent version of Safari, install the latest version of OS X from the Mac App Store and keep an eye out for all available Safari and OS X updates.

Limit Browser Extensions

Browser extensions offer users new ways to interact with their browser and to access other features not available through the browser alone and can increase the functionality of a website.

For instance, the Recorded Future Look Up extension allows users to dig into the details of technical indicators of compromise by simply right-clicking on a piece of information on the web page. Some extensions add fun functionality, like installing a toolbar that gives the user access to new types of emojis, or offers plug-ins, like the Pinterest plugin, that enables users to create an online interest board by clicking on the little logo in their browser.

Like any web tool, though, extensions are not 100% bug free. Malicious extensions can install malware, snoop on your browsing, or even steal sensitive data when you interact with various websites.

To keep your browser safe, install extensions only from trustworthy sources after conducting a bit of research. Some browsers provide a list of the permissions required to download the extension. Whenever possible, check permissions before downloading and limit permissions to only those that are necessary to run the extension. Adding a toolbar with emojis, for example, shouldn’t require access to the user’s contacts database.

Conclusion

The web is a risky place — there’s no getting around that. It’s also core to our daily personal and business lives. With just a little effort, however, users can practice safe internet browsing and keep their activities more private from prying eyes.