Friday, March 6, 2015

Shrinking Your Online Vulnerability

"As NSA general counsel Stuart Baker has said, 'Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content.'"
-- Dr. David Cole

"We kill people based on metadata."
-- Michael Hayden, former NSA and CIA director

Metadata is data about data...

"The main purpose of metadata is to facilitate in the discovery of relevant information, more often classified as resource discovery. Metadata also helps organize electronic resources, provide digital identification, and helps support archiving and preservation of the resource. Metadata assists in resource discovery by 'allowing resources to be found by relevant criteria, identifying resources, bringing similar resources together, distinguishing dissimilar resources, and giving location information.'"
-- National Information Standards Organization


 

In the realm of communications security, and specifically internet-based communications, it is generally agreed that the largest attack surface for end users is the web browser. This applies whether you are using an "unsafe" operating system like Windows/Mac or a safer Linux-based one. I have touched on the operating system issues in past articles and will cover them again in greater detail later, but for now let's take some small, easy steps to bolster our privacy defenses.

First off, and I just want to address this briefly as it is an article unto itself, this guide assumes that you are utilizing a VPN for most if not all of your internet adventures.

Second, we will be working with the latest Firefox build (Chrome/Chromium still have some trouble respecting your privacy). We are going to employ a series of "under the hood" hacks as well as some various browser extensions. I am going to list them in order of importance and offer some alternatives as well (you may find some of the addons less annoying than others).

First, let's get under the hood. Open your Firefox browser and follow along:

1. Type about:config into the address bar and hit Enter. Accept the warning that pops up, type tls in the search bar and confirm the following "Value" column settings:

security.tls.version.max    3
security.tls.version.min    1

If they do not match the above settings, change them to match.

2. Go back to the search bar where you first typed "tls" and instead type media.peer. Find "media.peerconnection.enabled" and change it from true to false.

What we have done so far is make sure the browser will not connect to a site that only offers deprecated SSL (Secure Sockets Layer, the older protocol websites use to encrypt HTTP traffic), which could leave your traffic exposed. Ideally, the sites you visit will support option "3" (TLS 1.2), which provides PFS (Perfect Forward Secrecy). In other words, a site using TLS 1.2 for encryption will negotiate a new key for every session, so if a key or session were somehow compromised, it would give the attacker access to that one session only and not your complete browsing history. The implications should be obvious.
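The two about:config changes above live in your profile's prefs.js (or a user.js you drop into the profile). The script below is an added example, not part of the original post: it parses that file format and reports any of the three settings that drift from the values given here, so you can re-check a profile without clicking through about:config. The sample prefs text is constructed for illustration.

```javascript
// Added example (not from the original post): audit a Firefox prefs.js or
// user.js against the about:config settings described above. Version values
// use Firefox's encoding: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.
// These prefs pin protocol versions only; forward secrecy still depends on the
// cipher suite the site negotiates.
const EXPECTED = {
  "security.tls.version.max": 3,
  "security.tls.version.min": 1,
  "media.peerconnection.enabled": false, // WebRTC off
};
// Firefox writes each pref as: user_pref("name", value);
const PREF_LINE = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;

// Parse prefs.js/user.js text into an object mapping pref name -> value.
function parsePrefs(text) {
  const prefs = {};
  for (const line of text.split("\n")) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // skip comments, blank lines and anything else
    try {
      prefs[m[1]] = JSON.parse(m[2]); // numbers, booleans, quoted strings
    } catch (e) {
      prefs[m[1]] = m[2];             // keep unparseable literals as raw text
    }
  }
  return prefs;
}

// Compare parsed prefs with EXPECTED. A pref absent from the file is reported
// as "unset" because Firefox then falls back to its built-in default.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    const got = name in prefs ? prefs[name] : "unset";
    if (got !== want) findings.push({ pref: name, want, got });
  }
  return findings;
}

// Constructed sample: SSL 3.0 still allowed (min 0) and WebRTC left enabled.
const SAMPLE_PREFS = [
  "// Mozilla User Preferences",
  'user_pref("security.tls.version.max", 3);',
  'user_pref("security.tls.version.min", 0);',
  'user_pref("media.peerconnection.enabled", true);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

console.log(auditPrefs(SAMPLE_PREFS));
```

Run it with node against the text of your own prefs.js; an empty findings list means the profile matches the settings in this post.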

Now we will tackle the Firefox addons in order of importance.

It is debatable which of the following addons belong at the top of the list, as differing circumstances can shift the relative importance of each addon. That being said, I am going to start off with:

1. HTTPS Everywhere, which enforces an encrypted website session whenever the website being contacted supports it.

2. Ghostery (this can be found in the Firefox menu under addons) is effective at blocking a large amount of the cookies, analytics and trackers that plague the internet. An alternative that is purely open source is Disconnect. In my experience Ghostery is the more effective of the two, but your results may vary.

3. Random Agent Spoofer. Your default user agent string is a big part of the metadata mentioned earlier, as it is one of the contributing data points used for browser fingerprinting. This clever addon will, as the name implies, randomly select user agent strings to present to internet land, thus shrinking a major metadata factor.

4. NoScript is a script management addon. A script (JavaScript in this case), in layman's terms, gives a browser the ability to run "programs". Some of these "programs" could be malicious in nature, and in fact this, historically speaking, is responsible for the majority of computer attacks. Even if you choose to disable the script blocking function (it can make browsing difficult at times), it still offers some valuable protective features and is highly recommended.

5. FreeSpeechMe. This addon gives you access to ".bit" websites. Dot-bit, unlike .com, .net, .org and all the rest of them, does not rely on centralized corporate or government control. Instead it uses a Bitcoin-style decentralized blockchain to secure the domains. Read up on it; this is the future of the free internet.

6. Better Privacy. This addon deletes those sneaky, hard to find cookies that might be missed by Ghostery or Disconnect.

7. Adblock Edge blocks adware without the sneaky corporate whitelist that regular Adblock uses.

8. Secret Agent is a child of the Dephormation project. It offers quite a few protective features and user settings. It can, however, bog down your browser, so be forewarned.

Some other settings that may need some attention:

Go into Preferences, Privacy, and set it to always use private browsing mode, or at the very least, never accept third-party cookies and clear history on exit.

Go to Advanced, Data Choices, and de-select everything.

***

Another useful tool is the JonDoFox browser configuration. Once installed, it will ask you what type of Firefox session you want each time you start Firefox. The JonDo variant has several privacy controls built in and is suitable for Tor browsing as well. Be aware that if you want to use it on the regular "clear net", you need to go into Preferences, Advanced, Network, Settings and select no proxy.

***

There is much more that needs to be done to mitigate your online risk, but this is an easy place to start that anyone can do.

More steps to follow.












