<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; privacy</title>
	<atom:link href="http://www.novainfosecportal.com/tag/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Fri, 03 Feb 2012 17:30:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Usable Browser Privacy &amp; Security</title>
		<link>http://www.novainfosecportal.com/2011/09/15/usable-browser-privacy-security/</link>
		<comments>http://www.novainfosecportal.com/2011/09/15/usable-browser-privacy-security/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 04:39:18 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Securing Mom]]></category>
		<category><![CDATA[adblock]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[http-everywhere]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[noscript]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[securty]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=6160</guid>
		<description><![CDATA[In a previous post I talked about one aspect of making sure URLs you visit are safe. While writing that post, I started thinking about what I do and would recommend to browse securely while still keeping the experience usable. Of course the &#8220;usable&#8221; requirement here means excluding efforts such as using a separate computer or browser for sensitive activity or only browsing in a VM or LiveCD environment. First off, my recommended browser of choice is Firefox &#8230; not because it&#8217;s necessarily the best browser out there but more based on the number of available add-ons &#8230; especially the security ones I suggest below. One thing to consider though is to try to keep the number of add-ons to a minimum. This not only helps Firefox start and run faster but it also minimizes the risk of getting p0wned by a vulnerable add-on. Anyway, the security add-ons I use in almost all of my Firefox installs include: NoScript: This add-on is always the first plugin I install. Most malicious websites require JavaScript in some form to infect their victims and taking NoScript&#8217;s disabled-by-default approach goes a long way. HTTPS-Everywhere: Ever since FireSheep was released last year this add-on is a [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-6244" title="Brosing Infection" src="http://www.novainfosecportal.com/wp-content/uploads/2011/09/Firefox-Virus-e1316059422647.jpg" alt="Firefox Logo with Embedded Monster" width="160" height="131" />In a previous post <a title="Determining Safe Websites in 3 Easy Steps" href="/2011/08/31/determining-safe-websites-in-3-easy-steps/">I talked about one aspect of making sure URLs you visit are safe</a>. While writing that post, I started thinking about what I do and would recommend to browse securely while still keeping the experience usable. Of course the &#8220;usable&#8221; requirement here means excluding efforts such as using a separate computer or browser for sensitive activity or only browsing in a VM or LiveCD environment.</p>
<p>First off, my recommended browser of choice is Firefox &#8230; not because it&#8217;s necessarily the best browser out there but more based on the number of available add-ons &#8230; especially the security ones I suggest below. One thing to consider though is to try to keep the number of add-ons to a minimum. This not only helps Firefox start and run faster but it also minimizes the risk of getting p0wned by a vulnerable add-on. Anyway, the security add-ons I use in almost all of my Firefox installs include:</p>
<ul>
<li><strong>NoScript:</strong> This add-on is always the first plugin I install. Most malicious websites require JavaScript in some form to infect their victims and taking NoScript&#8217;s disabled-by-default approach goes a long way.</li>
<li><strong>HTTPS-Everywhere:</strong> Ever since FireSheep was released last year this add-on is a must-have. It forces your browser to always use HTTPS when visiting a number of popular websites. Of course better yet is to purchase a <a title="Starbucks VPN Options for Wifi Security" href="/2010/07/20/starbucks-vpn-options-for-wifi-security/">personal VPN</a> or use your company&#8217;s if they allow.</li>
<li><strong>Adblock Plus:</strong> This add-on is a fairly new one I&#8217;ve added to the mix based on the proliferation of malicious ads. Since most content on the web is free and ad supported, I almost hate to use it &#8230; but I value online safety more.</li>
<li><strong>Google (SSL) Search Engine:</strong> This nice search engine add-on forces your browser to use Google&#8217;s encrypted search engine when using the built-in browser search bar. I use it just in case HTTPS-Everywhere misses requests sent from this field rather than a web page.</li>
</ul>
<p>Over the years I&#8217;ve tried many other security plugins but these are the ones I always come back to from a usability perspective. And of course be sure to add some quick bookmarks to <a href="/2011/08/31/determining-safe-websites-in-3-easy-steps/">UnmaskURL, URLVoid, and VirusTotal</a> as these services provide additional ways to research potential malicious websites.</p>
<p>Now from a usable privacy perspective I usually head on over to Firefox&#8217;s Privacy preferences area and uncheck &#8220;<em>Automatically start Firefox in a private browsing session</em>.&#8221; Make sure all the other sub-options are checked except for &#8220;<em>Accept third-party cookies</em>.&#8221; Under the &#8220;<em>Settings</em>&#8221; button associated with &#8220;<em>Clear history when Firefox closes</em>,&#8221; verify everything is checked.</p>
<p>One of the usability consequences of locking your browser down is that you may lose your open tabs and/or sessions if your browser crashes or is running slow and you want to restart. This could be a problem if you&#8217;re like me and keep tabs open as placeholders for pages you want to look at later. To make sure Firefox gives you the option to save your tabs, verify the following preferences.</p>
<ul>
<li><strong>General:</strong> Select &#8220;<em>Show my home page</em>&#8221; from the Startup drop-down.</li>
<li><strong>Tabs:</strong> Ensure &#8220;<em>Warn me when closing multiple tabs</em>&#8221; is checked.</li>
<li><strong>Privacy:</strong> Under the &#8220;<em>Settings</em>&#8221; button associated with &#8220;<em>Clear history when Firefox closes</em>,&#8221; uncheck &#8220;<em>Browsing History</em>.&#8221;</li>
</ul>
<p>Unchecking &#8220;<em>Browsing History</em>&#8221; does create a risk that some sensitive information could be carried over between sessions indefinitely. On the main Privacy tab changing &#8220;<em>Remember my browsing history for at least</em>&#8221; to 0 days helps mitigate this concern since any history storage would expire in less than a day.</p>
<p>Now if the browser crashes with 30 or so tabs opened, you at least get all your tabs back however your active sessions were probably lost. And if your browser is running slow and you want to restart, simply go to Preferences -&gt; Privacy and uncheck &#8220;<em>Clear history when Firefox closes</em>.&#8221; Then close the browser and select the option to save your tabs. Now everything from your prior session should mostly reappear as you left it. Just be sure to go back in and recheck &#8220;<em>Clear history when Firefox closes</em>.&#8221;</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Do you like some of the plugins I mentioned above? Do you know that many of these plugin authors don&#8217;t make a dime off of their work? If you use any of these plugins on a regular basis, please consider heading over to their site and donating a few bucks. This kind donation helps ensure that these valuable tools remain free and up to date for the community to enjoy. See ya!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/09/15/usable-browser-privacy-security/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Stop Freaking Adding New NIST Controls &#8211; They Are Not Needed</title>
		<link>http://www.novainfosecportal.com/2011/08/19/stop-freaking-adding-new-nist-controls-they-are-not-needed/</link>
		<comments>http://www.novainfosecportal.com/2011/08/19/stop-freaking-adding-new-nist-controls-they-are-not-needed/#comments</comments>
		<pubDate>Fri, 19 Aug 2011 14:30:57 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[800-53]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[controls]]></category>
		<category><![CDATA[govinfosecurity]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=5835</guid>
		<description><![CDATA[I came across an article over at GovInfoSecurity.com where they interviewed Ron Ross about the future of Special Publication 800-53. As most of you have probably heard there is a draft appendix that contains a bunch of new privacy controls. We discussed this a while ago, mentioning how in most cases new controls are not needed. But guess what? They&#8217;re not finished yet. In the interview Mr. Ross mentions adding several new controls to address fads like Cloud. To further complicate matters many agencies treat NIST guidance as gospel and require systems to meet all controls. So adding new redundant controls could increase the cost of getting systems approved and maintained under FISMA. We already have Congress breathing down our neck about  how much each piece of paper costs &#8230; new controls are just going to create additional pieces of paper. Now I&#8217;m not saying we don&#8217;t need controls for technologies associated with these terms du jour but we do need to be very careful about adding too many fad controls. My recommendation is to boil these new technologies down to their core components and have controls only for those. In many cases you&#8217;ll find NIST already has controls addressing [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-5049" title="NIST" src="http://www.novainfosecportal.com/wp-content/uploads/2011/04/nist.gif" alt="NIST Logo" width="215" height="109" />I came across an article over at GovInfoSecurity.com where they interviewed Ron Ross about the future of Special Publication 800-53. As most of you have probably heard there is a draft appendix that contains a bunch of new privacy controls. We <a href="/2011/07/21/are-new-nist-privacy-controls-necessary/">discussed this a while ago</a>, mentioning how in most cases new controls are not needed. But guess what? They&#8217;re not finished yet. In the interview Mr. Ross mentions adding several new controls to address fads like Cloud.</p>
<p>To further complicate matters many agencies treat NIST guidance as gospel and require systems to meet all controls. So adding new redundant controls could increase the cost of getting systems approved and maintained under FISMA. We already have Congress breathing down our neck about how much each piece of paper costs &#8230; new controls are just going to create additional pieces of paper.</p>
<p>Now I&#8217;m not saying we don&#8217;t need controls for technologies associated with these terms du jour but we do need to be very careful about adding too many fad controls. My recommendation is to boil these new technologies down to their core components and have controls only for those. In many cases you&#8217;ll find NIST already has controls addressing these core components. For core components that are not present, first try broadening existing similar ones. If that approach doesn&#8217;t work then a new control may be in order. Also to satisfy people who want to refer to the current fad terms, I suggest creating an appendix that does nothing more than group core controls that compose these technologies.</p>
<p>Beyond cloud, NIST plans to create new controls addressing Insider Threats, Mobility, Industrial, Application, and Web Applications. Now I wouldn&#8217;t call these fads per se; however, like cloud, if you break these technologies down into their core components, there will be a lot of overlap or similarities with existing controls.</p>
<p>Well the good news is that we all get to comment on these NIST guidelines &#8230; so for now go review the <a href="http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf">Privacy draft appendix</a> [PDF] and shoot your suggestions over to <a href="mailto:sec-cert@nist.gov">sec-cert@nist.gov</a> to let them know what you think by September 2nd.</p>
<p>via GovInfoSecurity.com</p>
<blockquote><p>Ron Ross becomes animated when discussing the next revision, due in December, of NIST&#8217;s storied Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations. &#8220;This has been one of the most exciting projects I&#8217;ve worked on since the Joint Task Force started,&#8221; Ross told me (see Ron Ross on NIST&#8217;s New Privacy Controls), referring to the 2-year-old group of civilian-, defense- and intelligence-agency infosec experts working to produce a unified, federal IT security framework.</p>
<p>&#8230;</p>
<p>Besides privacy, Ross said, look for new controls involving insider threats &#8211; &#8220;one of the big ones.&#8221;</p>
<p>&#8230;</p>
<p>Other controls likely to be added to SP 800-53 deal with mobility, cloud computing, industrial controls, application security and web applications.<br />
&#8230;</p></blockquote>
<p>Continued <a href="http://blogs.govinfosecurity.com/posts.php?postID=1016">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>GovInfoSecurity.com also did a follow-up interview with Mr. Ross. <a href="http://www.govinfosecurity.com/articles.php?art_id=3907">Here is the transcript</a> for those interested.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/08/19/stop-freaking-adding-new-nist-controls-they-are-not-needed/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Are New NIST Privacy Controls Necessary?</title>
		<link>http://www.novainfosecportal.com/2011/07/21/are-new-nist-privacy-controls-necessary/</link>
		<comments>http://www.novainfosecportal.com/2011/07/21/are-new-nist-privacy-controls-necessary/#comments</comments>
		<pubDate>Thu, 21 Jul 2011 14:00:00 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[800-53]]></category>
		<category><![CDATA[fisma]]></category>
		<category><![CDATA[govinfosecurity]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[ross]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=5725</guid>
		<description><![CDATA[In case you missed the announcement on Tuesday, the National Institute of Standards and Technology (NIST) has released a draft of new privacy controls to be included in the next update of Special Publication (SP) 800-53. Currently referred to as SP 800-53 Appendix J, the update provides the first steps to standardizing what privacy means to the federal government. Eric Chabrow wrote up a nice article summarizing the announcement. via GovInfoSecurity.com The link between privacy and security is getting codified in the next version of the National Institute of Standards and Technology&#8217;s definitive security control guidance. In preparation of an anticipated year-end revision of Special Publication 800-53, NIST Tuesday posted a draft appendix with the preliminary title, Security and Privacy Controls for Federal Information Systems and Organizations, that will be incorporated into the fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations. Continued here. I have mixed feelings about this addition. Yes, I think privacy is important and definitely needs to be focused on more &#8230; however is the extra effort worth it? There are already controls within SP 800-53 that covered most of what they are adding. Further, the suggested updates add eight new families [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-5049" title="NIST" src="http://www.novainfosecportal.com/wp-content/uploads/2011/04/nist.gif" alt="NIST Logo" width="172" height="87" />In case you missed the announcement on Tuesday, the National Institute of Standards and Technology (NIST) has released a draft of new privacy controls to be included in the next update of Special Publication (SP) 800-53. Currently referred to as <a href="http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf">SP 800-53 Appendix J</a>, the update provides the first steps to standardizing what privacy means to the federal government. Eric Chabrow wrote up a nice article summarizing the announcement.</p>
<p>via GovInfoSecurity.com</p>
<blockquote><p>The link between privacy and security is getting codified in the next version of the National Institute of Standards and Technology&#8217;s definitive security control guidance.</p>
<p>In preparation of an anticipated year-end revision of Special Publication 800-53, NIST Tuesday posted a draft appendix with the preliminary title, Security and Privacy Controls for Federal Information Systems and Organizations, that will be incorporated into the fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.</p></blockquote>
<p>Continued <a href="http://www.govinfosecurity.com/articles.php?art_id=3873">here</a>.</p>
<p>I have mixed feelings about this addition. Yes, I think privacy is important and definitely needs to be focused on more &#8230; however is the extra effort worth it? There are already controls within SP 800-53 that covered most of what they are adding. Further, the suggested updates add <strong>eight new families</strong> and <strong>22 new controls</strong>, which is going to significantly add to the expense of meeting FISMA.</p>
<p>One of our NoVA infosec security twits who knows a lot more about all this NIST stuff than I do, @<a href="http://twitter.com/cyberhiker">cyberhiker</a>, posted a series of tweets expressing his views in relation to Eric&#8217;s article.</p>
<ul>
<li>@GovInfoSecurity It would probably help if they more clearly defined what is and is not privacy data. <a href="https://bit.ly/pBYSTo">#</a></li>
<li>I don&#8217;t know that I need 8 new control families and 23 new controls. #80053AppendixJ <a href="https://bit.ly/rtiUN4">#</a></li>
<li>The first question I am going to get about #80053AppendixJ: What baseline does it apply to? A: You need to tailor them into each baseline. <a href="https://bit.ly/oeWujD">#</a></li>
<li>2nd Q about #80053AppendixJ: These are Mgmt controls, so I can inherit these from the Govt right? A: No. U need to read more closely. <a href="https://bit.ly/qmxc1z">#</a></li>
<li>More of a stmt about #80053AppendixJ: &#8220;Looks like there is a R4 now, glad we didn&#8217;t update our policy to R3&#8221; &#8220;No. U should&#8217;ve updated. Now!&#8221; <a href="https://bit.ly/ogUZCT">#</a></li>
</ul>
<p>Some interesting things to consider there&#8230; Just shoot your suggestions over to <a href="mailto:sec-cert@nist.gov">sec-cert@nist.gov</a> to let them know what you think by September 2nd. In the meantime, why don&#8217;t you let us know your thoughts in the comments below?</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>If you are interested in other work by @<a href="http://twitter.com/cyberhiker">cyberhiker</a>, check out his <a href="http://wiki.redspartan.com/redmine/">RedSpartan</a> compliance framework project.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/07/21/are-new-nist-privacy-controls-necessary/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Cookie Use &#8230; How Agencies Should Set Example for Broader Industry</title>
		<link>http://www.novainfosecportal.com/2010/06/29/cookie-use-how-agencies-should-set-example-for-broader-industry/</link>
		<comments>http://www.novainfosecportal.com/2010/06/29/cookie-use-how-agencies-should-set-example-for-broader-industry/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 15:30:26 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cookie]]></category>
		<category><![CDATA[omb]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=3848</guid>
		<description><![CDATA[I came across an article yesterday discussing the Office of Management and Budget&#8217;s (OMB) recent guidance allowing the government to use &#8220;persistent cookies.&#8221; For over a decade they have not been able to use such technologies to track user website visits. The new guidance, M-10-22, permits the use of &#8220;web measurement and customization technologies, including cookies &#8211; small pieces of browser software that track and authenticate web viewing activities by users.&#8221; One of the more interesting points I noticed in the article is the decision to leave the choice of using an &#8220;opt-in&#8221; versus an &#8220;opt-out&#8221; model up to the individual agencies. I wish OMB would have set an example here and made a cross-the-board statement that users MUST opt-in. Instead they danced around the subject and passed the decision onto the individual agencies for better or for worse. I know as a website operator how &#8220;neat&#8221; these statistics can be however the most important stats (e.g., total hits or page views) can often be collected without the use of tracking cookies or similar techniques. We are all tired of commercial companies taking advantage of these technologies at the expense of our privacy. Each of the individual agencies needs to take [...]]]></description>
			<content:encoded><![CDATA[<p>I came across an <a href="http://www.govinfosecurity.com/articles.php?art_id=2700">article</a> yesterday discussing the Office of Management and Budget&#8217;s (OMB) recent guidance allowing the government to use &#8220;persistent cookies.&#8221; For over a decade they have not been able to use such technologies to track user website visits. The new guidance, M-10-22, permits the use of &#8220;web measurement and customization technologies, including cookies &#8211; small pieces of browser software that track and authenticate web viewing activities by users.&#8221;</p>
<p>One of the more interesting points I noticed in the article is the decision to leave the choice of using an &#8220;opt-in&#8221; versus an &#8220;opt-out&#8221; model up to the individual agencies. I wish OMB would have set an example here and made a cross-the-board statement that users <strong>MUST</strong> opt-in. Instead they danced around the subject and passed the decision onto the individual agencies for better or for worse.</p>
<p>I know as a website operator how &#8220;neat&#8221; these statistics can be however the most important stats (e.g., total hits or page views) can often be collected without the use of tracking cookies or similar techniques. We are all tired of commercial companies taking advantage of these technologies at the expense of our privacy. Each of the individual agencies needs to take a stand and choose the &#8220;opt-in&#8221; model as a small step in showing the commercial world how it should be done.</p>
<p>I know this opinion may not be popular in some circles &#8230; but in the end, it&#8217;s just the right thing to do!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2010/06/29/cookie-use-how-agencies-should-set-example-for-broader-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PrivacyCampDC Infosec Conference Event &#8211; Saturday, 06-20</title>
		<link>http://www.novainfosecportal.com/2009/06/16/privacycampdc-infosec-conference-event-saturday-06-20/</link>
		<comments>http://www.novainfosecportal.com/2009/06/16/privacycampdc-infosec-conference-event-saturday-06-20/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 15:00:27 +0000</pubDate>
		<dc:creator>paques</dc:creator>
				<category><![CDATA[Infosec Conferences]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[governmental-policy]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacycampdc]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1687</guid>
		<description><![CDATA[There&#8217;s been quite a bit of buzz surrounding this year&#8217;s PrivacyCampDC, and it&#8217;s easy to see why. Described as &#8220;an unconference about [p]rivacy with a particular focus on electronic privacy and Government Policy,&#8221; the goal of PrivacyCampDC is to &#8220;connect researchers, developers, practitioners, citizens and other enthusiasts for a day of intense collaboration and knowledge sharing.&#8221; And let&#8217;s be honest: the word &#8216;camp&#8217; just sounds so much more interesting than &#8216;conference,&#8217; doesn&#8217;t it? We&#8217;re really excited to see how this event plays out, so if you end up attending, please drop us a line about how it went. Also be sure to check out the helpful information below. Who: PrivacyCampDC What: &#8220;[A]n unconference about [p]rivacy with a particular focus on electronic privacy and Government Policy.&#8221; When: 06-20 &#8211; 06-20-2009 Where: Center for American Progress Action Fund (1333 H Street, NW &#8211; Washington, DC 20005) For more information on PrivacyCampDC, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the PrivacyCampDC registration page for more information. o o o o o If you attend this event, why not write about it for NovaInfosecPortal? Contact us [...]]]></description>
			<content:encoded><![CDATA[<p style="border: 1px solid #ffffff; cursor: text;">There&#8217;s been quite a bit of buzz surrounding this year&#8217;s <a title="PrivacyCampDC" href="../events/infosec-conferences/#pcdc">PrivacyCampDC</a>, and it&#8217;s easy to see why. Described as &#8220;an unconference about [p]rivacy with a particular focus on electronic privacy and Government Policy,&#8221; the goal of PrivacyCampDC is to &#8220;connect researchers, developers, practitioners, citizens and other enthusiasts for a day of intense collaboration and knowledge sharing.&#8221;</p>
<p style="border: 1px solid #ffffff; cursor: text;">And let&#8217;s be honest: the word &#8216;camp&#8217; just sounds so much more interesting than &#8216;conference,&#8217; doesn&#8217;t it?</p>
<p style="border: 1px solid #ffffff; cursor: text;">We&#8217;re really excited to see how this event plays out, so if you end up attending, please <a title="drop us a line" href="../contact-us/">drop us a line</a> about how it went. Also be sure to check out the helpful information below. <span id="more-1687"></span></p>
<ul style="border: 1px solid #ffffff; cursor: text;">
<li><strong>Who:</strong> PrivacyCampDC</li>
<li><strong>What:</strong> &#8220;[A]n unconference about [p]rivacy with a particular focus on electronic privacy and Government Policy.&#8221;</li>
<li><strong>When:</strong> 06-20 &#8211; 06-20-2009</li>
<li><strong>Where:</strong> <a title="Center for American Progress Action Fund" href="http://www.americanprogressaction.org/">Center for American Progress Action Fund</a> (<a title="1333 H Street, NW - Washington, DC 20005" href="http://maps.google.com/maps?f=d&amp;source=s_d&amp;saddr=&amp;daddr=1333+H+Street,+NW+-+Washington,+DC+20005&amp;hl=en&amp;geocode=&amp;mra=ls&amp;sll=37.579413,-95.712891&amp;sspn=47.42872,88.242187&amp;ie=UTF8&amp;z=16">1333 H Street, NW &#8211; Washington, DC 20005</a>)</li>
</ul>
<p style="border: 1px solid #ffffff; cursor: text;">For more information on PrivacyCampDC, see its <a href="../events/infosec-conferences/#pcdc">description</a> in our <a href="../events/infosec-conferences/">Infosec Conferences</a> section. View our <a title="Calendar" href="../events/full-calendar/">Calendar</a> for a list of similar infosec events in and around the NoVA area. See the PrivacyCampDC <a title="registration page" href="http://privacycampdc09-fbevent.eventbrite.com/" target="_blank">registration page</a> for more information.</p>
<p style="border: 1px solid #ffffff; cursor: text; text-align: center;">o o o o o</p>
<p style="border: 1px solid #ffffff; cursor: text; text-align: center;"><em>If you attend this event, why not write about it for NovaInfosecPortal? <a href="http://www.novainfosecportal.com/contact-us/">Contact us</a> if you&#8217;re interested. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/06/16/privacycampdc-infosec-conference-event-saturday-06-20/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ShmooCon 2009 – Friday Schedule Update</title>
		<link>http://www.novainfosecportal.com/2009/02/04/shmoocon-2009-%e2%80%93-friday-schedule-update/</link>
		<comments>http://www.novainfosecportal.com/2009/02/04/shmoocon-2009-%e2%80%93-friday-schedule-update/#comments</comments>
		<pubDate>Thu, 05 Feb 2009 03:07:25 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Conferences]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[firetalk]]></category>
		<category><![CDATA[friday]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[keynote]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[podcaster meetup]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[reminder]]></category>
		<category><![CDATA[schedule]]></category>
		<category><![CDATA[shmooball]]></category>
		<category><![CDATA[shmoocon]]></category>
		<category><![CDATA[the shmoo group]]></category>
		<category><![CDATA[update]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1002</guid>
		<description><![CDATA[While I already updated my “ShmooCon 2009 Guide – Friday Recommendations,” post, I wanted to make sure that everyone was aware of the schedule changes for this Friday at ShmooCon. According to Podcasters Meetup, the live show, book signing, and FireTalks on Friday will be happening later than originally planned. Setup will now start at 7:30pm, with the live show taking place from 8:00-9:00. The book signing will take place during the FireTalks, which start at 9:00. There will also be a HacDC party that starts at 10:00pm, so be sure to visit the HacDC wiki if you’re interested in learning more. You can get more updates at the Podcasters Meetup Twitter feed, @podcastmeetup. ### Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.]]></description>
			<content:encoded><![CDATA[<p>While I already updated my “<a href="http://www.novainfosecportal.com/2009/02/02/shmoocon-2009-guide-friday-recommendations/">ShmooCon 2009 Guide – Friday Recommendations</a>,” post, I wanted to make sure that everyone was aware of the schedule changes for this Friday at ShmooCon.</p>
<p>According to <a href="http://www.podcastersmeetup.com/">Podcasters Meetup</a>, the live show, book signing, and FireTalks on Friday will be happening later than originally planned.</p>
<p>Setup will now start at 7:30pm, with the live show taking place from 8:00-9:00. The book signing will take place during the FireTalks, which start at 9:00.</p>
<p>There will also be a HacDC party that starts at 10:00pm, so be sure to visit the <a href="http://wiki.hacdc.org/index.php?title=Shmoocon_Party">HacDC wiki</a> if you’re interested in learning more.</p>
<p>You can get more updates at the Podcasters Meetup Twitter feed, <a href="http://twitter.com/podcastmeetup">@podcastmeetup</a>.</p>
<p style="text-align: center;">###</p>
<p style="text-align: center;"><em>Was this post helpful? If so, consider passing it along to a friend or becoming a </em><a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;"><em>subscriber</em></span></a><em> of our site. Or, you can always do both—we won’t complain.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/02/04/shmoocon-2009-%e2%80%93-friday-schedule-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ShmooCon 2009 Guide – Friday Recommendations</title>
		<link>http://www.novainfosecportal.com/2009/02/02/shmoocon-2009-guide-friday-recommendations/</link>
		<comments>http://www.novainfosecportal.com/2009/02/02/shmoocon-2009-guide-friday-recommendations/#comments</comments>
		<pubDate>Tue, 03 Feb 2009 00:34:58 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Conferences]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[event]]></category>
		<category><![CDATA[firetalk]]></category>
		<category><![CDATA[friday]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[keynote]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[podcaster meetup]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[reminder]]></category>
		<category><![CDATA[shmooball]]></category>
		<category><![CDATA[shmoocon]]></category>
		<category><![CDATA[the shmoo group]]></category>
		<category><![CDATA[update]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=991</guid>
		<description><![CDATA[In my last two posts (“Up to this Point” and “General Advice”) I looked at the events leading up to this week and general advice for getting the most out of the conference. In this post I’m going to look at some of the different talks and activities going on Friday.  As part of this discussion I’ll be giving my recommended activities. Keep in mind that these choices are based on my likes and dislikes. I’d advise reviewing the full list of activities yourself just to make sure you don’t miss anything that’s important to you. Before I talk about Friday evening, I do want to take a minute to mention the plan for a Security Twits lunch meetup at 12:00pm at Harry&#8217;s Pub in the Marriott. If you plan on attending, RSVP at securitytwits{0x40}n0where.org. If you&#8217;d like more information, you can visit @securitytwits to see the original tweet. And now, onto the evening portion of ShmooCon. In typical ShmooCon fashion, Friday evening is dedicated to the “One Track Mind” talks. Of the “One Track Mind” sessions, three look particularly interesting to me. Being a fan of PaulDotCom and Larry’s imaginative hardware hacking exploits, how could I pass up “Building the 2008 and 2009 ShmooBall Launchers” [...]]]></description>
			<content:encoded><![CDATA[<p>In my last two posts (“<a href="http://www.novainfosecportal.com/2009/01/29/shmoocon-2009-guide-%e2%80%93-up-to-this-point/">Up to this Point</a>” and “<a href="http://www.novainfosecportal.com/2009/02/01/shmoocon-2009-guide-%e2%80%93-general-advice/">General Advice</a>”) I looked at the events leading up to this week and general advice for getting the most out of the conference. In this post I’m going to look at some of the different talks and activities going on Friday.</p>
<p> As part of this discussion I’ll be giving my recommended activities. Keep in mind that these choices are based on my likes and dislikes. I’d advise reviewing the full list of activities yourself just to make sure you don’t miss anything that’s important to you.</p>
<p>Before I talk about Friday evening, I do want to take a minute to mention the plan for a Security Twits lunch meetup at 12:00pm at Harry&#8217;s Pub in the Marriott. If you plan on attending, RSVP at securitytwits{0x40}n0where.org. If you&#8217;d like more information, you can visit <a href="http://twitter.com/securitytwits">@securitytwits</a> to see the original tweet.</p>
<p>And now, onto the evening portion of ShmooCon.</p>
<p>In typical ShmooCon fashion, Friday evening is dedicated to the “One Track Mind” talks. Of the “One Track Mind” sessions, three look particularly interesting to me. Being a fan of PaulDotCom and Larry’s imaginative hardware hacking exploits, how could I pass up “<a href="http://www.shmoocon.org/presentations-all.html#shmooball">Building the 2008 and 2009 ShmooBall Launchers</a>” by Larry Pesce and David Lauer at 4:30? Both <a href="http://securityjustice.com/archives/48">SecurityJustice</a> and <a href="http://securid.wordpress.com/2009/01/05/shmoocon-paper-accepted/">Securi-D’s</a> Weblog preview what they’ll be discussing.</p>
<p>Following that session, the “<a href="http://www.shmoocon.org/presentations-all.html#srizbi">The Day Spam Stopped (The Srizbi Botnet Takedown)</a>” talk by Julia Wolf at 5:00 seems like a nice post-mortem of a complex topic that I’m always looking to learn more about. In theory I understand how botnets work, but I’m continually looking for more details of them in action. And seeing a practical application of botnets—which this talk will provide—really drills those theories in.</p>
<p>The final “One Track Mind” session I hope to see is “<a href="http://www.shmoocon.org/presentations-all.html#watcher">Watching the Watcher: The Prevalence of Third-Party Web Tracking</a>” by Brent Chapman, Tera Corbari, and Matt Devers at 6:30. Being a mildly paranoid person (which is probably why I migrated into the infosec field), I am always interested in learning more about who and what is profiling me<span id="more-991"></span> through increasingly complex information gathering techniques. Plus, the advanced tracking mechanisms that many of these organizations use are simply fascinating. Learning their techniques would at least help me disrupt their profile building activities. That’s my hope, anyways.</p>
<p>To finish out Friday night’s official activities, I’ll be going to hear what Matt Blaze has to say in his <a href="http://www.shmoocon.org/presentations-all.html#keynote">keynote</a> talk. Speaking of Blaze&#8217;s talk in particular, one thing that has always bothered me ever so slightly at ShmooCon is that there’s no overview of the keynote. We always get nice bios but nothing concrete on the exact topic. Based on Matt’s background, it’ll probably involve the intersection of security and public policy in some way. Does anyone else have any ideas on his topic? Or did I just miss a major announcement somewhere?</p>
<p>According to <a href="Matt’s Wikipedia article">Matt’s Wikipedia article</a>, it looks like he’s been involved in some interesting things. He is credited with developing the forerunner of IPSec in ‘93, circumventing the wiretapping capabilities of the Clipper chip in ‘94, and rediscovering a vulnerability in “master key” security in physical locks in ’03. (It’s technically a “rediscovery” because it was an open secret among locksmiths). He also coined the term “trust management,” which is meant to “refer to the policy system which decides whether a particular entity should be permitted to carry out a particular action.” Currently, Matt is an Associate Professor of Computer and Information Science at the University of Pennsylvania.</p>
<p>Next come several unofficial ShmooCon Friday night events that you may want to take part in. There is some overlap with the official talks but you may want to check out the <a href="http://www.podcastersmeetup.com/?p=66">Podcaster’s Meetup</a>. Setup begins at 7:30, with the live show starting at 8:00. Podcasters taking part include Hak5, PaulDotCom, CyberSpeak, Securabit, Security Justice, SploitCase, Unpersons, Phone Losers of America, and SMBMinute. After the recording, there will be some time for getting your books signed if you’re interested.</p>
<p>The FireTalks then start at 9:00. For those of you who don’t know, the FireTalk sessions include several 10 to 15 minute talks by those who have something interesting to say, but didn’t get accepted by ShmooCon or didn’t submit their proposed talk in time.</p>
<p>If you’d like more information, you can view the <a href="http://www.podcastersmeetup.com/?p=66">Podcaster’s Meetup</a> post about the FireTalks, which I’ve pasted part of below.</p>
<p>&#8220;Have a talk that didn’t get accepted? Want the chance to share a project that you are working on? Think of FireTalks as a verbal blog post.</p>
<p> The human experience is built on the ability to tell and learn from stories. At ShmooCon 2009, “FireTalks” is a supportive environment in which to either share insights or learn from others. Whether polishing a presentation (story) for conferences, meetings or training, FireTalks are the way to share, learn and improve.</p>
<p> The inaugural FireTalks take place Friday night — following the Podcasters Meetup. Talks are limited to 10-15 minutes with four (4) scheduled talks and four (4) open slots. Open slots will be filled on a first come, first serve basis.</p>
<p> Saturday night will be more relaxed. Come join us and present, listen and learn.&#8221;</p>
<p>Both the Podcaster’s Meeting and the FireTalks will take place somewhere around the press room. I guess we’ll have to figure out the location once we get there. As I mentioned in the “General Advice” post, be sure to check Twitter for constant updates about the conference.</p>
<p>After the FireTalks are over, continue the fun with some networking at a local spot. Or if you&#8217;re interested, CharmSec is having a meetup after the keynote. Be sure to check it out if you can. You can view <a href="http://twitter.com/charmsec/statuses/1176642602">@charmsec</a> for additional details. You may also want to follow <a href="http://twitter.com/podcastmeetup">@podcastmeetup</a> on Twitter to get any last minute updates.</p>
<p>If there’s anything I’ve missed, please feel free to let me know by leaving a comment below. Praise and criticism (and by that, I mean <span style="text-decoration: underline;">constructive feedback</span>) are always appreciated. Additionally, has anyone figured out what the keynote topic is or where the post Podcaster’s Meetup/FireTalks “local spot” is going to be?</p>
<p>In my next post, I’ll be discussing Saturday’s activities with some recommended talks and other events. Choosing which sessions to attend will definitely be a lot harder given the wide range of options.</p>
<p style="TEXT-ALIGN: center">###</p>
<p style="TEXT-ALIGN: center"><em>Was this post helpful? If so, consider passing it along to a friend or becoming a <a href="http://www.novainfosecportal.com/general/help-us-help-you/">subscriber</a> of our site. Or, you can always do both—we won’t complain.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/02/02/shmoocon-2009-guide-friday-recommendations/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

