Accessing the Internet with lower privileges. (Subtitled: Surfing Safer)

July 5th, 2007

By default XP creates all users as full administrators on the PC. Now I know that everyone creates another account for day-to-day use that has fewer privileges, right? No?

After patching and having a firewall, including a home router, the main ways that machines are compromised are through malicious web sites or e-mail. Using one’s web browser as a full administrator makes it much easier for a computer to get ‘owned’. Where I used to work the vast majority of the users were not local administrators. Scans would be done to look for malware and occasionally there would be machines that had lots of spyware installed. In every case the user’s account would have elevated privileges.

That being said, it can definitely be a pain to have two different accounts (though there are techniques that help quite a bit, RunAs.exe for example). Since most attacks come through web browsers or e-mail, there is a way to run those programs more safely.

One way to surf safer is to use Firefox, Opera or some other web browser besides Internet Explorer. I’m not saying IE is poorly coded but it has three things working against it:

  1. It is the most commonly used browser so it is the biggest target
  2. It is closed source which prevents thousands of security experts looking over the code
  3. It has Active-X which is basically a way to install a program over the Internet. Active-X is not as ‘contained’ as Java and can do more damage.

Many pages don’t work properly in non-IE browsers. There is a great plugin that allows pages to be opened inside of Firefox while being rendered by IE. This plugin is set to always open Microsoft or MSN sites in IE. Other pages can be opened in IE with a right-click.

Instead of Outlook or Outlook Express for e-mail use Thunderbird or Eudora (which will be open source soon). Regardless of the e-mail client, attachments should be considered unsafe by default. Gmail is a great way to protect one’s computer from malware via e-mail as they have quite a few layers of protection.

Another option, which may not be for everyone, is to launch programs with fewer privileges. There is a tool that was recently purchased by Microsoft called PsExec which can, among other things, launch a process with reduced rights: it “strips the Administrators group and allows only privileges assigned to the Users group.” What is handy about this method is that all bookmarks (excuse me, Favorites) are still the same and it is possible to run the program as an admin if necessary. Here is sample syntax for launching IE with PsExec.

psexec -l -d "c:\program files\internet explorer\iexplore.exe"

I’ve changed most of my IE shortcuts to use the above syntax. I’ve been using it for about a year now and most sites work just fine. Ironically, the Windows Update site does not work unless it is running as an admin. No problem, I just launch IE from an unmodified shortcut.
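The shortcut change described above can be scripted, together with a check that the limited launch really drops the Administrators group. This is an added example, not part of the original post; the PsExec location `C:\Tools\psexec.exe`, the shortcut name and the function names are assumptions.

```powershell
# Added example. $PsExec is an assumed install path; adjust to where psexec.exe lives.
$PsExec = 'C:\Tools\psexec.exe'
$IE     = 'C:\Program Files\Internet Explorer\iexplore.exe'

function Test-AdminToken {
    # True only when the Administrators group is enabled in this process's token.
    # A group that has been stripped from the token makes IsInRole return False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-LimitedShortcut {
    # Creates a desktop shortcut that starts $Target through "psexec -l -d".
    param([string]$Name, [string]$Target)
    if (-not (Test-Path $PsExec)) { throw "PsExec not found at $PsExec" }
    if (-not (Test-Path $Target)) { throw "Target not found: $Target" }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut((Join-Path $desktop "$Name.lnk"))
    $lnk.TargetPath   = $PsExec
    $lnk.Arguments    = "-l -d `"$Target`""   # same switches as the command above
    $lnk.IconLocation = "$Target,0"           # keep the browser's own icon
    $lnk.WindowStyle  = 7                     # start the PsExec console minimized
    $lnk.Save()
    $lnk.FullName
}

# 1. Create the limited shortcut next to the unmodified one.
New-LimitedShortcut -Name 'Internet Explorer (limited)' -Target $IE

# 2. Report whether this shell itself holds an enabled Administrators group.
"Administrators enabled in this shell: $(Test-AdminToken)"

# 3. Run the same membership test in a child started by "psexec -l" and compare.
$check = '([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)'
& $PsExec -l powershell.exe -NoProfile -Command $check
```

Keeping the original shortcut alongside the limited one preserves the full-rights path for sites such as Windows Update.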

Once again, none of the above techniques help with saving an attachment or downloading malware and then launching it separately. Don’t trust attachments. Gmail won’t even let you download a .EXE file.

Oh yeah, some of you are wondering about Vista. Well, Vista by default runs accounts with reduced privileges and then asks “Are you sure?” if the program wants to do something normally requiring admin rights.

PayPal Security Key

July 5th, 2007

Multi-factor authentication (biometrics, security token, etc.) is better than using a password alone. For $5 one can get a security key for PayPal. I’ve always been a fan of PayPal because it is safer than credit cards in that money is transferred in exact amounts to vendors. Only PayPal has to have the credit card information.

PayPal, though great, is still susceptible to attacks in that a password can be guessed or keystroke loggers can capture login credentials. The new security key takes care of those two attacks. Read more, or order your own, here.

Viewing Stored Passwords in Internet Explorer

March 19th, 2007

It is important to note that even though Firefox can display saved passwords by default, there are several freely available tools that can display passwords stored in Internet Explorer.  These tools do have to be copied/downloaded to the computer but a determined snoop can get all of one’s ‘hidden’ IE passwords in less than a minute.

Saving passwords in Firefox

March 16th, 2007

It was pointed out to me yesterday by Andrew Rush (Instructional Technology Specialist at UMW) that Firefox has an alarming feature: with just a few clicks, all saved passwords for the browser will be displayed in plain text. The good news is that the passwords are not stored in the clear on the hard drive and there are ways to greatly reduce the chances of someone else seeing this information.

Patrick Crispen has done an analysis and I agree with his opinions on this matter.

In short, it would be worthwhile for those who use stored credentials to use the Master Password feature. In addition, everyone should really have a password-protected screen saver on their personal computer account.