Thursday, July 3, 2008

2 simple rules for safer browsing.

A week ago I rambled a bit on the lousy state of browser security. So what can you do about your browser security? Basically, make yourself a difficult target. It's easier than you think.

What you need to know is where the threat comes from and what the Bad Guys are trying to get. Then it will be a lot clearer how to make this harder for them.

The Bad Guys

I pointed out in my post Patching is a pain in the bore that malware has pretty much been criminalized. The Bad Guys are organized crime, mostly (well, the dangerous ones, who are most likely to try to nab your Paypal info). Talented people make a living writing exploits. Now, it's not the easiest thing writing exploits - if you screw up, your 'sploit runs wild like RTFM or Farid Essebar, and everyone notices. Chris notices. The New York Times notices. Your boss notices. Your boss is mad, because stealing money is harder when every rushes to apply the security patch. Did I mention the organized crime bit?

What this means is that we're seeing an increase in quality in malware. This is A Bad Thing, because:
  1. Low quality malware makes programs crash. A crashed program can't steal data. It's a Good Thing when they can't steal data.
  2. Users notice when programs crash. The more they notice, the more likely they are to patch their program. Patching in general is A Good Thing.
  3. When users notice your malware, they send it to antivirus companies, who make signatures for your malware. This means some of your potential victims are protected by the time your exploit attacks them.
So malware is written much more carefully than it used to be. 2003 in particular was the "Year of the worm". We don't see that any more, not because we're better at patching (ha!), or because our security software is better at protecting us (double ha!), but because we no longer notice successful attacks.

What the Bad Buys are trying to get

Money. Credit card numbers, social security numbers, Paypall account info, other personal info. Your info.

Make yourself a harder target

The exploit writer needs to produce a high quality exploit - this is pretty hard, and takes some time. He's going to invest his time making an exploit that will work for the largest number of computers possible. For example: target Internet Explorer or Firefox? Well, Internet Explorer has 75% market share, to Firefox's 20%. Also, you have 3 out of 4 chance of having a successful exploit in IE (75%) vs. maybe a 1 in 3 chance in Firefox (33%). So, 75% of 75% of the market is 56% of everyone is vulnerable, vs. 33% of 20% (7% of everyone).

Rule #1: Don't ever use Internet Explorer.

Ever. Don't make me want to change my tone.

Also, browsers aren't the only part of your computing environment. Your Operating System is darn important to Exploit Boy. If he wants to install a sneaky bot (trojan, spyware, spam relay), it needs to run on your OS.

Again, let's play the percentages: 90% Windows, 8% Macintosh, 1% Linux, 1% other.

So, Tam, you're in pretty good shape. Me, too - I run Linux. Admittedly, this may not be practical for everyone (especially Kim, who's probably lost his CPU to Vista now), but it's a big, big win if you can.

Whether you or not can not use Windows, you should absolutely use a separate browser for important (e.g. financial) browsing: online banking, brokerages, 401k, Paypal - all of these should only be done in a different browser. By "different" I don't mean "open another window". I mean get a different damned browser. I like Opera. Fast, free, everything works fine in it. 0.7% market share - nobody in his right mind will target it. Did I mention the Organized Crime bit?

Rule 2: Use Opera for important financial transactions. Use Firefox for everything else.

Everything. I mean it. OK, Macintosh folks can use Safari for everything else. Actually, Windows users can use it, too, but remember that it's 7% market share vs. 0.7% market share (yeah, OK, Safari on Windows is not 7%, but still, you know what I mean).

So I don't lose my security geek street cred, I have to say that this is no panacea, yadda yadda yadda. Still, it's easy, simple, hard to mess up, and reduces your attack profile. I don't care who you are, that's a security win.

No comments: