“Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer”
Google’s new pop-up warning is part of a long-running battle over the security of the most important program used today: the web browser. However, despite its use as a gateway for hackers and cybercrime, the browser is often overlooked by users. Fortunately, with a few tweaks it’s fairly easy to make using the Internet more secure.
What kind of attacks happen in an unsecured browser?
There are two major types of attacks: malware and phishing.
Malicious software, called “malware,” can be installed through the browser by abusing scripting features like JavaScript. Sometimes an exploit can make a benign-looking file, such as a video recording or a sound file, run code. The malware itself may be a computer virus or a program that gathers data by uploading locally stored files or recorded keystrokes.
Phishing is when a page is set up to look like a legitimate website, but the information is going to an outside server. This is commonly used to gather credit card information from online shoppers. Sometimes, the phishing site is at a registered domain that sounds official, while other times a script is used to place a graphics file or text object over the URL bar so the user doesn’t see the actual URL.
How can these attacks be avoided?
To make the browser secure, the settings should be altered to do five things:
– Ensure that the browser is kept up-to-date with the latest bug fixes
– Prevent malware from having a chance to run
– Send information only to websites that you are actively using
– Keep the browser from storing sensitive information
– Block connections with known phishing sites
All the major browsers have built-in capabilities to perform each of these tasks.
Why aren’t browsers set up to be secure in the first place?
Default settings are designed to be as open as possible to ensure that everything will work right out of the gate, even if that means leaving the user vulnerable. It’s up to the user to find a trade-off between flexibility and security. In the guide below, choices that may cause problems with functionality are marked “Optional.” For example, unauthorized add-ons may be malware, but most users find reputable add-ons far too useful to disable outright.
Setting Up Your Browser for Improved Security
Internet Explorer
Many IT managers actively discourage the use of IE because it’s closely integrated into Windows, making the operating system more vulnerable to attack.
– Updates
Open Windows Update in the Control Panel and set updates to “Daily.”
– Phishing, Sensitive Data Storage, and Data Control
Inside the browser, select Tools -> Internet Options from the menu.
Click the “Advanced” tab. Check “Turn on automatic website checking” under “Phishing.” Optional: Uncheck “Play animations” and “Play sounds.”
Click on the “Content” tab. Click on the “AutoComplete” button and uncheck “user names and passwords…”
Click the “Privacy” tab. From here, click “Advanced.” Check “Override” and “Accept” for first party cookies, and “Prompt” for third party cookies. Make sure “Always allow…” is unchecked: It’s disabled by default.
– Malicious Programs and Scripts
Click the “Security” tab. IE uses security zones to control access to the browser, dividing network connections into local systems, trusted sites, and other Internet sites. The zone settings also cover JavaScript. Set “Internet Security Zone” to “High” and “Trusted Sites” to “Medium-High.”
Firefox
– Updates
Firefox can be set up to automatically look for and install updates when launched.
For PC Users: Tools -> Options -> Advanced -> Update
For Mac Users: Firefox -> Preferences -> Advanced -> Update
Updates for Linux users should be automatically handled by their package manager.
– Malware, Malicious Scripts and Phishing
Open the browser and access the preferences menu.
For PC and Linux Users: Edit -> Preferences
For Mac Users: Firefox -> Preferences
Click the “Security” tab and check the following boxes:
“Warn me when sites try to install add-ons”
“Block reported attack sites”
“Block reported web forgeries”
Click the “Content” tab. Next to the “Javascript” entry, click on “Advanced…” Make sure all the boxes are unchecked.
– Sensitive Data
For PC and Linux Users: Tools menu -> Options -> Security
For Mac Users: Firefox menu -> Preferences -> Security
Uncheck “Remember passwords for sites”
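The Firefox checklist above can also be verified from the profile's prefs.js file, which records only the preferences that differ from their defaults. The script below is an added example, not part of the original guide: the preference names are real about:config keys, but their mapping to the checkboxes, the default values, and the sample file contents are assumptions made for illustration.

```python
import re

# Pref names are real Firefox about:config keys; their mapping to the
# checkboxes above and the default values are assumptions of this example.
CHECKLIST = {
    # pref name: (wanted value, assumed default, checkbox it backs)
    "xpinstall.whitelist.required": (True, True, "Warn me when sites try to install add-ons"),
    "browser.safebrowsing.malware.enabled": (True, True, "Block reported attack sites"),
    "browser.safebrowsing.phishing.enabled": (True, True, "Block reported web forgeries"),
    "signon.rememberSignons": (False, True, "Remember passwords for sites"),
}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List (pref, effective value, wanted value, label) for each mismatch."""
    prefs = parse_prefs(text)
    findings = []
    for name, (wanted, default, label) in CHECKLIST.items():
        effective = prefs.get(name, default)  # absent from prefs.js means default
        if effective != wanted:
            findings.append((name, effective, wanted, label))
    return findings

# Constructed sample: a profile where attack-site blocking was switched off.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("browser.cache.disk.capacity", 358400);
'''

if __name__ == "__main__":
    for name, got, want, label in audit(SAMPLE):
        print(f"{label}: {name} is {got}, want {want}")
```

On the sample, the audit flags the disabled attack-site blocking and also the password setting, which never appears in the file because it is still at its default of saving passwords.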
Google Chrome
– Updates
Updates are handled automatically in the background whenever the browser is opened, regardless of platform.
– Malware and Malicious Scripts
Click on the Chrome menu (usually a wrench icon), and go to Preferences -> Under The Hood. This will open a new web page. Check “Enable phishing and malware protection.” Under Javascript, check “Do not allow…” Under cookies, check “Block third-party cookies and site data.”
Click the “Content Settings” button under “Privacy.” Here, check “Block third-party cookies and site data.”
– Sensitive Data
Click the Chrome menu and go to Preferences -> Personal Stuff
Under “Passwords,” check “Never save passwords”
Under “Autofill,” uncheck “Enable Autofill”
Safari
– Updates
Go to System Preferences -> Software Update and set the update manager to perform daily updates.
– Sensitive Data, Malicious Scripts and Malware
In the Safari menu, click “Preferences”
Under the “Security” tab, check “Only from sites you navigate to” under the cookies settings.
Optional: uncheck “Enable plug-ins” and “Enable Java.”
Under the “Autofill” tab, uncheck “user names and passwords”
Under the “General” tab, uncheck “Open ‘safe’ files”