Tuesday, March 15, 2011

Mac Security Status Report,
Part II

--
Internet Privacy Tools

One of the quietly astounding developments on the Mac platform is the arrival of terrific tools for establishing real privacy on the Internet. 2010 was rife with stories about how our privacy and even our identity was being stripped away by everyone from the Corporate Oligarchy to the legitimate US federal government. You'd think we were still living under the thrall of The Bush League Era, the assault on privacy has been so persistent and thorough. But serious tools for reestablishing US Constitution guaranteed privacy rights are here and they work. I would go so far as to say that 2010 established an Internet revolution of user privacy. I could not be more pleased.

Here are a few of the wonderful privacy tools and events from 2010. Keep in mind that much of this has been in the works for years and that there are more privacy tools on the way:

1) The Onion/Tor/Vidalia Project: The "Onion Router" project began back in 2002 as a method for concealing Internet user's identity and network activity, preventing surveillance and traffic analysis. Amazingly, the project was originally supported by the US Naval Research Laboratory. In 2004 the Electronic Frontier Foundation (EFF) began supporting the project, providing important guidance and solidification of the project's manifesto. In 2006 the Tor Project was established as a non-profit organization gathering and providing all financial support.

There are a number of FREE pieces of software that make use of the Tor Network. The prime program is Vidalia, aka 'Tor'. This is the software that runs the show. If you use Firefox, you will also need to install the Tor Button add-on. The next useful tool is a web page called "Check". It will verify for you whether you have Tor properly running on your system and web browser. Of side interest are a few other tools such as the Tor Browser Bundle (currently in beta for Mac OS X), and the Firefox add-on FoxyProxy.

Learning how to use Tor is difficult. Try to find someone who understands it to help you out. It is very much 'geek' level technology with meagre documentation and lots of obscure tricks required to use it to the fullest. With patience you'll find that Tor is astounding, effective and important for maintaining real Net Neutrality and user privacy.

In the near future I will be providing a long promised Mac specific article about how to use Tor for overcoming media marketing blackouts on the Internet. Keep an eye on my MacSmarticles blog. If you wish very hard, you may find me providing a series of articles about how to use Tor, translating geek-speak into intermediate Mac user lingo.

2) Ghostery: This is a FREE tracking cookie and web-bug tracking system. The tracker list is frequently updated and is very thorough from my experience. It runs on-the-fly killing off inter-website tracking systems. As you move from page to page it provides you with a small window listing all the detected and blocked tracking sources. As you use Ghostery you will seriously astounded at the amount of tracking/surveillance being perpetrated at you. Maybe you don't care. Maybe you're in marketing and you believe anti-tracking tools are evil. Personally, I love Ghostery and won't leave my home page without it.

Here is what the Ghostery developers have to say about it:
Be a web detective.

Ghostery is your window into the invisible web – tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior.

Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity...
There are THREE versions of Ghostery that work on Mac. One is the Firefox add-on. Another is the Safari extension. The last version is for Google Chrome. You can access all versions of Ghostery HERE.

3) Safari Cookies: This is an indispensable FREE add-on for Safari. It works great with Ghostery and provides further functionality. It has three main functions:
  • It allows you to create a website Cookie white list while killing off everything else.
  • It allows you to create a Flash Cookie white list while killing off everything else.
  • It allows you to create a website Database white list while killing off everything else. (I bet you didn't even know that websites could dump database information into your web browser! Very nasty).
Important: Do NOT use versions 1.6.4 - 1.6.7 of Safari Cookies. I've been in contact with the developer about their bugs and he most kindly has overcome them all with version 1.6.8 onwards. Now that it is working again, I cannot recommend Safari Cookies enough. Many thanks to SweetP Productions!

4) ECMAScript/JavaScript Prevention Tools: JavaScript is both a boon and a plague on the Internet. JavaScript allows such nifty things as Ajax coding on web pages. And yet, frequent readers of this blog know that I would very much enjoy JavaScript being erased from history and replaced with a scripting language that is actually and reliably SECURE. IOW: JavaScript is a gateway for malware and OS pwning. The blame for this catastrophic mess lies with three sources:
  1. Netscape, who invented Mocha, renamed LiveScript, the original name of 'JavaScript' before marketing-morons were allowed to license and inflict the utterly confusing and wrong 'Java' name into its title. (I despise marketing-morons. Have you noticed that? I worked with them every day for five long, stressful, infuriating years at Eastman Kodak, gawd help me. But I rant...).
  2. Microsoft, who inflicted their own typical insecure crapcode into JavaScript in the form of a monstrosity they call 'JScript'. Until recently, if you had attempted to resolve a web page that was designed using Microsoft's worst-in-class web design program 'FrontPage' you found the result to be a disaster. JScript was the main culprit. These days most web browsers comprehend JScript. But it remains a prime cause of hit-and-run website malware infections. Microsoft trolls will find this statement infuriating I exaggerate not. Just be glad that Mac users don't also have to contend with ActiveX, yet-another insecure Microsoft scripting language. (The Mozilla Project used to support Active-X but a couple years back banned it from any of their browsers for the benefit of their users and future generations of Internet users, amen).
  3. Adobe, who own what was once Macromedia, who perpetrated an insecure scripting language called ActionScript. It is mainly used in Flash and SWF embedded web pages, is one reason why Flash hacking is well known as a prime method for pwning Mac OS X. It is also one of the many reasons why Apple wisely banned Flash from their iDevices. It is also a prime source of malware for the Google Android OS.
Preventing this toxic brew of dangerous scripting languages from ruining your Internet browsing experience has become increasingly crutial. That is why I champion browser add-ons that let you choose when or whether to load JavaScript. Here are a few of the JavaScript prevention tools for Mac web browsers:

NoScript: This celebrated FREE Firefox add-on from InformAction is brilliant. It is frequently updated to keep up with the lastest in scripting crapcode. And it not only protects you from evil JavaScript! It also protects you from evil Java, Flash and other insecure web plug-in code that may be out to infect or pwn you. This add-on is one of the prime reasons to dump all your other web browsers and go 100% Firefox. I kid you not. Much as I like Safari, when I want first class web security, I use Firefox with both NoScript and Ghostery running. Get it. Use it. Enjoy!

JavaScript Blacklist: This is a rather meagre FREE Open Source add-on JavaScript killer for Safari. It allows you to block JavaScript from any web domain. Sadly, it is little more than proof-of-concept with a teeny-weeny 2.5 inch text box for inputting  your blocked website list. The best way to use it is to create your list in a text editor then copy and paste it into the teeny-weeny box. Whenever you want to add to your list, edit your text file then copy and paste again. There is no point in bothering to do any editing within JavaScript Blacklist itself. If you can deal with its shortcomings, this is a nice add-on for Safari fans like myself.

If you're ambitious, there are places to find lists of websites know to be infected with dangerous JavaScript. Ideally you could hack together a list from NoScript. But you'll find the task arduous. Don't bother.

5) Open Wi-Fi Router Defense Tools:

HTTPS Everywhere

This is a Firefox extension/add-on that specifically counters the hackware Firesheep extension/add-on. You can read about Firesheep here:

Firesheep

The general concept of this hacker war is that every website must stop using mere http connections and move over to https, SSL encrypted connections. HTTPS forces on SSL at websites exploited by Firesheep that are known to offer it.

6) Evercookie Defense Tools:

The 'Evercookie' is a concept developed this past year that threatens even the most obsessive of personal privacy web surfers. You can read about it here:

Evercookie

The basic concept is that there are multiple files tossed onto our computer as we surf the Internet. What we call browser 'cookies' are only one form. Using the Everycookie concept, a personal privacy parasite needs only one of these several files to track us across the Internet. And any one of these files can be used to respawn all the others. Therefore, with the Evercookie system, real personal privacy requires deleting every single one of these tracking files from your web browser

The best tool to combat the Evercookie so far, that I am aware of, is the BetterPrivacy extension/add-on for Firefox. You can read about hit and download it here:

BetterPrivacy

~~~~~~~~~~~~~

There are further Internet privacy tools a plenty! But this shortlist covers the best of them and will get you going. I know! These tools don't fully solve the 'Evercookie' dilemma. But I don't know anything that does, not yet anyway. Hopefully an Evercookie killing tool is in store for us in 2011.

Coming up in Part III will be my version of a comprehensive list of currently active malware for Mac OS X, including all their various names. All of them are either Trojan horses or hacker tools. I am also looking forward to putting together an article on Mac OS X 10.7 Lion security, which so far sounds like a decent improvement. Stay tuned!
--

No comments:

Post a Comment