Recently an exploit was discovered on the web that allowed bad web sites to hijack the accounts of clueless Second Life users via a script that would grab the user’s login info from wherever it’s stored in Internet Explorer. I refer to the victims as clueless not only because they use Internet Explorer, but also because they allow it to save their passwords. I will now try, as an exercise in becoming a better person, to feel some sympathy for them . . .
Nope, not working. I’m going to have to find easier exercises and work my way up to that by degrees. Perhaps I can start with feeling some sympathy for Britney Spears (though not as much as the “leave Britney alone” kid).
Maybe I can have sympathy for them by taking a moment to reflect on the fact that the virtual currency of Second Life, Linden Dollars, is convertible into actual dollars, and therefore someone whose account was compromised could be cleaned out of real money . . . No, that just makes me want to laugh. Clearly I must put much more effort towards becoming a better person.
Or perhaps it’s just that for years now I’ve been telling people that if they are going to journey to the darker side of the web (porn sites, warez sites, black hat hacker sites, sleazy stock tip sites, etc., etc.), for goodness sake don’t use Internet Explorer, and whatever you are using, turn off java and javascript! THIS ISN’T ROCKET SCIENCE PEOPLE!!! Sorry, sorry, didn’t mean to shout. Clearly I have some anger issues as well.
Once, when the world (wide web) was new, some might have argued that neither java nor javascript would be exploitable, since they’re supposed to run in a sandbox stripped of all manner of privileges allowing them to do anything nefarious to your computer. However, time and experience have shown that complex systems yield unforeseen combinations. As well, it would be foolish to believe that your browser doesn’t have bugs — yes, even if you just upgraded it because the last version had bugs. There has never been a browser released where, finally, they discovered and fixed all the security holes. Your browser has security holes that no one knows about yet, or worse, are only known about by the black hats. Perhaps they are being auctioned off even now to the highest bidder on Wabisabilabi.
The other day I was googling something innocuous, clicked on a search result, and my browser (Firefox) was redirected to another site which immediately attempted to whore the system. It didn’t succeed, of course, since it was clearly targeting Windows and trying to install Windows binaries, a futile effort against a Linux machine. I even clicked on “ok” to something that would have been very, very bad for a Windows user to agree to, just to watch it gnash its teeth.
However, it does demonstrate that the old advice to take precautions only when visiting seedy sites is outdated. These days, even high-ranking Google results may point to sites that have been compromised, or designed to be evil from the start, and achieved a high Google rank by nefarious means. Most any link may function as a kind of wormhole which sucks your browser quite unexpectedly to the dark side. You just can’t say for sure where a link is going to take you.
I’ve known about the NoScript Firefox extension for some time, but never installed it as it seemed excessively paranoid. However, I’m reassessing. I have been using it for about a week and it’s really not that bad. To break it in, one simply hits the dozen or so sites that one visits regularly and adds them to the white list. There’ll be other sites you’ll need to add later for them to work properly, but most will function fine even if you don’t add them. Perhaps buttons won’t change if you mouse over them, but that may not even be worth the simple process of adding the site to the white list. It’s so little hassle that I’m going to leave it installed, even though as a Linux user I have vastly less risk than a Windows user.
[Image: bottom left corner of my web browser visiting zombo.com, showing the NoScript dialogue and bits of a couple of other extensions.]
NoScript isn’t a panacea for all the potential dangers out there. For instance, there are vulnerabilities related to browser image rendering (search securityfocus.com for gif and jpeg). You can turn off images (Edit=>Preferences=>Content then uncheck “Load images automatically”), though that’s pretty drastic. But if you at least cripple a site’s ability to do stuff dynamically through scripting, you will have removed some of its teeth, and very pointy ones at that.
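To make the two points above concrete, here is a small model of the policy I'm describing: scripts run only if their source host is on the white list, while images are governed by the separate "Load images automatically" preference, so script blocking alone does nothing about image-rendering bugs. This is an illustration I've added, not NoScript's own code, and the white list, hostnames and requests are made up; the assumption that NoScript keys the decision on the script's host rather than the page's is mine.

```javascript
// Added illustration (not NoScript's code): a NoScript-style "scripts only
// from whitelisted sites" policy next to the separate image preference.

// Constructed white list: the dozen or so sites one trusts (two here).
const trustedSites = new Set(["zombo.com", "example.org"]);

// A host matches a white-list entry if it is that site or a subdomain of it
// (assumed behaviour; NoScript's real matching rules are more involved).
function isTrusted(hostname, whitelist = trustedSites) {
  const host = hostname.toLowerCase();
  for (const site of whitelist) {
    if (host === site || host.endsWith("." + site)) return true;
  }
  return false;
}

// Decide whether one resource a page requests may load.
// Scripts are judged by the host they come FROM, so a trusted page that
// pulls a script from an untrusted host still has that script blocked.
// Images ignore the white list entirely: only the browser preference
// ("Load images automatically") controls them.
function resourcePolicy(request, prefs = { loadImages: true }) {
  const url = new URL(request.url);
  switch (request.type) {
    case "script":
      return isTrusted(url.hostname) ? "allow" : "block";
    case "image":
      return prefs.loadImages ? "allow" : "block";
    default:
      return "allow";
  }
}

// Apply the policy to a batch of requests and annotate each with its decision.
function applyPolicy(requests, prefs) {
  return requests.map((r) => ({ ...r, decision: resourcePolicy(r, prefs) }));
}

// Constructed sample: what a whitelisted page might try to load, including a
// script and an image from a third-party host that is not on the white list.
const sampleRequests = [
  { type: "script", url: "https://zombo.com/main.js" },
  { type: "script", url: "https://cdn.zombo.com/ui.js" },
  { type: "script", url: "http://third-party.example.net/redirect.js" },
  { type: "image", url: "http://third-party.example.net/banner.gif" },
];
```

With images left on, the third-party script is blocked but its GIF still loads, which is exactly the gap the image-rendering bugs fall into.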
If you haven’t already, you might also want to check out the Adblock and FlashBlock extensions. While not directly security related, they may save thine eyes from the corrupt visions of the Beast, yea, even the most foul visitations which invite you to strike a monkey, or which feign to be a Windows dialogue.
If you’ve taken these precautions, switched to Firefox, been wary of the dark side, installed NoScript, and still your system gets whored by some nefarious web site, you will most certainly have my sympathy. If it happens because you visited the dark side with a password laden Internet Explorer and someone stole all your Linden dollars, well, you may have to wait some time for me to become a much, much better person before I can shed a single tear.