Tuesday, December 02, 2008

Quick Browser and Google Bits

Just some browser bits and pieces over the last weeks that might be worth noting

Google Chrome

While still not my main browser (Firefox 3.1b1 takes that slot), Google’s Chrome browser has endeared itself to my heart for its simplicity and style.  I love using it during presentations and trainings.  It really does bring the focus away from the browser and on the content.

That said, it still lacks many basic (IMHO) features. One of which is a bookmarks manager.

That hurdle has now been cleared.

Google Chrome gains a bookmark manager - Download Squad

I’ve tried it and it does add a lot to the Chrome party.  If you haven’t updated your Chrome browser it’s time to do so, for this alone! To do so simply go to "About Google Chrome" in the Tools/Help menu.  The updater should be available.

heise Security UK also points out some other worthwhile additions:

Google has also has brought all of the privacy settings together, and has reworked the pop-up blocker.

A potential security problem has also been eliminated. Until now, local HTML files were able to use XMLHttpRequest to move data to or from the internet, something attackers were able to exploit in order to steal data. Google has now put an end to this.

Also making some news is that upcoming releases of Chrome will also be able to fully support Chrome extensions now that the framework for API development for Chrome extensions has been published. Finally.

Google Chrome: Chrome Extensions On the Way, Adblock Imminent – Lifehacker.

I have to say, of all the Firefox Add-on extensions I use, the two I would most want to see in Chrome versions would have to be (hands down) Adblock Plus and NoScript.

Everything else would be gravy

Mozilla 3.1b3 ?

While I still wait for Firefox 3.1b2 to be released, now comes some interesting news that there might be a 3rd beta in the wings scheduled for Firefox 3.1.

Mozilla eyes extra beta for Firefox 3.1 – LinuxWorld

Previous schedules published by Mozilla had limited Firefox 3.1 to only two betas before moving to a release candidate.

In a long post to the "mozilla.dev.planning" forum, Mike Beltzner, the director of Firefox, said that Beta 3 is necessary to get a feel for the severity of the remaining bugs and an idea of how long it will take developers to eradicate them. In addition, another beta will give more exposure to features landing in the browser only as of Beta 2, which has not yet been released.

Not sure how likely this will be, but if it brings added stability and bug-fixes to key features and functionality to the next version update, I’m all for it.

Fashion your Firefox – Add-ins pre-picked/pre-packaged

Completely unrelated, but interesting none-the-less is the Mozilla sponsored Fashion your Firefox. This page allows you to select a Firefox “functionality theme” and then either select some/all of the suggested Add-ons in one fell swoop.  I really like this as a starting point for new-to-Firefox users as it really helps sort out some great Add-ons to showcase how Firefox is so awesome in flexing to the needs of its users.  And from a Mozilla-blessed standpoint to boot.

Sadly, lacking in the list are any collections that are forensic/pen-testing/security centric.  If you want those you will have to look to the Security Database Tools Watch - FireCAT 1.4 package or pop over to the Package de plugins FireCAT 1.4 (natively in French so here is the English Version a-la Google) and download the compressed file and install away. 

RE: GMail Exploit or Not?

In a late November GSD post, All Over Gmail: Like Stink on a Skunk, I mentioned a possible Gmail flaw that allowed a domain hijacker to drop some incoming mail intercept filters and take over the MakeUseOf blog site among others.  At the time it was unclear if this was a new/old/non-existent exploit. Although more than a few folks thought it was.

Well now that some time has passed, Google officially has said “not so!”

Google Online Security Blog: Gmail security and recent phishing activity

We've seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners' domains by unauthorized third parties. At Google we're committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.

So according to Google, the impacted users were victims of a phishing attack, not a Gmail exploit.  However, some good proof of concept seems to still show that it could be possible, however unlikely.

So, I still say keep an eye on your Gmail filters and check for anything unwanted and in the meantime, always use the HTTPS access login feature of Gmail just to be safe.

Other related links I collected as this story continued to develop:

Google security denies XSRF reports - Network Security Blog. A very good and brief analysis and commentary on the state of this particular story from security blogger Martin McKeay.

The fact is, I don’t see enough evidence for or against the exploitation of this vulnerability to prove either side of the story.   No amount of fact checking in the blogosphere is going to prove the point, there’s simply not enough known, it’s almost all speculation.  The Google Security team has to deny the report, it’s part of what they do.  But they have done a good thing in strongly suggesting everyone force their Gmail account only use SSL when logging in.  It’s not a perfect solution, but it is a step up from what most people are currently doing.

Gmail Exploit May Aid Domain Hijacking – ReadWriteWeb. Includes timeline of events and breakdown of the story from a wide-angle.

Hole in Google Mail allows mail to be hijacked - heise Security UK. Security site provides their perspective on the issue.

Google GMail E-mail Hijack Technique – GNUCITIZEN old post on 2007 Gmail exploit issues.

Removing your Google Cached pages for deleted content

A very dear and cherished blogger whom I follow found herself out of work some months ago.  Her blogging has continued faithfully but recently took a turn of frustration and extro-spection when she wondered if her blog and its posts were a possible drag on her employment search and application-screening process.

With more and more Net savvy employers doing Google searches for evidence of an applicant’s background on the Net, it is becoming harder and harder to present a “sanitized” version of oneself.  The past can come back and bite you, even when “deleted”. (Related: The End of Online Anonymity –ReadWriteWeb).  I worry for Alvis and constantly coach her to be careful and restrained on what she shares about herself online.  It’s fun now as a teen but when she gets out of college eight or so years from now?  Then what when she starts climbing the career ladder?

Anyway, this particular blogger was contemplating deleting some/many of her previous blog posts.  I commented that while that seemed like a good response, Google’s cache or the Internet Archive makes it harder than ever to really scrub your previous online presence from the net.

That’s good from a research standpoint but bad from a personal-privacy/regret-remediation standpoint.

To learn more about how this can be done, see this post Browsing the Web Using Google Cache – Google Operating System Blog.

Google Cache is a great solution if a web page is down. If you're visiting a site and it returns a 404 error message, you can…do a search on Google for that site (add the cache: operator, so your search query would be something like cache:www.google.com).

Google Cache Hacking - rentzsch.com has more juicy details on this feature.

Instead, after opening my heart up a bit more than usual with perspective and encouragements, I offered some advice that maybe she should instead begin seeding her blog with more technical posts that would indicate her skills and showcase why her technical knowledge would be an asset, instead of just having posts (however wonderful they are) of a strictly personal nature.  Maybe that might work to her advantage as well as providing some balancing professional counterpoint to the personal themed posts.

That said, there are some avenues to getting your content removed from Google cache listings:

Google: Deleting things from Google’s cache – Lifehacker

Removing my own content from Google’s index – Google Webmaster Help Center

If the content is currently in our index, we will remove it after the next time we crawl it. To expedite removal, use the URL removal request tool in Google Webmaster Tools.

Same goes for the Internet Archive’s Wayback machine saved page removal.  From their FAQ

How can I remove my site's pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

Here are directions on how to automatically exclude your site. If you cannot place the robots.txt file, opt not to, or have further questions, email us at info at archive dot org.

These are the only locations that previously Net posted materials may be saved, but might be the most common. 

Feel free to leave other tips on sites that cache pages even when removed and links for the removal process.

As for the dear blogger, she removed that particular post (and it wasn’t cached BTW) and I haven’t heard a response to my comments, but I did notice a few more “technical” posts on her blog.  Good show and best wishes!


--Claus V.

1 comment:

Anonymous said...

Firefox 3 Beta 3? Well, so much for the original release goal of January 2009. Well, I guess they already knew that wasn't feasible as they were saying 1st quarter 2009.

But wait, wasn't Firefox 3.1 only suppose to be a simple "enhancement" to Firefox 3? That is, implementing those features that were almost, but not quite ready when Firefox 3 was released. Now nearly six months since the release of Firefox 3, 3.1 is being plagued by the same set backs (extended Beta releases, show stopper bugs, etc.) as a major release.