
Avoid malware attacks using the ScriptNo Chrome extension

Despite the usefulness of the web, an unfortunate reality is that the web is used for many, if not most, malware attacks.  It used to be that to infect your system, you had to run an executable piece of software on your computer, usually by being tricked into running an email attachment or by running cracked, infected software for example.

Attackers have become a lot more sophisticated since those days.  While regular virus infections such as those are still a threat, nowadays your machine can become infected just by clicking a bad link, or worse, visiting a regular, normally trustworthy site that has been compromised by the bad guys.  These attacks usually get your browser to run the infected program without asking you and without any visible indication that the bad guys have succeeded.  They make use of holes in your browser software, JavaScript, Java, PDFs or other technologies that can be abused.

Frequently, the first step is to get your browser to do something that you have no control over and that you don't see happening, such as running JavaScript or using hidden iframes, zero-pixel pictures, and other dirty tricks.  Even some otherwise-legitimate sites use some of these tricks so they can track your online movements.

For this reason, I recommend using Google Chrome, the third most-popular browser on the Internet.  I recommend it both because it's an excellent browser, my favorite from an ease-of-use perspective, but also because it is less directly targeted by malware authors because of its "runner-up" status (look for this to change as it becomes more popular, which I believe it will continue to do).

Chrome supports extensions, add-on pieces of software that change how it functions.  If you are security conscious, ScriptNo is one such excellent add-on. 

ScriptNo blocks scripts and other web nasties from running by default, showing you an icon in the toolbar whenever you visit a page.  This icon is important because it tells you whether the page is trusted or not, and how many items have been blocked from running on the page.  Visit one of your favorite sites and you may be shocked to learn that some are running 20 or 30 of these items on a page, not just from the site itself but from all over the web.

While "normal" sites tend to run many fewer than that, it's not out of the realm of possibility.  And to be fair, many if not most of these items are innocuous or useful.  For example, most page animations and popups (such as picture "lightboxes") are scripts.  These are good and useful most of the time.

However, even legitimate sites include a lot of stuff I find objectionable, mostly related to tracking your movements on the web for advertising purposes.  These things are blocked by ScriptNo as well unless you explicitly enable them.

And, for the most part, many, many pages load and run fine without all of the added junk.

The drawback (and there's a drawback of course), is that the pages that _do_ need the added junk won't work when you first install ScriptNo.  This is a problem.  You go to read your email and the page loads partially, but no email shows up.

That's because all scripts are blocked by default and "web apps" like email and Facebook need them to be allowed.  To do this, you go back to the icon in the toolbar and click it.  It then shows you a list of all the places on the Internet that this page is loading scripts from (yes, a page can load scripts from anywhere else on the Internet that it wants, and you never see that).

A word about these sites.  Usually you can go ahead and "allow" the site name that you're visiting without too much further thought.  However, it loads a lot of scripts from places you've never heard of.  These show up in the list, but how to know whether to enable them or not?

For the most part, you shouldn't.  Go ahead and enable the main site name and see if the page starts working (more on how to do this in a moment).  However, if the page still doesn't work, it takes some judgment.  I normally avoid anything I already know is an advertising-related site.  It gets easy to figure out which these are over time because you see them *everywhere*.  For the rest, if I see something with CDN in the name, those are candidates because they are content distribution networks, which feed large files like video and images.  Others I address on a case-by-case basis and see if they affect the page's usability.

There are a couple of important buttons by the site names when you list them from the ScriptNo icon:

Rating: If I don't know what a site is already, I click this and it shows me WOT's (Web of Trust) page on the site.  Their color coding system makes it easy to weed out the untrustworthy sites.  If it's green, I generally allow it.

Temp: temporarily allow the site while this browser is open.  I use this to see if a site makes the page usable, and if so I allow or trust it later.

Allow: allow just that particular site now and in the future.

Trust: allow all sites in that domain now and in the future.  I generally use this for major sites like Google.

Distrust: never allow all sites in that domain.  I use this on tracking sites and anything WOT rates orange or red.
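As an added illustration (not ScriptNo's own code), here is a small JavaScript model of the default-deny rule set the buttons above describe: Distrust overrides everything, Trust covers a whole domain, Allow covers one host, and Temp rules disappear when the session ends.  The hostnames and the two-label domain rule are constructed assumptions.

```javascript
// Model of a ScriptNo-style default-deny script policy (added example,
// not the extension's code). Rule precedence, following the post:
//   distrust(domain) -> every host in that domain is always blocked
//   trust(domain)    -> every host in that domain is allowed for good
//   allow(host)      -> only that exact host is allowed for good
//   temp(host)       -> that host is allowed until endSession()
// Anything without a rule is blocked.

// Assumption: the "domain" of a host is its last two labels.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class ScriptPolicy {
  constructor() {
    this.distrusted = new Set(); // domains
    this.trusted = new Set();    // domains
    this.allowed = new Set();    // exact hosts
    this.temp = new Set();       // exact hosts, cleared per session
  }
  distrust(domain) { this.distrusted.add(domain.toLowerCase()); }
  trust(domain) { this.trusted.add(domain.toLowerCase()); }
  allow(host) { this.allowed.add(host.toLowerCase()); }
  tempAllow(host) { this.temp.add(host.toLowerCase()); }
  endSession() { this.temp.clear(); }

  // Decide one script host; Distrust wins even over an Allow rule.
  decide(host) {
    host = host.toLowerCase();
    const domain = registrableDomain(host);
    if (this.distrusted.has(domain)) return 'distrusted';
    if (this.trusted.has(domain)) return 'trusted';
    if (this.allowed.has(host)) return 'allowed';
    if (this.temp.has(host)) return 'temp';
    return 'blocked';
  }

  // Evaluate every script a page pulls in and return what the toolbar
  // icon would summarise: the blocked count plus per-host decisions.
  evaluatePage(scriptUrls) {
    const decisions = scriptUrls.map((u) => {
      const host = new URL(u).hostname;
      return { host, decision: this.decide(host) };
    });
    const blocked = decisions.filter(
      (d) => d.decision === 'blocked' || d.decision === 'distrusted').length;
    return { blocked, decisions };
  }
}

// Constructed sample: a webmail page loading its own scripts, a CDN
// library and two tracker scripts.
const SAMPLE_SCRIPTS = [
  'https://mail.example.com/app.js',
  'https://static.example.com/ui.js',
  'https://cdn.examplecdn.net/lib.js',
  'https://pixel.adtracker.example/t.js',
  'https://beacon.adtracker.example/b.js',
];
```

With a fresh policy all five scripts are blocked; allowing only the mail host still leaves the page's other script blocked, which is the "enable the main site, then see what else is needed" exercise the post describes.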

ScriptNo saves all of this information, so it learns over time and becomes less intrusive.  You always need to train it on new sites whose functionality relies on scripts, though, which is a good portion of sites.  The price you pay for security is less usability and more intrusiveness.

Having been the victim of drive-by web attacks before, it is sad to say but for me an extension like this is a necessity and I use it on all of my computers.  However, I'm knowledgeable about how it works, the good sites versus the bad, and I'm willing to pay the usability price.  Your average user wouldn't choose to do this on their own unless all of those things were true.  To each his own, and I don't recommend this tool for everyone.

However, there is one kind of user for whom I'd strongly recommend this extension, and that's anyone who handles major financial transactions on-line.  Or anyone piloting unmanned drones on bombing missions, but I digress.  If you run your business account online, either do it on a computer expressly dedicated for that purpose and strongly secured, or at least do it with this tool.  Many bank accounts have been looted after being compromised unknown to the user.