PC Pro

DAVEY WINDER

The name’s Bond, Davey Bond. Our intrepid spy shares his security lockdown tips and reveals the ad blockers he employs when it’s safe enough to browse.

- Davey is an award-winning journalist and consultant specialising in privacy and security issues @happygeek

As I sit here writing this column, it’s just a few days before the biggest infosecurity event in Europe takes place in that there London. Infosecurity Europe – not the most imaginative name, I grant you – is where security vendors and researchers, law enforcement, regulators and government all come together with the media for a week of cybersecurity information sharing.

Unfortunately, some of the information that gets shared isn’t done so intentionally. Attendees at DEF CON in Las Vegas have long since got used to the “Wall of Sheep” display that advances security awareness by watching network traffic for evidence of people logging into email and so on unencrypted. It then shows the login username and first few characters of the password on a huge screen. And those are the good guys. Bad guys also flock to these events and Infosecurity Europe is no exception, but they keep their activities stealthier.

Like most serious attendees to these shows, by which I mean those more concerned with the practicalities of information security rather than those trying to sell it, I have a security routine that I always stick to. This starts at the hotel, a prime location for hackers to hang around sniffing for any useful data. Hotels are a prime location at the best of times, but there is none better when a big conference is in town. So I never stay at hotels near the venue, preferring to be based a good few miles away.

Even then, I never use the hotel Wi-Fi, “protected” and paid for or not. I always stick to the harder-to-nose-around-with-and-compromise 4G connectivity, firmed up even further with a double VPN (which connects to two VPN servers in different locations) for good measure. This applies to my phone as much as my laptop. Speaking of which, my daily-use smartphone is always switched off before I get anywhere near the event location and I switch on my burner phone instead.

That burner is a “Mars Bar” phone, in my case a Jelly Pro, which as the name suggests is a tiny device but with 4G and a touchscreen.

I tend to carry a Chromebook for such occasions as it’s harder to compromise and can be re-flashed in just a few minutes to a clean state without sacrificing myself to the gods of hefty devices. I don’t use the conference apps that event organisers love so much, not least as there have been too many cases of these being insecure in the past for me to have any confidence in them at all. I am also, and this will make my friends and family laugh, even more aware of the risk to my data security than ever. I say laugh as they already call me “Davey Bond” thanks to the length of passwords (and the breadth of my swearing when having to enter one on a television set) and amount of multifactor authentication options that I employ.

But being aware of the risk at these events is half the battle won. I have used press laptops in the press room after respected journalists have filed reports on them, only to discover they haven’t cleared caches, let alone logged off. In some cases, I’ve even emailed them a friendly warning about their risky behaviour, which is usually well received.

I mention all of this as, except for using burner phones (I’m a tad paranoid sometimes), all this advice is pretty good to remember and apply to your normal routines – even if you never go anywhere near a conference full of hackers…

Ad-blocking double act

I’m often asked if I use an ad blocker when browsing the web and my answer is no. I use two. Before I reveal which two, I feel that I should point out that I’m well aware of the need for content providers to make money from their sites if they are to stay in business. Here’s the thing, though: it needs to be done in as unobtrusive a way as possible. If the chosen route is via on-page advertising, and truth be told that’s a terminally ill business these days, then it shouldn’t be at the cost of my browsing experience.

As soon as advertising gets in the way of my being able to consume the content on offer, I have one of two choices: either remove the advertising or go elsewhere for my content consumption. When the content is worthy enough, and there is no subscription model to remove the advertising, I will and do use ad blockers. Content providers have to realise that, while the reader may well be the product, the product is actually quite tech-savvy these days as a rule.

Those sites that demand I disable my ad-blocking software to visit them get a mixed response based upon my previously stated “is the content worth it?” and “how invasive is the advertising?” formula. Interstitial pages I can do without, but still I prefer them to autoplay videos and pop-ups. Video adverts are the pits, which is why I have a YouTube subscription that removes the damn things. I also have a number of active subscriptions to sites where the non-video content is of a high quality.

So, back to answering the “which ad blocker?” question. The reason I use two is that content providers are also tech-savvy folk and have any number of ways to circumvent the blocking of advertising. Some even have what I would describe as dodgy deals with the ad-blocking companies to allow their sites to be excluded from the filtering.

After a lot, and I mean a whole wheelbarrow-full, of trial and error testing I have settled with the combination of uBlock Origin by Raymond Hill (github.com/gorhill/uBlock) and Privacy Badger from the Electronic Frontier Foundation, or EFF (eff.org/privacybadger) as my daily defaults. I implement these as extensions for the Chrome, Firefox and Vivaldi browser clients. I avoid Edge like the plague, so haven’t bothered checking for that.

At this point those of you who know about such things are probably thinking: hold on a minute, isn’t Privacy Badger a tracker blocker, rather than an ad blocker? And you would be right. However, I’m not just talking about removing the annoying adverts from the screen but also preventing the underlying advert-tracking analytics. uBlock Origin is my preferred option over Adblock Plus as it blocks invisible trackers by default and adding the EFF tool into the mix provides even stronger blocking to ensure that nothing squeezes through any gaps in my defences. Both tools are also supremely easy to configure, with the defaults working fine for most people, as well as to disable on a per-site or temporary basis. Being able to just hit a button and disable the tracking and blocking to view content and then re-enable after is vital given the amount of research I do in every working day.

What’s more, uBlock Origin also has one-click options to block all pop-ups, “large” media elements, remote fonts and JavaScript for any site, plus a handy zapper tool to remove any element on a page you don’t like – at the risk of page functionality borking, of course. Speaking of which, Privacy Badger has a reporting option for when it breaks a site because it shouldn’t ordinarily do so. Anyway, if you value both ease of content access, as well as your privacy, I heartily recommend giving these two essential tools a try.

Strange but true (part one)

No, I haven’t had one too many beers. Microsoft really has released a security extension for the Chrome browser that works by, erm, sending users to Microsoft Edge instead. Actually, it’s not as insidious as it at first sounds. It’s all part of the Defender Advanced Threat Protection (ATP) platform for users of Windows 10 Pro, Enterprise and Education, which brings hardware-based isolation to the infosecurity party.

This revolves around the virtualised sandboxing protection provided by the Windows Defender Application Guard that was previously a plaything for Microsoft Edge users only. So, what’s going on? The Chrome extension works by using a native application from Microsoft to support communication between the browser and the device’s Application Guard settings, assuming the relevant configuration is correct and the companion app is installed.

This means a user visiting any untrusted resource, those not whitelisted in other words, will be diverted to a Microsoft Edge session inside a Hyper-V-enabled container that provides isolation from the underlying Windows operating system and network. Once here, all of the untrusted sites can be browsed at will as there is no risk to the rest of the system.

Or that’s what Microsoft said when launching this extended functionality. I’m not convinced that is the case, though, if you look beyond the system isolation. Someone saying “no risk” is like a red rag to a bull as far as I’m concerned and is right up there with “unhackable”. There’s always going to be some risk to the business from users browsing sites with malicious intent, and social engineering is top of my list. If the user lands at a site crafted to facilitate the entering of login credentials, then Windows Defender Application Guard won’t stop them from doing so. Nor will it prevent them from revealing other information that is sensitive or potentially threatening to the security of the business. It will prevent malware from hitting the network as the container is destroyed after each session, taking any malicious code with it, but security must always be viewed through a wide-angle lens.

Which means this is a good move by Microsoft, but only if it’s used alongside a defence-in-depth approach to securing the business.

Strange but true (part two)

And speaking of virtualised Microsoft environments, here is one you probably haven’t heard of yet. Unless you’re part of the Windows Insider program, that is, and even then as it’s not enabled by default you may well have missed it. Certainly, a number of people I spoke to in that program, where ordinary folk can get early access to pre-release builds of the Windows operating system, had no idea that Windows 10 now had a sandbox feature. Not that it matters much as Microsoft promptly broke it with an update that totally borked the sandbox.

So, assuming you are an “insider” and are using Windows 10 Pro or Enterprise, what is the sandbox exactly? As the name implies, it’s a virtualised desktop environment that enables you to execute potentially harmful files without any impact to your system. Except it’s less like a traditional virtual machine and more like an app that can be launched from the taskbar. It works, or should work, right out of the box with no additional software required as it’s part of the operating system itself.

It appeared with the 14 May “1903” Windows update and was quickly borked by the KB4497936 update across all three Insider rings. The “file not found” error this introduced should be fixed by the time you read this, so any insiders may want to take a look and enable the Windows Sandbox for a play.

Meanwhile, I’m left with a continued feeling of déjà vu over Windows updates. These things are meant to keep our systems safer by patching vulnerabilities and fixing bugs, yet every single month it seems that they break something. I know I won’t make any friends at Microsoft for saying this, but it’s about time that Microsoft took ownership of the update problem so end users could install them with some semblance of confidence. That’s really not too much to ask, is it?

Image: uBlock Origin’s interface is minimalist, but it maximises the blocking functionality

Image: A burner phone may be OTT, but my hacker conference kit tips are mostly real-world applicable

Image: The Electronic Frontier Foundation’s Privacy Badger adopts a traffic light approach to ad trackers

Image: The Windows Sandbox isn’t enabled by default, but it’s worth playing with
