Showing posts with label Firefox. Show all posts

Sunday, April 3, 2011

Check Your Browser's Security Level


Blog moved. I have a new home now at www.rakeshmukundan.in. Do update your bookmarks :)
Widespread use of social networks and web-based services has made web browsers some of the most used software, which has also made them a weapon of choice for spammers, phishers and hackers. Even people who insist on keeping their system up to date forget to update some of the browser components (add-ons, plug-ins, etc.), as these may not have an auto-update feature.

Qualys has released a free service that lets you check your web browser's security. It supports all the mainstream browsers (Firefox, Chrome, Opera, IE and Safari) on a variety of platforms such as Windows (XP, Vista, etc.), Mac and Linux. Though the service is still in beta on some platforms and browsers, it is still worth checking out. A detailed list of supported platforms and plugins is available here.

BrowserCheck will ask you to install a plugin to continue scanning (I was not asked to install the plugin on Ubuntu with Chrome or FF4; I guess the beta versions are not fully fledged yet). The plugin is signed by Qualys. Install it to continue (read the FAQ to learn why the plugin is needed and to see their privacy policy).
Once installed, you are good to go to check your browser's patch level. Click the Scan Now button.


BrowserCheck will scan your browser, plugins and add-ons against known vulnerabilities and give you a report with details of the installed plugins/add-ons along with their patch status. Detailed descriptions of the status report are available in the FAQ, but as a rule of thumb "Green" means fully patched and "Red" means vulnerable.
Clicking the button will give you more details about the problem and a possible remedy, usually a link to download the latest version.
After fixing all the security holes in your browser, I strongly recommend scanning it once again to confirm, as sometimes plugins/add-ons come bundled with additional software (for example, Google Toolbar) that may undermine the security of your browser.
On a final note, as with any security solution, BrowserCheck is not a single self-sufficient solution for online security; the ultimate security comes with awareness.
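To show what the Green/Red patch-status rule of thumb looks like in code, here is an added example of a small report builder. It is not Qualys BrowserCheck code; the plugin inventory and the table of minimum patched versions are constructed for illustration, and a real checker would read the installed plugins from the browser and the minimum versions from a vulnerability feed.

```javascript
// Added example, not Qualys BrowserCheck code: a patch-status report built on
// the Green/Red rule of thumb described above. The inventory and the table of
// minimum patched versions are constructed for illustration.

// Split "9.3.2" into [9, 3, 2]; missing or non-numeric parts count as 0.
function parseVersion(v) {
  return String(v).split(".").map(p => parseInt(p, 10) || 0);
}

// Numeric, component-wise comparison. A plain string comparison gets this
// wrong ("9.3.2" > "9.10.0" as strings), which would mark a stale plugin as patched.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Green: at or above the minimum patched version. Red: older than it.
function patchStatus(installed, minimumPatched) {
  return compareVersions(installed, minimumPatched) >= 0 ? "Green" : "Red";
}

// One report row per installed component; components without patch data are
// reported as "Unknown" rather than silently treated as safe.
function buildReport(inventory, minimumVersions) {
  return inventory.map(({ name, version }) => {
    const min = minimumVersions[name];
    if (min === undefined) {
      return { name, version, status: "Unknown", remedy: "no patch data; check the vendor site" };
    }
    const status = patchStatus(version, min);
    return { name, version, status, remedy: status === "Red" ? `update to ${min} or later` : "none" };
  });
}

// Names of the components the report marks Red.
function vulnerableComponents(report) {
  return report.filter(r => r.status === "Red").map(r => r.name);
}

// Constructed sample inventory (plugin names and versions are made up).
const SAMPLE_INVENTORY = [
  { name: "ExamplePDF Viewer", version: "9.3.2" },   // stale: 3 < 10 numerically
  { name: "ExamplePlayer", version: "10.1.0" },      // newer than the minimum
  { name: "ExampleToolbar", version: "1.0" },        // no patch data available
];

// Constructed minimum-patched-version table.
const SAMPLE_MINIMUMS = {
  "ExamplePDF Viewer": "9.10.0",
  "ExamplePlayer": "10.0.45",
};

console.log(JSON.stringify(buildReport(SAMPLE_INVENTORY, SAMPLE_MINIMUMS), null, 2));
```

The version comparison is the part worth copying: the sample viewer at 9.3.2 is older than 9.10.0, but a string comparison would call it newer and report it Green.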
Happy browsing with a secure browser :)

Thursday, June 10, 2010

Tabnabbing: All your tabs belong to me!!


Ever heard of the word "tabnabbing"? Well, I hadn't until a few days back. Guess what: a new word for the community and a new method of attack for the bad guys! It is a new phishing technique, unveiled by Aza Raskin, Creative Lead of Firefox, that exploits the weakest element in the chain: humans.

Well, since the introduction of tabbed browsing, most of us surf the web with multiple tabs open, because it is very convenient, and keep switching between them. You read the news, chat with friends, update your FB status, all in different tabs. Here comes the problem: since all the tabs were opened by us, we tend to trust them. It is not possible that the web page in one tab might have changed while we are browsing in another, right?

Wrong! As demonstrated by Aza, it is possible for an attacker to detect that you are viewing another tab and change the content of a particular tab to a phishing page. It happens relatively fast, so users won't normally notice the page being reloaded.

How Exactly Does the Hack Happen?
1. Someone sends you a link to a web page, say an article about the current job market, at your Gmail address.
2. You open that page in a tab; it looks like a legitimate article.
3. After giving it a quick read, you move to another tab to check the cricket score.
4. The attacker's page detects that you have navigated away and have not interacted with it for a while. It replaces the favicon with Gmail's, the title with "Gmail: Email from Google", and changes the page content to look like the Gmail login page.
5. As you scan through the open tabs, you see the familiar Gmail favicon and title and, without much doubt, enter your username and password, thinking you have been automatically signed out, which is a normal occurrence.
6. The credentials go to the attacker and you are redirected back to the real Gmail page.

Well, the attacker got what they wanted, and you have no clue! If the same username/password combination is reused for a bank, or if the attack is performed with a bank's login page, the victim's loss will be much greater.

Still not convinced? See the video and you will understand.


[The video is taken from Aza's original post, which you can see here]

So How Do We Fix It?
The attack relies on human psychology rather than any vulnerability in the software, which makes it difficult to prevent. Firefox is coming up with the Firefox Account Manager, which will protect users from this kind of attack and make logging into websites easier, or at least that is what they claim. Another method is to use NoScript to block all unnecessary scripts/Flash/Java on a web page, which will block not only this attack but a bunch of others too.
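Since the fixes above are either future work (Account Manager) or blunt (NoScript), here is an added example of what a detection-side countermeasure could look like: a "tab identity watcher" that flags a hidden tab whose title or favicon switches to a brand its own host does not own, exactly the swap in step 4 above. It is not code from the post, from Firefox or from NoScript. A real version would run in a browser extension content script, feeding `visibilitychange` events and MutationObserver records for `<title>` and `<link rel="icon">` into `analyzeEvents()`; here the event logs, the brand table and the host names are constructed for illustration.

```javascript
// Added example (not from the post, Firefox or NoScript): a tab identity
// watcher that models the defender side of the tabnabbing sequence above.
// The brand table, host names and event logs below are constructed.

// Brands worth protecting, keyed by the origins that legitimately own them.
// The hints are deliberately loose: a phishing page copies the visible
// identity (title text, favicon image), not the exact hostname.
const KNOWN_BRANDS = [
  { name: "Gmail", origins: ["mail.google.com"], title: /gmail/i, favicon: /google\.com\/.*favicon/i },
  { name: "Example Bank", origins: ["online.examplebank.test"], title: /example bank/i, favicon: /examplebank\.test\//i },
];

// True when host is the brand's origin or a subdomain of it.
function ownedBy(host, origins) {
  return origins.some(o => host === o || host.endsWith("." + o));
}

// Returns the brand that a (title, favicon) pair impersonates for a page
// served from `host`, or null when the identity is consistent with the host.
function impersonatedBrand(host, title, favicon) {
  for (const b of KNOWN_BRANDS) {
    if (ownedBy(host, b.origins)) continue;          // the page really is that brand
    if (b.title.test(title) || b.favicon.test(favicon)) return b.name;
  }
  return null;
}

// Walks the event log of one tab and returns an alert for every identity
// change made while the tab was hidden that impersonates a known brand.
// initial: { host, title, favicon } captured when the tab was last focused.
// events:  { t, type: "visibilitychange", hidden } or { t, type: "title" | "favicon", value }
function analyzeEvents(initial, events) {
  const state = { ...initial };
  let hidden = false;
  const alerts = [];
  for (const ev of events) {
    if (ev.type === "visibilitychange") {
      hidden = ev.hidden;
      continue;
    }
    if (ev.type !== "title" && ev.type !== "favicon") continue;
    const before = state[ev.type];
    state[ev.type] = ev.value;
    if (!hidden || before === ev.value) continue;   // visible edits and no-ops are not suspicious
    const brand = impersonatedBrand(state.host, state.title, state.favicon);
    if (brand !== null) {
      alerts.push({ t: ev.t, changed: ev.type, from: before, to: ev.value, impersonates: brand });
    }
  }
  return alerts;
}

// Constructed sample: the article tab from the scenario above.
const ARTICLE_TAB = {
  host: "jobs-article.example",
  title: "Job market outlook",
  favicon: "https://jobs-article.example/favicon.ico",
};

// Constructed log mirroring steps 3 and 4: the user leaves the tab, then the
// page swaps its favicon and title for Gmail's.
const TABNABBING_LOG = [
  { t: 0,    type: "visibilitychange", hidden: true },
  { t: 4000, type: "favicon", value: "https://mail.google.com/favicon.ico" },
  { t: 4010, type: "title",   value: "Gmail: Email from Google" },
];

// Constructed benign log: the same tab updates its own title while hidden
// (for example to show a counter), which must not be flagged.
const BENIGN_LOG = [
  { t: 0,    type: "visibilitychange", hidden: true },
  { t: 2000, type: "title", value: "(2 new) Job market outlook" },
];

function demo() {
  return {
    attack: analyzeEvents(ARTICLE_TAB, TABNABBING_LOG),
    benign: analyzeEvents(ARTICLE_TAB, BENIGN_LOG),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check deliberately keys on the host the tab was loaded from, not on what the page now looks like: a tab that was never on mail.google.com has no business showing Gmail's title or favicon, whereas the real Gmail tab changing its own title is ignored. Title changes on visible tabs are also ignored, since the attack depends on the swap happening while nobody is looking.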