<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; web security</title> <atom:link href="http://www.ghacks.net/tag/web-security/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Feature-Complete NoScript Add-on Now Available For Firefox Mobile</title><link>http://www.ghacks.net/2011/10/19/feature-complete-noscript-add-on-now-available-for-firefox-mobile/</link> <comments>http://www.ghacks.net/2011/10/19/feature-complete-noscript-add-on-now-available-for-firefox-mobile/#comments</comments> <pubDate>Wed, 19 Oct 2011 12:47:02 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[Google Android]]></category> <category><![CDATA[Mobiles]]></category> <category><![CDATA[Nokia]]></category> <category><![CDATA[firefox add-ons]]></category> <category><![CDATA[noscript]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51675</guid> <description><![CDATA[If there is one Firefox add-on that I don&#8217;t want to live without it is the NoScript extension. It is a security add-on that will block all scripts by default which are one of the main attack vectors on today&#8217;s Internet. Users can whitelist scripts on specific domains temporarily, e.g. for a browsing session, or [...]]]></description> <content:encoded><![CDATA[<p>If there is one Firefox add-on that I don&#8217;t want to live without, it is the NoScript extension. It is a security add-on that blocks all scripts by default; scripts are one of the main attack vectors on today&#8217;s Internet. Users can whitelist scripts on specific domains temporarily, e.g. for a browsing session, or permanently.</p><p>A side effect of this is that most advertisements and other script-driven objects and elements will be blocked by the extension as well.</p><p>NoScript offers more than just script blocking and whitelisting though. It comes with additional modules to enforce HTTPS usage, Cross-Site Scripting filters, Clickjacking protection and a firewall-like component that the developer calls Application Boundaries Enforcer.</p><p>The developer of NoScript has been working for quite some time on a Firefox Mobile port of the extension. The recently released NoScript 3 Alpha 9 version is the first feature-complete version of the security add-on for Firefox Mobile on Android and Maemo devices.</p><p>NoScript Mobile in particular offers the following major security features of the desktop version of the add-on:</p><ul><li>Domain-based content permission management for scripts</li><li>Anti-XSS (cross-site scripting) filtering options</li><li>Clickjacking protection called ClearClick</li><li>The web application firewall App Boundaries Enforcer</li></ul><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/10/noscript-firefox-mobile.jpg" alt="noscript firefox mobile" title="noscript firefox mobile" width="236" height="381" class="alignnone size-full wp-image-51676" /></p><p>NoScript Mobile furthermore introduces permission presets that can be configured after installation and later on in the extension&#8217;s options.</p><p>The developer has added four different permission presets to the add-on.</p><ul><li>Easy Blacklist &#8211; The user picks the sites on which JavaScript and plugins are blocked</li><li>Click to Play &#8211; Plugins are automatically blocked until activated with a click by the user</li><li>Classic Whitelist &#8211; The standard setting of NoScript for desktop Firefox versions. Blocks all scripts automatically and will only run whitelisted scripts.</li><li>Fortress &#8211; Like the Classic Whitelist setting, but all content is blocked even on whitelisted sites until clicked on.</li></ul><p>Another interesting feature that will be implemented eventually is the ability to synchronize NoScript settings between desktop and mobile versions.</p><p>Users interested in running NoScript on mobile devices can download the latest version <a
href="http://noscript.net/nsa/">from the</a> NoScript Anywhere project website.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/19/feature-complete-noscript-add-on-now-available-for-firefox-mobile/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>How Web Accounts Get Hacked</title><link>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/</link> <comments>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/#comments</comments> <pubDate>Tue, 19 Apr 2011 07:29:12 +0000</pubDate> <dc:creator>Ryan D. Lang</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Email]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[web accounts]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44094</guid> <description><![CDATA[Hacking into an e-mail, Facebook, or other account is often a crime of opportunity. That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password. For those that have had their account compromised in the past, one of these methods [...]]]></description> <content:encoded><![CDATA[<p>Hacking into an e-mail, Facebook, or other account is often a crime of opportunity.  That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password.  For those that have had their <a
href="http://www.ghacks.net/2011/04/11/what-to-do-when-your-email-account-is-compromised/">account compromised</a> in the past, one of these methods could have been used to get your password.</p><p>The following is a short list of simple things you may not think about.  In each, an opportunity is created&#8230; one you want to avoid.  The idea is to tell you what not to do and why.  Some advanced methods, like <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing</a>, are a bit more complicated than what is covered here.</p><h3>1. Recovery E-mail Accounts Can Expire</h3><p>A recovery e-mail account is a method a lot of systems use to help you get back into an account that you have lost the password for.  This could be for a site like Facebook or for another e-mail account like Gmail.  The idea is simple.  You ask the site to send you your password (some will just reset it).  The site says: &#8220;Sure, it&#8217;s been e-mailed to you.&#8221;  As long as you have access to that other account, you are just fine and dandy.</p><p>Check your recovery e-mail account every three months or so.  If you do not, the account may be deleted.  Someone else can now claim it.  If someone claims that account accidentally and you reset your password, then you just lost control of your main account.  If it was on purpose, then the next step is to simply go through the password recovery process.</p><p>My advice is to check this account before reading any further if you have not done so recently.  This is the one tip that I found I had not followed when I heard about it.  Fortunately, I grabbed the accounts back before someone else did.</p><h3>2. Avoid Duplicate Passwords</h3><p>An easy way to get hacked is to give a site your e-mail address and then use the same password at that site.  The same goes if you use the same user name and password at two or more sites.  If the site does not encrypt the password, then there is a huge problem.  Anyone who works for the site and has access to this information (or gains it) now has everything they need to log in to your account.  While most sites protect passwords, there are still ways for employees to get them.  Attacks <a
href="http://www.pcworld.com/article/9673/most_hacks_are_inside_jobs.html">from within</a> a company are actually the most common.  At the least, use a different password for your e-mail account than for everything else.</p><h3>3. Beware Onlookers</h3><p>Pay attention to your surroundings.  A person standing behind you as you sign in to a website may not be as casual as they seem.  In an age where so many phones and MP3 players can record video, they don&#8217;t even need to be facing you.  If a person sees you enter your password, there is a good chance they can remember it.</p><h3>4. Use Public Computers Differently</h3><p>Watch the settings you use on public computers and always remember to sign out.  Be sure to double check this.  Most of us have formed habits from using personal computers.  We often leave that little &#8220;Remember me&#8221; box checked underneath the sign-in box.  Some may click &#8220;Yes&#8221; to &#8220;Do you want to save this password?&#8221; after they log in.  Forgetting to click &#8220;log off&#8221; when a session is finished is commonplace.  This is convenient when it is a personal machine, but disastrous on a public machine.  Your account is now as easy for someone else to get into as if it was their own personal machine.  There are ways to <a
href="http://www.ghacks.net/2010/12/02/bulletspassview-reveal-hidden-passwords/">steal passwords</a> that are saved too.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/remember-password.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/remember-password.jpg" alt="remember password" title="remember password" width="294" height="303" class="alignnone size-full wp-image-44095" /></a></p><h3>5. Only Use Trustworthy Computers</h3><p>Trust the computer you are using as much as you trust the owner.  By trust, I refer to both the integrity and the aptitude of the person.  For a person who lacks integrity, they may intentionally have software running that records what keys you press (called a &#8220;keylogger&#8221;).  Companies in the U.S. can legally install them on any computer they own.  For a person who lacks aptitude, they may unknowingly have <a
href="http://www.ghacks.net/2009/09/29/scan-and-detect-spyware-and-suspicious-files-in-windows/">spyware</a> on their machine.  Spyware can sometimes have the same abilities as a <a
href="http://www.ghacks.net/2007/01/09/perfect-keylogger-lite/">keylogger</a>.  In either case, once you use that computer to quickly check your Facebook, your account is compromised.  If you used that password for your e-mail or banking, you have a larger problem.</p><h3>6. Avoid Commonly Used Passwords</h3><p>Do not use the name of your pet, child, team, favorite color, date, etc. as a password.  Never use &#8220;password&#8221; as a <a
href="http://www.ghacks.net/2010/08/11/how-secure-is-a-password/">password</a>.  Too many people use &#8220;123456&#8221; (at least at <a
href="http://www.ghacks.net/2009/10/09/leaked-hotmail-password-data-analysis/">hotmail</a> and <a
href="http://www.ghacks.net/2010/01/21/rockyou-hacked-some-30-million-passwords-in-the-wild-security/">rockyou</a>).  All of these are easy to guess.  A <a
href="http://www.ghacks.net/2010/06/12/how-quickly-can-your-password-be-cracked/">cracking</a> tool is not required to figure them out.</p><h3>7. Guard Written Passwords</h3><p>If you choose to write down a password, protect it like your life savings.  Would you leave twenty-dollar bills sitting around?  Your password is much more valuable than that if it is used for your bank account.  Nevertheless, I see passwords sitting out in the open.  It is not a bad idea to never write down your passwords, but the problems of that are obvious.  There is no shame in writing them down, but keep them in a safe place&#8230; I&#8217;m thinking a safety deposit box at the bank.</p><h3>Closing</h3><p>In summary, while most of this stuff is common sense, I hope to help a few people avoid having their <a
href="http://www.ghacks.net/2011/04/11/what-to-do-when-your-email-account-is-compromised/">accounts compromised</a>.  Whether a person is just curious, or they have been a victim of the experience, it is only natural to ask how these things happen.</p><p>Lastly, remember the first rule of passwords: don&#8217;t ever give them out or share them!</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>Dropbox Insecure?</title><link>http://www.ghacks.net/2011/04/13/dropbox-insecure/</link> <comments>http://www.ghacks.net/2011/04/13/dropbox-insecure/#comments</comments> <pubDate>Wed, 13 Apr 2011 09:18:29 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[cloud storage]]></category> <category><![CDATA[config.db]]></category> <category><![CDATA[dropbox]]></category> <category><![CDATA[online backup]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43854</guid> <description><![CDATA[The article Dropbox authentication: insecure by design by Derek Newton got quite the press in the past week or so. So what exactly did he find out to come to this conclusion? Dropbox creates a config.db file in the main application data folder, a SQLite database file that can be edited with programs that can [...]]]></description> <content:encoded><![CDATA[<p>The article Dropbox authentication: insecure by design by <a
href="http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/">Derek Newton</a> got quite the press in the past week or so. So what exactly did he find out to come to this conclusion? Dropbox creates a config.db file in the main application data folder, a SQLite database file that can be opened and edited with any SQLite editor. That file is used to identify the device to the Dropbox account. Derek&#8217;s main discovery is that the file is completely portable. You can copy it to another computer, install Dropbox there, and the files of the original user will automatically be synchronized to that new computer without any authentication whatsoever.</p><p>This happens completely in the background. The attacker does not have to enter the account credentials to initiate the synchronization. The original user furthermore will not be notified about the transfers, and the new device will not be added to the list of allowed devices in the Dropbox account settings.</p><p>To make matters worse, there is only one option to block the attacker from synchronizing and downloading files from the original user&#8217;s Dropbox: removing the original device from the list of authorized devices in the Dropbox account. But for that, the owner needs to know that the computer was compromised. Changing the account password <strong>does not</strong> invalidate the config.db file; it can still be used to synchronize data.</p><p>One could say that the original user has other problems if someone managed to get access to the computer, and that&#8217;s definitely true. With that access, one could easily transfer data from the local Dropbox folder, access mounted TrueCrypt volumes or access other files like mailboxes that the user has access to.</p><p>It does not however make it less worrying that the reliance on config.db for authentication is inherently weak. 
One step in the right direction would be to implement safeguards, for instance by linking the file to the system it has been authorized on, and by using a notifications system to inform the user of new devices that have established a connection with the Dropbox account.</p><p>You can check for unauthorized access manually on the Dropbox website, but there is no notifications option available. And even then, the attacker&#8217;s device would not appear in the list of devices.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/dropbox-access.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/dropbox-access-550x258.png" alt="dropbox access" title="dropbox access" width="550" height="258" class="alignnone size-medium wp-image-43855" /></a></p><p>But what about encryption? If you encrypt your Dropbox data you are safe, right? Encryption is not really an option either, considering that an attacker who got local access to a computer system could very well have the means to capture the decryption passphrase on the local system. And it would render the file and folder sharing on Dropbox useless.</p><p>So what is it that you can do right now? You could for instance make sure that you do not host important files on your Dropbox, and if you do, you should consider encryption as it adds another layer of protection around the Dropbox files. But as we mentioned earlier, it is not a complete safeguard.</p><p>You could also start monitoring the config.db file or try to change the permissions of the file so that it cannot be accessed by standard system users.</p><p>The underlying insecurity, as rare as its exploitation may be, needs to be fixed by Dropbox. You can read <a
href="http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/">Derek&#8217;s</a> article and several interesting comments on his personal website.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/13/dropbox-insecure/feed/</wfw:commentRss> <slash:comments>27</slash:comments> </item> <item><title>URL X-Ray, Reveal URL Shortener Link Destinations</title><link>http://www.ghacks.net/2011/03/30/url-x-ray-reveal-url-shortener-link-destinations/</link> <comments>http://www.ghacks.net/2011/03/30/url-x-ray-reveal-url-shortener-link-destinations/#comments</comments> <pubDate>Wed, 30 Mar 2011 07:51:36 +0000</pubDate> <dc:creator>Matt Newell</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[url shortener]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=43219</guid> <description><![CDATA[If you have ever had your browser and your computer hijacked, it can be one of the most unpleasant experiences. This sort of problem will take a lot of hours for you to clean up, and if it&#8217;s really bad, it can take days, and sometimes a loss of precious money and unrecoverable data. As [...]]]></description> <content:encoded><![CDATA[<p>If you have ever had your browser and your computer <a
href="http://www.microsoft.com/security/resources/hijacking-whatis.aspx">hijacked</a>, it can be one of the most unpleasant experiences. This sort of problem will take a lot of hours for you to clean up, and if it&#8217;s really bad, it can take days, and sometimes a loss of precious money and unrecoverable data.</p><p>As an IT Security professional, I know what you need to be one step ahead of the cretins out there who are trying to scam you and the rest of the online world. The web has become a security and privacy nightmare, and I would like to help you navigate just a bit more safely.</p><p>Most recently I was selling an item on Craigslist. This was honestly my first time doing so and I was astounded at the number of scammers sending me replies to my ad which also contained masked URLs using URL shorteners from services such as <a
href="http://en.wikipedia.org/wiki/Bit.ly">Bitly</a>, and <a
href="http://tinyurl.com/">Tiny URL</a>.</p><p>One click on these links will turn your perfectly good day into a rotten one. So the next time anyone sends you a shortened URL and you are suspicious as to what is lying behind that URL mask, try out: <a
href="http://urlxray.com/">URL X-Ray</a>.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/03/url-xr-ray.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/03/url-xr-ray.png" alt="url xr-ray" title="url xr-ray" width="463" height="287" class="alignnone size-full wp-image-43220" /></a></p><p>You can check links right on the site or make use of the bookmarklet that makes the process a bit more comfortable. It&#8217;s okay to not trust every web link that is sent to you. Generally, after I find out the real web link and it still looks sketchy but the curiosity is getting the best of me, I must refrain from letting gullibility take over.</p><p>Scanning the actual URL is the very next step. There&#8217;s only one option for you on this dilemma. You can use the <a
href="http://www.mywot.com/">Web of Trust</a> WOT add-in for your browser. These days I have graduated to the WOT add-in for my Chrome browser (also works in Firefox). You can also go to their website and enter the URL, and you get a short, sweet, easy-to-understand report as to what is on the site before you access the website and face potential dangers.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/03/web-of-trust.png"><img
src="http://www.ghacks.net/wp-content/uploads/2011/03/web-of-trust-550x220.png" alt="web of trust" title="web of trust" width="550" height="220" class="alignnone size-medium wp-image-43221" /></a></p><p>The four-step ranking system is great in my opinion. The other part that I really like about the system in place is that other users of WOT are able to contribute as well. So the reliability is based on everyone&#8217;s input and not just some corporate husk trying to package a product that is only half decent if at all. Let&#8217;s recap: there are two things you must have in your toolbox for keeping your computer and online reputation out of harm&#8217;s way when online. Find out what web link you were sent in the first place with URL X-Ray, and then scan the site before you access it by employing the WOT toolbar/plugin or the actual website to get the full report of the site&#8217;s content.</p><p>Web of Trust is not the only service offering to scan a website and give you an assessment of its online standing. Alternative tools include <a
href="http://safeweb.norton.com/">Norton Safe Web</a> and <a
href="http://www.avg.com.au/resources/web-page-scanner/">AVG Web Page Scanner</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/03/30/url-x-ray-reveal-url-shortener-link-destinations/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Google Code University</title><link>http://www.ghacks.net/2008/03/19/google-code-university/</link> <comments>http://www.ghacks.net/2008/03/19/google-code-university/#comments</comments> <pubDate>Wed, 19 Mar 2008 13:47:30 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Google]]></category> <category><![CDATA[Knowledge]]></category> <category><![CDATA[Online Services]]></category> <category><![CDATA[ajax]]></category> <category><![CDATA[coding]]></category> <category><![CDATA[distributed systems]]></category> <category><![CDATA[google code]]></category> <category><![CDATA[languages]]></category> <category><![CDATA[university]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2008/03/19/google-code-university/</guid> <description><![CDATA[Google Code University is an excellent resource for Computer Science students and programmers in general. All videos and Powerpoint presentations published at the University are released under Creative Commons. Four different kinds of courses are available right now, they are Ajax Programming, Distributed Systems, Web Security and Languages.]]></description> <content:encoded><![CDATA[<p><a
href="http://code.google.com/edu/">Google Code University</a> is an excellent resource for Computer Science students and programmers in general. All videos and PowerPoint presentations published at the University are released under Creative Commons. Four different kinds of courses are available right now: Ajax Programming, Distributed Systems, Web Security and Languages.</p><p>Each section is divided into two subsections that link to the presentations and videos. The PowerPoint presentations have to be downloaded to your computer while the videos are embedded on the website itself. Most tutorials on the website are clearly aimed at users with some background knowledge.</p><p>If you take a look at the C++ tutorials in the Languages section, for instance, you see that they are not beginner tutorials. The first tutorial is named C++ Threads, while the second and last is named New Features in the Next C++ Standard. Nothing a beginner to C++ programming would want to start with.</p><p><span
id="more-3557"></span>The videos, however, are excellent; the C++ Threads video, for instance, has a playtime of 1 hour 29 minutes. Strangely, though, the other video, which was hosted on YouTube, is not available anymore; it is the only video that was not available. All other videos were hosted on Google Video and ran fine.</p><p>The website has a Curriculum Search as well, which should help you find teaching material. It&#8217;s basically a custom Google search.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/03/19/google-code-university/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
