OFFICIAL SECURITY BLOG
October 24, 2013 | BY Adam Kujawa
Don’t get me wrong, I love Chrome. I think it’s a fantastic browser and has a great track record of protecting users from exploits and malicious sites. However, their attempts at making it “easier” for users to find where they want to go make me think that their security purview isn’t focused enough on the internal threats.
So, if you use Chrome, you might have noticed that anytime you open up a window or a new tab, you get something like this:
A nice search bar, which I have no problem with, and then a listing of your most visited sites. Now, to the casual observer I am sure there is nothing wrong here. Users visit certain sites more frequently and therefore it should be easy for them to get there quickly, and Chrome makes this possible.
Consider, if you will, someone who you don’t know, getting on your system or even looking over your shoulder. Maybe they cracked your system’s login password, or maybe you didn’t have one at all. Once they open the browser, they are instantly given access to not only your personal surfing habits, but also how you interact with social media, email and where you bank.
If you were in an office environment and left your desk quickly to use the restroom, a stranger or co-worker could hop onto your system and open up one of the commonly visited sites that you might still be logged into.
They can do this just by opening a new tab and thereby cause all kinds of havoc.
The above screenshot shows a scenario where you could easily tell that this person banks with Bank of America and based on that information alone, an attacker or even just someone nosey could create a profile on you.
They could also see that this person spends a LOT of time on Reddit, Buzzfeed and Amazon. Using a spear phishing attack against this person would be easy if an attacker masked their identity as the Admin at Buzzfeed or some reseller at Amazon.
This information could be used against you without even having access to your system, just walking by while you were opening a new tab.
So how do you get rid of this potential threat?
We have all heard for many years how important it is to clear out browsing data, be it your history, temp internet files, etc. However, the browser vendors never make it easy, as they seem to frequently change around where they put the option to accomplish such a task. So, here is a step-by-step tutorial on it:
Without your browsing data, Chrome won’t be able to populate the start page with anything meaningful. To do this, simply click on the icon to the right of the URL bar and select ‘Settings’.
Next, scroll to the bottom of the settings tab and select ‘Show Advanced Settings’.
After that, go ahead and scroll down to the Privacy section and click on “Clear Browser Data”.
I highly recommend deleting EVERYTHING from THE BEGINNING OF TIME, but that is just me. You should be good just deleting your browsing history, download history, cookies and plug-in data and emptying the cache. I still recommend from THE BEGINNING OF TIME, though.
After you restart your browser, you should no longer have any sign of your browser habits apparent on the start screen:
If the first method is too time-consuming and you would rather just not bother with it every time you decide to surf the web, try the second method.
My second and greatest recommendation is to use a special extension for your browser that can redirect you to any page you want when you open a new tab. To do this, go back to the settings tab and on the left side click on “Extensions”, then “Get More Extensions”, and a new tab should open up. From there, type “New Tab Redirect” into the search bar at the top left of the page.
In the “Extensions” search listing, you should find an entry for “New Tab Redirect”. Go ahead and install that by clicking on the blue “+ Free” button to the right of it.
Once the extension is done installing, it will open up a page that gives you the chance to modify the extension’s Options. Click on that and at the top of the page you will be given the chance to type in any website you want to open when you open a new tab.
In the example above I present a pretty decent option for you. ;P Though you could easily just type in ‘google.com’. Once done, restart your browser and from now on, when you open a tab, all you will see is your custom defined page.
So Chrome has a special “mode” that it can go into that saves no information whatsoever to your system when you visit websites and it is accessible by pressing Ctrl+Shift+N in Windows or ⌘-Shift-N on a Mac.
This mode is a great option if you want to go unnoticed on the net; however, it doesn’t protect against human behavior, and therefore Google provided a list of possible threats that Incognito mode won’t save you from.
We use technology in every aspect of our lives these days, and with that benefit and privilege comes a responsibility on our part to keep things private and secure from wandering eyes or malicious forces.
There are of course numerous other methods of protecting your browsing habits from wrongdoers, and if you were targeted by a remote access trojan, such as BlackShades, it would be a matter of just a few clicks to determine where you go the most, and a few more to determine your credentials.
Still, using common security practices, like the one described in this blog post, will keep you safe from the people who are bordering on malicious or just bored.
Thanks for reading and safe surfing! DFTBA!