The eli4d Gazette – Issue 065: NPM’s JavaScript Report and Firefox Monitor

NPM’s JavaScript Report

I mentioned the amazing 2018 State of JavaScript report in the last issue. Right on the heels of this report, NPM came out with its own survey results.

It’s interesting to compare NPM’s survey results with the 2018 State of JavaScript report. It is also important to keep in mind that NPM is a private company whose goal is to enhance and increase the usage of its services (nothing wrong with that, but it’s important to know which grains of salt to use).

Some related information:

Firefox Monitor: A way to check if your email address was part of a data breach

A recent episode of Security Now mentioned Firefox Monitor (Mozilla’s service is backed by the Have I Been Pwned breach database). It is well worth checking your email address(es) against sites that have been breached. I checked Monitor with an email address that I’ve used for over a decade and discovered that it was part of 4 data breaches.

Firefox Monitor also gives you some great advice regarding breach related next actions (from the site):

  1. Change your passwords, even for old accounts: If you can’t log in, contact the website to ask how you can recover or shut down the account. See an account you don’t recognize? The site may have changed names or someone may have created an account for you.

  2. If you reuse an exposed password, change it: Hackers may try to reuse your exposed password to get into other accounts. Create a different password for each website, especially for your bank account, email and other websites where you save personal information.

  3. Take extra steps to secure your financial accounts: Most breaches only expose emails and passwords, but some do include sensitive financial information. If your bank account or credit card numbers were included in a breach, alert your bank to possible fraud, and monitor statements for charges you don’t recognize.

  4. Get help creating good passwords and keeping them safe: Password managers like 1Password, LastPass, Dashlane, and Bitwarden generate strong passwords, store them securely, and fill them into websites for you.

Recently Finished Reading

I just finished “Forging Zero”…sigh. I so wanted this independent author to be awesome. The story is similar to taking five extremely different boxes of different jigsaw puzzles and mixing them all in one big jumble. The book had some excellent descriptions of aliens, but the coming-of-age story combined with military grind was exhausting, and the stuttering plot lines kept kicking me out of the story. I ground through the finish but (unfortunately) I won’t be reading any more stories from this author.


Thoughts? Feedback? Let me know: @eli4d on Twitter


The eli4d Gazette – Issue 024


Issue 024: 2017-03-01

Tech Pick

It’s coming up on tax season, which in turn means emailing documents with sensitive data (or potentially doing that). My favorite^1000 security podcast (Security Now) covered two simple approaches to encrypting this data:

Media Pick

I found the latest episode of Exponent (episode 105) to be an eye-opening examination of Mark Zuckerberg’s manifesto, as well as the implications for Facebook and the world through this document.


Thoughts? Feedback? Let me know: @eli4d on Twitter


PS: If you’re interested in learning PHP – I’m teaching an online class this coming spring

Tidbit: Disable Adobe Flash on your browser

This is some quick security information about the Adobe Flash browser plug-in. The usual disclaimers apply. If you’re worried that this page has links that may lead you to malware sites, then just go to DuckDuckGo (type https://duckduckgo.com into your browser) or Google and search for the items I’m referring to.

The Analogy

You’re camping in the woods with your family and some friends, and your prankster friend John gives you a bottle of suntan lotion, telling you that it’s the best stuff he’s ever used (he hasn’t pulled a prank in a long time, so you’re lulled into a sense of trust). Unbeknownst to you, John replaced 75% of the suntan lotion with pure honey.

You slather the stuff on and lie back in the camping chair to soak up the sunshine, drifting into a nice midday nap. An hour later you wake up with a stinging pain all over your arms and legs, the very places where you put that honey-laced suntan lotion. Bees are stinging you, and all kinds of bugs are chewing on you and that wonderful-smelling lotion. You run screaming into the questionably clean camp showers as you vow to give John some payback.

As you scrub off the lotion you discover….

Who

Adobe Flash and you.

What

Adobe Flash is the honey from the analogy, and the stinging bees and bugs are all the attackers who want your data (personal information, login credentials for your online bank account, and anything else that might be of value). Adobe Flash is an old technology that at one point provided rich media when browsers didn’t have good native capabilities for it (web games, video such as YouTube, or those graphical billboard-like ads).

Technology has marched forward while Adobe Flash has become a sweet target for malicious entities on the Internet. All of the rich media that Adobe Flash provided at one point can now be done through standard non-proprietary technologies: HTML5, JavaScript, and CSS (in other words – the stuff that already comes built in with the browser).

Steve Jobs wrote a very scathing and clear letter about Flash’s problems. His criticisms of Adobe Flash are as relevant today as they were in 2010. Although he focused on its use on mobile devices, the problems he outlined apply to Adobe Flash and its ilk across the board.

Where

Your browser. Any browser that you are using regardless of operating system (whether it is on Mac, Windows or Linux).

When

Now. You are vulnerable right now.

While Adobe Flash has had a continuous string of security issues, several zero-day vulnerabilities in it recently came to light through the July 2015 hacking of an Italian company called Hacking Team.

Why

You need to deal with Adobe Flash in order to reduce your attack surface: it is a HUGE attack vector.

How

You need to learn to practice computer hygiene (just like flossing):

  1. Update your operating system with the latest patches
  2. Update your browser to the latest version (this page also seems to have good procedures for updating, but be careful and wary of anything you read on the web, including the page you are currently reading 🙂 )
  3. Enable ‘click to play’ for Flash. This prevents Flash content from running automatically and lets you play it on demand if you really have to, though most of the time you won’t need to.
    • Note that the latest version of Firefox does this for you, but to be safe you should still make sure that Flash is not enabled by default.
    • You can tell whether Adobe Flash is running by going to Adobe’s site (). If you see a spinning cube bouncing around at the top of your screen, then Flash is enabled by default.
  4. Look at the plug-ins in your browser and remove anything that isn’t necessary. Spring cleaning time on the web is every day. Adobe Flash is the current poster child for browser plug-in security problems, but there are plenty of other browser plug-in parasites. To remove browser plug-ins check:
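If you would rather check from the developer console than by eyeballing Adobe’s spinning cube, the script below is an added example (mine, not from the original post or from Adobe) that asks the browser what it advertises to page scripts and scans a page’s markup for the tags that would load Flash. In a real browser you would call flashStatus(navigator) and findFlashEmbeds(document.documentElement.outerHTML); the navigator-like object and the HTML it runs on here are constructed samples (illustrative values, not captured from a browser) so the file also runs under Node. One caveat: "installed" means the plug-in is registered, which is not the same as "runs automatically". Under click-to-play the plug-in can still show up in navigator.plugins, so the behavioural test on Adobe’s site remains the final word. (Adobe ended Flash support at the end of 2020, so on a current browser both checks should come back empty.)

```javascript
// Added example: is Flash exposed to page scripts, and what on this page
// would load it? Not code from the original post.

const FLASH_MIME = "application/x-shockwave-flash";
// Well-known ActiveX class id for Flash Player, used by old IE-style <object> tags.
const FLASH_CLASSID = "D27CDB6E-AE6D-11cf-96B8-444553540000";

// Returns { installed, version } from what the plug-in registry advertises.
// "installed" only means the browser lists Flash for scripts; under
// click-to-play it may still be listed but will not run until clicked.
function flashStatus(nav) {
  const plugins = Array.from((nav && nav.plugins) || []);
  const mimeTypes = Array.from((nav && nav.mimeTypes) || []);

  const plugin = plugins.find((p) => /shockwave flash/i.test(p.name || ""));
  const mime = mimeTypes.find((m) => m.type === FLASH_MIME);

  if (!plugin && !mime) {
    // Old Internet Explorer exposes Flash through ActiveX rather than
    // navigator.plugins; this branch is a no-op everywhere else.
    if (typeof ActiveXObject !== "undefined") {
      try {
        new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
        return { installed: true, version: null };
      } catch (e) {
        /* not installed */
      }
    }
    return { installed: false, version: null };
  }

  // NPAPI/PPAPI browsers describe the plug-in as "Shockwave Flash 18.0 r0";
  // normalise that to "major.minor.revision".
  const desc = plugin ? plugin.description || "" : "";
  const m = /(\d+)\.(\d+)(?:\s*r(\d+))?/.exec(desc);
  const version = m ? `${m[1]}.${m[2]}.${m[3] || "0"}` : null;
  return { installed: true, version };
}

// Returns the <object>/<embed> tags in an HTML string that would instantiate
// Flash: Flash MIME type, Flash class id, or a .swf source. Handy for seeing
// why a page keeps nagging you to "enable Flash".
function findFlashEmbeds(html) {
  const tagRe = /<(object|embed)\b[^>]*>/gi;
  const typeRe = new RegExp(`type\\s*=\\s*["']?${FLASH_MIME}`, "i");
  const classRe = new RegExp(`classid\\s*=\\s*["']?clsid:${FLASH_CLASSID}`, "i");
  const swfRe = /(src|data)\s*=\s*["']?[^"'\s>]+\.swf\b/i;
  const hits = [];
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[0];
    if (typeRe.test(tag) || classRe.test(tag) || swfRe.test(tag)) hits.push(tag);
  }
  return hits;
}

// Constructed sample of navigator.plugins / navigator.mimeTypes with Flash
// registered (values are illustrative, not captured from a real browser).
const SAMPLE_NAV_WITH_FLASH = {
  plugins: [
    { name: "Shockwave Flash", description: "Shockwave Flash 18.0 r0" },
    { name: "PDF Viewer", description: "Portable Document Format" },
  ],
  mimeTypes: [{ type: FLASH_MIME, suffixes: "swf" }],
};
const SAMPLE_NAV_CLEAN = { plugins: [], mimeTypes: [] };

// Constructed sample page: two Flash embeds, one HTML5 video, one PDF embed.
const SAMPLE_HTML = `
<html><body>
<object classid="clsid:${FLASH_CLASSID}" width="300" height="250">
  <param name="movie" value="ad.swf">
</object>
<embed src="player.swf" type="application/x-shockwave-flash">
<video src="clip.mp4" controls></video>
<embed src="doc.pdf" type="application/pdf">
</body></html>`;

function main() {
  console.log("with Flash:", flashStatus(SAMPLE_NAV_WITH_FLASH));
  console.log("clean:", flashStatus(SAMPLE_NAV_CLEAN));
  console.log("Flash embeds:", findFlashEmbeds(SAMPLE_HTML));
}
main();
```

Paste the two functions into the console of a page that asks for Flash and run flashStatus(navigator) followed by findFlashEmbeds(document.documentElement.outerHTML): the first tells you whether the plug-in is even registered, the second lists the exact tags that want it, which is usually an ad or a video player that has an HTML5 equivalent.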

Conclusion

If you want perfect safety, then you need to shut off your Wi-Fi and disconnect any Ethernet cables from your computer (if applicable). Do what you can, and let’s be careful out there.