{"id":1770,"date":"2009-09-09T08:46:55","date_gmt":"2009-09-09T07:46:55","guid":{"rendered":"http:\/\/www.itwriting.com\/blog\/1770-o2-router-attack-shows-danger-of-staying-logged-in.html"},"modified":"2009-09-09T08:46:55","modified_gmt":"2009-09-09T07:46:55","slug":"o2-router-attack-shows-danger-of-staying-logged-in","status":"publish","type":"post","link":"https:\/\/www.itwriting.com\/blog\/1770-o2-router-attack-shows-danger-of-staying-logged-in.html","title":{"rendered":"O2 router attack shows danger of staying logged in"},"content":{"rendered":"<p>Concerned about web security? One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session.<\/p>\n<p>Here\u2019s the reason. Let\u2019s say you are logged into some site \u2013 could be Facebook, or Google, or the <a href=\"http:\/\/www.guardian.co.uk\/technology\/blog\/2009\/sep\/08\/o2-router-remote-hacking-broadband\" target=\"_blank\">admin screen on your router<\/a>, and you\u2019ve left checked the option that says \u201ckeep me logged in\u201d. Then you visit some other site. The vast majority of web pages today run JavaScript code in the background, and these scripts execute on your computer, not on the web server. What if one of those scripts sends a request to a site where you are logged in? The request comes from your computer, so it looks like you to the web site. If you are unlucky, the script will be able to perform any action you could perform, but without your awareness \u2013 such as changing your password, or reading confidential information.<\/p>\n<p>For this hack to work, a couple of things need to have gone wrong:<\/p>\n<p>1. You are running a malicious script. This implies that the site you are visiting has been hacked, or has a vulnerability such as forum software which allows users to post content that might trigger a script. 
Even a link to an image in a forum post might be sufficient.<\/p>\n<p>2. The site where you are logged in doesn\u2019t make any additional checks on the source of the script. Although it is running on your computer, the HTTP request generally includes referrer data, revealing the URL of the page from which the script came. By checking this value, the site can figure out that there is something wrong. Another idea is to have unpredictable URLs for sensitive data.<\/p>\n<p>Still, you\u2019ll notice that neither of these things is under your control, whereas generally the option to log out of a site is under your control. Even that might not always be true &#8211; a developer could code a site without an option to log out \u2013 but that is unusual.<\/p>\n<p>The O2 attack <a href=\"http:\/\/www.guardian.co.uk\/technology\/blog\/2009\/sep\/08\/o2-router-remote-hacking-broadband\" target=\"_blank\">referenced above<\/a> exploits this flaw to get into your router admin, if you are running an O2-supplied broadband router. It is a huge vulnerability, since if the router is re-configured a wide range of further attacks are possible. One example is DNS poisoning, where familiar URLs might take you to malicious destinations. It could also disable firewall protection and redirect external requests to one of your home or small business PCs \u2013 very nasty.<\/p>\n<p>Here are a couple of things that will improve security:<\/p>\n<p>1. Don\u2019t use the broadband supplier\u2019s equipment, if it is not entirely under your control. Use your own; turn off Universal Plug and Play (UPnP), change the admin password, don\u2019t stay logged into the admin.<\/p>\n<p>2. Don\u2019t stay logged into any site which matters. Even sites which don\u2019t appear to matter can be a security risk, if they expose passwords or security questions that you use elsewhere, for example. 
Personally I always log out of Facebook, Google and Twitter, for example, even though sites like these should be aware of the risks and be coded appropriately \u2013 they mostly are, but <a href=\"http:\/\/www.theregister.co.uk\/2008\/05\/23\/facebook_xss_flaw\/\" target=\"_blank\">mistakes<\/a> <a href=\"http:\/\/status.twitter.com\/post\/95332007\/update-on-stalkdaily-com-worm\" target=\"_blank\">happen<\/a>.<\/p>\n<p>Unfortunately many sites encourage you to stay logged in, because it reduces the friction of using the site. Still, there are compromises which work. I notice with <a href=\"http:\/\/www.amazon.co.uk\" target=\"_blank\">Amazon<\/a> for example, that it uses cookies to give you personalized information even when not logged in, but displays password prompts with boring regularity for actions that spend money \u2013 though Amazon also advises you to <a href=\"http:\/\/www.amazon.co.uk\/gp\/help\/customer\/display.html?nodeId=1093784\" target=\"_blank\">log out completely if using a public or shared computer<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Concerned about web security? 
One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session. Here\u2019s the reason. Let\u2019s say you are logged into some site \u2013 could be Facebook, or &hellip; <a href=\"https:\/\/www.itwriting.com\/blog\/1770-o2-router-attack-shows-danger-of-staying-logged-in.html\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">O2 router attack shows danger of staying logged in<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,36,75,90,96],"tags":[],"class_list":["post-1770","post","type-post","status-publish","format-standard","hentry","category-facebook","category-google","category-security","category-twitter","category-web-authoring"],"_links":{"self":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/1770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/comments?post=1770"}],"version-history":[{"count":0,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/1770\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/media?parent=1770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/categories?post=1770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/tags?post=1770"}],"curies":[{"name":"wp","href
":"https:\/\/api.w.org\/{rel}","templated":true}]}}