Category Archives: security

Anti-virus software continues to fail

I received an email from Trusteer noting that anti-virus detection rates for the latest Zeus variant are very low. This analysis shows that at the time of writing only Panda, among the major anti-virus products, picks it up. Does this mean we should all switch to Panda? No, because next time it will be one of the others that works, or none of them will work. You can only sympathise with users who imagine they are protected from malware because they have security software installed which tells them so.

The solution? Well, white-listing, visiting only trusted web sites, not opening attachments, keeping your OS fully patched, and so on. None of them perfect.

Alternatively, a new model of computing. One of the attractions of locked-in platforms like Apple’s iPhone and iPad is that they are harder to infect. Google’s forthcoming Chrome OS is even better designed from a security perspective. I am surprised that this aspect of cloud+device computing does not get more attention.

Setting up RemoteApp and secure FTP on Windows

I spent some time setting up RemoteApp and secure FTP for a small business which wanted better remote access without VPN. VPN is problematic for various reasons: it is sometimes blocked by public or hotel wifi providers, it is not suitable for poor connections, performance can be poor, and it means constantly having to think about whether your VPN tunnel is open or not. When I switched from connecting Outlook over VPN to connecting over HTTP, I found the experience better in every way; it is seamless. At least, it would be if it weren’t for the connection settings bug that changes the authentication type by itself on occasion; but I digress.

Enough to say that VPN is not always the best approach to remote access. There’s also SharePoint of course; but there are snags with that as well – it is powerful, but complex to manage, and has annoyances like poor performance when there are a large number of documents in a single folder. In addition, Explorer integration in Windows XP does not always work properly; it seems better in Vista and Windows 7.

FTP on the other hand can simply publish an existing file share to remote users. FTP can be horribly insecure; it is a common reason for usernames and passwords to be passed in plain text over the internet. Fortunately Microsoft now offers an FTP service for IIS 7.0 that can be configured to require SSL for both password exchange and data transmission. I would not consider it otherwise. Note that this is different from the FTP service that ships with the original Server 2008; if you don’t have 2008 R2 you need a separate download.

So how was the setup? Pretty frustrating at the time; though now that it is all working it does not seem so bad. The problem is the number of moving parts, including your network configuration and firewall, Active Directory, IIS, digital certificates, and Windows security.

FTP is problematic anyway, thanks to its use of multiple ports. Another point of confusion is that FTP over SSL (FTPS) is not the same thing as Secure FTP (SFTP); Microsoft offers an FTPS implementation. A third issue is that neither of Microsoft’s FTP clients, Internet Explorer or the FTP command-line client, supports FTP over SSL, so you have to use a third-party client like FileZilla. I also discovered that you cannot (easily) run an FTPS client behind an ISA Server firewall, which explained why my early tests failed.

Documentation for the FTP server is reasonable, though you cannot find all the information you need in one place. I also found the configuration perplexing in places. Take this dialog for example:

[image: the FTP Firewall Support dialog in IIS Manager]

The Data Channel Port Range is disabled with no indication why – the reason is that you set it for the entire IIS server, not for a specific site. But what is the “External IP Address of Firewall”? The wording suggests the public IP address; but the example suggests an internal, private address. I used the private address and it worked.

As for RemoteApp, it is a piece of magic that lets you remote the UI of a Windows application, so it runs on the server but appears to be running locally. It is essentially the same thing as remote desktop, but with the desktop part hidden so that you only see the window of the running app. One of the attractions is that it looks more secure, since you can give a semi-trusted remote user access to specified applications only, but this security is largely illusory because under the covers it is still a remote log-in and there are ways to escalate the access to a full desktop. Open a RemoteApp link on a Mac, for example, and you get the full desktop by default, though you can tweak it to show only the application, but with a blank desktop background:

[image: a RemoteApp session opened on a Mac, showing the application with a blank desktop background]

Setup is laborious; there’s a step by step guide that covers it well, though note that Terminal Services is now called Remote Desktop Services. I set up TS Gateway, which tunnels the Terminal Server protocol through HTTPS, so you don’t have to open any additional ports in your firewall. I also set up TS Web Access, which lets users navigate to a web page and start apps from a list, rather than having to get hold of a .RDP configuration file or setup application.

If you must run a Windows application remotely, RemoteApp is a brilliant solution, though note that you need additional Client Access Licenses for these services. Nevertheless, it is a shame that despite the high level of complexity in the configuration of TS Gateway, involving a Connection Authorization Policy and a Resource Authorization Policy, there is no setting for “only allow users to run these applications, nothing else”. You have to do this separately through Software Restriction Policies – the document Terminal Services from A to Z from Cláudio Rodrigues at WTS.Labs has a good explanation.

I noticed that Rodrigues is not impressed with the complexity of setting up RemoteApp with TS Gateway and so on, on Windows Server 2008 R2:

So years ago (2003/2004) we had all that sorted out: RDP over HTTPS, Published Applications, Resource Based Load Balancing and so on and no kidding, it would not take you more than 30 minutes to get all going. Simple and elegant design. More than that, I would say, smart design.

Today after going through all the stuff required to get RDS Web Access, RDS Gateway and RDS Session Broker up and running I am simply baffled. Stunned. This is for sure the epitome of bad design. I am still banging my head in the wall just thinking about how the setup of all this makes no sense and more than that, what a steep learning curve this will be for anyone that is now on Windows Server 2003 TS.

What amazes me the most is Microsoft had YEARS to watch what others did and learn from their mistakes and then come up with something clean. Smart. Unfortunately that was not the case … Again, I am not debating if the solution at the end works. It does. I am discussing how easy it is to setup, how smart the design is and so on. And in that respect, they simply failed to deliver. I am telling you that based on 15+ years of experience doing nothing else other than TS/RDS/Citrix deployments and starting companies focused on TS/RDS development. I may look stupid indeed but I know some shit about these things.

Simplicity and clean design are key elements of any good piece of software, which someone in Redmond seems to disagree with.

My own experience was not that bad, though admittedly I did not look into load balancing for this small setup. I agree though: you have to do a lot of clicking to get this stuff up and running. I am reminded of the question I asked a few months back: Should IT administration be less annoying? I think it should, if only because complexity increases the risk of mistakes, or of taking shortcuts that undermine security.

Switching from Windows will not protect your data, says Trusteer CEO

I’ve just been sent some quotes from Mickey Boodaei, CEO of Trusteer, which caught my eye. It’s a response to the story that Google is directing employees not to use Windows because of security concerns.

Boodaei says that while switching from Windows may reduce the prevalence of common malware, it will not protect against “targeted attacks” – in other words, attempts to penetrate a specific network to steal data:

Enterprises that are considering shifting to an operating system like Mac or Linux should realize that although there are fewer malware programs available against these platforms, the shift will not solve the targeted attacks problem and may even make it worse. Mac and Linux are not more secure than Windows. They’re less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections.

In a targeted attack where criminals decide to target a specific enterprise because they’re interested in its data assets, they can very easily learn the type of platform used (for example Mac or Linux) and then build malware that attacks this platform and release it against the targeted enterprise.

The security community is years behind when it comes to security products for Mac and Linux. Therefore there is much less chance that any security product will be able to effectively detect and block this attack. By taking that action the enterprise increases its exposure to targeted attacks rather than reducing it.

This sounds plausible, though there are a couple of counter-arguments. Windows has some flaws that are not present on Mac or Linux. It is still common for users to run with full local admin rights, even though User Account Control in Vista and Windows 7 mitigates this by requiring the user to approve certain actions. On Windows, it’s also more likely that you will have to give elevated rights to some application that wants to write to a system location; there’s a specific “Run as administrator” option in the compatibility options.

Further, I’m always sceptical of statements from the Windows security industry. Are they simply trying to protect their business?

Still, I’m inclined to agree that switching OS is not a silver bullet that will fix security. Take a look at this recent report of malware-infected web sites offering tips for a current hit game, Red Dead Redemption.

The attack is essentially psychological. It plays on the common knowledge that Windows is vulnerable to malware, informing the user that malware has been detected and they must clean it up by running a utility. The utility, of course, is in fact the malware. The chances are good that the user will consent to giving it elevated permissions, once they have been taken in. In principle this kind of attack could work on other operating systems, except that the user might be more sceptical about the presence of malware because it is less common – a rather frail defence.

The insecurity of Verified by Visa and MasterCard SecureCode

An article on the H points to this paper by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D Secure (3DS) protocol used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of each transaction to the card issuer or its contractors.

Banks also use the supposed additional security of 3DS to shift liability for fraudulent use towards the customer.

What’s wrong with 3DS? The authors list a number of issues. The 3DS system throws up a request for additional authentication in a pop-up dialog or iFrame, which means you cannot easily check its source; it could be a phishing attack. The memorable pass phrase that is meant to prevent this is vulnerable to man-in-the-middle attacks, as well as impatient users who might not bother to read it. Password reset mechanisms are often poorly implemented, and may depend on semi-public information such as date of birth.

The authors suggest that a simple approval process, such as a text message to your phone asking for an authorisation code, would be more secure, even if only as a stop-gap before adopting a more robust solution.

I find it surprising that 3DS has been adopted so widely despite well-known flaws. As the authors note:

3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it’s probably the largest single sign-on system ever deployed.

Well, with this post I am doing my bit.

The end of Code Access Security in Microsoft .NET

In the early days of .NET I remember being hugely impressed by Code Access Security. It gave administrators total control over what .NET code was permitted to run. It’s true that the configuration tool was a little intimidating, but there were even wizards to adjust .NET security, trust an assembly, or fix an application – great idea, that last one.

[image: the .NET Framework Configuration tool with its security wizards]

Well, now the truth is out. Code Access Security was too complex for humans to configure. Buried deep in the documentation for .NET Framework 4.0 you can find Microsoft’s confession, under the heading Security Policy Simplification:

In the .NET Framework 4 Beta 2, the common language runtime (CLR) is moving away from providing security policy for computers. Historically, the .NET Framework has provided code access security (CAS) policy as a mechanism to tightly control and configure the capabilities of managed code. Although CAS policy is powerful, it can be complicated and restrictive. Furthermore, CAS policy does not apply to native applications, so its security guarantees are limited. System administrators should look to operating system-level solutions such as Windows Software Restriction Policies (SRP) as a replacement for CAS policy, because SRP policies provide simple trust mechanisms that apply to both managed and native code. As a security policy solution, SRP is simpler and provides better security guarantees than CAS.

The section below, headed Obsolete Permission Requests, is even more damning of the old system:

Runtime support has been removed for enforcing the Deny, RequestMinimum, RequestOptional, and RequestRefuse permission requests. In general, these requests were not well understood and presented the potential for security vulnerabilities when they were not used properly.

It goes on to explain why they did not work, with explanations like this one for RequestOptional:

RequestOptional was confusing and often used incorrectly with unexpected results. Developers could easily omit permissions from the list without realizing that doing so implicitly refused the omitted permissions.

The new .NET Framework 4.0 no longer enforces these obsolete permissions.

Microsoft is right. As far as I’m aware, few used the .NET Configuration tool, and I cannot even find it in Windows 7, even though Visual Studio and all the versions of the .NET Framework are installed. Developers feared, with justification, that tinkering with the settings would simply cause mysterious exceptions that were hard to resolve.

I recall though that Code Access Security was considered a highly strategic feature when .NET was first released. One of the promises of .NET was that applications would be more secure and malware less prevalent. The fine-grained permissions were a selling point versus Java.

The painful lesson is that simplicity is a feature. Of course some things are inherently complex; but technology succeeds when it simplifies rather than complicates the tasks that we face.

Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is Firefox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there are not known multiple vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, they are likely passing their credentials in plain text over the internet for any smart hacker to read.

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.

Have Windows OEM vendors learnt anything from Apple?

I’ve just set up a new consumer Windows 7 PC – it was HP’s Compaq Presario CQ5231UK, not bad value at £399 (VAT included) with Core 2 Duo E7500 (2.93 GHz), 3GB RAM, Windows 7 Home Premium 64-bit – yes, 64-bit Windows really is mainstream now – 500GB hard drive and NVIDIA G210 graphics.

For comparison, the cheapest current Apple Mac is the Mini at £499 – it’s not directly comparable since its neat compact size is worth a premium, but it is slightly less well specified with slower processor, 2GB RAM and 160GB drive. As for an iMac, this comes with a screen but costs more than twice as much as the HP Compaq.

A good deal then; but have Microsoft’s efforts to make Windows 7 “quieter” and less intrusive been wrecked by OEM vendors who cannot resist bundling deals with 3rd parties, otherwise known as crapware?

I draw your attention to my interview with Microsoft’s Bill Buxton last year, when I raised this point. He said:

Everybody in that food chain gets it now. Everybody’s motivated to fix it. Thinking about the holistic experience is much easier now than it was two years ago.

I was interested therefore to see what sort of experience HP delivers with one of its new home PCs. Unfortunately I forgot to keep a list, but I removed a number of add-ons that the user agreed were unwanted, including:

I also removed a diagnostics tool called PC-Doctor and an HP utility that stuck itself prominently on the desktop, HP Advisor Dock. It is possible that these tools might in some circumstances be useful, though I’m wary. I have no idea why HP has decided to supply its own Dock accessory after Microsoft’s efforts with the Windows 7 Taskbar.

We left in place an application called HP Games which is a branded version of WildTangent ORB and includes some free games.

The short answer is that the Windows ecosystem has not changed. The deal is that your cheap PC is subsidised by the trialware that comes with it. Another issue is OEM utilities – like HP’s Advisor Dock – which jar with the careful design Microsoft put into Windows 7 and offer overlapping functionality with what is built in.

In mitigation, Windows 7 runs so well on current hardware that even this budget PC offers snappy performance. I also had no difficulty removing the unwanted add-ons. The speed of setup – number of restarts – was much better than I recall from the last Toshiba laptop I set up.

Nevertheless, on the basis of this example there is still work to do if the experience of starting with a Windows PC is to come close to that offered by the Mac. Further, bundling anti-malware software that requires a subscription is actually a security risk, since a proportion of users will not renew and therefore end up without updates. I would be interested in other reports.


Sophos Windows 7 anti-virus test tells us nothing we don’t already know

Sophos is getting good publicity for its latest sales pitch virus test on Windows 7. This tells us:

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft’s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

Unfortunately Chester Wisniewski from Sophos is vague about his methodology, though he does say that Windows 7 was set up in its default state and without anti-virus installed. The UAC setting was on its new default, which is less secure (and intrusive) than the default in Windows Vista.

My presumption is that he copied each virus to the machine and executed it – and was apparently disappointed (or more likely elated) to discover that 8 out of 10 examples infected the machine.

It might be more accurate to say that he infected the machine, when he copied the virus to it and executed it.

I am not sure what operating system would pass this test. What about a script, for example, that deleted all a user’s documents? UAC would not attempt to prevent that; users have the right to delete their own documents if they wish. Would that count as a failure?

Now, it may be that Wisniewski means that these executables successfully escalated their permissions. This means, for example, that they might have written to system locations which are meant to be protected unless the user passes the UAC prompt. That would count as some sort of failure – although Microsoft has never claimed that UAC will prevent it, particularly if the user is logged on with administrative rights.

If this were a serious study, we would be told what the results were if the user is logged on with standard user rights (Microsoft’s long-term goal), and what the results were if UAC is wound up to its highest level (which I recommend).

Even in that case, it would not surprise me if some of the malware succeeded in escalating its permissions and infecting system areas, though it would make a more interesting study. The better way to protect your machine is not to execute the malware in the first place. Unfortunately, social engineering means that even skilled users make mistakes; or sometimes a bug in the web browser enables a malicious web site to install malware (that would also be a more interesting study). Sometimes a user will even agree to elevate the malware’s rights – UAC cannot prevent that.

My point: the malware problem is too important to trivialise with this sort of headline-grabbing, meaningless test.

Nor do I believe the implicit message in Wisniewski’s post, that buying and installing Sophos will make a machine secure. Anti-virus software has by and large failed to protect us, though undoubtedly it will prevent some infections.

See also this earlier post about UAC and Windows security, which has links to some Microsoft statements about it.


Hands On with Microsoft Security Essentials – terrible name, but product looks good

Microsoft has released its free Security Essentials software, antivirus and antispyware protection aimed at home users. It runs on XP 32-bit, or Vista or Windows 7 32-bit or 64-bit, the only technical restriction being that Windows must validate as “genuine”. Businesses are meant to use Forefront Client Security, though “home-based small businesses” are specifically permitted in the license agreement. I installed it on my Windows 7 64-bit desktop PC.

Installation was smooth, guided by a simple wizard with a castle logo:

The trickiest moment comes when the installer recommends that you “remove other antivirus and antispyware programs”:

I am glad that Microsoft is confronting this issue, since running multiple antivirus applications is terrible for performance. It does make the point that this free software will not be good for competitors at this end of the market. The other issue is that removing other security software will probably mean a reboot as well as passing one or more dialogs pleading with you to reconsider. Do this before running the installer.

Once done, Security Essentials – a terrible, unmemorable, tongue-twisting name – announces that your computer is at risk while it goes off and downloads updates:

When the update completes, it does a quick scan, which took around 30 minutes on my machine. I let this complete – nothing was found – and then had a poke around the tabs and settings.

The user interface is nicely designed and there isn’t much to see. By default Security Essentials will scan your PC once a week on Sunday night. You can specify quick or full scans. The software also monitors all file activity looking for malware. I get the impression that Microsoft has tried to make Security Essentials as unobtrusive as possible, which is most welcome.

One thing that did annoy me is the settings for recommended actions:

In patronising style, Microsoft offers “Recommended action” as the default when malware is detected, but does not tell you what that action is. It is explained here – for severe or high alerts, it attempts to remove the malware, while for medium or low alerts it quarantines it. However, it does seem to ask first, which is important in the case of false positives.

I couldn’t find any way of setting the frequency of updates, which surprised me.

I gave Security Essentials an easy test by downloading the EICAR test file, a harmless file used for testing antivirus software. Security Essentials sprang into life:

I clicked Show details and got another red dialog offering to perform the recommended action, which was Remove. Another click, and it claimed to have done it, with the dialog turning a reassuring shade of green.

Is it any good? That’s a tough one. I don’t have high expectations of any security software based on scanning for known malware. Such software tends to fail when new viruses appear, as they do constantly. Another problem is that the bad guys can run the same security software as you, and design their malware to avoid its effects. In general, it is obvious that antivirus software has failed to prevent the spread of malware. I rate other things as more important, such as keeping systems up-to-date with patches and observing best practice concerning what you allow to execute. Unfortunately clever social engineering can often defeat good intentions.

Still, if you consider antivirus software a necessary evil, this one impresses by being nicely designed and mostly staying out of the way. If you are looking for the highest detection rates, you will have to wait for statistical analyses to be done. I am sure the commercial security companies will be quick to report on failures.

Personally I’m delighted that users can now get the Windows Security Center (Action Center in Windows 7) to stop bugging them without installing third-party software. Another advantage is that the software won’t stop updating when the user fails to subscribe or renew. Microsoft has plenty of incentive to get this one right, and to deliver something at least as good as the competition without slugging performance or annoying the user with advertisements and/or constant exhortations to upgrade. I think it is worth a try.

O2 router attack shows danger of staying logged in

Concerned about web security? One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session.

Here’s the reason. Let’s say you are logged into some site – it could be Facebook, or Google, or the admin screen on your router – and you’ve left the “keep me logged in” option checked. Then you visit some other site. The vast majority of web pages today run JavaScript code in the background, and these scripts execute on your computer, not on the web server. What if one of those scripts sends a request to a site where you are logged in? The request comes from your computer, carrying your session cookie, so it looks like you to the web site. If you are unlucky, the script will be able to perform any action you could perform, but without your awareness – such as changing your password, or reading confidential information.

For this hack to work, a couple of things need to have gone wrong:

1. You are running a malicious script. This implies that the site you are visiting has been hacked, or has a vulnerability such as forum software which allows users to post content that might trigger a script. Even a link to an image in a forum post might be sufficient.

2. The site where you are logged in doesn’t make any additional checks on the source of the script. Although it is running on your computer, the HTTP request generally includes referrer data, revealing the URL of the page from which the script came. By checking this value, the site can figure out that there is something wrong. Another idea is to have unpredictable URLs for sensitive data.

Still, you’ll notice that neither of these things is under your control, whereas generally the option to log out of a site is under your control. Even that might not always be true – a developer could code a site without an option to log out – but that is unusual.
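The two server-side checks described in point 2, as an added example that is not part of the original post: a state-changing request is accepted only if its Origin/Referer matches the site’s own origin and it carries an unpredictable per-session token that a cross-site script cannot read. The site origin, the session contents and the four sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the site being protected (constructed value for this example).
SITE_ORIGIN = "https://router.example"


def issue_csrf_token(session):
    """Create an unpredictable per-session token and store it server-side.

    The site embeds it in its own forms; a script on another site can make
    the browser send the user's cookies, but cannot read this value, so it
    cannot include it in the forged request.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Return the scheme://host[:port] the request claims to come from.

    Browsers send Origin on cross-site POSTs; older ones send only Referer.
    Returns None when neither header is present or usable.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def check_state_changing_request(session, headers, form):
    """Decide whether a cookie-authenticated state-changing request is genuine.

    Returns (allowed, reason). Both checks must pass: the request must come
    from our own origin, and it must carry the token tied to this session.
    """
    if not session.get("logged_in"):
        return False, "not logged in"
    origin = request_origin(headers)
    if origin is None:
        # Conservative choice: a missing Origin/Referer on a request that
        # changes state is treated as suspect rather than trusted.
        return False, "missing Origin/Referer"
    if origin != SITE_ORIGIN:
        return False, f"cross-site request from {origin}"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so timing does not leak the token.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Run four constructed requests against one 'keep me logged in' session."""
    session = {"logged_in": True}
    token = issue_csrf_token(session)
    results = {}
    # 1. The site's own admin page submits the password-change form.
    results["genuine"] = check_state_changing_request(
        session,
        {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/admin/password"},
        {"new_password": "hunter2", "csrf_token": token},
    )
    # 2. A script on another site fires the same request: the browser attaches
    #    the cookies, but the Referer gives it away and no token is present.
    results["cross_site"] = check_state_changing_request(
        session,
        {"Referer": "https://evil.example/forum/thread/42"},
        {"new_password": "pwned"},
    )
    # 3. Right origin, but a guessed token: the token is unpredictable.
    results["guessed_token"] = check_state_changing_request(
        session,
        {"Origin": SITE_ORIGIN},
        {"new_password": "pwned", "csrf_token": "a" * 43},
    )
    # 4. Origin and Referer stripped entirely.
    results["no_referer"] = check_state_changing_request(
        session, {}, {"new_password": "pwned", "csrf_token": token}
    )
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:14s} allowed={str(allowed):5s} {reason}")
```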

The O2 attack referenced above exploits this flaw to get into your router admin, if you are running an O2-supplied broadband router. It is a huge vulnerability, since if the router is re-configured a wide range of further attacks are possible. One example is DNS poisoning, where familiar URLs might take you to malicious destinations. It could also disable firewall protection and redirect external requests to one of your home or small business PCs – very nasty.

Here are a couple of things that will improve security:

1. Don’t use the broadband supplier’s equipment, if it is not entirely under your control. Use your own; turn off Universal Plug and Play (UPnP), change the admin password, don’t stay logged into the admin.

2. Don’t stay logged into any site which matters. Even sites which don’t appear to matter can be a security risk, if they expose passwords or security questions that you use elsewhere, for example. Personally I always log out of Facebook, Google and Twitter, for example, even though sites like these should be aware of the risks and be coded appropriately – they mostly are, but mistakes happen.

Unfortunately many sites encourage you to stay logged in, because it reduces the friction of using the site. Still, there are compromises which work. I notice with Amazon for example, that it uses cookies to give you personalized information even when not logged in, but displays password prompts with boring regularity for actions that spend money – though Amazon also advises you to log out completely if using a public or shared computer.