What I learned during the TAG Cyber Attack & Business Continuity Simulation


Georgia’s Governor Nathan Deal proclaimed February 25th, 2014 to be “Business Cyber-security Day in Georgia”.

As part of the initiative, the Technology Association of Georgia (TAG) ran a Cyber Attack & Business Continuity Simulation, which I attended. It was an amazing presentation, not only of content but also of coordination.

The simulation was of a fictional company (The Logistics Company, aka TLC) and how it would respond to different attacks on its systems. There were seven attacks carried out during the simulation. There were roughly 30+ people involved with the simulation and the entire event was broadcast to multiple locations around the US as well as to Kuwait. Making it more interesting, the people involved hold the same positions in their real companies as the people they were portraying in the simulation. The people playing the C-suite in the simulation are really C-suite executives in their respective companies, the lawyers in the company are really corporate lawyers in the real world, etc.

In addition, due to the Governor’s proclamation, the entire event was hosted at Dobbins Air Force Base and included participation from the Georgia Air National Guard, the Cobb County Police/911 department, the GBI, as well as the FBI.

There were five cyber attacks, one physical attack, and one social engineering attack.

In reverse order, the social engineering attack was left until last and was more informational than something the business needed to respond to directly in the simulation. An outside resource recruiter informed the business that she had been approached by a Chinese company to try & poach recruits from TLC’s supply chain division. She was approaching TLC because she had become suspicious after following up with each of the recruits to see how their interviews with the Chinese company had gone, and being told that the interviews were all one way, with the Chinese company asking all the questions & not following up to actually hire any of the interviewees.

The end result was, the Chinese company was trying to gather intel about TLC for a variety of potentially nefarious reasons. I assume the logical response of TLC would be to warn/train its employees about how to respond to strange recruiting requests. Obviously, TLC cannot mandate that their employees don’t talk to recruiters at other companies, but they do need to be aware that every time they talk to someone outside the company, the information could be used to hurt TLC.

The physical attack proved very interesting to me because it helped me realize the role of police and other emergency response personnel in an emergency. The fictional attack was that two ex-employees sabotaged the company’s data center (it turned out to be their backup data center, so it wasn’t as large of a crisis as it could have been). The employees destroyed cooling towers as well as backup generators, so the data center had to be taken down immediately or risk frying all the equipment.

The immediate business response was to call 911. After which, they realized it was their backup facility and it did not hurt their primary data center. They then quickly made arrangements to back up their main facility to a third-party data center. In real life, the backup would take a while to accomplish but so long as their primary facility didn’t go down, it would not hurt their day-to-day operations.

The problem with the immediate business response was, as soon as the police arrive at a potential crime scene, the business loses all control of the scene until the police allow them back in. Therefore, if the business needs access to computers, data, etc. they may lose access to all of it until the police finish collecting the evidence they need. This can potentially hurt the business even more than the actual damage if they cannot complete in-progress business at the time of the crime.

The cyber attacks ranged widely in nature (I forgot what the fifth one was):

  • An international hacker encrypting the business’s data files & demanding a ransom
  • Disgruntled employees installing Raspberry Pis to override PLC (Programmable Logic Controller) instructions to disrupt a sorting & packaging facility
  • Hackers disrupting the shipment routing system and sending critical shipments of organ transplants to random addresses
  • The DoD finding out that routers shipped by TLC included malware which was spying on the data flowing through the networks

All of the cyber attacks were pretty complicated and included potential damage to the business’s brand image in the marketplace (especially when the critical organ transplants were not delivered on time), as well as complications involving contracts and insurance policy questions. The main lesson learned here was to ensure that your legal team is involved in preparing your business continuity planning to ensure that you are not breaking contracts with suppliers, clients, or insurance policies depending on how you respond in an emergency situation. There may be SLAs, legislation (such as HIPAA or other privacy laws), or other contractual agreements which you may be bound to regardless of what has happened to your company.

The three main points I got out of the simulation were:

  1. Having a single page listing all important phone numbers is better than any 8-inch-thick binder full of amazing plans, because the binder will get left on the shelf during an actual crisis.
  2. The act of planning is almost more important than your response in a situation. The act of planning forces you to organize and think through your response so that you at least do something instead of freezing in an emergency situation.
  3. It’s important to have a good response team put together – but even more important is to have all of them in communication during a crisis. Get the key decision makers in one room, or on one conference call. No one leaves until the crisis is over. If they need information, send out others to collect it. Keep your decision makers in the loop at all times so they can respond as soon as the situation changes.

I’m looking forward to attending next year’s simulation!

The Power of Complaints: Parking Security?


I had a fascinating insight into one of my blind-spots with regards to both security and complaining today that I would like to share.

Here are the facts:

  • For the past couple of months I have been working at a new building for one of my clients.
  • The building has many different tenants and it has a huge parking deck. One level of the deck has a gated, paid visitor parking area while employees park for free in different, gated areas.
  • As a visitor, you enter through a different door and the security guards in the lobby ask all guests to sign in.
  • When you sign in, they ask for your name, company you are visiting, time in, & time out.
  • When you enter or leave the parking deck, some or all of the gates are sometimes open, allowing anyone to drive through – usually without paying.
  • Because I was coming to the building on & off for a couple of months, the desk security began to recognize me and told me that since I was a regular visitor, I didn’t have to park in the paid parking area, I could simply pull up to any of the employee gates, press the intercom and tell them: “Employee trying to get in (or out)”.

Those are the facts. How I interpreted these facts (which was the basis for my complaint) was:

Obviously the building security didn’t have a clue or didn’t care that it:

  • Was losing revenue by leaving the gates open
  • Was not protecting the vehicles parked in the lot by leaving the gates open
  • Did not have a way to contact any visitor to the building in the case of an emergency (because they didn’t ask for contact info)
  • Had no way to know if a real employee was trying to use the employee parking area!

Based on my view, my conclusion was, the security was inadequate for protecting property or people and therefore was stupid.

As I said, this was my complaint, and helping me validate it was the fact that everything making up my complaint was true!

However, I realized that I was being inauthentic because this was only my view and I didn’t have a clue what the view of the people administering the “security” to the building was. Today, I walked up to the lobby security and told them that I was very confused by what the parking and building security appeared to be from my view and I asked them why they did what they did.

This is what their view turned out to be. They are only interested in ensuring that visitors have places to park and that visitors pay for their parking. Therefore they:

  • Leave the gates open at random intervals because the visitor lot is utilized by a restaurant across the street for random events & those visitors do not have to pay for parking.
  • If you come in through the visitor’s door, they ask you to sign in so that they can check your name against the list of employees in the building to ensure that you’re not an employee using up a visitor spot.

As you can see – their security goals are entirely different from what I thought they were trying to accomplish! They are actually trying to protect their visitor spots from building employees! Not the building employees or their vehicles from any external harm!

What I discovered from all of this is that my view, while always true (according to my view), is by definition, not the same view as someone else’s.
I also discovered that security goals are not always going to be obvious or make sense from the outside and that you need to really ensure that you understand the driving force behind the security measures before attempting to critique them.

Edit: Finally, & most importantly, I discovered that there is always something missing which is causing my complaints and that by looking at them and by figuring out what is missing, I can make my complaints disappear. Finally, I discovered that my complaint was not the truth. Having the complaint in the first place was inauthentic of me because I should not have a complaint about something I obviously didn’t understand, and that by taking action to explore what was possible (such as asking another for their view) made my complaint disappear.

Once I understood that my complaint was based on what I felt should be, versus what actually was, my complaint disappeared!

I enjoyed sharing these awesome discoveries with you & I would love to hear your feedback!

~Yosef B.

Batch scripts to turn on & off Tasks in Task Scheduler


In a previous post (Microsoft Task Scheduler Tips & Tricks) I told you how to create a basic task in the Microsoft Task Scheduler to remind you to stand up once every 30 minutes.

While this is a great way to create a reminder – it can be time-consuming to go into Task Scheduler to turn your reminder on or off (e.g. you don’t want your reminder popping up while you’re giving a presentation or watching a movie).

Here’s a new tip on how to create two batch scripts to quickly turn your reminder on or off:

To turn your task off:
Open a notepad application (As a plug – I prefer Notepad++) and save the following script:


SCHTASKS /change /tn "Stand Up Reminder" /DISABLE
PAUSE

You will need to change the text in quotes (e.g. “Stand Up Reminder” above) to match whatever you named your task in Task Scheduler.

Next, save the script with a name like “Disable standup reminder.bat” (Note: you must save the file with the extension “.bat” instead of a “.txt” document). I suggest you save it to your desktop or pin it to your Start bar for easy access.

To turn your task back on – follow the same steps as above but use the following script instead:


SCHTASKS /change /tn "Stand Up Reminder" /ENABLE
PAUSE

As always, please let me know if you have any questions in the comments below!

How to create an HTML Email in Microsoft Access


A recent client of mine wanted me to make some enhancements to an Access database. The enhancements were all aimed at reducing the workflow. One of the issues they were encountering was at the end of the workflow, the user clicked a button inside the Access database that opened a Word file. This Word file would then walk the user through doing a Mail Merge from within Word to get elements out of the database and then create e-mails in Microsoft Outlook.

The problem was there were quite a few steps involved and at the end of it all, the user had to go back into the database and wipe out some temp tables to be able to restart the process the next day. If they got up from their desk and then came back – it was pretty easy to forget where they were in the workflow and could miss steps.

The client wanted to know if there was a way to do the entire mail merge process inside Access so that everything was automated and they wouldn’t have to go out to Microsoft Word. Piecing together a bunch of different scripts online, I was able to duplicate their Word template as an HTML formatted email, generated from within Access with all the appropriate data elements included in the e-mail.

Here is the outline of the code I used – I have included comments to explain what different parts are doing in the code. If you have specific questions, please let me know in the comments below.

Enjoy!


Private Sub send_mail() 'Start of the procedure

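'Create application and mail objects
Dim olApp As Object
Dim objMail As Object

'Outlook constants, defined here because olApp is late-bound (As Object)
'and the Outlook object library may not be referenced
Const olMailItem As Long = 0
Const olFormatHTML As Long = 2

'Variants so that Null field values do not raise an error
Dim strElement1 As Variant
Dim strElement2 As Variant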

'Create a query definition and set it to run a specific query.
'Change "Email Query" in square brackets to match query name in your database.
Dim qd As QueryDef
Set qd = CurrentDb.QueryDefs![Email Query]

'Create a record set and run the query defined above
Dim rst As Recordset
Set rst = qd.OpenRecordset()

'The following code loops through each record brought back by the query and
'creates an email for each record.
rst.MoveFirst
Do Until rst.EOF

strElement1 = rst![DataElement1]
strElement2 = rst![DataElement2]

rst.MoveNext

   On Error Resume Next 'Keep going if there is an error
   Set olApp = GetObject(, "Outlook.Application") 'See if Outlook is open

    If Err Then 'Outlook is not open
       Set olApp = CreateObject("Outlook.Application") 'Create a new instance
    End If

    'Create e-mail item
   Set objMail = olApp.CreateItem(olMailItem)
   With objMail
   'Set body format to HTML
     .BodyFormat = olFormatHTML
     .To = "address@yourmailaddress.com"
     '.CC = "ccaddress@yourmailaddress.com"


Uncomment the line above to add a carbon copy e-mail address


     '.BCC = "bcaddress@yourmailaddress.com"


Uncomment the line above to add a blind copy e-mail address


    .Subject = "E-mail Message Subject Goes Here"
    .HTMLBody = "<!DOCTYPE html>"
    .HTMLBody = .HTMLBody & "<html><head></head><body>"


You can keep building out the html using the same syntax of adding .HTMLBody from the line above & tacking on whatever is new:


    .HTMLBody = .HTMLBody & "<h1><u>This is an example header line</u></h1>"
    .HTMLBody = .HTMLBody & "<h2><u>This is an example header 2 line</u></h2>"
    .HTMLBody = .HTMLBody & "<table>"
    .HTMLBody = .HTMLBody & "<tr><td>Element 1</td><td>" & strElement1 & "</td></tr>"
    .HTMLBody = .HTMLBody & "<tr><td>Element 2</td><td>" & strElement2 & "</td></tr>"
    .HTMLBody = .HTMLBody & "</table>"
    .HTMLBody = .HTMLBody & "<br><br><img height=""20"" width=""684"" border=""0"" " & _
        "src=""C:\Users\USERNAME\Desktop\image001.png"" style=""width: 684px; height: 20px;"" />"


Above is an example of adding in an image to the Email HTML


    .HTMLBody = .HTMLBody & "<br><br>Email Customer Service at " & _
        "<a href=""mailto:Support@youremailaddress.com"">Support@youremailaddress.com</a>"


Above is an example of adding a URL to the Email HTML


    .HTMLBody = .HTMLBody & "<br>or call 1-800-YOUR NUMBER HERE (Mon – Fri, 8am - 8pm Eastern)."
    .HTMLBody = .HTMLBody & "</body></html>"


By uncommenting the "Send" command below, emails will be sent out without allowing the user to review them first. Using the "Display" command brings up all the emails as draft emails and allows the user to review them prior to sending them.


     '.send
     .Display
   End With
Loop

End Sub
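
The script above concatenates the query values strElement1 and strElement2 straight into .HTMLBody, so any value containing <, > or & is treated as markup by the recipient's mail client. The following is an added example, not part of the original script: HtmlEncode, BuildRow and TestHtmlEncode are hypothetical helper names that escape each database value before it is placed in the e-mail.

```vba
'Added example (not from the original post). HtmlEncode, BuildRow and
'TestHtmlEncode are hypothetical names; paste them into the same module
'as send_mail.

'Returns varValue as text that is safe to place between HTML tags or inside
'a quoted attribute. Null database fields become an empty string.
Public Function HtmlEncode(ByVal varValue As Variant) As String
    Dim strIn As String
    Dim strOut As String
    Dim strChar As String
    Dim lngPos As Long

    If IsNull(varValue) Then Exit Function 'returns "" by default

    strIn = CStr(varValue)
    For lngPos = 1 To Len(strIn)
        strChar = Mid$(strIn, lngPos, 1)
        'Compare character codes so the result does not depend on the
        'module's Option Compare setting
        Select Case AscW(strChar)
            Case 38 'ampersand
                strOut = strOut & "&amp;"
            Case 60 'less-than sign
                strOut = strOut & "&lt;"
            Case 62 'greater-than sign
                strOut = strOut & "&gt;"
            Case 34 'double quote
                strOut = strOut & "&quot;"
            Case 39 'apostrophe
                strOut = strOut & "&#39;"
            Case 13 'carriage return: dropped, the line feed makes the break
            Case 10 'line feed
                strOut = strOut & "<br>"
            Case Else
                strOut = strOut & strChar
        End Select
    Next lngPos

    HtmlEncode = strOut
End Function

'Builds one two-column table row with both cells encoded.
Public Function BuildRow(ByVal strLabel As String, ByVal varValue As Variant) As String
    BuildRow = "<tr><td>" & HtmlEncode(strLabel) & "</td><td>" & _
               HtmlEncode(varValue) & "</td></tr>"
End Function

'Inside the With objMail block of send_mail, the two table rows become:
'    .HTMLBody = .HTMLBody & BuildRow("Element 1", strElement1)
'    .HTMLBody = .HTMLBody & BuildRow("Element 2", strElement2)

'Quick check from the Immediate window: run TestHtmlEncode.
'The sample values are constructed for this example, not real data.
Public Sub TestHtmlEncode()
    Debug.Assert HtmlEncode("Smith & Sons <b>") = "Smith &amp; Sons &lt;b&gt;"
    Debug.Assert HtmlEncode(Null) = ""
    Debug.Assert HtmlEncode("line 1" & vbCrLf & "line 2") = "line 1<br>line 2"
    Debug.Assert BuildRow("Element 1", "a""b") = _
        "<tr><td>Element 1</td><td>a&quot;b</td></tr>"
End Sub
```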

Automating File/Folder Deletion


As promised in my last post, here is a sample batch file for automating deletion of files or folders.

For a tutorial on setting up a task in Windows Task Scheduler – please see the following previous post:

Assuming you have set up your temporary file structure as suggested in my last post, save the following code in a .BAT file and set up an automated task to run it as a program on a schedule.


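REM CD C:\TMP\
RMDIR /S /Q C:\TMP\
REM RMDIR also removes the folder itself, so recreate it for programs that use TMP
IF NOT EXIST C:\TMP\ MKDIR C:\TMP\

REM CD C:\TEMP\
RMDIR /S /Q C:\TEMP\
REM Recreate the folder for programs that use TEMP
IF NOT EXIST C:\TEMP\ MKDIR C:\TEMP\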

REM CD "C:\Users\USERNAME\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\"
RMDIR /S /Q "C:\Users\USERNAME\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\"

REM CD "C:\Users\USERNAME\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\"
RMDIR /S /Q "C:\Users\USERNAME\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\"

PAUSE

You will need to update the code with your username in the 4 places that say “USERNAME”.

This code will delete all files in the C:\TEMP & C:\TMP folders as well as clean up after Macromedia’s Flash Player which I find tends to leave quite a few temporary folders and files behind.

When the code runs, it will pause at the end for you to review its progress until you press any button.

Happy New Years!

Temp Files Cluttering Your Hard Drive? Consolidate!


Note: The following instructions are for Windows PCs and should be pretty consistent across Windows XP, Windows 7 & Windows 8.

Your computer stores temporary files all over the place. Sometimes it is smart enough to clean up after itself – most of the time it’s not.

If you direct your main temporary directories to point to one location it will make it much easier to manage cleaning up these temporary files.

Anytime I set up a new computer (or help a friend), there are 3 main temporary directories which I re-point.

  • C:\Windows\TEMP
  • C:\Windows\TMP
  • C:\Users\USERNAME\AppData\Local\Microsoft\Windows\Temporary Internet Files where USERNAME is your Windows log on username.

Before we begin, navigate to the folders above and delete as much out of them as Windows will allow (if there are any files it gives an error for, select the “Skip” option).

To re-point the following temporary directories:

  • C:\Windows\TEMP
  • C:\Windows\TMP

  1. On the start menu, open the Control Panel
  2. In the top right of the window, there is a drop down menu called “View By”. In the drop down, select either Large or Small Icons (depending on your viewing preferences)
  3. Select “System” from the list
  4. On the left hand side of the window, select “Advanced system settings”
  5. The window that opens should default to the “Advanced” tab. Click on the “Environment Variables” button at the bottom of the window
  6. There are two sections in the Environment Variables window. The first are variables that are unique to your user profile on your computer. The second are System variables which are global and apply to any profiles that are on your computer.
  7. In each section there should be two variables (so 4 in total): TEMP and TMP
  8. For each variable, highlight it and click the “Edit” button
  9. In the pop up window, type the folder location where you want the variable to put its files. I like to have my TEMP files go into a TEMP directory right under my root (main) directory which is usually your “C” hard drive. So I type in “C:\TEMP”.
  10. For TMP Files, I create a second folder called “C:\TMP”.
    The reason I like to keep them separate is that different programs use different folders and it can be easier to track down temporary files (if I need them) if I split up the files.
  11. When you are done inputting the new variable values, click the “OK” button.
  12. When you have finished re-pointing all 4 of your TEMP & TMP variables to their new location, continue clicking “OK” buttons until all windows are closed.

Re-pointing the Internet Explorer temporary directory:

C:\Users\USERNAME\AppData\Local\Microsoft\Windows\Temporary Internet Files where USERNAME is your Windows logon username.

  1. Open Internet Explorer
  2. On the menu bar, select “Tools” and then “Internet Options”. Note: If you don’t see the menu bar, hit the “Alt” button on your keyboard and you should see the menu bar appear.
  3. In the Internet Options window, on the “General” tab, select the “Settings” button in the “Browsing history” section.

    There are two things to change here:

    • The size of Internet Explorer’s cache – a browser cache is where a browser stores local copies of web pages and pieces of web pages (such as pictures, videos, etc.) which you view. It caches these pieces so that the next time you visit that web site it will load quicker. In general, you will not notice a big difference in performance so long as you have a relatively fast internet connection, regardless of how big you make your cache. Therefore, I usually set my browser caches (this works for any browser, Firefox, Chrome, etc.) to between 10 and 50 megabytes (MB).
    • The location of the folder where Internet Explorer stores this cache of temporary files.

  4. In the “Disk space to use” box, input size of cache – I typically put 10 – I don’t think you need more than 50.
  5. Click the “Move folder” button
  6. Browse to the location of your new C:\TEMP folder and select it
  7. Click “OK”
  8. Continue to click “OK” – Windows will inform you that it needs to log you off your profile in order to move the folder. Select “OK” and it will log you off. Log back into your profile and your Temporary Internet Files folder will be moved into your C:\TEMP folder.

So now you have your main culprits of temporary files in one location on your hard drive.

You can either:

  • Manually go into these folders on a regular basis (once a week is fine) and delete all files in these folders (note: Windows will not allow you to delete all the files each time – if it gives you an error on a file, just click the “Skip” button)
  • Or you can set up a task and script to go and delete these files for you on a regular basis. I have a script that runs once a day to clean out my temporary files.

My next post will detail how to automate a deletion script.

Excel Filename Reference Length


I am finally getting around to posting this tip.

I came across an error while helping a colleague of mine a couple of months ago. They were trying to figure out what the easiest way was to update an Excel file that had many reference links to other Excel files. Every time he opened the main file & refreshed the connections, the formulas would give him a #REF! error message.

We eventually figured out that due to the huge folder structure he was storing everything in, the length of the filenames to the referenced Excel files was too long for Excel to digest! Since I had never come across this issue (probably because I always try to keep my file structure as flat and as short as possible), I figured it would be good to post about it to help others who might come across this error.

Microsoft support does have an article detailing this issue which you can read about here: http://support.microsoft.com/kb/213983

In summary, this is what you need to know about filename length:

If you save or open a file where the path to the file (including the file name) exceeds 218 characters you will get an error. This limitation includes three characters representing the drive (e.g. “C:\”), the characters in folder names, the backslash character between folders, and the characters in the file name. In addition, it appears that the file extension (e.g. “.xlsx”) contributes to the length of the filename when causing this error.

This behavior is based on a 256-character limitation in Excel for creating links to another file. This limit of 218 characters for the path name is based on the following:

  • Up to 31 characters in a sheet name.
  • Apostrophes and brackets used to denote the workbook name.
  • An exclamation point.
  • A cell reference.

For example, the path for a file might resemble the following:

'c:\excel\personal\...\[my workbook.xls]up_to_31_char_sheetname'!$A$1

This behavior will also occur if there is a square bracket in the path.

Hopefully this will help encourage you to keep your file structure & file names as short as possible to avoid issues such as these!

Gaining Visibility in Enterprise IT Security


Hi All,

I’m pretty excited to announce that my first paper article has been published! Please check out my article entitled “Gaining Visibility in Enterprise IT Security”, co-authored with a client of mine, Jeff B. (no, his last name is not the same as mine 🙂 ). It was published in the Jabian Journal and is available online here: http://joom.ag/d42X/p60

Here’s the link to the entire contents of this edition of the Jabian Journal: http://www.jabian.com/jabian-journal/jabian-journal-fall-2013-main/

I would love to get feedback on it so please drop me a line or post something in the comments below.

Thanks!

~Yosef

Best Presentation Tips


Over the years I’ve given and watched my fair share of presentations. While I don’t believe I’m the best presenter in the world, I feel that at this point I have enough experience to give some decent advice.

The reason I decided to post this today is because I watched a couple of presentations last night during a competition and some of the presentations suffered from the get-go because the presenters did not follow very basic rules.

When I started to write these tips down, I wanted to start every sentence with “First & foremost” because it seemed like all of the points were the most important. To ensure a great presentation I suggest you follow all of them! 🙂

Know your content! How do you know if you know it well enough? First, you don’t need to look at your slides (other than maybe a quick peek to remind you which slide you’re on) and second, you can answer any questions your friends (who are helping critique your presentation) can come up with.

Have your content & delivery (of said content) peer-reviewed and of course practice, practice, practice!

Whether your presentation includes visualizations or not – walk around! Interact with the audience! Make sure you maintain eye contact (trick: Focus on those that are smiling back at you). One trick I learned from a seasoned presenter is – play a game with yourself. See if you can make it to the back of the audience during your talk.

Obviously this depends on your location – if you’re on a stage facing a multi-tiered audience, I don’t suggest this or if you need a mic that’s not portable this isn’t possible. By walking around, you accomplish multiple things. It will make your audience feel more connected to you and more engaged. It also helps to give them something else to look at besides your slides – audiences can grow bored very quickly.

Remember that you are taking your audience on a journey. Whether it’s a technical journey to discuss the inner workings of string theory or a culminating presentation of the baskets you built during basket-weaving class – in order to keep your audience engaged you have to tell a story.

For Presentations with Visualizations:

  • Check ahead with whoever is responsible for setting up the room where you will be presenting to ensure that you will have the necessary equipment (e.g. lapel microphone, laptop, projector, etc.).
  • Come early to set up and double-check that everything is working.
  • If you will need internet access to show a video or demo a website, make sure you will have access.
  • When it comes to your content in the presentation – less is more. I know there are multiple trains of thought about this but in my experience, keep it simple. Pictures are worth more than words (I’m trying not to fall back on any clichés 🙂 ), and bullets are certainly better than paragraphs!
  • Make sure you are comfortable with whatever technology you are using. In the presentation last night – there were a few presenters that did not know how to use PowerPoint. Make sure you know how to:
    • Put a presentation in Slide Show mode (F5)
    • Restart a presentation at the current slide (ALT+F5)
    • Use a presentation remote/clicker (i.e. you have to be in presentation mode for the clicker to work, etc.)

I realize this isn’t a comprehensive list and you probably won’t be able to go out and give a TED talk after reading this. That being said, if everyone followed these points, presentations would become a lot more enjoyable to sit through and you as a presenter will feel much more comfortable in your role.

No more horrible presentations! Please share your best presentation tips below!

Increase your Firefox Productivity using about:config settings


My browser of preference is Firefox for many different reasons: Security, add-ons and customizability. Today’s post will focus on one of the lesser known aspects of Firefox’s customizability – the “about:config” settings.

To get to these settings, open a new tab in Firefox, type “about:config” into the URL bar (also called the “Awesomebar” in Firefox lingo) and load the page (hit Enter).

At the “This might void your warranty!” page – click the “I’ll be careful, I promise!” button. This will take you to a humongous list of undocumented settings. In addition to the ones listed – you can even create & add your own!

Disclaimer: You can easily break Firefox by changing settings that you don’t understand. Please reference the comprehensive list of about:config options here: http://kb.mozillazine.org/About:config_entries

This list is the basic list of settings that I immediately change/create whenever I set up a new instance of Firefox. All of them help me browse the web faster and/or safer.

Faster tips:

1: Disable the Delay When Installing New Extensions

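When you install a new extension in Firefox, there is a 5 second countdown before you can install the add-on. To regain those 5 seconds of your life, in the “Search” field on the about:config screen, search for security.dialog_enable_delay and set the value to “0”. Keep in mind that the countdown is there so a web page cannot trick you into clicking “Install” the moment the dialog pops up; setting it to “0” removes that protection.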

2: Don’t Close Firefox after Last Tab is Closed

One of my pet peeves in Firefox is that by default, it will close the entire program if you close the last tab. To stop this behavior, set the browser.tabs.closeWindowWithLastTab setting to “False”.

3: Open Search Results in a New Tab

If you use the default search box in Firefox (I actually disable mine & just search from the Awesomebar), you can force Firefox to open search results in a new tab so that it does not override the page you’re currently viewing.

To do so, search for browser.search.openintab and double-click the setting to change it to “True”.

4: Force Spell Checking in all Text Boxes

By default, Firefox only spell checks words that are typed in multi-line text boxes. To force Firefox to spell check words in all text boxes, search for layout.spellcheckDefault and set the value to “2”.

5: Preview Tabs

In Windows you can cycle through open programs using the “Alt”+”Tab” keys. In Firefox you can do the same thing with “Ctrl”+”Tab”. To preview a tab before viewing, set the browser.ctrlTab.previews setting to “True”. (Note: This only seems to work if you have 3+ tabs open, 2 tabs just switches without previews.)

Safer tips:

1: Show “http” in the Awesomebar

By default, Firefox cleans up the URL displayed in the Awesomebar. This makes it difficult to ensure that you’re on an https (secured) vs. http (unsecured) website. To show the http(s) section of a URL, set the browser.urlbar.trimURLs setting to “False”.

2: Turn off Geo-Location

Firefox is pretty good about alerting you when a website wants to know your location – if you’re like me & don’t want ANY websites tracking your location, you can force Firefox to never report (or annoy you by asking to report) your location to a website by setting the geo.enabled setting to “False”.

3: Set encryption preferences

When you connect to an “https” secure website, the server has a list of different types of encryption protocols and ciphers that it can handle. The server also “prefers” certain ones over others.

These preferences are set by the server admin and may be set to “prefer” a lower form of encryption for many reasons. They may want less powerful encryption to lower processing overhead on the server, or they may not understand what they are doing when they set it up, etc.

You can force Firefox to only use certain protocols and ciphers, however certain websites may fail to load in which case you will need to determine what type of encryption they allow and then turn that type back on. (See my articles on HTTPS Protocols and Ciphers and HTTPS Protocols and Ciphers Continued for more information).

Search for each of the following settings & modify every setting that’s returned as follows:

  • tls: Set all Boolean lines to “True”
  • ssl2: Set all Boolean lines to “False” (Note: Newer versions of Firefox will not even list any ssl2 options.)
  • ssl3: Set all Boolean lines to “False” EXCEPT lines that contain “aes_128” or “aes_256”. The AES encryption algorithm is much stronger than the RSA or RC4 ciphers.
  • EXCEPTION: “security.ssl3.rsa_des_ede3_sha”: Initially set this setting to “False” – however, this is the weakest cipher and may be needed for some older SSL sites so if you find certain sites are not working, this is probably the culprit – try setting this back to “True”.