AOA Forums AOA Forums AOA Forums Folding For Team 45 AOA Files Home Front Page Become an AOA Subscriber! UserCP Calendar Memberlist FAQ Search Forum Home


Go Back   AOA Forums > Software > Data Security

Data Security Viruses, Firewalls and Safe computing


Reply
 
LinkBack Thread Tools Rate Thread
  #1 (permalink)  
Old 8th July, 2008, 03:55 PM
danrok's Avatar
AOA Staff
 
Join Date: March 2003
Location: Great Britain
Posts: 18,917

Online risk due to browser flaws

Almost half the online population is at risk because users have not installed security updates to their browsers, says a study.

See front page:
http://www.aoaforums.com/frontpage/content/view/4297/1/

Comments?
__________________
Desktop PC: AMD FX-8370E / Asus M5A99X Evo R2.0 Motherboard / 16GB DDR3 RAM / GeForce GTX 970
AOA Team fah
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #2 (permalink)  
Old 11th July, 2008, 08:28 PM
MUff1N's Avatar
Member
 
Join Date: October 2007
Location: Payson/AZ
Posts: 1,905

This doesn't surprise me in the least. There are so many Stupid & or ignorant people who use computers that don't have the first clue about Internet Security!!!
This is something I learn in detail over 8 years ago...My computer is very Locked down & Secure.
This is the readout I have with ShieldsUp!
Attached Thumbnails
Online risk due to browser flaws-image-0.jpg  
__________________



EVGA GTX 470 SC 37% OC (855/1710/2004) 160.5Gbs
3DMark Vantage: P24352
3DMark 11: P5119

Last edited by MUff1N; 11th July, 2008 at 08:32 PM.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #3 (permalink)  
Old 12th July, 2008, 02:43 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

ShieldsUp! is nothing more than a basic port scanner though. (The particular test you've run only detects the old NetBIOS ports, which have pretty much been superseded since Win2K). As far as browser attacks go, it won't tell you anything. JavaScript is a interesting language, and it's quite possible to produce malicious code that runs entirely within the browser.
__________________
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #4 (permalink)  
Old 13th July, 2008, 06:21 AM
MUff1N's Avatar
Member
 
Join Date: October 2007
Location: Payson/AZ
Posts: 1,905

There isn't anything that runs on my computer without my permission.
I have every single unnecessary service turned off too.
I also use a Linksys router, Spybot S&D (Immunize), SpywareBlaster & Kaspersky Internet Security all always up to date & run FF3 with NoScript so nothing is allowed to run freely in the background without my permission.

But basically common sense works the best for avoiding problems altogether.
It's always easier to keep them out than it is to get them out once they're in. If something needs permission to run, I usually don't trust it unless it's MS Update or MS Office Update.

It's been about 5 years now that I haven't had anything get into my computer.
__________________



EVGA GTX 470 SC 37% OC (855/1710/2004) 160.5Gbs
3DMark Vantage: P24352
3DMark 11: P5119
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #5 (permalink)  
Old 13th July, 2008, 11:12 AM
PorPorMe's Avatar
Member
 
Join Date: January 2008
Location: Othello, Wa
Posts: 3,207

If you set your rig up right, you don't have to worry. Muff1n has his set to his liking and the only way anything is going to get to his box is if he gets lazy.

Before XP PRO, I was constantly tweaking what ever OP I was using. Needles to say, I was Re-installing my OP on a fairly regular basis. That doesn't bother me anymore I'm set up for it.
I'm telling you this because Muff1n is 100% correct In that if you set your rig up right, nothing is going to get through. I'm set up basically the same that he is, different programs, but covered the same way. The difference is I get lazy. After 3-4-mabe 5 months of being vigilant, I quit being careful. That's when i get nailed. It may take a while but it happens. I've been hit 4 times. For me the cure is very simple. An immediate hard boot to my Xp disk and away we go agian. Simple & doesn't bother me in the slightest. That's Why I get lazy-the cure is so simple. But I haven't been hit by any of the realy bad ones either. The worst I've gotten is one that takes over your computer. I've heard of some others that are REALY nasty.
Any way you look at it, it's the operator who decides if anything gets put onto his computer.
__________________
AOA Team fah


1ST * Asus M5A99FX Pro r 2.0 *AMD FX 8350 Black Edition *Cooler Master MasterLiquid 240 CPU Cooler * Crucial 16g DDR3 * MSI Geforce GTX 1050 * Antec 650w* Thermaltake V9 Case
2nd Asus M5A99fx Pro R2.0 Mainboard *AMD FX 4300 Black edition * l6g Crutial DDR3 * Evga Geforce Gt 730 * Coolermaster Dual fan HSF * 500w Thermaltake PSU * 320g western digital HDD


Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #6 (permalink)  
Old 13th July, 2008, 04:35 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Quote:
Originally Posted by Muff1n
I have every single unnecessary service turned off too.
Technically, Windows XP doesn't need any services running at all, if you're just browsing the Internet.

Quote:
Originally Posted by PorPorMe View Post
I'm telling you this because Muff1n is 100% correct In that if you set your rig up right, nothing is going to get through.
Working in information security, I know that it is not possible to set a machine up so nothing gets through, unless you never turn the machine on.

For example, what do you do to prevent a DNS spoofing attack against your ISP's DNS servers? Such an attack could be used to poison their DNS server to provide you with the wrong address for websites. Instead of going to a website you might trust, your machine ends up at a website controlled by an attacker.

Or, for example, the exploit against Firefox 3, which hasn't been patched yet (to my knowledge).

As far as JavaScript goes, there's a lot of sites that don't work with it turned off...
__________________

Last edited by Áedán; 13th July, 2008 at 04:39 PM.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #7 (permalink)  
Old 13th July, 2008, 07:04 PM
PorPorMe's Avatar
Member
 
Join Date: January 2008
Location: Othello, Wa
Posts: 3,207

Quote:
Originally Posted by Áedán View Post
Technically, Windows XP doesn't need any services running at all, if you're just browsing the Internet.



Working in information security, I know that it is not possible to set a machine up so nothing gets through, unless you never turn the machine on.

For example, what do you do to prevent a DNS spoofing attack against your ISP's DNS servers? Such an attack could be used to poison their DNS server to provide you with the wrong address for websites. Instead of going to a website you might trust, your machine ends up at a website controlled by an attacker.

Or, for example, the exploit against Firefox 3, which hasn't been patched yet (to my knowledge).

As far as JavaScript goes, there's a lot of sites that don't work with it turned off...
I guess I should not have given an absolute. It was a little dumb of me. One I'm no expert and 2, there are no absolutes.
That being said, a computer set up correctly, has operator error as the biggest threat. That was all I was trying to say. It is a little weird but the 4 times I got infected-I knew the very nano-second I had screwed up.
As for sites that won't work unless You allow them to use JaveScript or any thing else. The responsibility still lies with the operator.
But the one you mentioned "For example, what do you do to prevent a DNS spoofing attack against your ISP's DNS servers?" That would be a really nasty one!
__________________
AOA Team fah


1ST * Asus M5A99FX Pro r 2.0 *AMD FX 8350 Black Edition *Cooler Master MasterLiquid 240 CPU Cooler * Crucial 16g DDR3 * MSI Geforce GTX 1050 * Antec 650w* Thermaltake V9 Case
2nd Asus M5A99fx Pro R2.0 Mainboard *AMD FX 4300 Black edition * l6g Crutial DDR3 * Evga Geforce Gt 730 * Coolermaster Dual fan HSF * 500w Thermaltake PSU * 320g western digital HDD


Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #8 (permalink)  
Old 14th July, 2008, 04:47 AM
Member
 
Join Date: July 2008
Location: Austin, Texas
Posts: 28
Send a message via ICQ to brons2 Send a message via AIM to brons2 Send a message via MSN to brons2 Send a message via Yahoo to brons2

Many problems can be avoided by not working with administrative rights unless you need them. This is the model that Unix and Linux operating systems have used for years. Unfortunately with XP it is hard to do anything if you don't have admin rights, the accounts are very crippled. Vista is a move forward in this direction IMO. You can create an administrative account and then log on with some other account, then when Vista asks for elevated privileges then you just give it the admin account.

Of course I have XP on this machine because I use it for playing games and the additional overhead of Vista seems like a detriment. On my laptop though I have Vista and Ubuntu dual booted, I use them about equally.
__________________
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #9 (permalink)  
Old 14th July, 2008, 09:25 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Quote:
Originally Posted by PorPorMe View Post
You allow them to use JavaScript or any thing else. The responsibility still lies with the operator.
But the one you mentioned "For example, what do you do to prevent a DNS spoofing attack against your ISP's DNS servers?" That would be a really nasty one!
One of the issues that's been happening is that other people's infrastructure (websites, DNS servers etc) has been manipulated in order to attack machines. So, part of your online security relies on systems that are outside your control! I suppose that's not a lot different from driving - where your safety relies on others getting things right too.
__________________

Last edited by Áedán; 14th July, 2008 at 09:42 AM.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #10 (permalink)  
Old 14th July, 2008, 03:30 PM
PorPorMe's Avatar
Member
 
Join Date: January 2008
Location: Othello, Wa
Posts: 3,207

Quote:
Originally Posted by Áedán View Post
One of the issues that's been happening is that other people's infrastructure (websites, DNS servers etc) has been manipulated in order to attack machines. So, part of your online security relies on systems that are outside your control! I suppose that's not a lot different from driving - where your safety relies on others getting things right too.
Your probably right about that except there is one big difference and it's a total shift in thinking.
We get up, go to work, school, shopping, off to Grandmas house we go-And we have accepted, from the get go, that everyone else on the road is an idiot and not to be trusted.
With our computers, we are in control. We don't have any thing to do with other people unless we want to, and we can stop that in a heart beat. We still have the concept that "people" are the threat and we are relatively safe because we are alone behind our firewalls and realtime scanners. If the shift in thinking can't be made, then the proper defense will be difficult.
The security industry hasn't done to much here. I have seen a few programs that tried to deal with browser threats. They were pretty bad. If I remember right, either they were not effective or so complicated and obtrusive that I just uninstalled them.
__________________
AOA Team fah


1ST * Asus M5A99FX Pro r 2.0 *AMD FX 8350 Black Edition *Cooler Master MasterLiquid 240 CPU Cooler * Crucial 16g DDR3 * MSI Geforce GTX 1050 * Antec 650w* Thermaltake V9 Case
2nd Asus M5A99fx Pro R2.0 Mainboard *AMD FX 4300 Black edition * l6g Crutial DDR3 * Evga Geforce Gt 730 * Coolermaster Dual fan HSF * 500w Thermaltake PSU * 320g western digital HDD


Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #11 (permalink)  
Old 14th July, 2008, 04:16 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

The problem is similar to the issues that globalisation brings up, and we're not coping with that issue all that well either! As far as InfoSec goes, protecting your browser against unknown code is very difficult. Using a parallel with the real world, even the human body can't defend itself against every biological threat (such as bacteria/virus) that's out in the world. What hope does a mere computer program have?
__________________
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #12 (permalink)  
Old 14th July, 2008, 06:16 PM
PorPorMe's Avatar
Member
 
Join Date: January 2008
Location: Othello, Wa
Posts: 3,207

Quote:
Originally Posted by Áedán View Post
The problem is similar to the issues that globalisation brings up, and we're not coping with that issue all that well either! As far as InfoSec goes, protecting your browser against unknown code is very difficult. Using a parallel with the real world, even the human body can't defend itself against every biological threat (such as bacteria/virus) that's out in the world. What hope does a mere computer program have?
Like viruses in the bio world, some times it's not the big drug companies. Some times it's a Louis Pastour.
There will be 1 guy, probably not even in security, will have a light bulb moment. An idea so outside the box he would get dismissed out of hand by the 'experts'.
He will gather a few geek friends that don't know any better and SHAZAM- up pops a new Norton or AVG.
Because it will work and there still won't be anyone else who has anything.
__________________
AOA Team fah


1ST * Asus M5A99FX Pro r 2.0 *AMD FX 8350 Black Edition *Cooler Master MasterLiquid 240 CPU Cooler * Crucial 16g DDR3 * MSI Geforce GTX 1050 * Antec 650w* Thermaltake V9 Case
2nd Asus M5A99fx Pro R2.0 Mainboard *AMD FX 4300 Black edition * l6g Crutial DDR3 * Evga Geforce Gt 730 * Coolermaster Dual fan HSF * 500w Thermaltake PSU * 320g western digital HDD


Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #13 (permalink)  
Old 15th July, 2008, 09:35 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

We're still waiting for someone to have that idea. Nature hasn't managed it, and I don't think humans will manage any better.
__________________
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #14 (permalink)  
Old 15th July, 2008, 04:10 PM
Member
 
Join Date: July 2008
Location: Austin, Texas
Posts: 28
Send a message via ICQ to brons2 Send a message via AIM to brons2 Send a message via MSN to brons2 Send a message via Yahoo to brons2

Quote:
Originally Posted by Áedán View Post
The problem is similar to the issues that globalisation brings up, and we're not coping with that issue all that well either! As far as InfoSec goes, protecting your browser against unknown code is very difficult. Using a parallel with the real world, even the human body can't defend itself against every biological threat (such as bacteria/virus) that's out in the world. What hope does a mere computer program have?
Zero hour threats/exploits are a big risk especially for large companies. We run two different IDS products here, one commercial and one open source. We also have the web pretty locked down for our users. DNS exploits are a concern of course. We do the best we can, and watch for strange code on the wire.
__________________
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Model predicts chance of software flaws Daniel ~ OS, Software, Firmware, and BIOS 15 10th March, 2008 06:15 PM
Unholy trinity of flaws put Google users at risk danrok Data Security 0 24th September, 2007 10:45 PM
Microsoft fixes 'critical' flaws danrok Data Security 7 13th April, 2007 01:03 PM
Zombie attacks through Windows, antivirus flaws danrok Data Security 1 1st December, 2006 10:59 AM
Security flaws with Firefox... Lazgoat OS, Software, Firmware, and BIOS 1 10th May, 2005 08:39 PM


All times are GMT +1. The time now is 10:24 AM.


Copyright ©2001 - 2010, AOA Forums
Don't Click Here Don't Click Here Either

Search Engine Friendly URLs by vBSEO 3.3.0