Discussion in 'other security issues & news' started by yabbseq, Jan 17, 2004.

Thread Status:
Not open for further replies.
  1. yabbseq

    yabbseq Guest

    hi, i was just wondering, if i log onto any forum [not this one of course :)], is it possible for that forum to infect me and remotely access my computer or snoop on me? i'm paranoid, so i want to know if the chances are totally zero. i have not downloaded any files from the forum at all, but is it possible that there is some embedded activex control or some malicious script? i'm running zonealarm at the moment, but i don't know if that will protect me against those types of attacks that are in webpages as i'm a newbie at this stuff. thanks :)
  2. bigc73542

    bigc73542 Retired Moderator

    Sep 21, 2003
    SW. Oklahoma
    have a look at the link it will explain how a webpage can infect your machine I don't know if a forum is going to do this but it wouldn't be that hard with the right tools.
  3. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    The amount of access any website has to your system (and online forums like this are really still just a type of website) depends entirely upon how you access it.

    It comes down to the browser used, it's security settings and trust level granted to that site in question, and of course the potential for exploits within that browser.

    Often when people like (and trust) a website or forum they put the site name into their trusted zone. I do that myself but I'm careful what sites I do trust. Now for this YaBB SE forum, adding the site to the IE trusted sites list is actually overkill. It is more access than is really needed.

    For example, just to reconfirm this for this post, I'm using IE6 here with this forum in the trusted sites list, however I've just changed all the security settings in that zone. ActiveX (all 5 items) are now disabled. Java VM is disabled. All the Misc sections settings (except "Submit nonencrypted form data") are disabled. Only "Active scripting" is enabled (just the first item in that section, not the next two - those are also disabled). With these tighter settings, and allowing first-party cookies from this forum software works normally.

    The potential for exploit with the settings I just described are probably those simply related to known IE active scripting exploits (but only the ones that actually work without also needing ActiveX enabled).

    Technically the best way to approach security is the "least privilege" concept. Grant only the absolute minimum access and trust levels required to make the site work, and no more than that! Back that up with effective filtering or proxy tools (that scan and strip out malicious items, popups and other such things) and you are as secure as you can hope to be.

    Obviously, browser choice and security tool selection is very important, but following it up with a lot of common sense and watching where you click is also really important.
  4. yabbseq

    yabbseq Guest

    wow that was a great response. however i AM a total newbie in this area and i would like to disable scripting. initially i had thought that since i have "signed activex controls" set to prompt, that would protect me, but i guess i was wrong. another problem is that i don't have java vm from microsoft. this is because i am on windows xp and this version doesn't carry it, so i have to stick with sun java sdk 1.4.2. now i went into the security settings for IE 6, and i am wondering, what is "meta refresh" and "allow data sources across domains" and "allow mixed content" etc? These are all options under security. to be completely honest i really would like to play it safe and disable a lot of stuff (and you're right, one forum in particular IS yabb se, hence, the nickname :) ). now my question is, if i have certain things set to "prompt" am i in any danger? i almost always click no when it comes to that. what do you think?
  5. snowbound

    snowbound Retired Moderator

    Feb 18, 2003
    The Big Smoke
    Hi yabbseq :)

    Here is a thread i think will help,;start=msg112494#msg112494

    In this thread i asked similiar questions. I actually use LowWaterMark's settings with little problems. I just get prompted for activex, then i have to decide whether to allow or not.

    Hope this helps :)

Thread Status:
Not open for further replies.