Common sense security

Safe-Hex (download from trusted sources, check before install with Virus Total) is common sense security. Common sense security can be easily extended with a few tweaks in your browser

Fact1: Number one internet based infection comes from third party advertising. Adding Adblockplus (which strips those ads) reduces the chance of being infected while browsing the internet.

Fact2: Second largest infection is through websites with poor security in place which makes it possible to use loopholes in the software on which the website is build (e.g. cross site scripting -> SQL, XML, HTML, Java) or just in plain javascript triggering downloads/exploit kits.

There are several javascript interception solutions, but a non-intrusive easy solution is also available within most browsers. For instance in chrome add a simple deny javacript and allow a few exceptions on country domain level (e.g. [*.]com and for me holland [*.]nl), reduces the attack surface substantionally for most people/countries.

As an example I took the malware domain list, copied all entries of the first page (total of 112) to Word and looked for .com and .nl . There were no .nl on the first page and only 26 .com entries listed, hence an attack surface reduction of over 75% .

Fact3: IE's smartscreen and Google safe search are pretty effective IP/reputation filters. You should allways enable these internal mechanismsand preferably combine them with a third party service of choice at DNS level, extension or AV-part. According to study of AV-test safe search let 0,0025% of malware through

So the actual chance of encountering malware when browsing the web with this commen sense security measures are 0,0025% x 25% = 0,000625%

To put it in perspective, this is lower than the chance of dying this year for an average person

Regards Kees

 

You made it too simple. I feel tempted to say though that some will refute and bring about complexity to the thread just for the fun of it. Waiting for the drama to unfold (hopefully)...

 

No I am very optimistics, it will become better in the near future see https://www.wilderssecurity.com/showpost.php?p=2218399&postcount=16

A setup with Norton DNS (large paying/corporate community), Chrome (largest user community on the web) with CAMP, ABP and Trafficlight extension of Bitdefender (also large community) and Avast file shield with auto sandbox (largest free AV community) would provide the security by the numbers (reputation protection) and make security even more simpler in future.

 

Simplicity is the way to go. A nice reading Kees! Thank you for taking the time.

 

First is a blatend lie, Dragon has NO PPAPI plug-ins

Second can be achieved with some common sense, registry tweaks to use stronger SSL within Chrome/Chromium
Just save the text between lines (in blue) depening on having Chrome or Chromium. Advertising against weak certificates by Comodo is a shame since they were part of the problem (Comodo-gate certificate blunder) see next post.


Chromium
When using Chromium in a non corporate environment (home user), copy text below to notepad and save as Chromium_SSL.reg, double click this registry file to add to your registry.
____________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium]
"DisableSSLRecordSplitting"=dword:00000001
"AuthSchemes"="digest, ntlm, negotiate"
"DisableAuthNegotiateCnameLookup"=dword:00000000
"AllowCrossOriginAuthPrompt"=dword:00000000
"EnableAuthNegotiatePort"=dword:00000000

____________________________________________________



Chrome
When using Chrome in a non corporate environment (home user), copy text below to notepad and save as Chrome_SSL.reg, double click this registry file to add to your registry.

____________________________________________________

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DisableSSLRecordSplitting"=dword:00000001
"AuthSchemes"="digest, ntlm, negotiate"
"DisableAuthNegotiateCnameLookup"=dword:00000000
"AllowCrossOriginAuthPrompt"=dword:00000000
"EnableAuthNegotiatePort"=dword:00000000

__________________________________________________



Regards

 

One common sense security of M00NBL00D (all credits to him )

This will also reduce man in the middle/HTTPS striping attack risks

Explanation http://www.chromium.org/sts

Note EMET 4 will bring certificate pinning to IE10

 

Have you played with hsts-hosts yet? I still haven't, but after digging a bit more, it seems one would need to use OpenSSL to retrieve the SPKI (SubjectPublicKeyInfo) and encode the sha1 to 64base.

There's still another info I'm still not sure how to get it. lol

 

Have enabled it by start switch, trusted your word for it

 

Sorry if I mislead you! When I meant one could use --hsts-hosts, it meant you had to do some work to have it working!

Twitter example (source: -http://scarybeastsecurity.blogspot.com/2011/04/fiddling-with-chromiums-new-certificate.html):

Code:

--proxy-server=localhost:1 --proxy-bypass-list=https://twitter.com,https://*.twitter.com,https://*.twimg.com [b]--hsts-hosts[/b]='{"df0sSkr4gOg4VK8d/NNTAWFtAN/MjCgPCJ5ml+ucdZE=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/TXoScD1SXPfhmRO8ACTPrkXD9Yk="]},"tGm+XsbBPK211uMWtg2k071vijQkuVLvd62QzfNFol8=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/06curQTaPH4PGumbNSeL79da23s="]},"wZU3atDOXaxKkaRgSdlWwB4UYjulRq46SGnIBij5I98=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/O6hykhOmHJ5HQUREC0DTDeu6+mE="]}}'

Those are 64base encoded. For instance, where it says "sha1/TXoScD1SXPfhmRO8ACTPrkXD9Yk=", the encoded part is the SHA-1 one needs to retrieve from the SPKI, which OpenSSL should assist us to get it (from what I read somewhere else). But, for example, I'm not sure what this is about "df0sSkr4gOg4VK8d/NNTAWFtAN/MjCgPCJ5ml+ucdZE=". It's also 64base encoded, but not sure what it is. At first I thought it could be some SHA-256 64base encoding, but I get no matches for anything.

I'm a bit lost for now.

 

It would be nice to have some better guide to achieve this for other services. Microsoft EMET certificate pinning seems to be simpler to achieve. Only if it would work with other web browsers...

 

Thank you. I've added Adblock to my Cyberfox right now. There I additionally unchecked "Allow some non-intrusive advertising".

Does NoScript go here? Or should I better uncheck "Enable JavaScript" in the browser? Though there's no exceptions for disabled JavaScript in the browser.

Thank you.

 

With Firefox based browsers, people use NoScript. I don't know, don't use, because FF does not have Low Integrity Level sandboxes (like Chrome and IE have)

 

I'm surprised Kees didn't mention to not run as an admin user also.

 

That's a good post, Windows_Security (kees)

I like this enforcement and use it in Chrome.

One other approach if I can mention is use an application firewall to restrict browsers to remote ports 80, 443 ( and maybe a few others like 1935, 554) and omit ports like 81-82 & 8080 for example. Lots of malware hosting sites are at these latter ports, so this remote port restriction reduces the attack vector some more.

The lack of low Il and the constant maintenance of NS is why I went back *again* to Chrome. Every time I thought I had NS' whitelist up to snuff, Id have to add more to it. My surfing is too random to be using NS without being too inconvenienced. There seems to be an endless number of scripts on the 'Net required for adequate webpage rendering.

 

I felt the same way but I then allowed top level domains by default and that has helped quite a bit. Also, is ABP for Chrome out of beta yet? Last time I checked (a while ago) ABP didn't work 100% in Chrome. IIRC, it had something to do with it only hiding stuff instead of actually removing it from the page.

 

It's been out of beta for a while.

 

in firefox i also add RequestPolicy and CSlite mod

https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/?src=api
https://addons.mozilla.org/en-US/firefox/addon/cslite-mod/?src=api

 

Good info. Thank you W_S guy.

I wish that WinPatrol or another app like that would incorporate options like these in their program -- making the explanations and ability to turn on and off easier for average guys.

 

Yep, I tried that approach but it still didn't ease the "pain" as much as I'd hoped it would ...also I use ABP extension along with policy enforcement settings in Chrome