Common sense security

Discussion in 'other anti-malware software' started by Windows_Security, Apr 20, 2013.

Thread Status:
Not open for further replies.
  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    Safe-Hex (download from trusted sources, check before install with VirusTotal) is common sense security. Common sense security can be easily extended with a few tweaks in your browser.

    Fact1: Number one internet based infection comes from third party advertising. Adding Adblockplus (which strips those ads) reduces the chance of being infected while browsing the internet.

    Fact2: Second largest infection is through websites with poor security in place, which makes it possible to use loopholes in the software on which the website is built (e.g. cross site scripting -> SQL, XML, HTML, Java) or just plain javascript triggering downloads/exploit kits.

    There are several javascript interception solutions, but a non-intrusive easy solution is also available within most browsers. For instance, in Chrome add a simple "deny javascript" rule and allow a few exceptions on country domain level (e.g. [*.]com and, for me in Holland, [*.]nl); this reduces the attack surface substantially for most people/countries.

    As an example I took the malware domain list, copied all entries of the first page (total of 112) to Word and looked for .com and .nl. There were no .nl on the first page and only 26 .com entries listed, hence an attack surface reduction of over 75%.

    Fact3: IE's SmartScreen and Google safe search are pretty effective IP/reputation filters. You should always enable these internal mechanisms and preferably combine them with a third party service of choice at DNS level, extension or AV-part. According to a study by AV-Test, safe search let 0,0025% of malware through.

    So the actual chance of encountering malware when browsing the web with these common sense security measures is 0,0025% x 25% = 0,000625%

    To put it in perspective, this is lower than the chance of dying this year for an average person :doubt:

    Regards Kees
     


    Last edited: Apr 23, 2013
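The attack-surface count described in the post, as an added example (my code, not Kees's method or his Malware Domain List data): it takes list entries in the usual host/port/path shape, extracts the bare host, treats a literal IP address as outside any `[*.]tld` pattern (Chrome's content-setting exceptions cannot match it), and reports what share of the list a TLD whitelist would still block. The sample entries are constructed from RFC 2606 reserved names and documentation IP space, not real malicious hosts.

```python
"""Count how many malware-list entries fall inside a JavaScript whitelist of
top-level domains (added example, not the thread author's code or data)."""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample entries in the shape a malware domain list uses
# (host, optional port, optional path). Reserved example names and
# documentation address space only; none of these are real malicious hosts.
SAMPLE_ENTRIES = [
    "badsite.example.ru/load.php",
    "198.51.100.23/exploit/index.php",
    "cdn-updates.example.com:8080/dl.exe",
    "free-codecs.example.info",
    "http://login.example.cn/verify",
    "media.example.biz/player.swf",
    "static.example.com/js/ad.js",
    "update.example.tk",
    "secure.example.cc/bank.html",
    "www.example.com/",
]


def host_of(entry: str) -> str:
    """Extract the bare host from an entry that may carry a scheme, port or
    path. urlsplit only treats the first token as a netloc after '//'."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry
    host = urlsplit(entry).hostname
    if not host:
        raise ValueError(f"no host in {entry!r}")
    return host


def tld_of(host: str) -> Optional[str]:
    """Last DNS label, lowercased; None for a literal IP address, which a
    '[*.]com'-style exception pattern can never match."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def chrome_patterns(allowed_tlds: Iterable[str]) -> list:
    """Chrome content-setting exception patterns for the allowed TLDs."""
    return [f"[*.]{t.lower()}" for t in sorted(allowed_tlds)]


def summarize(entries: Iterable[str], allowed_tlds: Iterable[str]) -> dict:
    """Split entries into those the whitelist would still let run script and
    those it blocks, and give the blocked share as a percentage."""
    allowed = {t.lower() for t in allowed_tlds}
    total = allowed_count = 0
    for entry in entries:
        total += 1
        if tld_of(host_of(entry)) in allowed:
            allowed_count += 1
    blocked = total - allowed_count
    return {
        "total": total,
        "allowed": allowed_count,
        "blocked": blocked,
        "reduction_pct": round(100.0 * blocked / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    wanted = {"com", "nl"}
    print("Chrome JavaScript exceptions:", ", ".join(chrome_patterns(wanted)))
    print(summarize(SAMPLE_ENTRIES, wanted))
```

On the constructed list the whitelist blocks 7 of 10 entries (70%); the three .com hosts still get script, which is the residual risk the post's own 26-of-112 figure describes, so the TLD rule is a reduction, not a filter, and still wants a reputation layer behind it.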
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    You made it too simple. I feel tempted to say though that some will refute and bring about complexity to the thread just for the fun of it. Waiting for the drama to unfold (hopefully)...
     
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    No, I am very optimistic; it will become better in the near future, see https://www.wilderssecurity.com/showpost.php?p=2218399&postcount=16

    A setup with Norton DNS (large paying/corporate community), Chrome (largest user community on the web) with CAMP, ABP and the Trafficlight extension of Bitdefender (also a large community) and Avast file shield with auto sandbox (largest free AV community) would provide security by the numbers (reputation protection) and make security even simpler in future.
     
    Last edited: Apr 20, 2013
  4. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    Simplicity is the way to go. A nice reading Kees! Thank you for taking the time.
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    First is a blatant lie, Dragon has NO PPAPI plug-ins :thumbd:

    Second can be achieved with some common sense, registry tweaks to use stronger SSL within Chrome/Chromium
    Just save the text between the lines (in blue) depending on having Chrome or Chromium. Advertising against weak certificates by Comodo is a shame since they were part of the problem (Comodo-gate certificate blunder) :oops: see next post.


    Chromium
    When using Chromium in a non corporate environment (home user), copy text below to notepad and save as Chromium_SSL.reg, double click this registry file to add to your registry.
    ____________________________________________________
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium]
    "DisableSSLRecordSplitting"=dword:00000001
    "AuthSchemes"="digest, ntlm, negotiate"
    "DisableAuthNegotiateCnameLookup"=dword:00000000
    "AllowCrossOriginAuthPrompt"=dword:00000000
    "EnableAuthNegotiatePort"=dword:00000000


    ____________________________________________________



    Chrome
    When using Chrome in a non corporate environment (home user), copy text below to notepad and save as Chrome_SSL.reg, double click this registry file to add to your registry.

    ____________________________________________________

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
    "DisableSSLRecordSplitting"=dword:00000001
    "AuthSchemes"="digest, ntlm, negotiate"
    "DisableAuthNegotiateCnameLookup"=dword:00000000
    "AllowCrossOriginAuthPrompt"=dword:00000000
    "EnableAuthNegotiatePort"=dword:00000000


    __________________________________________________



    Regards
     
    Last edited: Apr 21, 2013
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    One common sense security measure from M00NBL00D (all credits to him :thumb: )
    This will also reduce man in the middle/HTTPS stripping attack risks
    Explanation http://www.chromium.org/sts

    Note EMET 4 will bring certificate pinning to IE10
     
    Last edited: Apr 21, 2013
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Have you played with hsts-hosts yet? I still haven't, but after digging a bit more, it seems one would need to use OpenSSL to retrieve the SPKI (SubjectPublicKeyInfo) and encode the sha1 to base64.

    There's still another piece of info I'm not sure how to get. lol
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    Have enabled it by start switch, trusted your word for it :D
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sorry if I misled you! When I said one could use --hsts-hosts, it meant you had to do some work to have it working!

    Twitter example (source: -http://scarybeastsecurity.blogspot.com/2011/04/fiddling-with-chromiums-new-certificate.html):

    Code:
    --proxy-server=localhost:1 --proxy-bypass-list=https://twitter.com,https://*.twitter.com,https://*.twimg.com --hsts-hosts='{"df0sSkr4gOg4VK8d/NNTAWFtAN/MjCgPCJ5ml+ucdZE=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/TXoScD1SXPfhmRO8ACTPrkXD9Yk="]},"tGm+XsbBPK211uMWtg2k071vijQkuVLvd62QzfNFol8=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/06curQTaPH4PGumbNSeL79da23s="]},"wZU3atDOXaxKkaRgSdlWwB4UYjulRq46SGnIBij5I98=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/O6hykhOmHJ5HQUREC0DTDeu6+mE="]}}'
    
    Those are base64 encoded. For instance, where it says "sha1/TXoScD1SXPfhmRO8ACTPrkXD9Yk=", the encoded part is the SHA-1 one needs to retrieve from the SPKI, which OpenSSL should help us get (from what I read somewhere else). But, for example, I'm not sure what this is about: "df0sSkr4gOg4VK8d/NNTAWFtAN/MjCgPCJ5ml+ucdZE=". It's also base64 encoded, but not sure what it is. At first I thought it could be some SHA-256 base64 encoding, but I get no matches for anything. :argh:

    I'm a bit lost for now. :D
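The two kinds of opaque base64 strings in the switch above, as an added example (my code, not from the linked blog post, from Chromium or from the poster). As I understand the Chromium transport-security persister of that era, the JSON key is base64(SHA-256(hostname in DNS wire format, i.e. lowercase length-prefixed labels)), and each pin is "sha1/" + base64(SHA-1(DER-encoded SubjectPublicKeyInfo)). The script derives both and assembles a complete `--hsts-hosts` value; pulling the SPKI DER out of a certificate (e.g. with OpenSSL, as the post suggests) is outside it, so the SPKI bytes used at the bottom are a constructed placeholder. The `hashed_host()` output can be compared with the keys in the post to check the assumption.

```python
"""Derive Chromium --hsts-hosts keys and SPKI pins (added example; not the
thread's or Chromium's own code). Assumption: host key = base64(SHA-256(DNS
wire-format name)), pin = "<algo>/" + base64(digest of SPKI DER)."""
import base64
import hashlib
import json
from typing import Dict, Iterable


def canonicalize_host(hostname: str) -> bytes:
    """DNS wire format: each label lowercased and length-prefixed, terminated
    by a zero-length label. A trailing dot is tolerated."""
    out = bytearray()
    for label in hostname.lower().rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError(f"bad DNS label in {hostname!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def hashed_host(hostname: str) -> str:
    """base64(SHA-256(canonical name)): the 44-character key of one entry."""
    digest = hashlib.sha256(canonicalize_host(hostname)).digest()
    return base64.b64encode(digest).decode("ascii")


def spki_pin(spki_der: bytes, algo: str = "sha1") -> str:
    """Pin in Chromium's '<algo>/<base64 digest>' form over the SPKI DER.
    Chromium of 2013 accepted sha1 pins; current browsers only use sha256."""
    digest = hashlib.new(algo, spki_der).digest()
    return f"{algo}/{base64.b64encode(digest).decode('ascii')}"


def pin_matches(spki_der: bytes, pins: Iterable[str]) -> bool:
    """What the browser checks: does any SPKI in the chain hash to a pin?
    The algorithm is taken from each pin's own prefix."""
    return any(spki_pin(spki_der, pin.split("/", 1)[0]) == pin for pin in pins)


def hsts_hosts_entry(hostname: str, pins: Iterable[str],
                     expiry: float = 2000000000.0,
                     include_subdomains: bool = True) -> Dict[str, dict]:
    """One entry in the shape the --hsts-hosts JSON uses (mode 'strict'
    forces HTTPS, which is what stops SSL-stripping on the first visit)."""
    return {
        hashed_host(hostname): {
            "expiry": expiry,
            "include_subdomains": include_subdomains,
            "mode": "strict",
            "public_key_hashes": list(pins),
        }
    }


def build_hsts_hosts_arg(pinned: Dict[str, Iterable[str]]) -> str:
    """Assemble the full switch from {hostname: [pins]}."""
    entries: Dict[str, dict] = {}
    for host, pins in pinned.items():
        entries.update(hsts_hosts_entry(host, pins))
    return "--hsts-hosts='" + json.dumps(entries, separators=(",", ":")) + "'"


if __name__ == "__main__":
    # Constructed placeholder, NOT a real SubjectPublicKeyInfo; in practice
    # take the DER SPKI from the site's certificate (OpenSSL can print it).
    PLACEHOLDER_SPKI = bytes(range(32))
    pins = [spki_pin(PLACEHOLDER_SPKI)]
    print(build_hsts_hosts_arg({"twitter.com": pins, "twimg.com": pins}))
    print("pin check:", pin_matches(PLACEHOLDER_SPKI, pins))
```

Pinning the intermediate or root SPKI rather than the leaf (as the blog post's set of three entries does) survives certificate renewal, since the leaf key changes but the issuing key usually does not; pinning only the leaf means the switch has to be rebuilt every time the site rotates its certificate.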
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It would be nice to have some better guide to achieve this for other services. Microsoft EMET certificate pinning seems to be simpler to achieve. Only if it would work with other web browsers... :ouch:
     
  11. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    Thank you. I've added Adblock to my Cyberfox right now. There I additionally unchecked "Allow some non-intrusive advertising".
    Does NoScript go here? Or should I better uncheck "Enable JavaScript" in the browser? Though there are no exceptions for disabled JavaScript in the browser.

    Thank you.
     
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    With Firefox based browsers, people use NoScript. I don't know; I don't use it, because FF does not have Low Integrity Level sandboxes (like Chrome and IE have)
     
  13. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I'm surprised Kees didn't mention to not run as an admin user also. :)
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    That's a good post, Windows_Security (kees) :)

    I like this enforcement and use it in Chrome.

    One other approach, if I may mention it, is to use an application firewall to restrict browsers to remote ports 80, 443 (and maybe a few others like 1935, 554) and omit ports like 81-82 & 8080 for example. Lots of malware hosting sites are at these latter ports, so this remote port restriction reduces the attack vector some more.

    The lack of low IL and the constant maintenance of NS is why I went back *again* to Chrome. Every time I thought I had NS' whitelist up to snuff, I'd have to add more to it. My surfing is too random to be using NS without being too inconvenienced. There seems to be an endless number of scripts on the 'Net required for adequate webpage rendering.
     
    Last edited: Jun 14, 2013
  15. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    516
    Location:
    United States
    I felt the same way but I then allowed top level domains by default and that has helped quite a bit. Also, is ABP for Chrome out of beta yet? Last time I checked (a while ago) ABP didn't work 100% in Chrome. IIRC, it had something to do with it only hiding stuff instead of actually removing it from the page.
     
  16. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    It's been out of beta for a while.
     
    Last edited: Jun 14, 2013
  17. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    253
    Location:
    router
  18. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Good info. Thank you W_S guy.

    I wish that WinPatrol or another app like that would incorporate options like these in their program -- making the explanations and ability to turn on and off easier for average guys.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Yep, I tried that approach but it still didn't ease the "pain" as much as I'd hoped it would :( ...also I use ABP extension along with policy enforcement settings in Chrome :)
     