Further thoughts on a minimal preventative setup (with novices in mind)

Discussion in 'other security issues & news' started by Gullible Jones, May 10, 2010.

Thread Status:
Not open for further replies.
  1. Part of the problem with security in today's world is that it's beginning to require a level of knowledge that most users not only don't have, but don't have the time to develop. A HIPS for instance requires proper setup to be anywhere near convenient, and unless it's a simple anti-executable requires significant knowledge of Windows. A sandbox is easier to understand but inconvenient for frequent usage. A limited account prevents a lot of software from working (at least on XP) and adds further inconvenience. Even UAC spams you with popups, and SRP/AppLocker/Trust-No-Exe/whatever whitelisting is totally out of the question for most people.

    So I'm trying to think up a usable security setup FOR NOVICES that doesn't weigh a system down.

    Now, as far as malware vectors are concerned, two major ones can be eliminated very easily.

    - Use Panda USB vaccine or what have you to disable autorun (the @SYS:DoesNotExist tweak)
    - Turn Windows Firewall up to maximum or install a good third-party one

    Which leaves several attack vectors... But the biggest and most obvious - and, I daresay, the only one that's really unavoidable - is the browser. For pretty much everything else, I *think* (and correct me if I'm wrong!) the firewall, or scanning files with on-demand antimalware programs, should deal with it. But with browsers, you have drive-by downloads that can install stuff without your permission.

    So how about focusing on the browser?

    You could use NoScript, and only enable scripting for trusted websites. Now I personally don't like NoScript, because it "breaks the internets", but I'm starting to see its value.

    Only problem is, if a trusted site gets hacked, NoScript won't protect you. (As far as I know anyway.) So maybe use AVG Linkscanner or somesuch? What other app is there that scans links for bad javascript and whatnot? McAfee SiteAdvisor maybe? Or is that different?
     
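As an added example, not from the thread: a PowerShell script that checks whether the @SYS:DoesNotExist autorun tweak from the list above is in place, together with the standard NoDriveTypeAutoRun Explorer policy, and applies both when run from an elevated prompt. The registry paths are the standard Windows ones; the function names are my own.

```powershell
# Added example (not from the thread): audit and apply the Autorun.inf
# IniFileMapping tweak ("@SYS:DoesNotExist") plus the NoDriveTypeAutoRun policy,
# so whoever sets up a novice's machine can verify autorun really is disabled.
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # NoDriveTypeAutoRun bit mask: every drive type disabled

function Test-AutorunDisabled {
    $iniOk = $false
    if (Test-Path $IniMapKey) {
        # The tweak lives in the key's (default) value: autorun.inf lookups are
        # redirected to a non-existent section, so Windows ignores every autorun.inf.
        $iniOk = (Get-Item $IniMapKey).GetValue('') -eq '@SYS:DoesNotExist'
    }
    $policyOk = $false
    if (Test-Path $PolicyKey) {
        $val = (Get-ItemProperty -Path $PolicyKey).NoDriveTypeAutoRun
        $policyOk = ($null -ne $val) -and (($val -band $AllDrives) -eq $AllDrives)
    }
    [pscustomobject]@{ IniFileMappingTweak = $iniOk; NoDriveTypeAutoRun = $policyOk }
}

function Enable-AutorunProtection {
    # Requires administrator rights (HKLM is machine-wide).
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
}

$state = Test-AutorunDisabled
$state | Format-List
if (-not ($state.IniFileMappingTweak -and $state.NoDriveTypeAutoRun)) {
    Write-Host 'Autorun is not fully disabled; run Enable-AutorunProtection elevated.'
}
```

Explorer reads the policy value at logon, so a reboot or re-logon is needed before the change takes effect for the current session.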
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    What "breaks the internets" are the people who create and distribute malicious scripts, links etc. Having to block scripting is in response to those, and having it blocked, in any browser, except for trusted sites, greatly reduces the chance of malware getting to test other defences :)
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I personally think that teaching neophytes to house their critical data on an external drive, and actually back it up, is the first goal. This takes care of the most crucial concern I think.

    After this comes the online banking and other features which can get identity theft, cc numbers, passwords, etc. A virtual machine or something like sandboxie which always deletes contents etc would be an easy solution, as would a livecd of some kind.

    And finally, after those two primary concerns are abated, some form of imaging or rollback. Personally I believe the future of the average person's security will reside in this arena.

    The idea of teaching someone how to do so many other useful things is lost on those who just don't have interest. It is what it is. Save their data, keep clean with online transactions, easily restore the OS to a working order.

    Now for the rest of us here, we thankfully have many, many choices and styles to choose from.

    Sul.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree that security applications like HIPS are not the ideal security scenario for such users. An application that offers sandboxing features, like Sandboxie, is of no hard use. I understand that they, probably, wouldn't know where to start - how to create sandboxes. They sure wouldn't know how to tighten up Sandboxie even more. But, if someone shows them how to do it, and how to use it, then it's a no-brainer. I truly believe it.

    I don't know about XP, but something like SuRun would be helpful, perhaps? Of course, such users would need to understand a bit how it works. I once checked it in a VM and it didn't seem that hard to work with. Again, it's not a job to be done by someone who uses the computer for creating documents, searching the web and not much more than that. They would need guidance.

    A limited user account (LUA) offers no resistance to users who do not mess with the system. I'm sure XP might be an exception, but with Windows Vista and 7 things got a lot easier.

    I still haven't tried to apply AppLocker to this computer, which isn't mine. It was borrowed by a family member until I get mine, which may take a few weeks still. But, I will check it out.
    I do remember that with SRP there was one big problem for users connecting to the Internet with USB devices. And that problem is the fact that Windows from time to time will forget which letter it assigned to xyz USB device. So, it is necessary to reassign the old letter back and keep track of which letter has been assigned in the first place, otherwise it will be necessary to change SRP.

    I hope AppLocker won't be a problem regarding that situation.

    Both AppLocker and SRP are not for newbies, and that is precisely why Microsoft doesn't give it to the lower versions of XP, Vista and 7. It is directed to enterprises, where Administrators must know what they're doing.
    So, if AppLocker and SRP are going to be applied, such a task must be done by someone who knows what they are doing: check whether or not things run smoothly, and explain how it works in daily use of the system.

    Panda USB Vaccine is a great tool, which will eliminate one infection vector.

    If I were you, I'd leave Windows firewall. If such users do not get the hang of UAC alerts, they surely won't get the hang of outbound connection alerts.

    LUA + UAC + MSE + DEP + SRP/AppLocker + common sense will do that job.

    I do not use Firefox. I use Chromium with 3 different profiles under Sandboxie. The most restrictive profile is used for searches I make where I do not know where I'll end up; it includes blocking javascript.

    Since this isn't my computer, I have installed AVG LinkScanner alongside Spyware Blaster and Spybot - Search and Destroy to immunize IE. IE is also running in Protected Mode due to UAC.

    When I get my computer, before handing back this one, I'll record a few videos explaining how to use what I have installed and how it works, how it protects them and why they should keep it.

    This computer had very poor security. They were running in an Administrator account, no UAC, etc. I believe it was due to the fact this computer was bought from some other folk.

    Thing is, without learning, no one will achieve anything. Some don't have the time to do it on their own. Others do, so why won't those help those who can't?

    Sure, not everyone has someone who understands how things work. That's life, I'm afraid. But, it could be solved with lectures at school, from an early age.
     
    Last edited: May 10, 2010
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From NoScript FAQ:
     
  6. Yeah, but I have seen cases where the malicious content was inserted into the hacked web page itself, in which case Noscript won't be enough.
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Easy. Don't use Windows. Problem solved.
     
  8. Sometimes an option, but not always unfortunately. That being said I've found Ubuntu LTS or other *STABLE* Linux distros to be a satisfactory solution in some cases, when the hardware supports them, e.g. my mom uses a slightly obsolete laptop with Ubuntu 8.04.
     
  9. /resurrects thread

    Well I've been messing around with Noscript, and I actually like it a lot. It seems like it could (at least in theory) prevent most driveby downloads, and the majority of websites I visit are not seriously impacted by lack of Javascript.

    It seems like it would be a pretty good browser defense even for novices. Only problem is that a few sites require extensive Flash and JS, and some people like to frequently visit those sites.

    Also Noscript seems to rely (at least somewhat) on the idea that certain domains, e.g. Google and the Mozilla homepage, are unlikely to get hacked. Granted that it may be true, it seems to me that relying on such things isn't such a great idea.

    In short Noscript is smart and very useful, but not nearly infallible. But I'm thinking maybe a combination of Noscript and an AV with an HTTP scanner could be quite good enough.

    (I'd say Noscript + Dropmyrights, but Dropmyrights AFAIK doesn't work properly in a default Windows XP install due to Windows permissions retardedness.)
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Note this, pointed out in another thread by MrBrian:

    http://noscript.net/faq#qa1_11
    The same with Opera's built-in Site Preferences.

    If Google is whitelisted on your computer and becomes compromised with a poisoned search entry that redirects you to the malware site, that malware site will not be whitelisted, hence, the script code will not run.

    This is best illustrated by the thousands of poisoned search entries that redirect to a rogue security product site and a fake malware scan. That scan depends on javascript to load, hence, the exploit fails with NoScript in Firefox, or configured-per-site in Opera.

    Nonetheless, to have other protection in place, as you suggest, is certainly wise!

    ----
    rich
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Doesn't Opera, when a given site is whitelisted, allow all of the domains on that site (unlike NoScript)?
     
  12. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    you said minimal
    answer: Returnil 2008 [save anything to external] and Sandboxie, that's all you need, and you don't really need Sandboxie
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not sure -- maybe you can answer that from these examples.

    I have the option to WhiteList specific pages on a site, but nothing about Domains. Here is the Forum Homepage for Digital Photography Review:

    [screenshot: dpr_js1.gif]

    And one of the Forums, where I have to enable Javascript, or images and other stuff won't load:

    [screenshot: dpr_js2.gif]

    Cookies presents a dialog box with various options, including Domains:

    [screenshot: dslr-cookie.gif]
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    When I go to the site in your example, NoScript lists two domains - dpreview.com and img-dpreview.com, each of which can be allowed separately.
     
  15. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Let's all stick to the point.
    I am using XP and would suggest something like this:
    -updates, updates, updates
    -make a guest account or limited user account, or at least use DropMyRights
    -Firefox with private browsing and NoScript (restrict all embeddings, also for whitelisted sites; when you want to run an embedded object just make it temporarily available and then click on the placeholder - just place NoScript in the navigation toolbar)
    -Neo SafeKeys
    -enable built-in firewall
    -backup registry and services/startup and drivers and MBR (this would be done only once, I suppose)

    optional:
    -Spybot S&D, ClamWin portable or MS Security Essentials
    -SnoopFree Privacy Shield
    -I recommend using portable apps since if something goes wrong, they can be easily replaced
     
    Last edited: Jun 4, 2010