no such thing as safe surfing

Discussion in 'other security issues & news' started by larryb52, Dec 5, 2008.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Firefox is not so different anymore. It has a large market share, large in the USA, larger in Europe.

    Even if you don't 'use' IE (7), it will be present on your (Microsoft) system, are you sure malware can't use it? I have software that monitors (attempted) changes to IE 7, do people who use Firefox have something similar?
     
  2. Beto

    Beto Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    47
    I thought that using the regular LAYERED protection along with sandboxie and returnil, surfing the web was absolutely safe for the vast majority of us -- let me put it 99.99999999999999999999%.

    For me personally it has been 100%, and I'm sure it is the same for thousands of others as well.

    Has there been even one instance of infection with the correct use of a combination of sandboxie and returnil in combination? I have yet to hear of or come across any such infection.

    So I think that many will say that it is safe to surf the web if you are wearing the antimalware equivalent to "Dragon Skin".
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's a basic truth. The internet is not a safe place. Neither is the average road but that doesn't mean that you can't enjoy driving on it.

    If you leave out specific attack vectors like javascript, flash, etc and move this discussion down to a more basic level, trust is what kills you. IMO, the entire concept of a "trusted zone" needs to be scrapped. The structure of the internet itself isn't secure. DNS has been proven vulnerable. We also have DNS trojans that can direct you to places you didn't want to go. It's also been demonstrated that our internet hardware can be attacked and settings changed. When you can't be completely certain that the site the DNS system directs you to will be the same site you wanted to visit, how can you completely trust it? When almost any site can be compromised and little scripts added that can steer you to a malicious server, how can you call a site "trusted"? The sites aren't secure either.

    If you want to be safe on the internet, stop trusting it. Treat it all as a restricted zone. Allow scripts, Java, flash, etc on an "as needed for this session only" basis, with "as needed" referring to what you want to see or use, not what the site wants to send you.

    If you want to be safe on the internet, there's another basic truth that you have to accept.
    All software is vulnerable.
    There is no lock that can't be opened, no security system that can't be defeated, no fortress that is impenetrable, and no application or operating system that can't be compromised. Any application that opens unknown content will eventually be compromised. It may not happen on your system but it will happen to someone. If you want to be safe, treat those applications as vulnerable. How do you do that? You isolate them as much as possible from the operating system and from other applications. This is the exact opposite of the normal behavior of Windows software, where everything is integrated together for the sake of convenience. A vulnerability in an individual application isn't worth much if it doesn't give the attacker access to something more, like the operating system itself. With Internet Explorer, the browser IS the operating system, which means a browser exploit is an operating system exploit. When the browser opens other content using plug-ins, BHOs, etc, their vulnerabilities become browser vulnerabilities. In a fully integrated system, a flash or PDF reader vulnerability becomes an OS vulnerability because the OS allows it. Isolating these vulnerable apps, aka attack surfaces, from each other and from the OS itself will prevent many of the attacks on individual applications from compromising the whole system. There are many ways to do this: sandboxing, virtual operating systems, system configuration backed up by HIPS, etc. How you do it isn't that important, as long as you do it.

    You can enjoy the internet. Just recognize it for what it is. Stop trusting it. Accept that your user apps are vulnerable and set up your system with that fact in mind.
     
  4. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Precisely.
    If you look at it from a little bit different perspective - let's say, for example, that you have _safe_ source code (to be more precise: safe under some specified circumstances, at the time of evaluating possible attack vectors). You put this code into a compiler, which itself contains a linker and a debugger etc. In the end you get low-level machine code - how secure would it be if one of the elements in the development chain were compromised? Even if you still have that 100% secure executable (which is highly unlikely) - security is a process, not a state and, as you said about the Internet: "stop trusting it".

    Regards
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    In short, the "trust" should be placed in yourself, not in the internet or any of the apps you run, or anything else.... ;)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    safe (adj)
    Secure from threat of danger, harm or loss
    (Webster's Seventh Collegiate Dictionary)
    ______________________________________________________


    I would like to address the threat of malware on the internet.

    Anyone who is confident that she/he is "Secure from threat of danger, harm or loss" can challenge the assertion that there is no such thing as safe surfing.

    In my opinion, there is too much worrying about getting malware from the internet. The situation is not helped by the media with sensational headlines such as:

    Weather report: Rain predicted all week. Some conclude: it is not safe to go outside because you will get wet.
    But what if you take an umbrella?

    So, in surfing the internet, how do you "Secure from threat of danger, harm or loss?" Kerodo mentions trusting yourself.

    For me, trusting yourself begins with understanding the two ways malware can get on to your computer,
    1. Sneaking in through some vulnerability in an application (remote code execution)
    2. Tricking the user to install something (Flash update, codec, etc)

    This understanding leads to

    • developing security policies for your particular situation
    • adding necessary security solutions accordingly

    I think too much emphasis is placed on the first attack method -- the remote code execution, or drive-by download. Sure, they are the most sensational and (unnecessarily) feared exploits, but also the easiest to protect against. Running as non-Administrator, or employing Software Restriction Policies (SRP), closes that attack hole effectively, and makes one secure from that type of threat or danger. The current IE7 vulnerability, exploited in the wild and yet unpatched, for example: payloads analyzed show nasty trojans. SRP will block that payload. You don't even need an additional security product.

    Trusting in yourself is not to say that you ignore the situation, but that you have thought it through and are confident that you are secure (safe) because of the security strategy you have in place.

    Analysts are starting to report that the second attack method, tricking the user (social engineering), is more of a threat, as discussed here:

    Vulnerabilities play only a minor role in malware spread, says researcher
    http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122901&intsrc=hm_list
    Two examples:

    Update Flash Player

    Been updatin' your Flash player lately?
    http://isc.sans.org/diary.html?storyid=5437
    WinAntiVirus

    Report: Fake antivirus programs claim 30 million victims
    http://arstechnica.com/news.ars/pos...ivirus-programs-claim-30-million-victims.html
    How can one be safe (secure) from these threats? I hope the answer is obvious.

    One can be sympathetic towards those unfortunate victims of any of the above, and certainly we can help to educate when the opportunity presents itself. In such situations, I always start from the premise that it is simply not necessary to accept the notion that there is no such thing as safe (secure) surfing. To do so would be starting from a premise which, when accepted in thought as inevitable, is likely to lead to unfortunate conclusions, and an unnecessarily defeatist and fearful state of mind.

    Security is based on one's point of view. Everyone has their own.

    And so, larryb52, while I understand your point of view, your premise should be stated differently, in my opinion. And I would be very interested in the step-by-step details of your experience on the Baseball website. Did your AV alert that a trojan was attempting to download while using Opera (I'm very suspicious of that notion), or did your AV flag the ad itself as containing malicious code? Two completely different situations. Your description, "Kaspersky catching a trojan that was part of the ad" is not clear to me. You would need to post the code so that it could be analyzed.

    Regarding ads: in all of my years of using the internet, I've not used an adblocker (except a flash blocker with Opera, and that is not for fear of malware, just annoying, animated ads) and I've never encountered an ad attempting to download a trojan. If it did, it would be immediately blocked from downloading.

    ----
    rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Dec 15, 2008
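The SRP setup Rmus refers to above, written out as an added example (this is not Rmus's configuration or anything posted in the thread): a PowerShell script that creates a default-deny Software Restriction Policy by writing the registry keys SRP reads on a stand-alone Windows machine, allows only the Windows and Program Files directories (the two locations a standard user cannot write to), exempts local administrators, and then offers a probe that copies a harmless system binary into the user's temp directory and checks that launching it is refused. The key names, level constants and value types are the ones SRP uses; the rule GUIDs, the probe file name and the extension list beyond the Windows default are choices made for this example.

```powershell
# Added example, not from the original post. Run the policy part as an
# administrator on a machine not managed by a domain GPO (a GPO would
# overwrite these keys). Assumption: stand-alone Windows XP/Vista/7 box.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SAFER_LEVELID_DISALLOWED
$Unrestricted = 0x40000   # SAFER_LEVELID_FULLYTRUSTED

function Set-SaferDefaultDeny {
    New-Item -Path $Safer -Force | Out-Null
    # Everything is Disallowed unless an Unrestricted rule matches it.
    Set-ItemProperty -Path $Safer -Name 'DefaultLevel'       -Value $Disallowed -Type DWord
    # 1 = check executables only; 2 also checks DLLs (slower, more thorough).
    Set-ItemProperty -Path $Safer -Name 'TransparentEnabled' -Value 1 -Type DWord
    # 1 = exempt local administrators; 0 = apply to everyone.
    Set-ItemProperty -Path $Safer -Name 'PolicyScope'        -Value 1 -Type DWord
    # Windows' default executable-type list plus common script types (our choice).
    Set-ItemProperty -Path $Safer -Name 'ExecutableTypes' -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
        'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
        'SCR','SHS','URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
    )
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,   # literal path or %REGISTRY\value% expression
        [Parameter(Mandatory)][int]$Level,     # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule lives under <level>\Paths\{GUID}; the GUID is just a unique name.
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = Join-Path $Safer "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0     -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $key
}

function Test-SaferBlock {
    # A drive-by payload lands somewhere the user can write, typically %TEMP%.
    # Copy a known-good binary there and try to run it from a standard-user session.
    $probe = Join-Path $env:TEMP 'srp-probe.exe'     # assumed name for this example
    Copy-Item "$env:SystemRoot\System32\calc.exe" $probe -Force
    try {
        Start-Process -FilePath $probe -ErrorAction Stop
        Write-Warning 'probe launched: SRP is not in effect for this account'
        return $false
    } catch {
        Write-Host "probe blocked as expected: $($_.Exception.Message)"
        return $true
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

# --- apply the policy (as administrator) ---
Set-SaferDefaultDeny
Add-SaferPathRule -Level $Unrestricted -Description 'Windows directory' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
Add-SaferPathRule -Level $Unrestricted -Description 'Program Files' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
if (${env:ProgramFiles(x86)}) {
    Add-SaferPathRule -Level $Unrestricted -Description 'Program Files (x86)' `
        -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
}

# --- then, from a standard (non-admin) user session: ---
# Test-SaferBlock    # expected: launch refused with "blocked by group policy"
```

Because PolicyScope is 1, the probe will run normally if you try it from the administrator session that wrote the policy; log on as the standard user you actually browse with before calling Test-SaferBlock, which is also the account Rmus's "non-Administrator" advice has in mind. The rules take effect for newly started processes, so a logoff is the clean way to confirm. SRP blocks the payload from executing, not the exploit that drops it, and path rules only cover the file types in ExecutableTypes; set TransparentEnabled to 2 if you also want library loads checked.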