Would Geswall or Haute Secure be good protection for XSS or password theft?

Discussion in 'other anti-malware software' started by spamyou, Oct 16, 2007.

Thread Status:
Not open for further replies.
  1. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    I understand if I use sandboxie for surfing, close it, erasing sandbox, then use new browser to go to financial sites, my risk is low. I use sandboxie, wife wont.

    Anyone know if Geswall or Haute Secure would be fairly reliable protection for XSS scripting or malware that targets password/personal info theft? I guess here you are dependent on the particular method of stealing to be detected, as it violates some prewritten policy?

    XSS scripting as I understand, can be via HTML or script injection into legitimate page. Should a policy sandbox reliably intercept this? (note I would have geswall set to high so auto blocks, no chance of wife allowing by accident)

    Or said another way, can anyone think of a way that the behavoir policy would be bypassed easily for theft of password etc?
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    I've been using GeSWall for a short period of time so i'm limited on my knowledge on it , but the way I understand it , it should prevent this.
    Maybe someone with more experance with it can educate both of us on this.
    That's just what i'm gathering from thier web site.
    http://www.gentlesecurity.com/features.html#preventing
    I started using GeSWall and PRSC in hopes of stoping things like this. (password stealers/keyloggers)
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If it's in the same session, i think it's the same problem (everything is just in the same sandbox). If it's another session (clean start), or perhaps another browser (maybe used just for this purpose), i think XSS would be dead provided the website you visit is not compromised, no bugs (we all expect the bank to be safe, so i guess that answers it).
    You would have to clearly separate banking/normal sessions, and when banking, do nothing else. A different browser could be simpler to handle.
    SandboxIE could flush things from normal browsing, GeSWall i don't know how to approach it (again, different browser seems to make it simple and straightforward). That brings the question of whether the flushing is needed, or just close all tabs and visit the bank from the bookmark. This is important to know.

    There's bound to be a flaw(s) in my reasoning, i can only hope that someone points it out. Please do.
     
  4. Dogbiscuit

    Dogbiscuit Guest

    Others on Wilders have pointed out that, currently, only Noscript and LinkScannerPro can provide some protection against XSS attacks, other than completely disabling Javascript.
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello spamyou,

    Thanks Dogbiscuit for posting that link. You beat me to it.

    The following links will shed some light on XSS and LinkScanner Pro.

    https://www.wilderssecurity.com/showpost.php?p=1054528&postcount=28
    https://www.wilderssecurity.com/showpost.php?p=1062349&postcount=2

    FYI, Ilya has informed me that DefenseWall(policy restriction sandbox) will not protect against XSS, but it will protect against the interception/theft of personal information(user name, password, credit card #'s, acct. #'s, ss #'s, etc...) when using "Go Banking/Shopping" mode while banking or performing online transactions. Until proven otherwise, GesWall which is similar to DW, should also offer no protection against XSS.

    As far as Haute Secure is concerned, since it is similar to LinkScanner Pro, but with a soft sandbox and HIPS functionality, it too should offer protection against XSS.

    Hope this helps.


    Peace & Love,

    CogitoErgoSum
     
  6. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Crap. I need noscript for IE7. guess I will look at linkscanner.
     
  7. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Thanks, I am trying out haute secure now on my computer, so maybe there is some hope for that one defending against xss. It does not hinder performance, so wife would be ok with that one.

    Also thanks for links.

    Wish there was a site that collected/copied real malware exploits (only change payload so its harmless) so could test these things.
     
  8. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Ok, so If wife (and probably me too) surfs with IE7 with dropmyrights, and some policy based sandbox to try to just prevent malware installations.

    But all financial transactions, close IE7, clean cache, and use firefox with noscript, script only enabled on some banking sites that require it, I should be relatively safe from everything but XSS with HTML, (like the exploit at Paypal). And if add linkscanner should help prevent against HTML XSS. Is that correct?

    Assuming linkscanner wont conflict with nod32 or ZAP.
     
  9. Stephen2_Aus

    Stephen2_Aus Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    37
    Your wife would prefer to have her money/identity potentially stolen, than use some software that slows down the loading of a browser by 10%?

    I know what I'd do to that wife...
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    As I understand XSS is a problem of the web, not ur system. Any sandbox like GW, DW or SandBoxie will not protect against XSS in anyway. These sandboxes isolate browser from the rest of system while XSS plays at browser/ web level( without touching ur real system) so obviously it can,t be stopped. AFAIK only protection againt XSS is turning off JS globally on all sites or NoScript( not sure how effective NoScript is). Turning off JS globally while allowing JS on certain sites in other browsers like Opera and IE is not equivalent to NoScript( with reagrd to protection against XSS- NS offers more protection).

    GW and DW stop keyloggers while sandboxie doesn,t. DW stops screenreading ( according to Ilya, I have not tested it myself) and GW probably doesn,t but I am not sure about screen reading protection. I need to test it some day but not sure how to do it.
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It's the only tool, and in light of a recent/not so recent discussion, very effective. Has features specifically designed with XSS in mind, and updated frequently.
     
  12. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello spamyou,

    In short, for protection against XSS with IE7, you should consider using either Haute Secure(HS) or LinkScanner Pro(LSP). For FF, No-Script is a simple and effective protection against XSS. For the Opera user, LSP is the only game in town against XSS.


    Peace & Love,

    CogitoErgoSum
     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    So then LinkScanner Pro protects aginst XXS
    and GeSWall or Defense Wall protects aginst keyloggers/password stealers.
    Am I understanding this correctly ?
     
  14. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello LoneWolf,

    Yes on both counts.


    Peace & Love,

    CogitoErgoSum
     
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    Although, yet to be released to the general public, I am currently using one of the latest DefenseWall driver builds. I have personally tested it against AKLT and it passes all five tests successfully. The first three keylogger tests are detected and can be "terminated" on the spot and the two screen capture tests are not able to capture anything of consequence. In contrast, tests against AKLT, the current version of DW(v2.05) is able to detect all three keylogging attempts, but is "unable" to terminate them on the spot. On the other hand, it is still successful in passing both screen capture tests.


    Peace & Love,

    CogitoErgoSum
     
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    As far as XSS- does KIS 7 protect against it? Also, what about IE7 in protected mode on Vista?
     
  17. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Good to hear about the latest driver builds.
    Any idea on when it will be available?
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    You bet! In the end of October- early November.
     
  19. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Thanks Ilya
     
  20. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Outpost should offer some protection if the the active content plugin is used - this can filter ActiveX, J script and Java by site
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Great :thumb:
    Thank You :D
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That,s good.
    Very few HIPS protect against screen reading.
    BTW I wonder is there practical benefit of this feature? Any malware/ websites using it? etc
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  24. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Would firefox with noscript even stop these, I got these two videos off linksys pro site, which I am considering.

    Watch these two videos. Especially the bbb search one.

    http://www.youtube.com/watch?v=aWV8d2rWf8E

    http://www.youtube.com/watch?v=iD0wdzQb8XY

    Now go to the real bbb site (but imagine you clicked on fake one). The real site you cannot access until you whitelist it with noscript. Now if you whitelist that fake link because you had to for access and you though it was real, like you did real bbb, would you not be hosed?

    I just dont think my wife would be able to make that distinction.

    (by the way, I appreciate all the informative replies and help so far. I have been anal since last month the credit card my wife only uses on line got in wrong hands, around same time when she made a few evening purchases. They only tried one 3K charge which was declined as they did not have the 3 digit code, though they emailed my wife posing as a company she had just done business with, and asked for it. Luckily my wife knew not to respond. Since changed cards, email addresses and contacted company. Couldnt find any malware with multiple engines, techniques, reformatted anyway. Trying to make surfing secure, yet still enjoyable for wife.)
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    There is no need to do it- DW has no "shutdown computer" protection as I see no reasons in it. For example, by some reasons, Explorer is turned by user to untrusted. Right after that, he will loose the ability to shutdown its computer properly.
     
Loading...
Thread Status:
Not open for further replies.