Forums » The Site » Old Forums » Kerio - Tiny Support » [Kerio 2.x] Kerio 2.15 w good rules fails 50% of tests at...

Lilla1

join:2002-04-22
Fall City, WA

reply to BlitzenZeus
Re: [Kerio 2.x] Locking down IE6, and using Firefo

said by BlitzenZeus See Profile:
Lilla, if you have not seen it yet, The Department of Homeland Security has joined CERT in saying that people should not use IE for security risks.
»Dept of Homeland Security: "Don't use IE"

I've seen it, and worse, I placed an online order at unityelectronics.com on Jun 25, it was a secure site as indicated by the lock on IE6. While I was entering my personal information including credit card information I received more than one prompt from IE that I was being directed away from the secure site, do you want to continue.

I first tried to place the order during the morning. When I received the prompt I was suspicious and quit, and did not place the order.

That night, I decided I really needed to get the order placed so I returned to the site and tried again. The same thing happened with the prompts about being redirected. I decided to answer no, and see what happened. What happened was that I was not redirected, and the order processing continued in a normal manner. So I placed the order and it arrived a few days later.

I just today wrote a letter to unityelectronics.com and asked them if their site was compromised by the security alert for IE and gave them a link to an article about it.

We will see what they say.

I'm wondering if I should contact my credit card company and see if they think it would be wise to issue a new number.

I am quite concerned about this. Any thoughts?

Lilla

Lilla1

join:2002-04-22
Fall City, WA

reply to Lilla1
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%

Below are Microsoft's latest recommendations for using IE6. I was doing most, but not all. Now I am doing all. The item below is the one I was not doing before. I want IE6 to be as safe as possible for those times when I will use it to visit the sites that require it. For other sites I will be using Firefox.

They now recommend setting Internet Zone to High and adding sites that require ActiveX like Windows/Office Update to Trusted Sites Zone.

Increase Your Browsing and E-Mail Safety
4 Steps to Help Ward Off Hackers and Attackers
Published: October 3, 2003 | Updated: June 11, 2004»www.microsoft.com/security/incid···ngs.mspx

the article above is referenced in the article below

Microsoft - What you should know about Download_Ject: »www.microsoft.com/security/incid···ect.mspx

I do not have either of the two files they mention so I feel a bit better.

Lilla

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to gkweb
said by gkweb See Profile:
Without offense intended, I disagree here. I have seen a lot of people having firewalls and AV and being overwhelmed by a lot of spyware coming from nowhere, and being unnoticed by the firewall, while a very simple sandbox (Process Guard Free ?) would alert you of a single executable trying to launch.
So I don't see that it is "surely" misleading, just a matter of point of view.
But is this due to the same "leaktest" techniques? I do not think so. But enough of this flame thread going back and forth. I will agree to disagree I guess. One thing I will give you credit for is your Windows Doors Cleaner app; that is a very, very good idea. I'm quite surprised no-one has done it sooner.

Anyhow, take care.

Lilla1

join:2002-04-22
Fall City, WA


2 edits
reply to Lilla1
Re: [Kerio 2.x] Kerio 2.15 w BZ rules + Firefox

I reran the leaktests at www.firewallleaktester.com/test
after I installed Firefox and added a rule to allow IE access Windows/Office Update sites only.

Kerio 2.15 w BZ ruleset + Firefox passed 6/7 tests that I ran, and the one I didn't pass doesn't count as explained below. I ran these tests... Remember with IE I failed these same tests, now I'm back and passing them with Firefox...
- copycat
- ghost
- tooleaky
- thermite
- wallbreaker
- DNStester. I failed the DNStester test. I run with DNS Client service disabled. See Ghost's comments about "DNStest", where he said this test is contacting ISP DNS, so it's not really a relevant test.

The rules I added look like this...

Rule: IE - Ms Windows/Office Update (ActiveX)
Protocol: TCP (Out)
Local ports: 1024-5000
Remote address: 207.46.134.30-207.46.249.157
Remote ports: 80-81,443
Application: iexplore.exe
Permit

Rule: Firefox - web browser
Protocol: TCP (Out)
Local ports: 1024-5000
Remote address: any
Remote ports: 80-81,443
Application: firefox.exe
Permit

I have not blocked IE to non-microsoft sites because some sites are designed for IE and don't work/look right in other browsers. If I want to access a particular site using IE (other than the Microsoft sites I defined in my rule, see above) I must click Permit when prompted by the firewall.

Also, IE Internet Zone is set to High (default is Medium); sites that require ActiveX (Windows Update, Office Update) are entered as a trusted site. This is per latest Microsoft recommended settings for IE security.

So far I have installed just two firefox extensions:

1) IE VIEW - adds "Open Link Target in IE" and "View this page in IE" to Firefox context menu.

2) Shortcut - adds "Create Shortcut" on desktop to firefox context menu

QUESTION: In Firefox settings I can enable or disable Java, but I haven't installed Java, so I'm thinking this setting should be grayed out. Is this something that's due to being a beta? Or, is Java bundled with Firefox?

Lilla
Kerio 2.15 + BZ ruleset + Firefox rules!
BZ ruleset groupie
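To make the rule text above concrete, here is a small simulator of how those two outbound rules get matched against a connection attempt. This is an added example, not code from the thread or from Kerio: the port and address syntax ("80-81,443", "207.46.134.30-207.46.249.157") is copied from the post, while the first-match evaluation order and the "prompt" fallback for unmatched traffic are assumptions modelled on the poster's description of being asked to Permit.

```python
import ipaddress

def parse_ports(spec):
    """'80-81,443' -> {80, 81, 443}; 'any' -> None (wildcard)."""
    if spec == "any":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_addr(spec):
    """'a.b.c.d-e.f.g.h' -> inclusive (int, int) range; 'any' -> None."""
    if spec == "any":
        return None
    lo, _, hi = spec.partition("-")
    return (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo)))

# The two rules from the post, in the order they were listed.
RULES = [
    {"name": "IE - Ms Windows/Office Update (ActiveX)", "proto": "TCP",
     "app": "iexplore.exe", "local": parse_ports("1024-5000"),
     "remote_addr": parse_addr("207.46.134.30-207.46.249.157"),
     "remote": parse_ports("80-81,443"), "action": "permit"},
    {"name": "Firefox - web browser", "proto": "TCP",
     "app": "firefox.exe", "local": parse_ports("1024-5000"),
     "remote_addr": parse_addr("any"),
     "remote": parse_ports("80-81,443"), "action": "permit"},
]

def decide(app, proto, local_port, remote_ip, remote_port, rules=RULES):
    """First matching rule wins (assumption); no match -> ('prompt', None)."""
    ip = int(ipaddress.ip_address(remote_ip))
    for r in rules:
        if r["app"] != app or r["proto"] != proto:
            continue
        if r["local"] is not None and local_port not in r["local"]:
            continue
        if r["remote"] is not None and remote_port not in r["remote"]:
            continue
        lo_hi = r["remote_addr"]
        if lo_hi is not None and not (lo_hi[0] <= ip <= lo_hi[1]):
            continue
        return r["action"], r["name"]
    return "prompt", None
```

Note that IE to any address outside the Microsoft range, or either browser on a port other than 80, 81 or 443, falls through to the prompt, which is exactly the behaviour the post describes.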

slinky_2

join:2003-12-07
Baltimore, MD

good discussion here,

comments by ghost are spot on

on the other hand gkweb makes a good point that a trusted AP can act as a security hole

Lilla proves that more than half the battle is getting rid of IE.




My view re: leak tests - they are good for simulating your level of vulnerability, but are not realistic since they require downloading and running the .exe - it would be nice if someone could devise a test which acts more like the silent drive by trojans, to inform rather than destroy.

layered defense - is the best way to go

1) ditch IE in favor of alternative browser (Opera or Firefox 0.9 beta or above)

2) Use correctly configured firewall (k2.1.5 excellent choice)

3) Process control - PG or AP for Win2k & above (kernel level protection) or SSM ("user-mode" style hooking) for those unable to run either PG or AP.

SS&D 1.3 - immunization may help also. Tea timer may also help to monitor/protect the registry.




beta Prevx may be a new Ap to watch as it develops for Win2k & above:

»https://www.prevx.com/prevxenterprise/en···ures.htm


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to Lilla1
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%

My post is entirely general. When we test things, we do the community a favor; my greatest gripe is when the testing isn't accompanied by explanations. Or where the explanations are made in such a rhetorical style as to create the idea in people's heads that they should expect a "firewall" to contemplate any and every possible security breach. I'm really not up to date with the content of any of the test sites, right now; I run my own tests on LAN with nMap and Ethereal and a few other apps... so I certainly don't mean to call anyone specific onto the carpet, much less point any accusations at anyone in the thread. I want to make clear, too, that nobody is supposed to be flaming anyone in this forum, and that's a reminder. Civility's my cardinal rule, in here.

What I'm suggesting is that I've seen a lot of sites that purport to test security, then regard it as sufficient to place a snip like, "your firewall should/could be blocking this", without further explanation of how the word "firewall" is being used, what the test is testing, how dangerous the threat is, why it's included...

When I test firewalls to post in the forum, I tend to take a long time explaining what I did, why I did it, and what I think can be done about it. That's my major problem with the online testing process, in general.

It's a somewhat frustrating issue for me; there are quite a lot of test sites, and I apologize if I painted with a broad brush; not intended. But my frustration comes partly from a series of leaktests I tried sometime back which exploited operating system flaws, and then, as a form of "explanation", essentially were forward enough to say, "your firewall stinks... that's what this proves... why bother running it?" --- or some variation on those lines. That made me furious; anyone with enough time and skill to code the test had the time and skill to explain what they did, how it was accomplished, and what exactly the author thinks should be done about it. Trashing a perfectly useful PC firewall because it didn't block an application layer exploit isn't a reasonable or useful suggestion. And the net result was a F.U.D. outbreak.

Then, there are the sites I've run across that blame firewalls for letting in cookies, letting out headers, and all that. They don't discuss proxies, filters or configuring browsers. They just tersely blame the firewall, and the result... sigh... is Kerio 4.x.

Again, my sincere apologies if I wasn't clear enough in stating that I was expressing a generic frustration; if you're promoting good "computer hygiene", you're performing a service. I've spent a lot of time testing the firewalls I'm interested in, and I've done so solely for my own research and satisfaction, and I've shared most of my observations and suggestions in extreme detail with my fellow users, here. I find it so frustrating to see some people demonstrate the obvious skill to create the model exploit, but lacking the consideration or sense of responsibility to explain what they're doing, why and how.

I would rather, in fact, thank you most kindly for visiting our thread. You do quite evidently feel a sense of responsibility, judging from your posts, and I wish you well in your endeavors.
--
Semper Eadem

There struts Hamlet, there is Lear, That's Ophelia, that Cordelia; Yet they, should the last scene be there, The great stage curtain about to drop, If worthy their prominent part in the play, Do not break up their lines to weep.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to slinky_2
Re: [Kerio 2.x] Kerio 2.15 w BZ rules + Firefox

Sorry, missed that sub discussion... Yes. I'm running KMeleon, now, through Proxomitron, Kerio as my firewall, and NAT at the gateway. Nice layered approach, without going overboard. I would love to be running Tiny, for the app layer features, but it won't run on NT, and I have no reason whatsoever to upgrade the OS just to accommodate a firewall, albeit an enhanced one that's very good with these exotic exploits.

I would only add that I fully agree; the leaktests generally require the running of an untrusted app, and if it proves anything, what it proves most emphatically is that "if an app can run on your system, or you can be coerced to run it, without first having been verified in some way for trust, you're dead in the water and all bets are off." That's a point we have to reinforce again and again in people's minds. You can have all the nifty security software on earth, but if you don't practice good general computer hygiene, and good system and app configuration, you're more vulnerable, not less vulnerable, because you have a nice shot of false security coursing through you.

A well documented leak test is by all means a favor to the community; one we dealt with, though, was so poorly documented or explained that we ended up reverse engineering the damn thing to get a "documentable" test out of it. Turned out it was precisely what we thought it was, a DLL injection routine. Using that reverse engineered, recompiled leak test, we were able to do some great tests on Kerio and Tiny and a few other apps... but, standing alone, it was pretty much useless for anything except creating a general, abstract sense of fear, uncertainty and doubt. Perhaps that helps explain some of that latent frustration I feel when I see a few of these things ...

In a more positive sense, I recall a firewall killer app that worked against some versions of Kerio, and it was, in fact, pretty transparent... and served to help remind us anything running on the local system can be terminated... that doesn't discredit Kerio, by the way, just keeps us on our toes, and makes a good case for that "AlwaysSecure" registry flag, if you're really paranoid, or just reminds us to be vigilant, overall...

Which, in the end, is why I feel we do need open discussion of vulnerabilities, demonstrations, and assistance tweaking our configurations and rules, overall. But we need them in the spirit of finding solutions, not in the spirit of simply exposing problems. If anything, by the way, my original post was a challenge, meant to goad more good code hacks out there to take a positive role in improving the state of security consciousness, and improving our configurations and software. Building, not tearing down. Like all things, we have to tear down before we can build... but let's never just stop at the end of the razing... that's time to start the "raising".
--
Semper Eadem

There struts Hamlet, there is Lear, That's Ophelia, that Cordelia; Yet they, should the last scene be there, The great stage curtain about to drop, If worthy their prominent part in the play, Do not break up their lines to weep.
© 1999-2009 dslreports.com