Forums » The Site » Old Forums » Kerio - Tiny Support » [Kerio 2.x] Kerio 2.15 w good rules fails 50% of tests at...

ghost16825
Use security metrics
Premium
join:2003-08-26


reply to Lilla1
These leaktests aka scaretests are pure crap


Smells like it ...that's because it is
TooLeaky: launches a hidden window in IE to remote port 80. Weakness really depends on Internet zone IE settings/IE flaws/holes.
PCAudit: DLL injection into explorer to port 80 again. Solution: make sure explorer.exe doesn't have any internet access whatsoever. The DNS Cache Client service does not need to be enabled.
AWFT: test 1 - tricky business, almost hangs itself, fails to do anything
test 2 - through the web browser to the default site (remote port 80) or your choice of site
test 3 - through explorer.exe again, choice of site
test 4 - through browser
test 5 - through browser
test 6 - through browser
Thermite: IE only, through port 80, firewall sees it
Copycat: did nothing
Mbtest: crashed itself
Wallbreaker: test 1 - IE through... let me guess, port 80 again
test 2 - port 80
test 3 - port 80
(Kerio detects all traffic in IE no matter what)
DNSTest: sounds like bullshit at its absolute finest. Tried with DNS Cache disabled. Sent DNS requests to my DNS server. Watch out everyone! Now that's what I call a leak!
Ghost: through IE port 80 again. Kerio picks up IE activity of course.

---------------------------------------------------

Summary:
Kerio sees all this activity really, because they all use the web browser for the dirty work.
explorer.exe should almost never need internet access.
DNS Client Service is not necessary; there is very little to gain by using it.
Log, log, log non-standard port ranges/rare remote ports in your browser if you're paranoid. E.g. anything to XXX.XXX.XXX:666 should ring alarm bells.
Accept that anything to remote port 80 is to a web server for a legitimate reason most of the time.
Don't forget that this is all done through a web browser, not anything else. Patch all your IE holes if you use it as a web browser.
DNSTest is perhaps the most misleading one of them all. Someone tell me that it isn't ridiculous.
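The defensive advice in the summary above (explorer.exe gets no internet access, the DNS Client service is unnecessary, log rare remote ports from the browser) can be turned into a small check over a firewall log. The script below is an added example written for this page; it is not code from the thread, from Kerio, or from any poster. The log line format and the sample entries are constructed for illustration and do not match Kerio's real log files; the browser list, the "expected" ports 80 and 443, and the assumption that svchost.exe is the process hosting the DNS Client service are taken from the post's summary rather than from any rule set.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log, NOT Kerio's real log format: one connection per line as
# "<time> <application> <direction> <protocol> <remote ip> <remote port> <action>".
SAMPLE_LOG = """\
12:00:01 iexplore.exe OUT TCP 203.0.113.10 80 permit
12:00:05 explorer.exe OUT TCP 203.0.113.10 80 permit
12:00:09 iexplore.exe OUT TCP 203.0.113.20 666 permit
12:00:12 svchost.exe OUT UDP 192.0.2.53 53 permit
12:00:15 firefox.exe OUT TCP 203.0.113.30 443 permit
12:00:20 leaktest.exe OUT TCP 203.0.113.10 80 deny
12:00:25 iexplore.exe IN TCP 203.0.113.40 1234 deny
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<app>\S+)\s+(?P<direction>IN|OUT)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s+"
    r"(?P<action>permit|deny)\s*$"
)

# Assumptions taken from the post's summary, not from Kerio's own rules.
BROWSERS = {"iexplore.exe", "firefox.exe", "mozilla.exe", "opera.exe"}
EXPECTED_BROWSER_PORTS = {80, 443}   # "anything to remote port 80 is ... legitimate most of the time"
NO_INTERNET_APPS = {"explorer.exe"}  # "explorer.exe should almost never need internet access"
DNS_CLIENT_HOST = "svchost.exe"      # process assumed to host the DNS Client service


@dataclass(frozen=True)
class Entry:
    time: str
    app: str
    direction: str
    proto: str
    remote_ip: str
    remote_port: int
    action: str


def parse_log(text: str) -> List[Entry]:
    """Parse the constructed log format; reject any line that does not match it."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised log line {line!r}")
        entries.append(Entry(m["time"], m["app"].lower(), m["direction"], m["proto"],
                             m["ip"], int(m["port"]), m["action"]))
    return entries


def find_alerts(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Return (rule name, entry) for permitted outbound connections that break the post's advice."""
    alerts: List[Tuple[str, Entry]] = []
    for e in entries:
        # Inbound and denied traffic never left the machine, so it cannot be a leak.
        if e.direction != "OUT" or e.action != "permit":
            continue
        if e.app in NO_INTERNET_APPS:
            alerts.append(("no-internet-app", e))
        elif e.app in BROWSERS and e.remote_port not in EXPECTED_BROWSER_PORTS:
            alerts.append(("browser-rare-port", e))
        elif e.app == DNS_CLIENT_HOST and e.proto == "UDP" and e.remote_port == 53:
            alerts.append(("dns-client-service", e))
    return alerts


def summarise(alerts: List[Tuple[str, Entry]]) -> List[str]:
    """One human-readable line per alert."""
    return [f"{rule}: {e.time} {e.app} -> {e.remote_ip}:{e.remote_port}/{e.proto}"
            for rule, e in alerts]


if __name__ == "__main__":
    for line in summarise(find_alerts(parse_log(SAMPLE_LOG))):
        print(line)
```

The script deliberately does not try to tell a browser window opened by a leaktest from one opened by the user: as the post says, the firewall sees only IE talking to port 80 either way. It flags the things the post says you can actually control, namely a non-browser process that should have no internet access, a browser talking to an unusual remote port, and DNS Client service traffic when you have decided that service should be off.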


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


The hole in IE was built in: any program can proxy its communications through IE, just like a software proxy. This is the huge security hole in IE that Microsoft has not fixed in years, and why IE is only permitted to Windows Update/Office Update/Microsoft sites in general on my computer.

As I've said before, Microsoft Security is an oxymoron; their own browser was listed as a security risk by CERT recently also, and it was suggested that people use alternative browsers. IE in general is a security risk; if it wasn't for their use of Windows/Office Update, and access to Microsoft beta software, I would not be using IE at all, along with it being completely blocked.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.


paranoidxe
Premium
join:2002-03-29
Ogden, UT

Funny... Kerio passed PCAudit just fine on this machine.

Thermite looks like it locally creates the file instead of remotely.

Copycat failed to connect to put c:\exploited.txt on my machine using Kerio 2.1.5, so yet another inaccurate claim.

Wallbreaker fails too if Internet Explorer is not already set up to use port 80 and allowed access.

PCAudit2 failed as well; I denied it access easily, again when Internet Explorer is NOT set up to access port 80.

I think the test is pretty bogus myself. The "exploits" it uses seem to only "exploit" the port that is already open on most computers anyway: port 80.
--
"It's better to look stupid for 5 minutes and ask a question, than to be stupid for the rest of your life." 4g63.20m.com (textsource.org)

Lilla1

join:2002-04-22
Fall City, WA

reply to BlitzenZeus
Thank you BlitzenZeus for your posts, informative and helpful as always. And thanks again (I cannot say it enough) for the GREAT BZ ruleset you have given us.

Thank you to Ghost, and gkweb for your excellent posts. It's always good to read both sides of an issue. Those tests did scare me pretty good, and reading Ghost's post has quieted my fears about my trusted Kerio 2.15 with BZ ruleset.

I appreciate the discussion in this thread. It has helped me to understand a bit more about security. I am thinking now more about the concept of taking a layered approach to security: the role of the firewall layer vs. the role of the browser layer. This is something I need to learn more about.

BlitzenZeus, I read with interest the limited use you make of IE, and I am now thinking that I might at least consider the idea of adding a 2nd browser.

Which alternate browser would you guys recommend, Opera, Mozilla FireFox, other? I would prefer one that is free.

When people say their IE6 is fully patched, does that mean something beyond Microsoft Critical Updates? So far that is all that I do.

Thanks to all,
Lilla, BZ ruleset groupie


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


Opera is not free, unless you don't mind an adbar you can easily block through Kerio. Otherwise there are open source browsers like Mozilla and Firefox. Mozilla is a suite with an e-mail client, etc. Firefox is just a pure browser, but it's considered beta if you really care. I prefer Firefox, and it's been working great for me; however it's a bit different, so it will take a little bit to get used to coming from IE.

IE has always had unpatched exploits for it going around; I don't consider it safe for common use unless you're willing to disable most, if not all, of its features in the name of security. When you restrict too many settings you can't visit many legit websites, but with programs like Firefox you don't have to worry about all of these security exploits trying to install things behind your back, so you can leave features enabled without worry. You just need IE for sites that require IE for their proprietary technologies like ActiveX (HacktiveX) and Visual Basic Scripting, which are the source of most of their exploits. Basically Windows Update, Office Update, etc.
© 1999-2009 dslreports.com.