Discussion:
Newbie help - security??
p***@never.here
2012-06-02 10:00:30 UTC
I'm dipping my toe into the world of Linux. Nothing dramatic. I've
just set up Ubuntu 12.04 on a spare machine. So far, so good.

Using wine to run a couple of windows programs I can't or don't want
to do without but apart from that everything I want appears to be
available for linux.

We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.

tia.

--
Pete
Alex Potter
2012-06-02 14:31:55 UTC
Post by p***@never.here
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
I live behind a NAT router, have used linux, almost exclusively, for at
least 10 years and run no firewalls on any of my machines.

I do run AV on the mail server, but that's for the benefit of those
members of my family still using windows boxen.

Iptables, the linux packet filter, is usually installed by default, and
there are a number of scripts available to make configuring it easier,
firestarter being one of them.

Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother.
--
Alex
p***@never.here
2012-06-03 11:55:29 UTC
On Sat, 02 Jun 2012 15:31:55 +0100, Alex Potter
Post by Alex Potter
Post by p***@never.here
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
I live behind a NAT router, have used linux, almost exclusively, for at
least 10 years and run no firewalls on any of my machines.
I do run AV on the mail server, but that's for the benefit of those
members of my family still using windows boxen.
Iptables, the linux packet filter, is usually installed by default, and
there are a number of scripts available to make configuring it easier,
firestarter being one of them.
Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother.
Thanks for the reply Alex. I've done a search on "NAT router" and I'm
just getting more and more confused. I'm probably missing something
obvious.

Is it h/w, s/w? If h/w is it related to the Netgear WNR2000 router I'm
using? If s/w, is it installed as part of ubuntu? Is it related to
iptables or something I need to install separately?

Sorry if these are really basic questions but any help appreciated.
--
Pete
DaveG
2012-06-03 12:26:36 UTC
Post by p***@never.here
Thanks for the reply Alex. I've done a search on "NAT router" and I'm
just getting more and more confused. I'm probably missing something
obvious.
Is it h/w, s/w? If h/w is it related to the Netgear WNR2000 router I'm
using? If s/w, is it installed as part of ubuntu? Is it related to
iptables or something I need to install separately?
Sorry if these are really basic questions but any help appreciated.
NAT = Network Address Translation.

If you are using a router between your computer and/or network and the VM
cable modem, then you are almost certainly behind a NAT.

If you check your IP address (ifconfig at a command line), you are most
likely set up for 192.168.x.x. which is a non-routable "local" address
therefore is being "translated" in your router to the assigned VM IP
address which is a "live" network facing address, probably something like
80.x.x.x where 80 might be 81,82,83 or something else :-)
--
DaveG
Lifetime member of the National Trust
6 years and counting.
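
Added example (not part of any post in this thread): a toy Python model of the address-and-port translation table described in the reply above, showing why a host behind a NAT router gets replies to its own connections while unsolicited inbound packets find no mapping. All addresses are constructed documentation-range values; the `NatRouter` class, its port numbering and its filtering behaviour are illustrative assumptions, and real routers differ in detail.

```python
"""Toy model of a home router's NAT table (illustrative, not a real router)."""
import ipaddress

# The three RFC 1918 "local" ranges; 192.168.x.x is the one home routers use most.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a non-routable RFC 1918 address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class NatRouter:
    """Hypothetical router: one public (WAN) address shared by the LAN."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self._next_port = first_port
        self.out = {}       # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.back = {}      # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.forwards = {}  # wan_port -> (lan_ip, lan_port), explicit port forwards

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; return the packet as the internet sees it."""
        if not is_rfc1918(lan_ip):
            raise ValueError("source is not a LAN address: %s" % lan_ip)
        key = (lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.out:
            wan_port = self._next_port
            self._next_port += 1
            self.out[key] = wan_port
            self.back[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.wan_ip, self.out[key], remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet arrives at the WAN side; return the LAN target or None (dropped)."""
        hit = self.back.get((wan_port, remote_ip, remote_port))
        if hit is not None:
            return hit                       # reply to a connection the LAN host opened
        return self.forwards.get(wan_port)   # None unless a port forward exists


def demo():
    """Walk through the four cases with constructed addresses."""
    router = NatRouter("203.0.113.7")                # constructed public address
    lan_host = ("192.168.1.20", 51000)               # constructed LAN host and port
    results = {}
    # 1. LAN host connects out to a web server: source is rewritten.
    results["rewritten"] = router.outbound(*lan_host, "198.51.100.10", 443)
    # 2. The server's reply matches the mapping and is delivered.
    results["reply"] = router.inbound("198.51.100.10", 443, 40000)
    # 3. An unrelated host probes the same WAN port: no mapping, dropped.
    results["probe"] = router.inbound("198.51.100.99", 443, 40000)
    # 4. With a port forward configured, the same kind of probe reaches the LAN host.
    router.forwards[22] = ("192.168.1.20", 22)
    results["forwarded"] = router.inbound("198.51.100.99", 12345, 22)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The last case is the caveat to relying on NAT alone: a port forward, whether set by hand or created through UPnP, exposes whatever is listening on that port, and that is where a host packet filter such as iptables still matters.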
p***@never.here
2012-06-03 19:40:43 UTC
Post by DaveG
Post by p***@never.here
Thanks for the reply Alex. I've done a search on "NAT router" and I'm
just getting more and more confused. I'm probably missing something
obvious.
Is it h/w, s/w? If h/w is it related to the Netgear WNR2000 router I'm
using? If s/w, is it installed as part of ubuntu? Is it related to
iptables or something I need to install separately?
Sorry if these are really basic questions but any help appreciated.
NAT = Network Address Translation.
If you are using a router between your computer and/or network and the VM
cable modem, then you are almost certainly behind a NAT.
If you check your IP address (ifconfig at a command line), you are most
likely set up for 192.168.x.x. which is a non-routable "local" address
therefore is being "translated" in your router to the assigned VM IP
address which is a "live" network facing address, probably something like
80.x.x.x where 80 might be 81,82,83 or something else :-)
Thanks Dave. Looks as if I am in that case.

VM IP 82.44.xx.xx

Local IP 192.168.x.x
--
Pete
AV3
2012-06-02 14:36:46 UTC
Post by p***@never.here
I'm dipping my toe into the world of Linux. Nothing dramatic. I've
just set up Ubuntu 12.04 on a spare machine. So far, so good.
Using wine to run a couple of windows programs I can't or don't want
to do without but apart from that everything I want appears to be
available for linux.
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
tia.
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
--
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
||Arnold VICTOR, New York City, i. e., <***@Wearthlink.net> ||
||Arnoldo VIKTORO, Nov-jorkurbo, t. e., <***@Wearthlink.net> ||
||Remove capital letters from e-mail address for correct address/ ||
|| Forigu majusklajn literojn el e-poŝta adreso por ĝusta adreso ||
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
Alex Potter
2012-06-02 15:14:40 UTC
Post by AV3
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
+1
--
Alex
ldwilliams
2012-06-02 21:16:05 UTC
Post by AV3
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat.
You yourself are your best security guarantee, always being on guard
against clever, convincing Trojan horses, which are the only form of
malware known to penetrate Linux security, i. e., only with the
gullible consent of the password owner.
+1
Someone uses Google Plus
LOL
Alex Potter
2012-06-02 21:57:31 UTC
Post by ldwilliams
Someone uses Google Plus
"+1" pre-dates google by many a year...
--
Alex
Tom Gardner
2012-06-02 23:41:38 UTC
Post by AV3
Post by p***@never.here
I'm dipping my toe into the world of Linux. Nothing dramatic. I've
just set up Ubuntu 12.04 on a spare machine. So far, so good.
Using wine to run a couple of windows programs I can't or don't want
to do without but apart from that everything I want appears to be
available for linux.
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
tia.
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.

Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
AV3
2012-06-03 02:03:23 UTC
Post by Tom Gardner
Post by AV3
...
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Do any available security programs currently protect against any of
these potential threats? If not, I refer you to my advice in the
paragraph quoted above. Of course, if any of these threats materializes,
my advice will be outdated, but not until then. And only then may
appropriate security programs possibly appear.
--
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
||Arnold VICTOR, New York City, i. e., <***@Wearthlink.net> ||
||Arnoldo VIKTORO, Nov-jorkurbo, t. e., <***@Wearthlink.net> ||
||Remove capital letters from e-mail address for correct address/ ||
|| Forigu majusklajn literojn el e-poŝta adreso por ĝusta adreso ||
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
Tom Gardner
2012-06-03 07:43:31 UTC
Post by AV3
Post by Tom Gardner
Post by AV3
...
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Do any available security programs currently protect against any of
these potential threats? If not, I refer you to my advice in the
paragraph quoted above. Of course, if any of these threats materializes,
my advice will be outdated, but not until then. And only then may
appropriate security programs possibly appear.
Yes, the threats exist.

I'd forgotten that they also affect
Acrobat Reader, and didn't realise Skype was also vulnerable.

Consider the following as 5 minutes indicative research, rather
than anything comprehensive nor definitive. I'm sure more could
be found with relatively little effort.

http://catless.ncl.ac.uk/Risks/26.59.html#subj17.1
http://catless.ncl.ac.uk/Risks/26.87.html#subj10.1
http://catless.ncl.ac.uk/Risks/25.58.html#subj17.1
http://catless.ncl.ac.uk/Risks/26.59.html#subj9.1
p***@never.here
2012-06-03 11:59:47 UTC
On Sun, 03 Jun 2012 00:41:38 +0100, Tom Gardner
Post by Tom Gardner
Post by AV3
Post by p***@never.here
I'm dipping my toe into the world of Linux. Nothing dramatic. I've
just set up Ubuntu 12.04 on a spare machine. So far, so good.
Using wine to run a couple of windows programs I can't or don't want
to do without but apart from that everything I want appears to be
available for linux.
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
tia.
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
--
Pete
Tom Gardner
2012-06-03 12:10:13 UTC
Post by p***@never.here
On Sun, 03 Jun 2012 00:41:38 +0100, Tom Gardner
Post by Tom Gardner
Post by AV3
Post by p***@never.here
I'm dipping my toe into the world of Linux. Nothing dramatic. I've
just set up Ubuntu 12.04 on a spare machine. So far, so good.
Using wine to run a couple of windows programs I can't or don't want
to do without but apart from that everything I want appears to be
available for linux.
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
tia.
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
I presume so, but it does also protect you against many useful sites :(
If those sites themselves serve up attacks, which isn't unknown,
then naturally it can't help.

Nonetheless I do use NoScript, partly as a way of seeing what sites are
trying to link together.

Ghostery is also fun for the same reasons, and BetterPrivacy
hits the "super cookies".
p***@never.here
2012-06-03 12:31:18 UTC
On Sun, 03 Jun 2012 13:10:13 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
On Sun, 03 Jun 2012 00:41:38 +0100, Tom Gardner
Post by Tom Gardner
Post by AV3
Post by p***@never.here
I'm dipping my toe into the world of Linux. Nothing dramatic. I've
just set up Ubuntu 12.04 on a spare machine. So far, so good.
Using wine to run a couple of windows programs I can't or don't want
to do without but apart from that everything I want appears to be
available for linux.
We are told Linux is less susceptible to internet nasties but as I use
internet banking is there a minimum level of security (firewall, AV) I
should install? As a firewall, Firestarter looks a possibility. Is it?
Any other thoughts appreciated.
tia.
Most Linux users agree that the available security programs are a waste
of time, bandwidth, hard disk space, and money. They can't protect you
from the as yet unknown and there is nothing known that is a threat. You
yourself are your best security guarantee, always being on guard against
clever, convincing Trojan horses, which are the only form of malware
known to penetrate Linux security, i. e., only with the gullible consent
of the password owner.
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
I presume so, but it does also protect you against many useful sites :(
But you can allow individual sites on a temporary or permanent basis.
Post by Tom Gardner
If those sites themselves serve up attacks, which isn't unknown,
then naturally it can't help.
True. One of the things I do, as I mentioned up top, was online
banking. If sites like Barclays get compromised and start attacking
their customers they have far bigger problems than me. If the worst
comes to the worst I can always reinstall from scratch again :)
Post by Tom Gardner
Nonetheless I do use NoScript, partly as a way of seeing what sites are
trying to link together.
Ghostery is also fun for the same reasons, and BetterPrivacy
hits the "super cookies".
Thanks. I'll have a look at them.
--
Pete
Tom Gardner
2012-06-03 13:01:25 UTC
Post by p***@never.here
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
I presume so, but it does also protect you against many useful sites :(
But you can allow individual sites on a temporary or permanent basis.
Just so.
Post by p***@never.here
Post by Tom Gardner
If those sites themselves serve up attacks, which isn't unknown,
then naturally it can't help.
True. One of the things I do, as I mentioned up top, was online
banking. If sites like Barclays get compromised and start attacking
their customers they have far bigger problems than me. If the worst
comes to the worst I can always reinstall from scratch again :)
Best way for that kind of site is to have a "live CD" of, say,
ubuntu, on a USB stick, and then to boot from that. You are
guaranteed to *always* get:
- a pristine o/s and browser
- no viruses/trojans
- no keyboard sniffers
to the standard demanded by the factory's manufacturing quality
assurance!

It will protect you against persistent problems such as
http://catless.ncl.ac.uk/Risks/26.87.html#subj10.1

It won't protect you against problems in the boot/bios, but
the only thing that will deal with that is TPM/Palladium,
which has other deleterious effects.

Halfway house is to boot the live CD in a virtual machine,
which is what I do.
p***@never.here
2012-06-03 20:03:25 UTC
On Sun, 03 Jun 2012 14:01:25 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
I presume so, but it does also protect you against many useful sites :(
But you can allow individual sites on a temporary or permanent basis.
Just so.
Post by p***@never.here
Post by Tom Gardner
If those sites themselves serve up attacks, which isn't unknown,
then naturally it can't help.
True. One of the things I do, as I mentioned up top, was online
banking. If sites like Barclays get compromised and start attacking
their customers they have far bigger problems than me. If the worst
comes to the worst I can always reinstall from scratch again :)
Best way for that kind of site is to have a "live CD" of, say,
ubuntu, on a USB stick, and then to boot from that. You are
- a pristine o/s and browser
- no viruses/trojans
- no keyboard sniffers
to the standard demanded by the factory's manufacturing quality
assurance!
It will protect you against persistent problems such as
http://catless.ncl.ac.uk/Risks/26.87.html#subj10.1
It won't protect you against problems in the boot/bios, but
the only thing that will deal with that is TPM/Palladium,
which has other deleterious effects.
Halfway house is to boot the live CD in a virtual machine,
which is what I do.
Interesting that you feel the need to go to that extreme when
using Linux. As I assume you are?

I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.

Are you being over cautious or is linux that insecure? Should I stay
with Windows?
--
Pete
DaveG
2012-06-03 21:12:13 UTC
Post by p***@never.here
Are you being over cautious or is linux that insecure? Should I stay
with Windows?
yes, no and no :-)
--
DaveG
Lifetime member of the National Trust
6 years and counting.
p***@never.here
2012-06-04 10:32:32 UTC
Post by DaveG
Post by p***@never.here
Are you being over cautious or is linux that insecure? Should I stay
with Windows?
yes, no and no :-)
Thanks for the reassurance Dave.
--
Pete
Tom Gardner
2012-06-03 22:16:46 UTC
Post by p***@never.here
On Sun, 03 Jun 2012 14:01:25 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
I presume so, but it does also protect you against many useful sites :(
But you can allow individual sites on a temporary or permanent basis.
Just so.
Post by p***@never.here
Post by Tom Gardner
If those sites themselves serve up attacks, which isn't unknown,
then naturally it can't help.
True. One of the things I do, as I mentioned up top, was online
banking. If sites like Barclays get compromised and start attacking
their customers they have far bigger problems than me. If the worst
comes to the worst I can always reinstall from scratch again :)
Best way for that kind of site is to have a "live CD" of, say,
ubuntu, on a USB stick, and then to boot from that. You are
- a pristine o/s and browser
- no viruses/trojans
- no keyboard sniffers
to the standard demanded by the factory's manufacturing quality
assurance!
It will protect you against persistent problems such as
http://catless.ncl.ac.uk/Risks/26.87.html#subj10.1
It won't protect you against problems in the boot/bios, but
the only thing that will deal with that is TPM/Palladium,
which has other deleterious effects.
Halfway house is to boot the live CD in a virtual machine,
which is what I do.
Interesting that you feel the need to go to that extreme when
using Linux. As I assume you are?
I am doing that, but I don't feel it is extreme since
it is quick, easy and simple:
- 75s wall-clock time enables me to boot ubuntu
from an iso in a virtual machine *and* open
firefox and connect to the default web page
- it takes maybe 30s to boot my normal firefox in my
o/s
so it is effectively a painless way of removing a
notable set of attack vectors.

Quite an easy decision, really.
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
Post by p***@never.here
Are you being over cautious
Possibly, but it is painless, so I haven't lost
anything significant (nor money :)

I look both ways before I cross the road even
though I expect that cars would stop before they
hit me. Why? Because it is a simple easy precaution
that could avoid a very nasty rare outcome.
Post by p***@never.here
or is linux that insecure?
No.

The consensus is that there is no intrinsic
security difference between open source software
and proprietary closed source software.

In practice the bad guys are extremely
pragmatic and focus their attacks on the majority
system. On the desktop that is windows, in the
mobile arena that is android (which is a layer
on top of a linux kernel).
Post by p***@never.here
Should I stay with Windows?
That's your choice. Windows is a good gaming
platform, but everything else is easier and
cheaper with linux!

My daughter's windows laptop had a hard drive
blow up. Microsoft refused to let me reinstall
the o/s even though I had the o/s and product key,
saying it was Samsung's problem, Samsung said
it was Microsoft's responsibility, but they could
do it for £70+disk. It took 90 mins on the phone
to find that out.

It took me 40mins to install ubuntu for free, and
add 60mins for a full system security update.

Full Windows updates seem to take around 24 hours.

Guess which I chose. Not difficult, really.
AV3
2012-06-03 22:25:58 UTC
Post by Tom Gardner
Post by p***@never.here
On Sun, 03 Jun 2012 14:01:25 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
There are, I believe, JavaScript attack vectors that target
the browser's operation. These are inherently agnostic as to
the o/s that is running the browser, and a pig to spot since
they don't modify anything on the hard disk.
Some claim that the upcoming HTML5 offers new scope for
such attacks, particularly w.r.t. DDoS attacks. IMHO
that remains to be proven or disproven.
Thanks for the reply Tom. I'm using FF 12. Will the "noscript" add-on
help to protect against this type of attack?
I presume so, but it does also protect you against many useful sites :(
But you can allow individual sites on a temporary or permanent basis.
Just so.
Post by p***@never.here
Post by Tom Gardner
If those sites themselves serve up attacks, which isn't unknown,
then naturally it can't help.
True. One of the things I do, as I mentioned up top, was online
banking. If sites like Barclays get compromised and start attacking
their customers they have far bigger problems than me. If the worst
comes to the worst I can always reinstall from scratch again :)
Best way for that kind of site is to have a "live CD" of, say,
ubuntu, on a USB stick, and then to boot from that. You are
- a pristine o/s and browser
- no viruses/trojans
- no keyboard sniffers
to the standard demanded by the factory's manufacturing quality
assurance!
It will protect you against persistent problems such as
http://catless.ncl.ac.uk/Risks/26.87.html#subj10.1
It won't protect you against problems in the boot/bios, but
the only thing that will deal with that is TPM/Palladium,
which has other deleterious effects.
Halfway house is to boot the live CD in a virtual machine,
which is what I do.
Interesting that you feel the need to go to that extreme when
using Linux. As I assume you are?
I am doing that, but I don't feel it is extreme since
- 75s wall-clock time enables me to boot ubuntu
from an iso in a virtual machine *and* open
firefox and connect to the default web page
- it takes maybe 30s to boot my normal firefox in my
o/s
so it is effectively a painless way of removing a
notable set of attack vectors.
Quite an easy decision, really.
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
Post by p***@never.here
Are you being over cautious
Possibly, but it is painless, so I haven't lost
anything significant (nor money :)
I look both ways before I cross the road even
though I expect that cars would stop before they
hit me. Why? Because it is a simple easy precaution
that could avoid a very nasty rare outcome.
Post by p***@never.here
or is linux that insecure?
No.
The consensus is that there is no intrinsic
security difference between open source software
and proprietary closed source software.
In practice the bad guys are extremely
pragmatic and focus their attacks on the majority
system. On the desktop that is windows, in the
mobile arena that is android (which is a layer
on top of a linux kernel).
Post by p***@never.here
Should I stay with Windows?
That's your choice. Windows is a good gaming
platform, but everything else is easier and
cheaper with linux!
My daughter's windows laptop had a hard drive
blow up. Microsoft refused to let me reinstall
the o/s even though I had the o/s and product key,
saying it was Samsung's problem, Samsung said
it was Microsoft's responsibility, but they could
do it for £70+disk. It took 90 mins on the phone
to find that out.
It took me 40mins to install ubuntu for free, and
add 60mins for a full system security update.
Full Windows updates seem to take around 24 hours.
Guess which I chose. Not difficult, really.
I can't quarrel with any cost-free, sufficiently speedy measures you are
comfortable taking, and they are now explained, for those others, who
feel a need for them. But the OP question was about the need for
anti-malware software. Is there any such program that now protects
against the threats you perceive?
--
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
||Arnold VICTOR, New York City, i. e., <***@Wearthlink.net> ||
||Arnoldo VIKTORO, Nov-jorkurbo, t. e., <***@Wearthlink.net> ||
||Remove capital letters from e-mail address for correct address/ ||
|| Forigu majusklajn literojn el e-poŝta adreso por ĝusta adreso ||
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
Tom Gardner
2012-06-03 22:35:53 UTC
Post by AV3
I can't quarrel
I'm sure others will!
Post by AV3
with any cost-free, sufficiently speedy measures you are
comfortable taking, and they are now explained, for those others, who
feel a need for them. But the OP question was about the need for
anti-malware software. Is there any such program that now protects
against the threats you perceive?
For some threats there are protective measures that can be taken.

For other threats there aren't any current solutions (e.g.
in-browser non-persistent memory-based attacks).

For a few threats there are no solutions on the horizon (e.g. dns
cache poisoning, some keyloggers, reflashed bioses) except
maybe TPM/Palladium.

It isn't a black-and-white situation, there are infinite
shades of gray. That's true for all o/s and browsers.

Security is always a cost-vs-risk equation.
AV3
2012-06-04 00:25:59 UTC
Permalink
Post by Tom Gardner
Post by AV3
I can't quarrel
I'm sure others will!
Post by AV3
with any cost-free, sufficiently speedy measures you are
comfortable taking, and they are now explained, for those others, who
feel a need for them. But the OP question was about the need for
anti-malware software. Is there any such program that now protects
against the threats you perceive?
For some threats there are protective measures that can be taken.
For other threats there aren't any current solutions (e.g.
in-browser non-persistent memory-based attacks).
For a few threats there are no solutions on the horizon (e.g. dns
cache poisoning, some keyloggers, reflashed bioses) except
maybe TPM/Palladium.
It isn't a black-and-white situation, there are infinite
shades of gray. That's true for all o/s and browsers.
Security is always a cost-vs-risk equation.
I appreciate that you have raised cogent issues and recommended measures
to be taken. In my original message to the OP I neglected this field.
But I take it from your reply above that you recommend installing no
currently existing anti-malware software. I hope we agree on that point.


Please raise the alarm here, should some new measures become recommendable.
--
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
||Arnold VICTOR, New York City, i. e., <***@Wearthlink.net> ||
||Arnoldo VIKTORO, Nov-jorkurbo, t. e., <***@Wearthlink.net> ||
||Remove capital letters from e-mail address for correct address/ ||
|| Forigu majusklajn literojn el e-poŝta adreso por ĝusta adreso ||
++====+=====+=====+=====+=====+====+====+=====+=====+=====+=====+====++
p***@never.here
2012-06-04 10:24:34 UTC
Permalink
On Sun, 03 Jun 2012 23:16:46 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
Post by Tom Gardner
Halfway house is to boot the live CD in a virtual machine,
which is what I do.
Interesting that you feel the need to go to that extreme when
using Linux. As I assume you are?
I am doing that, but I don't feel it is extreme since
- 75s wall-clock time enables me to boot ubuntu
from an iso in a virtual machine *and* open
firefox and connect to the default web page
- it takes maybe 30s to boot my normal firefox in my
o/s
so it is effectively a painless way of removing a
notable set of attack vectors.
Quite an easy decision, really.
Thanks for explaining...
Post by Tom Gardner
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
I'm referring to online banking here when I say I haven't noticed any
problems. The problems I'd expect to notice would be unexpected items
on current and CC accounts. Maybe I'm lucky but it hasn't happened
yet.
Post by Tom Gardner
Post by p***@never.here
Are you being over cautious
Possibly, but it is painless, so I haven't lost
anything significant (nor money :)
I look both ways before I cross the road even
though I expect that cars would stop before they
hit me.
Learned at my mother's knee :-) Not sure the analogy quite works
though.
Post by Tom Gardner
Why? Because it is a simple easy precaution
that could avoid a very nasty rare outcome.
Can't argue.
Post by Tom Gardner
Post by p***@never.here
or is linux that insecure?
No.
The consensus is that there is no intrinsic
security difference between open source software
and proprietary closed source software.
In practice the bad guys are extremely
pragmatic and focus their attacks on the majority
system. On the desktop that is windows, in the
mobile arena that is android (which is a layer
on top of a linux kernel).
Alex Potter in his initial answer to my query said

"Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother."

Do you agree with this, if not is there a basic level of security you
would recommend?
Post by Tom Gardner
Post by p***@never.here
Should I stay with Windows?
That's your choice. Windows is a good gaming
platform, but everything else is easier and
cheaper with linux!
Don't do gaming so linux appears to do all I need.
Post by Tom Gardner
My daughter's windows laptop had a hard drive
blow up. Microsoft refused to let me reinstall
the o/s even though I had the o/s and product key,
saying it was Samsung's problem, Samsung said
it was Microsoft's responsibility, but they could
do it for £70+disk. It took 90 mins on the phone
to find that out.
The only time that happened to me was when I had to replace a
motherboard on a system. Using Win XP, at the time, which didn't like
the change and refused to activate but in that case a phone call to M$
explaining the change and the consequences soon got it activated again.
Post by Tom Gardner
It took me 40mins to install ubuntu for free, and
add 60mins for a full system security update.
Agreed
Post by Tom Gardner
Full Windows updates seem to take around 24 hours.
Maybe on dial up, not sure about BB, even VM BB :-)
Post by Tom Gardner
Guess which I chose. Not difficult, really.
Again agreed
--
Pete
Tom Gardner
2012-06-04 11:07:48 UTC
Permalink
Post by p***@never.here
On Sun, 03 Jun 2012 23:16:46 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
I'm referring to online banking here when I say I haven't noticed any
problems. The problems I'd expect to notice would be unexpected items
on current and CC accounts. Maybe I'm lucky but it hasn't happened
yet.
Ignorance is bliss. Consider
http://www.schneier.com/blog/archives/2011/08/new_bank-fraud.html

The German Federal Criminal Police (the “Bundeskriminalamt”
or BKA for short) recently warned consumers about a new
Windows malware strain... <snip>
When the unwitting user views his account balance, the malware
modifies the amounts displayed in his browser... <snip>
Post by p***@never.here
Alex Potter in his initial answer to my query said
"Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother."
Do you agree with this, if not is there a basic level of security you
would recommend?
The risk-reward choice is yours to make, not mine.
I've given pointers to documented cases that demonstrate
that a NAT router is not sufficient for security.
Post by p***@never.here
Post by Tom Gardner
My daughter's windows laptop had a hard drive
blow up. Microsoft refused to let me reinstall
the o/s even though I had the o/s and product key,
saying it was Samsung's problem, Samsung said
it was Microsoft's responsibility, but they could
do it for £70+disk. It took 90 mins on the phone
to find that out.
The only time that happened to me was when I had to replace a
motherboard on a system. Using Win XP, at the time, which didn't like
the change and refused to activate but in that case a phone call to M$
explaining the change and the consequences soon got it activated again.
I was gobsmacked by MS's ability to actively push a
paying customer away from their products!
Post by p***@never.here
Post by Tom Gardner
It took me 40mins to install ubuntu for free, and
add 60mins for a full system security update.
Agreed
Post by Tom Gardner
Full Windows updates seem to take around 24 hours.
Maybe on dial up, not sure about BB, even VM BB :-)
Oh, the download time is << 24 hours. The problem,
for an old system such as winxp, is after installation:
- update, go away while it is chuntering away
for an unknown time
- come back, find it has finished
- reboot
- go away during post-reboot initialisation,
because that too will take an unknown time
- come back, find it has finished
- do another update, rinse and repeat for 24 hours!
p***@never.here
2012-06-04 11:40:09 UTC
Permalink
On Mon, 04 Jun 2012 12:07:48 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
On Sun, 03 Jun 2012 23:16:46 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
I'm referring to online banking here when I say I haven't noticed any
problems. The problems I'd expect to notice would be unexpected items
on current and CC accounts. Maybe I'm lucky but it hasn't happened
yet.
Ignorance is bliss.
Where ignorance is bliss, 'tis folly to be wise
Post by Tom Gardner
Consider
http://www.schneier.com/blog/archives/2011/08/new_bank-fraud.html
The German Federal Criminal Police (the “Bundeskriminalamt”
or BKA for short) recently warned consumers about a new
Windows malware strain... <snip>
When the unwitting user views his account balance, the malware
modifies the amounts displayed in his browser... <snip>
Thanks for the link and the warning. It does say it is windows malware
but if I ever log into my account and receive a message to that effect
I'll contact my bank before doing anything stupid.

Would never have thought to search for links like this. Have you made
a study of internet security or are you involved professionally in the
business?
Post by Tom Gardner
Post by p***@never.here
Alex Potter in his initial answer to my query said
"Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother."
Do you agree with this, if not is there a basic level of security you
would recommend?
Any comments on this Tom?





--
Pete
Tom Gardner
2012-06-04 17:05:44 UTC
Permalink
Post by p***@never.here
On Mon, 04 Jun 2012 12:07:48 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
On Sun, 03 Jun 2012 23:16:46 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
I'm referring to online banking here when I say I haven't noticed any
problems. The problems I'd expect to notice would be unexpected items
on current and CC accounts. Maybe I'm lucky but it hasn't happened
yet.
Ignorance is bliss.
Where ignorance is bliss, 'tis folly to be wise
Post by Tom Gardner
Consider
http://www.schneier.com/blog/archives/2011/08/new_bank-fraud.html
The German Federal Criminal Police (the “Bundeskriminalamt”
or BKA for short) recently warned consumers about a new
Windows malware strain...<snip>
When the unwitting user views his account balance, the malware
modifies the amounts displayed in his browser...<snip>
Thanks for the link and the warning. It does say it is windows malware
but if I ever log into my account and receive a message to that effect
I'll contact my bank before doing anything stupid.
Would never have thought to search for links like this. Have you made
a study of internet security or are you involved professionally in the
business?
I'm an engineer that's been around those that are deeply
involved, and I keep a weather eye open, that's all.

Schneier is worth reading, so is the comp.risks usenet
group archived at http://catless.ncl.ac.uk/Risks

Both are low volume and have a high signal-to-noise ratio,
which is rare.
Post by p***@never.here
Post by Tom Gardner
Post by p***@never.here
Alex Potter in his initial answer to my query said
"Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother."
Do you agree with this, if not is there a basic level of security you
would recommend?
Any comments on this Tom?
No comments, but I've let people know what I do.
(Linux + NAT firewall/router + VM/ISO, all with
non-obvious passwords)
That cost vs risk-avoidance benefit is appropriate for me.

Security is more than tools, more than technology, more
than process. It is all of those plus it is a mentality.
Tom Gardner
2012-06-04 17:30:11 UTC
Permalink
And today's man-in-the-browser trojan banker attack is ...
<pause for drum roll>...

http://www.theregister.co.uk/2012/06/04/small_banking_trojan/
http://www.csis.dk/en/csis/news/3566
p***@never.here
2012-06-04 20:14:09 UTC
Permalink
On Mon, 04 Jun 2012 18:05:44 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
On Mon, 04 Jun 2012 12:07:48 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
On Sun, 03 Jun 2012 23:16:46 +0100, Tom Gardner
Post by Tom Gardner
Post by p***@never.here
I've never felt the need to do that all the time I've been using
online banking while using Win XP or 7. Never been aware of
any problem although I did run Kaspersky IS, Ad-aware etc.
What makes you think you would have noticed any problems?
I'm referring to online banking here when I say I haven't noticed any
problems. The problems I'd expect to notice would be unexpected items
on current and CC accounts. Maybe I'm lucky but it hasn't happened
yet.
Ignorance is bliss.
Where ignorance is bliss, 'tis folly to be wise
Post by Tom Gardner
Consider
http://www.schneier.com/blog/archives/2011/08/new_bank-fraud.html
The German Federal Criminal Police (the “Bundeskriminalamt”
or BKA for short) recently warned consumers about a new
Windows malware strain...<snip>
When the unwitting user views his account balance, the malware
modifies the amounts displayed in his browser...<snip>
Thanks for the link and the warning. It does say it is windows malware
but if I ever log into my account and receive a message to that effect
I'll contact my bank before doing anything stupid.
Would never have thought to search for links like this. Have you made
a study of internet security or are you involved professionally in the
business?
I'm an engineer that's been around those that are deeply
involved, and I keep a weather eye open, that's all.
Schneier is worth reading, so is the comp.risks usenet
group archived at http://catless.ncl.ac.uk/Risks
Both are low volume and have a high signal-to-noise ratio,
which is rare.
Post by p***@never.here
Post by Tom Gardner
Post by p***@never.here
Alex Potter in his initial answer to my query said
"Unless you're ultra-paranoid, and if you live behind a NAT router, I
wouldn't bother."
Do you agree with this, if not is there a basic level of security you
would recommend?
Any comments on this Tom?
No comments, but I've let people know what I do.
(Linux + NAT firewall/router + VM/ISO, all with
non-obvious passwords)
That cost vs risk-avoidance benefit is appropriate for me.
Security is more than tools, more than technology, more
than process. It is all of those plus it is a mentality.
Thanks for all the replies to my queries. Lots to think about.
--
Pete