How do you keep safe?


Solved by coolguy80

Recommended Posts

+BudMan

"but it won't help a compromised system from sending and receiving traffic."

 

This is such flawed logic :argh:

 

The word you should be keyed in on here is "compromised"  So you executed code, or were exploited in some manner so code ran on your machine in such a way to compromise it..  But you think some other code on the box is going to prevent it from talking on the network??

 

Besides the complete PITA aspect of having to auth all outbound connections any process tries to make for the user.. Which has no clue what to allow and not to allow.. Have seen dhcp client denied, etc.

 

Now if you want to run some sort of IDS on the host to examine outbound traffic to allow or deny or warn, ok..  But again  "compromised" -- why can the bad software not just disable or trick the good software into allowing such traffic?  The box is compromised - your security has failed already in the fact that it was compromised, yet some software you are running on that same compromised box is going to save the day?? :rolleyes:  I am sure company X selling each copy of their software at $50 a pop wants you to go that route ;)

 

If you are worried about such traffic I would suggest again that at your borders between trusted and hostile you run IDS/IPS to look at traffic - look for bad stuff and block it at the edge where that compromised box has no control over whether that packet leaves the network or not.

 

It makes more sense to control the flow of traffic both in and out of your trusted network at the border of that network.. Not on every single device on said network, that is an administration nightmare..

 

As to receiving traffic.. Again this can be done at the border, it is very simple to block traffic both to and from known bad IP blocks.  So it can not talk to command and control even if the ports used to communicate are allowed.  DNS filtering of bad FQDNs is quite easy to deploy, again this is best done at the border of the network where compromised devices don't have the ability to mess with the rules like they could do on a box they have owned, no matter the OS on said box.

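As an added example (editor's code, not part of any post in this thread), here is the border-side blocking BudMan describes done as detection logic over log lines: flows are checked against a list of known-bad IP blocks with proper CIDR membership, and resolver queries are checked against a list of bad FQDNs on label boundaries, so a lookalike name does not match by accident. The blocklist entries, the log line formats and the addresses (documentation ranges) are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample data, not taken from the thread: a tiny "known bad" list of
# IP blocks and FQDNs, plus flow and resolver log lines of the kind a border
# firewall and a filtering DNS server would write. The addresses are
# documentation ranges standing in for real C2 infrastructure.
BAD_CIDRS = ["198.51.100.0/24", "203.0.113.0/25"]
BAD_FQDNS = ["c2.example.net", "bad-cdn.example.org"]

FLOW_LOG = """\
2015-01-22T03:41:10Z src=192.168.1.23 dst=198.51.100.77 dport=443 proto=tcp
2015-01-22T03:41:11Z src=192.168.1.23 dst=93.184.216.34 dport=443 proto=tcp
2015-01-22T03:41:12Z src=192.168.1.40 dst=203.0.113.200 dport=8080 proto=tcp
2015-01-22T03:41:13Z src=192.168.1.40 dst=203.0.113.9 dport=53 proto=udp
"""

DNS_LOG = """\
2015-01-22T03:41:09Z client=192.168.1.23 query=update.c2.example.net type=A
2015-01-22T03:41:10Z client=192.168.1.23 query=www.example.com type=A
2015-01-22T03:41:14Z client=192.168.1.40 query=notc2.example.net type=A
2015-01-22T03:41:15Z client=192.168.1.40 query=bad-cdn.example.org type=AAAA
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
DNS_RE = re.compile(r"client=(\S+) query=(\S+)")


def load_cidrs(cidrs):
    """Parse CIDR strings once; the membership tests below reuse the objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_blocked(ip, networks):
    """True if ip falls inside any blocked network. The port is irrelevant:
    a C2 block is denied even on an otherwise allowed port such as 443."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def fqdn_blocked(name, bad_fqdns):
    """Match the listed name or any subdomain of it, on label boundaries:
    update.c2.example.net is blocked, notc2.example.net is not."""
    name = name.rstrip(".").lower()
    for bad in bad_fqdns:
        bad = bad.rstrip(".").lower()
        if name == bad or name.endswith("." + bad):
            return True
    return False


def scan_flows(log, networks):
    """Return (src, dst, dport) for every flow whose destination is blocked."""
    hits = []
    for line in log.splitlines():
        m = FLOW_RE.search(line)
        if m and ip_blocked(m.group(2), networks):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


def scan_dns(log, bad_fqdns):
    """Return (client, query) for every lookup of a blocked name."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m and fqdn_blocked(m.group(2), bad_fqdns):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    nets = load_cidrs(BAD_CIDRS)
    for hit in scan_flows(FLOW_LOG, nets):
        print("blocked flow:", hit)
    for hit in scan_dns(DNS_LOG, BAD_FQDNS):
        print("blocked lookup:", hit)
```

Two details matter in practice: 203.0.113.200 is not flagged because the list only covers 203.0.113.0/25, so get the prefix length right when you import a feed; and the DNS match must be on label boundaries, otherwise a plain substring test would either miss subdomains of a listed name or block unrelated names that happen to end in the same characters.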
+John Teacake

As always BRILLIANT post ... As a side note. Two Home Broadband Connections. Connected up a Cisco router and both within literally less than 10 minutes had people trying to login with SSH....Checked the IPs ... China!! I am going to email the authorities (And I mean high level people here) and actually ask what they are doing to curb these, I am just generally curious as to what they do. They must know about it.....

+BudMan

What is so funny is I just read that china has made some changes to lock down vpn protocols outbound from china.. I would assume in an attempt to control users from there from circumvention of the great firewall ;)  SSH is the most basic way to tunnel traffic and circumvent any sort of attempt to limit where you can go.

 

http://techcrunch.com/2015/01/23/china-vpn-crackdown/

 

So how does it make sense that yeah if you log hits to your ssh server, the VAST majority of traffic is from china IPs ;)  Every time I put up a honey pot, pretty much every attempt is china ;)

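Both posts above talk about logging the SSH login attempts that arrive minutes after a box goes online. As an added example (editor's code, not from either poster), this is the minimum you would run over sshd's auth.log to turn those hits into something actionable: it parses the failed-password lines, counts failures and distinct usernames per source, and emits ipset commands for the border firewall. The log excerpt is constructed, the thresholds are arbitrary defaults, and the ipset set name `ssh-block` is an assumption (it presumes you already have such a set referenced by a DROP rule).

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not from the thread). The line format is the one
# OpenSSH's sshd emits through syslog on Debian-style systems.
AUTH_LOG = """\
Jan 22 03:12:01 gw sshd[2011]: Failed password for root from 198.51.100.17 port 51022 ssh2
Jan 22 03:12:03 gw sshd[2013]: Failed password for root from 198.51.100.17 port 51030 ssh2
Jan 22 03:12:05 gw sshd[2015]: Failed password for invalid user admin from 198.51.100.17 port 51041 ssh2
Jan 22 03:12:07 gw sshd[2017]: Failed password for invalid user oracle from 198.51.100.17 port 51055 ssh2
Jan 22 03:12:09 gw sshd[2019]: Failed password for invalid user test from 198.51.100.17 port 51060 ssh2
Jan 22 03:12:30 gw sshd[2021]: Failed password for bob from 192.168.1.50 port 40001 ssh2
Jan 22 03:12:35 gw sshd[2023]: Accepted publickey for bob from 192.168.1.50 port 40002 ssh2: ED25519 SHA256:c0ffee
Jan 22 03:13:00 gw sshd[2025]: Failed password for invalid user pi from 203.0.113.8 port 33001 ssh2
Jan 22 03:13:02 gw sshd[2027]: Failed password for invalid user pi from 203.0.113.8 port 33002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log):
    """(source_ip, username) for each failed password attempt; accepted logins
    and non-sshd lines are ignored."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group(2), m.group(1)))
    return out


def summarize(failures):
    """Per source IP: (failure count, set of usernames tried)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for ip, user in failures:
        counts[ip] += 1
        users[ip].add(user)
    return {ip: (counts[ip], users[ip]) for ip in counts}


def find_offenders(log, max_failures=5, max_users=3):
    """Sources over either threshold. The distinct-user rule catches slow
    spraying (one guess per account) that stays under the raw failure count."""
    offenders = []
    for ip, (n, users) in sorted(summarize(parse_failures(log)).items()):
        if n >= max_failures or len(users) >= max_users:
            offenders.append((ip, n, sorted(users)))
    return offenders


def block_commands(offenders, setname="ssh-block"):
    """ipset commands to feed the border firewall. The set name is an
    assumption; it must already exist and be matched by a DROP rule."""
    return [f"ipset add {setname} {ip}" for ip, _, _ in offenders]


if __name__ == "__main__":
    hits = find_offenders(AUTH_LOG)
    for ip, n, users in hits:
        print(f"{ip}: {n} failures, users tried: {', '.join(users)}")
    print("\n".join(block_commands(hits)))
```

Bob's single typo from the LAN is not flagged, and 203.0.113.8 with two guesses at one account stays under both thresholds; only the source cycling through root, admin, oracle and test gets a block entry. Note that the block goes into the firewall in front of the host, which is the point BudMan makes about where the rule should live.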
simplezz

"but it won't help a compromised system from sending and receiving traffic."

 

This is such flawed logic :argh:

 

The word you should be keyed in on here is "compromised"  So you executed code, or were exploited in some manner so code ran on your machine in such a way to compromise it..  But you think some other code on the box is going to prevent it from talking on the network??

A driver level firewall that intercepts all outgoing traffic can prevent most trojans, keyloggers, and other nasties from stealing your data, propagating, etc. It's unlikely that initial malware could interdict said firewall.

You have to remember that bots and remote protocols are very common in relation to malware these days. Often a bootstrap trojan will download additional software and update itself. Without that facility, it greatly reduces the severity of such attacks.

If you're using Windows, an outgoing firewall is essential.

  • Like 1
+BudMan

^ whatever..  I just don't feel like beating this dead horse at the moment..

 

You just keep telling yourself that you're safe because you run software X..  And that software Y that you let execute on your box can not do anything to software X ;)

 

Better plan is to not run software X in the first place if you ask me!  Just Saying!

  • Like 2
simplezz

You just keeping telling yourself that your safe because you run software X..  And that software Y that you let exe on your box can not doing anything to software X ;)

I think you misunderstand me. A firewall is a failsafe, not a licence to disregard common sense. Just the same way an Antivirus is no guarantee that running an untrusted program won't bork your system.

 

Better plan is not run software X in the first place if you ask me!  Just Saying!

OFC. And that's why Linux is far safer. Software is obtained through peer-reviewed repositories rather than random websites. You're much more likely to encounter a trojan at some point running Windows. Therefore, it's a good idea to block unauthorised outgoing traffic by default assuming you don't want your data stolen or your machine turned into a zombie/bot doing the bidding of some hacker. And don't think this is mere hyperbole, I've seen it happen myself.
  • Like 1
xxxxxx.xxxxxx

To keep myself safe online i generally use;

 

  • Anonymous VPN
  • Tor Network
  • GnuPG
  • dmcrypt/LUKS and eCryptfs
  • iptables
  • Properly configured NAT
  • I don't run services or leave ports open if i don't require them at that moment in time
  • Common sense approach to downloading/surfing implementing counter measures where required
  • Primary e-mail account only given to those who i REQUIRE to have it (brutal SpamAssassin)
  • Secondary e-mail account for website registrations etc to avoid the usual phishing, scams, unwanted attachments etc.

That is pretty much it, haven't had a problem for a good few years now. :)

 

Paranoid, maybe... but it works for me  :shiftyninja:

sc302

I think you misunderstand me. A firewall is a failsafe, not a licence to disregard common sense. Just the same way an Antivirus is no guarantee that running an untrusted program won't bork your system.

 

OFC. And that's why Linux is far safer. Software is obtained through peer-reviewed repositories rather than random websites. You're much more likely to encounter a trojan at some point running Windows. Therefore, it's a good idea to block unauthorised outgoing traffic by default assuming you don't want your data stolen or your machine turned into a zombie/bot doing the bidding of some hacker. And don't think this is mere hyperbole, I've seen it happen myself.

So you think running a software firewall will stop a compromised system from communicating out...I have some news for you, a compromised system is just that...what makes you think that a piece of software is going to stop a computer from communicating?  At best it will alert you, at worst it won't tell you anything and communicate out anyway.  This did happen to me a few years ago with a 0 day worm, the software firewall detected that chrome was going out to a china site, then it changed to ie, then it changed to firefox, then it changed to explorer, then it changed to itunes.  Nothing the software firewall could do, other than shut down all communications, would stop this thing from communicating out, the firewall logs and sniffer logs proved that.  Somebody asked me how do I know for sure that it was a virus communicating, showed them the logs...unbelievable they said...All software firewalls do is use resources on the machine and perhaps protect you from really poorly executed malware.

simplezz

So you think running a software firewall will stop a compromised system from communicating out...I have some news for you, a compromised system is just that...what makes you think that a piece of software is going to stop a computer from communicating?

Because a decent personal firewall (as opposed to a network firewall) will operate at the kernel level registering itself as a packet filter. All subsequent traffic will run through its callback routines permitting or refusing traffic based on some kind of ruleset that the PC user can modify in realtime. This negates most malware or trojan activities.

 

At best it will alert you, at worst it won't tell you anything and communicate out anyway.

Then you clearly don't know how a personal firewall works. This doesn't include Windows' built in firewall because it's extremely limited.

 

This did happen to me a few years ago with a 0 day worm, the software firewall detected that chrome was going out to a china site, then it changed to ie, then it changed to firefox, then it changed to explorer, then it changed to itunes.  Nothing the software firewall could do, other than shut down all communications, would stop this thing from communicating out, the firewall logs and sniffer logs proved that.

A lot of personal firewalls also checksum the programs that a ruleset allows network access to. So if another program is modifying them it should automatically detect and block that. It's not perfect, but it can stop most threats.

 

Somebody asked me how do I know for sure that it was a virus communicating, showed them the logs...unbelievable they said...All software firewalls do is use resources on the machine and perhaps protect you from really poorly executed malware.

I suggest you have a read of This.

Unlike network firewalls, many personal firewalls are able to control network traffic allowed to programs on the firewalled computer. When an application attempts an outbound connection, the firewall may block it if blacklisted, or ask the user whether to blacklist it if it is not yet known. This protects against malware implemented as an executable program. Personal firewalls may also provide some level of intrusion detection, allowing the software to terminate or block connectivity where it suspects an intrusion is being attempted.

  • Like 1
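The checksum behaviour simplezz describes (a per-program rule pinned to a hash of the executable, so a replaced binary no longer inherits the allow decision) is easy to show in code. The following is an added example by the editor, not code from any product or poster: a toy ruleset keyed on the program path that stores the SHA-256 of the file at approval time and returns one of four verdicts. The file names and contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile

# Verdicts a personal firewall could hand back for an outbound attempt.
ALLOW, DENY, UNKNOWN, HASH_MISMATCH = "allow", "deny", "unknown", "hash-mismatch"


def sha256_file(path):
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Ruleset:
    """Per-program outbound rules, each pinned to the SHA-256 of the binary at
    the moment the user approved or denied it."""

    def __init__(self):
        self.rules = {}  # path -> (verdict, sha256 at approval time)

    def learn(self, path, verdict):
        self.rules[path] = (verdict, sha256_file(path))

    def decide(self, path):
        if path not in self.rules:
            return UNKNOWN  # a real product would prompt the user here
        verdict, pinned = self.rules[path]
        if sha256_file(path) != pinned:
            # The binary changed since approval: never reuse the old verdict,
            # re-prompt instead. This is what catches an overwritten program.
            return HASH_MISMATCH
        return verdict


def demo():
    """Three constructed 'programs' (hypothetical names) and the four outcomes:
    an approved one, a denied one, an unknown one, then the approved one
    after something rewrote it on disk."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        updater = os.path.join(d, "updater.exe")
        dropper = os.path.join(d, "dropper.exe")
        for path, body in ((browser, b"browser v1"), (updater, b"updater v1"), (dropper, b"dropper")):
            with open(path, "wb") as f:
                f.write(body)

        rs = Ruleset()
        rs.learn(browser, ALLOW)
        rs.learn(updater, DENY)
        results = [rs.decide(browser), rs.decide(updater), rs.decide(dropper)]

        # Simulate malware replacing the approved browser binary on disk.
        with open(browser, "wb") as f:
            f.write(b"browser v1 + injected payload")
        results.append(rs.decide(browser))
        return results


if __name__ == "__main__":
    print(demo())
```

The pin only covers the image on disk. It says nothing about code injected into the already running, already approved browser process, about a malicious DLL that process loads, or about malware that simply stops the filter driver or service, which is exactly the gap sc302 and BudMan are pointing at in the posts around this one.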
Aergan

CIDR blocking most of APNIC works quite well.

sc302

Because a decent personal firewall (as apposed to a network firewall) will operate at the kernel level registering itself as a packet filter. All subsequent traffic will run through its callback routines permitting or refusing traffic based on some kind of ruleset that the PC user can modify in realtime. This negates most malware or trojan activities.

 

Then you clearly don't know how a personal firewall works. This doesn't include Windows' built in firewall because it's extremely limited.

 

A lot of personal firewalls also checksum the programs that a ruleset allows network access to. So if another program is modifying them it should automatically detect and block that. It's not perfect, but it can stop most threats.

 

I suggest you have a read of This.

I guess you have never seen malware/worms hide themselves as other applications before (using the legitimate application to run, the application itself was perfectly fine and not compromised as shown by many different submissions to virus total and other sites...the system however was compromised and spread to other systems).  I stand behind stating that once a system is compromised, all software on the system is compromised...even the software firewall.  I will agree that the windows firewall isn't anything really special nor would it give you any information as to what application is running and communicating the instant that something does communicate. 0 day is 0 day, no definitions (even checksums) will protect against them.

simplezz

I guess you have never seen malware/worms hide themselves as other applications before.

Any decent personal firewall worth its salt will notice that. As I said, ruleset entries usually store a checksum of the target executable. If something tries to inject itself or masquerade as another program, it should be detected. Note we're talking about a Windows PC here, not Linux. Linux doesn't suffer from such problems so a router level NAT firewall is usually sufficient to protect yourself.

I stand behind stating that once a system is compromised, all software on the system is compromised...even the software firewall.

That's simply wrong. While malware can be sophisticated, it's not omnipotent. It's limited by its original programming and the fact it can't account for all security software out there. I'd say a personal firewall will block the majority of malware out there.

I will agree that the windows firewall isn't anything really special.

As far as I'm aware, it doesn't allow the user to authorise or deny traffic automatically. One has to manually configure it. For that reason, it doesn't make a good application level firewall.
sc302

I beg to differ, mainly because I have seen it in a live environment and spent weeks with symantec and microsoft on the phone to diagnose.  You can think or believe what you want.  Microsoft eventually released a repair definition in security essentials two weeks after the site was infected (first one to release a definition, others followed suit shortly there after).  You may have heard of it, maybe you haven't, but it was dubbed Morto.

 

 

http://www.enigmasoftware.com/wormwin32mortoa-removal/

 

While it is a simple enough piece of malware to remove, finding it was very difficult, protecting a computer that had 3389 open and weak passwords was also difficult and it was also difficult to protect computers that had the rule to allow all traffic from trusted computers enabled.  When it still was a zero day/at the time, many different software products were used, symantec endpoint protection, eset smart security, zone alarm firewall, comodo firewall (far better than zone alarm as it was detecting traffic to remote sites but could not block it), vipre, trend micro, and a bevy of other software to try to thwart this infection prior to the definition or any documentation being released on how to remove this.   BTW, this did not show up in the combofix log nor was it in the otl log....yeah this was a bitch

+BudMan

So sc302, guess you in a beat the dead horse mood..

 

"once a system is compromised, all software on the system is compromised"

 

This is fact!!

 

Here is another tidbit.. Users are Users - guess what happens when Firewall X asks the user if it is OK for Y to use the network.. ;)  You have 2 most common, they allow the bad code or they block the good code..

 

Software firewalls do another thing other than suck up resources, they generate support calls from users on why they can not play their game.. Or video chat with their friend, etc..

 

If you get paid from support tickets then by all means - install a software firewall ;)

  • Like 1
sc302

Software firewalls, stopping users from doing what they want since 2002. Really, the greatest invention to give people a false sense of security since the tin foil hat.

  • 1 year later...
imort
On 22.01.2015 at 3:39 AM, Art_X said:

I have heard about IDS scripts and such but having to look through log files every day to see if "something" happened is not that appealing to me, and I often hear the excuse "well if you don't visit bad sites you should be fine!", but then how do you know if a site is bad, sites are always being hijacked and code added, how can you tell if a site that was good yesterday is still good today?

 

I am not writing this to flame or bait about which system is better, I am writing it in the hope that people can help me to understand Linux better so that I can trust it for my day to day needs :)

I have found that the same rules can be applied both for Windows and Linux: keep it updated, use common sense and be careful :)

 

I'm running no antivirus on my Windows computer for years and do a quick check every few months.

Never ever got any problems with that :)

 

Can't recommend the same to my friends and relatives of course :(

 

If we're talking about some home PC it will be enough.

But if we need to talk about some office servers that's another story :)

 

  • Like 1
Gotenks98
On 1/21/2015 at 4:46 PM, Max Norris said:

Just like every other OS. Keep it up to date, regular backups, and a healthy dose of common sense. For the home user, that malware doesn't wind up on your system by magic, it's either via an exploit (i.e., keeping your system up to date) or user error (i.e., no dumbassery allowed.) A few basic rules have kept all of my systems (Windows, BSD and Linux) malware free for a good number of years now, no babysitting software required. If you run public facing servers, obviously that's a whole different ballgame.

That is pretty much what I do. Unless you had something on your system like teamviewer there would be no reason or way for hackers just to get to your system especially on Linux. They would first have to have a reason to target you then an exploit to get into your system.

Boo Berry

Arch + virtual machines work pretty well for me.

This topic is now closed to further replies.