Practicing Safe Computing

Digerati · #1 (**permalink**) 03-05-2007, 04:58 PM

Quote:

i feel that in terms of security and popups and such it is pretty darn good compared to IE

I am not trying to stir up arguments over which is better, and I am not accusing anyone of fear mongering or Microsoft bashing. The above statement from this thread just reminded me of many heated discussions I have had with several recognized IT security experts, other colleagues and many experienced users who INSISTED everyone must switch to Firefox because Internet Explorer was so unsafe and Firefox was so much more secure.

I was able to stop every one of those heated discussions dead in their tracks by asking the following simple question of those pundits:

"How many of you STOPPED being infected and compromised when you switched to Firefox?"

My point? Virtually EVERY exploitable vulnerability in Internet Explorer, Windows, or even Firefox (which has several too) can ONLY be exploited by bad guys if the user fails to consistently practice safe computing in a disciplined manner. Yes, there are rare cases of an exploitable vulnerability even in a fully protected system. But, there are so many factors and unusual circumstances that must line up precisely to expose it, and then exploit it, that it is not worth the time or effort for the bad guy. Bad guys go for the easy pickings, and move on.

What does practice safe computing mean? It means,

You keep your systems:
- Patched (SP2 for XP) and updated, including critical updates, current versions (such as IE7), and the latest signature/definition files,
- Scanned with current anti-malware (anti-virus, anti-spyware, anti-Trojan, etc.) scanners,
- Blocked with a current firewall, spam blocker, and pop-up blocker,
You never open attachments or downloads without scanning for malware first,
You never click on links in spam to "unsubscribe from this list", and
You stay away from sites your grandmother would disapprove of (porn, illegal P2P, gambling, etc.).

If you switch to Firefox or another alternative browser, can you stop practicing safe computing? Of course not.

If you follow the above steps, the chances of your system being compromised are reduced to near zero, regardless if you use Firefox, Opera, IE, Safari, or something else.

Of course, even the Mozilla Firefox developers admit that no browser is 100% safe. Bad guys are discovering, and attempting to exploit, new found vulnerabilities in alternative browsers too. And as the alternatives to IE become more popular, bad guys will continue to turn more of their focus on them.

So the fact remains, if you connect to the Internet, you will encounter risks. Everyone must be diligent and responsible "netizens" by practicing safe computing.

If you are unsure, or don't know how to accomplish those practice safe computing tasks, ask. If you do know how, teach!

Finally, let's be certain to place blame where it belongs; on the bad guys!

Kaistar · #2 (**permalink**) 04-05-2007, 03:51 PM

oops. sorry man Dig. din't mean to overstep any boundaries and such. was just my opinion when i compared IE6 and FF.

and thanks for your informative post. appreciate it sincerely.

once again, my apologies if i said something provocative.

Digerati · #3 (**permalink**) 04-05-2007, 04:45 PM

Quote:

din't mean to overstep any boundaries and such.

What boundries? You made it clear it was your opinion, AND you made a point to say you have limited experience with IE7. I say to you "Thanks" for providing a segue for me to step up on my soapbox!

provocative: serving or tending to provoke, excite, or stimulate; stimulating discussion or exciting controversy

Kaistar · #4 (**permalink**) 05-05-2007, 12:45 PM

haha. alrighto.

anyways, i think the mods/admins should sitcky or pin up this thread. it's simple and it'll help people avoid alot of troubles. while i learned more through common sense, people new to the cyberworld might not know better and i'm sure what you wrote up there can save them from alot of potholes.

VopThis · #5 (**permalink**) 06-05-2007, 06:25 PM

My concern with IE has always been that ActiveX is a significant transmission vehicle for "drive-by downloads" (imbedded scripting at rogue site entry points). And, SpyBot lists over 16K of bad ActiveX components which are easily avoidable if you use IE only when necessary. Since the main online scanning tools are mostly ActiveX based that continues to support the ongoing vulnerability and predominant use of IE:

[14K hits] http://www.google.ca/search?hl=en&q=...=Google+Search

I don't treat IE and FireFox as either/or - I tend to use them both, but IE significantly less and often together at the same time. If you ever run into problems using IE, you would be glad to have a browser based upon different technology (non-ActiveX based browser).

People need to pre-qualify the sites/links that they intend to visit, but most don't have any appropriate means or will to do so. Accordingly, it is VERY advisable to use a tool like 'siteadvisor', 'linkscanner', 'sitehound', etc. Unfortunately, I don't see these tools in wide use as reflected in the HijackThis LOGS that I see. The HABITS, perceived risks, and practice of safe computing is often too inconvenient and just not seemingly worth the bother. All that available and attractive free (risk-based) content often puts caution to the wind - and the bad guys are counting on it.

Digerati · #6 (**permalink**) 06-05-2007, 11:09 PM

Again, the intent of this thread is NOT to turn this into a debate over which browser is better! Nor was it intended to provide an avenue to monger fear into nearly .6 billion IE users!

I will say again,

Quote:

Virtually EVERY exploitable vulnerability in Internet Explorer, Windows, or even Firefox (which has several too) can ONLY be exploited by bad guys if the user fails to consistently practice safe computing in a disciplined manner.

As the first "hit" in your Google search suggests, and as stated in my very first step in the list above:

Quote:

...keep your systems...updated, including current versions (such as IE7)

Microsoft has taken great measures to address ActiveX controls (and many other security issues) in Internet Explorer 7. Yes, IE7 is still IE, so ActiveX concerns are still valid, but IE7 warns you before running new ActiveX controls, something IE6 did not. But, the browser of choice is not the point of this thread.

It matters not what browser you use! All of the steps included in practicing safe computing are totally independent of the browser used. You cannot cease performing any of those steps simply because you change to an alternative browser.

The purpose of this thread is to educate folks. Not instill fear. It is simply ludicrous to suggest, as you have done, that just because one uses IE instead of FF, he or she will become a victim of a drive-by download, which will exploit some vulnerability, that will result in their system being compromised!

That is NOT true, folks! If that were the case, then virtually all .6 billion Windows users in this world would be using compromised computers (assuming they still worked at all) and that is not the case. Yes, it is true that FF is less vulnerable to some types of vulnerabilities, but the fact remains, folks, getting a drive-by download is like downloading spyware in a cookie - it means NOTHING unless the bad guy can then some how gain control of that code, use that code to exploit some OTHER vulnerability in Windows (most often an UNPATCHED vulnerability) or your security defenses, that will then some how compromise your system, and/or get past your AV, AS, and your firewall.

Education is the key, and that is the purpose of this thread.

Quote:

The HABITS, perceived risks, and practice of safe computing is often too inconvenient and just not seemingly worth the bother. All that available and attractive free (risk-based) content often puts caution to the wind - and the bad guys are counting on it.

That's a cop out! Some folks think buckling their seat belts is inconvenient, but not wearing one is still stupid! Yes, setting up your security defense does take too much work and is inconvenient. But once setup, updates and scans can be scheduled to run automatically, with little or no user involvement thereafter. Just as seat belts allow a driver to keep, or quickly regain, control in an accident, thus minimizing hitting and hurting others, so too does practicing safe computing protect our fellow Internet (and network) users from our systems infecting theirs. In other words, it is our responsibility to keep our systems from becoming a danger to others - convenient or not.

You are right, however, when you say bad guys are counting on finding users who fail to practice safe computing - my point all along. As I noted, they go for the easy pickings.

As a Beta tester for Firetrust Sitehound (and MailWasher Pro), I agree those type tools have merit and Sitehound is excellent at detecting phishing and other malicious sites. It is particularly great for those of us that actively fight bad guys because it provides so much information. But IE7 has an excellent Phishing Filter which is quite capable, does not consume any toolbar or system/notification tray space, and is free.

For more information on Drive-by downloads with IE7, see here.

Now please, let's not drive this thread off-topic. It is not a discussion about browsers.

Kaistar · #7 (**permalink**) 07-05-2007, 12:36 PM

yo Vop n Dig, i'd like to hear more about sitehound and such if you don't mind? and one more question, is there a low resource consuming AV program that auto scans for downloads? i think Norton had it but if i remember correctly it slowed down the PC for the duration of the scan.

Digerati · #8 (**permalink**) 07-05-2007, 01:22 PM

You can check out Sitehound over at Firetrust. It has a fully functional 30-day trial option you can download and try out. Unlike some other trial packages - most notably the new ZoneAlarm 7 Free - Sitehound completely uninstalls if you elect to not keep it. If you want a program where you can be actively involved in helping fight the bad guys, and at the same time, learn about how it is done, Sitehound is a good option. It provides lots of information.

If you currently use IE7, then check out the Phishing Filter as it does much of the same thing, but is less intrusive on your desktop and may be better for those that do not want to be that much involved. It is important to note that neither program will allow you surf the net haphazardly - you still have to buckle-up and keep your hands on the wheel!

I use AVG Pro for my AV scanner. The free version is just as effective as a scanner, but the Pro gives you much better scheduling options, and more information about suspicious activity.

I leave my systems on 24/7/365 so every night, AVG checks for updates, then scans. Same with my anti-spyware scanner. In this way, when I get up in the morning, I get my scan reports and my systems are ready for a day's work.

Note that most experts would say it is better to allow your systems to scan when the computers are not in use. This ensure the fewest number of programs are running, and the fewest number of open files. If you are using your computer while scanning, the scanners will skip many files, and have to compete for resources.

Note too that every scanner will have an adverse affect while scanning. That should be expected as there is intense hard drive activity. But certainly Norton has been known to affect performance more than others, but at all times, not just during scanning. To be fair, I hear the latest version is better.

paulthomasno6 · #9 (**permalink**) 07-05-2007, 01:43 PM

I learned the hard way that going unprotected on the internet is as stupid as going naked to the supermarket. You'll attract plenty of attention, all of the wrong sort.
In my case my machine was taken over by another modem and used for international calls. I got off lightly with a $600 phone bill. That $600 was racked up in just one week.
I've been using BlackICE from ISS ever since. It's not free, but it's good protection.
http://blackice.iss.net/demo.php

Digerati · #10 (**permalink**) 07-05-2007, 01:58 PM

Quote:

I got off lightly with a $600 phone bill. That $600 was racked up in just one week.

Yeah, I have heard of much worse. The problem is, it is extremely difficult to prove you are innocent so you get stuck.

You illustrate an excellent point however, one I failed to mention

- many folks assume only "constant on", that is, only broadband users have to worry about badguys taking over their computer since they use dial-up. They just don't think their computer's can, or will, be hijacked and turned into bots or zombies of the badguys. Not so as seen here. Broadband and dial-up users alike can be compromised.

BTW, Paul, you should check the credit bureaus to ensure someone has not taken out a credit card with your stolen identity. Not all ID theives use stolen PI (personal information) to rip you off. Some use it because they need credit - they even pay the bills! Or they use your ID to get a job.