Yes, a website can exploit holes in a browser and place a shell on the computer giving it total access to passwords, installing root kits, etc. The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).tips for Secure Browsing
- Always use the most current version of your browser.
- Check for the “lock” icon on the status bar that shows that you are on a secured web site. Also check that the URL begins with “https” in the location bar when making transactions online.
- In the Tools menu of Firefox, Tools > Options… > Privacy, you can clear your information with one click of a button. This is especially useful when using a computer in a public location.
- Perform transactions (like shopping or submitting personal information) at sites that are well established and that are familiar to you. If you’re not familiar with a site, make sure that the site has a privacy policy and information about the site’s security measures.
- Remember Browsers keep a sandbox for each opened page. Nowadays, a malicious site can take complete control over your computer and look at, modify or destroy anything on your computer!
NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.
NoScript’s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality…
You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
Watch the “Block scripts in Firefox” video by cnet.
Watch the “Block scripts in Firefox” video by cnet.
Staying safe has never been so easy!
Experts will agree: Firefox is really safer with NoScript!
Experts will agree: Firefox is really safer with NoScript!
These details are subjected to a windows machine (So, if you don’t like windows then you should skip this block)An Example of Why Running as an Admin Is Bad
Some nasty malware works only because the user browsing the Web is an administrator. A good example is a recent variation of the Bagle/Beagle worm named W32.Beagle.AV@mm. I would recommend you read up on what the worm does once it is invited onto a computer system. Symantec has a good write-up athttp://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html. I say invited because the malware is not taking advantage of a coding or design defect. It is using simple human error to execute.Among the many things this malware does, all of which require admin rights, are:
- Creating files in the system32 directory.
- Terminating various processes.
- Disabling the Windows Firewall.
- Downloading and writing files to the system32 directory.
- Deletes registry values in HKLM.
All these fail if the user running the e-mail client is not an administrator.So wouldn’t it be useful (read: safer) if you could browse the Web, read e-mail, and so on as a non-admin, even though you need to perform your normal daily tasks as an admin? Luckily, Windows XP and Windows Server 2003 and later support this capability using restricted tokens.The DropMyRights Application
DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user’s token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla’s Firefox, Eudora, or Lotus Notes e-mail. Go to its site to know how to install it.
Chrome, at this time, is the most secure browser that exists in windows, because of the sandboxing techniques it uses which add up to the security.A good description of this sandbox is here: http://dev.chromium.org/developers/design-documents/sandbox
The general idea is that a malicious website will have to use two separate exploits to achieve code execution on your pc: The first one exploiting the browser, the second exploiting the sanbox. This has been proven a very hard thing to do – it has not be done ever.
Internet Explorer 9 is advertised as having a sandbox, but security researchers agree that it is not properly implemented and have demonstrated successful attacks against it.
There are numerous technologies you can use. It all depends on your OS and how far you want to go.
On Windows, the easiest is to use Sandboxie to sandbox your browser. On Linux/BSD you could setup a chroot or jail to run the browser from.
Another choice is to set up a virtual machine using Vmware, KVM , Xen, VirtualBox or Parallels and run a browser in there. This will require you to install a full OS, but will give you an extra level of isolation.
you can also try
Browser SandBox at spoon.net.
See this video, you can never be 100% sure that you are safe, so be careful, don’t open links you don’t know where they go or don’t trust the sites.
NSA (National Security Agency) of United States published a document indicating “Best Practices” for user security on the internet:http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf (link contains detail for a MAC user also)
No comments:
Post a Comment