From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: January 15 is Personal Firewall Day, help the cause

Hi Jim,

On Sat, 17.01.2004 at 19:20, Jim Race wrote:
> Since the ping-pong game is far past 21 points...

:-)

> How safe would you consider:
> 
> A WinXP box with all current patches

There is no such thing as a WinXP box with all current patches :-) Since
installing all patches that Microsoft makes available still doesn't mean
every critical bug is fixed you should find out as much as possible
about the unfixed bugs. For example there is still a URL spoofing bug in
the Internet Explorer 6 which hasn't been fixed for more than 2 months.
I am pretty sure there are lots more. The dilemma is that MS doesn't
seem to think full-disclosure is the way to go...

Knowing about the unfixed bugs is as important as installing all the
patches that are available.

Consider using alternative software in the meantime, thus replace IE6
with Mozilla and so on.

> A properly configured HW firewall

This is pretty good. I don't like hardware firewalls since those are
less flexible than say a barebone Unix/Linux firewall, but this is
probably the most effective end user protection in front of Windows XP
boxes. Be careful though. Inside a hardware router some kind of software
is running (most often based on Linux :-)) and it can contain bugs too.
From time to time there are firmware updates available from your
firewall vendor. Inform yourself about this by checking the vendor's
website.

> ICF enabled, web services ONLY enabled and all ICMP requests disabled

You have to find out if there are any known vulnerabilities to the
services you use and if yes, how to fix them. It's a pity pivX took
their list offline. Instead they are promoting personal firewalls now in
association with MS...

> Apache (latest) installed with no add'l modules (static pages only)

Be sure to keep it patched. Static pages are good (no possibility of
injecting parameters). Check whether the cgi-bin directory is accessible
from the outside! (shouldn't be by default)

> NOT running Outlook or OE

Very good ;-) This is probably the most important measure :-)

> Mozilla with Java and JS disabled in email

If you want to protect your privacy then disable HTML displaying in your
mail client and forbid the loading of external content from within a
displayed mail.

> An "admin" who knows not to run attachments

:-)

> No add'l (hated) SW firewalls

A personal firewall is not bad. It's an addition. But it's not the cure.
If you are sure the intended users of the machine know what to do with
all the interactions that are required to run a personal firewall then
install one. It will be hard to configure your hardware router so that
it stops specific processes from connecting _to_ the Internet (in
contrast to _from_). A personal firewall can be of much use here, provided
the users know how to use it.

> No AV stuff running, except when scanning known executables

Some AV software should be running at all times. There are usable
products available for free, personal use only of course. Have a look at
antivir.de.

Be sure to get rid of adware too. Use Adaware or Spybot regularly.

> I am of course, asking for a "friend".

Probably the most important thing when running Windows XP: none of the
users should work as administrator or any other account with those
rights. Windows XP Home creates only users with administrative rights by
default. Be sure to tweak this behaviour. Users should always work with
minimal rights, just as much as they need to perform their tasks. It's
not that you don't trust the users, but any malware initiated inside
their user session will run with their rights!

And last but certainly not least: make regular backups.

Additional measures: Have some sort of bootable live CD available. There
are a lot of Linux-based live CDs available on the Internet which contain
f-prot and lots of recovery and diagnostic tools. It's very handy to
have one of those lying around.

cheers,
Tobias

