-
February 2nd, 2002, 09:58 PM
#1
Security eye opener
I stumbled across this and found it interesting if not a little scary. Check it out and run the tests. Running IE5.5 SP2 with Innoculate and the latest free version of Zone Alarm did no good.
I downloaded "SurfinGuardPro 5.6Beta", their latest, after looking up the article in the PC World archives for their take on it.
I'm going to install it and run it for awhile and thought I'd pass the test page on to you since I know some of you are as security conscious as I am.
http://www.finjan.com/mcrc/test.cfm
------------------
"Don't know where I'm goin but there's no sense being late"
Athlon64 3800+, Asus A8V, 4x512 PC3200, 2x160GB SATA Seagate Barracudas, BFG GeForce 6600 OC 256MB, Thermaltake PurePower 500W, Antec P180 case (silent), XP Pro; home built
-
February 2nd, 2002, 10:25 PM
#2
Thanks for the heads up, Griff.
Being paranoid myself, I'm pretty well protected against these things:
ActiveX and Java are set to 'prompt' in NIS, the Windows Scripting Host has been uninstalled, and Mshta.exe, Shscrap.dll, Wscript.exe, C.script.exe, and Scrrun.dll have been renamed to *.old.
And I'm running NAV with the script blocking component. NIS, the Cleaner, BoClean, and Startup Monitor..
I like to think I've got it pretty much covered... 
Tony
-
February 2nd, 2002, 10:28 PM
#3
I rarely run Windoze but for a few minutes a day; I spend most of my time booted to Linux, and without root access in Linux a hacker is a lost puppy...
Besides, what's a hacker gonna do? Steal my mp3s or family photos? hahaha hehehe
Anything crucial is burned to CD-R and then removed from my hard drive...
Got /root???
end
-
February 2nd, 2002, 10:28 PM
#4
Some of their "exploits" can be controlled by IE or application options.
BUT, like everything else, you still need to be aware of the meaning, when a warning comes up.
Java Applet - UNSelect Install on Demand in Tools > Internet Options > Advanced
Activex Control - Tools > Internet Options > Security > {Zone} > Custom Level > UNselect (or prompt) "Run Activex controls & plugins"
Email Attachments - Extensions are changed if you are running ZoneAlarm
Scrap Object - In Word, Tools > Internet Options > Select "Macro Virus Protection".
Direct downloads - Yes, an EXE will definitely get you
The scripts can be intercepted by a utility program like Script Sentry, which also catches HTA, REG, SHS and some other extensions that are just as dangerous.
[This message has been edited by WhitPhil (edited 02-02-2002).]
-
February 3rd, 2002, 12:17 AM
#5
Originally posted by WhitPhil:
Email Attachments - Extensions are changed if you are running ZoneAlarm...
Scrap Object - In Word, Tools > Internet Options > Select "Macro Virus Protection".
WhitPhil (or anyone) - could you please explain what is meant here by extensions being changed in Zone Alarm.
In Word, I don't find an Internet Options in Tools. I do have Options in Tools, but can't find "Macro Virus Protection." Can you describe further where to look? (Could be I am just a bit blind!)
-
February 3rd, 2002, 01:02 AM
#6
Didn't get me - I'm glad to say. I write some filters for others against this kind of stuff and often cruise 'unsavory sites' looking for malicious code.
-
February 3rd, 2002, 04:54 AM
#7
Airhead, see below:
ZoneAlarm MailSafe will quarantine mail attachments and changes their extension.
The conversions are:
.ADE to .ZL0, .ADP to .ZL1, .BAS to .ZL2, .BAT to .ZL3, .CHM to .ZL4,
.CMD to .ZL5, .COM to .ZL6, .CPL to .ZL7, .CRT to .ZL8, .EXE to .ZL9,
.HLP to .ZLA, .HTA to .ZLB, .INF to .ZLC, .INS to .ZLD, .ISP to .ZLE,
.JS to .Z0, .JSE to .ZLF, .LNK to .ZLG, .MDB to .ZLH, .MDE to .ZLI,
.MSC to .ZLJ, .MSI to .ZLK, .MSP to .ZLL, .MST to .ZLM, .PCD to .ZLN,
.PIF to .ZLO, .REG to .ZLP, .SCR to .ZLQ, .SCT to .ZLR, .SHS to .ZLS,
.URL/.ASP to .ZLT, .VB to .Z1, .VBE to .ZLU, .VBS to .ZLV, .WSC to .ZLW,
.WSF to .ZLX, .WSH to .ZLY
-
February 3rd, 2002, 06:11 AM
#8
Signed or unsigned Java applets or *.js files that attempt to do anything other than what is specified in the Microsoft VM Java permissions will not be allowed. The default setting of High (which is provided by the default Medium Internet security setting) gives very limited access to your system without prompting, basically to the URL codebase. Unsigned ones can run in the "sandbox" (thus download without prompting) but do not have access to "protected scratch space"; any little tricks like reading/writing/deleting users' files will result in a prompt if signed and are disabled if not signed.
Signed ActiveX objects will always be prompted to download; once downloaded (if you are silly enough), then scripting of it will occur if it is signed as safe (but as just said, it must be signed and downloaded first).
ActiveX controls and plugins (objects) already stored on your computer will run without prompting; however, they must be downloaded first, and the rules are: not signed, NOT DOWNLOADED in the first place; signed, you will receive a prompt and verification of signature status.
*.vbs files will always initiate a prompt before downloading (just as *.exe, .scr, etc., etc., will).
Install on demand is safe to leave on.
This is probably why the Chaos Computer Club (CCC) http://berlin.ccc.de
are now into encryption and camping out, and Cult of the Dead Cow (cDc) http://www.cultdeadcow.com
are trying to promote their "Back Orifice" as a useful utility along with helping the FBI hack things?...
n.b. I am running IE 5.01 SP2 (all critical updates and patches).
[This message has been edited by lukeg (edited 02-03-2002).]
-
February 3rd, 2002, 11:36 AM
#9
lukeg - "Install on demand is safe to leave on." ??
Really? Maybe I misunderstood that. Are you saying that is true if you've got your other settings the way you have them, or if you're running SurfinGuard, or what?
One of the leading causes of people winding up with things like CC is the fact that they were running their browser with 'Enable Install on Demand' CHECKED (which is the default setting in 'Advanced' tab of Tools/Internet Options).
Did I just miss the whole thing here? Pete
------------------
Compaq 7110US,1.3GHz Athlon,256MB RAM,WinMe, IE5.5,Opera6.01. Mod@ http://yahoo-sucks.hypermart.net/cgi.../ikonboard.cgi & http://pub24.ezboard.com/bsecureyesecurity
Compaq Presario 7110US, 1.3GHz ThunderBird, 1GB RAM, 160GB HD, WinXP Pro w/SP2, TDS-3, WormGuard, Port Explorer v2.0, Process Guard v.3.150, The Cleaner Pro v.4.1 b.4252, TrojanHunter v.4.2 b.908, NOD32, XP ICF, ALL javacool programs, SBS&D, SPYCOP, Opera v.8.0 Build 7561, FireFox v1.0.4, ShadowUser v.2.5, SpyBlocker v8.7, RegDefend v1.300
-
February 3rd, 2002, 12:41 PM
#10
Originally posted by Airhead:
In Word, I don't find an Internet Options in Tools. I do have Options in Tools, but can't find "Macro Virus Protection."
Word: Sorry. Got carried away with the IE options. In Word97, under Tools > Options > General Tab, is "Macro Virus Protection".
ZA: lukeg has listed all the extensions. ZA does not quarantine files with these extensions. It just renames them. Thus, if it sees an email with a file called NEATPGM.exe, it will rename the attachment to NEATPGM.ZL9.
You do need the option set in ZA, Security button, "Enable MailSafe".
Install on Demand?
UNSELECT it. If not, you will get apps "sneaking" into your PC without your knowledge. Comet Cursor is a great example.
When you UNselect it, you get a "Security Warning" telling you something is attempting to install itself, and you can choose whether to carry on or not.
"Signed ActiveX objects will always be prompted to download":
Only if you have the Security option set to PROMPT for "Download signed ActiveX controls".
"ActiveX controls and plugins (objects)...you will receive a prompt..."
Again, only if you have the option set to PROMPT.
As for JS files being able to have "limited access" to your PC, try the following.
Under \Windows\Samples\WSH is a file called Registry.js.
Double click on it. It will add, then delete, keys from your registry.
[This message has been edited by WhitPhil (edited 02-03-2002).]
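To make the MailSafe behaviour described in #7 and #10 concrete, here is an added Python example (not ZoneAlarm's code, and not something posted in this thread) that applies the extension table lukeg posted the way WhitPhil describes: the attachment is delivered under a new name, nothing is quarantined, and the original extension is recoverable. The attachment names it is run on are constructed samples; the ".URL/.ASP" entry is treated as two source extensions sharing one target, which is the reading the table supports.

```python
"""
MailSafe-style attachment renaming reconstructed from the table in post #7.
Added example: not ZoneAlarm's code, and the sample file names are constructed.
"""
import os

# Table exactly as posted (lukeg's copy from filext.com); target extensions
# keep the posted upper case so "NEATPGM.exe" becomes "NEATPGM.ZL9" as in #10.
MAILSAFE_TABLE = """
.ADE to .ZL0, .ADP to .ZL1, .BAS to .ZL2, .BAT to .ZL3, .CHM to .ZL4,
.CMD to .ZL5, .COM to .ZL6, .CPL to .ZL7, .CRT to .ZL8, .EXE to .ZL9,
.HLP to .ZLA, .HTA to .ZLB, .INF to .ZLC, .INS to .ZLD, .ISP to .ZLE,
.JS to .Z0, .JSE to .ZLF, .LNK to .ZLG, .MDB to .ZLH, .MDE to .ZLI,
.MSC to .ZLJ, .MSI to .ZLK, .MSP to .ZLL, .MST to .ZLM, .PCD to .ZLN,
.PIF to .ZLO, .REG to .ZLP, .SCR to .ZLQ, .SCT to .ZLR, .SHS to .ZLS,
.URL/.ASP to .ZLT, .VB to .Z1, .VBE to .ZLU, .VBS to .ZLV, .WSC to .ZLW,
.WSF to .ZLX, .WSH to .ZLY
"""


def parse_table(text):
    """Parse ".SRC to .DST" pairs into a forward map (lower-cased source
    extension -> posted target) and a reverse map (lower-cased target ->
    list of posted source extensions, since .URL and .ASP share .ZLT)."""
    forward, reverse = {}, {}
    for entry in text.replace("\n", " ").split(","):
        entry = entry.strip()
        if not entry:
            continue
        src, dst = (part.strip() for part in entry.split(" to "))
        for ext in src.split("/"):
            forward[ext.lower()] = dst
            reverse.setdefault(dst.lower(), []).append(ext)
    return forward, reverse


MAILSAFE, MAILSAFE_REVERSE = parse_table(MAILSAFE_TABLE)


def mailsafe_rename(filename):
    """Name under which MailSafe would deliver the attachment.
    Only the last extension is inspected, so "photo.jpg.vbs" is still
    caught; names with no listed extension pass through untouched."""
    stem, ext = os.path.splitext(filename)
    target = MAILSAFE.get(ext.lower())
    return filename if target is None else stem + target


def original_extensions(filename):
    """Source extensions a renamed attachment could have had. An empty list
    means the name was never renamed; more than one entry means the
    rename was ambiguous (".ZLT" came from either .URL or .ASP)."""
    _, ext = os.path.splitext(filename)
    return list(MAILSAFE_REVERSE.get(ext.lower(), []))


def process_mailbox(attachments):
    """Apply the rename to a batch and report how many names changed.
    Returns (delivered_names, renamed_count)."""
    delivered = [mailsafe_rename(name) for name in attachments]
    renamed = sum(1 for old, new in zip(attachments, delivered) if old != new)
    return delivered, renamed


if __name__ == "__main__":
    # Constructed sample attachments, not real mail.
    sample = ["NEATPGM.exe", "photo.jpg.vbs", "readme.txt", "link.URL", "setup.ZL9"]
    names, count = process_mailbox(sample)
    for old, new in zip(sample, names):
        print(f"{old:16} -> {new:16} restores to {original_extensions(new)}")
    print(f"{count} of {len(sample)} renamed")
```

The last sample line shows why "renames" is the right word rather than "quarantines": an attachment that already carries a .ZL9 extension is delivered as-is, and the reverse map gives the user (or the friend in #15 who "renames them back") exactly what to rename it to.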
-
February 3rd, 2002, 05:32 PM
#11
Interesting discussion. I kind of suspected it, as we all, in the past, have offered different opinions. It can be confusing because if you haven't downloaded and installed some MS security patches, then you have a different level of risk than a person who has, and Netscape offers different concerns altogether.
Also, ZA does offer other protections as well as Black Ice, Tiny, etc., but complete protection doesn't exist.
Just move your security slider to High in IE and you can't even access Windows Update to download the security patches. Use programs like Napster and you have other worries.
Like most of you I have most everything set for high security but I'm going to try SurfinGuard just for kicks and see what might get through.
-
February 3rd, 2002, 08:09 PM
#12
I disabled ActiveX controls in IE5.5, but now on a lot of pages, including the home page my browser is set to, I get an annoying message saying that ActiveX controls are disabled, blah, blah, some items on this page may not appear correctly, etc. Is there any way to get rid of this, aside from enabling ActiveX controls?
-
February 3rd, 2002, 08:22 PM
#13
I don't think so.
I'm running Norton Internet Security which allows you to block selected content on selected web pages, and that way you don't get the warnings while active content is still being blocked where it needs to be.
I don't think you can disable the messages in Windows, though.
-
February 3rd, 2002, 09:36 PM
#14
Set the option to Prompt instead of disabling it
or
Place the site URL into the trusted zone where activex can be enabled
-
February 4th, 2002, 07:17 AM
#15
StevenPeterYevchak, yes I leave install on demand on and leave my internet security setting on medium (the default setting).
WhitPhil, I am going to see if Comet Cursor can sneak in. If it does, I will take your advice. Also, the *"quarantine" disagreement is probably due to the fact that a friend told me it does, and he uses it, so I presume his does; he also said that when he goes to this *folder it renames them back. Also, it was a copy and paste job from this site: http://filext.com/z.htm
see .ZL?
Also, WhitPhil, I thought I explained that *.js files download without prompting but will be forced to run in the "sandbox". This is entirely different from running from your desktop or the location "Windows\Samples\WSH" (registry.js). I like the code in the file; it is fun, although poorly written (just see below), but when in the "sandbox" it cannot do this stuff.
Luke.
// Constants for WScript.Shell.Popup (same values as the VBScript MsgBox flags).
var vbOKCancel = 1;
var vbInformation = 64;
var vbCancel = 2;

var L_Welcome_MsgBox_Message_Text = "This script demonstrates how to create and delete registry keys.";
var L_Welcome_MsgBox_Title_Text = "Windows Scripting Host Sample";

// Show the welcome box first; the script exits here if the user presses Cancel.
Welcome();

// ********************************************************************************
// *
// * Registry related methods.
// *
// ********************************************************************************
// Everything below runs with the full rights of the logged-on user: WSH has no
// browser sandbox, which is the point WhitPhil raises in #10.
var WSHShell = WScript.CreateObject("WScript.Shell");

WSHShell.Popup("Create key HKCU\\MyRegKey with value 'Top level key'");
WSHShell.RegWrite("HKCU\\MyRegKey\\", "Top level key");

WSHShell.Popup("Create key HKCU\\MyRegKey\\Entry with value 'Second level key'");
WSHShell.RegWrite("HKCU\\MyRegKey\\Entry\\", "Second level key");

WSHShell.Popup("Set value HKCU\\MyRegKey\\Value to REG_SZ 1");
WSHShell.RegWrite("HKCU\\MyRegKey\\Value", 1);

WSHShell.Popup("Set value HKCU\\MyRegKey\\Entry to REG_DWORD 2");
WSHShell.RegWrite("HKCU\\MyRegKey\\Entry", 2, "REG_DWORD");

WSHShell.Popup("Set value HKCU\\MyRegKey\\Entry\\Value1 to REG_BINARY 3");
WSHShell.RegWrite("HKCU\\MyRegKey\\Entry\\Value1", 3, "REG_BINARY");

// Clean up in reverse order: values first, then the keys that held them.
WSHShell.Popup("Delete value HKCU\\MyRegKey\\Entry\\Value1");
WSHShell.RegDelete("HKCU\\MyRegKey\\Entry\\Value1");

WSHShell.Popup("Delete key HKCU\\MyRegKey\\Entry");
WSHShell.RegDelete("HKCU\\MyRegKey\\Entry\\");

WSHShell.Popup("Delete key HKCU\\MyRegKey");
WSHShell.RegDelete("HKCU\\MyRegKey\\");

//////////////////////////////////////////////////////////////////////////////////
//
// Welcome
//
//////////////////////////////////////////////////////////////////////////////////
function Welcome() {
    var WSHShell = WScript.CreateObject("WScript.Shell");
    var intDoIt;

    // Popup(text, secondsToWait, title, buttons); 0 seconds means wait indefinitely.
    intDoIt = WSHShell.Popup(L_Welcome_MsgBox_Message_Text,
                             0,
                             L_Welcome_MsgBox_Title_Text,
                             vbOKCancel + vbInformation);
    if (intDoIt == vbCancel) {
        WScript.Quit();
    }
}
[This message has been edited by lukeg (edited 02-04-2002).]