[dba-SQLServer] Windows Secrets: The Sorry Tale of the (un)Secure Sockets Layer

Hans-Christian Andersen ha at phulse.com
Mon Sep 19 04:19:21 CDT 2011


Regarding locking down the hosts file on Windows, if I'm not mistaken, by
default it should already be set to read-only and require admin privileges.
But, even if you set it to read-only, if you have mistakenly given a
malicious attacker admin privileges (or they have found some other hole
through which to escalate their privileges), wouldn't it be rather trivial for
them to add code to remove the read-only lock from the file? In fact, since
this is the default in Windows, I would imagine attackers are probably already
factoring RO into their code.

Francisco has the right idea in the sense that a very safe environment would
be to have a virtual machine set up to boot a live CD of your favorite
flavour of Linux (or Windows, if possible?) from a virtual drive in your VM,
so that the environment is completely clean and that you know that anything
you have done within that instance of the VM is discarded when you shut it
down. In fact, if you are really paranoid, don't run it through a VM but
from the bare metal of a machine. Then, before surfing, install NoScript and
run a full update of Firefox. It takes a little while to get the environment
prepared, but it might be all worth it if you are doing online banking. It's
what I do.

But, regarding this specific issue with Comodo, DigiNotar (and more, it
appears), it's probably worth looking into managing what certificates you
have within your trusted root store and consider removing ones that you
don't feel comfortable having your computer trust implicitly. (
http://technet.microsoft.com/en-us/library/cc754841.aspx ) There are far too
many in there, which kind of wreaks havoc with the whole chain of trust, in
my opinion.



Hans-Christian




On 18 September 2011 16:09, Francisco Tapia <fhtapia at gmail.com> wrote:

>  Another thing you can attempt is to set up a Linux virtual machine
> that would prevent hackers from reaching your personal data directly.
> I really won't surf the net on Internet Explorer (any version). I only
> use Firefox with NoScript, and being on a Linux machine helps to obfuscate
> as much direct contact as possible...
>
> Sent from my mobile
>
> On Sep 18, 2011, at 1:25 PM, Alan Lawhon <lawhonac at hiwaay.net> wrote:
>
> > Mark:
> >
> > I have a hardware router, (the "Zoom X5" Model 5654 ADSL supplied by my
> > ISP), AVG Internet Security, (including AVG firewall and all the other
> > features that come with the AVG Internet Security Suite), along with
> > AnteSpam email filtering provided by my ISP.  (I don't know this for
> sure,
> > but I think there might be a hardware firewall implemented in my router
> > which blocks any "bad stuff" before it gets to my browser.  If that's the
> > case, then I actually have two [separate] firewalls protecting me.)  I
> also
> > have automatic updates enabled for Windows Update.  (I suppose all this
> > makes me very "security conscious" with my PC.)  In addition, I'm very
> > careful about downloading "ActiveX" components - most of the time I
> refuse
> > them when I'm prompted.  Not sure if that's "smart" or not, but I'm being
> > ultra cautious about downloads.
> >
> > I recall getting some type of virus from an email attachment that I
> > foolishly clicked on many years ago.  Getting that virus (or whatever it
> > was) was a nightmare getting off of my system.  That experience greatly
> > intensified my security awareness.
> >
> > I have gone ahead and changed my Hosts file to read only.  With all the
> > other security I have implemented, setting the Hosts file to RO may be
> > overkill, but the harder I make it for a hacker to get into my computer,
> the
> > better.  I hope the odds of me being the victim of a hacker are [at
> least]
> > 99:1 against.
> >
> > Alan C. Lawhon
> >
> > -----Original Message-----
> > From: dba-sqlserver-bounces at databaseadvisors.com
> > [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Mark
> Breen
> > Sent: Sunday, September 18, 2011 10:19 AM
> > To: Discussion concerning MS SQL Server
> > Subject: Re: [dba-SQLServer] Windows Secrets: The Sorry Tale of the
> > (un)Secure Sockets Layer
> >
> > Hello Stuart
> >
> > Is this your command on your shortcut
> >
> > C:\Windows\system32\notepad.exe C:\Windows\System32\drivers\etc\hosts
> >
> > Me too.
> >
> > Hello Alan,
> >
> > you could do that, but my opinion is that if someone gets to your hosts
> file
> > and wants to change it you have so many problems that your hosts file
> being
> > RO is not going to make a difference anyway.  I would suggest instead to
> run
> > like hell.
> >
> > Mark
> >
> >
> > On 17 September 2011 22:18, Stuart McLachlan <stuart at lexacorp.com.pg>
> wrote:
> >
> >> As a general rule, an RO hosts file makes sense. Very few people ever
> need
> >> special entries
> >> in it.
> >>
> >> OTOH, I have a shortcut to mine in a folder on my desktop because I edit
> > it
> >> quite often,
> >>
> >> --
> >> Stuart
> >>
> >> On 17 Sep 2011 at 10:39, Alan Lawhon wrote:
> >>
> >>>
> >>> http://windowssecrets.com/top-story/the-sorry-tale-of-the-unsecure-sockets-layer/
> >>>
> >>>   http://tinyurl.com/3z9awxj
> >>>
> >>>
> >>>
> >>> This is a follow-up article to the story concerning corrupted root
> >>> certificates which I posted last week.  Microsoft issued an
> >>> out-of-cycle security patch to eliminate the source of the phony
> >>> certificates, (i.e. DigiNotar), and remove the threat to users of
> >>> Internet Explorer and other browsers.
> >>>
> >>> Since more than 99 percent of the potential "victims" of this security
> >>> breach were located over in Iran, Woody Leonhard seems to be implying
> >>> that this may be a case of the Government of Iran eavesdropping on its
> >>> citizens; thus there is little (if any) chance of this breach
> >>> adversely affecting users outside of Iran - like us.  Still, his
> >>> analysis of the "lax process" by which root certificates are issued is
> >>> illuminating.
> >>>
> >>> At the end of his article, Woody recommends that users consider
> >>> modifying their "Hosts" file (to read only) in order to "lock" their
> >>> system and prevent man-in-the-middle attacks and other
> >>> security-related vulnerabilities.  Before I modify a system file, I
> >>> want to check with the experts on here.  Are most of you in agreement
> >>> that changing your "Hosts" file (to read only) is a good idea?  (I
> >>> wonder why Microsoft doesn't make the "Hosts" file read only by
> >>> default?)
> >>>
> >>> Alan C. Lawhon
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> dba-SQLServer mailing list
> >>> dba-SQLServer at databaseadvisors.com
> >>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> >>> http://www.databaseadvisors.com
> >>>
> >>>
> >>
> >>
> >>
>
>
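An added example, not code posted by anyone in this thread, that puts the two points above into PowerShell. First, the hosts-file point: the read-only attribute is a hint rather than an access control, so the script shows who actually holds write access on the file and which entries point anywhere other than loopback, which is what a hosts-file hijack of a banking site looks like. Second, the root-store point: it enumerates the trusted roots Hans-Christian mentions and picks out the ones present only for the current user (the machine roots are also visible in the CurrentUser view, so a plain listing of that store does not show the difference), and shows how one root is removed by thumbprint. The function names are this example's own; it relies only on built-in cmdlets and the Cert: drive on Windows PowerShell 3.0 or later, and the attribute-clearing line is left commented out.

```powershell
# Added example, not from the thread. Audits the hosts file and the trusted root
# stores on Windows using only built-in cmdlets. Run elevated for the full picture.
# Function names below are this example's own, not Windows or thread names.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    # Active (non-comment) hosts lines as Address/Names objects.
    Get-Content -Path $HostsPath |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
        Where-Object { $_ } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            [pscustomobject]@{
                Address = $parts[0]
                Names   = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
            }
        }
}

function Get-SuspiciousHostsEntries {
    # Loopback and 0.0.0.0 entries block or localise names; anything else sends a
    # name to another machine, which is what a hijacked banking entry looks like.
    Get-HostsEntries | Where-Object { $_.Address -notin @('127.0.0.1', '::1', '0.0.0.0') }
}

function Show-HostsProtection {
    # IsReadOnly is an attribute any principal with Modify rights can clear. The ACL
    # is what decides who may change the file; by default that is Administrators.
    $acl = Get-Acl -Path $HostsPath
    [pscustomobject]@{
        ReadOnly = (Get-Item -Path $HostsPath).IsReadOnly
        Owner    = $acl.Owner
        CanWrite = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights -match 'Write|Modify|FullControl' } |
            ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}

# What an elevated attacker does before editing the file (deliberately commented out):
# Set-ItemProperty -Path $HostsPath -Name IsReadOnly -Value $false

function Get-TrustedRoots {
    # Certificates in the Root store for one scope. Note that Windows also trusts roots
    # it fetches on demand into Cert:\LocalMachine\AuthRoot, so Root alone understates
    # the full list; and the CurrentUser view includes the machine roots.
    param([ValidateSet('LocalMachine', 'CurrentUser')] [string]$Scope = 'LocalMachine')
    Get-ChildItem -Path "Cert:\$Scope\Root" | ForEach-Object {
        [pscustomobject]@{
            Scope      = $Scope
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

function Get-UserOnlyRoots {
    # Roots trusted for this user but not installed machine-wide. A root added without
    # admin rights, by the user or by code running as the user, lands here.
    $machine = Get-TrustedRoots -Scope LocalMachine | Select-Object -ExpandProperty Thumbprint
    Get-TrustedRoots -Scope CurrentUser | Where-Object { $_.Thumbprint -notin $machine }
}

function Remove-TrustedRoot {
    # Stop trusting one root by thumbprint. CurrentUser needs no elevation (Windows
    # shows a confirmation dialog for the user root store); LocalMachine does.
    param([Parameter(Mandatory)] [string]$Thumbprint,
          [ValidateSet('LocalMachine', 'CurrentUser')] [string]$Scope = 'CurrentUser')
    Get-ChildItem -Path "Cert:\$Scope\Root" |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Remove-Item
}

Show-HostsProtection | Format-List
Get-SuspiciousHostsEntries | Format-Table -AutoSize
Get-UserOnlyRoots | Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Run it from an elevated prompt once to see the ACL on the hosts file; if anything beyond SYSTEM, Administrators and TrustedInstaller appears under CanWrite, that is a far more useful finding than the state of the read-only bit. Anything returned by Get-UserOnlyRoots deserves to be identified before it is kept; a root you cannot account for is removed with Remove-TrustedRoot -Thumbprint <thumbprint>.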


