jwcolby
jwcolby at colbyconsulting.com
Mon Sep 19 05:45:18 CDT 2011
I run Firefox and my email programs inside of a sandbox called DropMyRights. Nothing can install
without my intentionally going to a version not under the sandbox. And what does run only has
regular user privileges.

John W. Colby
www.ColbyConsulting.com

On 9/19/2011 5:19 AM, Hans-Christian Andersen wrote:
> Regarding locking down the hosts file on Windows, if I'm not mistaken, by
> default it should already be set to read-only and require admin privileges.
> But, even if you set it to read-only, if you have mistakenly given a
> malicious attacker admin privileges (or they have found some other hole in
> which to escalate their privileges), wouldn't it be rather trivial for them
> to add code to remove the read-only lock from the file? In fact, since this
> is the default in Windows, I would imagine attackers are probably already
> factoring RO into their code.
>
> Francisco has the right idea in the sense that a very safe environment would
> be to have a virtual machine set up to boot a live CD of your favorite
> flavour of Linux (or Windows, if possible?) from a virtual drive in your VM,
> so that the environment is completely clean and that you know that anything
> you have done within that instance of the VM is discarded when you shut it
> down. In fact, if you are really paranoid, don't run it through a VM but
> from the bare metal of a machine. Then, before surfing, install NoScript and
> run a full update of Firefox. It takes a little while to get the environment
> prepared, but it might be all worth it if you are doing online banking. It's
> what I do.
>
> But, regarding this specific issue with Komodo, DigiNotar (and more, it
> appears), it's probably worth looking into managing what certificates you
> have within your trusted root store and consider removing ones that you
> don't feel comfortable having your computer trust implicitly.
> (http://technet.microsoft.com/en-us/library/cc754841.aspx) There are far too
> many in there, which kind of wreaks havoc with the whole chain of trust, in
> my opinion.
>
> Hans-Christian
>
> On 18 September 2011 16:09, Francisco Tapia <fhtapia at gmail.com> wrote:
>
>> Another thing you can attempt is to set up a Linux virtual machine
>> that would prevent hackers from reaching your personal data directly.
>> I really won't surf the net on Internet Explorer (any version). I only
>> use Firefox with NoScript and on a Linux machine helps to obfuscate as
>> much direct contact as possible...
>>
>> Sent from my mobile
>>
>> On Sep 18, 2011, at 1:25 PM, Alan Lawhon <lawhonac at hiwaay.net> wrote:
>>
>>> Mark:
>>>
>>> I have a hardware router, (the "Zoom X5" Model 5654 ADSL supplied by my
>>> ISP), AVG Internet Security, (including AVG firewall and all the other
>>> features that come with the AVG Internet Security Suite), along with
>>> AnteSpam email filtering provided by my ISP. (I don't know this for sure,
>>> but I think there might be a hardware firewall implemented in my router
>>> which blocks any "bad stuff" before it gets to my browser. If that's the
>>> case, then I actually have two [separate] firewalls protecting me.) I also
>>> have automatic updates enabled for Windows Update. (I suppose all this
>>> makes me very "security conscious" with my PC.) In addition, I'm very
>>> careful about downloading "ActiveX" components - most of the time I refuse
>>> them when I'm prompted. Not sure if that's "smart" or not, but I'm being
>>> ultra cautious about downloads.
>>>
>>> I recall getting some type of virus from an email attachment that I
>>> foolishly clicked on many years ago. Getting that virus (or whatever it
>>> was) was a nightmare getting off of my system. That experience greatly
>>> intensified my security awareness.
>>>
>>> I have gone ahead and changed my Hosts file to read only. With all the
>>> other security I have implemented, setting the Hosts file to RO may be
>>> overkill, but the harder I make it for a hacker to get into my computer, the
>>> better. I hope the odds of me being the victim of a hacker are [at least]
>>> 99:1 against.
>>>
>>> Alan C. Lawhon
>>>
>>> -----Original Message-----
>>> From: dba-sqlserver-bounces at databaseadvisors.com
>>> [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Mark Breen
>>> Sent: Sunday, September 18, 2011 10:19 AM
>>> To: Discussion concerning MS SQL Server
>>> Subject: Re: [dba-SQLServer] Windows Secrets: The Sorry Tale of the
>>> (un)Secure Sockets Layer
>>>
>>> Hello Stuart
>>>
>>> Is this your command on your shortcut
>>>
>>> C:\Windows\system32\notepad.exe C:\Windows\System32\drivers\etc\hosts
>>>
>>> Me too.
>>>
>>> Hello Alan,
>>>
>>> you could do that, but my opinion is that if someone gets to your hosts file
>>> and wants to change it you have so many problems that your hosts file being
>>> RO is not going to make a difference anyway. I would suggest instead to run
>>> like hell.
>>>
>>> Mark
>>>
>>> On 17 September 2011 22:18, Stuart McLachlan <stuart at lexacorp.com.pg> wrote:
>>>
>>>> As a general rule, an RO hosts file makes sense. Very few people ever need
>>>> special entries in it.
>>>>
>>>> OTOH, I have a shortcut to mine in a folder on my desktop because I edit it
>>>> quite often,
>>>>
>>>> --
>>>> Stuart
>>>>
>>>> On 17 Sep 2011 at 10:39, Alan Lawhon wrote:
>>>>
>>>>> http://windowssecrets.com/top-story/the-sorry-tale-of-the-unsecure-sockets-layer/
>>>>>
>>>>> http://tinyurl.com/3z9awxj
>>>>>
>>>>> This is a follow-up article to the story concerning corrupted root
>>>>> certificates which I posted last week. Microsoft issued an
>>>>> out-of-cycle security patch to eliminate the source of the phony
>>>>> certificates, (i.e. DigiNotar), and remove the threat to users of
>>>>> Internet Explorer and other browsers.
>>>>>
>>>>> Since > than 99 percent of the potential "victims" of this security
>>>>> breach were located over in Iran, Woody Leonhard seems to be implying
>>>>> that this may be a case of the Government of Iran eavesdropping on its
>>>>> citizens; thus there is little (if any) chance of this breach
>>>>> adversely affecting users outside of Iran - like us. Still, his
>>>>> analysis of the "lax process" by which root certificates are issued is
>>>>> illuminating.
>>>>>
>>>>> At the end of his article, Woody recommends that users consider
>>>>> modifying their "Hosts" file (to read only) in order to "lock" their
>>>>> system and prevent man-in-the-middle attacks and other
>>>>> security-related vulnerabilities. Before I modify a system file, I
>>>>> want to check with the experts on here. Are most of you in agreement
>>>>> that changing your "Hosts" file (to read only) is a good idea? (I
>>>>> wonder why Microsoft doesn't make the "Hosts" file read only by
>>>>> default?)
>>>>>
>>>>> Alan C. Lawhon
>>>>>
>>>>> _______________________________________________
>>>>> dba-SQLServer mailing list
>>>>> dba-SQLServer at databaseadvisors.com
>>>>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
>>>>> http://www.databaseadvisors.com
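
The thread's point that an attacker with admin rights can simply clear the read-only flag suggests checking what the hosts file contains rather than relying on the attribute. The following is an added example, not part of the original thread: the sample file, hostnames, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed sample hosts file (not from the thread): stock loopback entries,
# an ad-blocking sinkhole, one redirect of a bank name, and one malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # sinkhole
203.0.113.45    www.bank.example login.bank.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue                           # blank, comment-only or nameless line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address: skip
        yield line_no, ip, fields[1:]

def entries_to_review(text):
    """Entries that map a name to a routable address.

    Loopback and 0.0.0.0/:: entries are the usual defaults and sinkholes.
    Anything else sends traffic for that name to another machine; it may be
    a deliberate manual entry, so it is reported for review, not removed.
    """
    return [(n, str(ip), names) for n, ip, names in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]

def sha256_of(text):
    """Hex SHA-256 of the file content, recorded while the file is known good."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def changed_since(text, baseline_sha256):
    """True if the content no longer matches the recorded baseline hash."""
    return sha256_of(text) != baseline_sha256
```

On a real machine, pass in the text of the file at the path quoted in the thread (C:\Windows\System32\drivers\etc\hosts) and keep the baseline hash somewhere the monitored account cannot write.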