Full Version: The WWWeb Security F.A.Q
Moore
#################################################################

The World Wide Web Security FAQ

#################################################################


Web surfing feels both safe and anonymous.
It's not. Active content, such as ActiveX controls and Java applets,
introduces the possibility that Web browsing will introduce viruses or other malicious software into the user's system.
Active content also has implications for the network administrator,
insofar as Web browsers provide a pathway for malicious software to bypass the firewall system and enter the local area network.

Even without active content, the very act of browsing leaves an electronic record
of the user's surfing history, from which unscrupulous individuals can reconstruct
a very accurate profile of the user's tastes and habits.

- http://www.w3.org/Security/faq/www-security-faq.html

Securing against Denial of Service attacks
- http://www.w3.org/Security/faq/wwwsf6.html

Client Side Security
- http://www.w3.org/Security/faq/wwwsf2.html

------------

Introduction to Web Browser Privacy & Security:
- https://netfiles.uiuc.edu/ehowes/www/btw/br...r-sec-intro.htm

------------

Setting up Internet Explorer Security zones:
- http://www.microsoft.com/windows/ie/using/...tup.asp#activex


Cookies Information:
- http://mrcorp.infosecwriters.com/contribs/cookie.htm

http://www.bluetack.co.uk/forums/index.php...hp?showforum=10


Great page on JavaScript:
http://www.tom-cat.com/javascript.html


Adding sites\servers to the Internet Explorer Restricted Zone
http://www.mvps.org/winhelp2002/restricted.htm


Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm


Understanding security zones

Internet Explorer divides your Internet world into zones, so that you can assign a Web site to a zone with a suitable security level.

You can tell which zone the current Web page is in by looking at the right side of the Internet Explorer status bar. Whenever you attempt to open or download content from the Web, Internet Explorer checks the security settings for that Web site's zone.

There are four zones:

QUOTE
Internet zone: By default, this zone contains anything that is not on your computer or an intranet, or assigned to any other zone. The default security level for the Internet zone is Medium. You can change your privacy settings for the Internet zone on the Privacy tab in Internet Options. For more information, click Related Topics.

Local intranet zone: This zone typically contains any addresses that don't require a proxy server, as defined by the system administrator. These include sites specified on the Connections tab, network paths (such as \\computername\foldername), and local intranet sites (typically addresses that don't contain periods, such as http://internal). You can add sites to this zone. The default security level for the Local intranet zone is Medium, therefore, Internet Explorer will allow all cookies from Web sites in this zone to be saved on your computer and read by the Web site that created them.

Trusted sites zone: This zone contains sites you trust--sites that you believe you can download or run files from without worrying about damage to your computer or data. You can assign sites to this zone. The default security level for the Trusted sites zone is Low, therefore, Internet Explorer will allow all cookies from Web sites in this zone to be saved on your computer and read by the Web site that created them.

Restricted sites zone: This zone contains sites you don't trust--sites that you're not sure whether you can download or run files from without damage to your computer or data. You can assign sites to this zone. The default security level for the Restricted sites zone is High, therefore, Internet Explorer will block all cookies from Web sites in this zone.



In addition, any files already on your local computer are assumed to be very safe, so minimal security settings are assigned to them. You cannot assign a folder or drive on your computer to a security zone.

You can change the security level for a zone; for example, you might want to change the security setting for your Local intranet zone to Low. Or, you can customize the settings within a zone. You can also customize settings for a zone by importing a privacy settings file from a certificate authority.



With features in HTML Help, you can run executable programs from a help (.chm) file.
The Shortcut command is used to run an executable program that is external to the Help file.
The WinHelp command is used to run Winhlp32.exe to display a Winhelp (.hlp) file.
This article describes how to restrict the Help files that are allowed to use the Shortcut and WinHelp commands.

http://support.microsoft.com/?kbid=810687


ActiveX :
-even with code signing- is fundamentally insecure.
Turn off all ActiveX support (download & scripting)
in your browser on the Internet security zone and in Outlook and Outlook Express-
and see if it fundamentally degrades your Internet experience.

Why ActiveX is insecure
ActiveX controls are just Windows programs downloaded from Web sites
and run from inside your PC.
The browser verifies the "digital signature" of the program to ensure
that it has not been modified since it was written,
but can not verify that the control has good intentions -it,
and you, have to trust the developers.


Each scripting language (JavaScript, VBScript, JScript)
has its own syntactical rules, and you should normally not worry about them.

We can also consider Java and Flash Action Script as such scripting languages
(although they are precompiled instead of being interpreted on the fly,
but this difference is of no importance here),
because they too are executed on the client side.

All these languages were designed to be 'secure' in the means that they cannot
(rather SHOULD not) read or write files from the user's machine, execute local commands, etc.

The sad thing is that exploits are continuously found, which explore bugs in the scripting system,
allowing anything from slight annoyances (like opening all your CD trays at once)
to serious security breaches
(full read/write/execute access to the victim's machine).

That's why common sense dictates that we browse with scripting turned off
(no matter what browser we use).

Besides exploits, which are abnormal behaviour of the scripting system,
its normal behaviour has some uncanny features too.

Being integrated with your browser, JavaScript for example knows WHAT kind of browser it is, what is your OS, your screen resolution, color-depth, browser history and even the contents of your clipboard!
You may think that this is okay, since it's executed only on your machine, but it's not.

Have a look at your information at these sites:

http://privacy.net/analyze/
http://www.gemal.dk/browserspy/
http://www.elfqrin.com/binfo.shtml
http://www.interlacken.com/tricks/exec/tri...k02/egyprop.asp

Qualys Browser Checkup
http://browsercheck.qualys.com/

List of personal privacy and browser security tests:
https://netfiles.uiuc.edu/ehowes/www/info17.htm


Someone may decide to include in the page's source an image tag, and the image source they provide is in fact a masqueraded SERVER-SIDE script, which, when your browser blindly goes to download that image, will receive the referring URL.

Or they can make the page periodically check (while it is active) if there's something new in the clipboard and send it to their server.

Do you copy and paste your passwords?


Also believe it or not, a hacker could probably crack your typical password
in minutes using a variety of readily available software programs.

Thwart their efforts by choosing your password wisely.
Think up creative combos that you'll easily remember.

Here are some tips to creating a solid password:

Use a password that is at least six characters long.
The more characters your password contains, the more difficult it can be to figure out.
Use a password that is easy for you to remember
(so you don't have to write it down), but difficult for others to guess.
For example, use your college town and graduation year or your favorite movie and lucky number.
Use a combination of upper and lowercase letters, punctuation and numbers.
Choose two short words that have nothing in common and combine them with punctuation or numerals, like "moss9desk" or "fast!carpet."
Use a familiar phrase but substitute zeroes for "o"s, or ones for "i"s.
Use an acronym by choosing a line from a song and using the first letter of each word
Use different passwords for each account.
Change your password regularly.

Avoid vulnerable passwords using these guidelines:

Do not use names or numbers easily associated with you,
such as your birth date or nickname.
Don't use a username or login name as your password too.
Don't use the word "password."
Don't use other information easily obtained about you.
This includes license plate numbers, telephone numbers,
social security numbers, or the name of the street you live on.

Keeping Your Password Safe

When you've picked a hard-to-hack password,
be sure to keep it as secure as possible.

Don't email your password to anyone (ever!) and if someone calls you asking for your password, don't tell them.

One common way hackers have tried to obtain passwords in the past is by calling or emailing, claiming they are from an ISP and need your password.
Beware of social engineering tricks such as these.
Most ISPs will inform you in their contract or on their website that they will NEVER ask for your password.

Secrets to the best passwords here

"When you create a password, substitute a number where a letter would appear.
Some examples:
scuba becomes 5cu8a
water becomes w4t3r
icecream becomes 1c3cr34m"

arachnophobia : Ar@k_n0ph061a
the longer the password the better and the longer it takes to crack.

Passwords vs Public Key Cryptography for encryption
- http://www.articsoft.com/encryption.htm

new computerworld security page:
- http://www.computerworld.com/securitytopic...ecurity/report/


--------------------------------------------------------------

HOW to run Windows ME well :

[Win ME users need all the help they can get]

http://www.burzurq.com/forum/trevtweak.html

QUOTE
This post is designed to act as a reference to which people can be directed in the forum when their system is not performing well or there are frequent crashes happening. These moves solve a large number of ME problems and conflicts and are designed to remove largely unnecessary features of the system to improve performance, as well as encouraging you to do regular housekeeping on your PC to keep it running well.



--------------------------------------------------------------

Show Hidden File Extensions

By default in Windows, Windows Explorer and other Microsoft applications do not show the extension of files
if the extension is "known" to the operating system.
This is potentially dangerous with the many viruses that are distributed today with a so-called "double extension";
e.g., a file named foo.jpg.exe.
This is an executable file because of the .exe extension.
If extensions are hidden, however, the user will only see the name foo.jpg and might open this, mistaking it for a JPEG file.

Many viruses and trojans can use double extensions to trick people into running a file.

To display file extensions:
go to start--> settings--> control panel-->folder options--> view--> show hidden files

or if you hate my instructions try these:

QUOTE
How to Show System Files

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP

Windows 95
Open My Computer.

Select the View menu and click Options.

Select the View Tab.

Select the Show all files Radio Button.

Click OK.

Windows 98
Open My Computer.

Select the View menu and click Folder Options.

Select the View Tab.

In the Hidden files section select Show all files.

Click OK.


Windows ME
Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Click Start, Programs and Accessories and open Windows Explorer.

Select a hard drive from the left hand side of the Windows Explorer window.

Select View the Entire contents of this drive.

Windows 2000
Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Windows XP
Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.



---------------------------------------------------------------------


- NET SEND on Windows
- http://www.chebucto.ns.ca/~rakerman/trojan...port-table.html

There has been an ongoing problem with spammers abusing Windows NET SEND to send spam to open computers.
This will pop up a window on a Windows machine, using the Messenger Service
(note this is different from Windows or MSN Messenger, it's a low-level service built-in to the Windows operating system).

The recent messages are making it past the usual NetBIOS filters (ports 137-139, port 445)
because in Windows 2000 and XP, the Messenger Service now works using RPC.
A lookup is done on port 135 (epmap, DCE [RPC] endpoint resolution).
That tells what high-numbered port the Messenger Service is listening on.
The best way to stop this is to permanently disable the Messenger Service.
You may also want to block port 135.
I have also included information about Microsoft Distributed COM (DCOM), which uses port 135.


---------------------------------------------------------------------

Encryption and Security-related Resources

A very basic introductory guide to cryptography products.
Written way back in 1998, but interesting information nevertheless:
Good cryptography is an excellent and necessary tool for almost anyone.
Many good cryptographic products are available commercially, as shareware, or free.
However, there are also extremely bad cryptographic products which not only fail to provide security,
but also contribute to the many misconceptions and misunderstandings surrounding cryptography and security.

- http://www.interhack.net/people/cmcurtin/s...ke-oil-faq.html


Some cryptographic experts feel that already 1024-bit keys are too weak for certain kinds of sensitive data, like root certificates of an organization's certificate authority or PKI infrastructure.
Consider the leaps and bounds with which technology is progressing.
Moore's law states that processing speed will double every 18 months.
If this law continues to hold true, it won't be long before we see Pentium VI 8-GHz machines on the market, thereby increasing the odds of implementing high-speed number crunchers -- perhaps within three to four years.

- PGP FAQ
- http://www.pgpi.org/
- http://www.cs.auckland.ac.nz/~pgut001/links.html
- http://www.jetico.com/
- http://www.scramdisk.clara.net/
- http://www.echeque.com/kong/kong.htm

-NetAction's Guide to Using Encryption Software
- http://www.netaction.org/encrypt/guide.txt

----------------------------------------------------------------

easynet Nederland Virusblock Statistics (May 12)
- http://basic.wirehub.nl/viruscount.html
(continuously updated list of detected email viruses)

Setting up a secure computer and alternatives to evidence eliminator;
(try Window Washer,Eraser and Mru Blaster instead)

- http://evidence-eliminator-sucks.com/eesuc...alsecurity.html


----------------------------------------------------------------------

MALWARE:
also read the bluetack spywaresucks guide:
http://www.bluetack.co.uk/forums/index.php...hp?showtopic=76

**Read THIS page on why personal firewalls are absolutely useless if you accidentally/purposely install malicious software or MALware;
if you install malware on your system, your system is lost, regardless of what kind of protection software you install.
So don't install every untrusted software. Better to be safe than sorry.
If you have important data on your system, don't use it on the internet, as no malware detection software nor personal firewall will change that, ever.
There are some technical solutions ranging from using non-privileged accounts to real secure operating systems
(like the militaries) but all of those solutions are currently not mainstream,
cost a lot of time and money.

Various kinds of possible Malware exploits:

Hidden manipulation
Parameter tampering
Cookie poisoning
Stealth commanding
Forceful browsing
Backdoors and debug options
Third-party misconfiguration
Cross-site scripting
Buffer overflow
Published vulnerabilities

- read THIS page on what malware is capable of doing to you


List of MALWARE control utilities....
Online Virus Scanners
Sandbox Utilities & Script Defense
Email Protection
Standalone Removal Tools
AV Boot Disks
Other
- http://www.staff.uiuc.edu/~ehowes/soft3.htm

Reverse Engineering Malware:
- http://mrcorp.infosecwriters.com/Reverse_Engineer.htm

Malware exploits Include;

Exploit.Applet.ActiveXComponent
- Exploits a security breach in MS Internet Explorer and Outlook - (com.ms.activeX.ActiveXComponent security vulnerability).

This security flaw gives remote scripts and HTML pages access to any ActiveX control, which is installed on a victim's computer.
The remote script can gain full control of a victim's computer, including the ability to read and write files on hard disks.

An ActiveX control is one of several types of programs that web sites can invoke on your computer.

Unlike the scripts and applets which are delivered by websites, ActiveX controls are programs already inside your computer, automatically installed by other programs such as Acrobat Reader, Macromedia's Flash Movie Player, and the Google search toolbar, to name a few.

Malware: Evolution : 06/09/02

------------------------------------------------------------------------------------------

Uninstalling the MS Java VM

http://209.133.47.200/~merijn/uninstmsjava.html

The Microsoft Java Virtual Machine (MS Java VM) handles Java applets on web pages, compiling and executing them.
Currently Microsoft no longer supports the MS Java VM, and preinstalled machines with Windows XP and Service Pack 1a (SP1a) come without it.

Older machines still have the MS Java VM.

The Sun Microsystems Java VM is a replacement for the now obsolete MS Java VM. Instructions on replacing the MS Java VM with the Sun Java VM are as follows:

Click Start, Run and enter:

RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall


Click Yes to confirm the uninstall, and restart your system when it's complete.


Delete the following if they are still present:
The folder c:\windows\java
c:\windows\inf\java.pnf
c:\windows\system32\jview.exe
c:\windows\system32\wjview.exe


Click Start, Run and enter regedit to start the Registry Editor.
Browse to the following keys, highlight and delete them:
HKEY_LOCAL_MACHINE\Software\Microsoft\Java VM
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM
* For Windows NT4 and Windows 2000, replace c:\windows with c:\winnt.
* For Windows 95, 98, 98SE and ME, replace c:\windows\system32 with c:\windows\system.

You can now download the Sun Java VM from here:


http://www.java.com/



-----------------------------------------------------------------
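The double-extension trick from the "Show Hidden File Extensions" part of the post above, turned into a check. This is an added example, not part of the original post: it flags names such as foo.jpg.exe and shows what a listing with hidden extensions would display. The two extension sets and the sample paths are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, available on every platform

# Assumed lists for illustration; extend them for your environment.
EXECUTABLE = {".exe", ".com", ".bat", ".vbs", ".scr", ".pif", ".cmd"}
DECOY = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf", ".mp3", ".zip"}


def name_with_hidden_extension(name):
    """Approximate what a file listing shows when known extensions are hidden.

    Only the last extension is dropped, so foo.jpg.exe is displayed as foo.jpg.
    Padding spaces before the real extension are trimmed for readability.
    """
    stem, ext = ntpath.splitext(name)
    return stem.rstrip() if ext.lower() in EXECUTABLE | DECOY else name


def is_double_extension(name):
    """True when an executable extension follows a harmless-looking one."""
    name = name.rstrip(". ")            # Windows ignores trailing dots and spaces
    stem, ext = ntpath.splitext(name)
    inner = ntpath.splitext(stem.rstrip())[1]   # tolerate "foo.jpg      .exe"
    return ext.lower() in EXECUTABLE and inner.lower() in DECOY


def flag_double_extensions(paths):
    """Return (path, displayed_name) for every suspicious path."""
    flagged = []
    for path in paths:
        name = ntpath.basename(path)
        if is_double_extension(name):
            flagged.append((path, name_with_hidden_extension(name)))
    return flagged


# Constructed sample paths (not taken from any real system).
SAMPLE_PATHS = [
    r"C:\Temp\foo.jpg.exe",
    r"C:\Temp\holiday.jpg",
    r"C:\Temp\invoice.pdf          .scr",
    r"C:\Temp\setup.exe",
    r"C:\Temp\notes.v2.txt",
    r"C:\Temp\README.TXT.VBS",
]

if __name__ == "__main__":
    for path, shown in flag_double_extensions(SAMPLE_PATHS):
        print(f"{path!r} would be displayed as {shown!r}")
```
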
Moore
JavaScript - Danger or Paranoia?

Many internet users keep JavaScript disabled for everything in their browsers. The fear of this widely used internet programming language results mostly from the discovery of security holes in browsers and e-mail clients, especially Microsoft Internet Explorer and Outlook. In fact, the first thing Microsoft will advise when a new security hole is discovered is "disable active scripting in your Internet Security settings". Although this is certainly one method of controlling what a hostile script might do until the next browser patch or update is issued, it makes far more sense to understand what scripting can and cannot do. While the vulnerabilities are especially a risk in programs where patches and updates are not applied, the threat is persistent in every program since new vulnerabilities have yet to be discovered. Still, it takes a wide-open, unprotected system plus your authorized permission before JavaScript can allow anything damaging to enter your computer through your browser.

One way to begin understanding how JavaScript behaves is to know how it is used. JavaScript can control the appearance and content of the web browser, open new windows and display HTML dynamically, open links to new sites, pop up dialog boxes, click forward and back through the user's browser history, and set and read cookies. In addition, JavaScript can interact with Java applets and with browser plug-ins. Although some of the scripted behavior, for example pop-up ads, unnecessary cookies and/or information gathering such as referers (transmission of your last visited address), is undesirable and downright unwanted, much more is there to simply enhance the appearance and performance of the sites you visit. By disabling JavaScript you will miss the entire web experience as it is designed to be seen, and you will lose all interactivity from mouseover effects to form input and everything in between.

Yes, scripts can get nosey - they can look for your browser version, look for your IP address, look for your cookies, and record the referer address; but there are better ways to control this than entirely disabling JavaScript. Consider this, too... in knowing your browser version you will be shown a page that is designed specifically for you, as the coding and display elements are different for each one. Your IP address is no secret anyway since you can't even get past your ISP and connect to the Internet without one; and in order for you to use the Internet at all, information must be able to find its way back to your computer. Besides, it is going to take more than disabling JavaScript to keep your IP address a secret from everyone. As for cookies, banner ads, pop-up windows, referers and the like, they are more effectively controlled with a cookie/content filter that will allow you to accept what you want while discarding everything else.

If completely hiding your IP address from the world is that important to you, anonymizer services are available - some are free, some charge small monthly fees. An anonymizer is used as a proxy, or a "middle man", to mask your IP address between you and the rest of the Internet. For obvious reasons, though, you might still need to disable this proxy in order to connect to certain sites (for example online banking). And keep in mind that anonymizer services cannot guarantee anonymity 100%. Also keep in mind that you are not anonymous from them - they cache a trail of every site you visit. It is far better to avoid the sites where you feel an anonymizer might be needed.




But what about intrusions into your computer?

Fact:
JavaScript cannot read or write local files and cannot open network connections except within the confines of browser capabilities... and you are in control of setting those rules!



JavaScript alone is not a threat. The threat comes when JavaScript is used to execute some "other action" such as placing hostile active content in the form of an ActiveX Control, Java Class file, or some other executable content on your computer. These are little programs, much like plug-ins, that are downloaded to your computer in order to allow a certain event to take place such as auto-installing a program or update, or running some visual or interactive effect. They should ALL be signed - proof of who they say they are, like a digital certificate you might use for your own e-mail. They should always come from the site you are visiting and they should always be forced with browser settings to ask for permission before they come in - they won't get in if you say "no".

If your guard is down, though, something nasty can get in, but this has nothing to do with whether you have JavaScript enabled or not ...a trojan - the most aggressive of all intruders. Trojans are disguised as innocent programs and most often arrive hidden inside e-mail attachments or programs that are downloaded from the Internet. They are mentioned here only because you need to know, and we repeat - they can get into your computer whether you have JavaScript enabled or not! Your best defense here is to always use a virus and trojan scanner along with a good, reliable firewall ...and of course, don't allow anything to execute on your computer without your permission.

Remember... permission must be authorized by you before JavaScript can allow anything damaging to enter your computer through your browser.

Basic JavaScript Rules
You are safe to keep JavaScript enabled as long as you use precautions, and the following precautions should be taken even if you do choose to disable all scripting. These guidelines should be followed by all Windows users whether you are connected to a network or not:

Specifically for JavaScript and active content:
Never, ever, enable JavaScript for e-mail or e-mail attachments. While JavaScript may be fine for internet browsing, it can be dangerous when enabled for e-mail. See How to disable JavaScript in e-mail programs for step-by-step instructions.


Never allow your e-mail client to "View Attachment Inline" ...unless you are sure it arrived from a trusted sender.


Never open e-mail attachments from strangers. Period.


Never allow a downloaded application or any downloaded executable content to launch on its own, and be especially careful of downloading files that end in exe, bat, vbs, and com.


Never accept and run an "ActiveX Control" or "Java Class" unless it comes signed and from a trusted site. It is best to force your browser to prompt you for permission. If you are using Internet Explorer, these settings are located under Control Panel - Internet Options - Security - Internet , Custom Level. Mozilla, Opera, and Netscape users are prompted by default.


Disable "Install on Demand" if you are using Internet Explorer so your browser will be forced to prompt you if additional components are needed in order to display certain content. This setting is located under Control Panel - Internet Options - Advanced.


Never visit untrusted sites. If you do, be extremely cautious.


Use a good bi-directional firewall that will monitor all incoming and outgoing traffic and will alert you for access permission if such traffic is detected. It also has the ability to hide your presence from intruders by completely blocking access to the ports that are used for the transfer of information. Select the highest security level for your internet zone and set all programs to prompt you for access - even those you use frequently. When in doubt, deny access of a program until you know for sure its identity.


Use a virus scanner (anti-virus), keep the virus data files current (check for updates at least once a week), enable the "Heuristics" or "Bloodhound" feature (for detection of virus-like activity of yet-to-be discovered viruses), and set it to scan all downloads and e-mail attachments - before they are opened. Let it quarantine and destroy anything suspicious. If it has settings for scanning ActiveX Controls and Java Classes for potentially harmful content, use that too. For even greater protection and a wider range of configuration options, combine the use of a virus scanner with a Trojan scanner.


Visit BrowserSpy, a testing site that shows you what information can be gathered from your visits to web sites. Switch JavaScript on/off and compare each set of results. This will give you a better idea of what JavaScript is capable of doing, and it will also show you its limitations.
Moore
####################################################

Prevent Browser Hijacking

####################################################


By Mike Healan
March 23, 2004


If you've ever been infected with a browser hijacker, you know what an infuriating situation it is. For all intents and purposes, your $3,000 computer is converted into a source of revenue for some fly-by-night web site unable to generate legitimate web traffic. Once installed, it usually takes an expert to remove a browser hijacker effectively.

If you've gone through this before, you never, ever want it to happen again. So, how do you prevent being hijacked? This is surprisingly easy.


Dump MSIE
First and most simply, stop using Internet Explorer. If you use either Mozilla, Firefox or Opera, you are immune to all known and future browser hijackers.

You are immune not because current hijackers are written to exploit Internet Explorer. It is because these other browsers do not allow access to Windows the way Internet Explorer does. MSIE has all sorts of security flaws that allow malicious web sites to slip past security and run arbitrary code. This is what happened to you if you've ever been infected with a hijacker.

The other browsers have their flaws but even if someone did manage to compromise them, what could they do then? The answer is: "not much". The Mozilla and Opera browsers are user-level applications; they have very limited access to Windows. At most, they might delete some of their own files and force you to reinstall them.

Apply the same question to Internet Explorer and you can do just about anything you want. Microsoft has integrated Internet Explorer as part of Windows. Because of this, Internet Explorer is a system-level application and can do just about anything.

If you have to use MSIE

Switching browsers is the easy answer. For some people, that is not an option for various reasons. Internet Explorer can be made reasonably safe without locking down every useful function, but it requires some third-party software.

The most important thing is to update your browser and operating system. Go to WindowsUpdates and install the latest version of Internet Explorer (currently MSIE 6 Service Pack 1), then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers.

After you've done that, replace Microsoft Java VM with Sun Java. You can download that from http://www.java.com/. There are several hijackers that exploit flaws in Microsoft Java VM. Sun's Java is more secure and more up to date. Make certain, in Java's options, that Sun Java JRE is set to work with Internet Explorer.

Open Internet Options from the Windows control panel and click the "Security" tab. Highlight the "Internet" icon and then click "Custom Level". Choose "Medium" from the drop-down box at the bottom, then click the "Reset" button. Click ok, then click "Custom Level" again.

Set your options just as I have listed below:

.NET Framework-reliant components

Run components not signed with Authenticode (Disable)
Run components signed with Authenticode (Prompt)

ActiveX controls and plug-ins

Download signed ActiveX controls (Prompt)
Download unsigned ActiveX controls (Disable)
Initialize and script ActiveX controls not marked as safe (Disable)
Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
Script ActiveX controls marked safe for scripting (Prompt)

Miscellaneous

Access data sources across domains (Disable)
Drag and drop or copy and paste files (Prompt)
Installation of desktop items (Prompt)
Launching programs and files in an IFRAME (Prompt)
Navigate sub-frames across different domains (Prompt)
Software channel permissions (High safety)
Userdata persistence (Disable)

Scripting

Allow paste operations via script (Prompt)
Scripting of Java applets (Prompt)

Next, you need to run a registry script called IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer's "Restricted Zone". Any site in that list will be unable to run javascripts, java applets, set or read cookies or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do.

Be aware that MSIE has many security flaws that will allow a clever site designer to bypass security settings, even if their site is in the restricted zone. More must still be done.

Now you need to install SpywareBlaster. ActiveX programs need to use a CLSID (identifier number) before Windows will execute them. SpywareBlaster stops certain ActiveX CLSIDs from working by setting a "kill bit" in the Windows registry. This will stop ActiveX drive-by installations from programs that use those numbers, as well as preventing software already installed from running if they use that CLSID.

As a final safeguard, install a program called Browser Hijack Blaster. This program will watch for alterations to the home page, default page and search page as well as watching for Browser Helper Objects being installed. If it detects a change, it immediately will pop up a warning and ask if you wish to allow the change.

Be very careful about installing programs. By far the most common source of malware infection comes from third party bundles. Grokster, for instance, will install a dozen or more unwanted programs.

Finally, you also should disable the preview pane if you use Outlook or Outlook Express. Simply by highlighting an email while the preview pane is active, even to delete it, you could activate any scripting in that email. Visit TomCoyote's site for instructions on doing that.

Follow the steps above and it will be very unlikely that you ever will be hijacked again. Periodically scan your system with antispyware and antivirus software. I recommend Spybot S&D for antispyware and Nod32 for antivirus.

##############################################################################
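An added example, not from the original post or from any of the tools it names: a Python audit of a regedit text export against the Internet-zone settings listed above, which also lists the CLSIDs carrying the kill bit the post describes. The registry paths, the numeric action IDs and the 0x400 flag come from Microsoft's documentation of zone settings and the kill bit rather than from this page, and the export text and CLSIDs are constructed samples.

```python
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3   # values used by most zone settings
HIGH_SAFETY = 0x00010000            # "Software channel permissions" has its own scale

# Zone value names (URL action IDs) mapped to the settings listed in the post.
RECOMMENDED = {
    "2004": ("Run components not signed with Authenticode", DISABLE),
    "2001": ("Run components signed with Authenticode", PROMPT),
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", ENABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", PROMPT),
    "1406": ("Access data sources across domains", DISABLE),
    "1802": ("Drag and drop or copy and paste files", PROMPT),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "1E05": ("Software channel permissions", HIGH_SAFETY),
    "1606": ("Userdata persistence", DISABLE),
    "1407": ("Allow paste operations via script", PROMPT),
    "1402": ("Scripting of Java applets", PROMPT),
}

# Registry key names are case-insensitive, so paths are compared lowercased.
ZONE3 = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings\zones\3"
COMPAT = "hkey_local_machine\\software\\microsoft\\internet explorer\\activex compatibility\\"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse a regedit text export into {lowercased key path: {VALUE NAME: int}}.

    Real exports are usually UTF-16; read them with encoding="utf-16".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group(1).upper()] = int(value.group(2), 16)
    return keys


def audit_internet_zone(keys):
    """Return (action, label, found, wanted) for each setting that differs.

    found is None when the export has no value for that action.
    """
    zone = keys.get(ZONE3, {})
    return [(action, label, zone.get(action), wanted)
            for action, (label, wanted) in RECOMMENDED.items()
            if zone.get(action) != wanted]


def kill_bitted_clsids(keys):
    """Return the CLSIDs whose Compatibility Flags have the kill bit set."""
    return sorted(path[len(COMPAT):].upper()
                  for path, values in keys.items()
                  if path.startswith(COMPAT)
                  and values.get("COMPATIBILITY FLAGS", 0) & KILL_BIT)


# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000001
"1407"=dword:00000000
"1E05"=dword:00010000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_EXPORT)
    for action, label, found, wanted in audit_internet_zone(keys):
        shown = "not set" if found is None else hex(found)
        print(f"{action} {label}: found {shown}, post recommends {hex(wanted)}")
    print("Kill bit set for:", kill_bitted_clsids(keys))
```
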