Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
From: Jim Race (caferace_at_well.com)
To: firstname.lastname@example.org
Date: Sat, 17 Jan 2004 14:03:29 -0800
Tobias Weisserth wrote:
> There is no such thing as a WinXP box with all current patches :-) Since
> installing all patches that Microsoft makes available still doesn't mean
> every critical bug is fixed you should find out as much as possible
> about the unfixed bugs. For example there is still a URL spoofing bug in
> the Internet Explorer 6 which hasn't been fixed for more than 2 months.
> I am pretty sure there are lots more. The dilemma is that MS doesn't
> seem to think full-disclosure is the way to go...
All that aside, using existing patches and NOT using software with known
vulns such as IE. There are unfortunately a select few sites where IE is
required. Those are dwindling, and more importantly can usually be
The sad part is, I *have* to keep a functional current version of IE on
the system, if only for testing reasons. It would be nice if there was a
very simple way to disable its integrated functions easily when not in use.
> Consider using alternative software in the meantime, thus replace IE6
> with Mozilla and so on.
Of course. Many of the stock Windows components are removed or replaced.
Notepad is a classic example, replaced by Textpad. Cygwin (with a lower
case "w", ahem) is used for its toys and cross training. Putty for
Telnet, stuff like that.
> You have to find out if there are any known vulnerabilities to the
> services you use and if yes, how to fix them. It's a pity pivX took
> their list offline. Instead they are promoting personal firewalls now in
> association with MS...
PivX's original list (or its content) lives on, just in a different
> Be sure to keep it patched. Static pages are good (no possibility of
> injecting parameters). Check whether the cgi-bin directory is accessible
> from the outside! (shouldn't be by default)
Again, of course. It has a properly tweaked httpd.conf, and while I do
keep a cgi-bin directory accessible and readable it has nothing of
consequence in it. More of a nose-tweak if anything.
>>Mozilla with Java and JS disabled in email
> If you want to protect your privacy then disable HTML displaying in your
> mail client and forbid the loading of external content from within a
> displayed mail.
HTML rendering is disabled, as well as remote images. Pop-ups are toast,
and images only loaded from orig server in browsing. Bayesian Junk
filters enabled and well trained.
> A personal firewall is not bad. It's an addition. But it's not the cure.
> If you are sure the intended users of the machine know what to do with
> all the interactions that are required to run a personal firewall then
> install one. It will be hard to configure your hardware router so that
> it stops specific processes from connecting _to_ the Internet (in
> contrast to _from_). A personal firewall can be of much use here, taken
> the users know to use it.
Perhaps, but they're annoying as hell. It's a risk I'll accept. As a
single user machine it has outbound connections manually monitored, and
no (known) rogue software.
> Some AV software should be running at all times.
Why? SA runs on the (remote) mail server, stripping all executables and
classic MS hangers on (scr, com, bat, etc....) as well as tagging Virus
and filtering those in Moz.
> There are usable
> products available for free, personal use only of course. Have a look at
F-Prot, and others tried.
> Be sure to get rid of adware too. Use Adaware or Spybot regularly.
Ad-aware run *very* occasionally. Executable binaries almost always go
through MD5 checksum vetting before install. No browser plug-ins allowed.
> Additional measures: Have some sort of bootable live CD available. There
> are a lot of Linux-based live CDs available on the Internet which contain
> f-prot and lots of recovery and diagnostic tools. It's very handy to
> have one of those lying around.
I keep a copy of Knoppix handy and updated. I may try out something else
Thanks... gives me something more to chew on.
Obviously, this is FAR from your average Windows user's box. I'm quite
aware of threats and have even discovered a few myself.
Our resident Grandma posting made *me* realize that not having to
reformat often (because of this same awareness, never) is a good thing.
Full-Disclosure - We believe in it.