How dangerous can a website be? Using firefox with something like NoScript enabled protects a pc from any sort of javascript attack or something similar? Is it better to use a virtual machine to browse potentially unsafe websites or is that also not enough?
Edited by Rafael
on
Reason: Initial post
Even with scripts blocked, be careful if you see a new browser tab or instance you don't recall creating. It looks like you have been logged out from a site, but it's actually a fake version (rnyspace.com for example) and then they steal your password. Storing password in the browser fixes this by getting the habit of not typing passwords everywhere, but the password manager itself needs a password then to avoid storing them unencrypted.
Even if you are not running an internet browser, a badly configured firewall can pose a threat. Close anything that you are not going to use, especially incoming transmissions. Do not open up SSH against the internet with a weak password unless you want to get hacked badly.
Microsoft Office documents can also contain malware, because of the ability to run VB-script inside of them.
Do not use a Windows administrator account when browsing the internet. Linux is safer for beginners by not having administrator privileges by default. Arch derivatives of Linux are even safer by being kept up to date with the latest patches. I have never experienced any badly written code being pushed to Manjaro despite having the latest versions of everything.
Uninstall any browser extensions that you don't recall installing. Especially if it's called "super awesome something" without really explaining what it does.
Keep bookmarks to the official sites for downloading software. Never use the download sites or the Windows store, where fake versions are almost guaranteed to have keyloggers. If you don't need the latest version all the time, keep an external SSD with all your downloaded installers. A virus is more likely to be detected by a virus scan if it was downloaded a year ago. Don't do this with your internet browser, because it has to be up to date.
Block scripts in e-mails too. Even remote content like images can be used to send back information. When you see an image with some long hashed name, it can contain your e-mail address and confirm that you open junk mail to the spammers. Then you get more spam with targeted attacks.
If you use Windows, use a sandboxed browser or create a virtual machine yourself and install a security oriented Linux distribution inside. Oracle's Virtual box actually saved me from Ransomware once, so I just closed the virtual machine without saving the virtual drive's content.
If you have files that you would pay ransom money to get back, burn CDs regularly with projects you are done with. This can both free up disc space for your new projects and save it from ransomware.
If you have a web camera, NSA (and criminal hackers) can use back-doors in your motherboard to enable the camera and microphone while the computer appears to be turned off. Either unplug it or tape it over when not in use.
The UAE and Saudi Arabia bought a virus from Israel that could hack into phones without requiring any user interaction and then they could just screen grab conversations from any program no matter how much encryption the assassinated journalist used. Create your own symmetrical encryption algorithm (to avoid being cracked quickly in batches with other users of the same algorithm) with many moving XOR layers, shuffling, huge ciphers, et cetera. Around one second per megabyte is okay resistance in case that your method has a flaw that can be reversed. Record a long video in the dark with lots of random noise, compress the video together with some garbage photos you haven't shared with anyone, use the compressed video as a random seed together with many layers on top of each other for generating the key (might take an hour or so on a powerful computer), add a pseudo-random generator feeding from the input in case of any predictable parts of the input data, add another layer of randomness from hardware instructions, shred the seed files by overwriting them with random data (don't just delete the pointer to the data), give your friend a copy of the key in advance. Then you can encrypt your message using the key, save it on a USB memory stick and send it from a computer that has direct internet access.
If having work files on your computer (customer data, source code, patents...) you might need a separate computer for accessing the internet to keep your work computer clean. Or you just use up to date Arch Linux with all incoming connections blocked and avoid downloading anything you don't trust.
Even if you are not running an internet browser, a badly configured firewall can pose a threat. Close anything that you are not going to use, especially incoming transmissions. Do not open up SSH against the internet with a weak password unless you want to get hacked badly.
Microsoft Office documents can also contain malware, because of the ability to run VB-script inside of them.
Do not use a Windows administrator account when browsing the internet. Linux is safer for beginners by not having administrator privileges by default. Arch derivatives of Linux are even safer by being kept up to date with the latest patches. I have never experienced any badly written code being pushed to Manjaro despite having the latest versions of everything.
Uninstall any browser extensions that you don't recall installing. Especially if it's called "super awesome something" without really explaining what it does.
Keep bookmarks to the official sites for downloading software. Never use the download sites or the Windows store, where fake versions are almost guaranteed to have keyloggers. If you don't need the latest version all the time, keep an external SSD with all your downloaded installers. A virus is more likely to be detected by a virus scan if it was downloaded a year ago. Don't do this with your internet browser, because it has to be up to date.
Block scripts in e-mails too. Even remote content like images can be used to send back information. When you see an image with some long hashed name, it can contain your e-mail address and confirm that you open junk mail to the spammers. Then you get more spam with targeted attacks.
If you use Windows, use a sandboxed browser or create a virtual machine yourself and install a security oriented Linux distribution inside. Oracle's Virtual box actually saved me from Ransomware once, so I just closed the virtual machine without saving the virtual drive's content.
If you have files that you would pay ransom money to get back, burn CDs regularly with projects you are done with. This can both free up disc space for your new projects and save it from ransomware.
If you have a web camera, NSA (and criminal hackers) can use back-doors in your motherboard to enable the camera and microphone while the computer appears to be turned off. Either unplug it or tape it over when not in use.
The UAE and Saudi Arabia bought a virus from Israel that could hack into phones without requiring any user interaction and then they could just screen grab conversations from any program no matter how much encryption the assassinated journalist used. Create your own symmetrical encryption algorithm (to avoid being cracked quickly in batches with other users of the same algorithm) with many moving XOR layers, shuffling, huge ciphers, et cetera. Around one second per megabyte is okay resistance in case that your method has a flaw that can be reversed. Record a long video in the dark with lots of random noise, compress the video together with some garbage photos you haven't shared with anyone, use the compressed video as a random seed together with many layers on top of each other for generating the key (might take an hour or so on a powerful computer), add a pseudo-random generator feeding from the input in case of any predictable parts of the input data, add another layer of randomness from hardware instructions, shred the seed files by overwriting them with random data (don't just delete the pointer to the data), give your friend a copy of the key in advance. Then you can encrypt your message using the key, save it on a USB memory stick and send it from a computer that has direct internet access.
If having work files on your computer (customer data, source code, patents...) you might need a separate computer for accessing the internet to keep your work computer clean. Or you just use up to date Arch Linux with all incoming connections blocked and avoid downloading anything you don't trust.
Edited by Dawoodoz
on
In computer security there is concept of zero-day - exploitable bug that is not yet patched. These zero-days are found everywhere - in browsers, in operating system, in virtual machines. So regardless of what kind of software you use (Windows, macOS, Chrome, Firefox) - you might get hacked without you knowing it. So if you are completely paranoid - you cannot trust your computer and software. Most safe way keeping your data is on separate machine. There's simply no other way if you must be sure your data is safe.
That said - doing basic reasonable things will prevent you get exploited in most cases:
1) Run adblocker. Ads are very common point where zero-day malware is distributed
2) Do not run random binaries downloaded from internet (especially when somebody asks you). Download software only from official websites. Malware is often distributed through various piracy sites for games and software, because it's targeting kids, who just download & run anything.
3) Do not run programs that listens on network connection that is exposed to internet. Often programs have bugs or weak passwords that can get exploited. This means you should NOT forward ports on your router, and you should DISABLE uPnP protocol on router. Or enable firewall (if you trust your OS firewall). If you need to connect from outside to your home PC, then make software listen only in local machine or network, and setup VPN that you can connect. If you do not wish to setup your own VPN, I can recommend Tailscale. But be careful about other commercial VPN providers, then are not always trustworthy.
4) Keep your OS and software that accesses internet (browsers, discord, games) up to date, upgrade to latest version.
5) Using VM can help as extra layer of security. But it is an extra overhead. And can be extra attack vector. So be sure you really want to use it and understand implications.
Blocking scripts may help, but that will make many internet websites useless. And zero-days exists without help of javascript. They can exploit browser's html or css parsing too. So just understand noscript won't prevent everything.
Do not create custom encryption algorithms that Dawoodz is suggesting. Unless you are expert in cryptoanalysis and can prove they are safe (which not many people can do). That is pure paranoia.
That said - doing basic reasonable things will prevent you get exploited in most cases:
1) Run adblocker. Ads are very common point where zero-day malware is distributed
2) Do not run random binaries downloaded from internet (especially when somebody asks you). Download software only from official websites. Malware is often distributed through various piracy sites for games and software, because it's targeting kids, who just download & run anything.
3) Do not run programs that listens on network connection that is exposed to internet. Often programs have bugs or weak passwords that can get exploited. This means you should NOT forward ports on your router, and you should DISABLE uPnP protocol on router. Or enable firewall (if you trust your OS firewall). If you need to connect from outside to your home PC, then make software listen only in local machine or network, and setup VPN that you can connect. If you do not wish to setup your own VPN, I can recommend Tailscale. But be careful about other commercial VPN providers, then are not always trustworthy.
4) Keep your OS and software that accesses internet (browsers, discord, games) up to date, upgrade to latest version.
5) Using VM can help as extra layer of security. But it is an extra overhead. And can be extra attack vector. So be sure you really want to use it and understand implications.
Blocking scripts may help, but that will make many internet websites useless. And zero-days exists without help of javascript. They can exploit browser's html or css parsing too. So just understand noscript won't prevent everything.
Do not create custom encryption algorithms that Dawoodz is suggesting. Unless you are expert in cryptoanalysis and can prove they are safe (which not many people can do). That is pure paranoia.
Edited by Mārtiņš Možeiko
on
mmozeiko
Unless you are expert in cryptoanalysis and can prove they are safe (which not many people can do). That is pure paranoia.
One should of course not try to write your own RSA (epsilon = 1 and other beginner mistakes in key generation).
HTTPS still uses asymmetrical encryption (for exchanging symmetrical keys) that was never claimed safe to begin with and quickly cracked using 1990s computers by exploiting 32-bit entropy in the key generation based on a timer. RSA only protects against 99.8% of attacks in the most recent paper testing it. When taught at the University, they just said "we don't know if there's a simple way to break it". Technically it's illegal for Swedish Universities to even teach RSA/elliptic encryption due to not being based on scientific evidence.
Bitwise-exclusive-or however is proven safe if the same key is not used twice in the same or multiple messages (sending 5MB requires a 5MB single use key). The math is easy for anyone to understand. If key bit Kn is perfectly random (not from a pseudo-random generator) so that it gives 50% 0 and 50% 1 independent of correlation with previous bits, exactly 50% of each side in the histogram is swapped to the other side. When probabilities p + q = 1, you know that both Kn = 0 and Kn = 1 gives p * 0.5 + q * 0.5 = 0.5. That's why Russian spies only got caught once they started reusing long symmetrical keys, so that guessing one message correct exposed the other message using the same key. If they had 128GB memory cards during the cold war, their messages might have never been decrypted remotely.
Edited by Dawoodoz
on
mmozeiko
2) Do not run random binaries downloaded from internet (especially when somebody asks you). Download software only from official websites. Malware is often distributed through various piracy sites for games and software, because it's targeting kids, who just download & run anything.
3) Do not run programs that listens on network connection that is exposed to internet. Often programs have bugs or weak passwords that can get exploited. This means you should NOT forward ports on your router, and you should DISABLE uPnP protocol on router. Or enable firewall (if you trust your OS firewall). If you need to connect from outside to your home PC, then make software listen only in local machine or network, and setup VPN that you can connect. If you do not wish to setup your own VPN, I can recommend Tailscale. But be careful about other commercial VPN providers, then are not always trustworthy.
also be aware of what might be a executable, for example a screen saver in windows is a exe program opening a full screen window.
Which incidentally is how some scammers try and phish for youtube accounts pretending to be an company asking for an ad.
Edited by ratchetfreak
on
Honestly, if you run a modern operating system, use strong and unique passwords, run an ad blocker, are vigilant about phishing attacks when logging into websites or filling out personal info, don't run executables from websites that aren't well-known to be trustworthy, and back up your important data regularly, you will be about as safe as any individual computer user can realistically expect or care to be. Keeping internet-connected software up to date helps too. If you're worried about exotic and unusual attack vectors, then you're looking in the wrong places imho. Phishing, password cracking, and downloaded malware account for easily 99% of online security threats an individual user will experience. Also don't mind dawoodoz, he has a tendency to go on long unhinged rants about topics he doesn't understand very well.
Edited by Miles
on
Thanks all for answering,
I'm still wondering though, is it technically possible for a website to transfer a file to a pc without the user knowledge and execute it? Say, even if that sort of thing can happen just for a while before the browser finds out about it. Can that realistically happen?
For using windows, setting up a non admin account and using it to browse the internet would be enough to stop the virus infection in that case?
I'm still wondering though, is it technically possible for a website to transfer a file to a pc without the user knowledge and execute it? Say, even if that sort of thing can happen just for a while before the browser finds out about it. Can that realistically happen?
For using windows, setting up a non admin account and using it to browse the internet would be enough to stop the virus infection in that case?
Normally it should not be possible for website to do that. Except if there are unpatched bugs in browser that's being exploited by javascript, html or css code on website. Or same situation with OS bugs that browser might trigger.
Admin account prevents some things, but not everything. Even with non-admin user account in case of crypto-ransomware it will be able to encrypt all your user account files, and in case you have network shares - all the files writeable by your user account on network drive (which have happened multiple times in large companies).
Admin account prevents some things, but not everything. Even with non-admin user account in case of crypto-ransomware it will be able to encrypt all your user account files, and in case you have network shares - all the files writeable by your user account on network drive (which have happened multiple times in large companies).
Edited by Mārtiņš Možeiko
on
Grid
Thanks all for answering,
I'm still wondering though, is it technically possible for a website to transfer a file to a pc without the user knowledge and execute it? Say, even if that sort of thing can happen just for a while before the browser finds out about it. Can that realistically happen?
For using windows, setting up a non admin account and using it to browse the internet would be enough to stop the virus infection in that case?
On Windows, you always have to block ActiveX, which executes a native binary directly in the browser. To run malicious native Windows code from any sketchy website is an intended "feature" not a bug. Shows that Microsoft really do know their stuff about security.
A company making one of your programs could go bankrupt, be bought by criminals and used to send malware via updates. Skype started showing ads for illegal drugs after Microsoft bought it.
There's also a lot of games on Steam containing US army spyware. These always go undetected by mainstream antivirus of course, because they have a hidden license saying that they may steal any information from your computer, which they won't show you or anything. Then their servers get hacked of course and leaks your data. Games on GoG don't have this malware problem.
Edited by Dawoodoz
on
Worrying about ActiveX is pretty much irrelevant nowadays. Only browser that supports is old Internet Explorer. Any other browser, including Edge, does not support it. Also default settings for ActiveX in Internet Explorer makes it to ask whether to run or not run it. So even if you use IE, you'll see prompt to run ActiveX, which you can simply deny.
mmozeiko
Worrying about ActiveX is pretty much irrelevant nowadays. Only browser that supports is old Internet Explorer. Any other browser, including Edge, does not support it. Also default settings for ActiveX in Internet Explorer makes it to ask whether to run or not run it. So even if you use IE, you'll see prompt to run ActiveX, which you can simply deny.
Yes. Denying is easy, for us that understand what ActiveX is. Some people have no idea and sites can be persuasive using scams. Some people use Windows 95 to browse the internet because their computer is still working and they might have legacy hardware or custom database systems that are very expensive to buy new.
Edited by Dawoodoz
on
What about java, is it safe to have it installed?
Games that open servers like don't starve together can leave ports open and is that dangerous?
Or games like league of legends that puts a bunch of people together but has a centralized server, can players somehow attack each other using the connection between them that the game creates?
Games that open servers like don't starve together can leave ports open and is that dangerous?
Or games like league of legends that puts a bunch of people together but has a centralized server, can players somehow attack each other using the connection between them that the game creates?
Grid
What about java, is it safe to have it installed?
Games that open servers like don't starve together can leave ports open and is that dangerous?
Or games like league of legends that puts a bunch of people together but has a centralized server, can players somehow attack each other using the connection between them that the game creates?
Having the Java virtual machine installed
Anyone with so much access to your system that it can launch applications using Java have probably already stolen all your files. It's a program that launches other programs and doesn't do much on its own besides being updated. Think of Java like a passive library.
Executing other people's Java programs
The Java Virtual Machine is used to just-in-time compile byte-code into executable binaries. It does its best to prevent low level assembly hacks from being generated, but because a program still needs to access the file system, you should not run Java programs from sources you don't trust. On Android, this is a bit better by having privileges on top of NSA's Security Enhanced Linux (each program as its own user account), but there are many ways for viruses to access the internet, access files and such by abusing inter-process communication of insecure Android services that already have those privileges indirectly. An old exploit was to request a web resource to send back data in the URL address itself.
Giving out your own Java programs
The Java byte-code has the names of functions in plain text format and the files are easy to reverse engineer even if obfuscated. Anyone can just open the Java archive by changing the extension to zip and opening the modules in human readable form. Mostly suitable for open-source and in-house business development.
Online games
A game that heavily depends on low latency will likely expose IP addresses directly to other players which is combined with an educated guess of your local username from the name in the game. What's really dangerous is to download cracks or modifications with the whole game's binary bundled (which can include trojans), so stick to the original binaries. Automatically downloaded modifications usually aren't allowed to include binaries, yet scripts engines (save a file meant for debug logging, then use the wrong extension, confuse error checking using nesting and escape folder by adding ..) and image parsers (mostly just causing a crash) can have holes in the security.
Edited by Dawoodoz
on
You should treat java programs the same way you would treat any other executable. Only run them from sources you have good reason to trust. Merely having the JVM installed won't make a difference to security one way or another.
Online games that connect players directly need to send players' IP addresses to each other. But there's not much anyone can do with just your IP address, unless you've badly misconfigured your local network. They can use it to guess roughly what country or state you're in, if you're not using a VPN, but realistically that's about it. Keep in mind every website you ever visit also knows your IP address, so it's not as if this is unique to games. And you can always just change your IP address.
The game itself can have security vulnerabilities of course, as can any other software that connects to the internet, but to my knowledge, online games are an uncommon attack vector in practice.
Online games that connect players directly need to send players' IP addresses to each other. But there's not much anyone can do with just your IP address, unless you've badly misconfigured your local network. They can use it to guess roughly what country or state you're in, if you're not using a VPN, but realistically that's about it. Keep in mind every website you ever visit also knows your IP address, so it's not as if this is unique to games. And you can always just change your IP address.
The game itself can have security vulnerabilities of course, as can any other software that connects to the internet, but to my knowledge, online games are an uncommon attack vector in practice.
But there's not much anyone can do with just your IP address, unless you've badly misconfigured your local network.
Sorry to insist on this, but can you elaborate on what would be a badly misconfigured local network?
Also, let's say another user also connected to your internet has a compromised device, does that mean the attacker can have full access to all pcs connected to this network?