Suggestions you can think of?

Talk about internet security, computer security, personal security, your social security number...
HN3
Posts: 1
Joined: Fri Apr 06, 2012 6:18 pm

Suggestions you can think of?

Post by HN3 »

Firefox:
[*]
  • Cookies off
    Ghostery
    Betterprivacy
    Noscript + ABE
    Adblock plus (ALL subscription filters)
    Useragent switcher (spoofed OS and browser signature)
    Meta redirects off (web dev extension)
    Referrals off (web dev extension)
OS:

Router = DD-WRT
[*]
  • TOR + Vidalia
    Hostfiles blacklist (winhelp2002.mvps.org/hosts.htm)
    Sandboxed/VM/jailed executables (Sandboxie + VMware)
    No administrator/root privileges
    Spoofed MAC address (immunity for fingerprints)
    ALL ports blocks except 80:443:53
    Disabled IPv6
IRL:
[*]
  • Tinfoil hat
    Faraday caged office
    All cables wrapped in aluminum foil (anti van eek)


What is missing here? Any suggestions or advice to make security setup more robust?
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

HN3 wrote:Firefox:
[*]
  • Cookies off
    Ghostery
    Betterprivacy
    Noscript + ABE
    Adblock plus (ALL subscription filters)
    Useragent switcher (spoofed OS and browser signature)
    Meta redirects off (web dev extension)
    Referrals off (web dev extension)
RequestPolicy. Wouldn't browse without it. Dovetails with NS beautifully.
RefControl More privacy enhancement; simple GUI and defaults.
Certificate Patrol
JSView, if you want to peek under the hood, even at the names of the dozens or hundreds of scripts that can load under a single Allowed (or Temp-) site or source.

You do know that NoScript also offers Meta redirect control? NS Options > Advanced > Untrusted > check Forbid META etc.
Also Options> Notifications: Show message about blocked META....

Don't you need cookies enabled at some sites for them to work? Your online bank, say?
OS:

Router = DD-WRT
[*]
  • TOR + Vidalia
    Hostfiles blacklist (winhelp2002.mvps.org/hosts.htm)
    Sandboxed/VM/jailed executables (Sandboxie + VMware)
    No administrator/root privileges
    Spoofed MAC address (immunity for fingerprints)
    ALL ports blocks except 80:443:53
    Disabled IPv6
What adjustments are recommended to the most popular HOSTS services, including that one (which I too use).

Disable Universal Plug and Play in the router admin interface.
Disable remote administration (from the Web), unless you really need to access your router's admin GUI from a hotel room somewhere.
Require an HTTPS connection to the router interface, especially if it has wireless capability.
If there is a "Firewall" or similar page in the router GUI, check all there: Block anonymous Net requests, filter IDENT, filter Multicast -- unless you somehow need these.
Disable passthoughs of IPSEC, PPTP, and L2TP -- again, unless you use one of these.

Disable SSID broadcast, although some cast (ha!) doubt on how much that really accomplishes.
Of course, crypto-strength password *to access router*, and, if a wireless connection, crypto-strength key. (AT LEAST 15-20 characters, u/l case, digits, keyboard chars @#$%^&**( etc, NO words found in a dictionary, or close variants thereof.

Be aware that sometimes, alternate ports are used.
But add the ABE rule given by Giorgio there.
IRL:Tinfoil hat
Wouldn't be without it: Image
Faraday caged office
All cables wrapped in aluminum foil (anti van eek)[/list]
If a three-letter agency wants you badly enough, they'll get you -- via your ISP, implanting a key-logger while you're not there, etc. ;)

May come back and edit/add things at other times, as they occur to me. Enough for now.
Cheers. Image
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

You have nothing under "OS".
Since you're using UA switcher, IDK what your real OS is. But:

Enable DEP/Nx/NoExecute bit.

Consider disabling unneeded and/or dangerous Windows services, or equivalent on other systems.
Saves RAM and CPU, too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Suggestions you can think of?

Post by Thrawn »

I would add the HTTPS Finder addon, which probes for HTTPS support on all URLs you visit and can automatically swap you over to HTTPS.

A good companion to Certificate Patrol is Perspectives. It means contacting notary servers, though, which theoretically could allow those notaries to harvest your browsing habits.

I don't know whether the SSL Blacklist addon can be tweaked to make it work on modern Firefox versions, but it may be worth checking out. It's not available from addons.mozilla.org, though.

Secure Login addon allows you to save passwords in your browser with less risk of malicious websites extracting them. In fact, it has JavaScript protection that might make it safer than typing passwords in manually.

Since you're obviously looking for maximum security, don't forget to crank up NoScript's ABE configuration. Something like:

Site *
Accept from SELF++
Anon

You can also use a workaround to apply both Anonymize and Sandbox actions; place one of them in the SYSTEM ruleset, and the other in the USER ruleset.

Maybe also (above the first one)

Site .cn .ru (and whichever other TLDs you distrust)
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

Thrawn wrote:I would add the HTTPS Finder addon, which probes for HTTPS support on all URLs you visit and can automatically swap you over to HTTPS.
And don't forget NoScript's own Options > Advanced > HTTPS, which not only forces HTTPS on sites (you must list them), but also forces encryption for all cookies sent by an HTTPS site. Some careless HTTPS sites, even banks, were sending insecure login and other cookies. :o
I don't know whether the SSL Blacklist addon can be tweaked to make it work on modern Firefox versions, but it may be worth checking out. It's not available from addons.mozilla.org, though.
... keeping in mind that AMO is making some attempts at revoking add-ons found to be unsafe, and that they discourage getting add-ons from other than their own site -- FWIW only.
Secure Login addon allows you to save passwords in your browser with less risk of malicious websites extracting them. In fact, it has JavaScript protection that might make it safer than typing passwords in manually.
Storing passwords in a browser is inherently more dangerous. Password Safe is a free, open-source, pw management system with encryption by world-class cryptographer Bruce Schneier, and can be run even from a flash drive, leaving no traces on the host machine if you are visiting friends, traveling, etc. It can be installed on your HD, of course. A single pw file, which can be easily backed up to flash, CD, whatever, is opened with one master password, the only one you'll ever need to remember. Also performs auto-browse to site, auto-type and login; space for "challenge questions", PINs, etc., and includes a built-in random pw generator, configurable as to length, alphanumeric/keyboard characters/hex, etc., etc. Check it out. Been using it for years and would never use anything else. When my HD died, I installed PWS on the new one, imported my backup pw file from the flash drive, and was good to go in a minute or two.
Since you're obviously looking for maximum security, don't forget to crank up NoScript's ABE configuration. Something like: <snip>
And consider this ABE rule against router NAT pinning attacks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Suggestions you can think of?

Post by Thrawn »

Tom T. wrote:
Thrawn wrote:I would add the HTTPS Finder addon, which probes for HTTPS support on all URLs you visit and can automatically swap you over to HTTPS.
And don't forget NoScript's own Options > Advanced > HTTPS, which not only forces HTTPS on sites (you must list them), but also forces encryption for all cookies sent by an HTTPS site. Some careless HTTPS sites, even banks, were sending insecure login and other cookies. :o
Yes, NoScript can automatically secure cookies, and I use it, and I'm not sure why it's disabled by default - although my wife has noticed that it can break Facebook in some situations (where NoScript was enforcing HTTPS on facebook, but preferences on Facebook weren't yet set to 'Always HTTPS'; somehow, some requests lost their cookies). Actually, HTTPS Finder has that feature too :)
Tom T. wrote:Storing passwords in a browser is inherently more dangerous. Password Safe is a free, open-source, pw management system with encryption by world-class cryptographer Bruce Schneier...Check it out. Been using it for years and would never use anything else. When my HD died, I installed PWS on the new one, imported my backup pw file from the flash drive, and was good to go in a minute or two.
I use KeePass, which from the sound of things is similar (including being portable). I tried LastPass, but I found it a bit clunky, and it seemed over-eager to update multiple passwords at once (besides having privacy/trust issues; do you trust the cloud provider, or not?). Is Password Safe cross-platform? KeePass is Windows-only, but it works well with Wine.

I also came across VTZilla recently, which adds an option to your download menu, so alongside 'Open With' and 'Save As', you can 'Submit to VirusTotal'. 44 antivirus scanners in the cloud, including all of the big names...seems to me that it's a great idea for guarding the front door (things you deliberately download) while all of the back doors are locked by NoScript and RequestPolicy.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

Thrawn wrote:
Tom T. wrote:And don't forget NoScript's own Options > Advanced > HTTPS, which not only forces HTTPS on sites (you must list them), but also forces encryption for all cookies sent by an HTTPS site. Some careless HTTPS sites, even banks, were sending insecure login and other cookies. :o
Yes, NoScript can automatically secure cookies, and I use it, and I'm not sure why it's disabled by default....
IIRC, the checkbox for "Enable Automatic Secure Cookies Management (NS Advanced > Force HTTPS > Cookies) is indeed default-checked. It's just that neither field is populated by default. Users enter their own sites -- perhaps to avoid breaking pages as in the scenario you mentioned.

What is definitely disabled by default is "Forbid active web content unless it comes from a secure (HTTPS) connection". .. with good reason, as most of the (http) sites we use every day require *some* active content. I can see this being used in, say, a separate "banking-only" (etc.) profile, while using one's default profile for all other use.

AFAIK, Giorgio is not planning to auto-probe for HTTPS support at what are normally HTTP sites. It does seem like it's getting a bit beyond NS's main goals, so if a separate add-on does that very well, then ... very well. :) As mentioned, the issue came up when (scandalously) some banks were using insecure cookies on encrypted sessions, and the insecure login pages described. The HTTPS feature started in (IIRC) 2008, probably well before HTTPS Finder was released? -- but reiterated as important when the Firesheep attack came out.
Giorgio Maone wrote:if a website which handles passwords or other sensitive bits doesn’t enforce HTTPS encryption all over its domain, rather than just on login pages like many do (including Facebook and other popular social networks), your data can be easily sniffed and reused by malicious third parties. Furthermore, under specific circumstances (e.g. when you use a TOR), a MITM attacks can silently redirect you to a fake HTTP version of the site, and there’s not much a web site can do about this without client’s help, other than consistently using HTTPS-only cookies.
<snip>
Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and still may expect a tiny few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added in NoScript’s “force HTTPS” list right now.
Thrawn wrote: - Is Password Safe cross-platform? KeePass is Windows-only, but it works well with Wine.
PWS has native versions for both Windows and *nix (the latter is still in Beta), and has a Java version for Mac, IIRC.
The Win version on a flash drive cam be plugged into any Windows machine (travel, visiting family or friends, etc.), regardless of Windows version. (well, probably not 3.1 or 95.) It also will import your KeePass file. ;) (and support import/export in text, XML, CSV)
Thrawn wrote:I also came across VTZilla recently, which adds an option to your download menu, so alongside 'Open With' and 'Save As', you can 'Submit to VirusTotal'. 44 antivirus scanners in the cloud, including all of the big names...seems to me that it's a great idea for guarding the front door (things you deliberately download) while all of the back doors are locked by NoScript and RequestPolicy.
Very interesting! Is it official AMO add-on? Any leakage of privacy regarding "intercepting" the d/l, vs. the user privately testing it with VT?
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Suggestions you can think of?

Post by Thrawn »

VTZilla is on AMO, currently in Experimental status. Not sure about privacy implications...although VirusTotal is fairly well known, so I doubt that they're doing too much tracking. Their privacy policy sounds OK; IP addresses etc can be used anonymously for statistics, otherwise they're only interested in the files that you submit.

Theoretically VirusTotal insists that it is not intended to replace antivirus products, since it only scans files/URLs on-demand. However, in the case where you're confident that the backdoors are closed by other means (like NoScript), it seems to me like VT is ideal.

I haven't found much use for allowing active content only via HTTPS connections (but then again, I don't use Tor). It's an interesting idea, but I don't think that HTTPS is supported on enough sites to make it feasible. If I were keen to make that distinction, I'd just configure the menu to use full addresses for whitelisting, ensuring that the HTTP version of a site is default-denied even if I allow the HTTPS version.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Suggestions you can think of?

Post by Thrawn »

As Tom T mentioned, the OP's operating system is unknown/uncertain, but if on Windows, you could look at KeyScrambler. It installs a new keyboard driver that encrypts your keystrokes, and a Firefox addon that decrypts them inside the browser. The free version is available for FIrefox/Flock and IE; the paid versions are available for an impressive list of other applications. Should defeat most software-based keyloggers.

If on Linux, you could look into SELinux or AppArmor profiles, but I guess VMWare and Sandboxie will do the job...
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

Thrawn wrote:As Tom T mentioned, the OP's operating system is unknown/uncertain, but if on Windows, you could look at KeyScrambler. It installs a new keyboard driver that encrypts your keystrokes, and a Firefox addon that decrypts them inside the browser. .... Should defeat most software-based keyloggers.
Seems that this new driver could also be subverted by the right malware, now that the add-on is known ... :?
Or malware could read them inside Firefox, once in the clear?

Some use movable on-screen keyboards for really paranoid stuff. IDK how effective they are; never looked into them.
I'd rather use all of our lockdowns to prevent the KL getting installed in the first place. ;)
And hw keyloggers - ouch. But usually, only alphabet-soup agencies do this. :)
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Suggestions you can think of?

Post by Thrawn »

Tom T. wrote:
Thrawn wrote: - Is Password Safe cross-platform? KeePass is Windows-only, but it works well with Wine.
PWS has native versions for both Windows and *nix (the latter is still in Beta), and has a Java version for Mac, IIRC.
The Win version on a flash drive cam be plugged into any Windows machine (travel, visiting family or friends, etc.), regardless of Windows version. (well, probably not 3.1 or 95.) It also will import your KeePass file. ;) (and support import/export in text, XML, CSV)
OK, so I've searched for the differences between Bruce Schneier's Password Safe and KeePass Password Safe, and it sounds like they're cryptographically pretty similar. However, KeePass 2.x is not very portable, relying on the .NET framework. I use KeePass 1.x, which doesn't have this problem; runs fine in Wine, or there is KeePassX for *nix, similarly somewhat beta. I might decide to swap over to Password Safe at some point, if KeePass 1.x just doesn't cut it any more (eg if it goes out of support and critical bugfixes aren't provided). In the meantime, if it ain't broke...

Thanks for the heads-up on Password Safe :). Even if I didn't object on principle to depending on .NET, it would be a real pain in practice, so I'm glad I'll never be forced to migrate to KeePass 2.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

Thrawn wrote:OK, so I've searched for the differences between Bruce Schneier's Password Safe and KeePass Password Safe, and it sounds like they're cryptographically pretty similar. However, KeePass 2.x is not very portable, relying on the .NET framework. <snip>
Yikes!

The MS Patch Tuesday updates for May (8 May 2012) included two bulletins addressing .NET. One bulletin listed two separate Critical (remote code execution) flaws, and the other listed one Critical and one DOS flaw.

If you search for all .NET bulletins, the search tool breaks them down by version. V4.0 had 13 bulletins, keeping in mind that one bulletin may address multiple issues. You can go though all of the other versions, should you like. ;)

This machine didn't come with .NET, and it was never added. A machine bought a little later came with it. I removed it.
I've never missed it. Bulky, bloated, and apparently unnecessary except for certain specific applications. (Online games?) If a dev requires it, I don't want her product.

Password Safe is almost totally self-contained. As you know from other conversation, I've deleted about 90% of the WINDOWS folder (and other cuts elsewhere), yet PWS is unaffected. So apparently, any dependencies are on the very core OS libraries themselves, and not on additional components such as .NET.

Side note to GµårÐïåñ: During the search of MS Security Bulletins, *lots* of sites showed in "Recently Blocked". ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Suggestions you can think of?

Post by GµårÐïåñ »

Tom T. wrote:Side note to GµårÐïåñ: During the search of MS Security Bulletins, *lots* of sites showed in "Recently Blocked". ;)
No doubt, but seeing what I recently blocked in a menu serves me no purpose, because I know I blocked them recently, since I did it. Don't need to see it :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Suggestions you can think of?

Post by Tom T. »

GµårÐïåñ wrote:
Tom T. wrote:Side note to GµårÐïåñ: During the search of MS Security Bulletins, *lots* of sites showed in "Recently Blocked". ;)
No doubt, but seeing what I recently blocked in a menu serves me no purpose, because I know I blocked them recently, since I did it.
No, you didn't. It happened transparently because you chose to "Apply to whitelisted", but you don't know when or if it happened, because you had no way to know that the site would call these additional objects until you open the menu (assuming you've not been to that site before).

I don't understand why you're so opposed to the "Sticky Recent-Block" idea (which is where this should have been posted), because as you yourself said,
I was surprised Giorgio even took his precious time to implement it.
My best guess would be that he took his precious time to implement it because he thought it would be useful to many users, even if GµårÐïåñ was not one of them. ;)

I don't object to RFEs that benefit some users, but don't benefit me, so long as they don't harm me. Where is the harm to you in having a feature that you think you'll never use, but causes you no harm?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Suggestions you can think of?

Post by GµårÐïåñ »

Fact is that I don't care the request was made, I have either allowed it, which means I don't mind it being accessed when it shows up or untrusted it, which means no matter how many times it shows up, its not going to do squat, so either way I am covered. I don't need to see each time the request is made to know I have already made a decision on it one way or another. I have no doubt that Giorgio placated the many who asked for reasons that made sense to him, but me not finding it useful is neither a dig at Giorgio or anyone who uses it and finds it useful, just doesn't serve a purpose for ME, and I didn't imply otherwise, did I? If I want to TA something I have previously decided to untrust, then I find it under untrusted menu, I TA it and move on, or if it has a placeholder, just click that, it automatically TA it and when I am done, goes back to the way I had decided in the past, overall, no adverse affect to my browsing behavior. I run a tight ship but understanding the extent of each vector helps mitigate the paranoia and wasted time effect that comes with the constant, is it? isn't it? did it? didn't it? so on. But as I have always maintained, to each their own.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Post Reply