Velocity Reviews


Edw. Peach 08-21-2004 12:05 PM

What can a malicious website do?
 
I am not a computer geek and have just a basic understanding of what
goes on under the hood. I am curious just what a malicious web site
can do to one's computer? How are they able to run programs and
change settings so easily?

I'm guessing that they find ways in that are part of the normal
routine of interacting with a web site, like for instance use controls
that allow normal interaction (maybe sound, or animation that runs)
and then piggy backs a program of their own, or something like that?

Why aren't there ways of disabling any exe files other than the
absolutely necessary ones from running? There must be other ways a
user can protect him/her self from invasive intrusions by such sites.

So, somehow these sites gain access to a person's settings, and
changes them? I still don't understand why there aren't more controls
on such access.

If anybody knows of a web site (a safe one...LOL) that describes some
of these actions, I'd be very interested in reading it.

Thanks

Thund3rstruck_n0i 08-21-2004 03:25 PM

Re: What can a malicious website do?
 
Edw. Peach spilled my beer when they jumped on the table and proclaimed in
<69eei0tckjdki0qi05jhcumh7epo46aju1@4ax.com>

> I am not a computer geek and have just a basic understanding of what
> goes on under the hood. I am curious just what a malicious web site
> can do to one's computer? How are they able to run programs and
> change settings so easily?


It's either the security settings on the browser, or some exploit for that
browser (<cough>IE<cough> :) )

> I'm guessing that they find ways in that are part of the normal
> routine of interacting with a web site, like for instance use controls
> that allow normal interaction (maybe sound, or animation that runs)
> and then piggy backs a program of their own, or something like that?


Close. There are, supposedly, ways to do things, and install things using
javascript/.vbs scripting. Someone setting up a site can easily hide those
in it.

> Why aren't there ways of disabling any exe files other than the
> absolutely necessary ones from running? There must be other ways a
> user can protect him/her self from invasive intrusions by such sites.


Well, they're not .exe or .com files so...

Basically, when I ran Windows, I did not use IE. (Mozilla and Netscape in
my case) I know others have changed their security settings to not allow
these things to run as easily.

> So, somehow these sites gain access to a person's settings, and
> changes them? I still don't understand why there aren't more controls
> on such access.
>
> If anybody knows of a web site (a safe one...LOL) that describes some
> of these actions, I'd be very interested in reading it.


I'll try to hunt one up...but you might take a walk through Cert.org's
site...

NOI


Kleeb 08-21-2004 06:46 PM

Re: What can a malicious website do?
 
On 2004-08-21, Edw Peach <bogus_addie@yahoo.com> wrote:
> I am not a computer geek and have just a basic understanding of what
> goes on under the hood. I am curious just what a malicious web site
> can do to one's computer? How are they able to run programs and


I wonder if so many rogue sites would be so successful in 'attacking'
un-modified IE users if said users ran as something other than computer
'Administrator' ?

Maybe someone more familiar with Windows' built-in security with regard to
user access could answer this one for me ? Or can IE (for example) be
manipulated easily regardless of access level ?

Cordially,

Kleeb.

Felix Tiede 08-21-2004 09:20 PM

Re: What can a malicious website do?
 

Kleeb wrote:
| On 2004-08-21, Edw Peach <bogus_addie@yahoo.com> wrote:
|
|>I am not a computer geek and have just a basic understanding of what
|>goes on under the hood. I am curious just what a malicious web site
|>can do to one's computer? How are they able to run programs and
|
|
| I wonder if so many rogue sites would be so successful in 'attacking'
| un-modified IE users if said users ran as something other than computer
| 'Administrator' ?
|
| Maybe someone more familiar with Windows' built-in security with regard to
| user access could answer this one for me ? Or can IE (for example) be
| manipulated easily regardless of access level ?
|
| Cordially,
|
| Kleeb.
I'm not deep in Windows' security...
If a site is 'attacking' a non-Administrator user, it should at least not be
able to shut down system services like an antivirus program.

What they still could do is to use a buffer overflow in one of the running
services, gaining Administrator privileges almost without user interaction.
This depends on the interaction settings of the service:
A service without an open port and without "desktop communication" (I don't
know how this is called in English, in German it's "Datenaustausch mit
Desktop") is harder to attack than those which have these things.

However, this depends on the ability to store arbitrary code in the victim's
RAM, but AFAIK that can be done relatively simply from within IE...
Disabling features like js/vbs and ActiveX will make that task harder to
accomplish, but not impossible.
But it's also not impossible from within Mozilla...

To be more specific about your last question:
I've heard of ways to work around IE's security levels, but I don't know if
this is still actual or if there has been a patch for that.
Having this in mind the only way to have greatest possible security with IE
is to deactivate every active feature in every zone to reduce the risk of
being infected by a buffer overflow.

Long story short:
A malicious website would have a hard task to shut down your virus scanner,
if you're surfing not as 'Administrator', but it's still not impossible to
corrupt your system. And once it's running with Administrator privileges
your virus scanner will be defunct very fast...


Greetings,
Felix

lurker 08-21-2004 10:08 PM

Re: What can a malicious website do?
 
Felix Tiede wrote:

> Kleeb wrote:
> | On 2004-08-21, Edw Peach <bogus_addie@yahoo.com> wrote:
> | I wonder if so many rogue sites would be so successful in 'attacking'
> | un-modified IE users if said users ran as something other than computer
> | 'Administrator' ?


> Long story short:
> A malicious website would have a hard task to shut down your virus scanner,
> if you're surfing not as 'Administrator', but it's still not impossible to
> corrupt your system. And once it's running with Administrator privileges
> your virus scanner will be defunct very fast...


You are assuming that system files are the only important thing on a computer.
If you log in as a limited user and an IE exploit wipes your documents (that you
just so happened to have forgotten to back up), it would have done no damage to
the system, yet be devastating to you, the user. One could easily reinstall
Windows, since a convenient "backup" of Windows itself is usually available
with every new machine you purchase from a computer store on their install or
restore CDs, but some people don't back up their documents at all and could lose
a lot of work if something were to wipe that.

One way to keep your documents safe from potential IE exploits wiping them is to
designate separate limited user accounts for separate tasks. Such as one
account for document creation and editing, and the other account for browsing
the web. With that setup, if something hijacks your IE and tries stuff, it
wouldn't be able to accomplish much, nor would it be able to wipe your
documents (unless it used another local privilege escalation security hole to
pull it off, or unless you set your permissions on your other account to allow
another user to modify/delete files from it) and cleaning any malware that
installed under the web browsing account would be as easy as deleting the web
browsing account entirely and creating a new limited user account compared to
what would have to be done if that said IE exploit had full admin privileges
and wiped all your important stuff (that you forgot to back up).

Felix Tiede 08-21-2004 10:28 PM

Re: What can a malicious website do?
 

lurker wrote:
| Felix Tiede wrote:
|
|
|>Kleeb wrote:
|>| On 2004-08-21, Edw Peach <bogus_addie@yahoo.com> wrote:
|>| I wonder if so many rogue sites would be so successful in 'attacking'
|>| un-modified IE users if said users ran as something other than computer
|>| 'Administrator' ?
|
|
|>Long story short:
|>A malicious website would have a hard task to shut down your virus scanner,
|>if you're surfing not as 'Administrator', but it's still not impossible to
|>corrupt your system. And once it's running with Administrator privileges
|>your virus scanner will be defunct very fast...
|
|
| You are assuming that system files are the only important thing on a computer.
| If you login as a limited user and an IE exploit wipes your documents (that you
| just so happened to have forgotten to backup), it would have done no damage to
| the system, yet be devastating to you, the user. One could easily reinstall
| windows, since a convenient "backup" of windows itself is usually available
| with every new machine you purchase from a computer store on their install or
| restore CDs but some people don't backup their documents at all and could lose
| a lot of work if something were to wipe that.
|
| One way to keep your documents safe from potential IE exploits wiping them is to
| designate separate limited user accounts for separate tasks. Such as one
| account for document creation and editing, and the other account for browsing
| the web. With that setup, if something hijacks your IE and tries stuff, it
| wouldn't be able to accomplish much, nor would it be able to wipe your
| documents (unless it used another local privilege escalation security hole to
| pull it off, or unless you set your permissions on your other account to allow
| another user to modify/delete files from it) and cleaning any malware that
| installed under the web browsing account would be as easy as deleting the web
| browsing account entirely and creating a new limited user account compared to
| what would have to be done if that said IE exploit had full admin privileges
| and wiped all your important stuff (that you forgot to backup).

You're completely right about that. Yes, I didn't mention that user files
could be corrupted.

But sometimes I think that those users who are ignorant to backup their
files could do well with a "hard lesson". They'll never forget to make
regular backups, won't they?

I think not making backups because "I'm not using my working account to surf
the net" is not so good...
And there's another point: I can think of more times I needed the net while
I'm working on something than of those when I surfed the net just for fun.
It would be a PIA to change accounts only to look up a certain phrase for
your current work, wouldn't it?

No, I don't think using multiple accounts would suit me and I don't know
many people who think otherwise. IMHO the only way to keep your valuable
files secure is to make backups.

Greetings,
Felix

Kleeb 08-21-2004 11:03 PM

Re: What can a malicious website do?
 
On 2004-08-21, Felix Tiede <tiede@pc-tiede.de> wrote:
>
> Long story short:
> A malicious website would have a hard task to shut down your virus scanner,
> if you're surfing not as 'Administrator', but it's still not impossible to
> corrupt your system. And once it's running with Administrator privileges
> your virus scanner will be defunct very fast...


Thanks very much Felix for the info there.

Cordially,

Kleeb.

lurker 08-21-2004 11:43 PM

Re: What can a malicious website do?
 
Felix Tiede wrote:

> lurker wrote:
> | Felix Tiede wrote:
> |>
> |>Kleeb wrote:
> |>| On 2004-08-21, Edw Peach <bogus_addie@yahoo.com> wrote:
> |>| I wonder if so many rogue sites would be so successful in 'attacking'
> |>| un-modified IE users if said users ran as something other than computer
> |>| 'Administrator' ?
> |
> |
> |>Long story short:
> |>A malicious website would have a hard task to shut down your virus scanner,
> |>if you're surfing not as 'Administrator', but it's still not impossible to
> |>corrupt your system. And once it's running with Administrator privileges
> |>your virus scanner will be defunct very fast...
> |
> |
> | You are assuming that system files are the only important thing on a computer.
> | If you login as a limited user and an IE exploit wipes your documents (that you
> | just so happened to have forgotten to backup), it would have done no damage to
> | the system, yet be devastating to you, the user. One could easily reinstall
> | windows, since a convenient "backup" of windows itself is usually available
> | with every new machine you purchase from a computer store on their install
> | or restore CDs but some people don't backup their documents at all and could
> | lose a lot of work if something were to wipe that.
> |
> | One way to keep your documents safe from potential IE exploits wiping them is to
> | designate separate limited user accounts for separate tasks. Such as one
> | account for document creation and editing, and the other account for browsing
> | the web. With that setup, if something hijacks your IE and tries stuff, it
> | wouldn't be able to accomplish much, nor would it be able to wipe your
> | documents (unless it used another local privilege escalation security hole
> | to pull it off, or unless you set your permissions on your other account to
> | allow another user to modify/delete files from it) and cleaning any malware
> | that installed under the web browsing account would be as easy as deleting
> | the web browsing account entirely and creating a new limited user account
> | compared to what would have to be done if that said IE exploit had full
> | admin privileges and wiped all your important stuff (that you forgot to
> | backup).
>
> You're completely right about that. Yes, I didn't mention that user files
> could be corrupted.
>
> But sometimes I think that those users who are ignorant to backup their
> files could do well with a "hard lesson". They'll never forget to make
> regular backups, won't they?
>
> I think not making backups because "I'm not using my working account to surf
> the net" is not so good...
> And there's another point: I can think of more times I needed the net while
> I'm working on something than of those when I surfed the net just for fun.
> It would be a PIA to change accounts only to look up a certain phrase for
> your current work, wouldn't it?
>
> No, I don't think using multiple accounts would suit me and I don't know
> many people who think otherwise. IMHO the only way to keep your valuable
> files secure is to make backups.


Well, no one said you had to use the accounts separately from each other. Both
Windows and Linux offer the ability to run a program within another user
account without logging out of the currently logged in user account. So one
could run a web browser in another account and if something happens, its damage
would be limited to its own account while still allowing you to easily refer
back to the other program you had running in another account the same way you
would with any normally loaded program, even allowing copying/pasting between
them. I am not sure on Windows, but in Linux with KDE, you can even set
application shortcuts for specific apps to automatically load in a different
user account when clicked. The app would load like normal except it would only
be able to access what that other user account can access unless you set file
permissions to allow it more access to other things.
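
Added example, not part of lurker's posts or the thread: the separate-account setup holds only while file permissions keep the browsing account out, the caveat both of lurker's posts mention. This sketch for Linux lists what a different non-root account could modify under a directory; the function names and the assumption that the two accounts share no group are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Lists entries under DIR that a
# *different* non-root account could modify, e.g. a browsing account looking
# at the work account's home directory.
# Assumptions: the two accounts share no group, and DIR's parent directories
# are traversable by everyone (as /home usually is).

# exposed_paths DIR
#   Prints one path per line.
#   - A directory without the "other" execute bit (0001) cannot be entered by
#     other accounts, so everything beneath it is unreachable and is pruned,
#     whatever the modes of the files inside say.
#   - In reachable directories, anything with the "other" write bit (0002) is
#     reported: a writable file can be overwritten, a writable directory lets
#     other accounts add entries and, unless the sticky bit is set, delete them.
#   - Symlinks are skipped because their own mode bits are not enforced.
exposed_paths() {
    find "$1" \
        \( -type d ! -perm -0001 -prune \) -o \
        \( ! -type l -perm -0002 -print \)
}

# audit_account_dir DIR
#   Human-readable report. Returns 0 when nothing is exposed, 1 otherwise.
audit_account_dir() {
    found=$(exposed_paths "$1")
    if [ -n "$found" ]; then
        printf 'Writable by other accounts:\n%s\n' "$found"
        return 1
    fi
    printf 'No entries under %s are writable by other accounts.\n' "$1"
    return 0
}

# When called with a directory argument, audit it; otherwise only define
# the functions.
[ "$#" -eq 0 ] || audit_account_dir "$1"
```
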

