[Dshield] little experiment

Henry Hertz Hobbit hhhobbit at comcast.net
Tue Mar 1 15:33:13 GMT 2005


On Mon, 2005-02-28 at 19:03, Neil Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> Johannes B. Ullrich wrote:
> 
> | http://www.amihacked.com is the URL. Let me know if it works or
> | where it breaks. One of the goals is also to make some of the
> | dshield information a bit more accessible. We already have the 'are
> |  you hacked' banner, but it's a bit limited when it comes to the
> | next step ("Why is the banner flashing at me?").
> |
> | thanks for any feedback.
> 
> 
> Hi.  The page "conditionally" worked for me: the main page displayed
> all the correct information (didn't think about Java returning the
> NAT'ed address; my heart got a little workout when I saw my NAT
> address on the page..  :-)  , but then I had a browser crash when I
> tried to do the port scan.  I restarted the browser and was able to
> get port scan, but when I tried to go back to the main page, my
> browser crashed again.

Your NAT'd address can ALSO show up in email BTW.

> ~   Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5)
> Gecko/20041107 Firefox/1.0
> ~   Windows 2000, SP4 and patches
> 
> The second crash might be related to the first--I hadn't rebooted
> in between crashes.  But the first crash was strange: I had just
> restarted my computer this morning, so I don't think it's residue from
> another site.
> 
> If I'm the only one having crash problems, feel free to ignore me.  :-)

No, I don't think we can do that.  We need to find out WHY it crashed. 
I advise the following security settings for your Mozilla / Firefox
Browsers and Thunderbird (where appropriate).  Here are my settings. 
How you modify them from here is UP TO YOU.

Privacy & Security
  Cookies
    Allow cookies based on privacy settings (SELECTED, View - High)
    Accept for current session only (SELECTED)
  Images
    Image Acceptance Policy
      Accept all images (SELECTED)
      Do not load remote images in Mail and Newsgroup messages (CHECKED)
    Animated images should loop
      As many times as the image specifies (SELECTED)
  Popup Windows
    Block unrequested popup windows (CHECKED)
      { add the ones you want with Allowed Sites }
    Display an icon in the Navigator status bar (CHECKED)
  Forms
    Save form data from web pages ... (UNCHECKED)
  Passwords
    Password Manager
      Remember Passwords (UNCHECKED)
    Encrypting versus Obscuring
      Use encryption when storing sensitive data (CHECKED)
  Enigmail
    { I am using the defaults with no ill effect }
  Master Passwords
    Master Password Timeout
    [ Mozilla will ask for your master password ]
      The first time it is needed (SELECTED - if at home, not paranoid)
      Every time it is needed (SELECTED - if you are paranoid)
      If it has not been used for (SELECTED)
        xx minutes  (15 or 30 are reasonable at work, 60 at home)
    { NOW THAT YOU HAVE ALL THIS, you can go back and turn on password }
    { remembering if you want it }
Advanced
  Enable Java (UNCHECKED)
  { it should remain unchecked until you need it then turn off! }
  Scripts & Plug-ins
    Enable JavaScript for
      Navigator (CHECKED)
      Mail & Newsgroups (UNCHECKED)
    Allow scripts to:
      Move or resize existing windows (CHECKED)
      Change Images (CHECKED)
      { ALL OTHERS UNCHECKED }
  Software Installation
    Manage Software Installations and Updates
      Enable software installation (UNCHECKED)
    Update Notifications
      Check for updates (YOUR CALL)
        monthly (SELECTED)

I can't see it on Linux, but if you are using it on Windows, do NOT make
Firefox, Mozilla, or Thunderbird memory resident.  Put up with the time
lag for it to open.  Are you really so impatient that three to seven
extra seconds are going to kill you?

I do NOT like the JavaScript settings.  Blocking cookies is NOT what is
desperately needed for Firefox / Mozilla, although it is helpful.  What
is needed is the equivalent of IE's Restricted Sites list.  There are
sites out there that have been downloading Trojans for years with total
impunity.  What we need is the equivalent of the restricted sites that
will not allow the sites that are in it (wildcarded by NAME.TLD
sometimes) where they can NOT run JavaScript, or any plugins.  This holds
especially true for Java, Flash Player, and Shockwave Players.  I asked
at Mozillazine about doing this and they had no interest in it.  I told
them to go to the following site to help them realize that some of our
net neighbors are NOT polite:

http://www.mostannoyingwebpage.com

In the immortal words of Rumpole of the Bailey, the penny never dropped.

Try those settings and see if it makes any difference.  They won't stop
www.annoyingwebpage.com though - the only thing that will stop them is 
making that blocked list and putting them in it, turning JavaScript
completely off, or blocking them entirely in a blocking hosts file.  The
latter is NOT an option in most corporate settings!

HHH
-- 
Key Name:  "Henry Hertz Hobbit"
Key fingerprint = 924E BE61 1ACF B87A DCA9 009E E74C 183D 0164 F7D5
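
Added example, not part of the original message: a small auditor that reads a profile's prefs.js and reports where it deviates from some of the settings listed above. The mapping from dialog labels to preference names is an assumption made for this example (the message names only the dialog labels), and SAMPLE is constructed input.

```python
import re

# Assumed mapping from the dialog settings in the message to Mozilla/Firefox
# preference names; the message itself gives only the dialog labels.
RECOMMENDED = {
    "security.enable_java": False,         # Advanced > Enable Java (UNCHECKED)
    "javascript.allow.mailnews": False,    # JavaScript for Mail & Newsgroups (UNCHECKED)
    "dom.disable_open_during_load": True,  # Block unrequested popup windows (CHECKED)
    "signon.rememberSignons": False,       # Remember Passwords (UNCHECKED)
    "browser.formfill.enable": False,      # Save form data from web pages (UNCHECKED)
    "xpinstall.enabled": False,            # Enable software installation (UNCHECKED)
    "network.cookie.lifetimePolicy": 2,    # Accept for current session only
}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample of a prefs.js file (not taken from a real profile).
SAMPLE = '''\
# Mozilla User Preferences
user_pref("security.enable_java", true);
user_pref("dom.disable_open_during_load", true);
user_pref("signon.rememberSignons", false);
user_pref("network.cookie.lifetimePolicy", 0);
user_pref("browser.startup.homepage", "about:blank");
'''

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and anything that is not a user_pref line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return {pref: (found, wanted)} for each deviation. found is None when the
    pref is absent, meaning the browser default applies and needs a manual check."""
    prefs = parse_prefs(text)
    return {n: (prefs.get(n), w) for n, w in RECOMMENDED.items() if prefs.get(n) != w}

if __name__ == "__main__":
    for name, (found, wanted) in sorted(audit(SAMPLE).items()):
        print(f"{name}: found {found!r}, recommended {wanted!r}")
```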



