Re: Phishing and Malware Protection
MCBastos wrote:
> Interviewed by CNN on 30/01/2013 14:35, Rob told the world:
>> MCBastos wrote:
>>> So...
>>> Antivirus: missed it
>>> Other antivirus: about 75% chance of missing it.
>>> Google Safe Browsing: missed it
>>> ISP spam filter: flagged it as spam, but did nothing else. Not that it
>>> helps much, since this particular filter has a high rate of false
>>> positives. One of the myriad reasons I'm migrating to another ISP...
>>> Seamonkey spam filter: missed it (probably because it had my full name)
>>
>> Filtering proxy looking at file type: would probably have caught it.
>> Software restriction policy at computer (AppLocker): would have caught it.
>> Operating as a nonprivileged user: would most likely have made the
>> malware fail to install in system directories.
>
> Sure, those are fine tools, but some of them are not practical for most
> home users or small business. I mean, AppLocker is an Enterprise-level
> tool, and how many homes do you know that have *any kind* of proxy? Not
> to mention notebooks that connect to public wi-fi?
>
> And even so, you qualified your claims with "probably" and "likely". As
> I said, there are no absolute guarantees. There are no magical silver
> bullets that will kill *all* attacks, surely, with zero false positives.
>
> Every security tool must achieve a balance between the security it
> offers and its shortcomings. In the case of the Firefox blacklist, the
> choice between real-time blacklist checks and batch-downloaded updates
> has to consider the following:
>
> - Pro real-time checks: somewhat elevated security
> - con: privacy concerns, increased latency

The reason I mention those three other methods is that I prefer methods
that work by fixed yes/no checks over methods that use dynamically
updated patterns and blacklists. A rule that prevents driveby downloads
is better than a virus scanner or site blacklist, in my opinion.

Sure it requires effort to implement those things, that is why almost
nobody is doing it. But then, don't complain when you are hacked.

I am not in the Windows software development business, but seeing that
current security products already scan for viruses in internet download
streams, either by pushing a proxy in between or by watching all TCP
streams, it should be trivial to add a feature that just blocks any
executable download for users that are not designated as administrators.
That should be much more effective than scanning for malware.

When our users are on public WiFi, they can only set up a VPN to the
company network and access the internet using the standard security in
place. This also prevents wiretapping of the activities of the user.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
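The fixed yes/no rule proposed in the message above (refuse executable downloads for non-administrators, judged by file type rather than by signatures or blacklists), as an added example that is not part of the original post or of any product's code. The function names, the extension list and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

# Extensions that Windows runs or loads as code. Illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".cpl", ".scr", ".com", ".pif", ".msi"}


def sniff_executable(head: bytes):
    """Classify the first bytes of a download: "pe", "mz" or None.

    "mz" covers DOS executables and the case where the filter peeked at too
    few bytes to reach the PE signature; both are treated as executable.
    """
    if head[:2] != b"MZ":
        return None
    if len(head) >= 0x40:
        # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        if head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "mz"


def executable_extension(filename: str):
    """Return the executable extension of filename, or None.

    Windows ignores trailing dots and spaces, so "a.exe. " still runs as .exe.
    """
    ext = os.path.splitext(filename.rstrip(". "))[1].lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def download_verdict(filename: str, content_type: str, head: bytes, is_admin: bool):
    """Fixed yes/no rule: return (allow, reason) for one download."""
    kind = sniff_executable(head)
    ext = executable_extension(filename)
    if kind is None and ext is None:
        return True, "not an executable type"
    if is_admin:
        return True, "executable allowed for administrator"
    if ext is None:
        # Content says executable, name and declared type say otherwise:
        # the "uploaded to an image host as if it were an image" case.
        return False, f"executable content ({kind}) served as {content_type}"
    return False, f"executable download ({ext}) by non-administrator"


# Constructed sample inputs (not taken from any real file).
PE_HEAD = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 56

if __name__ == "__main__":
    cases = [
        ("holiday.jpg", "image/jpeg", PNG_HEAD, False),
        ("holiday.jpg", "image/jpeg", PE_HEAD, False),
        ("invoice.pdf.CPL. ", "application/octet-stream", b"", False),
        ("setup.exe", "application/octet-stream", PE_HEAD, True),
    ]
    for name, ctype, head, admin in cases:
        print(repr(name), ctype, "admin" if admin else "user",
              "->", download_verdict(name, ctype, head, admin))
```

An executable packed inside a ZIP or other archive passes this check; the rule only covers files delivered directly, which is one reason it complements rather than replaces an execution policy on the endpoint.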
Re: Phishing and Malware Protection
Interviewed by CNN on 30/01/2013 14:35, Rob told the world:
> MCBastos wrote:
>> So...
>> Antivirus: missed it
>> Other antivirus: about 75% chance of missing it.
>> Google Safe Browsing: missed it
>> ISP spam filter: flagged it as spam, but did nothing else. Not that it
>> helps much, since this particular filter has a high rate of false
>> positives. One of the myriad reasons I'm migrating to another ISP...
>> Seamonkey spam filter: missed it (probably because it had my full name)
>
> Filtering proxy looking at file type: would probably have caught it.
> Software restriction policy at computer (AppLocker): would have caught it.
> Operating as a nonprivileged user: would most likely have made the
> malware fail to install in system directories.

Sure, those are fine tools, but some of them are not practical for most
home users or small business. I mean, AppLocker is an Enterprise-level
tool, and how many homes do you know that have *any kind* of proxy? Not
to mention notebooks that connect to public wi-fi?

And even so, you qualified your claims with "probably" and "likely". As
I said, there are no absolute guarantees. There are no magical silver
bullets that will kill *all* attacks, surely, with zero false positives.

Every security tool must achieve a balance between the security it
offers and its shortcomings. In the case of the Firefox blacklist, the
choice between real-time blacklist checks and batch-downloaded updates
has to consider the following:

- Pro real-time checks: somewhat elevated security
- con: privacy concerns, increased latency

--
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized
use will be prosecuted under the DMCA.

-=-=-
... Sent from my Odyssey2.
* Added by TagZilla 0.7a1 running on Seamonkey 2.15
* Get it at http://xsidebar.mozdev.org/modifiedmailnews.html#tagzilla
Re: Phishing and Malware Protection
MCBastos wrote:
> So...
> Antivirus: missed it
> Other antivirus: about 75% chance of missing it.
> Google Safe Browsing: missed it
> ISP spam filter: flagged it as spam, but did nothing else. Not that it
> helps much, since this particular filter has a high rate of false
> positives. One of the myriad reasons I'm migrating to another ISP...
> Seamonkey spam filter: missed it (probably because it had my full name)

Filtering proxy looking at file type: would probably have caught it.
Software restriction policy at computer (AppLocker): would have caught it.
Operating as a nonprivileged user: would most likely have made the
malware fail to install in system directories.
Re: Phishing and Malware Protection
Interviewed by CNN on 30/01/2013 06:57, Daniel told the world:
> So I could still be visiting phishing sites because my database could,
> in part, be a week out of date!!

There's no guarantees of a complete database anywhere. For instance:

I have just received a phishing e-mail, trying to induce me to download
and open some sort of malware. I found it mildly interesting (as scams
go) because they actually included my full name, instead of sending a
generic message. Not that it's hard to buy lists of e-mails with full
user names...

Anyway, I decided to amuse myself giving it a check.

First thing: copied the link to GetLinkInfo.com to see what they could
tell about it. Not much, it turned out -- even the Google Safe Browsing
check gave the website a clean bill of health. (Apparently the site --
some sort of Chinese name in a .com domain -- is an image host, and the
malware distributor uploaded the crap as if it were an image)

Next step: check the malware itself. Yes, I know what I'm doing, I
routinely have to disinfect virus-possessed computers from clients, I
know how to keep from actually running a file. So I disabled plugins and
Javascript and very carefully opened the link. Turns out it was a .cpl
file, which is a big red flag for malware.

Anyway, my antivirus didn't complain. I uploaded it to Jotti.com and
Virustotal.com, and it got only about 25% hits, suggesting that it's
pretty new.

So...
Antivirus: missed it
Other antivirus: about 75% chance of missing it.
Google Safe Browsing: missed it
ISP spam filter: flagged it as spam, but did nothing else. Not that it
helps much, since this particular filter has a high rate of false
positives. One of the myriad reasons I'm migrating to another ISP...
Seamonkey spam filter: missed it (probably because it had my full name)

So there are no guarantees, you have to keep a sharp eye anyway.

Automated tools (antivirus, antispam, website black lists and such) help
by essentially cutting down on the volume of mail you have to actually
read and analyse. They won't ever get everything.

--
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized
use will be prosecuted under the DMCA.

-=-=-
... Sent from my Bugatti Veyron.
* Added by TagZilla 0.7a1 running on Seamonkey 2.15
* Get it at http://xsidebar.mozdev.org/modifiedmailnews.html#tagzilla
Re: Phishing and Malware Protection
Daniel wrote:
>> It is the same with virus scanners. That is why it is always better
>> to set up the system in such a way that software cannot be installed
>> or run as downloaded by the logged-in user. Use a separate account
>> for surfing and for administering the system (installing software).
>
> or use Linux and *don't* run it as Root!

Actually, Windows provides more and better mechanisms to guard the
non-admin user against unwilling execution of malware than Linux does.
The problem is that some of the mechanisms are not enabled by default,
and others are enabled but are often turned off by users because they
are considered too invasive.

The only real advantages a Linux user has over a Windows user are the
smaller number of Linux systems and hence less attraction from people
who want to break in, and the lack of standardization which makes it
difficult to develop portable applications (both for hackers and for
normal software developers).
Re: Phishing and Malware Protection
Rob wrote:
> Yes. That is how it always is. You can never get total protection
> from a system like this. Even with a system that queries an online
> server, you have the problem that you may visit a site that is not
> yet known to serve malware, so the server says "OK" and you get
> infected anyway.
>
> It is the same with virus scanners. That is why it is always better
> to set up the system in such a way that software cannot be installed
> or run as downloaded by the logged-in user. Use a separate account
> for surfing and for administering the system (installing software).

Antivirus publishers nowadays try to defeat the malware writers by
incorporating heuristic algorithms that are supposed to recognize
patterns even if the malware doesn't precisely match a known specimen.
The downside of that, as we've seen here, is a certain percentage of
false positives -- legitimate programs that are flagged because they
kinda sorta look like malware.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
Re: Phishing and Malware Protection
Rob wrote:
> Daniel wrote:
>> MCBastos wrote:
>>> Interviewed by CNN on 29/01/2013 10:47, Daniel told the world:
>>>> Rob wrote:
>>>>> Ray_Net wrote:
>>>>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>>>>> could this feature slow firefox.
>>>>>
>>>>> This is not very likely. The feature works by downloading a list
>>>>> of infected sites at a certain interval, then storing this list
>>>>> in a local file. The file is then consulted during browsing.
>>>>>
>>>>> So there is no extra query to a single server that has to reply before
>>>>> a page is shown, like in some competing system.
>>>>
>>>> Hey, Rob, in your first para, you say that a list is downloaded, so in
>>>> your second para, you *must be wrong* when you state there is "no extra
>>>> query to a single server that has to reply".
>>>>
>>>> Of course, this extra wait time will depend on how often SM has to
>>>> download the list of infected sites, daily, weekly, whatever.
>>>
>>> No, you missed the rest of the sentence: "...that has to reply before a
>>> page is shown."
>>>
>>> What Rob meant is that Firefox won't stop loading the page you want to
>>> visit while checking a particular server to see if that page is clean.
>>> Instead, it has a previously-downloaded blacklist of problem sites.
>>
>> So, e.g. Yesterday SM downloaded a list. The site I am now visiting was
>> not on that list, however this site may have been added to the list
>> overnight, so I've been phished/spammed/whatever, even though I was
>> doing the right thing!!
>>
>> Some protection, maybe, but not total!!
>
> Yes. That is how it always is. You can never get total protection
> from a system like this. Even with a system that queries an online
> server, you have the problem that you may visit a site that is not
> yet known to serve malware, so the server says "OK" and you get
> infected anyway.
>
> It is the same with virus scanners. That is why it is always better
> to set up the system in such a way that software cannot be installed
> or run as downloaded by the logged-in user. Use a separate account
> for surfing and for administering the system (installing software).

or use Linux and *don't* run it as Root!

--
Daniel
Re: Phishing and Malware Protection
Daniel wrote:
> MCBastos wrote:
>> Interviewed by CNN on 29/01/2013 10:47, Daniel told the world:
>>> Rob wrote:
>>>> Ray_Net wrote:
>>>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>>>> could this feature slow firefox.
>>>>
>>>> This is not very likely. The feature works by downloading a list
>>>> of infected sites at a certain interval, then storing this list
>>>> in a local file. The file is then consulted during browsing.
>>>>
>>>> So there is no extra query to a single server that has to reply before
>>>> a page is shown, like in some competing system.
>>>
>>> Hey, Rob, in your first para, you say that a list is downloaded, so in
>>> your second para, you *must be wrong* when you state there is "no extra
>>> query to a single server that has to reply".
>>>
>>> Of course, this extra wait time will depend on how often SM has to
>>> download the list of infected sites, daily, weekly, whatever.
>>
>> No, you missed the rest of the sentence: "...that has to reply before a
>> page is shown."
>>
>> What Rob meant is that Firefox won't stop loading the page you want to
>> visit while checking a particular server to see if that page is clean.
>> Instead, it has a previously-downloaded blacklist of problem sites.
>
> So, e.g. Yesterday SM downloaded a list. The site I am now visiting was
> not on that list, however this site may have been added to the list
> overnight, so I've been phished/spammed/whatever, even though I was
> doing the right thing!!
>
> Some protection, maybe, but not total!!

Yes. That is how it always is. You can never get total protection
from a system like this. Even with a system that queries an online
server, you have the problem that you may visit a site that is not
yet known to serve malware, so the server says "OK" and you get
infected anyway.

It is the same with virus scanners. That is why it is always better
to set up the system in such a way that software cannot be installed
or run as downloaded by the logged-in user. Use a separate account
for surfing and for administering the system (installing software).
Re: Phishing and Malware Protection
Philip Chee wrote:
> On Tue, 29 Jan 2013 23:47:18 +1100, Daniel wrote:
>> Rob wrote:
>>> Ray_Net wrote:
>>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>>> could this feature slow firefox.
>>>
>>> This is not very likely. The feature works by downloading a list
>>> of infected sites at a certain interval, then storing this list
>>> in a local file. The file is then consulted during browsing.
>>>
>>> So there is no extra query to a single server that has to reply before
>>> a page is shown, like in some competing system.
>>
>> Hey, Rob, in your first para, you say that a list is downloaded, so in
>> your second para, you *must be wrong* when you state there is "no extra
>> query to a single server that has to reply".
>>
>> Of course, this extra wait time will depend on how often SM has to
>> download the list of infected sites, daily, weekly, whatever.
>
> The Gecko backend downloads the phishing and malware data in "chunks" at
> a low priority. I think it takes up to a week for the complete tables to
> be downloaded. After that, any updates are also downloaded in chunks.

So I could still be visiting phishing sites because my database could,
in part, be a week out of date!!

> Back in the Triassic when the safe browsing code was still a separate
> Google Safe Browsing extension, there was code to do online lookups if
> the local copies of the databases didn't have information on a
> particular URL, but that functionality was removed a long time ago.
>
> Phil

--
Daniel
Re: Phishing and Malware Protection
MCBastos wrote:
> Interviewed by CNN on 29/01/2013 10:47, Daniel told the world:
>> Rob wrote:
>>> Ray_Net wrote:
>>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>>> could this feature slow firefox.
>>>
>>> This is not very likely. The feature works by downloading a list
>>> of infected sites at a certain interval, then storing this list
>>> in a local file. The file is then consulted during browsing.
>>>
>>> So there is no extra query to a single server that has to reply before
>>> a page is shown, like in some competing system.
>>
>> Hey, Rob, in your first para, you say that a list is downloaded, so in
>> your second para, you *must be wrong* when you state there is "no extra
>> query to a single server that has to reply".
>>
>> Of course, this extra wait time will depend on how often SM has to
>> download the list of infected sites, daily, weekly, whatever.
>
> No, you missed the rest of the sentence: "...that has to reply before a
> page is shown."
>
> What Rob meant is that Firefox won't stop loading the page you want to
> visit while checking a particular server to see if that page is clean.
> Instead, it has a previously-downloaded blacklist of problem sites.

So, e.g. Yesterday SM downloaded a list. The site I am now visiting was
not on that list, however this site may have been added to the list
overnight, so I've been phished/spammed/whatever, even though I was
doing the right thing!!

Some protection, maybe, but not total!!

--
Daniel
Re: Phishing and Malware Protection
On Tue, 29 Jan 2013 23:47:18 +1100, Daniel wrote:
> Rob wrote:
>> Ray_Net wrote:
>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>> could this feature slow firefox.
>>
>> This is not very likely. The feature works by downloading a list
>> of infected sites at a certain interval, then storing this list
>> in a local file. The file is then consulted during browsing.
>>
>> So there is no extra query to a single server that has to reply before
>> a page is shown, like in some competing system.
>
> Hey, Rob, in your first para, you say that a list is downloaded, so in
> your second para, you *must be wrong* when you state there is "no extra
> query to a single server that has to reply".
>
> Of course, this extra wait time will depend on how often SM has to
> download the list of infected sites, daily, weekly, whatever.

The Gecko backend downloads the phishing and malware data in "chunks" at
a low priority. I think it takes up to a week for the complete tables to
be downloaded. After that, any updates are also downloaded in chunks.

Back in the Triassic when the safe browsing code was still a separate
Google Safe Browsing extension, there was code to do online lookups if
the local copies of the databases didn't have information on a
particular URL, but that functionality was removed a long time ago.

Phil

--
Philip Chee
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
Re: Phishing and Malware Protection
Daniel wrote:
> Rob wrote:
>> Ray_Net wrote:
>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>> could this feature slow firefox.
>>
>> This is not very likely. The feature works by downloading a list
>> of infected sites at a certain interval, then storing this list
>> in a local file. The file is then consulted during browsing.
>>
>> So there is no extra query to a single server that has to reply before
>> a page is shown, like in some competing system.
>
> Hey, Rob, in your first para, you say that a list is downloaded, so in
> your second para, you *must be wrong* when you state there is "no extra
> query to a single server that has to reply".
>
> Of course, this extra wait time will depend on how often SM has to
> download the list of infected sites, daily, weekly, whatever.

No. There is no extra wait time. The download proceeds in the background
while you are working on your computer, not at the time you click a link.
Re: Phishing and Malware Protection
Interviewed by CNN on 29/01/2013 10:47, Daniel told the world:
> Rob wrote:
>> Ray_Net wrote:
>>> 2. A firefox guy is complaining about lag when accessing web pages ..
>>> could this feature slow firefox.
>>
>> This is not very likely. The feature works by downloading a list
>> of infected sites at a certain interval, then storing this list
>> in a local file. The file is then consulted during browsing.
>>
>> So there is no extra query to a single server that has to reply before
>> a page is shown, like in some competing system.
>
> Hey, Rob, in your first para, you say that a list is downloaded, so in
> your second para, you *must be wrong* when you state there is "no extra
> query to a single server that has to reply".
>
> Of course, this extra wait time will depend on how often SM has to
> download the list of infected sites, daily, weekly, whatever.

No, you missed the rest of the sentence: "...that has to reply before a
page is shown."

What Rob meant is that Firefox won't stop loading the page you want to
visit while checking a particular server to see if that page is clean.
Instead, it has a previously-downloaded blacklist of problem sites.

--
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized
use will be prosecuted under the DMCA.

-=-=-
... Sent from my BBC Micro.
* Added by TagZilla 0.7a1 running on Seamonkey 2.15
* Get it at http://xsidebar.mozdev.org/modifiedmailnews.html#tagzilla
Re: Phishing and Malware Protection
Rob wrote:
> Ray_Net wrote:
>> 2. A firefox guy is complaining about lag when accessing web pages ..
>> could this feature slow firefox.
>
> This is not very likely. The feature works by downloading a list
> of infected sites at a certain interval, then storing this list
> in a local file. The file is then consulted during browsing.
>
> So there is no extra query to a single server that has to reply before
> a page is shown, like in some competing system.

Hey, Rob, in your first para, you say that a list is downloaded, so in
your second para, you *must be wrong* when you state there is "no extra
query to a single server that has to reply".

Of course, this extra wait time will depend on how often SM has to
download the list of infected sites, daily, weekly, whatever.

--
Daniel
Re: Phishing and Malware Protection
Ray_Net wrote:
> 2. A firefox guy is complaining about lag when accessing web pages ..
> could this feature slow firefox.

This is not very likely. The feature works by downloading a list
of infected sites at a certain interval, then storing this list
in a local file. The file is then consulted during browsing.

So there is no extra query to a single server that has to reply before
a page is shown, like in some competing system.
Re: Phishing and Malware Protection
WaltS wrote:
> Ray_Net wrote:
>> I read here http://www.mozilla.org/en-US/firefox/phishing-protection/
>>
>> Firefox 3 or later contains built-in Phishing and Malware Protection to
>> help keep you safe online.
>>
>> The questions are:
>> 1. Would this feature also be implemented in SM?
>> 2. A firefox guy is complaining about lag when accessing web pages ..
>> could this feature slow firefox.
>
> Upon investigation of Firefox and SeaMonkey, I do not see the "Warn me
> when sites try to install add-ons", "Block reported attack sites", or
> "Block reported web forgeries", under Security preferences, or any
> corresponding "browser.safebrowsing" preferences in about:config in
> SeaMonkey 2.15.1.
>
> Firefox has these prefs. SeaMonkey does not.
>
> browser.safebrowsing.enabled
> browser.safebrowsing.malware.enabled
>
> They probably would not slow down Firefox.

You might look at Edit | Preferences | Advanced | Software Installation.
The first option is
[ ] Allow websites to install add-ons and updates
and if you click "Allowed websites," it opens the Permissions tab of the
Data Manager. From there, you can specify that a particular site does or
does not have permission to install software.

So that's a start. Philip Chee obviously knows more than I about this.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
Re: Phishing and Malware Protection
On Tue, 29 Jan 2013 01:02:16 +0100, Ray_Net wrote:
> I read here http://www.mozilla.org/en-US/firefox/phishing-protection/
>
> Firefox 3 or later contains built-in Phishing and Malware Protection to
> help keep you safe online.
>
> The questions are:
> 1. Would this feature also be implemented in SM?

I have a fully working patch in:

Bug 477718 - Implement Phishing Protection (a.k.a. Safe Browsing) support in SeaMonkey
<https://bugzilla.mozilla.org/show_bug.cgi?id=477718>

Currently undergoing reviews.

Phil

--
Philip Chee
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
Re: Phishing and Malware Protection
Ray_Net wrote:
> I read here http://www.mozilla.org/en-US/firefox/phishing-protection/
>
> Firefox 3 or later contains built-in Phishing and Malware Protection to
> help keep you safe online.
>
> The questions are:
> 1. Would this feature also be implemented in SM?
> 2. A firefox guy is complaining about lag when accessing web pages ..
> could this feature slow firefox.

Upon investigation of Firefox and SeaMonkey, I do not see the "Warn me
when sites try to install add-ons", "Block reported attack sites", or
"Block reported web forgeries", under Security preferences, or any
corresponding "browser.safebrowsing" preferences in about:config in
SeaMonkey 2.15.1.

Firefox has these prefs. SeaMonkey does not.

browser.safebrowsing.enabled
browser.safebrowsing.malware.enabled

They probably would not slow down Firefox.

--
Fedora 17 (64-bit) KDE 4.9.4
SeaMonkey Release
Re: Phishing and Malware Protection
Ray_Net wrote:
> I read here http://www.mozilla.org/en-US/firefox/phishing-protection/
>
> Firefox 3 or later contains built-in Phishing and Malware Protection to
> help keep you safe online.
>
> The questions are:
> 1. Would this feature also be implemented in SM?
> 2. A firefox guy is complaining about lag when accessing web pages ..
> could this feature slow firefox.

Should be in the later versions.

--
Phillip M. Jones, C.E.T.
"If it's Fixed, Don't Break it"
http://www.phillipmjones.net
mailto:pjones...@comcast.net
Phishing and Malware Protection
I read here http://www.mozilla.org/en-US/firefox/phishing-protection/

Firefox 3 or later contains built-in Phishing and Malware Protection to
help keep you safe online.

The questions are:
1. Would this feature also be implemented in SM?
2. A firefox guy is complaining about lag when accessing web pages ..
could this feature slow firefox.