
Secure Your Home Computer


By: TomCat Internet Solutions, 03/06/2005



Careful when Executing Files


Never allow a downloaded application or any downloaded executable content to launch on its own, and be especially careful of downloading files that end in exe, bat, vbs, and com.

ActiveX and Java Class


Never accept and run an "ActiveX Control" or "Java Class" unless it comes signed and from a trusted site. It is best to force your browser to prompt you for permission. Not only could you be granting permission for the installation of something malicious, you could become a victim of browser hijacking. If you are using Internet Explorer, these settings are located under Control Panel - Internet Options - Security - Internet, Custom Level. Mozilla, Opera, and Netscape users are prompted by default.

Browser Hijacking


In a browser hijacking, your browser's default start and search pages are changed by malicious web sites and/or software. This most commonly affects users of Microsoft Internet Explorer, usually through the download and installation of ActiveX controls and plug-ins on browsers where the options for "download" and "run" are set to "enable" in your Internet settings. The change is triggered either by some action of your own while browsing the site (a mouse click or a click on a link) or simply by visiting a site, where code is executed as the page loads for you to view. Sometimes Internet shortcuts are also added to your Favorites folder without your permission.


Install on Demand


Disable "Install on Demand" if you are using Internet Explorer so your browser will be forced to prompt you if additional components are needed in order to display certain content. This setting is located under Control Panel - Internet Options - Advanced.


Careful with JavaScript


While JavaScript may be fine for internet browsing, it can be dangerous when enabled for e-mail. Many internet users keep JavaScript disabled for everything in their browsers. The fear of this widely used internet programming language results mostly from the discovery of security holes in browsers and e-mail clients, especially Microsoft Internet Explorer and Outlook. In fact, the first thing Microsoft will advise when a new security hole is discovered is "disable active scripting in your Internet Security settings". Although this is certainly one method of controlling what a hostile script might do until the next browser patch or update is issued, it makes far more sense to understand what scripting can and cannot do. While the vulnerabilities are especially a risk in programs where patches and updates are not applied, the threat is persistent in every program since new vulnerabilities have yet to be discovered. Still, it takes a wide-open, unprotected system plus your authorized permission before JavaScript can allow anything damaging to enter your computer through your browser.

One way to begin understanding how JavaScript behaves is to know how it is used. JavaScript can control the appearance and content of the web browser, open new windows and display HTML dynamically, open links to new sites, pop up dialog boxes, click forward and back through the user's browser history, and set and read cookies. In addition, JavaScript can interact with Java applets and with browser plug-ins. Although some of the scripted behavior, for example pop-up ads, unnecessary cookies and/or information gathering such as referers (transmission of your last visited address), is undesirable and downright unwanted, much more is there to simply enhance the appearance and performance of the sites you visit. By disabling JavaScript you will miss the entire web experience as it is designed to be seen, and you will lose all interactivity from mouseover effects to form input and everything in between.

Yes, scripts can get nosey - they can look for your browser version, look for your IP address, look for your cookies, and record the referer address; but there are better ways to control this than entirely disabling JavaScript. Consider this, too... in knowing your browser version you will be shown a page that is designed specifically for you, as the coding and display elements are different for each one. Your IP address is no secret anyway since you can't even get past your ISP and connect to the Internet without one; and in order for you to use the Internet at all, information must be able to find its way back to your computer. Besides, it is going to take more than disabling JavaScript to keep your IP address a secret from everyone. As for cookies, banner ads, pop-up windows, referers and the like, they are more effectively controlled with a cookie/content filter that will allow you to accept what you want while discarding everything else.

If completely hiding your IP address from the world is that important to you, anonymizer services are available - some are free, some charge small monthly fees. An anonymizer is used as a proxy, or a "middle man", to mask your IP address between you and the rest of the Internet. For obvious reasons, though, you might still need to disable this proxy in order to connect to certain sites (for example online banking). And keep in mind that anonymizer services cannot guarantee anonymity 100%. Also keep in mind that you are not anonymous from them - they cache a trail of every site you visit. It is far better to avoid the sites where you feel an anonymizer might be needed.

But what about intrusions into your computer?
Fact: JavaScript cannot read or write local files and cannot open network connections except within the confines of browser capabilities... and you are in control of setting those rules!

JavaScript alone is not a threat. The threat comes when JavaScript is used to execute some "other action" such as placing hostile active content in the form of an ActiveX Control, Java Class file, or some other executable content on your computer. These are little programs, much like plug-ins, that are downloaded to your computer in order to allow a certain event to take place such as auto-installing a program or update, or running some visual or interactive effect. They should ALL be signed - proof of who they say they are, like a digital certificate you might use for your own e-mail. They should always come from the site you are visiting and they should always be forced with browser settings to ask for permission before they come in - they won't get in if you say "no".

If your guard is down, though, something nasty can get in whether you have JavaScript enabled or not: a trojan, the most aggressive of all intruders. Trojans are disguised as innocent programs and most often arrive hidden inside e-mail attachments or programs that are downloaded from the Internet. They are mentioned here only because you need to know, and we repeat: they can get into your computer whether you have JavaScript enabled or not! Your best defense here is to always use a virus and trojan scanner along with a good, reliable firewall, and of course, don't allow anything to execute on your computer without your permission. Remember: permission must be authorized by you before JavaScript can allow anything damaging to enter your computer through your browser.
















Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget
