SANS ISC: Cyber Security Awareness Month - Day 5 - Sites you should stay away from

As we wander down the path of Cyber Security Awareness Month, it is worth remembering that the Internet is, on one hand, a source of an unimaginable wealth of information and knowledge and, on the other, a scary place where evil lurks in dark corners. The question for the day is how to explore the Internet while avoiding nasty sites.

As a security practitioner I am often taken off the beaten path of the Internet to do research, so it is important that I have some help avoiding nefarious sites. Here are a few tools that I use:

  • I use Firefox with the Web of Trust add-on to help me identify potentially naughty sites. Web of Trust adds a coloured circle after each link: green for good, yellow for questionable, and red for bad. McAfee SiteAdvisor and other products do very similar things.
  • I use OpenDNS and its Web Content Filtering feature as an additional layer of protection.

If you have other tips on how to avoid nasty sites, please feel free to comment below or contact us via our contact form.

 Update from the contact form:

A number of websites can be used to check the reputation and safety of a site:

Locking down the hosts file is another option. The MVPS HOSTS project provides a good way to block ads and some troublesome sites.

If you still run Windows XP or earlier and must run as an administrator, there is an intriguing way to browse the web as a non-administrator.

 

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

I am a firm believer of prevention being better than cure.

Whenever I'm recommending security for home users, I recommend the following as a minimum on top of the standard AV and firewalls, etc.:

K9 Web Protection from Bluecoat (www.k9webprotection.com) - highly recommended (very low profile and extremely quick). I did put my parents on the OpenDNS filter once, but as their ISP used dynamic IPs which refreshed quite quickly, the filter became redundant because it bases the filter profile on the IP address you're using.

AVG LinkScanner - This tool actually scans sites within a search result for malware rather than relying on a database of "user experience".

Using a modified hosts file via Spybot and HostsMan also helps.

Alban
Anonymous
I run Firefox with adblocker and noscript. I also run spybot search and destroy and symantec AV.

All in all, it's a pretty client safe setup!
Anonymous
amilroy, to solve the OpenDNS issue with quickly rotating dynamic addresses you just need to install the OpenDNS updater on one of their computers. It will keep OpenDNS up to date.
Rick

ISC Handler
Comments through the contact page are recommending Firefox plug-ins like NoScript, AdBlock Plus and FlashBlock. Personally I use NoScript, but when I have subjected my non-computer-literate relatives to it, it rapidly becomes a case of "Allow all from..." repeated over and over. Perhaps I just need to be more patient explaining.
Rick

ISC Handler
I'll take a pass on OpenDNS... they hijack DNS requests that return an NXDOMAIN.
Anonymous
@joeblow: Yes, OpenDNS hijacks NXDOMAIN. It's how they pay for the free service, and they're up-front about it. That would be a real pain to me and you investigating networking and connectivity issues and general internet things. But it's fine for my mother or my kids. I'm a qualified fan of OpenDNS and have my iptables firewall ensure that *all* the kids' DNS requests go there via DNAT regardless of how the individual systems are (mis)configured.
Hal


For my part, a while ago I started using Immunet, which is a cloud-based AV (yeah, right!!). Their solution co-exists with other AVs; mine is Avast. (Not the best, I know, but it's free.)

The reason I mention it, is that recently Immunet blocked two nasties on my system and I thought that was really good, since it was seemingly coming from my browser.

And I use Firefox with noscript, but that does not end all threats. Don't forget to mention no-admin-rights on the browser.

If only FF could run with low integrity level...
Hal
There are huge caveats with a "sites to stay away from" methodology - namely, you're in fact teaching that there are sites that can be trusted.

Obviously, this is patently false. q.v. any ad-stream injection, the Seattle Seahawks, CNN, whatever - none of these were "sites to avoid".

As for defense-in-depth - a combination of Firefox + NoScript and/or Sandboxie.
Steven

@Steven: While most of us will agree that no sites can be really trusted, there are clearly some sites that should be avoided as they contain known bad content (for some definition of "bad content")

I also use K9 on my kids' machines, and OpenDNS for the home network (with the OpenDNS updater). Also using Avast for AV duties.
Steven
My home network is set up to require web browsing via a proxy server (Squid), and I automatically update the proxy's domain block list from malwaredomains.com

At the client end, Firefox + NoScript.
John Hardin

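The two domain-blocking approaches mentioned on this page (the diary's MVPS hosts file, and John Hardin's Squid proxy fed from a malware domain list) match hostnames differently, and the difference matters in practice: a hosts file is an exact-name lookup, so a blocked `ads.example.com` says nothing about `cdn.ads.example.com`, whereas a Squid `dstdomain` entry written with a leading dot covers the domain and every subdomain under it. The following Python script is an added example written for this page; it is not code from the diary, from the commenter, from the MVPS project or from malwaredomains.com. Both input lists are constructed samples, the function names are my own, and the Squid matching is emulated in Python rather than run through Squid.

```python
"""Hosts-file blocking vs. Squid dstdomain blocking: what each actually matches.

Added example, not code from the SANS ISC diary or its commenters.
"""

# Constructed sample in the style of an MVPS-type hosts file (not the real list).
HOSTS_SAMPLE = """\
# constructed sample hosts file; not the MVPS HOSTS download
127.0.0.1  localhost
0.0.0.0  ads.example.com          # banner rotator
0.0.0.0  tracker.example.net
0.0.0.0  www.malware.example.org
"""

# Constructed sample in the one-domain-per-line style of a malware domain list.
DOMAINS_SAMPLE = """\
## constructed sample; not malwaredomains.com data
malware.example.org
tracker.example.net
"""

# Loopback names that a hosts file maps locally for legitimate reasons.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return the set of hostnames a hosts file sinkholes to a local address.

    Hosts lines look like '<ip> <name> [<name>...]  # comment'. Only entries
    pointing at 0.0.0.0 / 127.0.0.1 / ::1 count as blocking, and the usual
    loopback names are skipped so they are not reported as 'blocked'.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in ("0.0.0.0", "127.0.0.1", "::1"):
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def hosts_blocks(blocked, host):
    """A hosts file is an exact-name lookup: no wildcards, no suffix matching."""
    return host.lower().rstrip(".") in blocked


def to_squid_dstdomain(text):
    """Turn a plain domain list into Squid dstdomain entries.

    A leading dot tells Squid to match the domain itself and every subdomain.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.append("." + line.lstrip("."))
    return entries


def squid_blocks(acl, host):
    """Emulate Squid dstdomain matching: '.example.org' matches example.org and
    anything ending in '.example.org'; an entry without a leading dot matches
    that exact name only."""
    host = host.lower().rstrip(".")
    for entry in acl:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def squid_config(acl, acl_name="malware_domains"):
    """Render the ACL as squid.conf lines (acl name is an assumption)."""
    lines = [f"acl {acl_name} dstdomain {entry}" for entry in acl]
    lines.append(f"http_access deny {acl_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    blocked = parse_hosts(HOSTS_SAMPLE)
    acl = to_squid_dstdomain(DOMAINS_SAMPLE)
    probes = ("ads.example.com", "cdn.ads.example.com",
              "malware.example.org", "www.malware.example.org", "localhost")
    for host in probes:
        print(f"{host:26} hosts={hosts_blocks(blocked, host)!s:5} "
              f"squid={squid_blocks(acl, host)}")
    print(squid_config(acl))
```

Running it shows `cdn.ads.example.com` sailing past the hosts file while `www.malware.example.org` is caught by the dotted Squid entry. In a real deployment you would write the generated entries to a file and reference it from squid.conf with `acl malware_domains dstdomain "/etc/squid/malware_domains.acl"` (path is an assumption), which is also what makes the automatic list refresh John describes practical.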
My husband works from home so I made him install NoScript. Since he has to Allow every site he goes to for work or pleasure he doesn't see how that is protecting him. What can I tell him so he doesn't act on his threat to set NoScript to allow everything?

Thanks for all the excellent advice.
Julia

You can't tell him anything really... except teach him to be an IT security expert. NoScript, IMO, is one of those tools that is great for us IT security types, but useless for regular people. You're much better off going with a URL/site/malware domain filtering solution, and layering in additional security tools (HIPS, AV).
Shawn

My home network has Kaspersky HIPS & AV on all workstations, OpenDNS, Windows Live Family Safety, and I run an OSSIM box that collects logs from all the machines and syslogs from the firewall as well as IDS/IPS and regular vulnerability scanning. Am I paranoid? Yes. Is my family protected? Yes.
I just wish I had the resources to roll a solution like that out at work.
RobM

