Lindsay Haisley (Mon, 21 Mar 2011 11:11:52 -0500):
> I'm putting this in a separate thread because IMHO it has nothing to do
> with any problems I'm having, but with desktop security in general.
>
> On Mon, 2011-03-21 at 09:57 +0100, Roman Zilka wrote:
> > The third suggestion is probably the most important one: being NAT'd
> > and being behind any iptables configuration (that allows for operations
> > such as sending mail and browsing the web) doesn't make your PC
> > invulnerable or anything near that. In other words, active break-in
> > attempts via open ports are by far not the only option hackers have.
>
> So give me an example, Roman, assuming one's firewall is intact and
> functioning as designed. The only such class of possible exploits I can
> think of is the possibility of importing a virus, trojan, worm, etc. via
> email, or possibly via a web script. Linux viruses propagated via email
> are scarcer than hen's teeth, and an exploit imported thusly which would
> leverage a vulnerability in a specific problem kernel is almost
> certainly rare enough to be considered nonexistent in the wild as a
> practical matter. Please cite specific viruses/trojans, and if you can,
> reported cases of such exploits. In other words, don't blow smoke at me
> or throw out generalized assertions without citing evidence to support
> them.

Yes, the firewall being 95% of all the defense necessary is an outdated
story (ignoring social engineering now). Take a web browser: it's so
complex with so many things in it that could be abused by a malicious
website (that perhaps didn't even want to do bad stuff, but got hacked
yesterday)... Donnie Berkholz mentioned a few. The most common browser
plugins - Flash and Acrobat - and their security holes are considered
one of the greatest threats to a desktop user. As long as you browse
the web, you're exposed and the firewall will let it all through, of
course, because you do want to browse the web. As a result of a
security hole abuse, your PC may get infected with a well-hidden
keylogger and/or backdoor which doesn't have to wait for a connection
from the outside (because the firewall would prevent that).

Apart from that, you may once in a while get tempted to open a piece of
spam which just happens to look so legitimate. And this item happened
to contain a 1x1 pixel white image which abused a hole in libmng which
you'd always ignored, because you just never view mng files.

Of course, it's not just the browser and mail client that deal with
something coming from the Internet.

DNSSEC is also on the table nowadays. No firewall will protect you from
spoofed DNS replies that will lead your browser to a malicious site.

Also, you mentioned earlier that you access various VPNs. I don't know
much about VPNs, and topologies and configurations may clearly vary
broadly, but I suppose there can be a setting such that your PC will
get exposed to direct traffic from the VPN peers. NAT or not NAT.

There's a gargantuan mass of data on these and more issues lying around
the web. Google will give you more reading on the topic.

-rz
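The point above about a backdoor that "doesn't have to wait for a connection from the outside" is that a NAT'd, stateful firewall lets anything the host itself initiates pass. As an added illustration, not part of this thread, the following script parses the Linux /proc/net/tcp format and lists ESTABLISHED connections the host opened outward to non-RFC1918 addresses, which is what a defender would review on such a desktop. The sample rows are constructed, and the TEST-NET-3 address 203.0.113.1 stands in for an arbitrary Internet host.

```python
import ipaddress

# Address blocks that stay "inside" a NAT'd LAN; anything else is the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# row 0: sshd listening on port 22; row 1: an SSH session to a LAN host;
# row 2: a session from a high local port to 203.0.113.1:443 (TEST-NET-3).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0A00A8C0:A1B2 0100A8C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1002 1 0000000000000000 20 4 30 10 -1
   2: 0A00A8C0:B3C4 017100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """'0A00A8C0:0016' -> (IPv4Address('192.168.0.10'), 22); IPv4 is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(ip_hex), "little"))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote endpoints, state name, owning uid."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": STATES.get(f[3], f[3]), "uid": int(f[7])})
    return rows


def outbound_to_internet(text):
    """Connections this host itself initiated to addresses outside RFC1918 space."""
    rows = parse_proc_net_tcp(text)
    listening = {r["local"][1] for r in rows if r["state"] == "LISTEN"}
    hits = []
    for r in rows:
        rip, rport = r["remote"]
        if r["state"] != "ESTABLISHED" or r["local"][1] in listening:
            continue  # not a live connection, or accepted on a port we serve
        if any(rip in net for net in RFC1918):
            continue  # LAN peer: NAT keeps this on the inside
        hits.append((str(rip), rport, r["uid"]))
    return hits


if __name__ == "__main__":
    for ip, port, uid in outbound_to_internet(SAMPLE):
        print(f"outbound to {ip}:{port} by uid {uid}")
```

On a real host, read /proc/net/tcp (and /proc/net/tcp6 for IPv6) instead of SAMPLE; the inode column lets you map a hit back to a process via /proc/*/fd.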