Web Page Safety ?

[hellosailor]

After getting infected by some realy nasty malware that someone had loaded on an innoculous web site I visited...I've doubled the guards and set phasers to kill.

And that means the Cruisersforum web pages are generating warning messages now, apparently because they (or the ads on them) are using scripts, or plug-ins, or other usually innocent technologies that can and do sometimes carry malware--even if the webmasters have no idea of it.

I get prompted with:

"Do you want to allows software such as scripts and Active-X plugins to run?"

And the inevitable "do you want to run Adobe Flashplayer?" which is a known long-time carrier of malware, watch how often Adobe patches it nowadays to try playing whack-a-mole with the bad guys.

So I put this question out to the owners and webmaster: WHY?

WHY DO RUN THIS STUFF? The pages appear to load and run just fine when it is blocked, so why not make a firm habit of simply not using this code, so you simply can't pass on a malware problem? And, so your pages will load without triggering security dialogues, for those of us who are now running in high security mode?

Give it a thought, set your own browser to high security settings, and watch what happens. You don't need that stuff, we don't need that stuff, why don't we make sure that everyone checks their weapons at the door?

[Chief Engineer]

It will probably disappear...but cruisers forum has ads on in for windows registry scan

I would off to cut the bollocks off of the guys that come up with this stuff....

Maybe stoning with infected laptops.

[hellosailor]

It isn't just an odd page here or there, but 10/10 and growing.

This page didn't ask me about Flash, but it did generate another script warning, again. Needs scripts? To do...What?? Apparently nothing that stops the page from rendering, or replies being posted, or notifications being sent.

As George Carlin said, "TOO MUCH STUFF!"

Years ago some of us almost started a group to chase down the folks who put out the malware, but we got all bogged down in whether the uniforms would have to be leather, or spandex. You know, superheros can't shop at The Gap.<G>

[Serenity_]

"Ads by Google" is a script

I doubt you or anyone will be able to get the owner to take off the ads, it creates revenue for this site which helps keep it going.

What browser do you use?

[maxingout]

Are the Apple computers susceptible to this malware problem?

[colemj]

Quote:

Originally Posted by maxingout

Are the Apple computers susceptible to this malware problem?

They are "susceptible" in theory but not in practice. Unless you are running Windows on the Mac. Active x controls are windows only. Other script kiddy stuff endemic and prolific on the web cannot get around the basic Unix architecture of the Mac operating system. I have no problems on this site and no ads anywhere using ad blocker software on the Mac. I operate the computer right out of the box without any additional setup or security software and have never had a security issue.

Mark

[osirissail]

Shhh! don't tell anybody, but TaoJones put me onto "AdBlock Plus" Install it into your Mozilla if you are using it and all that stuff is history. Things load faster and don't hang up when Adverts try to load scripts. Don't tell anybody, though, because the forum is paid for by the Advert's.

[hellosailor]

"have never had a security issue." YET. Bear in mind that security issues for the Mac and other UNIX versions are documented and happen regularly, and the major security organizations (including SAN and CERT) say they are no more secure than Windows. The Mac is simply an unpopular computer, compared to the PC, and as such fewer people target attacks looking for it. That does not make it safe, except to say fewer folks are out gunning for you.

Accodring to apple's own support pages:
Java for Mac OS X 10.6 Update 2

"About Java for Mac OS X 10.6 Update 2
Java for Mac OS X 10.6 Update 2 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_20."

Would Apple say they released an update that improves security, if there wasn't a security problem to start with?

I've also been "quite" secure on the PC platform, for years, but this time something found a way to get in, through Sun Java I think, despite the fact that I run unusually high security settings.

Getting the unneccessary active technologies off web pages makes us all more secure, on all platforms. Whether they are necessary here (i.e. generating revenue) or not, I don't know.

[mintyspilot]

Although I run desktop Linux rather than Windows I use Firefox and AdBlock Plus. Being in the software industry I am aghast that ActiveX has not been killed off yet as it is the single biggest route for infecting Windows machines.

There ARE some simple things you can do to minimise your chances of infection.

1) Do not use Internet Explorer (IE). If you must use it, use the latest version. If you can, avoid all Microsoft technologies that utilise ActiveX and that includes MS-Messenger..

2) No browser is totally safe, but FireFox and Opera are "less unsafe" than IE

3) On Firefox, always use an advert blocker. AdBlock Pro is good.

4) Consider using Firefox's "no script" add on as well. This is simple to do

5) Most windows machines automatically run in "Administrator" mode - consider creating a different Windows user who only has "guest" privileges and use that instead. This removes the ability to install software through a "drive-by download". You can use the "standard" user for adding or removing software.

6) If all you use the machine for is email, surfing and writing office documents then consider moving to Linux. Ubuntu is "mac-like" and SUSE or PCLinuxOS are more "Windows-like". Try it on some old kit if you have a spare machine. In general, Linux needs less resources than Windows and will run well on older kit.

Anti-virus and anti-malware programs are typically about 60%-80% effective so something will always get through them no matter what you do. The points above will help you avoid getting infected, but are no guarantee of total success.

On the family PC (running XP) I removed the Internet Explorer icon from the desktop, installed Firefox, replaced Outlook Express with Thunderbird and disabled Messenger. With a few other tweaks it took the girls 4 years to infect the PC.

[hellosailor]

"4) Consider using Firefox's "no script" add on as well. "
Add-on? Funny thing, MSIE has offered that as an internal security setting for years now.<G> I think since at least v.6. Mine is set to prompt rather than simply disable, so I know a web page is trying to run one.
Until and unless HTML5 can get established as a standard...MSIE really has been the defacto standard since HTML3.2 was obsoleted. Every browser has been different, and even though MSIE is down to something like a 65% market share, it still is the 800# gorilla in the room, which is why I stick to it.

Couple of years ago I was trying to complete a form (related to a background security check with a selected vendor who was providing security services) and got a security warning from MSIE6.x. Their tech support--at a security vendor--said "Oh, that's a known bug in MSIE, just disable the blah blah blah". MSIE is easy to slam, MS hasn't always been a stellar example. But in that case, I was also able to confirm that the error was an invalid security certificate fro the vendor. Who denied it vehemently--but the certificate issuer confirmed it was revoked and invalid. Not an MSIE problem.

MSIE, Windows, never been perfect. But not always the problem. It is indeed quite possible to still put up a web page (in HTML3.2 even) and have everything run just fine--without all the glitz and dangers.

Right now, "this" web page shows some 3400 lines of code when viewed in source mode. At a casual read, I only see Javascript being invoked, but I could easily have missed something else in 3400 lines.

[RainDog]

Quote:

Originally Posted by maxingout

Are the Apple computers susceptible to this malware problem?

Yes. All computers (and cell phones) are vulnerable to Mal-ware. Luckily the vendors do a good job of staying ahead of the curve. If you are not regularly installing the latest patches, you are vulnerable.

If you stay up to date with you patches and do not click on questionable links, you should be pretty safe.

Even if you are using a Mac, make sure you are regularly installing the latest security updates.

[mintyspilot]

Quote:

Originally Posted by hellosailor

"4) Consider using Firefox's "no script" add on as well. "
Add-on? Funny thing, MSIE has offered that as an internal security setting for years now.<G>

Firefox gives a lot of options for disabling scripts as internal settings too, but noscript offers an even better option.

Of course, the best security is not to go where the danger is in the first place. Music sharing websites offering "cracked" or illegal downloads are usually rife with "drive-by downloads"

As I pointed out above, the biggest security enhancement in Windows is to use a limited account rather than the Administrator account that 99% of people actually do use. Macs and Linux boxes are "more secure" (note the quotes!!!) because their default is to force the user into a limited account thus removing the ability to install software.

[colemj]

Quote:

Originally Posted by mintyspilot

Macs and Linux boxes are "more secure" (note the quotes!!!) because their default is to force the user into a limited account thus removing the ability to install software.

This isn't really true. The default account for a user is an administrator account that certainly has the ability to install software, as well as control all aspects of the system. The difference over windows is that software cannot be installed without involving the user in the installation. The user will see, facilitate and agree to any software being installed.

The argument that there isn't any malware for macs because they aren't as popular is silly. There are a lot of mal-writers out there who would love the notoriety and "fame" of getting past that gate. Also, there are 94 million macs out there in use ( NumberÂ*ofÂ*MACÂ*Users | Number Of | How Many ). Spammers, malware and bot writers would be nuts to ignore putting these extra processors to work for them and to "market" to this size of a community of spam virgins.
Even if the argument was true, wouldn't that make the mac a better platform for safety, if only because it purposefully isn't targeted as much?

The reality is it is not easy to get malware on unix-based systems. In fact, it is difficult. Even through flash. If linux or macos became the most popular system overnight, malware would dramatically drop - perhaps so much as to be economically unsustainable.

Mark

[hellosailor]

"The argument that there isn't any malware for macs because they aren't as popular is silly. "
I think you misread something, Mark. I don't think any of us said that. Macs aren't as popular as PCs, so folks who want to harvest, say, a hundred thousand VISA account numbers will be more successful if they target PCs rather than Macs. And as a result of that--most of the malware authors target PCs. Attacking PCs rather than Macs is simply a better return on their investment (their time).
This is totally valid, and it is the same reason that firemen in major US cities usually drive a "beater" to work. That's a car which runs, and usually runs well, but looks ugly as all sin and no one in their right mind would want to steal one. Park a nice shiny popular car outside a fire house all day--and it gets stolen, because the thieves know there's no one watching it when the fire trucks go out. Thieves ain't all stupid.

As to administrative accounts and user access...I think you folks are ignoring the fact that "Windows" is not an operating system. There are two Windows OSes currently supported, Windows Vista (NT6.0) and Windows7 (NT 6.1) for the non-server market. On both of these there is a new encumbrance called UAC, User Account Control, and setting up the default account as administrator is no longer encouraged or needed.

I know, things are different in XP. Well, that's a ten year old OS now, you might as well compare it to whatever Apple was running a decade ago, before they cut over to Unix with a Mac shell.

REGARDLESS of the OS, internet safety and security is enhanced when active technologies and unknown scripts simply aren't used and don't need to run. And they usually don't need to be used, other than for convenience and glitz. Might as well add ten coats of varnish over the brightwork while we're at it. (Pretty, but high maintenance.)

[barnakiel]

Quote:

Originally Posted by hellosailor

... And that means the Cruisersforum web pages are generating warning messages now, apparently because they (or the ads on them) are using scripts, or plug-ins, or other usually innocent technologies that can and do sometimes carry malware--even if the webmasters have no idea of it...

... (Java?) scripts and Active-X plugins to run...

... Adobe Flashplayer ...

WHY DO RUN THIS STUFF?

Hi,

I design and run web sites / blogs / etc for cruisers / sailors / travelers and from this perspective I can tell you that:

1) it is not Cruisersforum pages that generate the messages, it is your browser, and your browser is probably wrong,

2) java, javascript, flash, etc., are not malware, unless they are designed to do just that, which is not likely in case of Cruisersforum,

3) the stuff is run to make the best use of the medium (the Internet and the digital word), unless proven otherwise.

With this attitude I can imagine you do not use Google, Gmail, Facebook, Youtube to name a few, as these are truly loaded with the same stuff (java (s), flash, active-X, cookies, php, mysqul, ajax, appache, windows, microsoft, internet, oughaourrrrrrr ;-).

In normal situation (with the firewall up and anti-vir ticking) it is very, very difficult to get any harm.

But I do agree with you that some of Adobe stuff is crap and I would ask every designer or admin to avoid it. Why make pages that demand from the viewer to use a specific commercial extras, if we can get the same effects in a lighter package and for free?

barnie