The Notebook Review forums were hosted by TechTarget, who shut down them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    How do you protect yourself from web surfing vulnerabilities?

    Discussion in 'Security and Anti-Virus Software' started by Peon, Jan 27, 2013.

  1. Peon

    Peon Notebook Virtuoso

    Reputations:
    406
    Messages:
    2,007
    Likes Received:
    128
    Trophy Points:
    81
    For example, browser vulnerabilities, drive-by downloads, zero-day exploits in Flash, maliciously-crafted PDFs, etc.

    My current approach, while virtually bulletproof, is also extremely resource heavy. I have to reserve 4 GB of RAM (70% of which is unused most of the time) just for Firefox.
     
  2. Geekz

    Geekz Notebook Deity

    Reputations:
    613
    Messages:
    974
    Likes Received:
    2
    Trophy Points:
    31
    Well, in the rare cases where I need to visit malicious sites, I'd do it on a virtual machine or sandboxed browser; that way it will only infect the sandbox or garbage VM. For questionable files I upload them first to be scanned here (Jotti's malware scan), provided it's a small file.


    Aside from those, AdBlock, NoScript on Firefox, and just Microsoft's Security Essentials running on my machine.
     
  3. Aeny

    Aeny Notebook Consultant

    Reputations:
    110
    Messages:
    169
    Likes Received:
    93
    Trophy Points:
    41
    List of stuff I use to keep my laptop safe on the World Wide Web:
    Keeping everything up to date, checking daily for new drivers and programs.
    EMET3.5 hooked on pretty much every process that can take it without crashing. (I'm looking at you, DROPBOX :mad:) with as much options on as the process can take.
    Very strict Windows firewall rules.
    Windows Defender (MSE) as AV with update interval set to 2 hours with Task Scheduler, plus a full scan every night when my laptop is doing nothing anyway.
    UAC on max setting.
    Not running with admin rights/account by default.
    Noscript, Ghostery, Bitdefender Trafficlight on 64bit firefox.
    Norton DNS.
    MBAM/CCE/Emisoft Emergency Kit for on-demand scanning.
    Keeping Windows 8 up to date.
    Virtual Machine for questionable things with the exact same setup inside.

    The last time I ran into a zero-day was trojan Vundo around 2007 which Avira was able to detect back in those days but not remove. I ran into a driveby download not so long ago though and MSE stopped it nicely.
    I'm currently looking to bring some sort of sandboxing into the mix but I'm not sure yet how. If you'd let me anywhere near sandboxing I'd sandbox every single process I came across :D

    I guess my setup is a little low on zero-day and exploit protection. All I have to reduce that risk is EMET basically, and UAC/LUA if I'm lucky, and me only allowing scripts to run on websites I trust. But I haven't run into any trouble yet.
    I'm interested, what is your current approach?

    ~Aeny
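    One way to set up the Defender scheduling Aeny describes above (signature updates every 2 hours plus a nightly full scan), as an added example that is not part of the original thread and not Aeny's own configuration: it assumes Windows 8 or later with the ScheduledTasks PowerShell module, MpCmdRun.exe in its default location under Program Files, an elevated PowerShell session, and 03:00 as an hour when the laptop is idle (the task names and the scan hour are made up for the example).

```powershell
# Added example (not from the thread): two scheduled tasks that pull Defender
# signature updates every 2 hours and run a full scan nightly.
# Run from an elevated PowerShell prompt on Windows 8 or later.
# Assumptions: MpCmdRun.exe is in its default location, and 03:00 is an idle hour.

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "MpCmdRun.exe not found at $mpCmdRun"
}

# Run as the built-in SYSTEM account so the tasks work regardless of who is logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest

# Keep running on battery (it's a laptop) and don't pile up overlapping instances.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew

# Task 1: signature update every 2 hours. A long finite repetition duration is used
# instead of [TimeSpan]::MaxValue because the latter is rejected on some Windows builds.
$updateAction  = New-ScheduledTaskAction -Execute $mpCmdRun -Argument '-SignatureUpdate'
$updateTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 2) `
    -RepetitionDuration (New-TimeSpan -Days 3650)
Register-ScheduledTask -TaskName 'Defender Signature Update (2h)' `
    -Action $updateAction -Trigger $updateTrigger `
    -Principal $principal -Settings $settings -Force

# Task 2: full scan nightly at 03:00 (MpCmdRun -ScanType 2 = full scan, 1 = quick scan).
$scanAction  = New-ScheduledTaskAction -Execute $mpCmdRun -Argument '-Scan -ScanType 2'
$scanTrigger = New-ScheduledTaskTrigger -Daily -At '03:00'
Register-ScheduledTask -TaskName 'Defender Full Scan (nightly)' `
    -Action $scanAction -Trigger $scanTrigger `
    -Principal $principal -Settings $settings -Force

# Verify: both tasks are registered, and the signature timestamp moves after the first run.
Get-ScheduledTask -TaskName 'Defender *' | Select-Object TaskName, State
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion
```

    The point of the verification step is that a scheduled task can exist and still silently fail (wrong path, not elevated, task disabled by policy); checking AntivirusSignatureLastUpdated after a couple of hours is how you confirm the 2-hour interval is actually doing something.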
     
  4. Pirx

    Pirx Notebook Virtuoso

    Reputations:
    3,001
    Messages:
    3,005
    Likes Received:
    416
    Trophy Points:
    151
    That's nonsense. Other than running your machine in a secure configuration (meaning, UAC at max settings in Windows 7), and staying up-to-date with security updates for OS and applications, there is absolutely no need to do anything special, beyond perhaps a basic free anti-virus application.

    As an aside, all those things you mentioned, while possible in theory, are, in practice, mostly myths. Given the above measures, the probability of getting hit with a zero-day exploit is so tiny as to be negligible. Anything else is pretty much under the control of the user. Just install those security updates. Practically all viruses that people get hit with have simply been installed by the user.
     
  5. Pirx

    Pirx Notebook Virtuoso

    Reputations:
    3,001
    Messages:
    3,005
    Likes Received:
    416
    Trophy Points:
    151
    Then it was not a zero-day exploit.

    There are no "driveby downloads". None of the existing browsers allow them.

    You do understand that both IE and Chrome, at least, run sandboxed in their standard configuration, right? I'm not sure about Firefox, but I would be surprised if the same wasn't true for it as well.
     
  6. JOSEA

    JOSEA NONE

    Reputations:
    4,013
    Messages:
    3,521
    Likes Received:
    170
    Trophy Points:
    131
    I run Ubuntu 12.04.1/Firefox/Ad Block Plus/NoScript and keep everything up to date.
    Also, the Java Runtime is not installed.
     
  7. baii

    baii Sone

    Reputations:
    1,420
    Messages:
    3,925
    Likes Received:
    201
    Trophy Points:
    131
    If you have info that is so sensitive and valuable on the machine, you are better off using another computer on a separate network.
     
  8. Aeny

    Aeny Notebook Consultant

    Reputations:
    110
    Messages:
    169
    Likes Received:
    93
    Trophy Points:
    41
    Correct on both counts (I stretched the terms a bit because otherwise I would have NEVER run into anything like that, for reasons stated in this topic). I am very sorry for spreading such misinformation.
    I understand both IE and Chrome have sandboxing, and it seems Firefox is working on getting one. However, sandboxes can be broken out of too (but VERY unlikely).
    Please do correct me if I'm wrong.

    Hm, nothing sensitive on my machines.

    ~Aeny
     
  9. baii

    baii Sone

    Reputations:
    1,420
    Messages:
    3,925
    Likes Received:
    201
    Trophy Points:
    131
    I see no reason to over-stress if there is no sensitive info; I haven't heard of malware/viruses cooking hardware for the last 10 years...
    Doing an image recovery/Windows reinstall is probably less work compared to being paranoid about "protections" imo. (Yes, clicking "allow" every 2 seconds drives me crazy.)
     
  10. Aeny

    Aeny Notebook Consultant

    Reputations:
    110
    Messages:
    169
    Likes Received:
    93
    Trophy Points:
    41
    Strangely I don't have to click yes/allow every 2 seconds. The only thing that prompts me is UAC about twice a day. What prompts are you talking about? I just like working with security related products provided they don't make my laptop feel slow. If you want to call a little extra security paranoid or over stressing that is entirely up to you. I do agree my config is overkill though. And since OP doesn't say what his config is I can't judge on that.

    Just to clarify: I nowhere stated that OP should copy my config. But if OP is worried he may take a look into EMET.
    ~Aeny
     
  11. Peon

    Peon Notebook Virtuoso

    Reputations:
    406
    Messages:
    2,007
    Likes Received:
    128
    Trophy Points:
    81
    Zero day exploits aren't that rare. For example, the latest version of Java at this time, Java 7 Update 11, has a zero-day exploit which has been known pretty much since the day it was released 2 weeks ago. Update 11 was released to fix another zero-day exploit in Update 10, but only fixed the symptoms rather than the root cause, leaving other vectors of attack open. On top of that, Oracle is taking their sweet time in providing a fix this time.

    Adobe has had such debacles in the past with regards to Reader and Flash Player too - anytime you deal with third-party plugins, you're subjecting yourself to a lot of risk, even if your OS and browser are secure.
     
  12. Pirx

    Pirx Notebook Virtuoso

    Reputations:
    3,001
    Messages:
    3,005
    Likes Received:
    416
    Trophy Points:
    151
    No, you need to be careful to understand what it is you are talking about. What you discuss above are vulnerabilities, what I was referring to are exploits. How many people do you know that have been hit with an exploit to the above vulnerabilities? This is what I was talking about. I repeat: The probability of being hit by a zero-day exploit is astronomically small. It hardly happens ever.

    P.S.: Oh, and pretty much the only protection at all against such exploits is proper low-level OS security. In that respect (w.r.t. zero-day exploits), any kinds of anti-this-or-that software people seemingly love to jam into their systems are just about as close to useless as they come. UAC alone is probably worth more than any number of "security" packages that you would even be able to cram into your PC.
     
  13. CoolMod

    CoolMod Notebook Consultant NBR Reviewer

    Reputations:
    155
    Messages:
    104
    Likes Received:
    0
    Trophy Points:
    30
    I use NoScript myself...seems to have worked so far.
     
  14. Pirx

    Pirx Notebook Virtuoso

    Reputations:
    3,001
    Messages:
    3,005
    Likes Received:
    416
    Trophy Points:
    151
    I use nothing...seems to have worked so far for me, too. Over more than ten years, and several PCs.
     
  15. Aeny

    Aeny Notebook Consultant

    Reputations:
    110
    Messages:
    169
    Likes Received:
    93
    Trophy Points:
    41
    So you have UAC turned off, Windows Firewall off, Defender off, DEP off, and no 3rd-party programs related to security? What is 'nothing'?

    ~Aeny
     
  16. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    It shouldn't be resource heavy.
    If worried about browsing based threats, use free Sandboxie to contain all browsing.
    Firefox isn't using sandbox features like IE or Chrome, but add-ons like an adblocker and especially NoScript can block the occasional drive-by download.
    Take a look also at the Microsoft program Enhanced Mitigation Experience Toolkit (EMET); it offers several methods to harden your OS and programs.
    Do you use Returnil atm or something similar?
     
  17. Pirx

    Pirx Notebook Virtuoso

    Reputations:
    3,001
    Messages:
    3,005
    Likes Received:
    416
    Trophy Points:
    151
    Should be obvious from the context. Nobody in his right mind who knows the first thing about Windows security would turn off UAC, Windows Firewall, or DEP. Why in all the world would I do this in a sane mind? So it's MSE only, using IE, mostly, rarely Chrome. No Firefox here.
     
  18. Aeny

    Aeny Notebook Consultant

    Reputations:
    110
    Messages:
    169
    Likes Received:
    93
    Trophy Points:
    41
    Okay, relax, I've never seen a question kill someone :D. Just wondering about the exact config you were running. I'm pretty sure that (stock) setup and some common sense can keep you safe :thumbsup:.

    ~Aeny
     
  19. Peon

    Peon Notebook Virtuoso

    Reputations:
    406
    Messages:
    2,007
    Likes Received:
    128
    Trophy Points:
    81
    I do all of my web browsing in Firefox running inside a Linux VM. At first I assigned 2 GB of RAM to the VM, but found that I was hitting swap frequently enough to be annoying. 3 GB was better, but I was still hitting swap occasionally.

    As for why Firefox, it's mostly because of extensions. I have yet to find a Chrome mouse gesture extension that's as powerful as FireGestures...
     
  20. GoldenTiger

    GoldenTiger Newbie

    Reputations:
    0
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    5
    I'd say putting in my credit card info to buy something is sensitive enough, let alone having a keylogger capture my emails and other logins. Only a fool would run with no protections nowadays, but it doesn't take much to protect yourself. Having a credit card stolen, or your ID stolen, or work info, etc. is plenty sensitive. As far as clicking "allow"? I get prompted maybe 1-3 times a day with several hours of use on my main workstation. Something's wrong with your setup.

    I just run MSE/Windows Defender and MalwareBytes Pro along with the standard Windows firewall, DEP, UAC, etc. etc. myself... and negligible resources are consumed. I work as a game dev, doing 3d modeling, coding, sculpting, texture painting, and more... and I'm calling it negligible. I just can't help but boggle when people say "Oh, an antivirus/malware will slow me down too much, oh, UAC is annoying...".
     
  21. Apollo13

    Apollo13 100% 16:10 Screens

    Reputations:
    1,432
    Messages:
    2,578
    Likes Received:
    210
    Trophy Points:
    81
    Mostly, common sense. Avoiding sites that give things away for free that shouldn't be free, and the dark underbelly of the Internet.

    Secondarily, keeping mostly up-to-date. I prefer to give the final approval for updates myself rather than auto-update, since sometimes the latest update is worse than the old one, but am generally pretty close to the latest version.

    Thirdly, having a router firewall, and behind that, MSE and Windows Firewall. The latter two I do occasionally disable to avoid conflicts with software, but are on most of the time. The goal, of course, is that nothing gets further than the router's firewall that isn't supposed to.

    Oh, and also keeping different passwords for sites in which I care about the security (if it's a forum I signed up for once, who cares?), and generally keeping them as strong as the site allows. Nevertheless, there are far too many sites that limit you to 16 or 20 letter passwords. IIRC Amazon is one of the 20-letter ones - I had a terrible time with my password there until I realized it was silently truncating it to 20 letters. And really, I'd rather have a longer password on a site like Amazon.

    Finally, I don't back up my data onto cloud services. The non-sensitive stuff wouldn't be a big deal. But I don't trust them enough to dump all of My Documents onto the cloud. In addition to the possibility of a cloud provider being hacked, some of them (such as DropBox) have back doors intentionally built in so that they or governments can access your data if they get suspicious. I don't have anything that could get me thrown in the slammer, but that doesn't mean that everyone with access to that back door is trustworthy, or that someone who isn't supposed to have access to that back door won't get access to it some day. Really, this means I probably shouldn't GMail everything I do, but I got too used to GMail years ago, and at least they don't have everything in My Documents.

    Despite UAC's theoretical benefits, I still can't believe in its practical value. In all the time that I've used Vista and Seven (the latter primarily at work), I've yet to receive a UAC prompt asking about something that I didn't want to happen - it's always been asking "Cancel or Allow?" about something that I really did want to happen. So practically, it's been just like it's depicted in the Apple ads. But rather than buying an overpriced Mac, I've simply either disabled UAC whenever possible, or stuck with XP.

    A few simple changes would make UAC a lot more tolerable. The most obvious is a "remember this choice" option. If I have a program that I always want to run as admin, and it always is triggering a UAC prompt, then I'd be just fine with trading a tiny bit of security for not having to confirm every time that yes, I do actually want to run this program that I start up 25 times a week. Just because it was made before Windows Vista existed doesn't mean I don't need to use it. Instead, I either turn off UAC whenever possible, or run XP instead. Since 80% or more of the time I see a UAC prompt, it's for a program that I run often, this would do an awful lot to reduce alert fatigue and make me inclined to put up with it the rest of the time.

    VirtualStore is another security-minded feature that's more trouble than it's worth for me. I get why it protects C:\Windows. But since I actually do mess with program files on purpose, it's a pain for C:\Program Files. Thus, I've taken more and more to simply installing software somewhere other than C:\Program Files and thus avoiding VirtualStore.

    I run as an admin since I tend to be installing software and doing other admin-y activities very often. I could probably get by as a regular user, but since I'm not running into any problems as-is, I see little reason to switch and annoy myself more. I've also always been an admin at work... but again, it's been situations where I likely would've been calling someone up in IT every other day or more if I wasn't.

    ---------

    But of course, my practices are not in line with what security experts would recommend (aside from the passwords), and are not advisable for the general populace (let alone those who get viruses semi-regularly as-is). I've studied how these exploits work, and have done some projects in coursework that take advantage of vulnerabilities... but I'd rather go for a "good enough" balance than a "gold standard" balance that has a lot of overhead. Kinda like I'd rather take a train from DC to New York than take a plane and have to put up with the hassle of all the security at airports.