Re: [LUG] Secure web browsing with live distro

On Thursday 05 July 2007 13:21, Simon Waters wrote:
> Tom Potts wrote:
> > My ADSL router doesn't allow control from the WAN side (unless I tell it
> > which restricted IPs can) - so the only way to control it is from the
> > internal network. If they've got access my password could take 400 million
> > years to crack and still be useless.
>
> Since I was discussing Javascript that runs inside the network, the WAN
> interface restriction is irrelevant, because this is precisely what is
> being bypassed.
>
> If you allow Javascript, you better be sure that anything with a web
> interface for configuration on your network has a password that isn't
> the default for that device.
>
> I suspect we need to stop Javascript from accessing other websites (or
IIRC, JavaScript should by default be restricted to the originating domain - i.e.
anything from offsite.org should not be able to access anywhere.onsite, so
visiting anywhere out of the LAN should not be able to access anywhere within
the LAN. Should!
> place some other restriction on this), to stop this class of problems.
> I'm surprised the spammers haven't hit on this one more for other
> purposes, but they are having more fun sending fake greeting cards this
> week.
>
> > Now where did I write that down..or is it an office wide generic so
> > you have to change everything every week?
>
> It really doesn't matter - as long as it is not the default. I agree
> there are fundamental issues with relying on passwords, but that said, a
> default password has almost no security value at all (possibly negative
> value since it stops legitimate access but the bad guys all have lists
> of default passwords); a badly chosen password is far superior to a
> default password.
I feel that if these devices are of any real importance then they should be
set up or configured in a way that means the password is irrelevant.
A borked browser should not be able to even try to gain control, and if
something does, a lot of lights should start flashing and alarms go off.

It's nice to be able to configure your work router or firewall from home or
anywhere on the network, but you can set yourself up to do it in a way that
largely prevents unauthorised access: DMZs, subnets, restricted IPs, dial
back, encryption etc.
And never through a Windows box 'cos it might have been compromised!
But there's no reason why an unauthorised intruder should even be able to find
it.
Tom te tom te tom


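As an added illustration of Tom's point about restricted IPs and alarms (example code written for this archive page, not from the thread): a small log check that flags any host outside an assumed admin subnet reaching the router's web interface, so a LAN browser driven by a hostile script trips an alert even though the router's own WAN-side restriction is never touched. The admin subnet, addresses and syslog-style line format are all constructed assumptions.

```python
import ipaddress
import re

# Assumed layout, constructed for this example: the router/firewall web
# interface is 192.168.1.1 and only the admin subnet may reach it.
ADMIN_NETS = [ipaddress.ip_network("192.168.10.0/24")]
MGMT_HOSTS = {ipaddress.ip_address("192.168.1.1")}
MGMT_PORTS = {80, 443}

# Constructed syslog-style firewall line format (hypothetical, not a vendor's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def check_line(line):
    """Return an alert dict if a non-admin host touched the management
    interface, else None. Dropped attempts alert too: something inside
    the LAN tried, and that is the event worth investigating."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    if dst not in MGMT_HOSTS or int(m["dport"]) not in MGMT_PORTS:
        return None  # not traffic to the management interface
    src = ipaddress.ip_address(m["src"])
    if any(src in net for net in ADMIN_NETS):
        return None  # permitted admin host
    severity = "high" if m["action"] == "ACCEPT" else "medium"
    return {"ts": m["ts"], "src": str(src), "dport": int(m["dport"]),
            "action": m["action"], "severity": severity}

def scan(lines):
    """Run every line through check_line and keep the alerts."""
    return [a for a in map(check_line, lines) if a is not None]

# Constructed sample log: an admin session, a LAN workstation's browser
# hitting the router (what injected JavaScript would look like), a dropped
# attempt from another workstation, and an ordinary outbound web request.
SAMPLE_LOG = [
    "2007-07-05T13:21:01 ACCEPT TCP 192.168.10.5:51000 -> 192.168.1.1:443",
    "2007-07-05T13:21:07 ACCEPT TCP 192.168.1.50:49152 -> 192.168.1.1:80",
    "2007-07-05T13:21:09 DROP TCP 192.168.1.51:49153 -> 192.168.1.1:443",
    "2007-07-05T13:21:12 ACCEPT TCP 192.168.1.50:49154 -> 203.0.113.10:80",
]

for alert in scan(SAMPLE_LOG):
    print(alert)
```

An ACCEPT from a non-admin host is rated higher than a DROP because it means the restriction Tom describes is not actually enforced at the firewall.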
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html