internet forensicks

darkweb4 darkweb4 at gbronline.com
Fri May 21 19:21:38 CDT 2004


 
----- Message Forwarded on Fri, 21 May 2004 15:22:37 -0500 -----
From: "darkweb4" <darkweb4 at gbronline.com>
To: Kendrick-LUG <kulua at linux2themax.com>
Subject: Re: internet forensicks

> I use Mozilla for most but there are some sites that
> require IE :/  I have made all necessary updates
> including the byte code update and CWShredder etc.  I
> was just hoping to be able to scan the incoming pages for
> various things before it gets to my systems behind the
> firewall, rather than have 2 firewalls.
 
Then adapting your squid settings or updating your hosts
file may be an effective move towards your goal.  This will
help block the sites that attempt the browser hijacks in the
first place.  If these blocking rules (either by squid or by
the hosts file) are kept up they will protect your browser. 

For instance, you block
www.baddy-mean-site-full-of-horny-slu7s-that-hyjack-my-browser.com.
Now, whether or not you try to go to that site by choice, or
by blind link in the future, your browser will default to
127.0.0.1 or maybe a safe page, or a local splashpage saying
"you've been saved brother luser!!"  Your browser will not
download any of the code, good or bad, on that site.  So, it
won't be able to hijack your browser, because you've stopped
the attempt (with squid or hosts) before it started.

Now if those sites that you have to use IE in are bank sites
or commercial sites or hobby sites and they contain code
that is hijacking your browser, I would immediately change
banks, stop buying stuff from them, or change hobbies.  I
would suggest that if you use IE to read an untrusted or
untested site that you scan for malware immediately, just as
if you'd opened a file from an unknown 3rd party.  Yes,
this sounds paranoid, but malware is beginning to become this
much of a problem.  Otherwise, I would use your alternative
browser, and don't browse suspicious looking sites in
windows.  Remember, www.bankusa.com is probably
good... www.naked-girls-on-a-cracker.com is probably not.
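An added example, not part of the original message: one way to keep the hosts-file and squid block rules described above in step from a single blocklist. The function names and the sample domains are constructed for illustration.

```python
import re

# Constructed sample data: placeholder names, not real indicators.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 ads.example.net  # already blocked\n"
SAMPLE_BLOCKLIST = ["Hijack.Example.com", "ads.example.net",
                    "bad_name!.example", "www.hijack.example.com"]

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case a hostname; return None if it is not a valid DNS name."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return name

def hosts_names(hosts_text):
    """Collect every hostname already mapped in an existing hosts file."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])
    return names

def merge_hosts(hosts_text, blocklist, sink="127.0.0.1"):
    """Append sink entries for new names only; hosts matches exact names, no subdomains."""
    present = hosts_names(hosts_text)
    added = []
    for raw in blocklist:
        name = normalize(raw)
        if name and name not in present:
            present.add(name)
            added.append(f"{sink} {name}")
    body = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    return body + "".join(line + "\n" for line in added), added

def squid_dstdomain(blocklist):
    """Build a squid dstdomain list; a leading dot also matches subdomains."""
    valid = {n for n in map(normalize, blocklist) if n}
    kept = []
    for n in sorted(valid, key=lambda n: (n.count("."), n)):
        # Skip a name that a shorter parent entry already covers.
        if not any(n == k or n.endswith("." + k) for k in kept):
            kept.append(n)
    return ["." + k for k in kept]
```

The squid list is meant to be loaded by a `dstdomain` ACL that an `http_access deny` rule refers to; the hosts output needs one line per exact name because the hosts file has no wildcard matching.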



