Computer help forum: Site Risk Question

In addition, what you really need to watch out for are third party advertising systems. Someone might compromise the ad server that is linked to on a Facebook page, and make it serve up rigged ads designed to hit people with drive-by style infections. This is why I tend to say it is not safe to use IE for anything more than isolated sites which absolutely require Internet Explorer to work, and you cannot find a single other site on the whole of the Internet that offers this particular content/service. There are so many third party elements to different websites these days, that any would-be ne'er do well would have a half dozen different avenues of attack at least.

For that matter, I wouldn't even trust something like Firefox without the NoScript extension. Chrome has NotScript which is maybe 75-80% of NoScript, but Chrome (last I checked) still lacks the one critical element of allowing the extension to interrupt the browser's rendering engine and basically block some bit of the page from actually loading. That is pretty much the failing of every other web browser out there. NotScript for Chrome will basically cause the page to be reloaded after it's loaded the first time, then strip out all the scripts, but by then it could already be too late.

I will say that it is far less likely anything bad will happen on well respected sites, but again you have to understand that there are a lot of things going on behind the scenes which are not under the direct control of the company behind that website. Looking at my NoScript listing just for these forum pages, Cnet has scripts being loaded from Google, Twitter, crowdscience.com, gigya.com, and scorecardresearch.com not counting the three separate domains under the CNet/CBS aegis. So by coming to Cnet's website here, without something like NoScript to block those scripts from loading, you are trusting at least 5 different companies, probably without even knowing it. Google probably does a pretty good job keeping its systems secure, but I've never heard of crowdscience.com, gigya.com, or scorecardresearch.com myself, so how do I know how seriously they take their security? For all I know, any one of those domains could have been compromised months ago, and they don't have anyone on staff who knows enough to spot the telltale signs. It's something you need to keep in mind along with everything else. Especially since most people are under the mistaken impression that their AV program or firewall program will protect them from this sort of threat.

Thank you for the info. Along that same line of question, is it possible to embed malicious programs or scripts into image, audio or video files and then upload them to these sites? Common sense tells me the sites should have safeguards against that, but sometimes common sense seems lacking these days. Also in your opinion what protection is the most effective?

That's the short answer.

Some years ago embedding viruses into images in emails was a common occurrence, and I assume that was also possible in malicious web sites, or as Jimmy says, in 3rd party advertising. Example discussion in the link below about 'the vulnerability';
http://mybroadband.co.za/vb/showthread.php/102131-Trojan-embedded-in-a-JPEG

I haven't heard of malware embedded into video or audio files, but I am not prepared to say it can't happen. However, disguising a virus file as a video is common. As an example, you get offered a link in Facebook to the "latest video of {whatever}". You click the link and instead of seeing a video you see a web site with a blank video display and malware has been installed.

Jimmy's NoScript Firefox browser protection is what I use. I know he has others as well, but I also use AdBlockPlus, and WOT in Firefox. I don't use Internet Explorer except on the odd occasion when required. Then I am extremely cautious.

Mark

It is possible, and for a brief period a few years back people were distributing boobytrapped WMV files since MS made it possible to embed scripts into the file. The idea was to make it possible to do something like a DVD menu, some kind of basic interactive content, but MS got a little more than they bargained for, just like with Autorun.

"Another bothersome and worrying trend is for popular mail sites such as Yahoo and Hotmail to be hacked. Happened to me only a few days ago. Someone got into the mail from both India and Japan. Yahoo picked up on it right away and denied access. But, It meant I had to spend time putting additional security measures in place.
I don't keep anything sensitive on my mail server and neither should you. I gather these hackers are after your mail list so they can try to hack that. Frustrating!!"

How did you know? I don't have my own mail server, but I also didn't have an ISP when I first got back to computing after a lengthy illness so I used both the school's and a friend's. At the time, that precluded having my own email address so I went for both Hotmail and Yahoo (Gmail didn't exist at the time.) All of these things have now changed but I still use both Hotmail and Yahoo. So how could you tell if "Someone got into the mail...?"