I messed up

I meant some kind of an infostealer that pulls out cookie sessions and maybe passwords from the browsers

The answer is again pretty easy. Don't install anything like that. Stick to reputable software from reputable sources and you have very, very good odds of never coming in contact with malware. That and your browser is sandboxed these days. So, there would need to be a whole chain of exploits for this sort of stuff to be something that keeps me up at night.

(No, you're not going to be hit with malware from visiting 'dodgy' sites. Not these days and it's even less likely with Linux.)

The permissions system helps keep you safe. You first need the password to set the executable bit and you must have permission to do so. This sort of stuff helps a great deal at keeping you secure. You just have to use those tools to your advantage.

I usually spend some time researching before installing anything - and I install all sorts of stupid stuff.

If I've installed something without a lot of background information, I tend to let it run for a while while watching for strange behavior and I'll also take a look at what's happening on the network to see if it's calling home or making any unusual requests.

But, I don't really worry too much about it most of the time. I only put that much effort in when I have a reason to do so.

Your best security tool is in between your ears.

Your worst security tool is sitting in your seat.

We are our own worst enemies, I suppose. Still, be cognizant and prudent in your computational decisions. Being alert is likely to be your best asset. You should be able to (reasonably) understand everything your computer is doing. If it's doing something you don't recognize, find out what it is doing.

For example...

Look in your running processes list and make sure you can identify all of them, for example. If you see a running process that you don't understand, look it up online. Odds are that it's a harmless background process (or similar) but look it up and confirm that.

Assuming I'm home, I don't have much to worry about regarding that evil maid. I do lock my devices if the house is going to be empty. I don't worry about my guests too much 'cause they don't know anything about Linux.
 


(No, you're not going to be hit with malware from visiting 'dodgy' sites. Not these days and it's even less likely with Linux.)

Right, I am aware of my limitations in knowledge, still being a standard user, how about the XSS exploit? Still possible on the web? Not that I was commenting under random blogs, but I am just aware of this, heard about it last year, a malicious code injected into the comment box and when the person posted their comment, a malware pulled out some info sending it to the hacker.
New exploits are being found every day and for me it is hard to predict what is possible and what isn't in the cyber world.
That sandboxing within browsers sounds promising. I have heard this for Brave, not sure whether other browsers have it. Edge came with a new feature of malware recognition and stops people getting affected by scareware, the notorious browser hijacking stuff.
 
how about the XSS exploit? Still possible on the web?

It's possible but isn't going to harm your computer. That's a website hack. That one is pretty solved by sanitizing your inputs.

New exploits are being found every day and for me it is hard to predict what is possible and what isn't in the cyber world.

While true, you'll need a whole chain of exploits and user interaction to compromise your device these days.

(Windows is also quite secure these days. Not that I'm suggesting it.)

That sandboxing within browsers sounds promising.

All the major browsers are, to some extent, sandboxed these days. Firefox is a bit different in that trusted code isn't sandboxed but untrusted code is sandboxed.
 
It's possible but isn't going to harm your computer. That's a website hack. That one is pretty solved by sanitizing your inputs.

Harming a computer is one thing, having my logins and data sent to wherever is another, and both bother me as risks. What do you mean by sanitising inputs?
 
What do you mean by sanitising inputs?

If you run a website that has places where a user can enter data, be sure to strip out any unnecessary symbols that might count as syntax. It's something a developer does to a site, not something you do on the user end of things. That's how you prevent XSS attacks. You strip out things like brackets so that your site isn't exploited.
 
If you run a website that has places where a user can enter data, be sure to strip out any unnecessary symbols that might count as syntax. It's something a developer does to a site, not something you do on the user end of things. That's how you prevent XSS attacks. You strip out things like brackets so that your site isn't exploited.

I see. It isn't me who runs the site, it is the comments section that other websites have and users by entering their comments launched some kind of info stealer in their browsers or something when commenting on affected blog.
 
I see. It isn't me who runs the site, it is the comments section that other websites have and users by entering their comments launched some kind of info stealer in their browsers or something when commenting on affected blog.

Pretty much - but your browser can/does do something to help. At least the major browsers do. They use something called a content security policy that makes XSS attacks much harder to pull off. They haven't really been a major problem for a while now.

Some of the more obscure browsers don't do anything at all which is yet another reason for web developers to sanitize their inputs. That should be something ingrained in you, if you're a web dev. It's something you should automatically do. I think there are even various libraries that will do it for you.
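
The developer-side handling of comment input discussed in the posts above, as an added example that is not part of the thread. It goes slightly beyond the bracket stripping mentioned there by encoding the comment when it is written into the page, and it shows a Content-Security-Policy header, which the site sends and the browser enforces. All function names and sample comments are hypothetical and constructed for illustration.

```javascript
// Added example, not from the thread. All names here are hypothetical.

// Characters that can change how the browser parses HTML, mapped to inert entities.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode on output: the comment is stored as typed and made inert when placed in HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The "strip out brackets" approach, kept only for comparison.
function stripBrackets(text) {
  return String(text).replace(/[<>]/g, "");
}

// Render one comment. The author lands in an attribute, the body in element text;
// both are encoded, so quotes and brackets in either place stay plain text.
function renderComment(author, body) {
  return `<article class="comment" data-author="${escapeHtml(author)}">` +
    `<p>${escapeHtml(body)}</p></article>`;
}

// Second layer: a response header sent by the site. A browser that enforces it
// refuses inline scripts and scripts from other origins even if encoding is missed.
const CSP_HEADER = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "base-uri 'none'",
].join("; ");

// Constructed sample comments: ordinary text with brackets, then markup.
const SAMPLES = ["if a < b and b > c it works", "<script>alert(1)</script>"];

// Compare both approaches on the samples: stripping damages honest text,
// encoding keeps every character visible and none of it active.
function compareOnSamples() {
  return SAMPLES.map((s) => ({ stripped: stripBrackets(s), encoded: escapeHtml(s) }));
}
```

Stripping alone leaves quote characters untouched, which matters when a value is written into an attribute; `renderComment` encodes them as well.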
 


