Thanks! I didn't take the time to set up Mist, but my understanding is that Mist is especially vulnerable because it's bundled with a wallet and used for browsing DApps, which always require the JSON API to be enabled.
It's not, since Mist (and MetaMask) inject the web3 object into the page; no JSON-API is used. It also displays a confirmation dialog each time a transaction is generated. If setting up Mist is too much trouble to try this, you can always try MetaMask: https://metamask.io/
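The distinction drawn in the reply above, as an added example that is not code from the thread, from Mist or from MetaMask: a DApp page first looks for the provider object the wallet injected, and only a page that finds nothing injected falls back to POSTing JSON-RPC to a node directly. The injected path puts the wallet's confirmation dialog in front of every `eth_sendTransaction`; the direct path gets no prompt at all if the node has an unlocked account. The wallet, the node transport, the page objects and the transaction are constructed mocks, the `localhost:8545` address is the assumed default node RPC port, and names such as `selectProvider` and `makeWalletMock` belong to this example only.

```javascript
// Added example (not from the original thread, Mist or MetaMask): the two
// paths a DApp page can take to an Ethereum node, and why only one of them
// puts a user in the loop. All objects below are constructed mocks.

const LOCAL_RPC_URL = "http://localhost:8545"; // assumption: default node RPC port

// JSON-RPC 2.0 request body, the wire format a page would POST to a node.
function buildRpcRequest(method, params, id = 1) {
  return { jsonrpc: "2.0", id, method, params };
}

// Prefer whatever the wallet injected; fall back to raw JSON-RPC only if
// nothing is there. (Mist/MetaMask of that era injected `window.web3`;
// current wallets inject `window.ethereum`.)
function selectProvider(win, rpcTransport) {
  if (win && win.ethereum) return { kind: "injected", provider: win.ethereum };
  if (win && win.web3 && win.web3.currentProvider)
    return { kind: "injected", provider: win.web3.currentProvider };
  return { kind: "json-rpc", provider: rpcTransport };
}

// Send a transaction through whichever path was selected.
function sendTransaction(selection, tx) {
  const req = buildRpcRequest("eth_sendTransaction", [tx]);
  if (selection.kind === "injected") {
    // Wallet-mediated: the wallet shows its dialog and signs only on approval.
    return selection.provider.request(req);
  }
  // Direct node access: no user in the loop, the node answers immediately.
  return selection.provider(LOCAL_RPC_URL, req);
}

// Mock of an injected wallet provider. This is a synchronous stand-in for the
// Promise-based EIP-1193 `request` API; `decide` plays the user clicking
// Confirm or Reject in the dialog.
function makeWalletMock(decide) {
  const prompts = [];
  return {
    prompts,
    request(req) {
      if (req.method !== "eth_sendTransaction") throw new Error("unsupported in mock");
      prompts.push(req.params[0]); // the dialog was shown for this tx
      if (!decide(req.params[0])) {
        const err = new Error("User rejected the request");
        err.code = 4001; // EIP-1193 userRejectedRequest
        throw err;
      }
      return "0x" + "ab".repeat(32); // fake tx hash
    },
  };
}

// Mock of an HTTP JSON-RPC transport: records what would be POSTed and answers
// as a node with an unlocked account would, with a hash and no questions.
function makeRpcMock() {
  const posted = [];
  const transport = (url, req) => {
    posted.push({ url, body: JSON.stringify(req) });
    return "0x" + "cd".repeat(32); // fake tx hash
  };
  transport.posted = posted;
  return transport;
}

// Constructed transaction: the page asks to move 1 ether out of an account.
const sampleTx = {
  from: "0x1111111111111111111111111111111111111111",
  to: "0x2222222222222222222222222222222222222222",
  value: "0xde0b6b3a7640000", // 1 ether in wei
};

function demo() {
  // 1. Wallet injected, user rejects: nothing is signed and nothing leaves the browser.
  const wallet = makeWalletMock(() => false);
  const rpc = makeRpcMock();
  let rejected = false;
  try {
    sendTransaction(selectProvider({ ethereum: wallet }, rpc), sampleTx);
  } catch (e) {
    rejected = e.code === 4001;
  }

  // 2. Nothing injected, page falls back to a node RPC with an unlocked account:
  //    the same transaction goes straight through.
  const hash = sendTransaction(selectProvider({}, rpc), sampleTx);
  return { rejected, walletPrompts: wallet.prompts.length, rpcPosts: rpc.posted.length, hash };
}
```

Running `demo()` shows the asymmetry: in the injected case the wallet records one prompt and the transaction is refused, while in the fallback case the RPC mock records one POST and returns a hash with no user involvement, which is the "JSON API" exposure the thread is about.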