WikiLeaks documents show governments couldn't penetrate Comodo Internet Security

Discussion in 'privacy technology' started by blacknight, Nov 28, 2014.

  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The title is misleading and very much an exaggeration. It applies to FinFisher malware, created and sold by a company to specific governments and other entities. The documents don't apply to other government malware.

    Exaggerations aside, I suspect a well configured HIPS will defeat a lot of government malware. Much of that malware depends on Windows allowing unknowns to execute, or at the very least, that system components such as rundll32.exe will be allowed to execute any command it's given. A security package that interferes with that assumption can stop a lot of malware, including that used by governments. That aside, it's good to see that Comodo does interfere with their crapware. Of course, the results will depend greatly on how Comodo (and other security apps) are configured. They're only as good as the rules they enforce.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Better is just not using Windows ;)
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I suspect that they can target and compromise Linux almost as easily as they do Windows. In this regard, Linux is where Macs used to be. Just because no one was writing malware for them, they were regarded as secure. In reality, it just wasn't profitable to target them. OTOH, Windows has been known to be vulnerable for a long time. Because it was known, all kinds of security tools have been created for Windows, some of which are very good. For most, there are no Linux equivalents because no one felt that they were necessary. As far as I know, there's still no such thing as a firewall that can make rules for individual applications, just as there's no realistic way to control parent-child interactions between permitted applications. I suspect that the Linux community is going to learn the hard way that they're not as secure as they think they are.
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Not so sure. HIPS settings can make the difference, but I believe that governments use more sophisticated malware and techniques, such as hardware rootkits, hardware implementations by producers, backdoors... do you remember Joanna Rutkowska's old Blue Pill?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    More or less, I agree with that assessment. The NSA and their ilk certainly can. But the FBI only went after Windows users in their Freedom Hosting exploit. So avoiding Windows at least reduces risk.
    Again, I agree. There is work to be done.
    Well, one can run key applications as specific users, and specify iptables rules by userid. Maybe there's more. It's not been a major focus for me.
    Yes, probably so :(
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the hardware or firmware is compromised before you get the equipment, it won't matter what you use. You've already lost. As for infecting the hardware or firmware after you get it, rootkits and firmware still require the execution of some form of installer, which can include the malicious use of legitimate system components. Both of these can be defeated with available tools. Zero-day exploits, undocumented APIs, and designed backdoors can be another issue, but they'd have to want you pretty bad to risk using them.
     
  8. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    What sort of rules do you mean?
     
  9. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Do you think that there's any sense in using the linux version of Comodo's AV to protect against this sort of government spyware?

    As far as I know, it is very difficult to surreptitiously install malware on a Linux system, short of Flash/Java exploits, which NoScript should do a good job of preventing, and using VMs limits the impact of anything. How do you think it would even be possible to infect a Linux user with FinFisher if they were the explicit target of gov't surveillance? I mean, as long as you stay away from child porn sites and the Silk Road or whatever, I don't see many possible attack vectors (short of physical access).
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It does look like FinFisher can infect Linux. Adblock Plus and NoScript would protect. For high-risk activity, read-only LiveCDs would be prudent. Maybe anti-malware apps would help too. AppArmor and SELinux too, and iptables rules.
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Yes, it is what I wanted to point out.

    Sure, with very restricted security policies and much care in giving permission for new activities (installing...). Not all and not always, I believe. :(

    Naturally. I was talking about the general and "absolute" effectiveness of HIPSs. Good for Comodo anyway.
     
  12. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Right, I understand and implement all of those. What I'm asking is what are some ways a government could infect someone that they were specifically after?

    Obviously, visiting nasty illegal sites makes a drive-by download of a trojan possible, opening email attachments or clicking on links from an email is another way, and physical access is a third. All of these are fairly easy to avoid. So if, theoretically, you were a government trying to infect a Linux user and couldn't use any of those methods, are you pretty much stuck, or is there some other possible vector?
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Traffic rules that can be made port, protocol, and address specific on a per-application basis.
    That's the hard part, the attention to detail when creating the policy, then making certain that you and your system adhere to that policy. System components like Rundll32.exe, Svchost.exe, Cmd.exe (or Command.com) need close attention. The default rules for many firewall/HIPS bundles are far too permissive with these. A HIPS that has the ability to whitelist specific command line parameters can close that weakness. Scripts and batch files are another area that needs close attention.
    I'd be worried about them gaining physical access, either directly or by paying or blackmailing someone else to do it and using a malicious USB device. Another possibility is a targeted MITM attack that utilizes an unpatched vulnerability. They collect those things.
     
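Added example (not from any poster in the thread, and not modelled on any particular HIPS product): the kind of rule the post above describes, where abused system components such as rundll32.exe, cmd.exe and script hosts are only allowed to run with pre-approved command lines, optionally only from expected parents, and anything else is denied. The policy entries, image names and process-creation events below are constructed for illustration.

```python
"""Command-line whitelisting for abused system components (HIPS-style).

Added example, not from the thread or any particular product. It models the
rule described in the post: rundll32.exe, cmd.exe and friends may only run
with specific, pre-approved command lines (and, optionally, only from specific
parents); anything else is denied. All events and rules below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    # Regexes are matched against the full command line, case-insensitively.
    allowed_cmdlines: List[str]
    allowed_parents: Optional[List[str]] = None  # None = any parent is fine


@dataclass
class Event:
    image: str     # path of the new process image
    cmdline: str   # full command line as launched
    parent: str    # image of the process that launched it


# Constructed policy. Keys are normalised (lowercase basename) image names.
POLICY: Dict[str, Rule] = {
    "rundll32.exe": Rule(
        allowed_cmdlines=[
            # Only shell32.dll from system32 (or bare name), and only two
            # named entry points. A DLL from a user-writable path never matches.
            r'^(?:"?[a-z]:\\windows\\system32\\)?rundll32\.exe"?\s+'
            r'(?:"?[a-z]:\\windows\\system32\\)?shell32\.dll,(?:Control_RunDLL|OpenAs_RunDLL)\b',
        ],
        allowed_parents=["explorer.exe", "control.exe"],
    ),
    "cmd.exe": Rule(
        # Interactive shell only: no /c or /k payload, and only from the shell.
        allowed_cmdlines=[r'^"?(?:[a-z]:\\windows\\system32\\)?cmd\.exe"?\s*$'],
        allowed_parents=["explorer.exe"],
    ),
    # Script hosts: an empty whitelist means "never", regardless of parent.
    "wscript.exe": Rule(allowed_cmdlines=[]),
}


def normalise(image: str) -> str:
    """Lowercase basename of a Windows or POSIX style path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decide(policy: Dict[str, Rule], event: Event) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: ALLOW, DENY, or PASS when the
    image is not one of the governed components."""
    name = normalise(event.image)
    rule = policy.get(name)
    if rule is None:
        return ("PASS", "image not governed by command-line rules")
    parent = normalise(event.parent)
    if rule.allowed_parents is not None and parent not in rule.allowed_parents:
        return ("DENY", f"{name} launched by unexpected parent {parent}")
    for pattern in rule.allowed_cmdlines:
        if re.search(pattern, event.cmdline, re.IGNORECASE):
            return ("ALLOW", f"command line matches whitelist for {name}")
    return ("DENY", f"command line for {name} not whitelisted")


if __name__ == "__main__":
    # Constructed process-creation events, from benign to suspicious.
    samples = [
        Event(r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll", "explorer.exe"),
        Event(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Users\Public\upd.dll,Start", "explorer.exe"),
        Event("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", "winword.exe"),
        Event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", "explorer.exe"),
        Event("wscript.exe", "wscript.exe invoice.js", "explorer.exe"),
        Event("notepad.exe", "notepad.exe notes.txt", "explorer.exe"),
    ]
    for ev in samples:
        verdict, why = decide(POLICY, ev)
        print(f"{verdict:5} {ev.cmdline!r}: {why}")
```

The deny-by-default per component is the point: the whitelist names what these binaries are legitimately used for on the machine, so a "living off the land" launch (a DLL from a user directory, a cmd.exe /c payload, any script host) fails even when the attacker never drops an unknown executable. The parent check is the same idea applied to the launcher.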
  14. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Compared to modern Mac and Windows though, both of which are targeted more and have more exploits to take advantage of in bulk, Linux and BSD are a lot better contenders. Nothing is perfect though, and yeah, if you're targeted specifically, it doesn't matter what you use. Personally, I've been moving all my machines running proprietary OSes to Linux. The ability to update all installed packages from a command is something I like. There are ways to lock a Linux machine down, even hardened kernels and distros. It's not all security through minority.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm surprised that governments haven't set up fake repositories and used MITM attacks to steer targeted linux/BSD users to them.
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    That is where the partition of trust comes into play I think. The updates MUST pass the PGP signature to be used/included for delivery. For that to take place the actual private key (full set) would need to be "taken" before you could sign the trust issue on the linux machine.

    On this issue Linux smokes Windows security.
     
  17. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    https://wiki.debian.org/SecureApt (that's just for Debian, I'm not sure with other distros and their other package managers and repos)

    As with any OS, I stand by that the web browser is the weakest link, and that'd probably be the method for most MITM.

    As mirimir said, for high-level stuff, it'd be verified file-hashed live CDs. I'd just argue though, unless your entire computing life is on a live CD, you're always going to be relying on something run from a hard drive. And if that thing with a hard drive is connected to the web, well... That's why forums like this exist.

    edit

    Honestly, I'm just waiting for the days they start sending drones like http://www.computerworld.com/articl...d-drones-get-x-ray-vision-through-wi-fi-.html out to addresses that have had VPN/Tor connections.
     
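Added example (not Debian's code and not from any poster) for the fake-repository question above and the SecureApt link in the reply: apt trusts a repository's Release file only after its OpenPGP signature verifies (the InRelease / Release.gpg check, which needs gpg and the distribution's keyring and is not reproduced here). From a verified Release file everything else is pinned by hashes: Release lists the hash and size of each Packages index, and Packages lists the hash and size of every .deb. A fake mirror reached by MITM can serve a modified index or package, but cannot make it match the signed Release file. The Release text, Packages index and .deb bytes below are constructed in-process.

```python
"""SecureApt-style hash chain check (added example, not Debian's code).

Release (signed) -> Packages index (hashed in Release) -> .deb (hashed in
Packages). verify_chain() assumes the caller has already verified the
Release file's OpenPGP signature; the fixture at the bottom is constructed.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file.

    Fields start at column 0; the hash lines under SHA256: are indented.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in release.splitlines():
        if re.match(r"^\S", line):           # a new field begins
            in_section = line.startswith("SHA256:")
            continue
        if in_section and line.strip():
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages: str) -> Dict[str, Dict[str, str]]:
    """Return {package name: fields} from a Packages index (blank-line separated stanzas)."""
    result: Dict[str, Dict[str, str]] = {}
    for stanza in re.split(r"\n\s*\n", packages.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        result[fields["Package"]] = fields
    return result


def verify_chain(release: str, packages_path: str, packages: bytes,
                 package_name: str, deb: bytes) -> Optional[str]:
    """Walk Release -> Packages -> .deb. Returns None when every link holds,
    otherwise a description of the first link that broke."""
    index = parse_release_sha256(release)
    if packages_path not in index:
        return f"{packages_path} not listed in Release"
    digest, size = index[packages_path]
    if len(packages) != size or sha256(packages) != digest:
        return "Packages index does not match the signed Release file"
    stanzas = parse_packages(packages.decode())
    if package_name not in stanzas:
        return f"{package_name} not in Packages"
    fields = stanzas[package_name]
    if len(deb) != int(fields["Size"]) or sha256(deb) != fields["SHA256"]:
        return f"{fields['Filename']} does not match Packages"
    return None


# --- constructed fixture: a one-package repository built in memory ---------
DEB = b"constructed stand-in for the bytes of example-tool_1.0_amd64.deb"
PACKAGES = (
    "Package: example-tool\nVersion: 1.0\nArchitecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0_amd64.deb\n"
    f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n"
).encode()
PACKAGES_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Origin: Example\nSuite: stable\nCodename: example\n"
    "SHA256:\n"
    f" {sha256(PACKAGES)} {len(PACKAGES)} {PACKAGES_PATH}\n"
)

if __name__ == "__main__":
    # Genuine chain, then a tampered .deb and a tampered index from a "mirror".
    print(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES, "example-tool", DEB))
    print(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES, "example-tool", DEB + b"\x90"))
    print(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES.replace(b"1.0", b"1.1"), "example-tool", DEB))
```

The part a MITM cannot forge is the signature over Release; the rest of the chain only transports that trust down to the package bytes, so an attacker who controls the mirror but not the archive signing key is limited to serving stale (but genuine) files, which is what "Valid-Until" in Release and apt's own freshness checks are for.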
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    From Snowden's releases, as you say, we know that the key vectors are physical compromise, malicious websites and spearphishing. As long as they don't know your true name and location, physical compromise is impossible (except by an associate who collaborates anonymously, I suppose). For the rest you just follow safe computing practices, using appropriate software. Government TLAs have stronger tools than your typical Russian hacker who wants your credit cards and bank accounts. But there's considerable overlap.
    Well, as noted, there's physical compromise. If you think that you are a suspect, and are under direct physical observation, it's not safe to order stuff online, because it could be intercepted and backdoored. So you need to buy whatever you can on random road trips, from stores in places that you've never visited before, paying cash, and taking only whatever you can walk out with, off the floor, with no back-room delay. Then you need to maintain physical security, ideally to prevent compromise, or at least to detect it immediately. At that point, you'll want to use just LiveCDs, and store stuff encrypted in hidden-service pastebins, or whatever. And you better have a good memory.
     
  20. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    If you want to see something really freaky, look up Van Eck phreaking. It's highly unlikely to be used against you unless maybe you're a Russian spy or Julian Assange, but there's no way to prevent it short of working inside of a lead box
     
  21. 142395

    142395 Guest

    People tend to forget the fact that in a state-sponsored attack, malware is just a part of the attack.

    I know a targeted attack which didn't use malware at all, though it was not state-sponsored. In this case social engineering was good enough to steal account info, and there was not much the victim could do, because the ones who were tricked were not the user but the call operator for his account.

    We security guys may disregard social engineering, as most of it is trivial and can easily be avoided; however, when it comes to advanced social engineering, even a security expert admitted he was fooled. The attacker may pose as your boss, connections, customer, job candidate, media, friend, etc., after thorough research on them, and begins the malicious operation only after trust has been established.

    Preventing physical intrusion is also not trivial unless your office has military-grade security and the level of authentication a CA company has. Why do you think they have such seemingly overkill physical security? When you invite your friend home or ask an electrical contractor to fix something, do you monitor everything he does? Some attacks can be done within minutes, or even seconds; some of Gamma International's tools are actually designed for that.
    And there is always the risk of insider attack, where some reports suggest many companies are vulnerable. In a state-sponsored attack, they may even try to get spies hired at the target company.

    Nobody knows the current espionage techniques or technology those agencies are using; all we can know are the old ones. It was already known in the '90s that they could remotely bug or tap a conversation in a room without placing any device in it, so most Foreign Offices in developed countries fitted special equipment to the office windows. So what can they do now? The info from Snowden was interesting, though some of it was known before the leak; however, we all know it's still only a part of their work.

    Finally, in state-sponsored attacks 0-days are not uncommon. Some attacks don't need the usual execution, though it depends on the definition of 'execution'. You know, the vulnerability in .lnk files where just displaying the malicious icon caused a kernel compromise. Once the attacker gets kernel privilege, he can uninstall security software, and in an APT the attacker usually knows what security software the victim uses, besides details of the system, network and human relationships obtained by other means.
    Also, firmware attacks like BadUSB don't require 'usual' execution.
    Stuxnet used 4 unknown vulnerabilities, but it has been said such attackers keep a bunch of 0-days for future use.
    Also, malicious updates can't be completely prevented by signature checking, as they can 'buy' or steal a legitimate cert.
     
  22. x942

    x942 Guest


    Linux is a different beast altogether. If you want to secure a Linux-based OS, you need to use the tools that are designed for it. For real security use grsecurity, set up and learn how to use RBAC, and use AppArmor to complement it. This is a level of security you can really only get through Linux. I don't know of any proprietary OS that allows you to compile custom kernels with hardening built in. Kernel hardening + a MAC is all you need for tight security. AVs are a warning system and last line of defense. You should always be proactive in security, not reactive. grsecurity not only employs exploit mitigation (and is easy to set up with the autoconfig) but it also allows you to block all USB devices that aren't plugged in on boot. This mitigates BadUSB-style attacks, as the device is just blocked completely; the attempt is also logged so the user knows of the attempted attack.

    Further, don't rely on the computer's firewall only. Sure, set it up, deny incoming, block outgoing apps you don't want with something like douaneapp. That is good, but if you want real security, you should have a perimeter firewall like pfSense or Untangle. Your perimeter should be protected; set up Snort as well on both the WAN and the LAN, so you can block and detect potential attacks. This is also where you want to run an AV. If you are going to rely on an AV, use it here: stop the malware before it can even hit the computer.

    For parental control (assuming that is what parent-child interactions means) there are plenty of tools. Timekpr is one. Again, you are better off enforcing this stuff at the perimeter with web filters and captive portals. Your child signs in to the captive portal; at the end of 'X' number of minutes it logs them out and they can't log in for another 'X' number of hours.

    Just running Linux with no modifications and saying it is more secure than Windows isn't true. Does it do some things better? Yes. But so does Mac, and Windows at other things. Can it be compromised by an attacker? Yes. Sometimes just as easily too. Are you safer in general? Yes, as most malware isn't written for Linux, and because you can stick to the repos (which are signed) you are generally safer than Windows. Against a targeted attack, all three OSes are just as vulnerable unless YOU do something about it as the user.


    TL;DR: Your system is only as secure as you make it. Some systems are better out of the box than others, but without putting the work in you are not getting any real benefit running one OS over another. There may be minor benefits but nothing major that would ward off a sophisticated attack.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    One can run pfSense as a VM, with WAN bridged to eth0/wlan0 and LAN connected to a host-only adapter. You have a perimeter firewall, which is totally portable, but it's running as a VM. How secure is that vs a separate hardware firewall? For mobile users, the alternative would be a small hardware firewall running pfSense. What would be the best device for that?
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @x942
    What you're describing makes a classic HIPS sound simple by comparison. Most people, including many Linux users, don't have that level of knowledge or the time needed to acquire it.

    Regarding the firewall, I wasn't referring to a network firewall. I was referring to the ability to control inbound and outbound traffic for individual applications on a port, protocol, and IP address level. If I want to restrict an application's internet access to a couple of specific IP ranges and only on a specified port, what in the setup you describe can give me that control? If I want to block the next browser version from connecting to IPs that its predecessor used to call home, what is available for linux that does this? Will that setup make it impossible for the browser to bypass a local web filtering proxy? On Windows, a rule based firewall will do. This is as much about privacy as it is security.

    Regarding parent-child, I was referring to the ability of an allowed application to launch another allowed application, like a browser launching a PDF reader or media player. Is there anything that can control the interaction between permitted applications on linux, like the ability to launch, be launched by, the injecting of data, etc, and allow you to specify different settings for each application?
     
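Added example (not from any poster) for the per-application traffic question just above and mirimir's earlier suggestion of running key applications as specific users with iptables rules by uid. The technique: give each network-facing application its own dedicated Unix account, launch it as that user (for instance `sudo -u app-browser firefox`, a hypothetical account name), and match its outbound packets in the OUTPUT chain with iptables' owner match (`-m owner --uid-owner`). Everything the uid is not explicitly allowed is logged and dropped, which gives the port, protocol and address control per application that the post asks for, including forcing a browser through a local filtering proxy. The uids, account names and destination ranges below are constructed; the script renders the rules and also evaluates what they would do to a given packet, so the policy can be checked offline before it is loaded.

```python
"""Per-application egress control on Linux via iptables' owner match.

Added example, not from the thread. Each application runs under its own uid;
rules in the OUTPUT chain match on that uid. The owner match only applies to
locally generated packets, which is exactly the "what may this program talk
to" question. All uids, names and addresses below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Allowed egress per application uid: (protocol, destination CIDR, dport).
Policy = Dict[int, List[Tuple[str, str, int]]]

EXAMPLE_POLICY: Policy = {
    1001: [  # app-browser: only the local filtering proxy, nothing direct
        ("tcp", "127.0.0.1/32", 8118),
    ],
    1002: [  # app-mail: one provider's submission and IMAPS ports
        ("tcp", "198.51.100.0/24", 587),
        ("tcp", "198.51.100.0/24", 993),
    ],
    1003: [  # app-updater: the distribution mirror range, HTTPS only
        ("tcp", "203.0.113.0/24", 443),
    ],
}


def build_rules(policy: Policy, chain: str = "OUTPUT",
                log_prefix: str = "APP-EGRESS-DROP") -> List[str]:
    """Render iptables commands for the policy.

    Order matters: the explicit ACCEPT rules for a uid come first, then a LOG
    and a DROP for everything else from that uid. Packets from uids not in
    the policy fall through to the rest of the firewall.
    """
    rules: List[str] = []
    for uid in sorted(policy):
        for proto, cidr, dport in policy[uid]:
            net = ipaddress.ip_network(cidr)  # validates the CIDR up front
            rules.append(
                f"iptables -A {chain} -m owner --uid-owner {uid} "
                f"-p {proto} -d {net} --dport {dport} -j ACCEPT"
            )
        # Default-deny for that uid, logged: a program calling home to an
        # address it was never allowed shows up in the kernel log.
        rules.append(
            f"iptables -A {chain} -m owner --uid-owner {uid} "
            f'-j LOG --log-prefix "{log_prefix}:{uid}: " --log-level 4'
        )
        rules.append(f"iptables -A {chain} -m owner --uid-owner {uid} -j DROP")
    return rules


def evaluate(policy: Policy, uid: int, proto: str, dst: str, dport: int) -> str:
    """Offline check of what the rendered rules would do to one packet.

    Returns "ACCEPT", "DROP", or "PASS" (uid not governed by this policy).
    """
    if uid not in policy:
        return "PASS"
    addr = ipaddress.ip_address(dst)
    for p, cidr, port in policy[uid]:
        if p == proto and port == dport and addr in ipaddress.ip_network(cidr):
            return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    for line in build_rules(EXAMPLE_POLICY):
        print(line)
    # The browser uid may reach the local proxy, but not port 443 directly,
    # so it cannot bypass the filtering proxy even if it wants to.
    print(evaluate(EXAMPLE_POLICY, 1001, "tcp", "127.0.0.1", 8118))
    print(evaluate(EXAMPLE_POLICY, 1001, "tcp", "93.184.216.34", 443))
```

Two caveats a practitioner would want: the rules are keyed on the uid, so the application must actually be started as that user (a launcher or systemd unit with User= set is the usual way), and this covers the "what may it connect to" half of the question only; which allowed program may launch or inject into which other one is a separate control and not something iptables sees.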
  25. 142395

    142395 Guest

    And you can use Tripwire as a HIDS, use DansGuardian + Squid + ClamAV for web filtering (with URLBlacklist.com) and for HTTP scanning, use ClamFS for limited real-time protection (only for the user dir; and even apply unofficial sigs available from some reliable sources), purge unneeded components and disable unnecessary daemons, regularly scan for rootkits with chkrootkit and rkhunter burned on a CD-R with the necessary commands, besides of course strict AppArmor and iptables rules... but I think most of them, except the last 2, are not effective against APT, nor is Snort.

    Also, actually the last line of defence is AppArmor, as it is not designed to prevent infection but to contain or limit damage.
    I don't know much about grsecurity, but does it also block USB keyboards, since you said it can block BadUSB-style attacks?

    Agreed.
     
    Last edited by a moderator: Dec 4, 2014