Approaches to security - do you have one to share?

Discussion in 'other security issues & news' started by Sully, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    True, but usually disabling services is not overly popular here. I love to disable services, and disable as many as I possibly can, but many don't understand them and turn off services based on advice given, and then have a heck of a time figuring out what is going on. So I think that is why it isn't talked about too often here. Besides, other than a dozen or so generic services in win7, many of them need to be on if people use the default settings. I don't, I prefer to march to the beat of a different drum o_O

    Sul.
     
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Hello lunarlander,
    I never heard about that but I would like to learn more. How do I recognize if my system is vulnerable? Any reading you suggest about that subject? Thanks!
     
  3. I call this one the ironclad strategy...

    The OS is Windows 2000 SP4 (Update Rollup 1). It has a software firewall installed - Softperfect in this case, but there might be better ones - and the latest version of Firefox with Noscript. Hitman Pro and some other on-demand stuff is installed, to scan dubious files and in case of actual infection. Current versions of third-party tools are used for almost everything. The only real hardening involved is a) turning off autorun.inf parsing and b) patching the stupid LNK vulnerability. The whole thing sits behind a NAT router.

    The idea is that you know your OS is incurably insecure. So instead of wasting time trying to make it secure, you reduce the exposure of the built-in OS components as much as possible... Like putting iron plates on a wooden-hulled ship. Thus, ironclad.

    Surprisingly, it works pretty well. The machine in question has been set up this way for about a year, and according to a recent scan with a live CD it's still uninfected. I would not trust this setup for surfing known malicious sites, but if you know your way around the computer it can be safe enough for everyday stuff.
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi AlexC,

    When hardening a system, I try to minimize the attack surface. Some services react to input from the network. For example, the Server service, which is responsible for sharing your files (File and Printer Sharing), accepts input from the network. If you don't need the feature, it is best to disable the service. In order for an attack to take place, the hacker must be able to touch something that responds via the network. Then he can send malicious data and maybe cause a buffer overflow, which then executes the payload he sends.

    Some services are there but infrequently used. For example: Secondary Logon. I disable this service because I use a Limited user account for everyday use, and I don't want easy access to an admin account. If a hacker gains a command prompt foothold on the PC, and you have this service running, then he can try logging on as admin all day long.

    My guiding light concept in hardening a system is "least privilege". If you don't use a feature, then disable it. If you have access to something, and your account gets hacked, the attacker also has access to that. And maybe that feature can enable him to further his attacks.

    Open services.msc and click on each service; a short description will explain each one. You can also use blackviper.com to see if a more detailed explanation is available. Also check the service's Dependency tab, as some services are interrelated. If you disable a service and some other service depends on it, then you will be deactivating the related service too.

    If a service accepts input from the network, and you don't need it, then it's a candidate for disabling.
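    As an added example (not lunarlander's own script), this PowerShell audit does the two checks the post describes: which services actually own listening TCP sockets, and what depends on a service before its startup type is changed. It assumes an elevated PowerShell 3 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection); the service names LanmanServer and seclogon are the real names of the Server and Secondary Logon services mentioned above.

```powershell
# Added example (not from the thread): list which Windows services own
# listening TCP sockets, and show a service's dependencies before touching it.
# Needs an elevated PowerShell 3+ on Windows 8 / Server 2012 or later.

function Get-ListeningServices {
    # Services with a live process, indexed by PID. Several services often share
    # one svchost.exe PID, so a port is attributed to every service in that host.
    # Kernel-mode listeners (SMB on 445, http.sys) show as PID 4 / System and are
    # not attributed to any service here.
    $byPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        foreach ($svc in @($byPid["$($conn.OwningProcess)"])) {
            if ($null -eq $svc) { continue }   # socket owned by a non-service process
            [pscustomobject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                ProcessId    = $conn.OwningProcess
                Service      = $svc.Name
                StartMode    = $svc.StartMode
                Description  = $svc.Description
            }
        }
    } | Sort-Object LocalPort, Service
}

function Get-ServiceDependencyReport {
    # What will break if $Name is disabled (DependentServices), and what $Name
    # itself needs (ServicesDependedOn). Check both before changing StartupType.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Service           = $svc.Name
        DisplayName       = $svc.DisplayName
        Status            = $svc.Status
        DependentServices = ($svc.DependentServices | ForEach-Object Name) -join ', '
        RequiredServices  = ($svc.ServicesDependedOn | ForEach-Object Name) -join ', '
    }
}

# Usage: find network-facing services, then inspect the two the post names
# (LanmanServer = Server / File and Printer Sharing, seclogon = Secondary Logon).
Get-ListeningServices | Format-Table -AutoSize
Get-ServiceDependencyReport -Name LanmanServer
Get-ServiceDependencyReport -Name seclogon
# Once satisfied nothing you need depends on it, disable it (shown for seclogon):
# Stop-Service -Name seclogon; Set-Service -Name seclogon -StartupType Disabled
```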
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you want an ironclad defense pull the internet cable out :D
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The first thing I do with a computer is disable unnecessary services. I have all unnecessary ports closed. Just didn't think to mention it.
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks. I'll check viper.com.

    And how about closing or stealthing unnecessary ports? How do you do that?
    Any other methods you use to prevent hackers from gaining access to your system?

    Maybe we can follow the discussion about this subject in this thread:
    https://www.wilderssecurity.com/showthread.php?t=299673
     
  8. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Basically 3 layers:
    - Sandbox the browser (Sandboxie)
    - Light virtualization (always on - except for new installs or any other occasional change)
    - Antivirus (real-time)

    Also:
    Anti-keylogger and imaging.
     
    Last edited: Jun 3, 2011
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Been experimenting with this lately.

    UAC off, logging in as Admin on win7 ultimate.

    Using Chromium as primary browser, forced to Low Integrity Level (also set temp/profile/download directories to Low Integrity as well).

    QTWeb as backup browser with same Low Integrity Level settings.

    Enable 1806 registry value for Internet Zone - set so that any file originating from internet asks if it OK to execute. This way I don't have to "unblock", but it gives me a notice/reminder. Small inconvenience.

    Enable 1806 for Intranet Zone as well, so that files originating from the LAN have same sort of prompt.

    Using Sandboxie to force browsers and media players each into their own box. The only thing allowed to execute and have network access in each box is the respective application along with helper applications like Foxit pdf reader. This eliminates keyloggers etc, eliminates need for firewall for outbound programs, etc. Each sandbox is allowed direct access to the downloads directory, so no recovery is needed. Each browser is told to download everything without question to the downloads directory, so no confusion as to where something went. Chrome automatically appends (1) to duplicate named downloaded files, so I don't have to worry about "overwriting" files that might be named the same (i.e. document1.txt could exist, and a different document1.txt would become document1(2).txt). The Chromium sandbox is used long term, but the QTWeb box is deleted upon closing QTWeb. Using QTWeb for online transactions as this keeps it clean of any unwanted stuff.

    Using Sandboxie to force execution of any file within the downloads directory to a box that allows any process to run, but allows no outbound network access. This allows browsers to download directly to the downloads folder, then allows me to execute downloads via Windows Explorer, all contained within this restricted sandbox. Allows testing in a controlled environment. If a download needs to be kept, copy it to another location or perhaps test in a vmWare box.

    One more sandbox dedicated to "live testing" so that applications that might need network access are allowed to have it. No restrictions really as the box is meant to be deleted often.

    Any remaining applications that might go online and might be exploited would have their own sandbox created for them. This keeps the main method of inbound exploits contained and restricted.

    This leaves me with only one area of real concern remaining, and that would be whether or not to trust downloaded files. While I can examine the sandbox or use vmWare for real testing, convenience says to use a scanner of some sort. For me a scanner is only needed in this situation, so real time scanning is not needed. Perhaps MBAM would be a good scanner to keep around, but what are opinions on which on-demand AV would be best used? Criteria are strict - decent results and very low on system resources. The scanner doesn't have to be perfect; if the scanner finds an FP that is OK to a degree, as I would upload the suspected file to Jotti then anyway to verify. This just saves the uploading step as long as one can "generally" trust the scanner. Any suggestions here?

    Critiques welcome.

    Sul.
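    As an added example (not Sully's own script), this PowerShell applies the two parts of the setup above that are plain Windows configuration, the 1806 zone value set to prompt and the Low integrity label on the browser's profile and download directories, and reads each back so the setting can be audited later. It assumes a Chromium profile under $env:LOCALAPPDATA\Chromium\User Data (an assumed path) and is run as the affected user; the Sandboxie boxes and actually launching the browser at Low IL are not covered.

```powershell
# Added example (not from the thread): set and verify the 1806 zone prompt and
# the Low integrity label on browser directories. $ProfileDir is an assumed path.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone 1 = Local intranet, 3 = Internet. Value 1806 is "Launching applications
# and unsafe files": 0 = allow, 1 = prompt, 3 = block.
$Zones = [ordered]@{ Intranet = 1; Internet = 3 }

function Set-UnsafeFilePrompt {
    # Prompt (1) before running files that carry an Internet or intranet zone mark.
    foreach ($z in $Zones.GetEnumerator()) {
        Set-ItemProperty -Path (Join-Path $ZoneRoot $z.Value) -Name '1806' -Value 1 -Type DWord
    }
}

function Get-UnsafeFilePrompt {
    # One row per zone, for checking that the setting is still in place.
    foreach ($z in $Zones.GetEnumerator()) {
        $key = Join-Path $ZoneRoot $z.Value
        $val = (Get-ItemProperty -Path $key -Name '1806' -ErrorAction SilentlyContinue).'1806'
        $meaning = switch ($val) { 0 { 'allow' } 1 { 'prompt' } 3 { 'block' } default { 'zone default' } }
        [pscustomobject]@{ Zone = $z.Key; Value = $val; Meaning = $meaning }
    }
}

function Set-LowIntegrityDir {
    # A process at Low IL cannot write to Medium-IL directories, so the browser's
    # profile/cache/download folders get a Low label; (OI)(CI) makes children inherit.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
        icacls $p /setintegritylevel '(OI)(CI)Low' | Out-Null
    }
}

function Test-LowIntegrityDir {
    # icacls lists "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)" on a labelled dir.
    param([Parameter(Mandatory)][string]$Path)
    (icacls $Path | Out-String) -match 'Low Mandatory Level'
}

# Usage (assumed paths)
$ProfileDir = Join-Path $env:LOCALAPPDATA 'Chromium\User Data'
Set-UnsafeFilePrompt
Get-UnsafeFilePrompt | Format-Table -AutoSize
Set-LowIntegrityDir -Path $ProfileDir, (Join-Path $env:USERPROFILE 'Downloads')
Test-LowIntegrityDir -Path $ProfileDir
```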
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I like Hitman because it uses multiple AV engines.
    Of course, sometimes I don't even bother scanning the downloaded file if I trust the source.

    You can right-click a file with Hitman and have it scanned.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Alternatively, you can upload it to VirusTotal to be scanned with even more engines. You can try Comodo Instant Malware Analysis or another online sandbox as well.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ Sully

    Forgive me this very boring question. :p Is there any particular reason to use QTWeb web browser, instead of IE or even a different Chromium/Chrome install?

    I came across that name sometime ago. Never really tried it, so far.
     
  13. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    A few days ago, I noticed that when IE9 is running in SandBoxie, the sub-process-IE shows up in SysInternals ProcessExplorer as Medium integrity. Normally, IE9 spawns a sub-process-IE running as low integrity. So when using Sandboxie, you gain a sandbox but lose Protected Mode.
     
    Last edited: Jun 9, 2011
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah, I have done that but if a file is over a few MB, the time spent is annoying to do it very often, what with slow uploads. For small files it works great. I am thinking more along the lines of a super light AV with decent detection that ONLY runs on-demand, as a pre-warning sort of thing to key me in to uploading to an online scanner. Up till now I have just been examining untrusted downloads in SBIE or vmWare.

    @m00nbl00d

    I despise Firefox even though I use it once in a great while. It's a preference thing. I used to really love Opera but have been unhappy with it since it became more of a suite. Again, a preference thing. I had been using Chrome, but really don't like it as well as Chromium, once again due to preference. Maybe I am too picky ;) I used Kmeleon for a long time, and don't mind it, but it has lost my favor. I had been using QTWeb because it is pretty light and for me very responsive. I started using it as my alternate browser for online transactions and things of that nature. No uber-specific and technical reasons, all just what I like or don't. I am simply smitten with Chromium. I find the interface suits me very much, and perhaps it has influenced my likes and dislikes now.

    I would be willing to bet that if that IE process escaped SBIE, it would revert to a Low IL again. I have noticed things working like that in SBIE, although I haven't watched for ILs much. Also remember that SBIE is running at a Med or High IL, so what it starts might just inherit that, not sure.

    Sul.
     
  15. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    @Sully

    In most tests taken by enthusiasts that simply consist of right-clicking and scanning a giant malware collection inside a folder, MBAM and SAS never got good results, maybe because they are designed to detect mostly active malware in the system, and malware that is not already detected by most AVs. About Hitman Pro, I'm under the impression that the scan using the "right-click" also isn't as effective as the normal scan: it seems that most times the file isn't scanned, especially if it is a large file.

    In that kind of test, usually Emsisoft and Avira get very good results. Avira can be installed without the real-time module, but keeping the right-click scan, scheduled scans and automatic updates. Emsisoft doesn't have the option to exclude the real-time module during the install, but if you choose the free license it will be turned off. The right-click scan is present. About automatic updates and scheduled scans I'm not sure, since the menu is greyed out, but they are configured to run at certain times.

    Another option is to force all your downloads to a single folder using a download manager, and in that download manager use some parameter to invoke the AV scanner. Orbit Downloader has that option. I tried to do that with Avast (more than a year ago), but although the Eicar file was detected, it wasn't deleted.

    It would be nice if the AVs didn't only have the option to exclude stuff from the real-time scanner, but also had the "opposite" feature, which would be to place only some designated locations under the real-time guard.

    (sorry for the poor English, hope it's OK enough to be understood :thumb: )
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Malwarebytes always got good results via right-click scans for me.
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    An approach to security I saw in an article at Scientific American was the following:
    Yet another excellent reply to those that harp on about "if you have nothing to hide, ..."

    -- Tom
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    How is that an excellent reply at all? Why would you possibly care about anonymous data that sites might be taking?

    Absolutely ridiculous. If you have nothing to hide it's just that simple -- you have nothing to hide.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sounds like mythical security to me (ability of SBIE to revert to Low-IL). You run without UAC so IE9 will never run low-IL. Why do you run without UAC?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's true. IE Protected Mode is enforced by UAC. I do have a place for IE9 in Sandboxie, though -> Block it. :D (Without having to block in AppLocker. Just for when I need to quickly use it for something.)
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi Sully, when the download is an executable that I am going to run, I usually upload the file to Jotti and VirusTotal, sometimes I also do a HMP scan that usually takes less than 2 minutes. I run the normal scan instead of the right-click scan for the same reason mentioned by AlexC.
    Most of my other downloads are large videos and PDF files; for those files I just let SBIE do the work and never worry about it.

    Bo
     
  22. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Hungry Man,

    The issue is not as you state, simply a matter of nothing to hide.

    So, in other words, you are ok with information being harvested about you in terms of the digital footprint you lay down such that the information can be sold - and consequently, lots of "others" know about your business, eh? Not smart at all on your part!

    If you don't care about your digital footprint - no one else cares about you - and what happens is that you eventually will become the victim of things like missing money from your bank account, identity theft, etc.

    Actually, you may be in the clear - for all we know about you - you may even already have multiple identities?

    -- Tom ;)
     
  23. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    It depends upon how married you are to your data and windows refinements. I recently got a little lazy on my imaging, ran a .exe when I shouldn't have and ... you know the rest. I was unwilling to go back to my last image, it engendered too much loss. Twelve hours later after the manual removal I am back.
     
  24. wat0114

    wat0114 Guest

    Besides imaging, I also back up all my critical data to two separate hard drives and a USB drive. It is easy to fall behind; I've played catch-up from time to time, but due diligence pays off in the end.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ah I should have just used this topic to discuss my security philosophies of "kernelmode-only security."

    I believe that a security setup should not incorporate common sense. I believe a security setup should assume the user is a moron and assume that they WILL download malware. It is up to the operating system to secure it accordingly. Something like integrity levels is a great step - it assumes that the user will download and run something and it restricts it accordingly. IE9 running at low integrity ASSUMES that the program will be breached and the low integrity is their way of securing you anyways.
     