At the risk of sounding all pompous and arrogant...

Discussion in 'other security issues & news' started by Gullible Jones, Apr 14, 2012.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    The original post was a good one. In no way was it pompous. It made me think again.

    I have a FW from Agnitum Limited not US based. I have an AV from Eset. Again not equal in size to MS or Norton etc. So I guess I'm "guilty" of using small company products.

    Why do I have these? I have sort of, over time, shrunk down to them via trying other products for both FWs and for AVs, and found that I can use these and not have calling-home issues or products that embed themselves so deep in the OS that it takes me hours to remove them. They can work together and exclude each other.

    I would use the Windows 2-way FW, but no matter what some of the excellent threads here say, it consumes too much of my time rule building, which is not how I want to spend time these days.

    Trust? Well, if you use the OS of a company I can't see much more trust than that. But yes, I augment that with some easier, more effective (for me anyway) tools to filter malware and control what exe's access the www.

    Keep an image backup of all logic and all data, since none of this will ever be 100%.
  2. Rmus

    Rmus Exploit Analyst

    Referring to my Post #2:

    I will give an example.

    When Windows 2000 was released, I decided I needed a firewall. Not knowing anything about firewalls, I asked several knowledgeable people whose opinions I respected, and the Kerio 2 firewall was suggested. I found out about the Kerio Forum at DSL Reports in those days, and I learned a lot from those people. So, I started out trusting this program based on recommendations.

    Soon, I was able to test its protection in several ways:

    1) An online port scanner showed all ports closed

    2) Kerio alerted to any incoming intrusion

    3) Once a rule was set to block w/o an alert, periodic checks of the Log confirmed this protection

    4) Kerio alerted to all outbound connection attempts; simple rules authorized those applications I permitted to connect out.

    Now, my trust went up to another level, based on my own observations (tests, review). This trust will continue until something comes along to challenge that trust.

    regards,

    -rich
  3. Rmus

    Rmus Exploit Analyst

    Thinking about a firewall brought to mind again the OP's comment,

    Remember the Blaster Worm? It intruded via unsecured ports, so, anyone with WinXP and its firewall was protected, right? Not necessarily so, because unless the user did otherwise, by default, the firewall was not enabled prior to SP2.

    From the MS SDL blog about the vulnerability that the Conficker worm would exploit:

    MS08-067 and the SDL
    http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
    Following the detection in the wild of Blaster, Microsoft issued this advisory:

    Virus alert about the Blaster worm and its variants
    http://support.microsoft.com/kb/826955
    August 11, 2003
    Thus, many innocent, unaware, trusting users of Windows were rudely surprised by the infiltration of Blaster.

    Two questions arose then: Did a user have an expectation of protection based on trusting Microsoft to secure against unwanted intrusions via unsecured ports? (ie, enable the firewall by default)

    Or was it incumbent on the users to know how Windows was configured regarding the firewall and other things, and to make these decisions themselves?

    regards,

    -rich
  4. m00nbl00d

    m00nbl00d Registered Member

    Yes, I'm aware of all that. But, you previously .... *edit* I actually can no longer find one of your replies to user Hungry Man. It disappeared. *end of edit*

    But, anyway, in that reply of yours to him, you basically disagreed with him, when he said he wouldn't see them (security software not making use of such mitigations) fit to secure his system.

    That's why I got totally lost with your replies. I actually still don't understand what you're trying to say.

    Are you saying both Hungry Man and I are wrong? Because everything you've quoted so far, from Microsoft and/or other sources, corroborates us. Or, in other words, by not supporting ASLR, any software will create holes in your system; holes that did not previously exist.

    I believe this to be what you're trying to say as well. I just believe there was some miscommunication in your replies. :doubt: You need to be a bit less cryptic with your words. :D
  5. HKEY1952

    HKEY1952 Registered Member

    No, I am not saying that both Hungry Man and you (m00nbl00d) are wrong; my information is being misinterpreted and I
    can see where, but I am unable to explain it understandably. However, I will try one more time, briefly.

    It is correct that Independent Software Vendors should secure their code base to be compatible with Address Space
    Layout Randomization via the /DYNAMICBASE linker flag.

    It is correct that when an Independent Software Vendor's code base is compatible with Address Space Layout Randomization,
    the Microsoft Windows Operating System and installed software are more secure.

    It is correct, when I state that when an Independent Software Vendor's code base IS NOT configured to be compatible with
    Address Space Layout Randomization via the /DYNAMICBASE linker flag, there still remains a variety of other ways
    within the Microsoft Windows Operating System to turn the attacker's data into executable code to deter the attack.

    The Microsoft Windows Operating System has more than one defence mechanism, and Data Execution Prevention and
    Address Space Layout Randomization are not the heart of it, only a layer.

    One of the other basic approaches to deter the attack without Address Space Layout Randomization is to use code
    from loaded modules to invoke system functions like VirtualAlloc or VirtualProtect, which can be used to make the
    attacker's data become executable while the attacker's data exists in the non-executable regions of memory.

    Once the attacker's data becomes executable in the non-executable regions of memory, exception-handling mechanisms
    within the Microsoft Windows Operating System raise an exception flag; executables are not permitted to execute in
    the non-executable regions of memory, therefore the attacker's process is unhandled and the process is terminated.

    Every time an execution occurs in the Microsoft Windows Operating System an exception flag is raised.
    If the exception is unhandled the process will be terminated.
    If the exception is not unhandled the process will execute.


    I believe this is where the confusion comes into play:
    The fact is that, without Address Space Layout Randomization, modules load at predictable addresses; however, it still
    remains possible to turn the attacker's data into executable code in the non-executable regions of memory to deter
    the attack. One of those possible basic ways is described in the last three paragraphs above.


    HKEY1952
  6. Escalader

    Escalader Registered Member

    Hi Rich:

    My 1st FW love was Kerio. If it would work on Windows 7 64-bit I would revert to it in a "flash". The guys who helped me here in those early days taught me everything I know (never enough!) about FWs, packets and networks. I can never thank them enough. :thumb:
  7. Escalader

    Escalader Registered Member


    Rich:

    The sad fact I fear is that it was incumbent on the users to know how to set up the FW. The other unsolvable issue is that, with the exception of guys and gals who come here and learn about how to drive their PCs (no driver's licences), the great mass of users will NEVER learn. For them a suite is the best choice, and I beg the thread's forgiveness for saying that! This no-learn thingy is how a market for 3rd party security products exists, IMHO.
  8. HKEY1952

    HKEY1952 Registered Member

    As a final note on the subject from my end.

    Microsoft recommends, and is encouraging, Independent Software Vendors to take full advantage of both built-in
    security layers provided by the Microsoft Windows Operating System, Data Execution Prevention (DEP) and Address
    Space Layout Randomization (ASLR), by making program calls from their code base, linking their software to these
    built-in security features and technologies.

    Microsoft recommends, and is encouraging, this programming practice because both Microsoft technologies working
    together will provide more reliable security measures globally throughout the universe of the Microsoft Windows
    Operating System, for both the operating system and the installed software that is programmatically linked to both
    technologies' built-in security layers and features.

    Independent Software Vendors opting in for Data Execution Prevention and Address Space Layout Randomization in their
    code base is an OPTION, an option STRONGLY recommended by Microsoft. However, not opting in does not render the
    Independent Software Vendor's software inferior, nor does it weaken the security of the operating system.

    However, not opting in for Data Execution Prevention and Address Space Layout Randomization from the code base of
    the Independent Software Vendor's software does, in the eyes of the operating system, create PROBABLE HOLES for
    attacks. The underlying technology of the operating system is the heart of that computing environment's universe, for
    that computing environment. The universe of the Microsoft Windows Operating System and its technologies and security
    features is expanding, changing, and improving more every day, day by day.

    If Independent Software Vendors want to ENSURE the most CURRENT reliable security measures for both THEIR software
    and the security of the CLIENT'S OPERATING SYSTEM, then those Independent Software Vendors MUST AND SHOULD follow the
    security advice RECOMMENDED by the creator and master of the operating system's universe.


    EDIT: clarity


    HKEY1952
    Last edited: Apr 16, 2012
  9. Hungry Man

    Hungry Man Registered Member

    I disagree.

    As you've stated (and quoted) when you use DEP you're still vulnerable to return attacks. ASLR is made for this.

    So if I use a program that supports DEP and ASLR an exploit may not work, but if I then run a security program that injects a non-ASLR dll into that program there could potentially be enough gadgets within that dll for further exploitation of my system.

    On the one hand you're saying that it
    and on the other you're saying
    I don't think I'm understanding you.

    It can't be both. A security product's job is to secure the system. If it's not supporting ASLR it's defeating the security mechanisms of other programs. A single dll could potentially be enough for ROP.

    Can ASLR be bypassed? Yes, even with DEP. There are potential universal ASLR bypasses due to fixed areas of the address space on all operating systems, including Windows.

    Regardless of that fact, it is a security developer's duty to make use of the latest mitigation techniques so that their impact on the OS (in terms of attack surface) is lessened.

    I think a security program not making use of DEP or ASLR is a great way to determine if they're really serious about keeping the user's system secure.

    That's as much as I've got to say on the matter though. I agree with part of your post but I don't think I'm really getting what you're trying to say.
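    Hungry Man's point above (a single non-ASLR DLL injected into an ASLR-enabled process hands an attacker fixed addresses) and HKEY1952's earlier post about the /DYNAMICBASE linker flag both come down to header bits a defender can check. The following is an added example, not code from this thread or from any product discussed in it: a small Python parser that reads the DllCharacteristics field of a PE image's Optional Header and the Characteristics field of its COFF header, and reports whether a module opted in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), and whether ASLR can actually take effect for it. It goes one step beyond the posts by also covering the relocations-stripped case: a module whose base relocations were stripped cannot be rebased by the loader even if it sets DYNAMIC_BASE, so it still lands at its preferred address. The header offsets and flag values come from the PE/COFF specification; the images produced by build_sample_pe are constructed header-only blobs, and the module names used in the demo are made up.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
# (Optional Header, offset 70 for both PE32 and PE32+)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (/DYNAMICBASE)
NX_COMPAT = 0x0100         # image is DEP-compatible (/NXCOMPAT)
# IMAGE_FILE_* flag from the COFF File Header Characteristics field
RELOCS_STRIPPED = 0x0001   # no base relocations: the loader cannot rebase the image


def parse_pe_mitigations(data: bytes) -> dict:
    """Read the mitigation-related header bits of a PE image held in memory.

    Only the DOS header, PE signature, COFF header and the start of the
    Optional Header are touched, so a header-only image is enough.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        (_machine, _nsections, _timestamp, _symtab, _nsyms,
         size_of_optional, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20  # COFF File Header is 20 bytes
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:
            fmt = "PE32"
        elif magic == 0x20B:
            fmt = "PE32+"
        else:
            raise ValueError("unknown Optional Header magic 0x%x" % magic)
        if size_of_optional < 72:
            raise ValueError("Optional Header too short to hold DllCharacteristics")
        dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc

    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "format": fmt,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize the base if the image opted in AND
        # still carries its relocation table.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def find_aslr_weak_modules(modules: dict) -> list:
    """Return the names of modules (name -> image bytes) that would load at a
    fixed base inside an otherwise ASLR-enabled process."""
    return [name for name, image in modules.items()
            if not parse_pe_mitigations(image)["aslr_effective"]]


def build_sample_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image (no sections) for demonstration.
    This is a hand-built sample, not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    opt_size = 112 if pe32plus else 96     # standard Optional Header sizes, no data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                    # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With file arguments: report real modules from disk. Without: run the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, parse_pe_mitigations(fh.read()))
    else:
        samples = {  # constructed sample modules, names are made up
            "app.exe": build_sample_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True),
            "hook.dll": build_sample_pe(NX_COMPAT),                        # never linked with /DYNAMICBASE
            "legacy.dll": build_sample_pe(DYNAMIC_BASE, RELOCS_STRIPPED),  # opted in, but cannot be rebased
        }
        for name, image in samples.items():
            print(name, parse_pe_mitigations(image))
        print("modules undermining ASLR:", find_aslr_weak_modules(samples))
```

    Run it with the paths of the DLLs a process has loaded to see which of them would undermine that process's ASLR; with no arguments it reports the constructed samples. A module that shows dynamic_base true but aslr_effective false is the case that tools which only look at the DllCharacteristics bit tend to misreport.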
  10. HKEY1952

    HKEY1952 Registered Member

    You (Hungry Man) and I (HKEY1952) are basically stating the same thing(s), in two separate objective ways.


    Your objective is ABSOLUTE security in the real world, something that is never going to happen, but something to
    strive for in regards to improving security.

    My objective is EFFECTIVE security in the real world, something that does exist, also requiring constant upgrading
    and refining to be effective against current, past, and potential future real world attacks.

    As an example:
    In regards to ABSOLUTE security in the real world, yes, it is true that exploits have been written which are capable
    of bypassing the combination of Address Space Layout Randomization together with Data Execution Prevention.

    In regards to EFFECTIVE security in the real world, although there are weaknesses in the current implementations of
    Address Space Layout Randomization together with Data Execution Prevention, the vast majority of exploits that have
    been written to date do not have such capabilities and instead strictly target applications and platforms that do
    not enable these mitigations, thus, Address Space Layout Randomization together with Data Execution Prevention,
    provides effective strong countermeasures for the types of attacks that exist in the wild of the real world despite
    weaknesses in their current implementations.

    Source: http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx


    As an example:
    In regards to ABSOLUTE security in the real world, yes, that would be the most logical decision if all the security
    implementations in the system were absolutely perfect. Installing insecure software would not be logical.

    In regards to EFFECTIVE security in the real world, there still exists countless software programs that do not take
    advantage of the security measures mentioned in this Thread, and/or, are outdated software, are software that is not
    Digitally Signed, are software that does not follow the Microsoft Windows standard programming guidelines and so on.

    Because of this array of available software, effective security in the real world also requires the implementation
    of a reliable and effective firewall and antivirus solution, both already built into the latest versions of the
    Microsoft Windows Operating System.

    HKEY1952
  11. Rmus

    Rmus Exploit Analyst

    Hello, Escalader,

    I remember those days! Kerodo was another Kerio user who helped a lot with understanding firewalls. I never questioned the idea that this was an innocent type of trust. I've started out that way with other products. You have to start some place, trusting something/someone.

    I have to agree, but am not happy with that fact.

    If a user looks at the WinXP Help File, it's pretty complete, and discusses the ways to enable/set up the firewall. But as you suggest, who reads the Help File?

    However, it can be argued that a company, in order to maintain the trust of its clientele, should anticipate certain things. Certainly, internet attacks via ports was not new, so why not inform that this new OS (WinXP) has a firewall that should be enabled? Or, why not just enable it and display a Pop-up directing the user on first use to the Security Center where the firewall configuration is? For example, here is what is displayed when starting IE8 for the first time:

    [image: ie8-setup.jpg]

    The firewall issue is just one example, but contributes to my longstanding lack of trust in Windows, notwithstanding the OP's having trust in Windows.

    Windows is just too complex a system with too many opportunities for compromise. As I quoted in my earlier post, Microsoft admits it should have caught the vulnerability in MS08-067 through its testing/fuzzing. How many other potential vulnerabilities haven't been caught? The LNK exploit from last year is one.

    Now, lack of trust doesn't mean abandoning a product (Windows, here). It just means that one should take nothing for granted, and needs to have protection in place in case of an unexpected intrusion. I think this is pretty much accepted by many these days. (For example, the LNK exploit was easily blocked with proper protection in place)

    regards,

    -rich
  12. Hungry Man

    Hungry Man Registered Member

    I actually think we're saying the exact same thing.

    Because:
    This was what I was trying to say from the beginning.

    edit: You are right though. I think that attempting to attain perfect security (whether or not it is possible, which is a whole separate conversation to be had) is the right way to go.
    Last edited: Apr 16, 2012
  13. HKEY1952

    HKEY1952 Registered Member

    Well, I am glad we got this cleared up and agreed upon.

    God Bless and have a wonderful twenty-four hours!

    You have a high degree of intelligence, Hungry Man; use it wisely!


    EDIT: grammar/completeness


    HKEY1952
    Last edited: Apr 16, 2012
  14. EncryptedBytes

    EncryptedBytes Registered Member

    I agree with this statement 100%, though this goes with any OS. I challenge the readers of this post to understand the core concepts they are trying to protect instead of installing the flavor of the month in terms of 3rd party programs (for security or otherwise). When you install 3rd party programs/scripts for all the simple functions an OS (be it Linux or Windows) can handle on its own, you are setting yourself up to be potentially vulnerable, because now you've introduced new code and a potentially new avenue of attack. Adobe, for example. You may even create conflicts or instability within the OS.

    Before downloading 20 programs to tackle virus detection and removal, step back for a minute and perform a little analysis on your system. Where am I mainly getting infected from? What kind of virus or malware? What has been their most likely way to exploit code? Lock down/ patch/ or remove the avenues of attack manually and you just did what 19 of 20 of those programs do. I know I deviated from Hungry Man and HKEY1952's original conversation on effective security, but my coffee hasn't kicked in yet so I went with the simpler reply. :)
    Last edited: Apr 17, 2012
  15. m00nbl00d

    m00nbl00d Registered Member

    Can you deal with compressed files in Windows, other than *.zip, natively? No, you can't. Can you deal with media file formats such as *.flv with Windows Media Player? No, you can't. There are more media file formats you can't play either.

    Sorry, but what you're saying doesn't reflect the reality. So yes, millions of people may need and want to use third-party software, because the operating system native functions are pretty much worthless.

    And, just because we may need a third-party application, that doesn't mean that those software developers get the right to neglect their user base security, by making it easier for cybercriminals to attack the system through applications not supporting these built-in mitigations.

    Regardless of the nature of the software in question, they should never break the built-in security. The same applies to drivers, as well. This is something that for most hardware, unless it's from Microsoft itself, you do need third-party software.

    This isn't just about security software. It's simply quite ironic that security software developers - people who should be conscious about these matters - break the operating system's built-in mitigations. Some may actually break a lot more than this. o_O

    Which is why I do try to keep it minimal and to the really needed stuff.
  16. Hungry Man

    Hungry Man Registered Member

    I don't think he's advocating not ever using 3rd party software, moreso that users shouldn't slap on whatever they can find and especially that users need to understand that by slapping things on they're increasing attack surface and not necessarily getting any real benefits.

    So, yes, of course you should install winrar or 7zip if that's what you need. But maybe don't install both if you only need one... and don't feel like you should add on 10 other programs for no good reason.
  17. EncryptedBytes

    EncryptedBytes Registered Member

    Perhaps I should have added the phrase "as much as possible" as HKEY1952 did. The common sense rule was implied in my post. My post was targeting those who install programs which an OS can handle effectively by itself, for reasons stated. The original topic creator was enquiring how we trust the programs suggested on this website. As most of that has already been addressed, I am saying a lot of the programs mentioned on this site you do not even need. I've done the Picard face palm many a time reading posts where members suggest that in order to "achieve security" you must pile on as many unnecessary security programs as possible. Which in my opinion is counterproductive and achieving the opposite in some cases.
  18. m00nbl00d

    m00nbl00d Registered Member

    Yes, I understand what EncryptedBytes meant. I'm just saying that most of the times, users won't have any other option. Either they use what they want for their needs, or they won't. But, if they won't, then they won't be able to do what they wanted to do, in the first place. :argh:

    I simply named two basic uses millions of Windows users may give to the operating system/bundled apps, and that it/they can't provide the functionality to the users on its own. Most of the time it simply lacks the functionality; other times it's too limited. :ouch:

    -edit-

    I am, of course, not necessarily talking about security software... but, it is ironic that even these fail to support the operating system built-in security. lol
  19. m00nbl00d

    m00nbl00d Registered Member

    I agree with you on that, don't take me wrong. :D I just expanded on it. :D
  20. Escalader

    Escalader Registered Member


    Yes! Agreed!

    I didn't want to list all the guys who helped me with the learning threads on Kerio, OA, etc for fear of missing somebody!

    But one guy we can all agree on was Stem. Thank you Stem!

    If I ever win the lotto (no ticket) I'll issue an RFQ to clone Kerio onto Windows 7/8 and make it a free product!

    If Windows 7/8 enabled their FW as a default at install time, then that would FORCE the unlicensed www drivers to disable it as an in-the-open decision.
  21. TheWindBringeth

    TheWindBringeth Registered Member

    It sounds as though you "trust" something after you have, and to the degree that you have, quality information about and understanding of it. To which your response might be "well of course". Unfortunately, I think most users will declare "trust" for something *without* having quality information about and understanding of it. In some cases this is simply due to ignorance. In other cases I think it is a way to rationalize proceeding without doing an adequate amount of homework so to speak.

    This, I think, is a hugely important and beneficial concept. One can lower their standards for "trust" so that they can declare "trust" for everything they use, OR they can maintain high standards for "trust" and accept that in some cases they might be using something(s) they don't yet or adequately "trust". For various reasons I think the latter approach is the far more appropriate one.
  22. Escalader

    Escalader Registered Member

    Yes, this is the safest policy.

    Deny access by default and allow by exception.

    It is not the easiest and convenient approach and 1/1000000 might actually do it.

    I'm only 60% of that. :(
  23. CyberMan969

    CyberMan969 Registered Member

    Sometimes it has nothing to do with trust. Sometimes it's the lack of knowledge shown by the end user that is the problem. I would have liked to believe that most of us nowadays are more or less aware of online threats, but often this is not the case, especially for younger kids.

    A friend of mine was recently hit by a basic trojan, (fake Police Notice ransomware) despite the fact that his PC was protected by latest Avast, and latest Comodo Internet Security with Defence+ HIPS set to Safe Mode. His son wanted to watch a basketball game online and of course when the boy was prompted to download and install a 'codec' first he did just that. Avast alone should have caught it - but it didn't so it must have been a new variant. A Defence+ alert came up and of course the kid allowed it all thinking he was just installing a codec for his game. Thankfully there was also Rollback RX installed and my friend just restored an older snapshot at next reboot, effectively undoing the malware installation.

    There is no defense against mistakes by the user. The only defense against this sort of thing is to be able to 100% undo it, and depending on the strength of the infection itself (and short of restoring a full backup), this can only be done in one of three ways:

    • Loading a fresh VM image of Windows at every startup. Some malware can still bypass it and infect the real system.
    • Having snapshot software installed (Comodo Time Machine, Rollback RX and a few other very similar apps). Again there are some rootkits that can infect all snapshots.
    • Using light virtualization software like Shadow Defender, Returnil, Toolwiz Time Freeze, Faronics Deep Freeze etc. I prefer Shadow Defender because it seems to be the only one that can still undo some rootkit infections that beat all its competitors so far - and this is superb coming from a piece of code that hasn't been updated for the last two years (v1.1.0.331 is a no go for me, I still use the last known good v1.1.0.325). It does the job and in combination with a good AV and HIPS firewall it provides a reliable safety net for the OS.
    For as long as the user doesn't disregard HIPS warnings of course... At the end of the day nothing beats a good old-fashioned full backup. But light virtualization does help a lot.
    Last edited: May 7, 2012