Cloud-Client Integrity Protection (CCIP)

This is more of a theoretical inquiry and possibly a longer-term suggestion, which is why I am creating a separate thread...

...please be aware that this is being created here mostly because of a new trend that is being discussed here on Wilders, in which people are concerned about the attack surface added by their actual security software; more specifically, the cloud or definition database...

It would be comforting, definitely a plus, (and some would go as far to say necessary) to add some sort of integrity protection to the client to be able to detect if the cloud has been compromised.

Again, hear me out on this. I'm sure this sounds radical/out-of-place but this is a growing concern and it has gotten me a bit shaky and definitely thinking...

Cloud-Client Integrity Protection is a module/sub-shield that runs with the real-time protection of Webroot SecureAnywhere and is turned on by default. It regularly and efficiently checks to ensure that the data coming to and from the Webroot Threat Intelligence Network cloud is authentic and follows Webroot security conventions.

If data deviates from the norm, the client will automatically...

1. Notify Webroot security professionals with the details of the suspected compromise
2. Terminate communication to and from the cloud after event details are sent
3. Turn all the heuristics up to maximum
4. Launch a protective scan that checks all areas that the cloud interfaced with last when the breach was detected, in addition to the standard deep scan
5. Prompt the user with a RED message notifying that cloud protection has been temporarily suspended and heuristics are on maximum temporarily while Webroot addresses a potential issue with their cloud
6. When the issue is resolved, notify the user with a GREEN message telling them heuristics have been restored to their previous settings and the cloud protection has been reactivated

A lot of people are concerned about antiviruses and other security software creating attack surface themselves, after the recent issues with Norton (and their dishonesty) and Panda being hacked and the hackers claiming they "did more" than Panda admits.

Even with a cloud product like Panda or WSA where there is very little of anything stored on the local machine/client, the cloud is a massive amount of attack surface, technically speaking, if it were to be compromised. I am almost certain many of you will come back and suggest I ask the sky to hit me with lightning while making cupcakes appear in front of me; but still, this is a theoretical possibility that some people are becoming increasingly concerned about, and while very skeptical I remain, I cannot blame them.

I do however, approach this from a slightly different standpoint. Why not view this issue as an extension on self-protection modules, which protect the actual application from harm, and have been included for years now? Why not protect the cloud/database from talking to the client if a compromise is suspected. The same heuristics the program uses could be employed to do such a task.

And lastly, I of course am aware that Prevx's awesomeness combined with Webroot's large servers probably have so much security already to protect from intrusion, but this would be an additional layer that would give people peace of mind that even if the cloud was compromised and mal-definitions were served up, the clientside of Webroot would stop talking to the cloud and resort to heuristics.

Thanks for reading.

 

I understand your concerns and you have valid points, but it could be argued that traditional AVs where one has to download signatures need to ensure those update servers are also not open to attack vectors. In short, any server belonging to a security vendor that has data stored on it needs to be protected.

 

Yes I agree, just a basic principle with or without the cloud

 

All of them already use HTTPS for updates, which ensures that no on ebetween you and the server has touched the downloads.

It's not as if the servers are sitting there waiting to be hacked. They're in a database, protected, as with all servers. Any type of verification would be completely flawed unless they had multiple servers spread around with a service like perspectives verifying the payload from each is the same. They just need to step up their protection, that's all.

 

I'm just trying to bring attention that there are people abandoning any security solution that has to talk to a server (cloud or not) because they feel that they must consider the said vendor's entire database part of "their attack surface".

Panda was hacked. They strongly claim it only was an external website that had nothing to do with even their product's website, let alone their cloud. No one seems to believe them.

I fear strongly what if something like this happened to Webroot.

 

You have to filter out speculation from reality. Unless proven otherwise what you are referring to is just speculation. With "if" and "then" you don't go very far apart from construct a nice theoretical framework.

Those avoiding cloud are simply limited in their ability to accept that data storage and processing can exist in other location than your system and this does not necessarily mean more risk and less security, on the contrary.

You are obviously free not to trust or to avoid or to follow the evolution of modern security software design.

 

I'm not neccessarily the one you have to convince.

I'm trying to advocate concern of several advanced users here on Wilders that are really, really big on the "attack surface reduction theory" and take it to extremes like including AV software.

They have a point though. If a vendor's database server was compromised which is possible even if it is 0.000001% chance of happening...what's to stop the criminals from using the servers to push out mal-definitions.

I named this thread "Cloud..." since I'm suggesting this to Webroot, but the same heuristics to auto-detect vendor intrusion should apply to ANY security solution that talks to a server.

 

Do you have data that corroborates that? Or, is it only speculation on your side?

I'm OK with storing unimportant data in a cloud server... I love the word cloud... Such a lovely word for such an old technology.

You almost make it sound like the servers are in the cloud. Such a magic word. And that, due to this magic word cloud, everything is safeguarded. The data is stored in physical data storage, with Internet connectivity.

-edit-

I'm not necessarily talking about Prevx/Webroot. I'm talking about the cloud in general.

 

Again, what suggested (client protection) applies both with or without the cloud. And most client products already contains integrity procedures to check for valid signature.

But anything cannot be 100%, so you can still play with your theory as for any other related security threat

And yes, we are obvsiouly not talking about the cloud in general.

 

I'm still not seeing what is so very wrong with implementing a self-check feature that will terminate talking to the cloud if an issue is suspected/detected, or at the very least, if the vendor catches it.

 

Actually, this ends up being about the cloud, where Prevx/Webroot fit in. And, there are no theories/there is no theory.

Have you paid enough attention through the years? Hacks happen all the time; many you won't even hear about them. Do you remember Sony's (I believe it had to do with some PS3 network content, where clients got data stolen or something like that ) hack? It was not that long ago.

Another one I remember, due to late events, is Symantec's hack. There are more.

Cloud != safeguard. There are no theories. It has been put into practice for a long time. lol

Something is only a theory when someone talks about something and does nothing to show it can be done. Many have shown it can be done, repeatedly. So, what theory/ies?

 

Uhm... I think there is some confusion, here we speak about signature "pollution".

 

Well, not a confusion, so to speak... but yes, that's a whole different matter. I agree with that.
Nonetheless, that would depend on whether or not the attackers would consider it worthy enough to pollute them?

Then again, if it were me I wouldn't pollute malware signatures, at all. Why not go root? I mean, most security solutions have a service component running in the user's system, and it will be this service that will handle upgrades, for example. This service has full access.

If it were me, I wouldn't just upload fake malware signatures to clients. What for? Unless they'd want to go undetected... just in case. But, they could just repack an existing piece of malware and most antimalware apps would recognite it. So...

So, yes... "bad" signatures would be the least of my concerns. I'd be far more concerned about whatever else they would plant on my system, and getting root access by abusing the services these antimalware apps install.

Nice, an upgrade...

-edit-

This does make me wonder. Do the system clients have any safeguard against any such situation? A fake "upgrade"? lol

 

Hmmm.

"All of them already use HTTPS for updates, which ensures that no one between you and the server has touched the downloads."

1: Are you sure all of them use HTTPS for updates? Webroot 7.0 didn't, for example.
2: HTTPS is not a guarantee of security. MitM with CA breaches is something the security company can't affect, for example. Even if the TLS is solid at any given time, what stops intrusion into the server storing those definition downloads and thus modification of the definitions?

Anyway... On to OP. Practicality considerations and current status...

"It would be comforting, definitely a plus, (and some would go as far to say necessary) to add some sort of integrity protection to the client to be able to detect if the cloud has been compromised."

Already in there.

Have you ever sniffed the traffic to/from the client? Not SSL, but it's fugly. A beautiful 26-character ciphertext is the end communication channel, with some Base-16 data thrown in. Run it through a proxy and tamper with this data, and the client definitely knows it. Then it uses Offline settings if I'm not mistaken.

However, altogether, the cloud doesn't Do Stuff other than take care of the pattern matching. Client: "Hey, cloud, here's a list of what I have." Cloud: "Okay, #1 is good, #2 is unknown, and #3 is bad." So other than marking a bad file as good and creating a false negative, people can't precisely "attack" anybody through the cloud.

Also keep in mind that "Cloud" simply refers to "It's done somewhere on the internet" as opposed to "It's done by your machine only".

So really, cloud-based operation doesn't really open up an extra attack vector. Plus I doubt that the machines on the cloud are running Java or Flash or Reader and being used to surf the web, so chances are they are more secure than most peoples'.

 

Again, I am not arguing with what you all are saying.

I am simply advocating for the people that truly believe they are majorly increasing their attack surface by installing an antivirus program that communicates to a vendor's server, be it "cloud" or not.

They feel that the number of AV vendor intrusions is going to be increasing in the future, and by having an AV installed you are basically leaving the door open to fall victim to attacks that which were not even necessarily intended for you, but for the AV vendor. (e.g. anonymous hacking Panda)

 

Shifting gears a bit and talking more about the current value of Webroot's Self Protection module itself...

What can it do, besides protect against anything trying to terminate Webroot's processes? Can it protect against anything trying to tamper with the program in other ways? Moreover, can it circumvent some of the theoretical/rare malicious actions we have been discussing in this thread so far?

If indeed all it does is prevent things from terminating Webroot's processes with three different sensitivity levels, well...I'm not sure how much trust I can place in that technology or method altogether, from ANY vendor.

For what it's worth, a well respected MCC on the Microsoft Answers forum defended Microsoft Security Essentials (now also Windows Defender in Windows 8 ) when I assertively recommended that they add a self protection module to help strengthen it since it is already the most popular antivirus in the world and will therefore be widely targeted...

I don't know...

Do you agree? Disagree? Thoughts?

 

Effectively correct. Self-protection really is not meant for advanced threats at all. Can't be anyway. Once something gains administrative access to the system, it's on an equal footing at the user level. Once it gets a kernel driver installed, it's gotten even deeper. The more advanced threats these days work to get not only the kernel driver, but even deeper than that, hitting the MBR or other functions outside Windows. Removing these items from a pre-infected system literally becomes a chess/robot game of figuring out what what is protected against and circumventing it programmatically.

The only reason that security software can survive at all is based on several premises. 1: MOST (Like 99.99% or so) threats don't target it directly (focused targeting of every possible security package is prohibitive, code-wise). 2: Most threats these days don't try to get quite as deep as they could. Coding at the kernel level is not a simple thing, after all. 3: Try to stop the threat BEFORE it gets into memory and has the CPU directed at it. 4: Failing at 3, try to interdict it as best you can to keep it out of sensitive areas (At the risk of breaking it, sadly) prophylactically.

Take 2, for example... With Self Protection on Maximum, please be encouraged to try to just End Process the WRSA.exe stuff in Task Manager. Whereas something like ZeroAccess, by comparison, goes and injects a "ProcessClose" machine code command into the memory that the process is about to run through, thus making the process close itself. So they decided to make DEP so that at a hardware level, the process code memory can be marked as Read-Only. Therefore ZA got smart, hunted for this task, and UNMARKS it from R/O status so it can still inject.

It's a huge cat and mouse game, or chess game, or arms race, or whatever you want to call it, with no solid solution. There can and will never be a 100% protection short of filling your computer with cement and burying it in the bottom of a lake. But then it's not a very useful computer anymore, is it?

 

Tell me about it!

Even the other day, CCleaner completly hijacked my system! Only a reboot killed it.

If something had to be done, due to what was raised in this thread, it would have to be done at the server side - protect them better - cloud or not.

As for anyone concerned, and as I mentioned in the other thread, it's a somewhat tough call to decide whether or not to ditch their antimalware applications.

I suppose the only way for these users to be reassured, is to have a pre-made system image of only the operating system and known good applications they use, and then restore it clean each boot. Drastic?

Unfortunately, and generally speaking, security vendors do not seem to learn from each other mistakes. Sometimes, they don't even learn from their own mistakes. I may be wrong, but I believe at least a couple of these security vendors have been hit, at least twice, over time.

 

So with that in mind, are you recommending disabling Webroot's self-protection module?

If your answer is no, then what are you saying? Leave it on for grins but place more confidence in careful computing and making sure nothing untrusted gains admin rights in the first place?

 

I'm not an expert in antimalware applications, but my believe is they should have, and therefore many have, self-protection. I mean, otherwise wouldn't any mediocre programmer be able to bring them down?

 

Well, it can be inferred from my own knowledge combined with the general consensus and agreement with Koch's words that Self-Protection is better than nothing for typical users who run as admin full-time and turn UAC off...

...But the best way to protect your system AND your other layers of security is to run with standard user tokens full-time or as much as possible.

Self-Protection modules don't have anything to do with that--they more have to do with preventing malware from tampering or shutting it down. But if the malware is programed to fight this, it could indeed just become a:

You shut me down I startup again, you shut me down, I startup, down, up, down, up, etc etc.

Now that being said...I forgot that I think Webroot/Prevx is a more sophisticated than that. Their Self-Protection I believe launches a "protective scan". Joe probably can comment on the details.

So I guess it depends on what is meant by "self-protection module".

 

Exactly. Which is why self-protection should be there. Running as a standard user has nothing to do with it, IMHO. Just because something runs with the same privileges as the antimalware application, that won't necessarily mean that the antimalware application will be any weaker, if we take under consideration self-protection? (I'm leaving aside things like ZeroAccess...)

The other user mentioned the ZeroAccess rootkit (And by the way, according to Prevx/Webroot it actually forces the scanners to kill themselves using the ExitProcess().), but as always it's cat and mouse as the other user also mentioned. There will always be clever programmers that will be able to tamper with scanner's self-protection, but hopefully that will also allow security vendors to make their scanners self-protection stronger as well.

Security vendors did solve the issue with ZeroAccesss rootkit killing them. I hope...

I suppose those scenarios will depend on how great both the malware and the scanner's self-protection are...

But, if we look at it, in computer security history, how many great malware code has been out there? And, I mean truly great... Not great in the sense of being good, though.

 

So then Moonblood you are disagreeing with Rob Koch...because he's saying self-protection is worthless. He says the best way to protect the security software is:

- Least User Access

- File system privilleges

I tend to agree with him, but I disagree that self-protection is worthless. If designed well, it is a good module to have IN ADDITION to nonadminstrative daily internet usage.

This isn't really arguable. Even Prevx blogged about this in the past, saying how you can have all the security software you want but if you run full-time as an admin you are putting all your security layers, self-protection module or not, at risk.

Let's not start the LUA discussion all over again lol.

 

Well, if self-protection is worthless as he put it... then why are security vendors improving theirs against something like ZeroAccess rootkit?

For instance, take a look at this SurfRight blog article about it: -https://hitmanpro.wordpress.com/2011/07/15/zeroaccess-rootkit-strikes-back/

If, for instance, SurfRight were to follow what Mr. Rob Koch said or thinks about it, then HitmanPro would still be self-killed by now. The same would apply to other antimalware apps.

So, how can it be that self-protection is worthless? Or, am I not seeing something? lol

 

Again, I don't necessarily completely agree with his viewpoint.

I think he is referring to a specific type of self-protection but he may not be current on approaches being used right now in the security industry.

All I am agreeing with is that LUA and file access restriction is an excellent and should-be mandatory first step.