HIPS vs "Man-in-the-Middle" (MitM) malware?

Discussion in 'other anti-malware software' started by Rasheed187, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, a big part of how each of us views the different details of this comes back to the definitions of the terms, like Firewall, HIPS, etc, and what each feels should be integrated together and what should be freestanding. What you list wanting to see included in a HIPS, I'd call a security suite. For me, anti-exe, anti-rootkit, and behavior blocker should be HIPS functions. Anti-exploit would be to the extent of an exploited application's ability to affect the rest of the system. IMO, the internet firewall itself should be separate and freestanding. Preventing the bypassing and evading of the firewall would be the HIPS' job. As for Sandbox, that term has too many meanings by itself. The data protection aspect IMO should be largely the responsibility of the OS itself and the file system, with HIPS having a supporting role.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I agree with what you said here, but also don't forget that behaviour blockers are becoming smarter and more sensitive, or more paranoid, so that they protect you in a similar or the same way as a HIPS engine; maybe not with deeper analysis, but in a very smart way to protect one's system. The same goes for a firewall when it is set to the max settings, or for application protection in real time.
     
  3. Do it yourself MITM protection

    1. Apply a dual browser approach

    2. Use IE for trusted banking, enable all certificate features, plus EMET warnings for pinned certs

    3. Configure your firewall to allow IE browser HTTPS connections, only allowing the browser to connect to the IPs of the websites you want to access

    4. Use Chrome for normal browsing (only downside is you have to use HTTP search features)


    My wife shops on-line, therefore I have WSA installed (thanks to Pbust, now MBAE), because the above DIY approach only works for 'static' connections (I only buy stuff from two websites), since manual configuration is too much hassle.
     
  4. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    I use a similar approach. I also run IE as Administrator to get High integrity. Processes with Medium or Low integrity shouldn't be able to access resources from IE run at High integrity. It still wouldn't prevent a keylogger from getting keystrokes, as it would probably run at System integrity level.
     
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Definitely agree!
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I won't do any of my finances online or make online purchases. MITM attacks are not a factor in that decision. It doesn't really matter how well you've secured your end. If recent events have shown anything, it's that retailers and financial institutions can't be relied on to secure their ends. Paying bills online generally requires plastic. Unless you're buying prepaids, that usually means it's tied to a bank account. I'm done with banks and their policies of legalized theft. IMO, plastic is the equivalent of marked currency, designed to track your spending. I use cash, partly to be an irritant to that tracking process and partly to make card fraud impossible.

    Government agencies and mass surveillance aside, the primary motivations for MITM attacks are financial, generally theft. For me, the problem is moot. I don't do anything financial or personally identifiable online. About the only things they could steal or forge are forum identities. AFAIC, until we get a system that doesn't rely on certificate authorities or some other centralized point of attack, I consider HTTPS broken by design and won't trust anything sensitive to it.

    For those who do use the internet for financial purposes, the 2 browser idea that Windows_Security mentions is good. Myself, I wouldn't use Internet Explorer but that's largely a matter of preference and trust.

    Back on the original topic, there is no single tool that can mitigate all forms of MITM attacks. Some forms of MITM attacks fall within the control of classic HIPS and are easily mitigated using one. MITM attacks that take place completely within the browser need to be fixed at the browser. Making the certificate store read only will mitigate attacks that add, alter, or replace certificates. It is a stopgap measure that will require more user interaction, like remembering to make the store writable before updating. Someone correct me if I'm wrong, but don't most browsers have options that require the user to be asked every time?
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    jmonge
    I haven't done much with behavior blockers or "smart" firewall/HIPS combination products. IMO, HIPS should not be part of the attack surface. For all practical purposes, HIPS are almost part of the kernel. If the HIPS can be directly attacked or exploited, it would be game over. An internet firewall OTOH is part of the attack surface. It's the first thing in line for all internet traffic. If that firewall is also the HIPS, the package creates that path from the internet to the system core. IMO, the HIPS and internet firewall should both be self supporting and independent of each other, with nothing in common save for the OS itself. An attack against the firewall shouldn't touch the HIPS. I would have thought that some of these security software vendors would have paid attention to what can happen when an internet application is integrated with the operating system. IE6 should have driven that point home in no uncertain terms.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I have to disagree, all the things that I mentioned are related to HIPS. None of them are related to standard blacklisting.

    But it's a bit of a fantasy of mine, to see all this stuff in one lightweight HIPS. Actually, all the things that I described (except for anti-rootkit) are already implemented by Comodo. But it's not done in the right way IMO, making it look and feel quite bloated. And perhaps it's not even a good idea to use an all-in-one HIPS, because if it gets bypassed, all your protection goes down the drain. :)

    But what I wanted to point out is that if done in the right way, you can actually implement all these things into a HIPS, and still make it user friendly. I mean, you can implement it in a geeky kind of way, or you can keep things simple, perhaps even by dumbing down some features.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    It's not even a bad idea to use dual browsers, perhaps you could protect your banking browser with Sandboxie, because apps inside the sandbox can't communicate with apps outside the sandbox. However, 2 and 3 are no options for me, I hate IE, and I wouldn't know how to configure my firewall in that way. I believe Trusteer Rapport also does trick #3?
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've had that happen once with a security suite. It was before the term HIPS existed. The suite was a combination AV, Firewall, popup blocker, privacy protector, kitchen sink garbage disposal. On what should have been a safe Google search, I ran into a site that opened hundreds of popups (using IE6 back then). The suite couldn't close the popups fast enough. They kept grabbing the focus so I couldn't close the browser. One of the popups was apparently infected. It crashed the AV component. The firewall crashed a few seconds later followed by the PC. When I rebooted, the AV said I was infected but it couldn't remove the infection. Since that time, I've avoided interconnected security suites. Now if something crashes my firewall, the HIPS isn't affected and will restart the firewall. If the HIPS crashes, another app I use will see it and restart it as well.

    I'm not familiar with Comodo so I can't advise you on how to configure it as Windows_Security describes. I do have a couple of additional thoughts on the matter. You might want to obtain the IP addresses of any financial institutions you deal with and make specific entries for them in your hosts file. Windows checks there before using DNS. Having the hosts file resolve the DNS for more sensitive sites will mitigate many DNS attacks, including MITM attacks of the DNS system.
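    The hosts-file pinning just described, together with the certificate pinning from post #3 and the read-only certificate store from post #7, both come down to the same check: does the address and the certificate the browser actually gets match what was recorded on a known-good day? The script below is an added example, not code from this thread or from any product it mentions. It parses hosts-file text, compares the resolver's answer against the pinned IP, and compares the SHA-256 fingerprint of the presented leaf certificate against a pin; the hostname `bank.example`, the addresses and the certificate bytes are constructed placeholders, and the fingerprint pin is assumed to have been recorded out of band on a clean connection. One caveat a practitioner should keep in mind: sites whose addresses change, or that sit behind a CDN, will trip the IP check without any attack, so a mismatch is a prompt to investigate, not proof of a MITM.

```python
"""Pinned-IP and pinned-certificate audit for a 'static' banking host.

Added example, not code from the thread or from any product it mentions.
The hostname, addresses and certificate bytes are constructed placeholders.
"""
import hashlib
import socket
import ssl
from typing import Dict, List


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in hosts-file text to its pinned IP.

    Comment (#) and blank lines are skipped; a line holds one IP followed by
    one or more names, which is the format both Windows and Unix hosts files use.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pins[name.lower()] = ip
    return pins


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex without colons."""
    return hashlib.sha256(der).hexdigest()


def certificate_matches(der: bytes, pinned_fp: str) -> bool:
    """Accept pins written either as plain hex or as colon-separated hex."""
    return cert_fingerprint(der) == pinned_fp.replace(":", "").lower()


def audit(hostname: str, hosts_text: str, pinned_fp: str,
          resolved_ip: str, leaf_der: bytes) -> List[str]:
    """Return findings; an empty list means both the IP and the cert matched.

    resolved_ip is whatever the system resolver returned and leaf_der is the
    certificate the server actually presented; both are passed in so the
    decision logic can be exercised without network access.
    """
    findings: List[str] = []
    expected_ip = parse_hosts(hosts_text).get(hostname.lower())
    if expected_ip is None:
        findings.append(f"{hostname}: no hosts-file pin, answer came from DNS")
    elif expected_ip != resolved_ip:
        findings.append(f"{hostname}: resolved to {resolved_ip}, pinned {expected_ip}")
    if not certificate_matches(leaf_der, pinned_fp):
        findings.append(f"{hostname}: certificate {cert_fingerprint(leaf_der)[:16]}... "
                        "does not match the pinned fingerprint")
    return findings


def fetch_leaf_cert(hostname: str, ip: str, port: int = 443) -> bytes:
    """TLS-connect to the pinned IP (not a DNS answer) and return the DER leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample data (placeholders, not a real bank or certificate).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1      localhost
203.0.113.10   bank.example   www.bank.example   # pinned banking site
"""
SAMPLE_DER = b"constructed-DER-bytes-standing-in-for-a-real-leaf-certificate"
SAMPLE_FP = cert_fingerprint(SAMPLE_DER)  # the value recorded on a known-clean day


if __name__ == "__main__":
    # Live use: read the real hosts file, resolve, connect to the pinned IP, compare.
    host = "bank.example"  # placeholder hostname
    hosts_path = r"C:\Windows\System32\drivers\etc\hosts"  # /etc/hosts on Unix
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_text = fh.read()
    resolved = socket.gethostbyname(host)  # consults the hosts file before DNS
    pinned_ip = parse_hosts(hosts_text).get(host, resolved)
    der = fetch_leaf_cert(host, pinned_ip)
    for finding in audit(host, hosts_text, SAMPLE_FP, resolved, der) or ["all pins match"]:
        print(finding)
```

    Run it once on a day you trust to record the fingerprint, then keep the recorded value somewhere the browser profile cannot write to; the script connects to the pinned address directly so that a poisoned DNS answer shows up as a finding rather than silently steering the TLS handshake elsewhere.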
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yeah, separation of certain functions is better, I agree. :)

    It really bugs me that I haven't been able to find a behavior blocker (and firewall) on Win 8 that I really like. I would love to see something like Neoava Guard for Win 8, of course with more features. I'm still impressed with the design of the HIPS (see link).

    http://archive.cert.uni-stuttgart.de/bugtraq/2006/01/msg00139.html
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    The program is beautiful, I remember those days :)
    Neoava Guard and CoreForce
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    @ jmonge,

    Yes indeed, if he would have developed it further, it would have been almost perfect. :)

    Btw, about your post (#27), I've never believed in so called "smart HIPS", HIPS isn't meant for "average Joe" anyway, know what I mean? On the other hand, nowadays HIPS try to act smart by not alerting about signed apps, and by auto sandboxing apps. It's interesting but can also cause problems.

    One final thing that I would like to mention about Comodo: it's asking questions (alerts) about stuff that not even a Windows OS expert would know how to answer, stuff like adding COM objects, does it even make sense to monitor this? :D
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    exactly
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Yes, especially if Internet Explorer is allowed to run. They're a form of interprocess communication that can be remotely exploited.
    Some background on Component Object Model
    Older, but useful for information purposes. https://www.grc.com/freeware/dcom.htm
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Great idea! I did as you suggested.
     
  18. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    575
    Location:
    The Outer Limits
    My fantasy app would be a combination of DriveSentry and Sandboxie/GesWall.

    I know you get these features in Comodo but for some reason I just don't like it. Having said that, I have it installed on my son's pc with no problems so far, which means it's a very good product.

    Do all HIPS cover the same sectors, and have there ever been tests to determine the various merits of each one, apart from firewall tests?
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    IS Drivesentry ALIVE?
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I used DriveSentry with GesWall: a good combination, even if not too light; anyway, it didn't give the complete (or almost complete) control that a HIPS can give.

    For jmonge: no, as far as I know.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes I know, but what I meant was, that if something is too difficult to make a decision about, it's best not to alert about it. Normally, adding COM objects can only do damage if combined with other system modifications.
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Nope.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Honestly, can anyone tell me what was so good about DriveSentry? I hated the app. :D
     
  24. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I believe that nobody would say that it was a top security program, but it was a good combination of advanced anti-exe features and AV.
     
    Last edited: May 19, 2014
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks
     