How to protect privacy when using "community" apps?

In answer to Stem's question, my reply is a loud "NO!"

Instead, when granting a trusted application internet access, I want to learn how to configure my firewall, behavior blocker, etc, so that I am able to apply at least SOME limitations as to what that application is allowed to do -- just in case that application suddenly becomes a candidate for addition to a list of suspected BAD apps such as the list at THIS link.

For instance, I THINK I have found a way whereby System Safety Monitor can prohibit Cyberhawk from listening for key presses. As of now, I trust the CH folks (Novatix), and I understand their explanation of WHY CH "listens" for key presses. Even so, I prefer NOT to authorize this ability even though I do trust CH & want to participate in their "community."

In my opinion, a powerful behavior blocker (such as SSM or ProSecurity) offers potential for being able to at least partially limit the ability of *trusted apps* -- should they become untrustworthy for reasons unknown to their users.

I just need to learn more about HOW to configure SSM so as to move toward attaining this objective. Learning "how better to protect" was my goal in initiating this thread. I am very grateful to those who have offered helpful comments thus far, and certainly hope that there will be more of the same in days to come.

 

It still seems a matter of trust here.

 

Well if you don't want to discard this question, how about worrying that your firewall you use is bought out by another vendor and starts doing evil stuff? Heck that even occurs without any buying out. Didn't people accuse ZA of doing so? Why aren't you worrying about that?

What's the solution here, run 2 firewalls , to watch each other?

Or given that this is the firewall forum are you saying that you should trust only your personal firewall, but it is okay to run other security components you don't trust?

BTW if the product is bought over by a vendor I don't trust, I will simply uninstall it! Assuming I'm not aware that it was bought over, my firewall isn't going to make a difference.

 

Bell,

Don't you think there is something absurd about using a behavior blocker to block another behavior blocker? Not to mention not everyone runs multiple security programs of the same class! Next you would be considering running 2 AVs at the same time, so one doesn't suddenly go bad and sneak in malware.

And what if those powerful behavior blockers go bad? Do you use some other behavior blocker to restrict them?

I personally think this is the way to madness and insanity (not to mention likely system conflicts).

I presume that if some security product goes bad, you will uninstall it.

You are worried about the possibility it does harm before you realise that it is now effectively malware right?

Personally I think iwhen that happens you are dead. For most security apps, you are effectively rootkited by the security software already, and even if you are running multiple security programs, you are likely to have given that security turned malware a lot of permissions for it to run effectively.

And even if it does query you about some new action, I think it is 50-50 whether you will block it, because you might assume it's just a new feature added, unless you really don't trust it. But maybe you are more paranoid than me.

Okay, this is insane, why not simply ask cyberhawk for the ability to turn that feature off? (Also how much have your crippled CH by blocking it!) And if they don't, just don't use it!

What happens if Cyberhawk changes so that it is no longer blocked by SSM? Can you tell when that happens? I can't and I bet 99% of people here can't. And if you do realise that this has happened, are you going to go to SSM and tell them to change so they can block CH alone?

Getting involved in an arms race against malware is one thing, but doing so against your own security software takes the cake!

 

The question could arrise to any security product, even firewalls.

I have shown my concerns over ZA in other posts,

I personally will not use any firewall that gives it own applications access to the internet with hard_coded rules. I think a firewall should give the user full control over every internet access attempt made by any/all applications on the users PC.
When ever I see a post concerning a new firewall, I will install that firewall and monitor all comms made, to look for any unauthorized internet access.

Not at all,..

I personally would do the same.

 

Hi,

There's something paradoxical in an "HIPS countermeasures".
If someone buy a dog to guard his house, he will certainly not buy another bigger dog to guard the first dog!

But in all cases, i'm not agree with the Devil's Advocate affirmation: "personally, when i install and keep an HIPS or someother security program on my system, i will trust it fully".

I doubt that the majority of users are able to make a deep forensic analysis of the software, neither a simple sniffer analysis.
Systems and sofwares can be trusted...since their designers are trusted.
Unfortunately, we can't be sure in advance that human (and organizations) are trusted.

A simple example of HIPS: http://www.systembodyguard.com/
This product seems great...until the user discovers the business model: Marketing and adware!
And there is many examples that could be mentioned: a cd is trusted, and how many users infected by the sony rootkit; the same for video games, printers, keyboards, OS (Windows) etc.
Since the user take care of his privacy and data, or the corporate of its patents, it's higly recomended to avoid client/server and intrusive security solutions: an example with TrvSecurity Suite (based on Trend solutions):
http://www.trvprotect.com/
Here again they claim (Privacy menu) that they don't collect personal data; but how a normal and unknowledgeable user can verify it?

Security is a process, and more you control this process, more you're able to protect data and privacy.

That's true that some HIPS are intrusive (Cyberw. ,PrevX, BufferZone in a minor way), and as sugested by some people: just avoid these sofwares if there is any doubt.

So Bellgamin, there's many possible answers to your 2 questions.

1. File permission can be used: http://support.microsoft.com/kb/308418
The security tab is not available by default in XP, but it takes 5 minutes to add it.
Some command line can also be used like "CACLS" for instance.
Another idea is to limit the privileges of firewall.exe (like SeDebugPrivileges etc), but that could make the program less efficient.
If you wish a more easy to use solution, you can try SafeSystem: http://www.gemiscorp.com/

But perhaps the most interesting solution is to use HIPS like Viguard or Parador File protection (http://www.e-securion.com/ ) which provide configuration options about what file is allowed to be used by file A or B.

2. A secure way to protect his privacy is to use SSL VPN (free solutions are available), but this is perhaps not useful for home users.
For data protection, it's more simple:an external and encrypted hard drive, protected or not by biometric authentication access, is a good solution.
Data can also be stored and encrypted on the local hard drive: many free solutions exist.
There is an interesting and effective solution (but paid) provided by a french start up which encrypt data on the fly: http://www.primx.eu/en/

I guess that it's more easy to find the best hot spot of Hawai than the ideal security soltion

regards

 

@Kareldjag -- Thanks for the excellent suggestions. I am particularly impressed by SafeSystem -- a potentially excellent security tool for under $20! I also did a cut&paste of the M$ article you linked.

Comments in General directed at no one in particular -- The idea of "you just gotta trust them" isn't a solution, in my opinion. It is, instead, giving in.

Extract from a speech that Sir Winston Churchill gave 29 October 1941 to the boys at Harrow School --

Or, as Uncle Tennessee Ernie Ford once said...

I don't think it absurd to use one security app to keep a wary eye on another security app. Every large Police Department has an Internal Affairs Branch -- policemen watching policemen.

I believe that simple precautions CAN AND SHOULD be put in place in case a *trusted* application suddenly and secretly develops nasty habits. There have been some good suggested solutions made thus far. In my opinion "trust all & hope for the best" is NOT a solution. Indeed it might be a significant part of the problem.

 

Actually there is a saying that youi keep a little dog to wake the big dog up. More than a saying - it is a fact.

 

Hello bellgamin,

I went on the site from SafeSystem. That Software looks interesting for sure. Have you tried it yourself already? If so, what is your first impression?

 

Also, as a similar tool, has anyone tried DriveSentry?

http://www.drivesentry.com/features.htm

 

I might try it next week. The granddaughter is spending a couple of days here & wants to play computer games.

Oi vey! That Drive Sentry also looks excellent. There's a free version (slightly crippled) and a $29 version with a 60-day trial. So many possibilities. So little time.

 

Only the granddaughter wants to play computer game.

Let us know how you find Safe System.

 

This is just for "write" permissions.(If a program is allowed to write (and where) to disk)

"SafeSystem" gives more protection including the ability to block the reading of files/folders, but on a quick look I could not see the ability to allow certain programs permission to access, it is protect from all or none.

 

I had a close second look at SafeSecure's website -- especially the screenshots -- and everything I saw indicated that Stem is correct. Even so, I sent SafeSystem's proponent a support message asking about this matter.

I wonder if s/he will answer. I certainly hope so.

 

IMO Folder Guard is the best at this

 

One major problem with trying to use security software A to restrict security software B - both will implement their security measures via hooks (usermode or kernel), drivers and/or services. If you allow a product to install a driver or access physical memory, it can pretty much do anything including disabling other security software.

So if you distrust security software B, you cannot expect to be able to reliably restrict it with A. You may be able to, but if B has privileged access, it will always be possible for it to work around restrictions imposed by either Windows or other software.

 

OK, the answer is no.
So what can we do to protect our pivacy?

Wouldn't the answer in post #18 help:
https://www.wilderssecurity.com/showpost.php?p=879234&postcount=18

Encrypt your personal data.
Set access rights.
Anything else?

 

Yes, exactly.

But what if we don't distrust to such a degree, rather we trust it not to do the clearly malicious activities, but it may do something to compromise our privacy. In this case, what can we do to protect our privacy?

I think that's the gist of this thread.

 

Hello,

The answers I can suggest:

1a. Change read / write / execute rights for the application you don't want to see your personal data, although this might be tricky in Windows, especially under Admin account. Might work with Limited. Could complicate scans and such. Works in Linux.

1b. Place your data on a separate drive - usually these programs scan the system drive.

1c. Don't use programs that you distrust.

2. You cannot ever be sure that a program, installed on your machine, especially if it runs as a service, will or will not read / write / execute files or folders anywhere on your machine, encrypted or not.

To sum it up:

Don't use such programs.

Mrk

 

As stated in my previous post, there isn't much you can do other than avoiding storing personal data in the first place. You cannot reliably use one security program to limit the activities of another.

 

A) I have SystemSafetyMonitor ACTUALLY doing the following as of right now...

1) It restricts Antivir-Free from being able to pop-up its nag screen every time I update. It also prohibits Antivir-Free from activating AVGuard.

2) It protects all my security applications from termination.

3) It prohibits Cyberhawk from doing a programmed-in function of listening for key presses.

B) Further, I use yet another program to encrypt & render invisible certain folders.

@Paranoid-
Q1- Are you saying that the above configs are futile? If so, why are they working? (At least, I THINK they're working.)

Q2- Or are you merely saying that one of my security programs could *rebel* against being controlled by SSM & thereby break loose? Or.... what?

 

The second - SSM may certainly be working as you expect with your current configuration but if, say, Cyberhawk's developer decided to gain access to keypresses regardless of SSM, he could do so in a number of ways - unloading SSM's driver, clearing the hooks it sets in Windows (though it would probably be easier to clear all hooks as SDTRestore does) or even replacing the existing keyboard driver (i8402prt.sys on my system) with a custom variant.

"Normal" applications trying this would need to install a driver, gain access to physical memory, have admin access, etc but an installed security application would almost surely have all this.

Now it is highly unlikely that a legitimate developer would go down this road (considering the PR fallout that could result) but given the number of rogue "anti-spyware" applications we've seen in the past, it would be unwise to discount such a possibility in future - and it would be the easiest method to bypass any existing security mechanisms ("Yea, our SystemScrewer Protection needs to install a driver to protect ya - don't worry about Norton disappearing, we just hid it to avoid botherin' ya with silly popups...").

 

Sounds reasonable to me.

Ulp... anything that makes Norton disappear can't be all bad, can it?

But seriously -- thanks Paranoid. I pretty much understand & totally accept your comments. Shalom

 

One question:
Even if that security is as evil as described above, it is still not possible to read my encrypted folders/files. The only way it can read is when I try to decrypt them, right?

 

Assuming the encryption is properly done yes - but a rogue security application could monitor the memory of any encryption software used and have a good chance of being able to extract the plaintext during any decryption operation. So there are still no guarantees...