How would you get infected?

In a hypothetical situation, where you've ~ Snipped as per TOS ~ off a hacker, how do you see them getting in, if at all?

 

Front door with his Axe, just hacking away until he clears his path.

 

A hacker could study my web browsing habits and infect one of the websites I usually visit. It is highly unlikely that he may infect me that way, but it is the best bet because it's really hard to avoid visiting your own favourite sites. I never fall for any email deception and I don't put unknown USB flash or DVDs in my computer, and there is no open ports to the outside of my network, so the method I described seems to have at least some (slim) chance.

 

There are three ways someone gains access to your data: physical access, remote access, and surveillance/word of mouth. Are you looking for detailed strategy of how they would go about doing this (hypothetically speaking)?


How would someone access my mobile phone or tablet?
They would either have to pick-pocket me, access it while I'm indisposed (taking a shower or sleeping or out of the room), or they would have to remotely access it when I'm forced to turn on at least one or more of the radios and remove it from the metal ammunition can that I use for transport and storage. That means anything from: spoof networks, phishing sites, etc.

How would someone access my desktop or laptop?
They would either have to break into my home and safe room. Think panic room/Faraday cage with a James bond Theme. That would give them a chance to run a forensic analysis of my equipment/devices. I store all data on encrypted portable drives. Per the James Bond theme, I thought it would be amusing to house drives with fake data as well. These drives are stored within a safe. I'm not going to discuss the location nor any of the other preventative measures in place. Hypothetically speaking, let's just say this hacker would have to be pretty determined and prepared to go through a lot. But I do not discount that physical access is still possible. As for remote access to my desktop or laptop; it is possible someone could go after another device on our wireless network. I've done everything I can to mitigate the risk by disabling filing sharing and remote access services. My firewall and network skills are not completely amateur, but they are hardly worthy of a hacker's effort. I guess someone could remotely access my computer internally. As with the cell phone, It wouldn't be hard for someone to maybe attack from the internet, but I'm hoping Sandboxie and Defense + would catch anything sent my way.

How might data leak otherwise?
I'd imagine that throughout the day there are plenty of opportunities for someone to capture me on surveillance, to listen in on conversations, etc. Indirect access through websites, schools, and businesses. Problem is my name is popular, but its still a possibility. Most of the businesses were proprietary and closed shop before/during/after the recession. This leaves other institutions that I have no choice in revealing data. Schools, DMV, etc. Nothing I can do here, except hope they aren't vulnerable. Essentially they could gain access to information that would otherwise be a headache to get, but they would have to go about doing this for months and maybe years to get most of it. It might just be easier to break into my home and steal everything. Truth serum if it exists could work for easy data, but it would suck since I can not possibly remember every password I use. They are just too long and complex.

 

I can think of many possible avenues.

1. Social engineering. Binaries wouldn't work, but maybe someone could underhandedly code a malicious application, and see to it that I knew where to get the sources. I download the sources, compile, run it --> bam, compromised.

("Hey, I'm working on this new window manager with cool features, want to try it?")

2. Browser (or plugin) exploit. I use Noscript on Firefox and Scriptsafe on Chrome, and keep my system quite up to date, so this might not be so easy. Best way to do it would, again, be social engineering: instead of trying to hammer through Scriptsafe and the Chrome sandbox, find something that interests me enough that I would allow an embedded plugin or JS on a site I'd never been to before.

("Javascript is disabled in your browser. You must enable Javascript to submit your resume.")

3. Infected file. Linux PDF readers suck, but their lack of features may be a blessing in terms of attack service. Media players (VLC especially) might be more promising there, but I don't pirate stuff, and usually don't download audio/video content off unknown sites. I could see ways of getting me to do the latter though.

("Click here to download my ironic presentation on Linux desktop security!")

4. Infected peripheral. This could be very difficult to prevent. I don't allow autoruns from USB sticks, format new ones before use, and try not to plug in anything I don't trust. There are lower-level ways of compromising a machine using peripherals, but on x86 they're both unlikely and impossible to defend against - so not (yet) worth worrying about. Social engineering might again be helpful to the attacker...

("For sale: USB stick, 8 GB. May have some scratches.")

5. Go for the weakest link. I have a Windows 2000 machine on my network; any of the above could be used against that machine, followed by setting up a packet sniffer. Caution is the name of the game on Win2k, and my network topology should make packet sniffing difficult, but it might be workable nonetheless.

6. Router pwnage. I've ditched my old D-Link router in favor of an old laptop running IPFire; the system is pretty minimal, and wifi is entirely disabled, but a network attack against it might work. If I were more paranoid I would probably use something with better memory protection (maybe OpenBSD?).

...

That's all the reasonable ones I can think of for now. I don't rate any of them as very likely, but I think the social engineering ones are far more likely than e.g. network attacks. Automated stuff isn't on my radar at all, really, except for broadly targetted social engineering.

(But I can think of interesting possibilities for the latter. How about a malformed window manager theme, that tricks your WM into running arbitrary code? I bet a lot of Linux users would fall for that. )

Edit: another possibility for browser exploits is hacking a trusted site, and putting the exploit code on the hacked domain instead of in an iframe or something. This would be a lot of effort to go to, and it would probably have to rely on a JS or HTML renderer exploit (I am serious about click-to-play and plugin whitelisting). It would be hard to defend against, but I consider it highly unlikely.

Edit 2: BTW I'm assuming here that the attacker wants control of my computer(s), for purposes of identity theft, spam/botnet hijinks, or hosting illegal content. None of this needs root if done "properly."

Edit 3: image rendering vulnerabilities in PNG or JPEG libraries might offer a way in through the browser, as well as social engineering opportunities.

 

I see any and all breaches of my security in a simple manner.

1. I fall for a "trick" of some kind. Call it social engineering, or things bundled into installers or whatever. I "unwittingly" do something.

2. I visit a site and download a binary I think is safe. I execute it. My fault.

3. I am nothing more than a %. Meaning, I "happened" to be port scanned by a bot-net or hacker/cracker, and my defenses did not hold.

I don't believe in being targeted myself. Not that it doesn't happen, just that I don't see why I would be a target. There is nothing to gain. That is why I say #3 would be a % - a chance occurence. I am sure some people are targeted, but that would require motive I think.

Hijacked websites could also pose a threat. However, if I am going places I don't frequent or aren't of a more "academic or educational" nature, then I use Sandboxie. As of now, I have never had sandboxie fail me, so until it does, I won't worry about website threats.

Finally there is the off-chance that a blaster type attack takes place against unpatched machines (like mine). In this case, again, I don't have anything to lose other than the inconvenience of putting an image back on my system.

Sul.

EDIT: After years of scrutinizing my own security, I am pretty relaxed about it all now. The time I spend "repairing" a problem is going to be only a fraction of the time I might spend "preparing" for a problem that never develops anyway.

 

I agree.

1. Especially at Wilders, new software for testing is often recommended but how do we really know these programs are safe? I used to automatically think a software recommended on a security oriented forum should be safe but really, there's no way to know. Nevertheless, I think many of us are inclined to check out the "The latest (and previously unknown) and baddest anti-rootkit, try it out!" if there are many users who recommend it. I try not to "fall for it" (even if the author and software are benign).

2. Downloaded files by user/me - pretty much, this is what I fear most. How can I be certain that a renowned download site has not been tampered with, even if there is a valid self-signed signature etc.

 

If the cracker (proper term) has located your ipaddress, and even if you have very strong hardware router security, that is not enough to prevent a determined cracker from crafting a specially (partial) formed packet attack to gain entrance to your system.

-- Tom

 

Either through physical access or my own screwup, otherwise I don't foresee it happening.

 

You can think of no situation in which an attacker could break into your system outside of physical access/ social engineering?

I'm less interested in "I was tricked into running a binary", unless you have a specific system for dealing with social engineering.

More interested in a remote attacker who wants access to your system. Potentially root access.

 

Well, there's always CIPAV, which is not really detectable unless LEA doesn't tweak it every now and again. It doesn't need physical access, nor does it need to trick anyone to enter a system. You just need a hole, any hole in the system. Through legal means, you can get a warrant for an account belonging to the target, hook into it, exploit the hole and you're good to go. Hackers will just of course do it without the warrant. You can't rely on patching holes for such things, because the moment you've patched 1 hole, someone out there has already found 2 more.

 

I'm having a heck of a time infecting my setups deliberately visiting malicious links, so it's difficult to imagine any remote methods that could work just by stumbling upon them.

 

When you do this, are you using a setup per your signature?

 

True but you can defend yourself against these zero days. EMET springs to mind. Also combined with a hardened environment using LUA, UAC, SRP etc, gaining root access from remote isn't going to be that easy.

 

I would say then that you should try to think about methods that in-the-wild malware does not typically make use of.

 

As always the best practise and the higher chances goes to SOCIAL ENGINEERING
or

http://en.wikipedia.org/wiki/Trojan_Horse

 

HM: discounting social engineering, I would say in the following order:
1. Infected data files (most likely PDFs or documents, though as I mentioned earlier, WM themes would also work)
2. Network attacks against my router
3. Direct browser exploits

Infected data files would be the easiest by far, and have been used against Linux before (though not really to great effect AFAIK).

 

Agreed. Again it should be realized that in the wild malware is there for the quick and easy kills. LEA, government sponsored attackers and hackers with serious skills aren't going to rely on the "dumb bombs".

@New2security: EMET doesn't protect a whole hell of a lot that isn't already easily bypassed. Don't get me wrong, it'll do a good bit against attacks on "low hanging fruit", but it's not going to stop the "hardcores". Neither will LUA, UAC (UAC prompts get bypassed by the users themselves so often that it's practically useless) or SRP.

These tools are kind of like sandbags in a storm. They'll protect your average user against most of the low-risk waters out there. But they're not going to do jack when some government, LEA or whomever decides to send a Category 4 your way. I'm talking serious ~ Snipped as per TOS ~ here though, so don't take my comments as these tools are completely ridiculous to have. I just think there is too much faith in them and too many people play all day, tweak their setups and feel smug thinking nothing can happen.

 

I disagree about EMET. On XP, yes, I agree. A lot of what EMET does is just supplementing ASLR, or preventing ASLR bypasses. Without ASLR you're just killing legacy attacks.

So on XP, yes, you're correct.

On Windows 8, I can see it legitimately driving up the cost of attack.

 

Mandatory:-http://xkcd.com/538/-

 

Driving up the cost, of course. I completely agree that your run of the mill attacker will see EMET as a roadblock that probably isn't worth trying to run through. However, run of the mill attackers usually rely on "set it and forget it" attacks to begin with, which don't take such measures into consideration. Sponsored attackers don't worry about attack costs. They have the funds, the time, the tools and the patience, and the previously mentioned roadblocks aren't going to withstand that kind of attacker.

Another thing to consider, though it's not directly security related, is that XP is still in wide use at the very best for the next year. Windows 7 has years left to go and is in even more widespread use. Windows 8, for all its beefing up of security is still very low in usage and just barely climbing. Hackers don't even really have to worry about that OS, it isn't worth their time (yet) to try and throw everything they can at it. And, by the time it is, they'll have already done the homework before they start cooking anything up.

But, let's switch gears a moment and back off of the possible ways to break through security setups. How about we just piggyback the ISP itself and hook our claws into the network? When the source of the attack/monitoring is from the very people your connection is through, it won't matter whether you have EMET, SRP, Comodo, whomever "protecting" you. If it's done right, you're never going to know anyone is there.

I'm not trying to discredit anyone and their opinion, nor any security software. But there is just too much to consider to be able to correctly say doing such and such or not doing such and such will protect you in all cases, at all times.

 

Well, EMET could force an attacker to have to find a large information leak. If it gets ASLR working properly, they'll have to rely on one anyways. But with the other techniques like AntiROP it might make things more difficult, it might require a new vuln to make it more reliable.

Well an ISP can sniff traffic, but the most they can do to compromise a system is redirect you to a page that hosts an exploit.

I agree though with your last statement. I just think EMET will do more than just prevent legacy attacks (like on XP) on a system like 8, where it's reinforcing ASLR.

 

But you don't need an exploit if you're monitoring from ISP level. You're already in the system. Why risk your exploit being found when you can just sit back and let the data get logged (talking government tools here, I know that's wandering slightly off topic but it's still a possible entry point)?

Exploits aren't the end all, be all of compromising systems. I don't want to get too deeply into major, sponsored attacks though, I'm just throwing some realistic scenarios out there. It's obvious you don't need to really "break in" to log keystrokes and data. Heck, forget sponsored attacks, the scene I laid out earlier with CIPAV is enough, provided it stays undetected, which it likely would. You can do a lot with data, and usually it's far easier to attack/monitor the services a target uses than get your hands messy with exploits to their personal system.

 

Hard to say, not impossible, but Highly unlikely !

Ahh, well that's a better question, & Completely different

As Mman79 was saying, ISP's & Others, have/can/do use All sorts of techniques to MITM etc But unless you're a target, it's not going to happen.

Well i say, not going to happen, but due to the USA's, at least, Fat Pipes etc being Directly fed in Real Time to NSA's etc Data Centres, Hello UTAH & them being able to Read/Copy/Store/Analyise emails & other data, almost anyone "could" be on their Hard Drives etc ! That doesn't mean we should expect a knock at the door etc anytime soon though

 

The most straightforward method would be to discretely break into my apartment or workplace and attach a hardware keylogger to my computer, then pick it up after a few days and hopefully have a bunch of my log-in data captured. It's not like I examine my computer for keylogger dongles every day.