Interesting Conversation with a Hacker

Discussion in 'other anti-virus software' started by Nevis, May 22, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Sandboxes. Not coding exploits lol

    It is running. It's just running within your hacked program.

    Processes can communicate with any process of the same or lower integrity. In XP they can actually communicate with processes of higher integrity, but that was patched (sorta.)

    Yes, they would have to bypass mitigations in EMET.
     
  2. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Still, I affirm that true whitelist-based security mechanisms such as Anti-Executables, Software Restriction Policies, AppLocker, and even Parental Controls used for application whitelisting, offer as close to 100% protection as you're going to get from ANY security mechanism.

    The catch? Inconvenience. Really only for intermediate to advanced users. And again, it doesn't protect against social engineering. If you elevate and run it, you're responsible for it.
     
  3. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    What does he mean to say when he says:
    "There is no (serious) android or iOS malware yet on the market."
    Are most of the people getting crazy about it for no reason!! o_O

    And I hate when he keeps saying BUY GENUINE WINDOWS OR SWITCH TO LINUX
    :mad: :mad:
    About shopping ... Here in India Flipkart.com Rocks!!! Cash on Delivery for every item you purchase!! :D :D
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    lol I've said this a dozen times before. This was wayyyy more true before but the malware that's been on the market has usually been POC/testing the waters stuff. The only legit malware on the android market has been some pay-per-text apps. Recently this isn't as true.

    Well, I don't think you need genuine Windows (pirated works fine imo) but if security is your priority your operating system is what needs to change. The lower level security is built the better and until we start seeing hardware enforced MAC the kernel is the lowest level.

    So, yes, Linux.

    I think that, as an extra layer, antiexecutable is alright. But it's a pain in the ass to setup and a pain in the ass to maintain. There's heavy user interaction in every situation that counts so it's completely broken for social engineering (and no one is immune to social engineering. If you have EVER installed any 3rd party software you're vulnerable.)

    Stopping malware from executing is fine... except that malware doesn't need to drop payloads as soon as it's infected a process.

    Nowhere near 100% security (which isn't a thing) but not bad if you couple it with other security mechanisms like MAC.
     
  5. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    MAC as in Mandatory Access Control? Isn't that part of UAC? Mandatory Integrity Control or something like that.

    And again, I'm still not seeing this. If I am using a default deny SRP let's say, and a piece of malware that "doesn't need to execute" tries to borrow/infect/inject itself into a process that can do damage system-wide. Well, to interact with that process, it would have to also be a privilege escalating piece of malware because that process would require administrator privileges.

    If it injected itself into something that isn't an administrative process, then I suppose it could run an exe with another application (as you describe) but that wouldn't survive a reboot. That would probably be an example of rogue application - not trying to damage the system, but trying to get your money.

    And no, you are correct, no one is immune to social engineering. I'm not trying to really argue that here, but what I will say is people who use common sense and research applications before they use them are far, FAR less likely to run into an issue in that department than those that don't do so beforehand.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    MAC is mandatory access control, an example being Integrity (MIAC) and UAC is part of that.

    1) You do not require admin privileges to interact with processes. This would make browser plugins impossible.

    2) That's irrelevant. When you visit a website with your browser your browser is interacting with foreign code. That code exploits the browser, the browser is now under control by the hacker.

    It can then move to other processes if it likes, it can communicate/ interact with them, it can interact with the OS and exploit it, etc.

    All of this would take place in memory, not the disk. It's entirely volatile and the user could shut off the computer and get rid of it.

    If they're making use of privilege escalation the attacker has some serious advantages and they can probably bypass most of what you're running because whatever defense you have is running as the same rights as the malware making intercepting it way more difficult and potentially impossible (for any type of syscall filtering you need higher rights, which is why Sandboxie used Drop My Rights until it could gain higher access to the system.)

    So if the only protection is AE the attacker can just sit in RAM and steal what they want during the session or they can probably do plenty of other crap to wind up on the disk.

    It's an ok layer but without some kind of sandbox I don't think it's worth the hassle. Might be decent if it's integrated with a sandbox.
     
  7. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    Actually, thinking of myself as an individual person on the internet, I consider myself a SAFE USER. Because I am just one of those trillions!!! So I challenge the HACKER: Find me if you can!!! :D :D
    I am stating this comment just because I am using COMMON SENSE when I am online!!!
    I have loads of keygens and cracks (especially no-DVD cracks for games) on my PC. And when do I usually get a virus warning? Hardly 3-4 times a year!! So I know how I am using the computer!!! :isay:
    Having said that, I format my PC just once a year, even if it is working well!! :cool:
     
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Well like I said I religiously use sandboxie so if it did exploit my browser it would be exploiting the one in the sandbox, so have fun with that hacker.

    And it sounds like what you are talking about I actually now remember reading about in the past and it is the kind described as "malware that would go away after a reboot with an SRP in place".

    But with UAC and SRP combined it really hardens your system between the Mandatory Access Control combined with no execute.

    I would even go as far to argue that any security setup can use sandboxes. I mean without them, a lot of people are just relying on their antivirus which is FAR worse than the people that rely on SRPs only in my opinion.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There was a case recently where the malicious payload initially stayed in RAM. Some Java exploit.

    I think that detection methods like AV are very important. I think that sandboxes are important. I think that antiexecutable is ok, and if used properly and combined with a sandbox can make things more difficult for a hacker.

    I don't think any of those on their own is great but I would put AE dead last in terms of security provided to the user.
     
  10. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    I am actually learning a lot from the discussion between Hungry Man & STV0726.

    However, after reading about SRP & UAC etc., I have a different doubt.
    Since we are discussing browser vulnerabilities and exploits being able to sneak through processes, master passwords etc.
    So why is Linux supposed to be more secure? Browser vulnerabilities should apply there also.

    I can understand about there being fewer exe trojans etc. for Linux, but what about these browser exploitation problems?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Browser vulnerabilities are definitely in Linux too. Many of the issues that you'll find on Windows you'll find on Linux (universal ASLR bypasses.)

    Linux allows the user to sandbox any program/ process though with absolute highest rights (it's compiled into the kernel.)

    So while your browser can be exploited the hacker is not just trapped as a user but they are trapped within the process.

    There are various ways to limit programs. You have the Linux DAC SUID, Apparmor/SELinux MAC, and Chroots. Between those three you can pretty much decide every detail of what the program can/ can not do.

    Finely grained sandboxes can do more than limit exploits too, they can actually stop them. If the exploit expects access to a specific file or the ability to call another process it will fail.

    Privilege escalation is also harder for programs that make use of the new seccomp sandbox, which limits visible kernel attack surface. Most privilege escalation exploits are through vulnerabilities that have to do with these calls. This is not natively supported on Windows but SYS_CALL will allow it... sorta.
     
  12. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Using AV alone nowadays is like fighting HIV with Panadol.
     
  13. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    Thanks for the explanation :thumb:
     
  14. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    The internet is a human right and he is saying that if you don't have exp you don't have the right to be on the net.

    That's the same as saying "if you are old or weak you don't have the right to walk in the street, you could be mugged".

    I don't know how such people sleep at night.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Your compassion is admirable Ranget, and to an extent I feel the same way. However, perhaps the analogy he was shooting for was more like "if people are too feeble to safely cross the street by themselves, they shouldn't be crossing the street by themselves"? Which is to say, if someone can't comprehend and carry out even the most basic of computing steps, perhaps they shouldn't be operating a computer without taking some lessons, recruiting someone to configure/maintain their computer, stuff like that. If you temper the message in that way, I think there might be something to it.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think that's more appropriate. But I think that it shouldn't be users working to use computers, it should be computers working to be more usable by people.
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    :thumb: :thumb: :thumb:

    Like I have said before, a strong firewall in the hands of an experienced user will keep all the rubbish out (or in, rather).
     
  18. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Why you don't need a firewall by security professional Roger Grimes. :D
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Please, no self-evolving computers during my lifetime! Seriously though, you do make me question something... is there any reason why the niche can't be filled by primitive, resilient Internet appliances? I know quite a few people who would be well served by nothing more than a device that allows them to browse the web. The device wouldn't even need persistent storage, external ports, or for that matter an anti-malware subscription assuming it was robustly designed and configured in the first place. I think there is an economic disincentive to produce such devices (hardware, software, etc. manufacturers want people to buy more than they need and also make room for repetitive improvements aka expenditures). However, I don't think the objective is otherwise unattainable. Is it?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You've just described ChromeOS.
     
  21. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Most people/experts I know would definitely disagree with you there, as I've already said.

    Most experts I'm aware of consider true whitelisting approaches such as true HIPS, sandboxing, policy restriction and anti-execution to be the best security mechanisms available...and some use the 99.99% claim, though that is a bit of a hyperbole. Of course, the pitfall/drawback is intermediate to advanced knowledge required.

    -------------

    In reply to firewalls:

    A firewall is more imperative than the antivirus or even the OS. A solid hardware firewall paired with a software firewall such as Windows Firewall is ideal and one of the most if not THE MOST important first layers of security.

    That guy is an idiot unless you've quoted him out of context OR maybe he's talking about OUTbound firewalls which is a different story altogether...
     
    Last edited: May 23, 2012
  22. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    The website is down for the moment, but I suggest you read it later, and no he is not an idiot, lol.
     
  23. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    If he's not an idiot, he's talking about 2-way firewalls (outbound). If he IS an idiot, he's coming up with some flawed, controversial logic on why he feels comfortable without a firewall. There is no in between; one or the other is true.

    I don't need a firewall...
    I don't need to lock my doors at night...
    I don't need an immune system to fight viruses...

    EDIT: I really thought you were joking. If that is a serious quote that has to be the worst piece of advice ever shared on Wilders.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wouldn't lump AE in with those.

    Although HIPS doesn't mean anything. It's simply host intrusion prevention. You can consider a sandbox a HIPS, a firewall a HIPS, IPS etc. It doesn't mean anything in this context.

    I've already said I consider Sandbox (which is policy restriction btw) to be the best way to deal with exploits.

    I don't care too much about your security expert friends, no offense. I know security researchers who agree with me, hackers who are indifferent, and at least one pen tester who flat out disagrees with me (as Brandi Candi can attest to.) My opinions are pretty much my own and they aren't entirely unfounded. I think I'm arrogant enough for it to show.

    Frankly, I don't even think saying 99.99% security is hyperbole when we look at the current threat landscape for users. EMET and Sandboxie are enough to stop 99.99% of what's out there. Hell, most payloads don't expect an AE or outbound firewall so both of those will stop it too. That's nice but what if attackers suddenly decided to create malware that was directed towards those users? In the case of EMET there's a significantly higher cost of exploit. In the case of Sandboxie there's also a higher cost of exploit. Outbound firewall, yeah, sure, there's probably one there though I think there are a few really cool spoofing attacks to bypass NAT and outbound firewalls. AE? Doesn't really drive up the cost too much. Instead of going directly to the disk the malware sits in RAM for a bit.

    It's like... DEP doesn't drive up exploit costs on its own. Yeah, you need to do some ROP to get around it but that isn't such a big deal and is quite common now. But DEP + ASLR actually does make things more difficult. So I can see an AE kinda playing the role of DEP and a sandbox playing the role of ASLR.

    But if those programs were really securing your computer it wouldn't matter whether or not hackers targeted you, the cost of exploit would still be higher. Instead an AE (at least on its own) doesn't raise the bar it just makes you part of a group that isn't targeted.

    He's assuming you're behind NAT I think.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You don't need a firewall btw. Ubuntu doesn't come with one. All ports are disabled by default.
     
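    The post above rests on a premise worth checking rather than trusting: that nothing is listening. As an added example (not from the thread), the C below reads the kernel's /proc/net/tcp table and reports sockets in state 0A (LISTEN), the same information `ss -tln` shows, flagging those bound to 0.0.0.0 because a wildcard listener is exactly what "all ports disabled" must rule out. The sample table is constructed for the demo and scan_proc_net_tcp() reads the live file; the address decoding assumes the little-endian host byte order the kernel uses for this file on x86 and ARM. IPv6 listeners live in /proc/net/tcp6 with 32-hex-digit addresses and are not decoded here.

```c
/* Added example: list IPv4 TCP listeners from /proc/net/tcp without
 * trusting "nothing is open". Constructed sample plus live scan. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TCP_LISTEN 0x0A
#define MAX_LISTENERS 64

struct listener {
    char ip[16];
    unsigned port;
    unsigned uid;      /* owner of the socket, useful for "who opened this" */
    int wildcard;      /* bound to 0.0.0.0, reachable on every interface */
};

/* The kernel prints IPv4 addresses as 8 hex digits in host byte order, so
 * 0100007F is 127.0.0.1 on a little-endian machine (assumed here). */
static void decode_ipv4(const char *hex, char *out, size_t outlen)
{
    unsigned long v = strtoul(hex, NULL, 16);
    snprintf(out, outlen, "%lu.%lu.%lu.%lu",
             v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, (v >> 24) & 0xff);
}

/* Parse /proc/net/tcp text; store LISTEN sockets in out[]; return count.
 * Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid ... */
static int parse_listeners(const char *text, struct listener *out, int cap)
{
    int count = 0;
    const char *line = text;
    while (*line && count < cap) {
        char lhex[9], rhex[9];
        unsigned lport, rport, state, uid;
        int sl;
        const char *nl = strchr(line, '\n');
        int got = sscanf(line,
                         " %d: %8[0-9A-Fa-f]:%4x %8[0-9A-Fa-f]:%4x %2x"
                         " %*8[0-9A-Fa-f]:%*8[0-9A-Fa-f] %*2x:%*8[0-9A-Fa-f]"
                         " %*8[0-9A-Fa-f] %u",
                         &sl, lhex, &lport, rhex, &rport, &state, &uid);
        if (got == 7 && state == TCP_LISTEN) {   /* header line fails at %d */
            struct listener *l = &out[count++];
            decode_ipv4(lhex, l->ip, sizeof l->ip);
            l->port = lport;
            l->uid = uid;
            l->wildcard = strcmp(l->ip, "0.0.0.0") == 0;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

static int count_listeners(const char *text)
{
    struct listener l[MAX_LISTENERS];
    return parse_listeners(text, l, MAX_LISTENERS);
}

/* Port of the first socket bound to every interface, or -1 if none. */
static int first_wildcard_port(const char *text)
{
    struct listener l[MAX_LISTENERS];
    int n = parse_listeners(text, l, MAX_LISTENERS);
    for (int i = 0; i < n; i++)
        if (l[i].wildcard)
            return (int)l[i].port;
    return -1;
}

/* Live scan; returns -1 if the file is unreadable (e.g. not Linux). The
 * 64 KiB buffer covers a desktop; a busy server may need a bigger one. */
static int scan_proc_net_tcp(struct listener *out, int cap)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/net/tcp", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_listeners(buf, out, cap);
}

/* Constructed sample: CUPS on loopback, sshd on every interface, and one
 * established outbound connection that must not be reported. */
static const char SAMPLE_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20315 1 0000000000000000 100 0 0 10 0\n"
"   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0\n"
"   2: 0F02000A:A3B2 5BB9D1AC:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33002 1 0000000000000000 20 4 30 10 -1\n";

static void print_listeners(const struct listener *l, int n)
{
    for (int i = 0; i < n; i++)
        printf("  %-15s :%-5u uid=%u%s\n", l[i].ip, l[i].port, l[i].uid,
               l[i].wildcard ? "  <- reachable from the network" : "");
}

int main(void)
{
    struct listener l[MAX_LISTENERS];
    int n = parse_listeners(SAMPLE_TCP, l, MAX_LISTENERS);
    printf("sample table: %d listener(s)\n", n);
    print_listeners(l, n);
    n = scan_proc_net_tcp(l, MAX_LISTENERS);
    if (n < 0)
        printf("live table: /proc/net/tcp not readable on this host\n");
    else {
        printf("live table: %d listener(s)\n", n);
        print_listeners(l, n);
    }
    return 0;
}
```

    On the sample the loopback CUPS socket is reported but only sshd on 0.0.0.0:22 is marked reachable, which is the distinction that matters for the "no firewall needed" argument: a listener bound to 127.0.0.1 is not exposed, a wildcard one is, and a host-based firewall is the layer that covers the day a package quietly adds the second kind.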