Scope of security - trick or treat?

Discussion in 'other security issues & news' started by Mrkvonic, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mrk, glad you accepted the challenge, we will all learn from your 1 month experience! Here are the clarifications you asked for:

    OS - you mean Windows, of course? YES, WHAT EVER YOU USE NOW

    Default browsers - am I allowed Firefox? IF YOU USE FF NOW, OTHERWISE NO.
    Default settings on OS - does that include Windows firewall? NO, m$ ADDED THAT AS PART OF RIGHT WING CONSPIRACY, YOU HATE FIREWALL REMEMBER!
    System updates, am I allowed? NO, THEY ARE ALWAYS SECURITY FIXES WHICH ARE NOT NEEDED
    Can I use non-MS software, like OpenOffice? DO YOU USE IT NOW? IF NOT NO TRICKS
    The machine needs to be stand-alone, I presume, no NAT/ICS?, YES, STAND ALONE NAKED FACING THE FULL FORCE OF THE LIBERAL INTERNET, NO routers no hips, nothing, remember you are a liberal in a liberal environment.

    What should I do? Browse? Chat? Porn? DON'T CARE AS LONG AS YOU DO THESE THINGS NOW, JUST USE THE PC AS YOU NORMALLY WOULD.
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Right now I'm posting from a Win 98SE patched machine and:
    -No router
    -No firewall
    -No AV on access, F-Prot DOS on-demand
    -NetBIOS open
    -Basic hardening
    -Maxthon browser
    -Thunderbird
    -SpywareBlaster
    -Superantispyware
    Clean for two years and counting ;)

    Mrkvonic: do you buy online? Do you check your banking accounts online?
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Escalader, I like firewalls - it's one of the few things I actually like. Wherever did you get the idea that I do not like firewalls? I disagree with the whole leaktest fever, though. Firewalling should be just simple control of packets.

    So, again, a clarification:

    Windows XP - how far back (no SP, SP1, SP2). If SP2, then firewall is a default. Which patches am I allowed to use, then?

    I was thinking along this line:
    Windows XP SP2 fully patched with / without Windows firewall. This is the default and most common setting for the majority of systems out there. I will need a few days to set it up and of course inform my ISP that should they get a bot machine, realize it's part of a controlled test.

    And yes, I do use mostly non-MS software in Windows environment.

    BTW, if you read through my posts, you will realize that I claim that you need just a firewall and Firefox / Noscript to cover your security needs. I have written against mindlessly heaping tons of programs onto the system, without really knowing what they do.

    My creed, if it can be called that - and in regard to my questions earlier - how many times this / that ... - makes the use of real-time protection redundant when following simple common-sense rules.

    So I'm willing to test the asked-for setups. BTW, I can already tell you that I have Windows XP machines, fully patched, running only firewall for years. So, that might satisfy you.

    But I'll try to indulge you and try no firewall here, although this goes against my own dogma. Which brings a fairly simple issue: if there are any open ports, applications / services listening on them can be accessed remotely. If these applications / services have a flaw that can be remotely exploited, the machine can be compromised. Which brings the issue of how patched the system should be.

    BTW, my ISP stealths the most common service ports like 135-139 etc, so the test might not be the most fair, by your terms.

    Lucas, yes I do a bit of online shopping and check my bank once in a while.

    Mrk
     
  4. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia

    BlueZannetti

    I would firstly like to mention that while I use an AV like most, I'm not thrilled by their methods. If an Antivirus company were to somehow develop an antivirus product that contained Heuristics detection closely matching its signature detection, then obviously updating frequency would have much less importance. But with top Heuristics detection still missing almost 50% of the time, it's not even close to signature detection and even heuristics need updating. I am going to assume that you are referring to me as one of the 'obsessing' posters. But I will have to completely disagree with that statement because I am simply stating how an AV provides the most protection. It ain't 'Heuristics', that's for sure. I always try to look at things from the worst case scenario or from the high risk/high usage person. Obviously, for someone who spends minimal time surfing, only goes to a few trusted sites, checking a few emails from their mother, etc, it probably wouldn't matter if they used a slow updating Antivirus. Because their usage dictates low risk of infection. Others such as myself are high risk/high usage users who, because of this usage, are more likely to encounter a situation of infection and if a signature has not been added to the database, well I for one don't like the odds of remaining 'Clean'.

    I don't think you or anyone else would use an AV that has a signature detection rate of 53%, would you! I doubt it. If one was to read through the many 'HJT' security forums, and I do every day, there are 2 common themes here. First of all, many of the infected posters are using 'Norton' but obviously, market share has to be considered here. The other is that it's not like Norton is not detecting the 'Trojan', it is, but it's detecting it after the trojan has rooted itself in the system and is causing major issues. Some have to accept blame for improper configuration settings but most have it set right with auto-updating on. So the question remains - 'How the hell did it not get detected and prevented in the first place'. There is only one answer, that is 'At point of contact, there was no signature for this malware in the database'. There is now however, and that's why it's being detected now instead of before.

    So low risk users aside, I just don't see how you or anyone else can say that update frequency should not be considered important. Do you not feel fewer infections would occur if slow updating antiviruses made a concentrated effort to update their databases quicker?

    I'm certainly no expert but based on how antiviruses offer their best protection, i just don't see how it can be seen as not important. With 3 different HIPS programs running and the knowledge to understand it all, then yes, i could see it.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I agree that common sense prevents most infections. But what's common sense?
    -Backup strategy
    -Keep up to date OS and apps.
    -Hardening
    -Strong passwords
    -Use of non-default settings
    -Prefer third-party apps
    -Reject unsolicited and unknown attachments
    -Trust no executable/script

    What happens if you, for whatever reason, fail? Nobody is perfect, one wrong choice and your system is infected or your backup is lost. So, a proper security setup will make most decisions and keep most malware out of your eyes. You only have to make minimal, yet critical, decisions. This is different than making ALL decisions. Enter layered security. An example:
    -NAT/SPI router blocks all unsolicited connections and most problematic ports
    -Personal firewall(with Bluetack lists) only allows limited application access to network and denies communication with known crap/ad sites. Changed, hijacked or unknown apps trying to access the network result in a prompt
    -SiteAdvisor/Scandoo/Link Scanner Lite(I recommend this last one) advises me of bad sites before I reach them
    -AV knocks most malware before they arrive to browser and mail client
    -Firefox with NoScript only permits scripts/cookies from trusted sites.
    -Thunderbird only displays plaintext mails. Links are checked with LinkScanner. Attachments are carefully checked
    -Scripts and DOS executables require my approval to execute(Script Defender)
    -Files sent by friends/parents/etc are scanned with local AV and Jotti/VT
    -HIPS(GeSWall) keeps track of all objects, files created by isolated apps. Also it denies access to confidential folders and prevents changes to registry and system files

    As you can see, I don't have to make all the decisions

    On the other hand, what can you say about:
    -custom/targeted attacks
    -BIOS rootkits
    -privacy concerns
    These three points scare people
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    When you stop to think of the potential impact of generic signatures, the numbers on these tests may be biased somewhat towards the low side, even as a retrospective measure.
    I'm not talking specifically of you or anyone else. I'm speaking of a climate in which truly inconsequential differences in products are hyped as critical performance differentiators.

    The problem with taking a pure worst case scenario of things is that one substantially overstates the real risk by ignoring the frequency of the event. Also keep in mind the specific scenario I was commenting on - one update every day or two vs. "many" (let's say hourly) updates per day.

    That's not a problem if there are no negative unintended consequences (here I'm thinking mainly of layered collections of software that conflict with one another, but it could be product cost). If you make your application choice based on update frequency, set things to maximize that frequency, and go about your business, it's fairly transparent whether your setup updates 20 times a day or once a week. It happens in the background and is irrelevant to you.

    If, on the other hand, you tend to spend hours looking at sites such as Jotti's, reanalyzing the same file dredged up from who knows where, waiting either for your favorite AV to cover it, or noting with glee that the competition has not and is therefore a fundamentally flawed product, extensively commenting on either side of this fence on the online forums, then I'd say that's an unproductive obsession and fairly ridiculous behavior. I've also seen it play out in many locales.
    Of course, that's not what a retrospective test really says, does it?
    I find that making inferences on how a machine was infected without having physical access to it fairly unreliable.
    I'm not saying it is completely unimportant. Revisit the specific case I commented on - once every day or two vs. multiple intraday updates.

    I am saying that there is a clear point of diminishing returns. Let's consider a specific case: 4 updates per day/0% zero-day coverage vs. 1 update per day/50% zero-day coverage in which each update covers all released infections - which is the preferred solution?

    Assume exposure from each piece of malware is possible within 1 hour of release, as well as a coverage by a signature after 3 hours and malware released within 3 hours of an update is not covered by that update. You have to look at this in terms of infection-hours (i.e. sum of the live exposure time per piece of malware summed over all samples). I'm not about to go through the entire analysis (I used a very simple level), or the rough approximations that I made, but at 4 updates a day, you're slightly better off with the "50% heuristic" solution. Increase the update frequency to 6 times/day, and the "50% heuristic" solution is slightly worse. The 50% heuristic approach with 1 update is basically in between the 4 and 6 hr update frequency within the model I described. That's not bad, especially in view of the assumption that the pure signature approach gets a sample of the malware almost immediately and has reasonably fast turnaround. 50% coverage may look poor, but it's not.

    It's in the roll of the dice. No more, no less. As for running 3 HIPS, no thanks.

    Blue
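
The infection-hours comparison in the post above can be worked through numerically. The following is an added example, not part of the original post and not the poster's own calculation (which he did not publish): it implements one reading of the stated assumptions, and the function names, the uniform release schedule and the one-minute release grid are assumptions of this example, so its figures belong to this model only.

```python
"""Infection-hours model: update frequency vs. heuristic coverage (added example)."""
from fractions import Fraction

HOURS_PER_DAY = 24


def mean_infection_hours(updates_per_day, heuristic_coverage,
                         exposure_delay=1, signature_delay=3, steps=1440):
    """Average live-exposure hours per malware sample.

    Assumptions of this example (one reading of the post):
      * samples are released uniformly through the day (one per grid step);
      * a sample can reach a user `exposure_delay` hours after release;
      * a signature exists `signature_delay` hours after release and ships
        with the first scheduled update at or after that moment, so a sample
        released less than `signature_delay` hours before an update misses it;
      * heuristics stop a fixed fraction of samples from the moment of release.
    """
    interval = Fraction(HOURS_PER_DAY, updates_per_day)
    total = Fraction(0)
    for i in range(steps):
        release = Fraction(HOURS_PER_DAY * i, steps)
        ready = release + signature_delay
        # Ceiling division: index of the first update at or after `ready`.
        update_index = -(-ready // interval)
        covered_at = update_index * interval
        # Exposure runs from first possible contact until the covering update.
        total += max(Fraction(0), covered_at - (release + exposure_delay))
    signature_only = total / steps
    missed_by_heuristics = 1 - Fraction(heuristic_coverage)
    return float(missed_by_heuristics * signature_only)


def break_even_coverage(signature_updates_per_day, heuristic_updates_per_day=1):
    """Heuristic coverage at which a slower-updating product matches the
    infection-hours of a signature-only product updating more often."""
    fast = mean_infection_hours(signature_updates_per_day, 0)
    slow = mean_infection_hours(heuristic_updates_per_day, 0)
    return 1 - fast / slow


if __name__ == "__main__":
    scenarios = [
        ("4 updates/day, 0% heuristics", 4, 0),
        ("6 updates/day, 0% heuristics", 6, 0),
        ("1 update/day, 50% heuristics", 1, 0.5),
    ]
    for label, per_day, coverage in scenarios:
        hours = mean_infection_hours(per_day, coverage)
        print(f"{label}: {hours:.2f} infection-hours per sample")
    print(f"break-even coverage vs 4 updates/day: {break_even_coverage(4):.1%}")
```

Changing `signature_delay`, `exposure_delay` or the release schedule moves the break-even point, so any ranking of the scenarios holds only for the assumptions it was computed under.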
     
  7. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Obviously there is a middle ground. You guys seem to be assuming that we 'liberals' are saying you don't need to do anything, but just use common sense.

    Yes. Except it seems to me these days security software like HIPS don't 'make most decisions', in fact they make you make *more* decisions that few are equipped to decide! One wonders if the decisions you are forced to make are that important.

    Very good theory no one will disagree. But as we know, short of some magic AI system, if you want to protect against all things, the best way is to inform the human and make him make more decisions. That is why HIPS are getting more bloated.

    Even your setup isn't that "minimal" and forces the user to make a lot of decisions. But I guess compared to the standards here yours is considered minimal.

    Whether the decisions you are forced to make are the right balance of security and usability, I have no idea.

    Let me show you.

    Fair enough, this one is accepted to be necessary usually by even the most 'liberal' guy.

    Decisions to be made

    1) What firewall to use and how to set it up.
    2) If using blacklists which lists to use (some are overly restrictive).
    3) How to respond to the prompt

    -SiteAdvisor/Scandoo/Link Scanner Lite(I recommend this last one) advises me of bad sites before I reach them

    Decisions to be made

    1) To trust the rating on the site or not. I have seen Siteadvisor rate perfectly innocent sites as malicious quite a few times.

    -AV knocks most malware before they arrive to browser and mail client

    Decisions to be made

    1) What AV to use, what configuration


    -Firefox with NoScript only permits scripts/cookies from trusted sites.

    Decisions to be made

    1) When to allow scripts if a site breaks.

    -Scripts and DOS executables require my approval to execute(Script Defender)

    Decision to be made

    1) What scripts to run.

    -HIPS(GeSWall) keeps track of all objects, files created by isolated apps.

    Decisions to be made

    1) Tons.

    No defense exists.

    No defense exists.

    No defense exists.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Oh by the way, leave your machine on 24X7 for 31 days. So other than windows sp2 firewall, you have NOTHING else right? NO AV, AMW, no other fat software screeners, everything left as is. You will visit your bank site, buy something on line, play some on line games, download some music, visit a travel planning site like an airline and a rental car firm. Register on a social forum, see how that all goes. I stop short of saying visit the dark side, cos that is over the top.
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    What's the wager?
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Sorry to disappoint you, but I'm already doing that. I have several broadband accounts - including one that has a XP SP2 machine with default firewall on and FF / Noscript plugged into it. It's on 24/7 for close to a year.

    Is anything supposed to happen?

    But just for fun, I'll pay more attention to that one machine, if you like. I got other machines, but they fall under cheating, as they have either anti-virus, NAT/ICS, Linux, or similar.

    So, see ya in 31 days. Although it's been 331 since ... but whatever.

    Mrk
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Try sandbox/virtualization HIPS. They are the most user-friendly and provide strong protection
    I'm a fan of minimal setups too :thumb: But I don't think that I have to make tons of decisions
    Firewall:
    -Jetico for me. Really, it isn't user friendly but I can deal with it. Comodo, Zone Alarm, LnS are the user-friendly ones. But in the end you have a point here: firewalls aren't ready for Joe Sixpack
    -PeerGuardian default lists aren't obstructive
    -Prompts: you have a point. I can deal with them but ....... :D

    LinkScanner/SiteAdvisor:
    -Yes, they are prone to FP. Unless you really need to visit a certain website you can avoid it until you can establish that it's a FP

    AV:
    -Common sense = informed user so you must inform yourself about what AV to choose and how to setup it. Most of them are very user-friendly

    NoScript:
    -A solution to trusted sites that could get hijacked is the use of temporal permissions

    Local scripts:
    -Only execute scripts made by me or requested by me. Also, check them in Notepad

    HIPS:
    -Have you really tried GeSWall or DefenseWall?
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    One note: Peerguardian2 sometimes is restrictive. Like blocking Opera's homepage. But of course it depends on the lists that you use.

    MrK: Only one request for your test: download stuff;) . I know you say that would be the user's shot in the foot, but let's face it, people download things right? It's part of the online experience. A Windows theme for a cleaner environment, software that reads rss, or a new media player that plays everything without extra codecs, etc. People will download stuff, I do, and the argument of safe surfer doesn't cut it most of the time, it WILL depend on the user's preferences.

    And a question: I hear some sites, bad ones, do things without user intervention (not worried, note, but just a doubt). The best way would be NoScript? Or do I need a sandbox still to be on the safe side? (try to make a different approach lol):D

    Cheers
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Good point. Mrk should download things as usual I should not have assumed he wouldn't do that. But this is Mrks test, not yours or mine and he needs a wager ? He didn't mention it! So there isn't one.

    But here are the commitments:

    He has promised to run his counting questions through the forum as a poll

    He runs the "unprotected" machine as he normally does, not just set it up and walk away for 31 days... we have trust in his honesty, at least I do.

    His philosophy is we don't need all these fat screeners and hips etc, just
    FF and windows xp sp 2 with firewall. Default settings across the board.

    So in 31 days he reports back with the evidence that we need to support his thesis that these tools are part of a vast right wing conspiracy to wring money and create FUD. (Fear, Uncertainty and doubt)

    If he proves his point we can all save if not money then at least cpu footprints. I for one hope he is right.
     
  14. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    frankly if you have a firewall (and ideally use Opera/FF) then you are pretty safe if you stay away from porn/warez sites. I wouldn't wager anyone anything other than chances are a month protected by a firewall and good behaviour will not result in any infections.

    Hell my antivirus rarely has anything to squeal about!
     
  15. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    2 years ago, everyone on this forum knew that PG and its cousins were the cure to malware and that the days of AV were doomed. Right now, it seems everyone thinks sandboxing is. I wonder what we will think 2 years from now.
    :)

    Jetico? Is that version 1 or 2? Never mind, either way, when I think of Jetico (or Comodo) firewall, the first thing that comes to my mind isn't minimalist. You almost pack a HIPS in there.

    So much for claim about making few and critical decisions. lol.

    Yes. Geswall forces more decisions than defensewall or Sandboxie in my book.
     
  16. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Chicken. ;)

    But mrk is an advanced user, he uses linux for pete's sake, of course he will be able to protect his computer!

    I don't think it settles anything unless you think you are expert as he is at computers.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    I'm not an expert. I have no diploma to qualify me as expert. But I love computers and I love to learn new things all the time. That's all. Linux use does not make me an expert. It makes me a geek. But that's who I am...
    Mrk
     
  18. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Expert, advanced user whatever. The point is lots of people don't know as much about computers as you.
     
  19. Crashtest Dummy

    Crashtest Dummy Registered Member

    Joined:
    Nov 30, 2006
    Posts:
    4
    Just so I understand the fine print, what is a win and what is a lose in this challenge ?

    If the worst happens, and Mrkvonic suffers an intrusion then will this mean he loses the challenge because his thinking is wrong ? Will this mean that his thinking was right, his practice was wrong ?

    What will be the practical outcome if he wins the challenge ? Let's say on the basis of having no intrusion we can fairly define as a threat to the OS or data.

    How will you package that, in such a way, that new users can be certain that their knowledge of this methodology will always be up to date ? That the services and ports they have covered today, will be the services and ports they must cover tomorrow ?

    CTD
     
  20. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You are right crash dummy.

    If nothing happens it just means Mrk is lucky and it doesn't apply to future threats anyway,

    If something happens, he is definitely wrong.
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, it just goes to show how wrong we can be, either in an overall sense or with respect to timing.

    I didn't think that the days of AV's were doomed, but I did believe that classical AV's would be more stressed than they seem to be and that these types of programs would have offered a viable remedy to that stress. I expected them to have a much larger presence in the general market, either directly or through functional incorporation into suites, than they currently appear to have. I also thought that they would have evolved to be much more friendly to casual users over time. In some respects, some offerings are going the other way. My forecasts are about as good as those by a weatherman on the weather.

    At some point the generalized enumerate bad approach of classical AV's may run into performance problems due to the sheer size of the databases that they have to employ. There certainly are ways around this part of the problem. However, the geometric rise in the appearance of new infectious malware remains, as does the question of whether this will overwhelm the malware analysts. There are approaches to assist here (i.e. F-Prot's Maximus), but the simple mathematics of the situation clearly puts a bit of burden on the vendors. Some fallout has occurred with the smaller houses, but that hasn't openly translated as yet to the larger vendors.

    The critical question, then and now, is whether a broader impact occurs and when does that happen. I borrowed the plot below from a school report my son did looking at malware growth rates and updated entries to include the last year or so to make it current as of today. He used the KL database since it is probably the most comprehensive around and there was also a long line of readily available data. There are a couple of points contained therein:
    • Right now malware still seems to be growing at a stable rate with the current branch now almost 2 years old. Bear in mind that the plot is logarithmic, so that growth in actual numbers is geometric.
    • In the three branches shown (the breakdown is statistically valid), the doubling time has dropped from 36.0 to 29.0 to a current value of about 20.8 months. This is a fair amount of time to make plans and implement adjustments, but it also represents a fairly sizeable acceleration over the past 6 years.
    Down the road, one item ultimately looming out there for HIPS developers is the Vista PatchGuard. If one develops software, is it a good idea to subvert active measures taken by the OS for protection?
    My own belief - anything that automatically wipes the slate or even part of the slate clean won't fly for the average user. If it doesn't fly for the average user, or a large specific population (e.g. schools, public access PC's, businesses), it won't fly. It can get launched and garner buzz, but that's it. Sandboxes work well in machines where the usage context is aligned with what a sandbox (or virtualization) does - eliminating the footprints of the prior user. This doesn't appear to be the usage context of typical home machines, but is the context of public use machines, so there is a clear current market. Can the approach be adapted to be more in line with home PC usage? Probably. Would this adjustment gain traction in this market? I have no idea.

    As for classical AV's, the dilemma is that casual users simply cannot discern good from bad, they don't have the expertise, nor will they acquire that expertise. They have to rely on someone who does - namely an AV analyst - and that need will always be present as long as unvalidated content and executables can be downloaded and run on a machine. The need will always be present, it's really just a matter of what form it will take. Given that one can make the case for AV's remaining viable, is there room for additional discrete applications to thrive? We may speak of layering, but the market seems to prefer single provider solutions. In that case, viable alternate approaches (e.g. HIPS) simply get merged with the existing AV platform - KIS is a potential example of this, as are most other suites and Norton 360.

    As for HIPS, I actually think Mrkvonic's suggestion is one of the better ones I've seen. It is similar in philosophy to AntiExecutable, though somewhat less draconian and focused differently. It is also similar to an explicit suggestion I made to one HIPS vendor a while ago - minimize the pop-up issue by allowing a user to declare or certify, e.g. by a comprehensive scan for malware, their system healthy and whitelist the entire set of executables present on the machine. Does this have potential issues - sure, but they can be dealt with.

    Where does it all go? I have no idea, but I do believe that users do need to keep any solution(s) they implement effective, understandable, and parsimonious.

    Anyway, those are just my own thoughts at the moment.

    Blue
     

    Attached Files:

  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    HI Devil's Advocate:

    This is not a pis...ing contest about who knows more or less on computers, although sometimes we sound a bit like we are lecturing each other, don't we?
    I come here to learn and contribute ideas help where I can and YES issue silly challenges sometimes to make life more interesting.

    Mrk says he is running his test PC under windows xp sp2, not linux. The point is not who gets what at the end bet wise. Mrk has promised to accept the conditions of the test to "prove" we don't need all these fat packages to filter reject scan what ever. His task after 31 days is to report back after the test with the proof of his theories. Why not wait til it's over and you read his results. Then as per usual we can all fire at will. I for one do not fear the test nor that he will in some way "cheat". he is an honest expert let him alone till done
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Escalader,

    The problem with this test scenario is that it really isn't what people are, or should be, guarding against - at least with respect to the proposed timescale.

    Mentally this test presupposes a continual flood of challenges. That's consistent with a fair number of posts here and elsewhere which parse out vendor response times to the nanosecond and differences in scan statistics to 0.01% relative - frankly I view worrying to this level of fine structure as surreal.

    If you want a real test, be prepared to carry it out for a year or two. That's the timescale that seems most appropriate based on my personal experience. The problem is not a constant flood of exposure reaching your PC, it is that single infection on a rather infrequent basis.

    I know. Read through the security sites and you'll note that firmware rootkits are probably crawling through the flash memory on your video card, boring a hole directly to the MBR on your HDD. That's a little too close to the science fiction aisle for me. Let's head back to nonfiction, get a grip, and deal with reality for a moment.

    Some of these more, shall we say, elaborate constructs do have a valid purpose. An infrequent event should not be dismissed as a minor issue. I'm sure you'd take some measures if your hard drive could be expected to get blown away every couple of years..., OK - most of us have to actually go through that once to develop a plan. Based on what you use a PC for, that plan could be anything from simply having the install CD's/sources/serial keys/etc. at the ready in a designated location if they are needed, to a formally scheduled periodic system backup to an external HDD or other archival medium. Both approaches work quite fine but reflect somewhat different needs and desires. They're solutions to the same failure in different contexts. So it is with security. Needs can run the gamut from 1 AV and maybe a router (or perhaps the other way around) to less than a handful of dedicated applications. Same goal, different needs.

    Do we need all of these fat packages as you put it? Absolutely not, but most of us are better off with one or some of them, appropriately chosen. If you don't feel comfortable choosing, you'll probably err on the side of caution. The extremely risk averse may feel better with a tad heavier coverage. A few may actually need an industrial strength solution, but let's focus on the mainstream, it's where most of us reside.

    Blue
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Just a quick example why fat packages won't work. Recently, I used CCleaner for regular temp-files cleaning maintenance. A fine program, which I trusted and used for years. But the particular build had an issue and semi-broke my winsock. Now, regardless of what security package you use - you'd allow it - and get nailed. That's the problem.

    If at all, we need packages to defend us from seemingly trusted and good. The bad ones get filtered instantly. Beware the wolf in sheep's fold.

    My greatest "fear" is that something good might go wrong. Not that I'll download a keygen.exe and run it.

    Mrk
     
  25. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mrk,

    That's not an "and get nailed" scenario any more than getting hosed using an unfortunate beta build is. There's a real difference between malware and unfortunateware. Although I would agree with the likely rejoinder that a casual user will be hard pressed to notice that difference. In any event, it's a 30 second fix.

    Blue
     