Scope of security - trick or treat?

Discussion in 'other security issues & news' started by Mrkvonic, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,

    I should have used better terminology. What I meant is that many times when a user is convinced of his actions, he will deliberately disregard logic in order to achieve his goal. Unless that user lives in a constant state of doubt or trusts no one - in which case the online experience is somewhat less pleasant.

    Mrk
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    OH!OH!

    Infected already?
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    I doubt it, as this is not the test machine.
    Mrk
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    From my point of view, malware danger is a little bit overrated, but not very. The main reason for it is that journalists are, mostly, novice users who don't install security fixes and use Outlook and IE. Naturally, when they have problems with malware, a new article comes out with "AHHHH! VIRUSES!!!!! BEWARE!!!!! HACKERS WILL BLOW YOUR HARD DRIVE AND SCREW YOUR MIND!!!". Also, AV companies spend huge marketing budgets for new "right" articles, TV shows and "right" comparative reviews in magazines and online.

    BUT! Malware is a business. With offices, staff, investors and so on. That is why it will be growing, it will be finding new exploits, producing new malware undetectable by AVs, and the number of undetectables will be growing from day to day. The effectiveness of traditional AVs will fall, regardless of the quality of heuristics and the average time of virus base updates. Retrospective tests already don't show the real situation, because I see a lot of people who are asking for help with HJT logs even with KAV/NOD32 AVs working.

    Only preventive behaviour-based defense may solve the problem. That is why it is very important to create a behaviour-based HIPS that is extremely easy to use and to learn, but strong, for novice/average users.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    Well, Ilya, you sure are on the right path. Simplicity is the key.
    Mrk
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Mrk, BlueZannetti, Ilya Rabinovich, tobacco, Devil's Advocate, Crashtest Dummy and all other interested parties,

    I'm the silly guy who issued Mrk the challenge to run "naked" under Windows XP SP2 for one month, to get him to ante up his own PC to test his theories.

    Blue: You want a longer test? Sure, why not, but why not wait 31 days and say that then? Have you rejected the results and learning Mrk may very well provide us? I'm sure you have not.
    I have my own "fat" packages in place in the interim, and until it is proven that I don't need them, they will remain fully updated, active and set to aggressive mode. No one can force us to change anything. But all I can say is wait for the results. Be patient.

    Ilya: I'm not a journalist, and over the last year got 1 Trojan and BD filtered out a couple of viruses. But you are right I think the hype is real.

    tobacco, ha, you seem ready to cheer a Mrk failure; wait for his report! :D

    Mrk: Just a piece of advice during the test: wait 31 days yourself before reporting, let all the evidence accumulate. You have many PCs, so to avoid confusion don't report on things going wrong with them; people will draw wrong conclusions.

    I am not trying to censure you, just say the test is underway, will report later. By the way, have you actually started yet? We need to know when the clock starts. You should post when you start, with a timestamped list of all running programs on the test machine. With all these guys waiting to pounce, transparency on your part is the best plan.

    Log your activity on the test machine, so you can't be charged with letting it remain idle for 31 days. Remember, use it: email, surf as you normally do, download stuff, music, games, register on a forum, do some banking. Use the test machine as your default PC. Would you be able to NOT use your other machines? If you felt you had to do something off the test machine, your reasons for that should be part of the test.

    Good luck, let us know when you start via your transparency posting. Include anything else I should be geeky enough to ask for!

    Your Celtic Friend
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Not silly at all. Facts, even isolated ones, can trump pure speculation as long as the limits are well appreciated.
    Again, based on my personal experience, which, with large and small computers, runs for almost 35 years, I believe Mrk's thoughts are correct in general. This has included very extensive periods of running machines completely unprotected myself. Most users frequenting security sites are secured to the hilt. That's absolutely fine in my book as long as:
    • The user understands this and is therefore not surfing in a constant state of anxiety waiting for the next malware shoe to drop or the next perfect solution to come around the corner.
    • They have a solution that addresses more problems than it creates
    • They have a rough idea of the role of all the components used and therefore do not address one issue 10 times, leaving 9 other issues open.
    • They understand no solution is absolutely perfect. There is a time dependency to coverage and a user can always end up overruling the protections to their detriment.
    • One size does not fit all.
    You shouldn't look at this as proof one way or the other. It's one data point, from one client, providing a snapshot in time. As with any situation involving a statistical element, one can only speak of probabilities. In this case, there are two possible outcomes, "infected" or "not infected" where I'm using the terminology somewhat loosely.
    • If Mrk becomes "infected", all you can say is that the likelihood of infection is not zero under the conditions employed.
    • If Mrk does not become "infected", all you can say is that the likelihood of infection is not 100% under the conditions employed.
    In other words, only one of the constraint boundaries (100% infection rate or 0% infection rate) is ruled out, the other constraint boundary is not ruled in, and the large field in the middle is not addressed.

    By the way, I hope both you and Mrk do not feel I am taking either of you to task on this. It's a very useful discussion to have and I hope any lurkers are learning from it.

    Regards,

    Blue
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,

    Escalader, I have quit my job to run the test.

    Joking. I have already begun it.

    In the following month, I'll do the following on the test machine:

    Install eMule and download music / movies (70% porn). Any legal issues pertaining to this issue should be addressed to Escalader - as in the Devil made me do it.

    Do a few IM sessions with friends abroad using Skype and Gaim.

    Register to a porn site using a dedicated address that I will create for this purpose, naively thinking I'll be granted access to "high-quality" stuff.

    Download images of porn actresses (and actors ... joking) and celebs from various sites.

    Download a few short porn movies from various porn sites.

    Download a few programs that I might need and install them, e.g. IrfanView or 7-Zip.

    Install a game and play online.

    Buy a book on Amazon.

    That's it, I think.

    Now, the point of my test is NOT to make you stop using your favorite programs. No.

    The point is to show you that you can ENJOY the Internet without constantly fearing violation. Life is too good to waste on worrying about alien attacks.

    After I finish the test, I'll install Spybot, Ad-Aware, Ewido, A2, SuperAntiSpyware and run full tests. Install AVG, Avast and Antivir, one at a time and run full tests. Run online tests like Panda, Trend-Micro and Kaspersky. Download BitDefender free and ClamWin and run full tests. Use UnhackMe, Icesword and Rootkit Revealer. Boot from Knoppix, Helix and Bart live CDs and inspect the machine.

    Satisfied?

    BTW, a quick teaser, do you think that I normally do things much different than what I described above? Yes, I do have machines with anti-virus and yes I do have machines with other firewalls, including Comodo, Kerio 4.2.3 and some others, but mainly for testing purposes. And pure fun of a geek who loves to play with software.

    That's the point. Use any setup you like. But because it gives you joy and fun. Not as the ultimate protection against total doom.

    If we were to live our lives with the same amount of caution we invest in computers, our lives would be:

    Backup and imaging - full life insurance + a clone somewhere.
    Anti-virus - full NBC inoculation.
    Firewall - full kevlar vest.
    Anti-phishing and anti-pharming - a lawyer and an accountant always tagging you.
    HIPS programs - a whole bunch of advisors following you around.
    Anti-spyware and anti-trojan - James Bond for bodyguard.
    Anti-rootkits - portable enema dischargers.

    Just think about it. Only the President of USA may qualify with the above. Yet, with computers, which are nothing but dumb machines that die every 4-5 years without any intervention, we pile up security like mad.

    Once you start enjoying the computers, you'll branch into more adventurous parts. You'll start tweaking the little things that make all the difference. Then you'll try Linux. And then you'll fall in love.

    All the HIPS in the world cannot compare to 5 minutes of command line in Linux.

    Mrk

    P.S. Escalader, I cannot ONLY use the test machine, as I have to work, update my website with new articles, have a daily fix of Linux and VMware, and a few more things. Not to forget the wife, who has her own games to play.
     
    Last edited: Dec 4, 2006
  9. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Just have to say Mrk - great post in a great thread.

    Love the analogies :thumb: very funny.
    Can't wait for the test period to be over and you give us the results.

    As Blue suggested, I'm lurking and learning :ninja:
     
  10. Crashtest Dummy

    Crashtest Dummy Registered Member

    Joined:
    Nov 30, 2006
    Posts:
    4
    Agreed - except:-

    I don't protect circuits with built in redundancy. I protect the integrity of my data.
     
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    They do want in my PC, but I cannot let them do so. Even if They get in, they must not get back out.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Mrk:

    I'm more than satisfied, you plan to do more than I ever would if carrying it out!

    Sorry you had to quit your job, (joking) but I'm even sorrier I had to install a lawyer on my hard drive spindle...

    Far be it from me to stop you from your Linux fix. IBM is going that way, so you must be right!

    Enjoy the test.... seems I wasn't as silly as feared!

    Your Celtic friend

    PS to all lurkers, Blue didn't take us to task, he just has the nerve to comment, I like his comments. Maybe he should visit the same sites Mrk is with screens up! As a control we should really have another tester or 2 any takers? Or are you all just talkers? :D
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Mrk,

    I can predict that if your ports are closed, you won't have a problem. You might remember a discussion on this last year, and I ran for four days simulating no firewall (I'm sure it could be 40 or 400 days with the same result):

    Firewall Test

    This, of course, relates to a firewall's inbound protection as a packet filter (outmoded definition of a firewall, I know...)

    To monitor outbound protection, a software firewall or some type of application monitoring is necessary if you are concerned that you might get infected, which you are not, and you won't, I'm sure!

    Good success with your test!

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  14. herbalist

    herbalist Guest

    Mrkvonic,
    I can agree with most of what you've said. I consider myself to be paranoid when it comes to computer security and privacy, which is why I stay with rule based software and avoid XP. I guess it depends on how you define paranoid. Where does paranoid begin and security conscious end?
    Regarding your questions:
    1. I don't know. Shut off the alerts for those long ago. Used to get 25 or more alerts for port scans daily, and that was while using dialup.
    2. Not very often, and 75% of those were false alarms.
    3. A couple of times when I was installing software, SSM alerted me to its trying to add "run" or "runservice" entries I didn't expect to see with the particular type of software I was installing. Other than that, no alerts.
    4. I have seen occasional outbound connection attempts when installing or testing software. Once in a great while, Script Sentry alerts on an .hta. I don't run any other anti-whatever. Gave up on them long ago.
    That's more paranoid than I am. I update my AV scanners every couple of weeks or so.
    Only "special" software I use for this is encryption. I keep financial records in an encrypted container. Other than that, nothing changes.
    The question needs to be more specific. I use the firewall to prevent software and system components from accessing the web. My core system processes don't need internet access, and the net sure doesn't need access to them. Are you referring more to the HIPS and hook control components of firewall suites with this question or is this about the internet firewall component?
    What do you consider to be "high-level processes"? How is one supposed to answer this question? While I'm no expert, I do have a fair understanding of the processes on my system and the functions they perform, and I am still learning.
    That's terrible!! Where's the patch for this? I've got a work-around that will convert it into Pink Floyd-Echoes. :p
    Seriously, I see your point regarding "proof of concept" code. Can I assume that this primarily refers to potential new exploits or new ways of using older ones? Someone proves that a specific attack may be possible and people get worried. The problem here is that sometimes that "proof of concept" is demonstrated as an actual attack. Remember Slammer? I try (unsuccessfully) to keep up with the new exploits and proof of concept code, and see which ones can affect my system. I almost have to. Microsoft isn't patching my OS anymore, so I have to do what I can. Fortunately (or not, depending on your point of view), much of this boils down to separating real threats from exaggeration or fiction. Example: the WMF exploit and 98. It was used as a scare tactic on 98 users when 98 wasn't vulnerable to the exploit, at least not in the form it was released. That aside, with no patches being issued, SSM is pretty much the only way I can try to offset new exploits. Time will tell how well it does at this. BTW, I liked your description of HIPS with Windows.
    That's a pretty good description of how HIPS should be used. IMO, that's pretty much the only way users have a chance of actually securing windows, or as close to securing it as is reasonably possible.

    Are you referring to the forum threads or the way security-ware is marketed in general? The marketing is definitely playing on users' insecurities and lack of knowledge. Calling some of it scare tactics would be an understatement. Then again, the majority of PCs are infected with something. Depending on whose figures you use, somewhere between 66% and 91% of all PCs are infected with some kind of undesirable code. It's clear that most users haven't taken PC security seriously enough, although I don't agree with vendors using scare tactics. The best answer would be a better operating system, but Windows dominates, so the problem continues.

    As for paranoia and the forum threads, a definite trend is there. One user gets told they're using too many anti-spyware apps while another wants to see how many HIPS can run on one system at the same time. Then the vendors get blamed because their HIPS is conflicting with something else on these nightmare security setups. I hate seeing posts where new or inexperienced users are told to install more than one HIPS, especially when they don't know how to configure one properly. Paranoia is installing security apps on top of security apps and not taking the time to learn and configure them properly, which leads to this point raised in the original post.
    First sentence, very generalized, says nothing of consequence.
    Second sentence, not the normal way it works, but does happen. Exploits turn up where the user doesn't expect them.
    Third sentence, basically true but does nothing to educate the user.

    I'd like to see security-ware vendors make their sites more educational for users, especially in regards to user behavior and how certain behaviors increase their risks, instead of spreading FUD. Better yet, I'd like to see every new PC direct the user to a good security site with solid advice when they first go online with it. Since that doesn't pad anyone's wallet, it won't happen.

    Forum posts are another problem when choosing terms. A term that's over-simplified to one reader isn't understood by another. While an advanced user knows that malware doesn't just slip into your system, it's about impossible to explain to a new user in a forum post or 2, even with long-winded posts like mine, all the ways it does get in. How do you deal with a subject like exploits and vulnerabilities without naming specific ones? If you don't name something specific, the post is of no interest to a more experienced user and doesn't contain anything that helps with configuring a piece of security-ware to deal with them. As soon as you name a specific exploit or vulnerability, you start going beyond the average user's level of knowledge. The typical user has no idea what a privilege escalation or a remote code execution vulnerability is. What's the best way to say that HIPS can be used to defend against such exploits? How do you explain to an average user why something works without writing a book that bores the advanced user?
    Rick
     
    Last edited by a moderator: Dec 4, 2006
  15. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Forget closed ports (he's doing P2P, right?). In fact, unless we know there is some lurker really determined to teach Mrk the error of his ways, the firewall probably won't come into play. Those simple-minded worms aren't going to hurt him, fully patched as he is.

    I predict he will get hacked, by some zero day exploit through his browser, that does not utilize javascript.

    Even if he surfs only safe sites, the site will be hacked, or the adserver will be hacked, and serve him the exploit.
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    DA,

    You do need to place that tongue firmly and publicly in cheek for the casual readers.

    I admit, parsing through many threads here would seemingly result in that being the inexorable conclusion, but let's try to maintain residence in the real world for the next 30 days or so.

    Blue
     
  17. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    While that is stated over and over again, the point everyone seems to be missing is that we are not addressing such people. Anyone who comes here and posts automatically, almost by definition takes security seriously enough.

    Well, if it's merely inexperienced users you are worried about, why make a big fuss? Eventually they will all become as experienced as you.

    Personally, I love these posts and threads that try to define once and for all what the terms mean.

    Once we know exactly what the difference between a sandbox and virtualization or a behavior blocker or whatever is, their strengths and weaknesses, we can go out and get one of each to provide layered protection.

    Recently there was an even more complete scheme posted, that made me realise that, as good as my security was, it still was wide open on several levels.


    You should say nothing about those. Those are rare, and there's not much one can specifically do about them (aside from 'common sense'), details or no details. Most of the HIPS we use here will do nothing to stop them from starting, though your SSM might notice something weird happening afterwards if you were lucky (assuming it does something that tips SSM off), or a sandbox might stop some of the damage (but will you sandbox everything?).

    There's a reason why paranoids like to talk about the threat of going to a site that has been hacked with some zero-day exploit... It's the ultimate threat that you are defenseless against, whether expert or beginner.

    The only possible safeguards are technological even though they work worse than AVs against malware. :)
     
  18. Crashtest Dummy

    Crashtest Dummy Registered Member

    Joined:
    Nov 30, 2006
    Posts:
    4
    The practical step I choose is to start each day's surfing on a trusted site. One that, like this one, alerts to new exploits and any interim solutions as they appear. It's kind of nice to see the speed at which contributors come up with solutions to exploits. I don't expect to see them regularly. When they do show up, I tend to enjoy the whole process of mapping the exploit from discovery to resolution.
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,

    DA, I know you wish to heat up the debate, but that's not the point of this thread.

    1. I'm not trying to prove I'm smarter than some hacker.
    2. I'm not trying to challenge anyone into proving me wrong.

    I have simply decided to indulge Escalader, but others may benefit, as well.

    The whole idea is to show that a "normal" person can enjoy the Internet with a solid mix of pleasure, fun and wise thought, without stitching his ethereal orifices with ten layers of thread against intrusions.

    P.S. Just for those who feel elated about hacking, I will not publicly reveal the IP of the tested machine - HINT it is not one of the machines I used to post ... The goal is to test a nameless computer in a world of computers and not isolate it and turn it into "rape-me-dear" target.

    P.P.S. DA, you should thank the hackers, though. Although a small fragment of the computer population, they are usually in charge of the most important revolutions that happen, for good or worse.

    After all, Linus Torvalds started the Linux project as "hacking".

    Mrk
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    How would SandboxIE work with this? How can you bypass SandboxIE? Not that i expect it to be perfect, but still...

    MrK: I understood your preference for "The goal is to test a nameless computer in a world of computers and not isolate it and turn it into ~Snip~ target."
    For this test this is appropriate :thumb:, although I would like to see someone testing his set-up by provoking. That would be interesting too, to see how the different approaches would defend us. :)
     
    Last edited by a moderator: Dec 5, 2006
  21. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Hey: do you, or anyone else here, monitor bot traffic? Or IRC communications?

    Mostly out of curiosity.

    SiL
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,

    Someone, what's the point of provoking - ~Snip~
    That's not what the Internet was made for. If you want to provoke someone, do it in a positive, constructive way - let's say, develop an application that is better than someone else's. Destruction is hardly the way of improving anything.

    Please don't turn this into "I'm smarter than thou - I pwn you n00b" thread. If anyone wishes to see one of the participants humiliated at the end of this discussion, then we might as well quit now.

    Mrk
     
    Last edited by a moderator: Dec 5, 2006
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    NO no no, you misunderstood me, or I wasn't clear. I'm not suggesting that kind of provocation (wrong word), more like a simple test against whatever you throw at it. To see what problems arise from one setup or another. Take it as a friendly attack, friendly hack. Like one that I read about of a guy who wanted to test his router config, and got hacked twice (his request), lol. But he asked for it, to see if he configured it right.

    Not for the test you're doing, or the point you're trying to make, just another approach/test.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    Rmus already did the hack test last year. It was, to sum it up, uneventful.
    He even posted a link to his test in the thread a few posts above.
    Mrk
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Something like this?
     