Scope of security - trick or treat?

Discussion in 'other security issues & news' started by Mrkvonic, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    yes lol. It could be exactly this one, because I didn't read the original. And the thread is so long:p . I will read it one bit at a time:D
     
  2. herbalist

    herbalist Guest

    Exploits and vulnerabilities are rare?? They're common enough that M$ made a patch day for fixing them. You've got this completely backwards. HIPS, conventional or sandbox types, are the best tools we have for addressing exploitable vulnerabilities and unknown threats. Defenseless? Not even close!
     
  3. herbalist

    herbalist Guest

  4. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Simply by doing something dangerous that Sandboxie or any sandbox doesn't filter. Java uses a sandbox, and the last time I checked Java has had tons of vulnerabilities throughout its career.

    Granted we are not talking about exactly the same thing, but you get the idea.

    Just saying you use a sandbox doesn't grant you 100% immunity.
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Compared to the people who get infected by other means it is a drop in the bucket. Anyone here got nailed by a zero day that no-one knew of? How about someone nailed by a public one (doing so on purpose doesn't count)?

    My point is that there isn't much you can do about unknown exploits and vulnerabilities by definition; if you already knew where the vulnerability was you could stop it, if not you would just be pissing in the dark, praying that your toys would.

    Sure, you can reduce exposure by making smart bets on which software is likely to be vulnerable and try to mitigate some of the damage; based on history you can guess that many exploits require JavaScript to get off the ground, so you turn it off, etc. etc.

    But nothing is foolproof if you want to worry about exploits. You say HIPS. Who's to say there isn't some vulnerability in there that actually gets you hacked? So what's your plan against that?
    Besides, anything you say, I can counter with "but what if a superhacker knows of an exploit in X"? You see?

    Worrying about zero day exploits is a waste of time beyond a certain point.


    And what if there is a vulnerability in HIPS, sandboxes or whatever? If you want to worry about vulnerabilities, why aren't you worrying about them? You can betcha these HIPS, created using undocumented and highly unstable matters, have tons of bugs.


    Well, I guess the fact that you haven't been hacked more than twice gives you the authority to say that.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Correct me if I'm wrong, but the whole purpose of SandboxIE and GeSWall, etc. is to defend you in a broad way. Not a filter, but isolating anything that comes through the browser, for instance. Whatever type of files.

    Sure, there are vulnerabilities, possibly, that a SuperHiperHacker can pass. But MrK's point is that the SHHacker doesn't care about you, or that it's science fiction lol.:D

    Give an example of how it would be passable without the user removing the said files from isolation. Of course how could we give one. We have to wait for another review to see if vulnerabilities are found.:doubt:
    Maybe a theoretical example?
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Two types of hacking - massive and pinpointed.

    Massive hacking is the Internet noise - bots doing automated searches all the time. Something aimed at gaining quick access to a massive number of machines, and it usually works by standard protocols / exploits.

    Pinpoint hacking - something that takes effort and time, and is usually of a personal kind. Here you can see all kinds of software tricks. To exploit certain programs, the hacker needs to know what the victim is running, so the relation will probably be intimate. Then, there's the social side, where the victim is lured into running a supposedly trusted program / document that contains a personally crafted trojan or such.

    People who hack for profit surely will not bother with the home user, because the prospects of gain versus effort involved are small. Simple financial calculation.

    It's much simpler sending millions of infected emails, chat messages or whatever and wait for the dumb to click.

    People who hack for glory will surely try to own the system. I mean, in the community, if you tell your pals you owned a 70-year old grandma running Windows 98 versus you owned some government site or such ...

    Finally comes the vengeance. But that's no more different than finding a bunny nailed to your front door after you dump the girl because she is psychotic and wanted you to move in with her after just three weeks ...

    Mrk
     
  8. herbalist

    herbalist Guest

    DA,
    It's obvious that you just want to argue and try to see how sarcastic you can get as opposed to any useful exchange of information.
    Yes, I was hacked twice, both times by someone who knew what they were doing. No, I wasn't using HIPS then. Back then, I was naive enough to believe the claims the big vendors made, the "our suite protects against all this and..." Norton in this case. The incidents were prime examples of just how ineffective conventional security suites are. This was all explained long ago. Leave it to you to pull that out of context and try to apply it to a discussion about HIPS and exploits.
    Obviously. All software has weaknesses. It's unlikely that anything can stop an expert hacker. But just because one may be able to get thru your defenses doesn't mean you don't try to defend yourself. No, you obviously can't prepare against every possible exploit or attack, but you can pre-empt a lot of the damage that could be done via an exploit by limiting what each application is allowed to do or access.
    "What's your plan against that?"
    A system restore from external media. That is foolproof. CDs can't be altered once burnt.
    The HIPS programs aren't creating undocumented bugs. That's what beta testing is for. Just like bugs in operating systems and other software, they get fixed. As for their being "highly unstable", when properly configured, most are quite stable. It's when users like you stack them up 3 deep and try to see how many will run at the same time that systems get unpredictable. When you run separate HIPS apps with suites that contain HIPS or kernel hooking components of their own, instability is the result. You can't give total control of the same processes to 2 or more separate apps. Vendors aren't responsible for problems caused by this. All the better ones work as claimed. If you don't trust a particular HIPS to do the job, use a different one. If you can't figure out how to configure one to run smoothly, get a simpler one. Classic HIPS aren't for everybody.
    Let me know when you want to actually discuss something of consequence as opposed to this pointless arguing you seem to enjoy. This helps no one.
    Rick
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Herb:

    You are right, some just want to argue & sling opinions around and not share real knowhow that can actually help others. I wonder if a moderator could "freeze" the thread til Mrk is finished with "my" challenge?

    Mrk, I would like to move "your" test to "my" challenge to its own thread limited to the challenge and your report on findings, then immediately freeze it til you are ready to report. At which time we would all enjoy positive discussion about what it means.

    As far as arguing people go, you can always block them, but I always hesitate to do that.

    Your Celtic friend
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    I will make a new thread with results only if needs be with reference to this one.
    But whatever rocks your canoe.
    Mrk
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Great:

    Nobody is canoeing in December in Canada, skates yes, but zero liquid water...

    See yah eh
     
  12. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Looking through your history, I don't think you are the right person to accuse others of being argumentative.

    It's obvious to me you just want to set yourself up as a guru and preach without getting contradicted. Any contradiction in your book is not "useful exchange of information".

    Or perhaps they are prime examples of how incompetent and noob users can get hacked. How do we know the difference?

    How do we know your use of SSM is the difference now?

    But then again your story isn't unique, lots of members here are noobs who got hacked or infected once (though twice seems to be a bit strange), started learning to protect themselves, and became overly paranoid.

    They then start preaching to the masses you got to use X, or you will be hacked like me....

    Exactly. Now tell me how worrying about zero day exploits IN GENERAL can help?

    If that's your plan, why worry about other security measures? And of course there are certain forms of damage that can be done that cannot be remedied by just a backup.

    Beta-testing, at least the way we do it here, isn't typically an audit of security bugs. Very few are qualified.

    Let me know if you want to be constructive when dealing with someone who disagrees with your dogma.

    For someone who has been hacked twice, you sure are arrogant in thinking you always have the right answers.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    DA:

    For now I'm going to block you off; it's getting too personal, which clouds objectivity and makes good points you may otherwise make questionable.

    If you are so upset with Herb why not take it offline?
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    To all,

    Technical discussion and opinions are welcome. Running commentary on posters is not....nor will it continue. That's about as plain as it gets. We will let the "Scope of security" discussion continue along with this side discussion challenge or We will indeed freeze the thread.

    Bubba
     
  15. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    ~snip....un-necessary comments....Bubba~

    Going back to the original topic, personally, my AV has alerted me several times about a virus being downloaded and my firewall has logged a lot of intrusion or ping attempts on my connection. Do I think the issue is overblown about malware and imminent attacks by hackers? Perhaps to some degree, but since areas of the internet can be made to contain nefarious and sometimes system disrupting elements, a user needs to have some minimal form of protection when going online. I started to work with computers before there were PCs and viruses were used to propagate a piece of code or process to other parts of a network. Now things are more complicated and the global scope of the internet makes one "exposed" to more possible computer problems. I see a lot of new software suites that tout "complete" protection against spam, phish, viruses, spyware, network intrusions, etc. As I noted in another post, I wonder if the protection that you need to install will take more space than anything else on your computer. I haven't come across any serious system malware issue and hopefully won't in future years. But I always follow my one last rule in that I will not depend on a PC to run my life. If PCs disappear like the old manual typewriters, so be it. :cool:
     
    Last edited by a moderator: Dec 11, 2006
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    That's good. I remember when slide rules dominated! Then came calculators and mainframe computers. Then came word processing machines, so out went the typewriter. Then WordPerfect on PCs; the rest is history.

    I fear that if PCs and LANs left the workplace today, many offices and businesses would collapse. At home I would have to use stamps again and do my income tax by hand!

    What would my grandsons do if they couldn't play games?

    Please don't take my PC away, I must be too sensitive to be here.... I'm going away now into the yard to eat "worms".;)
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Nah... Hackers and security crackers are no problem at all...

    I love them!
    Without them, I would not be able to make a living!!!
    Viruses are great!

    I love hearing people's frustration about having to secure their computers and begrudgingly having to pay up for security tools.

    I gave a lecture once at a chamber of commerce in Toronto on security and some guy was really grumpy. He said, "Why should I have to pay up $$$ each year just for security when all I'm doing is browsing the web and downloading e-mail?" o_O

    My answer was simple. People who refuse to harden the systems they use online should perhaps be held accountable for the damage caused by hackers who used that system to do bad things to others. Like spewing 100,000 e-mail spam messages or infecting others with remote viewers or RATs...

    The large majority of nonsense problems we experience are caused by computers that are not secured. When that is caused by willful neglect I get cranky! Believe it or not, some people "pride" themselves on not having security! (Or they're just plain stupid!)

    My opinion: Stop crying about it and lock your doors!!!:D
     
    Last edited: Dec 12, 2006
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    Maybe stupidity or money motives have nothing to do with security?
    Maybe it comes down not to "pride" but different approaches to computer usage than ones you know or prefer? But if you're earning money from viruses, then perhaps your opinion is not entirely impartial.
    Mrk
     
  19. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi Mrkvonic,
    I wonder what impartial really means in the context of what I have said...
    I simply state an obvious element when I point to the fact that we now have a responsibility to secure our environment regardless of what we do with the technology, as long as we are "connected" and this reality will or could negatively impact others... I am stating that "some" users still refuse to take those responsibilities seriously and that they are all costing the rest of us millions, not counting time, stress and frustration. I was perhaps too sarcastic about the issue, but it is a frustratingly obvious issue that is not openly addressed for fear of "offending the offenders".

    Making $$$ money cleaning viruses and spyware and plugging security holes doesn't make me any less impartial, since I am just as victimized by those as anyone else. Not counting the many times I had to provide "Technical Welfare" to those (oh so many!) who can't deal with it and can't afford to pay for the help!!!

    To be fair, I believe very strongly in making Microsoft more "inclined" to include such technologies, or at least provide an "opt-in" function for those who may object to having to use a one-sided security offering from the Redmond Giant. It would go a long way, like the rather sizable impact that including a built-in firewall has had on the deployment of certain types of viruses... Imagine now having real security built into the O.S. where users have real control over content, instead of obscure corporations wasting more energy obfuscating issues instead of creating real solutions...
     
    Last edited: Dec 12, 2006
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    No need to imagine - it already exists.
    BTW, you're looking at the problem the other way around - securing the OS instead of making OS secure.
    Mrk
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    31 days of Condor - Results of Scope of Security Bet

    Hello,

    31 days ago or so, Escalader and I made a friendly bet. In this bet, we agreed that I would use a Windows XP SP2 machine with basic windows firewall and a normal browser to test the viability of getting infected.

    This is what we agreed upon:

    https://www.wilderssecurity.com/showthread.php?t=156441

    ------

    Escalader, I have quit my job to run the test.

    Joking. I have already begun it.

    In the following month, I'll do the following on the test machine:

    Install eMule and download music / movies (70% porn). Any legal issues pertaining to this issue should be addressed to Escalader - as in the Devil made me do it.

    Do a few IM sessions with friends abroad using Skype and Gaim.

    Register to a porn site using a dedicated address that I will create for this purpose, naively thinking I'll be granted access to "high-quality" stuff.

    Download images of porn actresses (and actors ... joking) and celebs from various sites.

    Download a few short porn movies from various porn sites.

    Download a few programs that I might need and install them, e.g. IrfanView or 7-Zip.

    Install a game and play online.

    Buy a book on Amazon.

    That's it, I think.

    -----

    After I finish the test, I'll install Spybot, Ad-Aware, Ewido, A2, SuperAntiSpyware and run full tests. Install AVG, Avast and Antivir, one at a time and run full tests. Run online tests like Panda, Trend-Micro and Kaspersky. Download BitDefender free and ClamWin and run full tests. Use UnhackMe, Icesword and Rootkit Revealer. Boot from Knoppix, Helix and Bart live CDs and inspect the machine.

    ------

    That time is up.

    I have the results.

    A dilemma that I face is the presentation of results.

    I assume that people will BELIEVE me when I present my report, because if they do not, showing empty scan logs or screenshots has no meaning. I could easily do that on a completely unrelated machine.

    If you do not believe me, you can stop reading and disregard all and any of my posts like cheap propaganda.

    Therefore I will present my results in a simple text compilation. If someone is really craving for pictures, I will try to free some time and compile a full article-like report, but this will take me some time, because I have other, more important things to do.

    Here's what I did:

    Installed eMule and downloaded about 15GB of stuff. I needed codecs to watch some of the movies, so I downloaded some.

    I talked with a friend using Skype and GAIM (using ICQ account) on a few occasions.

    I downloaded some 50 small clips from adult sites and about 250 pictures of various personae from different sites. I also registered myself with a fresh spam mail address to one of these sites. I used Google to randomly look for the sites.

    I installed Scorched3D and played and even hosted a server. I also played a few flash games.

    I bought meself an Asterix comic from Amazon.

    The system was on 24 hours a day with a reboot once a week or so. Browser of choice was Firefox, of course.

    Two days ago and yesterday I started investigating the system. This includes multiple scans in normal and safe mode with a variety of AS / AT / AV tools mentioned above, dedicated anti-rootkit tools, including some more that are not on the list, and using Live CD tools.

    The result is:

    No infections.

    The only downside is that my spam mail address receives about 10 emails daily offering me niagras and viagras.


    I will NOT post links to the sites I frequented because they might be a TOS.


    Escalader, you might think this is a right-wing conspiracy to bring you down, but this is not the case.

    The conclusion? Internet is enjoyable.

    Happy New Year.

    Mrk
     
  22. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hi Mrk & a Happy New Year :)

    I don't question your integrity Mrk. I'm not sure how the individual who has just started his/her surfing career is going to benefit from this as it stands.

    While you have a track record of placing the accent on the user and not 3rd party software, simply stating for the record that you have done it, doesn't offer the beginner more than they had last month - other than inspiration of course.

    If you can present a simple guide to the principles you followed in securing your OS. Features such as control of Ports/Services/Scripts etc that is not only repeatable, but has the promise of being maintainable by the beginner, then you move your argument on.

    If your efforts, while proven to your satisfaction, remain inaccessible / not reliably repeatable to the beginner, then the difference between your efforts, which then remain an esoteric exercise, and the probably unfathomable work of the 3rd party software engineer becomes less clear.

    If both approaches are similarly dumbfounding to the beginner - then the automated approach is going to win isn't it ?

    The software engineer will make a sale and your message of self-reliance passed by.
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    First, I have written quite a few articles about software & security, one of which is called "Internet won't hack you if you don't provoke it" which could sum it up nicely. Link in the siggy.

    Second, this was not done in order to subvert masses of beginners into running without any protection and getting infected. This was aimed at the more advanced population (re. majority of Wilders members), and as a result of healthy debate with one of the members.

    This is not meant to discredit efforts of people who develop software or users who love to have tons of programs on their comps. This was meant to give an angle that not many people have.

    I'm not a typical Wilders member, I think. I believe in free Internet, which means porn, p2p, gaming, sharing etc are something you should not abstain from just because somewhere someone somehow might hack you.

    You can find many hardening guides on the net, but they all come down to:

    No gaming, no printer, no sharing, no this, no that. In the end, it comes down to a paradox. You run Windows admin account that has no privileges. Then why don't you run a Limited Account? And if you run Limited Account, then do it properly, with an OS that actually WORKS with Limited Account.

    Answer: Linux.

    But for Windowsers among us, there is no need to kill and rape your system with every hack / patch / program available. This is something I've been trying to convey for a long time. And this so-called test is yet another step.

    In itself, it has no great meaning. But if you read my last 500-1000 posts, you might see a trend.
    Cheers,

    Mrk
     
  24. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    First of all Mrkvonic, thanks for your efforts.

    Am I surprised by the results? Not at all, as you have the knowledge, knowing that even making adjustments to a browser can prevent infections, though with that minimal setup and the places you ventured to download things, sooner or later you would become infected by some of those downloads. Anyone that's ever used 'Limewire' knows that it's pretty safe to download music but there's a lot of malware in other areas.

    Not to take away from this test, but at the beginning I offered a spam post that I found on a legit product forum for Mrkvonic's test, as it contained a link to a video clip which of course needed a codec to be installed to view (Zlob Trojan). I run in Bufferzone and therefore do not lock down my browser, and even after closing the download window, this trojan tried getting in, as my AV kept alerting me to. With Mrkvonic's locked down browser, this did not happen. But obviously, he did not go ahead and download and install the codec anyway as I did. If he had, as downloading was part of his test, infection would have taken place. It did on my system, but once I clicked the 'Empty The Bufferzone' tab, all was back to normal. I think I'll stick with my setup, which I've drastically cut down but have something in place to help protect against infected downloads.

    So my summation of this test is this. Just locking down one's browser can provide excellent protection even if you aren't a safe surfer and a minimal setup will/can take you a long way. But when downloading is involved pertaining to riskier sites and even my example which was found on a very legit site, some type of other security needs to be in place in addition to this minimal setup.
     
  25. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Sidestepping the Linux adoption (which I'm at least working on),
    I too believe in a free internet in the strongest possible terms,
    and I've always engaged in "risky" behavior (with the exception of IM):
    slumming blackhat sites, cracks, warez, XFTP, P2P, etc.
    Far worse back when I was figuring it all out than now, which is comparatively mild mannered.

    But I don't necessarily agree hardening per se is abstention; sure, it's a component, but even before virtualization there was simply employing another box, isolating it and observing it. I think of hardening as locking down a box to acceptable behaviors, avoiding as many threat vectors as fits your current needs, and changing the OS in ways that will break most malware.

    Or at least it used to break vintage malware. The advances in the last year and a half, with the great rise in rootkits, kernel mode malware, DLL injection etc., have me rethinking a lot of what I used to do and quickly adopting virtualization. In order to continue my wicked ways :D

    But I still "harden": proscribed scripts, no HTML in email, no IM, protect or remove a host of OS exe's that aren't commonly employed. HIPS, security auditing, file checking. As much rule-based whitelisting as possible, with a little signature\behavior IDing thrown in.

    It will be interesting to abandon all this Windows knowledge as I fully migrate over to Linux. I'm just not comfortable in my ability to know what's going on over there yet.

    W2K\XP

    How I've done it in the past, but I too would be very interested in Mrkvonic's Windows procedure.
     
    Last edited: Jan 1, 2007
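Both herbalist's point (pre-empt damage "by limiting what each application is allowed to do or access") and Ice_Czar's "rule-based whitelists" describe the same default-deny idea that classic HIPS products implement. The following is an added example, not code from the thread or from any product mentioned in it: a minimal per-application allow-list evaluator run over constructed sample events, including the "downloaded codec wants to install itself" pattern tobacco describes. The executable paths, rules and events are all made up for illustration; a real HIPS would enforce these decisions from a kernel driver rather than from a script.

```python
"""Added example (not from the thread): a minimal per-application
allow-list policy in the spirit of the HIPS / rule-based whitelist
discussion. Rules name an executable and the actions it may take;
anything not explicitly allowed is denied and reported.
All paths, rules and events below are constructed for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    process: str   # path of the program making the request
    action: str    # "file_write", "net_connect", "spawn", "reg_write"
    target: str    # file path, host:port, child process, registry key


# Allow rules keyed by exact process path; each entry is (action, target glob).
# Constructed policy: the browser may write only to its profile and Downloads,
# may connect outbound on 80/443, and may spawn nothing; the P2P client may
# write to its Incoming folder and connect anywhere.
POLICY = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe": [
        ("file_write", r"C:\Users\*\AppData\Roaming\Mozilla\*"),
        ("file_write", r"C:\Users\*\Downloads\*"),
        ("net_connect", "*:80"),
        ("net_connect", "*:443"),
    ],
    r"C:\Program Files\eMule\emule.exe": [
        ("file_write", r"C:\Users\*\Incoming\*"),
        ("net_connect", "*:*"),
    ],
}


def is_allowed(event: Event, policy=POLICY) -> bool:
    """Default deny: an event passes only if a rule for that exact process
    path matches both its action and its target (glob match)."""
    rules = policy.get(event.process, [])
    return any(event.action == action and fnmatch(event.target, pattern)
               for action, pattern in rules)


def evaluate(events, policy=POLICY):
    """Split events into (allowed, denied); each denied entry carries a
    short reason so the log distinguishes unknown programs from known
    programs stepping outside their rules."""
    allowed, denied = [], []
    for ev in events:
        if is_allowed(ev, policy):
            allowed.append(ev)
        else:
            reason = ("no rules for process" if ev.process not in policy
                      else "no matching rule")
            denied.append((ev, reason))
    return allowed, denied


# Constructed sample events. The last two mimic a freshly downloaded
# "codec" installer: the browser tries to launch it, and it then tries
# to register itself to run at startup. Neither is in the policy.
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Mozilla Firefox\firefox.exe", "file_write",
          r"C:\Users\mrk\Downloads\clip.avi"),
    Event(r"C:\Program Files\Mozilla Firefox\firefox.exe", "net_connect",
          "example.org:443"),
    Event(r"C:\Program Files\Mozilla Firefox\firefox.exe", "file_write",
          r"C:\Windows\System32\drivers\x.sys"),
    Event(r"C:\Program Files\Mozilla Firefox\firefox.exe", "spawn",
          r"C:\Users\mrk\Downloads\codec_setup.exe"),
    Event(r"C:\Users\mrk\Downloads\codec_setup.exe", "reg_write",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\codec"),
    Event(r"C:\Program Files\eMule\emule.exe", "file_write",
          r"C:\Users\mrk\Incoming\song.mp3"),
]


if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_EVENTS)
    for ev in ok:
        print("ALLOW", ev.process, ev.action, ev.target)
    for ev, why in blocked:
        print("DENY ", ev.process, ev.action, ev.target, "-", why)
```

Running the script prints three ALLOW lines (the two legitimate browser actions and the eMule download) and three DENY lines. The point the thread keeps circling is visible in the deny reasons: the write to `System32\drivers` and the spawn are denied because the browser's rules do not cover them, and the installer's autorun registry write is denied because a program nobody whitelisted has no rules at all, which is how a default-deny policy handles an exploit or trojan it has never seen.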