Scope of security - trick or treat?

Discussion in 'other security issues & news' started by Mrkvonic, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Recap Part 1

    I just thought it might be worth recapping on some of the features of this thread for any really new user who may not be sure if something amazingly advanced and, for them, unachievable has happened in this thread ... or worse, believes that they have been given permission to ignore the principles of safe-surfing. I know Mrk says this thread wasn't really aimed at the new user - but I don't see the point of aiming it entirely at the experienced one, who presumably is already amassing sufficient experience and information to have passed the stage of blind paranoia.

    Having initiated the thread with what I see as a basic plea for the balanced use of security software, achieved through education and self-control, Mrk was then presented with a challenge: to run a Windows box with minimum security for 31 days, while continuing to act and surf as he normally does.

    He has responded to the challenge by ensuring his system is fully patched, is running a basic Windows firewall and then presumably further secured his ports by the disabling of unwanted services etc. So if the service isn't running, it isn't listening at a port and vulnerable to exploitation, principally through automated attacks. I don't think he stated on which basis he was attributing permissions either globally or on a per-application basis (e.g. administrative or user account token).

    This is where I think Mrk could have offered more for the learner that has come to this thread. Which OS are you using, and how did you choose to disable services and control port activity? Was it manually, such as through services.msc, or do you prefer some automated freeware such as wwdc.exe? How did you test that your ports had been secured, e.g. using ShieldsUP at grc.com? Note that from time to time, such as when a new exploit is announced or a new Service Pack introduced, some minor changes to the application of these techniques may be needed.

    When it comes to monitoring outbound traffic, I think Mrk believes in the focus of preventing untrusted activity gaining a foothold in the first place, rather than worrying too much about monitoring outbound activity, which should, by default, be by trusted applications that have already been granted some level of token/permission.
     
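    A small check of the point made above, that a service which is not running does not listen on a port, as an added example that is not from this thread or from Mrk's site: it parses a constructed `netstat -an` capture (the format Windows XP prints) against a hypothetical allowlist of the ports the owner meant to leave exposed, and reports anything else listening on a network-reachable address.

```python
"""Audit `netstat -an` output for unexpected network listeners."""
import re
from dataclasses import dataclass

# Constructed sample capture in Windows `netstat -an` format (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1099      64.233.1.1:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:123          *:*
"""

# Hypothetical allowlist: (protocol, port) pairs the owner decided to keep exposed.
ALLOWED = {("TCP", 135), ("TCP", 445), ("UDP", 445)}

# One netstat row: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")
# Bindings on these prefixes are only reachable from the machine itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_listeners(text):
    """Return every socket that would accept unsolicited traffic.

    TCP sockets count only in LISTENING state; UDP rows carry no state
    column, so every bound UDP socket is treated as a listener.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or anything that is not a socket row
        proto, addr, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        found.append(Listener(proto, addr, int(port)))
    return found


def exposed_listeners(listeners):
    """Drop loopback-only bindings: the network cannot reach them."""
    return [l for l in listeners if not l.addr.startswith(LOOPBACK_PREFIXES)]


def unexpected_listeners(text, allowed=ALLOWED):
    """Exposed listeners whose (proto, port) is not in the allowlist."""
    return [l for l in exposed_listeners(parse_listeners(text))
            if (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {l.proto} listener on {l.addr}:{l.port}")
```

    On the sample capture the script flags TCP 5000 and UDP 1900 (the loopback-only sockets and the established connection are ignored); on a real host, feed it the output of `netstat -an` and compare against the services you intended to keep.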
  2. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Recap Part 2

    The next concern in this test and really the biggest threat, assuming we are not worried about physical access by someone else, is what we do to ourselves through curiosity, impatience etc - through inviting a download.

    If we take a look at Mrk's article http://www.dedoimedo.com/computers/internet.html.

    The article is fair enough, includes the usual stuff about running Firefox/NoScript etc to create a secure and more flexible browsing experience than is possible with a secured IE. Then we have the standard list of proscribed activities:-

    Email: Do not open email attachments (even from friends and known contacts) unless you are sure that the content is safe.

    Instant Messaging: Do not click links or download photos from strangers. Keep the programs up to date.

    P2P: Use clean, unbundled software, keep it up to date. Do not download programs (executables) and cracks to programs, because you cannot be sure they are not well-crafted malware. There is a general misconception that P2P is extremely dangerous. It's partially true. Some programs are bundled with malware. Just don't use them. Second, downloading malware through P2P does not make it any different than downloading malware through a web browser. Often, the availability of programs (and dangers) is much greater through P2P than web sites.


    I bring the article in, because to the casual reader of this thread, it may look at first glance, as if Mrk has, through the link in his signature, begun by advising the above method of running the Windows OS on the principle of this prohibitive approach... and then gone on to achieve for himself some shangri-la .net lifestyle in which you can all but abandon security woes and download freely without fear. To be clear I don't say that Mrk makes any grandiose claims, just that at first glance it appears there are 2 different levels of user at work here - when actually there is a consistency about his approach.

    It might be useful to re-check on what's actually different and note the reality may not be such a free-wheeling, devil-may-care approach as a casual read may suggest. Mrk's principle of a free internet is not a philosophy based on the freedom to make mistakes without consequences - it is free as in free speech, it is based on the presumption of a sense of responsibility by the user.

    * Installed eMule and downloaded about 15GB of stuff. I needed codecs to watch some of the movies, so I downloaded some.

    Bear in mind here that Mrk doesn't suggest that he downloaded the codecs from an on-the-fly source that may have contained the zlob virus. Codecs are freely available from reputable sources - it would have been useful to hear that this is what he had done. Mrk will presumably have then satisfied himself that the downloads he instigated were of an expected movie/music format and not overtly, or through false advertising, subvertly, a packaged executable. He may then have possibly gone on to add further security by playing the download with either a 3rd party player or used something like WMP Scripting Fix to neuter WMP and further ensure that no embedded scripts could be run. It might have been interesting to know if Mrk declined any of the downloads available to him on the basis of having some doubt about the content.

    * I talked with a friend using Skype and GAIM (using ICQ account) on a few occasions.


    So his IM & voice messaging was with a friend, no suggestion that he instigated or allowed any anonymous contacts either actual or the bot variety. As a result, neither is there a suggestion that there were any dodgy links to lure him astray.

    * I installed Scorched3D and played and even hosted a server. I also played a few flash games.

    Yet again the Scorched3D game appears to have been carefully chosen, not just some cracked rubbish he happened to come across. His browser was configured not to accept unsolicited scripts from sites, so even if he hadn't previously known of the game, he had reasonable freedom to surf until he had come across it and found a reputable source.

    * I bought meself an Asterix comics from Amazon.


    Well why wouldn't he - he was confident that nothing automatic could have come through his closed ports and also that he hadn't invited and run an executable that would have placed a keylogger on his machine. The rest is down to the secured nature of the online transaction and possibly using additional checks and balances, such as ensuring encrypted material isn't saved on his machine.

    So to partly answer why there are all these security apps available on the market and why so many users spend their money and cover themselves with them?

    Well, apart from anything else, the downside here is that if the system is your only system and you have no independent back-up regime, then using the above testing environment and philosophy of self-control, you really can't afford to stray too far or have an average teenager within 30ft of your machine - especially if you stand to disclose data of a personal/financial nature that could be damaging to your well-being if intercepted.

    As a result, for the home user it becomes more difficult to learn by trial & error. Ultimately, without the extra safety-nets, then to some extent the very process of learning that Mrk advocates becomes more threatening and the hands-on experience of experimenting more difficult to achieve.

    Source page for wwdc.exe http://www.firewallleaktester.com/wwdc.htm
    Source page for wmpscriptingfix http://www.javacoolsoftware.com/wmpscriptingfix.html
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, at least at Mrk's site, he does advise to skip the OS tweaking within Windows (go to Linux if you're of that mindset). I tend to strongly agree since you cannot always anticipate whether an "unneeded" service is "needed" by some application, occasionally with unpredictable results.
    I guess my read is rather different.

    With respect to XP - up to date fully patched with a default install and leave as is.

    To me, the take home message for a learner might be in the form of some inferences from the reported results (which admittedly are like any single test - of limited scope):
    • Let me start with a personal prejudice - perform a default install of a simple AV, especially if you feel you need to ask the question "Do I need an AV". If you're not in a position to personally disassemble and examine downloaded content to assess whether or not it is malware, this is your best route to garnering a reasonably educated opinion.
    • If a user can successfully navigate the Internet for 30 days in a nominally unprotected state, should a user really feel compelled to obsess over whether their chosen AV/etc. does not immediately cover suspected malware within minutes of discovery? Short answer - no.
    • As a corollary to the above, are signature updates really required every 15 minutes? I realize that there is an inexorable tradeoff involved between update frequency and risk, but I do believe that there are clear tendencies to go overboard.
    • If my AV of choice now lags another in some test of detection statistics by a few percent, is that any reason to suddenly feel fundamentally exposed? Short answer - no.
    • Is the perception that a user faces a constant onslaught of challenges from the Internet consistent with the results of this test? The simple answer is no, although that could probably be inferred from the general silence of most any installed AV product. As remarked by myself and others here, anecdotal infection rates probably hover in the 1 incident/(every few years) rate for most. It's not terribly frequent, but that doesn't mean it is inconsequential, nor does it mean one should ignore the issue. It does mean that an ongoing state of agitation and fear is rather inappropriate.
    Simple answer? It's the free market at work. Also, the landscape of challenges is fluid. Think back a couple of years - the niche market of AS applications was created by neglect/slow coverage of this segment by the main existing vendor base in Windows PC security (the AV vendors). This niche still exists because it remains a dynamic arena, but the main AV vendors have substantially generalized their products and now cover it fairly well. As each niche domain emerges, components that are valued in the market (for whatever reason - it can be real or imagined performance) do get incorporated across product lines. Lots of options are simply a result of the fluidity of malware challenges and slow implementation and consolidation of feature sets in rather complex products.
    It is worthwhile to recall in providing advice here that many users remain single PC installations. Actions that could take the user offline may be only undone by external intervention - hence a caution that advice offered should be conservative and appreciate potential downside consequences - and everyone should probably have a Linux Live CD distro/Bart PE Win boot CD at the ready in the event the Windows side of the world folds up shop.

    Blue
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,
    eyes-open, BlueZannetti, very nice discussion! Thank you!
    Mrk
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    All in all, IMHO, Mrk has met the challenge that I put to him a month ago.

    I congratulate him.

    The point I missed that has now been discussed well here is can "others" do it as well or do they have to be as skilled as Mrk to safely work the internet his way?

    Mrk, although you did not yet publish your "proof" on this forum, I believe you when you say, all scans showed nada.

    Regards
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,
    I'm writing the report as we speak.
    I hope to post it tomorrow.
    You have cost me about 4 hours of my life.
    Mrk
     
  7. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado

    Balanced against that would of course be the massive infection levels seen in client after client's computers. I've not been infected as far as I can tell for over 4 years. But I've cleaned infections out of boxes so massive I found them difficult to comprehend. Concurrently there has been a shift in subversion that isn't typically targeted at end users, wherein zero-day trojans get dropped on institutional and corporate networks.

    Granted they currently have bigger fish to fry, these are weapons that are out there; if the return on investment of easily exploited boxes falls, there is too much money riding on the botnet extortion and spam markets to not upgrade. More to the point is that criminal activities are market driven themselves and a new market has just been created.

    If you actually enforce the immigration and hiring laws on the books, the market for identities is going to expand exponentially. And into personal computers if they can.

    Fear in a modern society and civilized setting is a misplaced biological response, one that all too often is played upon to manipulate. It's taken to extremes and polarizes issues. But a rational assessment of real risks and logical extension of observed phenomena within context is highly valuable in threat assessment. Nothing here places one in mortal danger and fear is inappropriate, but serious concern and real acknowledgment of current and likely future threats is a responsibility, especially given the context within which these messages appear.

    ;)
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Eyes-open made a few good points. One is Mrk's judgement on what could be a bad download, bad game, etc., and where to look for codecs, and so on.

    It can be explained to an average user though. But that user just won't get everything, or he will have different tastes/needs.

    A very informative test! One can be safe if careful with downloads.:thumb:
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Mrk: I am sorry you feel that reporting is a "cost" to you.:'(

    When the test began you agreed to report, so now you will report. It was of course up to you to accept the test or not wasn't it?

    Regards
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,

    Escalader, I'm teasing you.

    The report is ready:

    http://www.dedoimedo.com/computers/report.html

    Please use discretion and common sense when reading the report.
    Please do not use this test as a reason for lowering your security setup; try to UNDERSTAND what things were done rather than which software TOOLS were used to achieve them. The computer setup was merely a means and NOT the goal in achieving the desired results. It would have worked equally well with KIS, Outpost, RegRun, Sandboxie, or any other software.

    Several posts above mine, the methodology was dissected in a very interesting and proud way by eyes-open and BlueZannetti.

    Of course, further discussion is warmly welcomed.

    Mrk
     
  11. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Yes, absolutely correct Blue - I've found where Mrk refers to this on a different page within his site under the heading tweaking:-

    http://www.dedoimedo.com/computers/collection.html#mozTocId684596

    so well spotted, assume no such tweaks. :thumb:

    @ Mrk - thanks :)
     
  12. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Very interesting

    For what it's worth I haven't seen a real live in-the-wild virus for years, nor has any malware given me any trouble. My Netgear DG834 probably helps and I do like Firefox (no scripts). I keep loading anti-virus programs to see if I can find a really light one - currently running Antivir - but none of them have ever found anything other than false positives. About a month ago I loaded ProSecurity and playing with it has certainly helped me to understand a little more but so far no joy -- nothing nasty to block.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Read your report. Very well written. I like it. You fooled me with the tease on cost, boo to me.

    It's funny, during your 31 day test I hit 2 viruses that tried to load in my system; they were stopped by Bitdefender. I had walked away from my PC while logged on to my ISP yahoo email page. Not sure what that means or even why I'm telling this trivial event. If I had been following the minimal methods would not these viruses have penetrated the PC?

    Here is what is probably a stupid question, if you had not had windows firewall on do you think you would have been so "clean" ?

    Why are you so cavalier re tracking cookies? Do they not spy on where we go on the net and report back? If you don't scan and remove won't they accumulate and amass more and more information re you?
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Just analyze some probable vehicles of infections:
    -Worms scanning for exploits, vulnerabilities. Countermeasures:
    *Patching (Windows Update) or unplugging (Harden-It, WWWDC) the holes.
    *Personal firewall correctly configured.
    *Keeping trusted hosts (machines inside the LAN/behind the router) clean.
    *NAT/SPI router.

    -Drive-by downloads. Countermeasures:
    *Patching or unplugging holes.
    *Immunizing = SpywareBlaster/SpyBot.
    *Blacklisting IPs, domains, site restrictions = Hosts, IE SpyAD/SpywareBlaster/SpyBot.
    *Third-party browser with script whitelisting = Firefox w/NoScript.
    *Safe browsing.

    -Mail-based malware. Countermeasures:
    *Use of third-party mail client.
    *Disabling preview, HTML mail and scripts.
    *Distrust all attachments except those you have requested. Also, open those attachments with third-party viewers that have scripts/macros disabled and/or in virtual environments.
    *Drop unsolicited links and don't follow requested links. Instead, check them in a secure browser and/or virtual environments before opening.

    -Dodgy apps. Countermeasures:
    *Learning about their behaviours using Google search, asking in forums, etc.
    *Testing them yourself in a secure environment. Drop apps. that install toolbars, have a problematic EULA, phone home quite often, etc.
    *Downloading them from the creator's site or reputable download sites. If provided, verify the checksums.

    -P2P. Countermeasures:
    *Using clean/malware-free apps.
    *Don't use P2P to download software (except certified software like Linux distros, OpenOffice, etc) and, worse yet, cracks.
    *Blacklisting bad IPs = PeerGuardian.

    As you can see, you can drop malware scanners and HIPS without losing security. AVs/ATs/ASs and HIPS/sandboxes add convenience and peace of mind but also create false sense of security.

    Mr. Mrkvonic did:
    -Use router.
    -Have clean hosts inside his network.
    -Use personal firewall.
    -Use up to date OS and apps.
    -Use third-party apps with secure settings (whitelisted scripting, disabled attachments, etc)
    -Do safe browsing.
    -Use trustworthy apps.
    -Manage unknown/potentially dangerous files/links with caution.
    -Go to known sites for codecs, extensions, add-ons, apps.

    Mr. Mrkvonic didn't:
    -Leave his system without updates.
    -Use default apps. and settings.
    -Use P2P to download apps. and cracks.
    -Follow links without minimum care.
    -Download all the fancy apps. he has seen without care.
    -Accept unsolicited mail.
     
    Last edited: Jan 6, 2007
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,

    Noooooo!

    In this test I:

    DID NOT use router.
    The computer was single test machine.
    DID use Windows firewall.
    DID use up to date OS and apps.
    DID NOT use third-party apps with secure settings (whitelisted scripting, disabled attachments, etc) EXCEPT Firefox / Noscript.
    DID NOT do safe browsing.
    DID use trustworthy apps.
    DID manage unknown/potentially dangerous files/links with caution.
    DID go to known sites for codecs, extensions, add-ons, apps.

    Likewise:

    DID leave his system without updates - no updates during the test.
    DID use default apps. and settings.
    DID NOT use P2P to download apps. and cracks.
    DID follow links without minimum care - no special attention.
    DID NOT download all the fancy apps. he has seen without care - no reason to do this.
    DID accept unsolicited mail - just did not read it.

    Mrk
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,

    Escalader, please explain this sentence: did hit 2 viruses that tried to load.

    I have a hard time understanding such sentences. Viruses do not try to load by themselves. Software requires active execution - either through a script when you load a page - the action here is the loading of the page - or by direct access to a file - the action here is you trying to manipulate files.

    There's no black magic here. What did you do?

    What browser?
    What were you doing at that time?

    As to firewall, if I were not using it, I might have to do some tweaking on some of the common service ports.

    As to the cookies, who cares. Some company in South Dakota has tracked my surfing habits between 4th of March and 11th of August, in between the maintenance cycles. So? What are they going to do with that info?

    BTW, the ID identifier is some string that relates to an IP or a computer, not me. No one really knows who the person behind the keyboard is - or how many they are. Your cable company knows every movie and channel you see. So? Do you see salesmen knocking on your door trying to sell you crapunkers for 9.99?

    Mrk
     
  17. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Perhaps I'm wrong but I used to try to stop tracking cookies. Now I have crap cleaner in the recycle bin and just find myself automatically cleaning every so often. I can't see them doing any damage and they soon get deleted.
     
  18. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Mine would just throw anyone's database into a state of confusion:

    Japanese architecture > porn > security forum > slating a countertop > micro cogeneration > porn > cruck framing > wikipedia > obscure political philosophy > nomadic tribes of outer Mongolia > Stirling engines > porn > security forum > commandline reference > repousse > weaving practices of the Turkish highlands > overclocking forum > porn > Karelian Bear Dogs > SIG PCI standards > Ceramic Kilns > etc

    I'd give 'em a nervous breakdown :D

    I don't see the obsession about cookies either
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for the corrections, I was trying to summarize the five pages of the thread :D
    Your behaviours (the agreed test) have been more risky than the recommended ones, which doesn't imply that you would be more insecure. Also, you have "proved" that, regarding inbound, a firewall is virtually immune to all attacks except the sophisticated ones.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello,

    Escalader, please explain this sentence: did hit 2 viruses that tried to load.

    I have a hard time understanding such sentences. Viruses do not try to load by themselves. Software requires active execution - either through a script when you load a page - the action here is the loading of the page - or by direct access to a file - the action here is you trying to manipulate files.

    There's no black magic here. What did you do?

    YES, AS I TRIED TO SAY, I DID ZIP OTHER THAN LEAVE MY PC CONNECTED TO MY ISP WHICH IN MY CASE IS THE LOCAL CABLE COMPANY. BITDEFENDER 9.0 ACTIVELY SCANS FILES AND GAVE ME 2 MESSAGES IN A ROW SAYING IT BLOCKED 2 VIRUSES AND NOT TO PANIC AS MY MACHINE WAS NOT INFECTED. I THOUGHT GOOD, THAT IS WHAT IT IS SUPPOSED TO DO.

    What browser? FF 2.0
    What were you doing at that time? NOT MUCH JUST WHEN I RETURNED FROM DINNER CHECKED MY WEB BASED EMAIL
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi all:

    I clear cookies routinely. This is not an obsession.

    If a user like me is careful (to put it mildly) and cares about spying via browser tracking, I don't really think that is an obsession.

    If others don't care, so what? I certainly wouldn't call them non-obsessive on trackers. :D

    Hey Mrk, someone is at the door could be that salesman from SD!:D
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,
    Sorry for being a bother, but ...
    You were checking your mail and ...?
    Did BitDefender warn you about ATTACHMENTS?
    Or while you were reading email, yahoo tried to surreptitiously download something onto your machine?
    Mrk
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    or malware blocked by the web scanner?
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Never a bother Mrk, I'm used to you now.

    I can't be 100% sure of the answers for you here since I didn't record the BD messages! But all this occurred on the web based email site.

    But if I was a betting man I'd say the latter, "yahoo tried to surreptitiously download something onto your machine?" There was no reference to attachments. That I'm sure of. My ISP uses yahoo's web-based mail for public domain email and I only use my PC Outlook for personal mail, where BD scans ALL incoming mail and ZA scans all outgoing mail. How about that? I certainly wouldn't want to propagate parasites (I like that word better). I put this in to stir you up!:cautious:
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :blink:
    Do you access Yahoo via POP3 or webmail? Do you have another POP3 account?
    It seems that BD has blocked/deleted suspicious attachments.
     