Ten years later, Windows XP still dominates the Web

Discussion in 'other software & services' started by tgell, Jan 2, 2012.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    But automated attacks are the most common. The majority of users will never be faced with anything but an automated attack, and, even if protection is taken into account, it looks for easy things. The attackers aren't the ignorant ones; it's the targets that are, which is why these things are still working beautifully these days. Methods of attack are changing constantly, while protection methods and, more importantly, users themselves are at a standstill.

    So, "changing it up" can work wonders, but is only temporary. So I agree with both Noone and Hungry.
     
  2. guest

    guest Guest

  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks PeterPan.

    I guess I make the distinction between security and playing the odds.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    By itself, just changing your system is insufficient. Trusting any single method, application, or system "security feature" is insufficient. It's the policy and the combined package that enforces it that matters. Combined with other methods like isolated attack surfaces, default-deny policies, forms of intrusion detection, etc., it's one of the best tools. When an attacker doesn't have real access to your system, an attack on something that's supposed to be there but isn't (like specific system services) is a dead giveaway.

    I did read the section on patching. Doesn't apply to my system either. MS doesn't release patches for this system any more. Hasn't in years. I can run the latest non-MS browsers if I choose to, but they break most of the extensions I like. IMO, relying on patching isn't much different than relying on an AV. With Windows, it's the equivalent of plugging individual holes in a screen door. No different with user apps, a choice between vulnerable and (hopefully) slightly less vulnerable. One hole is patched and a new feature opens 2 more. I don't see this changing anytime soon. Instead of patching and plugging all the holes, an exercise in futility, a better defense is for the holes to lead to nothing useful to an attacker.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It is a lot like relying on an AV. The difference is that the consequences of an AV are that a payload can execute, which is something that default deny or any other means can stop. Depending on the exploit there's a lot fewer means of stopping it.

    It's a matter of the consequences.

    Vulnerable systems that don't get patched are also the systems that get targeted.

    I'm not saying it isn't working for you. I'm just saying that you're relying on the attackers not caring to attack you. And that's fine, but it's not great security imo.
     
  6. guest

    guest Guest

    I really don't get this "default deny" talk at all. Aren't all supported Microsoft OSs already on "default deny"? Users face warning(s) before allowing "things" to run or install. Without user intervention, the "default" is "to deny" - if the warning window(s) are closed without being answered, the "things" won't run or install.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Just running Windows is playing the odds. It will always be vulnerable, especially so without 3rd party help.
    Now we're back on the same page. Default-deny is my primary means of preventing payload execution.

    Exploit code is its own problem. Unless we all become expert coders and write our own error-free apps, they'll always be there. This we can't control. That's why my policy includes isolating the attack surface as much as possible. Restricting parent-child permissions and de-integrating the applications from the OS and each other are part of this. Stripping out the unnecessary (to me) and often vulnerable components and locking out those that can be used to alter the system is too. Filtering the web content with a free-standing 3rd party app instead of a browser extension takes much of the risk out of the web. Starting with a clean, optimized registry every time you reboot neutralizes a lot of malware. Amazing what you can do with a boot loader.

    By themselves, none of these methods are enough, but together with others I haven't mentioned, they're more than sufficient.
     
  8. guest

    guest Guest

    Lol, and why don't you mention everything? Security by obscurity is so lame.
     
  9. BrandiCandi

    BrandiCandi Guest

    Hmm... so you want to find somewhere that you can obtain live malware in the wild? You could just quarantine the stuff your AV catches & save it somewhere. Or are you wanting malware that hasn't been signatured yet? Seems like you could just surf your favorite porn and snag all kinds of malware for "free". It's a catch-22. If you want to find known malware somewhere, then an AV worth a damn would catch it. But if you want unknown malware, then you can't know where to get it because it's unknown.

    Really if you're serious about that, then you could surf all kinds of iffy sites in a sandbox. Download everything pretty & shiny. Click on every link. Then you could save the contents of the sandbox & run some forensics tools & read your logs to see if you successfully got yourself infected. If you were really a cowboy I suppose you could then unleash the stuff you snag onto your machine & see how it fares. You could always revert to the last known good configuration if you get owned.

    Maybe I'm just not understanding what it is you want to do. But I'm intrigued! Enlighten me, please. I may want to go along for the ride.

    :thumb:
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Windows is making progress in that direction but it has a long way to go. Windows might intercept an installer for instance, but then allow the installer to launch child processes. It won't necessarily restrict its ability to interact with other processes.
     
  11. BrandiCandi

    BrandiCandi Guest

    What do you mean? In what way is Windows ever obscure?
     
  12. wat0114

    wat0114 Guest

    Default-deny stops a Standard user from launching user space executables - those that don't require elevation to install in protected directories.

    I've yet to see this with my setup. I'll let you know when it happens, but don't hold your breath ;)
     
  13. guest

    guest Guest

    Lol no, even XP with SP3 won't allow you to run an installer in the first place without explicit permission. The process just won't start. Search on Google Images: open file security warning.
     
  14. guest

    guest Guest

    That was directed to this bold part of noone_particular's post:

     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Strong policy is definitely strong security. I just don't think policy is enough. Security to me is equal parts technology (ASLR, DEP, SEHOP) and policy (SRP, MIAC).

    Policy applies to any operating system. You can use the same Windows policies on Linux or OSX or Android or iOS. It's a policy.

    Technology is a lot harder to port. You can't just make the Windows XP kernel support ASLR or (especially so) SEHOP.

    So when you're lacking in this technology you're forced to use more restrictive policy, which has to be enforced through third party security software, which in itself is attack surface.

    Not patching makes things much worse because you become a target. Worms look for users who don't patch. Malware loves an unpatched machine and depending on the exploit it really doesn't matter what you've got on there.

    With a patched machine on an old outdated OS like XP you'd maybe be able to get the hacker to just go away because it's too much of a bother with all of your policy.

    With an unpatched machine on an old outdated OS like XP anyone's going to get screwed pretty much regardless of what's running. If one process gets hit that's really all they need. No need for default deny to stop their payload from executing... virtualalloc() and load up your payload and that's it. This is how ROP works, virtualalloc is pretty much the go-to.

    With an unpatched Windows 7, yeah, you might get a vulnerability... but it'll be harder with ASLR/DEP/SEHOP and even harder on 8, which breaks ROP in a lot of ways. Even if you do you could be trapped in a low integrity process like Reader, IE, or Chrome. Or another process that has to elevate and give a loud UAC warning. It's definitely not impossible, it happens. It's just a lot more difficult for the attacker and developers have a lot more technology to take advantage of.
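
Added audit example for the two controls debated above: wat0114's point that default-deny (SRP) decides whether a standard user's user-space executables run, and Hungry Man's point that policy has to sit beside OS technology such as DEP. This is not code from the thread or from any poster; it assumes Windows PowerShell 2.0 or later on XP SP2 through Windows 8, and reads the SRP policy from its documented registry location and the DEP policy from WMI.

```powershell
# Added example (not from the thread): report whether the machine is really
# running default-deny SRP and which DEP policy is in force.
# Assumption: Windows PowerShell 2.0+ (Get-WmiObject is used for XP compatibility).

$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP DefaultLevel values: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted.
$srpLevels = @{ 0 = 'Disallowed (default-deny)'; 4096 = 'Basic User'; 262144 = 'Unrestricted (default-allow)' }
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values.
$depPolicies = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (Windows binaries only)'; 3 = 'OptOut' }

function Get-SrpDefaultLevel {
    # Returns $null when no SRP policy has ever been applied to this machine.
    if (-not (Test-Path $srpKey)) { return $null }
    $props = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.DefaultLevel -eq $null) { return $null }
    return [int]$props.DefaultLevel
}

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return [int]$os.DataExecutionPrevention_SupportPolicy
}

function Test-DefaultDenyPosture {
    $findings = @()
    $level = Get-SrpDefaultLevel
    if ($level -eq $null) {
        $findings += 'SRP: no policy present; executables in user-writable paths run by default.'
    } elseif ($level -ne 0) {
        $findings += "SRP: DefaultLevel is $($srpLevels[$level]); this is not default-deny."
    } else {
        $findings += 'SRP: DefaultLevel is Disallowed; only explicitly allowed paths or hashes run.'
        # Under a Disallowed default, the Unrestricted rule set (subkey 262144) is the allow-list.
        $allowPaths = Get-ChildItem "$srpKey\262144\Paths" -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
        foreach ($p in $allowPaths) {
            # An allow rule that covers a user-writable location reopens the door SRP closed.
            if ($p -and $p -match '(?i)%userprofile%|\\Users\\|Documents and Settings|%temp%|%appdata%') {
                $findings += "SRP: allow rule '$p' covers a user-writable path; review it."
            }
        }
    }
    $dep = Get-DepPolicy
    $note = if ($dep -eq 2) { ' (third-party apps are not covered unless they opt in)' } else { '' }
    $findings += "DEP: $($depPolicies[$dep])$note"
    return $findings
}

Test-DefaultDenyPosture | ForEach-Object { Write-Output $_ }
```

Run it in an elevated prompt on the machine being discussed; a result of "no policy present" or "Unrestricted" means the setup is default-allow regardless of what the installer warning dialogs look like.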
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think this is only for files marked as having been downloaded from the internet.
     
  17. guest

    guest Guest

    True, but I don't know of a supported Microsoft OS that is vulnerable to any known vulnerabilities that could allow an infection to happen without at least one "secondary" user interaction. Even Autorun was patched: http://technet.microsoft.com/en-us/security/advisory/967940
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Partly because I didn't think of all of them and partly because there's some I choose not to talk about. Forgot to mention the hardware and software firewalls, script protection and whitelisting, integrity checking, encryption, virtualization when I use it, etc.
    That's what I said. Windows will catch the installer. It doesn't necessarily catch what the installer does if you allow it. With classic HIPS in admin mode, I get prompted for each process the installer wants to run.

    There's a few differences in the definition of what many of us consider to be default-deny. The example you gave I'd call default-ask, which leaves open the door for social engineering tactics. On mine, I won't see that prompt unless I have SSM in admin mode and already allowed the initial prompt it gave. In user mode, it won't even get that far. wat0114 defined default-deny as it applies to a standard user and user space. On mine, SSM makes no such distinction.

    Regarding SP3, not using it. XP SP2 is my newest MS operating system. It's used almost exclusively for one game and some casual browsing. SP3 breaks certain apps I like and interferes with my ability to disable certain services I don't need. I don't specifically remember which and I'm not reinstalling it to find out.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Uh, vulnerabilities that require no user interaction in the MS OS happen.
    https://technet.microsoft.com/en-us/security/bulletin/ms11-083
    http://blogs.technet.com/b/srd/archive/2011/11/08/assessing-the-exploitability-of-ms11-083.aspx

    That's a fun one I like to point to when I can. Remote code execution of our payload, kernel level exploit, works at the firewall level. It's a fun one.
     
  20. guest

    guest Guest

    Please, make something like this: https://www.wilderssecurity.com/showpost.php?p=1992916&postcount=21085

    It would really be very interesting to see your list.

    Oh I see. But what you call default-deny is in fact a default-ask too.

    Warnings are hidden, sure, but you know what the app is asking and you can give it a positive answer if you want. You will have to deal with several passes, but you still can allow it, so it's still an ask waiting for an answer.
     
  21. guest

    guest Guest

    I know they happen, but all publicly known ones of that class are patched in supported MS OSs. There is no disclosed unpatched one of that class right now.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes... right now. That one was found before it was patched iirc. Duqu was in the wild exploiting 0days before the exploit was known. They're all 0days until we find them haha
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Not exactly. Switching to admin mode requires a password. As long as SSM stays in user mode (which it is 99% of the time), the only message a user sees is "Access Denied". This morning I went to admin mode for a short time when I updated Tor and OpenSSL. Beyond that, it's been in user mode for the last month or so. For anyone else, installing is impossible, as is running a portable app or anything that autoruns on USB or CD. Making any change permanent on my system requires me to run about 10 steps in a specific sequence, otherwise part or all of it is gone on reboot.
    Interesting, maybe, but not applicable to 99% of the systems here without major changes to both.
     
  24. guest

    guest Guest

    What you're saying is that you can't post your current security setup without changing it?

    Are you afraid you can be a target of a direct attack simply by posting here behind Tor/an anonymous username/no personally identifiable info whatsoever?

    No need to explain, yes/no is sufficient if you want. lol
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    At the rate this thread is moving, it's getting too easy to miss posts and responses.
    No. My setup would not work on the vast majority of systems being used here. A lot of it wouldn't be compatible. We're not using the same operating system.

    Regarding Tor, I seldom use it. I'm connected directly, which I do most of the time. I run an exit node primarily to help the network.
     