When is "insecure" good enough?

There seems to be a big split here between theoretical and practical minded types, when it comes to desktop security. e.g.

Take a Windows XP desktop. It has IE 8, MSE, the default XP firewall, and little else, and the user is not terribly experienced. It's not a secure system, and the chance of it getting infected is probably pretty high.

Now take a "paranoid" Windows XP desktop, of the sort typical for users here. Say it has Google Chrome, and Online Armor configured as an executable blocker; and the user is a fairly experienced computer nerd.

The second system is not really secure either, due to XP's design flaws. But what are the chances of it getting infected now? What will the chances be in five years? Ten years?

I'm betting "near zero," "near zero," and "still damn near zero" respectively. Sure, a real live blackhat could blow right through all that. What are the chances of getting on the radar of a real live blackhat? If you did, how safe would you be with a modern OS? Still not very safe, I'd think.

Quoeth our own Hungry Man, on his own blog:

Which is exactly how things were ten years ago. And probably how things will be ten years from now. And don't get me wrong, I would love for desktop OSes to be engineered well; but as long as they're made of duct tape and baling wire, why should malware authors go the extra mile, when doing so would cost them, and be of little benefit? Why should end users go the extra mile, when doing so would cost them, and be of no conceivable benefit at all?

tl;dr I would assert that individual desktop users are not high-profile targets, and therefore their chances of attracting anything other than the typical, easily blocked ITW malware are quite low.

Is this not a reasonable stance, considering the state of the software industry? If you believe otherwise, can you prove it in terms that actually apply to a typical end user?

 

Careful about partially quoting people, because you're missing quite a bit. From -http://www.insanitybit.com/2013/04/09/windows-xp-abandon-ship/

"And, again, before you go “b-b-but I tested it against real live malware!” – no – in the wild malware is pansy **** aimed at the lowest denominator. If every kid in the class gets a 0 and you get a 5 you’re not a genius, you’re just not a complete idiot. In the wild malware is crafted to target people with only an antivirus installed, with out of date software, etc – it is not hard to stay ahead of it. You can generically attack an XP system and bypass *all* of the security software above (except NoScript potentially) without having to target specific setups.

So let’s simply end any and all ‘debate’ about whether you can stay secure on XP. You can stay lucky, you can even keep the system clean just by being different enough, but you can’t stay secure.

If you don’t get that just slap yourself in the face until it sinks in."


Fact is, XP is a neon bulls-eye on a gun range in the middle of the night for everything from script kiddies to "real live blackhats". I mean, okay, so you at home have a firewall installed, you have your AV and you have this and you have that..you're still not safe. I don't need to be a real live blackhat to blow through that, not on XP. I don't care if you keep it for an old program you somehow "need". If you're a corporation, that excuse is getting old and you're just helping the now prevalent corporate hack-fests continue. If you're a home user, that excuse is 6 feet under tightly packed dirt with a granite block sitting over it. If you get some stupid trojan that siphons all your data to some Mafia go-fer in Moskow, fine, it's your issue and your sole problem. If you get recruited into a Bot-net, suddenly you're a problem for a lot of people.

So please, for your sake and the sake of others possibly, just upgrade the damned OS. If you can't afford Windows 7 still, go to Mint Linux, go to something. No current developer who is thinking clearly is developing with XP in mind, and they're not supporting XP. If they are, then they are also part of the problem.

My two pennies.

 

It really depends on the kinds of threats you are likely to encounter. Let's say you are behind a router, you are visiting same 5 sites every day and you are not downloading anything, you are not putting any DVD or USB stick in your computer, and so on (I know this is a bit extreme, but it is an example). Even if you use WinXP SP2 the probability of infecting your computer is extremely low (note that it is not zero, because one of the 5 sites could become infected one day).
Now remove the router from the mix. Now you could be infected by an attack on one of the open ports, so you will need a firewall (the one from Windows would be enough).
Now let's say you want to insert any USB or DVD. You will need an AV, because some files on the DVD or USB could be infected.
Now let's say you want to navigate on other sites than the 5 "safe" ones. You will also need a HIPS, and to keep your browser and OS patched in order to keep your system secure.
Or, you could run the original configuration with no security and restore your OS every day from a backup, because you don't store anything important on that computer. Back to square one

What I am trying to say that being "secure" or "insecure" is just a matter of risk management/assessment, and no threat, no adversary and no configuration is the same for every computer.

 

Mman79: I read (and parsed) the entire post actually, I just thought the bit about ITW malware was particularly relevant.

Also, I would in no way recommend that anyone use XP at this point, if they can at all help it. However

See, I actually use Linux for just about everything. But Linux is really not an alternative for a lot of people, and new versions of Windows (or new machines with them preinstalled) are expensive, even these days.

I dunno, I'm just getting sick of hysterical warnings and ever-more-rapid hardware and software turnover. Between that and having seen relatively few instances of actual compromise, even on obsolete Windows versions, I have yet to be convinced that a reasonably cautious XP user would be in any significant level of danger based on what is actually present in the wild.

(Cue Microsoft in two years or so: "Windows 8 is convenient, but it's really, really insecure. Users should consider upgrading to the current version of Windows Blue, which will require 4 GB of RAM, but we promise it will perform better at all tasks.")

 

@Nebulous:

Well, sure, it's always been about risk assessment and management. However, using a 10+ year old OS, even "hardened" is just bumping up the risk unnecessarily. Some things though you simply cannot deal with no matter how many security programs you throw at them. The kernel in XP is one of those things.

 

Lol, I'm with you in regards to the "must upgrade now!" mentality. But, you have to see most of that for what it is, especially in the case of MS. Marketing is an entirely different matter.

I personally think that the security industry itself and the major tech media outlets are a tad bit overzealous about the state of security. It's a bit much to read "Millions more malware this year than last", when it's really 90% updated versions of old malware.

Linux, well, Linux is Linux. You know, not that long ago I would have been in the camp that believed Linux could not ever be a true alternative to Windows. Then Steam happened. While I'll state all day and all night that Linux won't reach Windows levels of usage, Steam helped tremendously. There are still issues such as the Photoshops and video card drivers of the world, but the barriers to entry are falling.

As I said in my previous post, kernel issues alone keep even reasonably cautious users from being safe enough. 3rd party programs can't solve all problems, especially not things like that. And, let's be realistic, how many of those millions of XP users take even some of the steps that have been talked about in this thread? How many of these copies of XP are used by people with the mindset of "Haha! I stole it, screw you MS!". Answers: 1. Very few. 2. An ungodly huge portion. That leaves a lot of low hanging fruit and ripe targets for the picking off. See, usually when these topics come up here, it's from a Wilders user perspective. But that's just not the way this quite large world operates. Wilders-type people are 1 percenters and you simply can't use such people to argue these kinds of cases.

P.S, if MS were to take that stance when Blue came out, that Windows 8 was sorely insecure and should be upgraded to Blue, they'd be hung, drawn and quartered in a PR sense, lol.

 

No expert at all on kernel vulnerabilities, and I will even admit there are numerous that existed and are patched, and likely many others not yet patched, but a common theme I see in MS Security bulletins, including the recent April bulletins, that might put their threat level in perspective, to some degree at least:

 

"Valid login credentials" covers a lot of ground. If you can inject code into a user's Firefox session, then you effectively have valid login credentials: that user's credentials.

I'm not arguing that kernel vulnerabilities are less severe than often presented, more that they're not in sufficiently widespread use to cause problems. Which may change... But frankly I doubt it.

 

A "specially crafted program" could be anything though. It's too easy to pull that one off.

@GullibleJones: That's the thing, the fact they are even out there to begin with is cause enough to consider the implications of running with an out of date, no longer patched kernel. It's just so easy to nail Java, Flash and un-patched programs first.

 

Just curious here, but have you actually done that? I think it would be a great little test to have someone who truly knows how to do that try it on a hardcore power-users machine.

I think its only too evident that there is no "fool proof" security, but it would be so very interesting to see real world results from many members here. Might be a dose of good medicine lol.

Heck, I wouldn't mind if I was the test subject. I can easily setup a machine for testing.

Just a thought

Sul.

 

I've done some in the past, yes. But Sully, I'll be right up front with you, I haven't messed with the "dark side" as far as actively hacking in so long, and I just don't have the interest in it. It's enough to keep up with trying to defend systems these days, let alone break them Toying with the idea here presents a few issues. For one, I doubt the mods will let that discussion last long. For another, there is no way on earth or in hell I'd trust even the most known of members on an internet forum to offer myself up like that.

I'm not claiming to be a security guru or anything, God knows I'm not. I've just "been around the block" so to speak enough times and listened to enough people a hell of a lot smarter than I'll ever be to understand that the continued use of XP as an internet-connected OS is begging for trouble. It's just not worth loading up all the security measures you can toss at it and hoping for the best, all because someone has a strange "love" of a handful of old programs. I just am against it wholeheartedly and don't really know what else to say on the matter. My simple opinion though, nothing more

 

Not so long ago he boasted that he was going to code some exploit that would infiltrate mine & others XP. Then he had to backtrack & admit he couldn't actually do it. So is he now in a position to try ? If so i'm up for it, along with Sully

 

True, but I wouldn't expect the forum to be involved in any aspect except the results.

lol, I must be risque or something, flirting with strangers

I probably wouldn't want to purposefully test my main machine, but its not big deal to put an image back on an older machine (or restore my main machine if it got hacked). I have nothing of any value to steal, so it matters not who hacks into my machine I suppose, other than the inconvenience of cleaning it up afterwards.

I've been preaching for years to people to keep sensitive information off thier hdd and on some portable media. I suppose that plays 50% of myself not worrying about being "hacked" - there's nothing to gain really. The other 50% I would say is I know how to tell if something is amiss most of the time, and its nothing to put my image back on. 10 minutes of my life lost is all.

Still, I would love to participate in a real world test to see how I fare, or rather to see if I fare as I think I would. Testbeds that attempt to do such things are alright, but I would love to see what a real, true to life hacker could do. If nothing else it would expose the flaws I currently have

Sul.

 

There seems to be an issue with quoting here at Wilders. Some quote partially, some, like yourself in your post attribute the quote to the wrong person. So, to avoid any undeserved attacks on HungryMan, you quoted what I myself wrote a few posts up from yours. I was making a point that 3rd party security programs don't magically make an OS 11 or so years out of date, more secure.

 

I understand what you're saying But for me, nope, not letting strangers in no matter how little or how much of value I have squirreled away on my system, lol.

 

You didn't quote HM as is expected on here ? unlike how i just quoted you above. Therefore i mistakenly missed your "'s and saw it as a quote from HM. Appologies to you both for that.

Well the offer still stands, i'm up for it too

Originally Posted ibit/hm

You said you could provide a POC for me & others to test on our comps, & that you expected it would gain access etc !

It's protected me Hundreds of times trying to run Nasties, including Rootkits

 

Ugh, my reply got eaten. I could have sworn HM posted something as "ibit"? And it disappeared somehow? And I was erroneously notified that this thread was closed?

Anyway...

I think I will attempt to settle this question with some VMs - a pentesting distro, and WinXP SP2. Can anyone recommend me a pentesting distro that's a bit lighter than BackTrack?

(Yeah, I'll be doing this on a machine with 1500 MB of RAM. Have I mentioned I hate hardware turnover?)

Edit: Kali Linux has a mini version that's only 22 MB (20 for the 32-bit version). Boo ya.

 

He did..I think it was him. My guess is that a mod got in touch and worked out his password issue. But then why were the posts deleted? Did I miss a fight? Maybe he self-deleted. Who knows.

 

Meanwhile the Kali Linux "mini" ISO turned out to be an installer. Feh. And installing Metasploit on my desktop requires registration. (As well it should, obviously, but still annoying!)

Also my Windows XP CD is no longer readable, so I'll have to go with Win2k.

I will see about tackling this tomorrow, I think...

 

No. From MS' pov, it literally means the attacker has to physically log into the target machine and run a specially crafted application to exploit the kernel vulnerability.

It's been done in this forum before. I'd be willing to subject my XP setup to an exploit attempt test

 

No, NO, NO. Why would you think it has anything to do with physical access?! Or even a standalone "special" application? GJ is right (thanks for explaining first, BTW). If the right code is running (started from any exploit), it's logged on. But, I already tried to explain that to you in your "choosing only the updates I require" thread...

The only difference between Remote Code Execution bulletins and Elevation of Privilege is that the latter requires an intermediate step of other code running, started somehow, first. Whereas the "end result" of RCE can "just happen."


Back when I used to run everything as unrestricted admin (before I knew about dropped rights, etc. ), I would also skip some of those updates. Not because I thought they needed physical access (nonsense) or separate app, but rather because everything was admin anyway, what difference did it make, as "elevation" wasn't needed...

Assuming you aren't running [exploitable stuff] as admin, you better install those updates! As I also said previously, you better KNOW what you are doing, talking about, etc. if you think you're going to be "wise" and decide what to install or not.

 

@ Mman79

You're not seeing things he did post ! Why it dissapeared, & then the thread got closed ? Now it's open again ??

Ahh, so that's it, you don't remember saying you would write a POC that would exploit my comp !

That "might" be ok, but unless you had a carbon copy of my system, it wouldn't be relevant.

I know we don't see eye to eye on these matters, but i've been trying to infect my comp for years, with no success, probably before you had a comp You have to accept that some people have been at it longer than you. Plus i don't think you have even tried to infect your comp with even ! nasty, never mind hundreds +

Anyway, all the best with your finals

 

That's what he was getting at though - ITW malware is mostly weak stuff. The argument here isn't whether the configured XP box is exploitable (it is), the argument is whether that exploitability actually matters in practice.

Edit: and wat0114, I'm afraid Dr. Larry Pepper above is correct. If an application running under your account has been compromised, the context the hostile code is running in is your account.

 

I'm quite aware of that. I'm only trying to point out what MS is implying in their statements. It seems pretty clear to me if you read the last two sentences, first paragraph...

http://technet.microsoft.com/en-us/security/bulletin/ms13-017

 

Has anyone here actually experienced privelage escelation on thier machines? I haven't, even running as admin on XP or 7. And I don't update except to slipstream service packs onto the source and reinstall.

For me "insecure" according to MS anyway has always been good enough.

Sul.