0-Days Not As Big of a Threat as You Think

Discussion in 'other security issues & news' started by dw426, Oct 13, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That article is from 2008. I believe it was Sophos who came out with a more recent report indicating that the number of legitimate websites used to distribute malware has only continued to increase.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Maybe I'm just not sane :D That's okay, normal people bore me, lol. Look, I never said these 0 days didn't exist, I just don't believe they are as big of a problem as people like to believe. And yes, security companies do in fact feed on fear. To hear some of them talk, the Internet is cursed to suffer the same fate as Europe in the 14th century. Social engineering is where it's at for us "simple folk". No Stux, no Apocalypse-inducing super duper malware. And, social engineering happens to be the easiest form of attacks to avoid...provided you pay attention for more than 2 seconds.

    There's a difference between threats the average person is going to face, and the lab projects that testers play with and purposefully go looking for. Not trying to start anything, I just don't believe all the hype and am not seeing these "nightmares" that are said to be waiting for me around every corner *shrug*
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That verifies something I've been trying to get people to understand for a long time. The old adage, "don't visit (insert term) sites" is completely insufficient. Besides legitimate sites getting compromised, we've also seen that DNS is vulnerable. There is no such thing as a trustworthy site. With DNS poisoning, there's no guarantee that the site you want to visit is the site you'll end up at. Too bad if you have it listed as trusted. All of the internet should be treated as untrusted, with minimum permissions allowed in the browser. Only afterwards should permissions be increased if it's deemed necessary for the site to function.

    I don't see nightmares around every corner, but I have run into malicious sites during searches for subjects that shouldn't have anything risky associated with them. The nightmares don't need to be at every corner you take. Just one of them is sufficient if your browser settings allow too much or your security measures are incomplete.
     
    Last edited: Oct 13, 2011
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh, they definitely feed on fear. Norton proved that with their false studies showing how much security supposedly costs the US government every year and some other BS stats.

    I do not think that 0days are overblown at all.

    I disagree. Socially engineered malware is very dangerous. Android's proven that. The malware on the Google market place is fairly sophisticated often acting as a legitimate application and providing functionality such as a file browser etc to look more legitimate. How is anyone to tell that it's malicious?

    More so, when a user truly believes a file to be safe they often allow it to circumvent their usual security methods. This is where something like default deny fails.

    I agree. Corporations, labs, and personal users will all have very different experiences. I do believe that 0day malicious files are still more common than, say, legacy ones. I do still believe that while 0day exploits are NOT commonly exploited they are something to be taken very seriously.

    Agree completely. I think that's part of the issue with the current certificate system and I think it's an issue with computer policy in general.
     
  5. wat0114

    wat0114 Guest

    If that's the case then, for example IE9, under Internet Zone...

    enable: "Launching applications and files in an IFRAME" = Disable or Prompt.

    Just harden the browser as Rmus continually attempts to hammer home, and harden the O/S with as much as is available at the finger tips, and these so called threats are rendered practically inconsequential.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    often* open up. Not always. Plenty of other ways to go about it. I was just explaining why there are seemingly random sites hosting malware on those domain lists - they're usually referenced by legitimate sites.
     
  7. wat0114

    wat0114 Guest

    It doesn't matter how many ways it can be done, they're easily blocked or at the very least easily overcome with a strong and sensible policy in place.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, there are measures. But they won't necessarily work all the time.

    If you got a site like wilders and it's been hacked and loaded up with malicious code what's your defense?
     
  9. wat0114

    wat0114 Guest

    Any number of the following at my disposal:

    -http://www.wilderssecurity.com/showpost.php?p=1954659&postcount=19486
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The biggest help there would likely be EMET. EDIT: Or perhaps some other part. Hard to say. It depends on the complexity of the exploits used.

    If it's an automated attack it'll probably fail with a powerful setup. If it's a direct attack probably not.

    http://pen-testing.sans.org/blog/2011/10/13/tips-for-evading-anti-virus-during-pen-testing

    I was reading this earlier today. A very nice "walkthrough" on what it's like getting into a system and avoiding antiviruses.

    EDIT: My only point is that defending against 0day vulnerabilities isn't as easy as defending against known vulnerabilities. You never know what they'll target or how they'll work or what they'll do.
     
  11. wat0114

    wat0114 Guest

    That looks to be someone's code for a backdoor exploit, no? If so, how exactly does that get on to a secured machine and allowed to run?
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Social engineering or exploits. To get it to run on a system with default deny is a whole other story, and I don't know enough about it to say.
     
  13. wat0114

    wat0114 Guest

    I rely largely on my "Spidey senses" (moxy) to defeat social engineering, and my security setup for the rest.

    I don't know enough about it either, except I do my best to secure the machines in this household to the best of my ability with the means afforded to me depending on the O/S, with the goal of using as little 3rd-party security as possible. It hasn't failed me in years, even when I was using 3rd-party apps, and whether or not people want to attribute that to being fluky or having ability is immaterial to me. It's worked so far and that's all that really matters. If the day ever comes that something does breach these defenses, then I will have to seriously re-assess my security approach, but until then it's essentially status quo with occasional modifications along the way.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That should apply to all of the attack surface applications. Just as with implementing a default-deny policy or sandboxing attack surface apps, there's more than one way to defend or harden your browser. My preferred browser defense is to filter the content before it gets to the browser. I've also tightened the browser's settings and use several extensions. You mentioned iFrames for instance. In themselves, iFrames aren't good or malicious. It's what they're used to deliver that matters, and at times you might need to see their contents. The original Proxomitron filters have an easy solution for this. Convert them to links, which allows the user to choose whether or not to open them. The filter has always been there but wasn't enabled by default.
    [Image: Prox-iFrame.gif]
    Regarding the question:
    The Wilders site has never needed any additional permissions to work properly, so no additional permissions are necessary to use it, unless you count allowing offsite images.
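    The iframe-to-link idea described above, written here as an added example in Python rather than as a Proxomitron rule (this is not the Proxomitron filter itself); it uses only the standard library and runs over a small constructed HTML page:

    ```python
    from html.parser import HTMLParser
    import html

    class IframeToLink(HTMLParser):
        """Rewrite every <iframe src=...> into a visible <a href=...> so the user
        decides whether to load the framed content; the iframe's fallback body is
        dropped, everything else is passed through unchanged."""
        def __init__(self):
            super().__init__(convert_charrefs=False)
            self.out = []
            self.in_iframe = False

        def handle_starttag(self, tag, attrs):
            if tag == "iframe":
                self.in_iframe = True
                src = html.escape(dict(attrs).get("src", ""), quote=True)
                self.out.append(f'<a href="{src}">[iframe: {src}]</a>')
            elif not self.in_iframe:
                self.out.append(self.get_starttag_text())

        handle_startendtag = handle_starttag  # same treatment for <iframe .../>

        def handle_endtag(self, tag):
            if tag == "iframe":
                self.in_iframe = False
            elif not self.in_iframe:
                self.out.append(f"</{tag}>")

        def handle_data(self, data):
            if not self.in_iframe:
                self.out.append(data)

        # keep entities, character references, comments and doctype as written
        def handle_entityref(self, name): self.out.append(f"&{name};")
        def handle_charref(self, name): self.out.append(f"&#{name};")
        def handle_comment(self, data): self.out.append(f"<!--{data}-->")
        def handle_decl(self, decl): self.out.append(f"<!{decl}>")

    def filter_iframes(page: str) -> str:
        p = IframeToLink()
        p.feed(page)
        p.close()
        return "".join(p.out)

    # constructed sample: a page with a zero-size iframe pointing at a placeholder host
    SAMPLE = ('<html><body><p>Hello &amp; welcome</p>'
              '<iframe src="http://example.invalid/frame?a=1&amp;b=2" width="0" height="0">'
              'fallback text</iframe></body></html>')

    if __name__ == "__main__":
        print(filter_iframes(SAMPLE))
    ```
    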
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    A secure system, whatever that may be, we know will stop malware in the first instance, the trouble is not everyone is a security researcher or system admin...
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    What type of file are you referring to? The only files this could apply to are executables. If the file is an installer or free-standing executable, the user would need to let it run, but there would be no need to lower any other defenses.

    The reason I mention this is because the vendors of conventional security apps like to mis-represent the usage of default-deny by claiming you need to whitelist documents, web pages, etc. when the restrictions/policies apply to the handlers for these files. That's where the sandbox comes into play, software, policy, virtual, etc.
     
  17. wat0114

    wat0114 Guest

    That's a solid approach you're using :thumb:

    Good point. No active content to be concerned about.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.computerworld.com/s/arti...ted_Microsoft_says?taxonomyId=17&pageNumber=2:
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The fact that the user has to allow anything is the problem. You're experienced and know what you're doing. The average user does not. Default-deny could never work for them.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    So, you don't care about LNK and other dangerous exploits.

    How so? I thought the LNK exploit used .lnk and .dll files, not .exe.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, a DLL is a binary executable, in this case triggered by code in the LNK file:

    [Image: link_dll.jpg]

    Now, a DLL is launched by rundll32.exe as you can see from the program name.

    I don't know how Group Policies are set up (which was the original question), but I imagine it could specify any executable file type, or blacklist specific programs from running from external media.

    My point was that it is easy to prevent unauthorized executable files from running without permission (remote code execution), if proper Policies or Security Products are in place.

    regards,

    -rich
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have to assume that you're referring to installing new applications or updates, or running a new free-standing application. Files types which already have default handlers specified shouldn't require the user to do anything.
    A PC is most vulnerable when the system is being altered, not just from malicious code, but from undesired changes, incompatibilities, etc. This is especially true when default-deny is the primary defense, which is why I made updating and installing an admin-only duty. Because installing and updating are semi-normal tasks (not meaning user tasks), the user's security policy needs to address this as well. Most people would consider my updating/installing policy to be too much hassle, but then I don't alter my system very often and I definitely don't install every minor update for every app I use.
    My Updating/installing policy is as follows:
    1. I make a full backup of the partition to be altered before doing anything. Most of the time, I use an Acronis Rescue CD for this.
    2. The new application/update is uploaded to VirusTotal and checked.
    3. All of my security apps remain enabled, regardless of what the installer says. All alerts and prompts get read, which can get beyond tedious when you're installing something like Open Office. o_O SSM alerts me to attempts to add new drivers and services. When an installer says I should shut down my firewall, I'm already suspicious and watching for SSM or firewall alerts. It's entirely possible for malware to have a perfectly clean installer and to download the malicious components during the install process. If an application will not install without being given internet access, I usually kill the installer and restore the image made earlier.
    4. I use Inctrl5 (works on XP and older systems) to monitor and record the entire install process. All drives and partitions are monitored. The external hard drive is disconnected. Inctrl5 gives me a full report of all new, modified, and deleted files/folder and a record of all registry changes. If used faithfully and combined with a full file list of the original system, the user has a written record of every file on their PC and what app it belongs to.
    5. The new application's first run and the setting of its preferences is also recorded with Inctrl5.
    6. When possible, this process is first done on a test unit or a virtual system.

    Back on the subject of default-deny and the average user. It's true that the typical user wouldn't be able to configure their system or apps to enforce a default-deny policy. If someone else set it up for them, there's no reason that they couldn't use such a system, provided that they're not the sort that always wants to "install this or play that". I did this on a friend's PC after their roommates (who were always looking for game cheats) kept finding those fake AVs. Installing an occasional new app for them was far easier than getting rid of those things.

    Default-deny isn't really suited for users who change their systems a lot, no matter what their experience level. For all practical purposes, default-deny is an anti-change policy. Besides making it nearly impossible for unwanted code to alter your system, it makes it inconvenient for the administrator too, unless they choose to disable their defenses which IMO would defeat the whole purpose of implementing default-deny in the first place.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Which is my point. Default deny works as long as the user is ok having a static system. The problem of course is that if the user is downloading something and planning on installing it, malicious or not, they don't want a static system.

    All that I'm saying is that default-deny is not going to work for the average user. It can work for you because you understand it but those steps you listed are asking way too much of a user. And frankly you shouldn't have to do those if the OS is set up properly (which is impossible with current operating systems unless maybe some SELinux stuff I don't know about.)
     