Interesting Conversation with a Hacker

Discussion in 'other anti-virus software' started by Nevis, May 22, 2012.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    That's security thru obscurity.

    SRP is still security thru good technique/mechanism, because it is most economical and effective for hackers to make malware that needs execution and memory-only attacks are limited in what they can accomplish.

    Not security thru obscurity.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's really not that different if you think about it. In both cases you're just not the target the hacker is expecting. It's not that the target is any more difficult; it's just that the target is a minority and not common.

    Use my 1-bit entropy ASLR example if you'd like. It'll stop every automated attack that doesn't expect ASLR but it'll take 0 time at all to brute-force through.

    Is that security?

    edit: I'm not saying to not use AE. I'm just saying not to rely on it and that, on its own, it's really useless except that hackers won't expect it.
     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I get your point but I consider the true value of SRP in the fact that hackers need execution and administrative rights to ultimately damage Windows and accomplish more than just opening a rogue security app thru hacking Mozilla, which at that point I'll see the BS and I'll reboot and it'll be gone.

    Memory-only has its limitations and I am confident that soon Microsoft and other AE companies will recognize this and find a way to stop this...

    ...That is if EMET turned up all the way (ASLR, SEHOP, DEP) isn't already stopping the few of these SOBs that are out there.

    To your edit: I don't rely on it solely. The biggest security setup pitfall regardless of approach is relying on only 1 layer, in my opinion. ALWAYS use multiple, overlapping layers!

    But I disagree that SRP is useless if they expect it. Again, the one thing that bypasses anti-execution isn't that threatening to a user that recognizes what to do, whereas the many things that will bypass anti-viruses alone without other safeguards can be VERY dangerous to any user.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think that's true to an extent. A hacker is definitely going to want admin rights (though they don't need it necessarily; plenty of viruses will fall back if denied admin and instead just run as a standard user.)

    If a hacker were to attack you with a technique that bypasses an AE I think rather than simply having Firefox open up the rogue app (I don't even think that's possible? IDK) it would either try to elevate to admin straight away and hope the user clicks Yes or it would try to hop to another process to elevate.

    Memory-only definitely has limitations. But that doesn't mean a hacker's going to stay there, just start off there.
     
  5. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    My work Windows 2000 box got a rootkit with almost no surfing with firefox and NoScript.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Just an example. Go with the 1-bit entropy ASLR if you like.
     
  7. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    So running on a SUA with UAC on maximum, let's say they bypass EMET and ASLR and they also bypass my SRP...

    Well they can make their next move be finding a process that can do some harm but to do that they're going to have to use an admin elevation exploit. And they're not gonna fool me with a UAC prompt because any prompt I get when on the Internet gets a NO regardless of circumstances.

    And if they do elevate to admin somehow well then they're also going to have to break out of Sandboxie...

    ...And then when they do that and they run a rogue I won't fall for it...

    Or if they hide and wait until I do some banking then they have to bypass my identity protection, THEN my monitor service will alert me a large sum of money has gone and I'll immediately have it reversed then reformat my computer with a clean image.

    Zero-Tolerance Policy for Hackers & Malicious Software. :)

    EDIT: I forgot to mention that they're going to have to do all that using NEW, unpatched techniques because I aggressively keep up-to-date. Seriously already, just hack my neighbor who doesn't even know how to renew his AV subscription.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They don't need admin to do this.

    This would probably be hard with experimental protection. Like I said, a sandbox is way better than AE.

    Why would they try to trick you after having already gotten into your system?

    What protection is that? If it's trusteer I think it's ~10 lines of code to bypass it.

    But, yeah, they'll probably just use you as a botnet or maybe take over an account to send out spam.

    Botnet needs admin, spam doesn't.

    or clickjacking, also doesn't need admin.

    But they could get admin if your UAC is on default settings or (since I'm sure it's maxed out) trick you or some other UAC bypass (inject into UAC, wait for user to elevate? wonder how that'd work) or escalation exploit.

    But, again, they can do a ton as a user.

    edit: But you're using Sandboxie and you're using EMET so that's pretty strong. And I think that AE can work in combination with something like Sandboxie.
     
    Last edited: May 25, 2012
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    1. When you say "they don't need admin to do that" I meant they'd need an admin likely to find and control a process with high enough integrity to do any real damage to Windows itself.

    2. When you say "why would they try to trick you after they already gained access" I didn't mean rogue in that sense I meant rogue trying to get me to give them credit card info

    3. When you say "experimental" just to verify you mean Sandboxie 64 bit with the experimental protection turned on?
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    To move to a higher level process they need equal or greater rights, true.

    2. Yeah, that's fine. They just don't really need to do that. I mean, they absolutely could and it would trick tons of people, they just don't really need to since there are plenty of ways to make money off of people's computers.

    3. Yes. To contain an admin process reliably Sandboxie needs to be at a greater level than it. It could do it without it but not reliably.
     
  11. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Oh sorry I missed your other point.

    No I don't use or know much about Trusteer. I have used Prevx SafeOnline (now WSA Identity Shield) on max for awhile and I use it for banking only since it doesn't work inside Sandboxie. Being completely honest I haven't really put too much trust in it and I've definitely heard mixed things about these types of technology but nevertheless it's still another valid "layer".

    If money disappeared from my accounts I'd immediately type up a report of what happened and prove to my bank I didn't do it and prove I have many countermeasures so they don't think I'm someone who is careless.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm not saying you're insecure or that you'll be hacked. I'm sure your setup is fine - you're on Windows 7, you use EMET and Sandboxie, and I think AE in the right hands is at least, as you say, a valid "layer" - all I'm saying is that it's not something to be relied on and it's not something I'd ever tell someone to implement. If they want to do it they can go for it but I don't think it's worth the time.

    Otherwise, sure, in terms of the current threats we see it's gonna stop most things.

    I just think the other stuff in your setup is way more useful.
     
  13. Umm. Maybe you got it through an infected USB stick. Mind if I ask what rootkit, and how you found it?
     
  14. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97

    Give me your IP, I bet it will probably take a friend of mine 10 minutes to r00t your system without you knowing.

    You don't need ADMIN rights to execute, and there are a couple of exploits out there that make user accounts useless. You can even write straight to the RAM so that on a reboot the payload is still active and then execute when YOU think you're safe.

    Now what you should be worried about is BIOS hacks and viruses, new territory but they are out there. To my knowledge you can write to firmware by default in Windows 7 especially with the new UEFI style BIOS. Only Dr Web scans for BIOS exploits as far as I know.
     
    Last edited: May 26, 2012
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    You have seen too many spy movies. You can't do much with an IP. Maybe DDOS, that's it. Forget about hacking via just an IP. You need to get the user behind. LoL
     
  16. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I never, ever said that you "need admin rights to execute." A standard user account won't stop execution. Software Restriction Policies will.

    Writing to RAM? That's a new one to me.

    As for me giving you my IP, I'm going to have to pass on that.

    I'll tell you what though bud, I will gladly click the "!" button.

    EDIT: Please see https://www.wilderssecurity.com/showthread.php?t=324880
     
    Last edited: May 26, 2012
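    The "SRP stops execution, a standard user account does not" point above refers to Software Restriction Policies configured as a default-deny whitelist. As an added example (not a configuration posted by anyone in this thread), this PowerShell script writes such a policy straight to the registry keys that gpedit.msc populates: everything is Disallowed except the Windows and Program Files trees, and the user-writable folders under %SystemRoot% (the usual holes in a whitelist) are explicitly denied again. The log-file path and the specific folder list are assumptions chosen for illustration; audit your own writable directories before trusting the rule set.

```powershell
# Added example: default-deny Software Restriction Policy written to the same
# registry layout that the Local Security Policy editor uses. Run elevated;
# log off/on or 'gpupdate /force' for the new policy to apply.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level: run nothing under this rule
$Unrestricted = 0x40000    # SRP security level: run with the user's full rights

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule is a GUID-named subkey under <base>\<level>\Paths.
    # ItemData is REG_EXPAND_SZ so %SystemRoot% etc. expand at evaluation time.
    $key = Join-Path $base ("{0}\Paths\{1}" -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTime()) | Out-Null
}

New-Item -Path $base -Force | Out-Null

# Default rule: anything not matched by a more specific rule is Disallowed.
Set-ItemProperty -Path $base -Name DefaultLevel -Type DWord -Value $Disallowed
# 2 = enforce on all software files including DLLs (1 exempts DLLs and leaves
# DLL side-loading from a writable folder outside the policy).
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 2
# 0 = apply to every user, local administrators included.
Set-ItemProperty -Path $base -Name PolicyScope -Type DWord -Value 0
# Advanced logging: each allow/deny decision is appended here, so you can see
# what the policy blocked (and what it let through) before relying on it.
# Assumed path; the file must be writable by every user whose processes are checked.
Set-ItemProperty -Path $base -Name LogFileName -Type String -Value 'C:\Temp\saferlog.txt'

# Whitelist the OS and installed-program trees.
Add-SrpPathRule -Level $Unrestricted -Path '%SystemRoot%'        -Description 'Windows directory'
Add-SrpPathRule -Level $Unrestricted -Path '%ProgramFiles%'      -Description 'Program Files'
Add-SrpPathRule -Level $Unrestricted -Path '%ProgramFiles(x86)%' -Description 'Program Files (x86)'

# Re-deny user-writable locations inside the whitelisted trees. SRP applies the
# most specific matching path rule, so these override the %SystemRoot% allow.
# Assumed list: find the real one with 'icacls' or AccessChk on your own build.
Add-SrpPathRule -Level $Disallowed -Path '%SystemRoot%\Temp'  -Description 'writable by users'
Add-SrpPathRule -Level $Disallowed -Path '%SystemRoot%\Tasks' -Description 'writable by users'
```

    The important setting is TransparentEnabled=2: with the default value of 1, SRP only checks executables, and a DLL dropped into a user-writable folder and loaded by an allowed program runs unchecked. The log file is the way to validate the policy: run the machine normally for a while with DefaultLevel still Unrestricted, read what the log shows executing from outside the whitelisted trees, and only then flip the default to Disallowed.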
  17. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    just to be clear

    remote hacking is possible by knowing just the IP ?
     
  18. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    By just knowing the IP? No, none that I'm aware of. Hacking isn't Harry Potter stuff. And unless you just want to DDoS the system, you've got to get inside the system, and doing that requires the user to have an unsafe system or do something dumb like download a trojan or other piece of malware. Remember, hacking takes tools, and these tools have to be able to execute.
     
  19. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    that's what I know but

    stevo is already behind a router from his setup
    so :S :S :S

    what FUD ?

    I know that remote hacks nowadays simply can't be done because of an inbound firewall router
    also by default all systems have an inbound software firewall

    which gets me thinking how do worms nowadays spread
    in a LAN from an infected computer to its friend behind the router ? or are worms bypassing the walls ?
     
  20. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Never mind what No_Script said...he is not fully correct and he is partially misinformed about such things. When people say things like "I'll have you r00ted" they are just trying to either cause fear or give the impression they know more than everyone else.

    I don't usually call people out publicly...in fact this may be the first time in a long time, but when people say something stupid that sounds in any way threatening to me...well...I have zero tolerance for hackers. This is a security forum...not a place to threaten people like it's a competition of who can and can't be hacked. :thumbd:
     
  21. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    hope that's true
    Don't worry STV0726 I always get threats like these xD
     
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Worms spread through files sent from one system to another, say through a file attached to email. Again, malware, worms, whatever they may be have to execute. No matter the delivery method, they have to be able to act, and they can only act if your system is vulnerable or you pull a stupid. Anyone that says they can just get in without one of those two conditions being met is talking out of their rear end.
     
  23. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Stay on topic all, please. Script kiddie language and or behaviour will not be tolerated.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Of course the system has to be vulnerable for any kind of attack/ remote code execution. I don't think anyone would argue otherwise... they'd have to be very confused if they did.

    But every system is vulnerable.

    It's a lot easier to hack someone on their network or to trick them into clicking a link since, of course, that "bypasses" the firewall.

    It's not impossible though. There was that firewall 0day months ago for windows that would overflow.

    Being behind a router is ok... unless you're like 99% of people still running the firmware that came with it.
     
  25. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    You don't need to execute to exploit a system, really there are plenty of other options. UPnP exploit, TCP/IP exploit, FTP stack overflows, DNS poisoning, MITM, and I could go on.

    BTW those who say you can't get Admin privileges with executing a virus/Malware, you're wrong, I'd suggest you google malformed SCR PPTP packets ;)

    99% of routers are poor security wise, NAT doesn't do much on consumer routers and most people just turn it on and leave it be. Even multi thousand dollar enterprise network routers like Cisco are easily hacked & the better ones like Juniper & Fortigate have bugs because they come with their own OS software which you can find holes in.
     