Leak Testing - Where is the Value

Discussion in 'other firewalls' started by Diver, Dec 28, 2007.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    There are products available that don't include that so called bloat. There are choices for those who want it and those who don't want it. If these features - whether you deem them unnecessary or not - are implemented correctly, then it really isn't bloat. There is, of course, no denying that some of these products need more work before they are free of all major bugs, but the effort seems to be there from the majority of these developers to achieve that goal.

    And it's not about how I want to see it, rather I'm only stating my opinion based on my unbiased, open-minded approach to the purpose of leaktesting. Admittedly, at times I used to feel it was pointless and overrated, but there are and have been some benefits to it, as already mentioned. It has caused some unnecessary paranoia, but it has also resulted in greater awareness to what some malware is capable of doing.
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    This gets to a point where it's really hard to say anything. Horse, beating, dead...
    Note that I don't value leaktests that much either. My opinion is somewhere between Mrk's and Herbalist's.

    So the answer is HIPS, and these shouldn't monitor these leaktest methods? Why? Just one question for those who say so.

    While I can agree HIPS is better than firewall leaktest detection (like Jetico, CFP 2.4 etc.), choosing such a firewall doesn't mean I'm "focusing on detecting intrusions rather than preventing" or "giving more importance to stop the criminals from escaping instead of keeping them out".
    I'm not developing the firewall, I'm the end user. If I choose this FW, it doesn't imply I'm forgetting the rest.

    One more thing that of course has been said before: if I use a LUA, will the firewall be bypassed just like that? Or if I block drivers and such with a HIPS (someone come up with another name).

    Is it that weak, I ask.
     
  3. wat0114

    wat0114 Guest

    Or firewalls with built-in HIPS.

    They should - and do - monitor these events.

    What I've wanted to say, too :)
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The value in anything can be measured in the perceived benefits it provides.

    Products evolve by market forces. Firewalls have evolved into more than just a packet filter. This is neither good nor bad -- only thinking makes it so.

    For those whose reason for a firewall is to have a packet filter and simple outbound control, the Leak Tests have no value.

    For those for whom a firewall's deeper monitoring capabilities fit into their security scheme, the Leak Tests are beneficial and therefore have value.


    ----
    rich
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    At a basic level, the firewall should just decide if a packet should be let through or dropped. Leaktesting should have always been in the domain of behavior blockers.
     
    Last edited: Dec 29, 2007
  6. controler

    controler Guest

    Hello

    Most of us have used every software firewall there ever was. They have their uses.

    One thing I DO want to mention is some 3 or 4 years ago I would come here and talk about rootkits and all I ever got was the same old rubbish.
    They are only POC and nothing to worry about. I would think you have learned by now. We all also know before you can see the light, you need to visit the dark side for a spell.

    I agree virtualization was the way of the current future. Now things are changing again. The bad guys are looking at ways to move around this too, but in general they are not that worried at this point. They know the common household user won't be using a HIPS or VMware.
    Those of us that do, do so for testing purposes.

    If these leaktests are now using rootkit technology, that is good.

    I would think with people like Mark & now EP_XOFF, Microsoft will be doing some pretty cool stuff. They have some pretty damn good advisors now.

    Joanna is working with Phoenix BIOS group with Hypervisor technology.

    Will be interesting to see where all this goes in the next 5 years.

    Just be advised not all of us cry the sky is falling based only on paranoia.

    I will admit, at times I will make posts based on visions not delusions but as a rule they usually come true. You be the judge.

    The two major players today are organized crime & foreign governments.

    P.S. Happy New Year !!!!!!!!!!!

    Bruce
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    @controler,

    My original question is which of these 66 leak tests do we need to worry about. You are one of the few to shed some light on this with your remark about how rootkits were viewed a while back.

    Everyone:

    I think we are in a period of transition in firewall design where the emphasis is shifting from solely analyzing communications oriented events to going further up the chain to prevent unauthorized system changes that could lead to unauthorized outbound communication. This is not completely new as Jetico and some other HIPS enabled firewalls have been around for a couple of years. However, the trend is accelerating.

    There are several challenges here. One is that traditional leak testing is not comprehensive enough to differentiate products' capabilities. This is evidenced by what is going on at Matousec & Co.

    The next challenge is that unauthorized does not mean the same thing as unwanted. Most HIPS and HIPS-enabled firewalls (or are they firewall-enabled HIPS?) don't have much intelligence. They are so intrusive that it takes an expert to interpret whether the warnings mean something bad is happening. Most users have to turn them off while installing new programs, which gets back to the old problem of how you know if the program is safe.

    It might be fun to play with new software, but computer security will not improve until better ways of combating malware are so widely adopted that the incentives for malware enabled computer crime are greatly reduced. I don't see this happening at the present pace of progress. Most of the solutions discussed in this thread are for experts only, which is too bad. The only thing with potential mass application is behavior analysis which is in its infancy.

    @Rmus

    "This is neither good nor bad -- only thinking makes it so."

    That's a gem; you should put it in your signature before someone else steals it.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Actually, Shakespeare already claims it:

    "There is nothing either good or bad but thinking makes it so."

    I was reminded of the tale of the fellow who decided to trick the wise man. The fellow picked up a tiny bird in his hand, and asked the wise man whether the bird was alive or dead.

    If the wise man answered "alive" the fellow intended to squeeze his fist and kill the bird and show it to the wise man dead.

    If the wise man answered "dead" the fellow would open his hand and show the bird alive.

    Upon being asked the question, the wise man responded, "It is as you choose."

    And so it is with the value of leak tests: it is as you choose.


    ----
    rich
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    @Rmus,

    Well, at least I can recognize great prose when it is offered, even if I did not know the pedigree. That it is from the pen of one of the greatest writers of the English language is all the more reason to add it to your signature line. My personal favorite: Brevity is the soul of wit.

    Thanks for the tale of the bird. I remember that one.

    OT, perhaps, but a little culture never hurt anyone.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It seems to me that since the introduction of HIPS, and the results realized with them in unison with a user's chosen firewall, the HIPS serves as a firewall protector of sorts, and this has been paired up by many who found they could knock down firewall leaktests with ease.

    And it's likely IMO these results have led up to OnlineArmor's implementation of a HIPS to complement the protections of its firewall in a sort of dual wall of prevention. It's the classic layered approach now playing out in these types of programs, firewalls that is, whereby these developers have verified there is a legitimate increase in security when coupled up this way.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Personally, I do like the leak-test programs; these give me insight into the OS, the comms made, etc., and I certainly appreciate the time spent on finding these. But, saying that, I find many flaws in the firewalls that attempt to implement the interception of / protection against these.
    Simple example. There are some firewalls that will (depending on the user settings) alert to the loading of unknown DLLs, but the only option is to either allow this, or block the application being loaded into (usually the browser, so no internet). Now I personally find this unacceptable; that is why I prefer to use an application (HIPS) that will actually block such a loading.

    I admit, I look mainly at the inbound attacks, from what I see from the possible compromise of OS, well, there is certainly a need to keep the crap out in the first place.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Matousec has a small list of malware using these leak-test principles
    As you see, this list is fairly outdated, since we know of malware that does unhooking, installs its own network stack and exploits the services of Windows to deliver its payload. I'd say that most of the leak-test techniques are being actively used by current malware.
     
  13. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    What I think should concern us the most is what Matousec calls "Own Protocol Driver". It is a kind of attack that can't be stopped so easily, because a protocol driver runs at a very low level (NDIS), and it can't be associated by the firewall with a running application to be blocked (because it is in fact a driver). I suspect that all available firewalls at this moment try to avoid this situation only by denying the protocol driver from loading.
    What I find really weird is that nobody has tried to create such a leak test, because this technique has been known for quite some time...
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I guess this is one reason why we can pretty much conclude that no software firewall alone can cover 100% of the possible outbound conditions, and that a HIPS of some kind is needed to watch the driver installations... pretty much what people have been saying for a long time now...
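The protocol-driver case Nebulus raises, and Kerodo's conclusion that something has to watch driver installation, come down to one observable: before a driver can load it has to be registered under HKLM\SYSTEM\CurrentControlSet\Services with Type 1 (SERVICE_KERNEL_DRIVER) or 2 (SERVICE_FILE_SYSTEM_DRIVER), and a per-application firewall never sees that step. The following is an added example for this page, not code from the thread or from any firewall or HIPS product named in it. It parses the text of a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump, decodes the hex(2) form in which reg.exe writes REG_EXPAND_SZ image paths, and flags kernel-mode drivers that are missing from a known-good baseline or whose image lives outside system32\drivers. The registry dump, the baseline set and the driver name `ndisprot` are all constructed for the example.

```python
# Added example: flag newly registered kernel-mode drivers from a .reg export of
# HKLM\SYSTEM\CurrentControlSet\Services. Not code from any product in the thread.
import re
from dataclasses import dataclass
from typing import Optional

DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
SERVICE_KEY = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]", re.I)
VALUE_LINE = re.compile(r'"(\w+)"=(.*)')

@dataclass
class ServiceEntry:
    name: str
    type_: Optional[int] = None
    image_path: str = ""

def _logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def _decode_hex2(val):
    """reg.exe writes REG_EXPAND_SZ as hex(2):73,00,...: UTF-16LE, NUL-terminated."""
    raw = bytes(int(h, 16) for h in val[len("hex(2):"):].split(",") if h)
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_reg_services(text):
    """Return {lowercase service name: ServiceEntry}; values under subkeys are ignored."""
    entries, current = {}, None
    for line in _logical_lines(text):
        m = SERVICE_KEY.fullmatch(line)
        if m:
            current = ServiceEntry(name=m.group(1))
            entries[current.name.lower()] = current
            continue
        if line.startswith("["):  # some other key, e.g. ...\Tcpip\Parameters
            current = None
            continue
        m = VALUE_LINE.fullmatch(line) if current else None
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Type" and val.startswith("dword:"):
            current.type_ = int(val[len("dword:"):], 16)
        elif key == "ImagePath" and val.startswith("hex(2):"):
            current.image_path = _decode_hex2(val)
        elif key == "ImagePath" and val.startswith('"') and val.endswith('"'):
            current.image_path = val[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return entries

def find_new_drivers(services, baseline_names):
    """Kernel-mode drivers absent from a known-good baseline, or whose image sits
    outside system32\\drivers (a prompt to look, not proof: some vendors install elsewhere)."""
    baseline = {n.lower() for n in baseline_names}
    flagged = []
    for key, e in services.items():
        if e.type_ not in DRIVER_TYPES:
            continue
        reasons = []
        if key not in baseline:
            reasons.append("not in baseline")
        if e.image_path and "system32\\drivers" not in e.image_path.lower():
            reasons.append("image outside drivers dir: " + e.image_path)
        if reasons:
            flagged.append((e.name, reasons))
    return sorted(flagged)

BASELINE = {"Tcpip", "NDIS", "Browser"}  # constructed: names recorded on a known-good build

# Constructed dump; 'ndisprot' is an invented name for an unknown protocol driver.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,00,\
  73,00,79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\ndis.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Type"=dword:00000020
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndisprot]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\Users\\Public\\ndisprot.sys"
"""

if __name__ == "__main__":
    for name, reasons in find_new_drivers(parse_reg_services(SAMPLE_REG_EXPORT), BASELINE):
        print(name + ": " + "; ".join(reasons))
```

Taking the baseline from a clean build and re-running the comparison after every software install is the offline counterpart of a HIPS prompt on driver load; it catches the registration whether the driver arrives as a leak test or as malware. A limited user account cannot create the service key in the first place, which is the cheaper control where it is acceptable.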
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    If you run LUA, it's not possible to install a driver. Of course, if you decide you want some free game and elevate to admin to install it, anything goes.

    The moral of the story is protecting against drive by downloads is one thing, protecting against willfully installing bad software is another.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    100% true, but what I tried to do is answer Diver, who asked what we should be more concerned about :)
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I know of that list and there is also one over at Comodo. Perhaps outdated, but all of 6 examples are listed out of 2 million possibilities. Most categories have no examples. Interesting as this goes to the heart of the value of Matousec's testing. You opine that most of these techniques are in use, but that conclusion is so central to my question that much more detail would be helpful. In my view, not only must the technique be in use, it would have to be proliferated for it to be a concern. Based on my reading, the main attacks are disabling the firewall altogether or sending "allow" messages. I have actually seen machines where the Windows XP firewall was disabled. However, the default XP firewall is easily the most used software firewall and it would be low hanging fruit, so to say. Most of us around here use something else.
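The two attack classes Diver describes, switching the firewall off and injecting an "allow" decision, are the ones a host's audit log can still surface after the firewall's own leak protection has been bypassed. The following is an added example for this page, not code from the thread or from any product named in it. It runs three detection rules over constructed audit lines: the Windows Firewall service stopping, the firewall being disabled on a profile, and an outbound allow rule appearing that was not written by a known installer. The event IDs (4946 rule added, 4950 setting changed, 5025 service stopped) are Microsoft's Windows Firewall audit events on Vista and later; the one-line `timestamp key=value` layout, the `App` field and the trusted-writer list are constructed for the example and need mapping onto whatever your firewall or SIEM actually emits.

```python
# Added example: detect the two evasions named above (firewall switched off, an
# 'allow' decision made for the user) from audit events. Not a product's code.
import re

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Processes that may legitimately add outbound allow rules on this build (assumption).
TRUSTED_RULE_WRITERS = {r"c:\windows\system32\msiexec.exe"}

def parse_event(line):
    """'timestamp key=value key="quoted value" ...' -> dict. Constructed layout."""
    ts, _, rest = line.partition(" ")
    fields = {"Timestamp": ts}
    for m in TOKEN.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def evaluate(text):
    """Return (severity, event_id, timestamp, reason) for each suspicious event."""
    alerts = []
    for line in filter(None, text.splitlines()):
        ev = parse_event(line)
        eid, ts = ev.get("EventID"), ev["Timestamp"]
        if eid == "5025":  # Windows Firewall service stopped
            alerts.append(("high", eid, ts, "firewall service stopped"))
        elif (eid == "4950" and ev.get("Setting") == "Enable Windows Firewall"
              and ev.get("Value", "").lower() == "no"):  # setting changed: firewall off
            alerts.append(("high", eid, ts, "firewall disabled on %s profile" % ev.get("Profile")))
        elif eid == "4946" and ev.get("Direction") == "Outbound" and ev.get("Action") == "Allow":
            app = ev.get("App", "")  # rule added: an 'allow' granted by something other than an installer
            if app.lower() not in TRUSTED_RULE_WRITERS:
                alerts.append(("medium", eid, ts,
                               "outbound allow rule %r added by %s" % (ev.get("RuleName"), app)))
    return alerts

# Constructed sample: an installer adds a rule, then something turns the firewall
# off, stops the service and adds its own rule; finally the firewall is re-enabled.
SAMPLE_EVENTS = """\
2008-01-02T10:14:55 EventID=4946 Profile=Private RuleName="Adobe Updater" Direction=Outbound Action=Allow App="C:\\Windows\\System32\\msiexec.exe"
2008-01-02T10:15:03 EventID=4950 Profile=Private Setting="Enable Windows Firewall" Value=No
2008-01-02T10:15:04 EventID=5025
2008-01-02T10:15:09 EventID=4946 Profile=Private RuleName="svchost helper" Direction=Outbound Action=Allow App="C:\\Users\\Public\\update.exe"
2008-01-02T10:16:00 EventID=4950 Profile=Private Setting="Enable Windows Firewall" Value=Yes
"""

if __name__ == "__main__":
    for sev, eid, ts, why in evaluate(SAMPLE_EVENTS):
        print(ts, sev.upper(), eid, why)
```

Whether malware clicks Allow on the prompt for the user or writes the rule itself, what survives is the rule, which is why the third check keys on the rule's appearance rather than on how it got there. Where the log does not record the writing process, correlate the timestamp with process-creation events instead.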
     
  18. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Leak test? Who cares? It's like rating the value of various fire extinguishers after your house has burned down. All the advocates of "layered protection" that are using four or more "protective" programs are simply wrong if they are concerned about things that happen after the fact (leak tests). You must prevent malware from getting on your machine to begin with-that is the only objective that counts. You will not be able to stop them if they get in-they will burn your house down.
     
    Last edited: Jan 2, 2008
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    In all honesty I am somewhat of a leak test skeptic which is why I raise these issues. One concern I have is that Matousec does not distinguish network measures that are purely post infection measures from other measures like HIPS that prevent the test from running in the first place.

    One could even ask if a test that causes Windows to give an unsigned driver warning is a valid test at all. What difference is that from a HIPS telling you the same thing?

    Another thing I just noticed that for some techniques there are multiple tests. That would cause any firewall that does protect against that particular technique to have a low score. Is there any justification for such a heavy weighting of one particular technique? Well, none has been demonstrated.

    It must be nice to be able to make a living tinkering with firewalls, finding bugs and selling the results back to the developers.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is exactly the problem I have with some of the testing.
     
  21. wat0114

    wat0114 Guest

    His methods could be perceived as shady by some, but he is not holding a gun to their heads demanding a ransom for his test results. He's done the work testing for and documenting the bugs he finds, then asks for recompense in return for the results. It's his time, effort and ability. Good for him.
     
  22. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    What I dislike about leaktests is that every time a new leaktest appears, most of the firewall makers try to include a method in their product so that the firewall passes the test. This is not the best method to deal with problems or flaws in their software. Instead they should design the firewall to work as well as possible from the start, and not patch it every time a new variant of leaktest appears.
     
  23. wat0114

    wat0114 Guest

    Or because they realize their product is flawed and they are fixing something that someone else pointed out to them. Just a thought.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Personally I don't understand why people keep discussing if leaktests are important or not; aren't all these techniques used by real-life malware? So yes, it makes sense to protect against all these methods, no? And Kaspersky happened to blog about this subject just this week. :rolleyes:

    http://www.viruslist.com/en/analysis?pubid=204791977
     
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Of course some of these techniques are used by real life malware, but no matter where one looks the list of examples is small. The Kaspersky blog gives 6. Somewhere else today I saw an article that said there are 500,000 different malware programs in existence. So, I wonder why only 6 out of half a million seem to make the list, and I wonder further, just how prevalent are those 6.

    There is also a difference of opinion as to how to approach the problem. One is to provide pure leak protection as in Zone Alarm Pro and Comodo 2.4 where only network activity is checked. The other is to rely on other technical measures such as HIPS or LUA/SRP to make sure the bad stuff does not get to run in the first place. The newer firewalls combine both.

    Matousec makes no distinction between these two methods, GKweb does. My observation is HIPS or LUA/SRP should stop every leak test dead, because these tests were designed to evade network checks, not HIPS. The correct way to test HIPS would require different tests and might even have to include the social engineering element in their analysis.

    Finally there is the lazy click problem. A highly restrictive firewall or firewall/HIPS combination is very intrusive and can cause the user to start clicking without thinking, thus nullifying its effectiveness. This is why smart HIPS are needed, or firewalls with outbound IDS signatures.
     