Matousec Discloses Critical Vulnerability in ALL HIPS

Discussion in 'other firewalls' started by ace55, May 5, 2010.

Thread Status:
Not open for further replies.
  1. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Although yes I develope and design at home, this is not the reason that made me apply my backup strategy. The reason is that you cannot trust security software, even if layered, 100%. So if you want real security for data and machines, you cannot avoid often images and backups.

    If the last known image is one month old then be sure that you'll lose things. If you have the time to reconfigure things and figure out what you have lost, then that strategy could be ok too. I have not said that any other strategy is not good. I have only said that security wise if you want to be safe you must have really recent images and real time synchronization ( for some data versioning is also absolutely needed ). For sure everyone knows better his needs.

    Images are saved on a linux machine too, that does only that job ( I mean backup of data and images ). Please tell me how this machine will ever get infected. That machine is 24/7 on and it's not the only place I store images.
     
    Last edited: May 6, 2010
  2. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    It really depends what you do with your computer. It sounds like you need this type of back up strategy more than others. For me, the only data I would be fearful of losing are video and music files, and only because it can take a long time to acquire them!

    As I said, there would only be a need to back up an image when you do major updates or install/uninstall software. For me and the majority of people, this would only occur maybe once a month or even less frequently.

    And I disagree that doing image back ups twice a day is "for security wise". It's got nothing to do with actual security. It's more to do with "insurance". Restoring an image because of a malware infection simply means your "security" has let you down. Which by the way has yet to happen to me over the course of 20 years. And yet I still have "insurance" ready!

    Who knows what can happen. I'll always keep my back up drive isolated from my currently running system by default. It's safer that way, period.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Just FYI, Microsoft products will tend to use Microsoft API before resorting to hooks, if ever.
     
  4. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    I believe you say this because you understand as security only the use of security software. Restoring an image because of a malware happens only because part of my security system failed and fortunately not my whole security system. I consider imaging and backup strategies as security.
    I have never had an infection the last 10 years but that have never made to stop deciding and applying better security strategies.

    Nothing could happen. If you trust more a usb drive than all the things I have said then I guess I have nothing more to say.

    I have managed using machines with low power consumption and by "recycling" hardware when possible, to have a back up strategy that I consider that fits my needs and my idea of real security. Taking also advantage of low cost services like mozy and cloud online storage,
    using also strict policies about encryption, synchronization, versioning, backup, imaging, raid storage type and yes offline storage too ( never said I don't do that ) that work almost without any intervention by me, I have an almost a 100% secure setup. IF you add all the security software too, a possible disaster is almost impossible. And believe me a system like that does not cost a lot of money. Of course there are more professional ways to do this whole thing but I could not really afford any professional solution.

    Who considers security only the software called "security software" has understood nothing. Period.
     
  5. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    ALL VULNERABLE:eek:
     
  6. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    Given your heated tone, I think I must have insulted you to some extent and I apologise for that. It was not intentional. It sounds like you have spent a long time setting up your back up strategy and it sounds very impressive indeed. I'm glad that it works well for you.

    However, I always consider back-ups as "insurance", rather than "security". For example, I can "secure" my passport by putting it in a safe with lasers around it. I can "insure" my passport by making an identical copy of it and placing it in another house (which is why the offline/isolated hard drive is always safer - there's no way malware could jump across thin air and infect your drive).

    If my safe is broken into and my passport stolen, my "security" has failed, and my identity potentially stolen. But because of my "insurance", I still have copy of my passport available.

    I hope that's now clear. Indeed you can argue that backing up is party of a security strategy. I just like to think of it as more of an "insurance".
     
  7. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    This to me is an example of what I refer to as Rutkowska Syndrome.
    These type of catastrophic security breaches always appear highly impressive on paper,yet strangely they don't seem to take over the real World as threatened.:doubt:
     
  8. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    @hundredpercents : I apologize too if my tone seemed heated. Hope I have not insulted you. I absolutely understand what you are saying. Your opinion is absolutely respected by me although I disagree.
     
  9. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    Not insulted here at all.

    Perhaps the main reason why I like to differentiate security software and backing up is that backing up does absolutely nothing to stop identity theft. Also, backing up does not always prevent data loss. What happens when a killdisk malware hits your system and destroys your drive just before your next scheduled back up?

    Sure, that would be unlucky, but you can see why backing up isn't really part of computer "security". "Preventing" malware from entering and/or attacking your system is true computer "security".

    Anyway, we can agree to disagree.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Quote Matousec

    As far as i know most security products do use these types of techniques.

    EP_X0FF has said for a long time that using hooks is not good, and he should know :D

    As usual though, before ANY nasty can do it's dirty work, it has to be allowed to run. So if you have your browser locked down as tightly as possible, and don't run unknown code, i expect you will be immune from such attacks :)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I must say I do commend Matousec. He has publicly informed all the bad guys of a weakness in security software that they can now exploit.:thumbd: :thumbd: :thumbd:
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I guess he's telling nothing exactly new to them, anyway - you have a point there, things like OIS Responsible Disclosure guidelines (PDF) is something completely strange to this self-proclaimed security "guru". :thumbd:
     
  13. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    no i guss its great he following open bsd theory make is public so more and more people come out with solution as well companies dont be lazy to patch it

    as far bad guys concern if there is vulnerability they find it out so its nothing new that whats their JOB is :D

    best security policy i follow golden rule of open bsd before i knew if that rule exits

    which is as few software are there in your system make ............it .......... ........as more secure ?

    1st opinion

    why is that let say i have a bunch of software to add layers of my security one of them get vulnerable it jeopardize entire my security


    decent security suite like KIS or NIS + one good encryption software that all

    + astaro security gateway as utm i think more than enough for home user

    astaro it self blocked 90-95% threats at gateway level then he have to find my local system and break security suite then strong encryption at end

    possibility of getting my suite is 100:1 because i got only one security program



    2nd general opinion

    if one software will comprise the other will take charge and stop if going further

    but in second case you are having too many security software at your pc let say 10 now bad guy had chance to 100:10 any one get him ist breach



    best regards mack
     
    Last edited: May 6, 2010
  14. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Welcome to Linux. Ubuntu, openSUSE, and Linux Mint are GREAT.

    Thanks.
     
  15. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Or the good Guys so that they can patch it. Don't you think? :thumb:

    Thanks.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And, how exactly are they helping the good guys/girls? The good guys aren't the security companies's folks, rather the people who make use of such tools.

    People like Matousec are not helping such users, rather helping the bad folks, by reporting the flaws and how to exploit them.

    Someone has mentioned that, Matousec reporting such flaws and how to exploit them, is no big deal, because the bad folks would already know them. Well, this isn't exactly true.
    While they (bad folks) do their own research, the fact is that, for a long time now, certain security "experts" saw a window opportunity for a new market - vulnerabilities research in software, including security software. So, why would a bad folk do that research, if others are doing it, and worse, revealing such flaws before being in contact with such software developers so they can fix such flaws.

    People like Matousec hurt no one, but those who make use of such applications.

    I'd perfectly understand if such article would be written after contacting with such security vendors and giving them time to solve the flaws in their products. If nothing would be done after a while, then yes, let people know.

    For what I could read, Matousec hasn't done that. Unless I missed something.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In this case no. I am afraid, I think this matousec operation is totally self serving. Just my opinion, and can I back it with hard fact: no. Just a feeling based on observing.

    Pete
     
  18. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    I wonder how long it takes Matousec to come up with a nifty application which does not have the flaws mentioned. Of course not free, dollars have to be paid for that.
     
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,081
    Location:
    Europe, UE citizen
    " As shown in the previous section, the idea of the argument-switch attack is quite simple. The attacker calls the system service with values of parameters that will certainly pass the checks made during the execution of services' hook handlers. When the faker thread gets its time slice, it tampers the contents of the parameters to values that would never pass the checks of the hook handler. If the tampering operation occurs after the security checks are done but before the original service, which does the main work, is called, the attack is successful. " ( from http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php ). I don't understand the process, I wonder:

    - the " values of parameters that will certainly pass the checks made during the execution of services' hook handlers.." are so common and knew that an attacker already knows them ? Shouldn't they are different from security software to the others ?

    - or, alternatively, the attacker's code can discover them alone to be detected and intercepted as malicious and not verified code/parameter ?





     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Has anyone tried on VISTA or Windows 7? I see that they only tested windows 2000 (?!) and XP.
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Any non-patchguard (64bit windows) system I believe.
     
  22. dormix

    dormix Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    40
    Location:
    Center of Italy
    Hi all!

    Then, is Patchguard the solution of the problem?
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
  24. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    By making the computer security world aware of it.
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    I do not think the following comments are OT because they deal with a vital type of program for sustaining effective security despite the vulnerability mentioned in *Matousec's Disclosure* -- the topic of this thread.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    In a prior post I emphasized the value of including a File Integrity Checker (FIC) in a layered security set-up. Commensurate with that comment, I would like to offer links to some good FICs . . .

    Tiny Watcher. Free

    Sentinel. Free

    AdInf. This FIC is super strong, & is designed specifically to work with Dr Web antivirus. However, AdInf will work alone or with other AVs besides Dr Web. FanJ gives a lot of information about AdInf at :HERE, and HERE, and also HERE. $9.95 one-off license fee. Has a 90-day free trial period.

    Fingerprint -- scroll down to the bottom of the page. It is no longer in development but that is of lesser significance for a FIC. Fingerprint is very configurable BUT (because of its configurability) it is a wee bit convoluted to set-up. Free
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.