Privacy Control - interesting....

Discussion in 'other firewalls' started by Durad, May 22, 2007.

Thread Status:
Not open for further replies.
  1. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    Concept of Privacy Control component implemented in most Security Suites:

    “enter all your private data – PINs, Passwords, …”
    “we will analyze outgoing traffic and if some of your private data is found – it will be replaced by “***””

    Cool idea but it DOES NOT work in the real world.
    Why? Because almost all of the trojans encrypt all sent data and the Security Suite will find nothing in such encrypted traffic!

    (from Kaspersky presentation)
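    The limitation described in this post, as an added example that is not from the thread or from any vendor's product: a toy outbound "privacy control" filter in Python that masks registered secrets with `***`, run over the same request once in clear and once after a stand-in stream cipher. The secrets, the request and the key are all constructed here for illustration.

```python
import re

# Constructed secrets standing in for the PINs/passwords a user would register.
SECRETS = [b"1234", b"hunter2"]

# Constructed outbound request the filter inspects before it leaves the host.
OUTBOUND = b"POST /submit HTTP/1.1\r\nHost: example.invalid\r\n\r\npin=1234&pw=hunter2"

# Constructed 16-byte key. Every key byte has the high bit set, so XOR of
# ASCII plaintext never yields an ASCII byte and no registered secret can
# appear in the ciphertext.
KEY = bytes(range(0x80, 0x90))


def build_scrubber(secrets):
    """Return scrub(payload) -> (masked_payload, hit_count) for the given secrets."""
    if not secrets:
        return lambda payload: (payload, 0)
    # Longest first, so a PIN that is a prefix of a password is not masked on
    # its own while the tail of the longer secret is left exposed.
    ordered = sorted(set(secrets), key=len, reverse=True)
    pattern = re.compile(b"|".join(re.escape(s) for s in ordered))

    def scrub(payload):
        return pattern.subn(b"***", payload)

    return scrub


def xor_encrypt(payload, key):
    """Toy stream cipher standing in for whatever a trojan uses; any real
    cipher is just as opaque from the filter's point of view."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def compare_plain_vs_encrypted(secrets=SECRETS, payload=OUTBOUND, key=KEY):
    """Run the same scrubber over the plaintext and over an encrypted copy of
    the payload and report how many secrets it masked in each."""
    scrub = build_scrubber(secrets)
    masked, plain_hits = scrub(payload)
    ciphertext = xor_encrypt(payload, key)
    _, encrypted_hits = scrub(ciphertext)
    return {"plain_hits": plain_hits, "masked": masked, "encrypted_hits": encrypted_hits}


if __name__ == "__main__":
    print(compare_plain_vs_encrypted())
```

    The scrubber masks both secrets in the clear request and zero in the encrypted one, which is why the later posts conclude that keeping the process off the network altogether, not pattern matching on egress, is the only reliable control.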
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    And Kaspersky in order to check your SSL traffic is breaking into the certificate... uuuhm, don't like at all their solution to the problem.
    I don't want at all something sniffing into my secure connection while doing online banking.

    By the way, if Kaspersky can break into certificates, what could stop malware from taking advantage of this technology? o_O

    IMO... Not good ...

    Fax
     
  3. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    That's not what that is about. It doesn't break into anything to stop the trojan from sending data to the internet; it blocks it from accessing it in the first place.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    That's what any security tool (e.g. firewall outbound program control) should do... :D
    Is this new?

    Yes, indeed, I am talking about their scanning of SSL encrypted channels.

    Fax

    EDIT: spelling
     
  5. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    A firewall doesn't block a trojan from accessing hklm\...\encrypted passwords; that's what the privacy control does.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    You mean they protect specific registry entries?
    Ok... fine. But is this new? I mean there are plenty of tools to protect the registry.

    Fax
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well, well here we go again, need any help here?

    OP didn't say KAV broke into anything, only that these Trojans send encrypted call-homes. Fax, please post your last reply to this same subject that you gave me on the limitations of ZA's MyVault.

    plantextract, later on in my learning thread on optimizing ZA Pro Settings with Stem we will visit and test this feature and report. Feel free to join in the discussion.

    Kav is ZA's partner so it is interesting their presentation seems to depreciate these tools. Oh well, more later.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Curious how KAV is ZA's partner? If ZA is using the KAV engine, then that is no partnership.

    Pete
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SSL traffic sniffing is largely irrelevant here since trojans aren't going to use SSL (it includes a site certificate check which is irrelevant to malware) but some other form of encryption.
    The only way to intercept and view SSL traffic (without cracking the encryption which is currently unfeasible) is to act as a proxy, where the browser makes an SSL connection with the proxy and the proxy creates a separate SSL connection to the destination site. Since the proxy's SSL certificate will not match that of the destination site, the browser should alert on this.

    There is, BTW, good cause for monitoring SSL traffic since https:// sites are as likely to pose a privacy risk (via web bugs, invasive Javascript, etc) as others - see the Dangers of HTTPS thread for more on this.

    Getting back on-topic, Kaspersky are in the right here. Such so-called "Private Data Protection" is in many cases worse than useless because it creates a false sense of security, encouraging users to take risks with private data that they would not otherwise. The only possible valid use for it is to ensure that people don't mistakenly enter sensitive information (credit cards, etc) on non-https:// pages. The only way to prevent malware from sending private data out is to block it from network access altogether.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    I was just trying to understand what the novelty was here as compared to many other security tools... that's why I have referred back to SSL communications...

    So.. it was explained to me that KIS/KAV monitor the registry where PW/Login are located. Protecting the registry or blocking something from communicating out is not new... By the way, credit cards are not stored in the registry.... and, as far as I can see, there is nowhere in KAV/KIS to input this information (maybe I have missed it?).

    Yes, I in principle agree on the good cause... but the solution can be more dangerous than the cause... there are other solutions that do not comprise a "man in the middle" type of approach or breaking the certificate. An SSL communication should ensure 1 to 1 communication between the two clients... with these solutions it seems this is no longer the case. Moreover, malware needs to be decrypted in order to run on the system, so at this stage it will trigger standard antimalware tools both in memory and/or on access.

    Don't get me wrong... I believe that the latest KAV is the best antivirus and KIS one of the best all-in-one solutions for malware protection, but here we are talking about something different.

    Help?... ZA partnership? Can't follow here...
    Limitations of security suite? They have been just posted by the OP... :blink:

    Fax
    EDIT: and yes, sorry to the OP if I was OFF topic...
     
    Last edited: May 24, 2007
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Assuming you mean KAV's Proactive Defense, this is more aimed at blocking malware modifications to the registry (e.g. to run-on-start keys) rather than protecting credit card data. Where CC data is stored depends on the software used to remember it, and may well not be in the registry at all.
    There is no risk in having trusted software acting as a go-between for SSL, indeed there is a security benefit in that SSL pages can contain malware also. All a malware distributor needs to do is purchase a certificate using a stolen credit card and that gives them a means of bypassing many conventional web scanners and filters.
    Don't confuse run-time encryption of a malware executable with any encryption it may subsequently employ on its network connections. The idea behind filtering network traffic is to offer a chance to catch anything that an AV scanner misses, so it assumes failure on the part of the file and memory scanner.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Please refer to Fax's earlier post on privacy and comment.

    http://www.wilderssecurity.com/showpost.php?p=996361&postcount=65
     
  13. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Nope, I mean the specific new privacy features in version 7.

    Once upon a time the only way to sniff information from the client machine was to grab information before it went into SSL (e.g. keylogger). So the only way to be compromised was to have a compromised PC (client) or a compromised server (e.g. the bank and/or shopping server).

    Now we have a sort of new way to do it... i.e. replacing/overlapping/breaking (don't exactly know how KAV does it) the certificate.

    Is it good that KAV does this? Well, I am personally not happy that confidential information that before was reaching the destination intact will now pass via KAV. I am sure that malware (sooner or later) may take advantage of this sort of shortcut.

    Yes, I don't. One thing is information sent via encrypted channels and malware escaping detection due to encryption... something else is malware that needs to be executed on the machine. The latter needs, at one point, clear channels to execute (unless you refer to cookies).

    Fax
     