ProSecurity v1.40 Public Beta 1 Released!

Discussion in 'other anti-malware software' started by PSDeveloper, Jul 13, 2007.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    I am very well aware of this fact, however you have to put things into context.

    We do not talk here of having a legit file, and trying to find another random garbage file with the same MD5. We are talking about a Windows executable, and finding another file with the same MD5, following the constraint of the file that must be a valid Windows executable too. It makes the MD5 flaw unexploitable IMO.

    Additionally, I do not believe a single malware in the wild has the property of trying to duplicate a file's MD5 (which sounds impractical for executables anyway). That's why I think MD5 is still perfectly valid for Windows executables. Of course the fact that it is not used does not really matter, what matters is whether it's practical or not.

    If you have a link showing a valid executable file having the same MD5 as firefox.exe or iexplore.exe, then I would change my opinion :)
    Also, SHA-1 is considered "broken" theoretically; would you suggest, the same way as with MD5, dropping SHA-1 and using SHA-256 instead?

    In conclusion, if MD5 is added as an option as I suggested, everyone could choose the one he wants, MD5 or SHA-1 (SSM has this feature).
    Anyway, it's not that big of a deal, that was just a suggestion.

    Regards,
    gkweb.
     
    Last edited: Aug 5, 2007
  2. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I will have to side with gkweb here. Actually the problem is even worse than Gkweb describes.

    Actually even if we were talking about non-executables that couldn't be done. I suppose MS could do it but nobody else could. I believe that the hash is broken because one could with some effort force collisions to create 2 messages with the same hash, but that is not quite the same as being able to produce another message on demand with the specific hash of another arbitrary existing message.

    I can still dream of ways this can be exploited of course (e.g. package two exes with the same hash, one good, one evil, and let the good one get executed first and whitelisted because it is clean, then some time later launch the evil file with the same hash)

    But I believe Gkweb is right that the fact that both have to be functional executables makes it kind of hard...

    Actually I think at least 2 HIPS do that already... :D
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Neither MD5 nor SHA-1 is bullet-proof, but SHA-1 is unquestionably stronger than MD5. It's a trade-off between computational speed vs. difficulty to collide/counterfeit.

    As CPUs become faster and faster AND also become multiplex, then even more advanced hashes (such as SHA-256) will become very feasible -- inasmuch as they will have little or no discernible effect (humanly speaking) on computer responsiveness.

    Ultimately, perhaps, digital computers will become a thing of the past and we will all be using analog/AI computers, such as HAL in 2001...

     
    Last edited: Aug 5, 2007
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Without any proof from you or me, I decided to search for both of us, and you were right, more than you thought :)

    I just found this site:
    http://www.mscs.dal.ca/~selinger/md5collision/

    They have two executables with the same MD5 available for download. It works as advertised on the screenshots.

    I've never heard of that before, don't know how I could have missed that. Things are now clear, however: MD5 is clearly obsolete in the light of this website. I was wrong. I'm sorry to the people that I led in the wrong direction.

    Don't forget to bookmark this link for the next time you talk about MD5 with someone ;)

    Regards,
    gkweb.
     
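    The scenario LUSHER sketches (clean twin gets whitelisted, then a second file with the same digest is launched) and gkweb's conclusion that MD5 is obsolete for this purpose can be shown from the defender's side. The following is an added example, not code from ProSecurity or from anyone in this thread. It assumes a toy 16-bit "weak hash" standing in for MD5 (so a colliding pair can be produced in milliseconds instead of relying on the real pair on the linked site), and it shows why a HIPS whitelist should record SHA-256 beside any legacy digest: the legacy-only lookup accepts the swapped twin, the dual-hash check flags it.

```python
import hashlib

# Toy stand-in for MD5 (assumption for this demo): only the first 16 bits of
# the MD5 digest, so collisions are trivially findable and the demo can
# reproduce "two different files, one digest" without a real MD5 collision pair.
def weak_hash(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()[:4]

def strong_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class HashWhitelist:
    """Whitelist keyed on the legacy digest but recording SHA-256 beside it."""
    def __init__(self) -> None:
        self.entries: dict[str, str] = {}  # weak digest -> SHA-256 digest

    def allow(self, data: bytes) -> None:
        self.entries[weak_hash(data)] = strong_hash(data)

    def check(self, data: bytes) -> str:
        weak = weak_hash(data)
        if weak not in self.entries:
            return "unknown"
        if self.entries[weak] == strong_hash(data):
            return "allowed"
        return "collision-suspect"  # legacy digest matches, content does not

def find_weak_collision(prefix: bytes, limit: int = 1_000_000):
    """Birthday search: two distinct blobs sharing one weak digest."""
    seen: dict[str, bytes] = {}
    for i in range(limit):
        blob = prefix + i.to_bytes(4, "little")
        digest = weak_hash(blob)
        if digest in seen:
            return seen[digest], blob
        seen[digest] = blob
    raise RuntimeError("no collision within limit")

def demo() -> dict:
    # Constructed sample data: the first twin is approved and whitelisted; the
    # second twin has the same weak digest but different content.
    first, second = find_weak_collision(b"CONSTRUCTED-SAMPLE-")
    wl = HashWhitelist()
    wl.allow(first)
    return {
        "same_weak_digest": weak_hash(first) == weak_hash(second),
        "weak_only_verdict": "allowed" if weak_hash(second) in wl.entries else "unknown",
        "dual_hash_verdict": wl.check(second),
    }
```

    Running `demo()` returns a weak-only verdict of "allowed" for the swapped twin and a dual-hash verdict of "collision-suspect"; with real MD5 the search step is what the linked site's authors did, and the whitelist side behaves identically.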
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Very interesting. I read the link & grabbed it. Thanks for sharing!
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Btw, I have a question, I noticed two features: "Spy password" and "Log Key Stroke", which type of keyloggers will this protect you against? Not a lot of HIPS are offering this kind of anti-keylogging feature, so it does look interesting. :)
     
  7. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    "Log Key Stroke": There are three types of keystrokes can be detected
    1. Log key stroke from windows api GetAsyncKeyState.
    2. Log key stroke from windows api GetKeyState.
    3. Log key stroke from directX tech.
    "Spy password": PS blocks password spier get password from the password inputbox.
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Good question, Rasheed (& a quick/good answer by PSDev).

    I had not noticed these 2 features (I'm trying beta 2 from time to time). Could I have a screenshot of them, please?
     
  9. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    That looks pretty nice now.. Any problems so far with the 1.4 beta? I am planning on giving it a try after I mess with ThreatFire here for a few days..
     
  11. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Sorry for this stupid question but what does a shaded box with a checkmark mean?

    TIA, SourMilk
     
  12. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I think it means it will ask/prompt the user about it when it happens.

     
  13. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Thanks!
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi gkweb, very interesting read. I never knew that it can be so easily bypassed.
    Thanks
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ PSDeveloper

    Thanks for the info :), but doesn't it block hook-based keyloggers? And how exactly does the anti spy password feature work? Also, can you give some examples of how OLE/DDE could be used by malware?
     
  16. TECHWG

    TECHWG Guest

    I'm kind of out of the loop since I have been doing other things, but so far the beta seems to be working well on my system, and I have sneaked a look at the new version in the works and it looks... Enticing!
     
  17. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    Hook-based keyloggers will be detected as a global hook.
    The anti spy password feature detects a program sending a message to spy on the password.
    There are some OLE/DDE testing programs, such as the PCFlank Leaktest.
     
  18. manfredo

    manfredo Registered Member

    Joined:
    Aug 23, 2007
    Posts:
    6
    I got a child process "Alarm.exe" (by ProSecurity) running on my system.
    What is it supposed to do? Can I shut it down?

    Thanks.
     
  19. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    This program is used for showing the warning box; if it's terminated, the warning box will not be shown and those privilege requests will be blocked.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Can we perhaps also get a sneak preview of the new look? Come on, you can't do this to us! I really wonder if the new GUI has become better or not. ;)
     
  21. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    I am also curious about how the modifications for the GUI are.

    dja2k
     
  22. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I would like a glimpse of the new GUI too, since PS 1.40 beta 1's GUI does not draw correctly on my PC, which uses large size screen fonts. A lot of text was clipped in different places and I had to guess sometimes before clicking an option.
     
  23. ChicknDip

    ChicknDip Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    59
    I've been trying PS since v1.40 beta 1, and I have to say it is GREAT!

    There are some things which I would like to see improved:

    * Clearer popups (colouring for different threat levels)
    * Tray icon: using different icons for Protected / Learning / Installing / NotProtected.
    (Right now you have no idea what mode it is in or if protection is ON/OFF)
    * Please, why in God's name is the beta version testing limited by a 30 day trial period? I started testing out beta 1, am currently testing beta 2, and in 2 days I will be kicked out of the beta testing (30 day trial expired). I hope to keep testing the betas and being able to post inconsistencies/bugs/suggestions.
    * I am also a bit concerned that when first installed, EVERY SINGLE file under /Windows/ & subdirs gets complete control; this is a dangerous situation to start with. Why not get an option to set minimal user defined restrictions on those FULLY TRUSTED apps, until the user decides to grant them more privileges.

    Other than that, PS 1.4 looks like it will become the best of the whole pack!

    Keep it up PSDev, and don't forget to give beta testers another period to continue beta-testing this wonderful product when beta 3 arrives! :)
     
  24. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    This will supposedly be fixed come the next beta build (3).

    Posted here.
    http://www.proactive-hips.com/cgi-bin/yabb2/YaBB.pl?num=1185421280
     
  25. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    For the record, both of these features, i.e., "Spy password" and "Log Key Stroke", are not new to version 1.4 as far as I can see. They exist in the current version 1.30. :D

    The "OLE/DDE Control", "Shutdowning System" & "Changing System Time" protection options are new.
     