Scope of security - trick or treat?

Discussion in 'other security issues & news' started by Mrkvonic, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    This may sound like a big pompous rant, so feel free to ignore or even ask for deletion of the contents herein.

    Recently, I have seen a serious surge in certain posts concerning protection, real-time and on-demand, as well as various aspects of protection and coverage provided by certain tools, like firewalls.

    Good discussions are always nice, but a worrying streak nags at me. Many people use terms like hackers and malware in a very very active way. That is the only thing that keeps total havoc at bay is a huge range of security applications, as if each one of us has a dedicated hacker waiting to burst in and violate our PCs.

    I find the trend a bit ... disturbing. While awareness is good, unreasonable fear is as much counterproductive as the acknowledgement of possible dangers.

    Which brings me to my actual topic:

    People use security arsenals - this or that - a mix of various programs that they have found to be best suited to their needs. Fine.

    BUT ... apart from the following criteria:

    Compatibility, GUI, usage footprint (CPU, memory etc) and other peripheral issues, what has decided that you should use what you use?

    How many times have you had your computer port-scanned?
    How many times have you had your anti-virus trigger an alarm?
    How many times have you had your HIPS warn you about some strange process going on while browsing / chatting / gaming etc?
    How many times have you had an anti-whatever pop an alarm?

    Why do you think it's important that anti-virus programs update within an hour or three times daily and not once a day or every 48 hours? Why is that so crucial?

    Why do people think they need special software just to conduct online banking or shopping activities?

    Why do you think firewalls must be able to defeat the system processes of the very system they are installed in?

    Why do you want to use HIPS programs when your knowledge of how system works is limited to high-level processes?

    Where does education kick in - as in learn new things every day - rather than use stopgap measures to prevent vulnerabilities in one's own education?

    I think that sentences like >

    ... xxx ... keeps you safe from hackers and malware
    ... malware tries to get in
    ... rootkits are becoming more and more prevalent
    ... is safe but security experts claim there will be a 300% increase next month
    ... there is a proof-of-concept code that can turn any song into Shock The Monkey by Peter Gabriel in mp4 format

    > are counterproductive and miss the real purpose of security programs that people use, heighten the feeling of fear, helplessness of the unknowing and prompt me to rethink the entire domain security practice going on.

    Seems to me like a huge conspiracy to keep the masses under control and milk the honey from the pockets. I mean who has the greatest interest in wanting malware to continue existing - and keep the public awareness vectored onto how needy it is of security solutions.

    What are your thoughts?

    Mrk
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hum... i see you are a big critic of firewall's HIPS/leakpassfeature:) . Nothing to add there, i've seen your posts and understand what you mean.
    But having HIPs in the Firewall is the same as having a separate HIPS and a basic Firewall. Except that HIPS in today's Firewalls are not comparable to SSMs, i get it. For me, it allows more control. Alright there's numerous ways to bypass it, but it doesn't mean the firewall isn't trying. But yes, definitely isn't the best criteria for a Firewall.

    About using HIPS themselves, i understand you, but maybe you miss the point of many of us. I used SSM free for kicks:D . I learned something with it too. Eventually i uninstalled because of stability issues. Because i know i'm not experienced, i use Prevx1, and i think it's a damn fine product. FP's or not (rare, only saw once i think, and it was today), i feel safe with it.

    As for having lots of things installed, i'm with you, some users tend to have lots of apps for defending their computer. I have 3 real time, plus another that really doesn't do that much, but it is of sentimental value:) . None is AS. AS for me is useful to scan once every month or so to check if everything is ok. For that, yes, i have an arsenal, but i accumulated over time, and it only occupies a small space in the HD.

    Fear, gotcha. No paranoia is good. Seeking the best defense possible is ok and more than reasonable though.

    And as for seeing the apps in action, yep, i've seen them. Avast! found trojans, so did AVGAS, A-squared and Spybot. GeSWall blocks Adobe Reader from accessing some protected folders, not being dangerous or anything, but i did see it working as it should. AReader was prob. just doing an inventory of PDFs, i know, but i saw how GeSWall works.

    Now, the most important:

    "Seems to me like a huge conspiracy to keep the masses under control and milk the honey from the pockets. I mean who has the greatest interest in wanting malware to continue existing - and keep the public awareness vectored onto how needy it is of security solutions."

    Not conspiracy, but capitalism at its best (worst). Paying attention to the news, one concludes that this is the latest technique, inducing fear to sell more (goods or stocks;) ). That's one of the reasons that i almost refuse to pay for a security app. I consider paying one, but they give me a lot of confidence. Haven't paid yet.:D

    Did i forget anything? By the way, good topic:thumb:
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Someone, you hit the right spot.

    I can understand that you want to control applications. But the emphasis should be on "applications you trust". Your working environment. That's the whole idea.

    Many people refer to HIPS as the beast that will fight other beasts. IMHO, this is the wrongest approach to security. First, why the hell do you let undesired applications reside on your machine. Second, why do you try fighting it on its own terms? Shouldn't you (not YOU specifically) decide what goes on? While most people refer to HIPS as PROACTIVE it's in fact RETROACTIVE. You respond to the perps by acknowledging their methods on YOUR own computer. If you were using HIPS to clear remote machines or server ... well, I could understand that. But on your own PC?

    BTW, your Acrobat example is a good one. A nice example of useful HIPSing.

    Firewalls are a sore spot for me. Again, it's having diarrhea on your machine and trying to keep it from leaking. And all these leaktests are useless if the culprit decides to open its own socket.

    Which brings me to another set of questions:

    How many times have you had an application hijacking / dll injection by a process that turned out to be malicious?

    How many times did you pass real leaks and not just fun demos?

    As to anti- catching stuff in real time? Please tell me how you managed that?

    As to the fun of playing with apps - of course, that's why we're all here. That's not what I meant. This is not about the favorite movie for Star Trek fans (Empire Strikes Back, of course, like duh).

    Mrk
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I guess when people refer to HIPS, it's more when they download something (Ok i know), and then it acts as a malware rather than a Windows Vista Theme, for eg. You download this theme, but suddenly it tries to delete stuff, read important resources, hook the system, whatever. You then realize it's bad, and block it. Then you remove it (lol, Prevx does it all; sorry for the commercial ref:D )

    Proactive, to me, there are only these two concepts: Firewall and Sandbox type HIPS (in the general sense). That's the defense structure, besides Opera/Firefox-NoScript-Cookiesshmookie:rolleyes: .
    Something gets by, the AV/M has to catch it. AV is for historical threats:D , Prevx1 analyses the unknown. (i forgot, 123, 4 apps in my pc sorry)

    I hang on to these because the computer does not drag due to them. If it did, time to cut something. The computer is made to enjoy it, or work with it. Not going to war with the internet.

    To finish, no i haven't seen the FW passing a leak test, because i don't try them. It's enough to see others trying and their feedback. Neither real malware, but i did block things. LOL control freak:oops:
    The ASs didn't catch on real time, only on scan (i only have free versions). Only once, SpyGuard, which i don't use anymore, and AVGAS, on the same threat, when it was on trial; both when i didn't use Noscript+GeSWall...
     
  5. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Interesting thread.....
    Some thoughts on the issues;
    Update frequency for any security program: daily is ok for me. Unless there is a new outbreak.
    My criteria for a firewall are stealth rating, no major slowdown at boot, and stability.
    People think they need special software for online banking because someone is cashing in on paranoia.;)
    Education is still a big factor. Safe surfing habits can go a long ways toward security or lack of it.
     
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Well that's quite possible. I read that some highly qualified members here who go around giving advice on security software and computers have themselves been hacked more than once. And they are running what we consider (here) as state of the art security.

    I follow the crowd, I see what other people are doing. That is how I get interested in new products. If someone smart says it a great product and gives *technical* reasons (which I must be able to understand) why it is better I will definitely try it. Next I run tests like leak tests, test demos and check to see if it doesn't conflict with my 2 other HIPS , firewall and antivirus.

    If it all checks out it becomes part of my new security setup.

    I repeat the cycle about once every 1-3 months.

    Don't know, I don't look at logs.

    Well everytime I open my folder that contains the leak tests for one.
    Once I was surfing to this website, and my AV complained about some malware in my cache.

    Never. Though it happens a lot after I install a new program or sometimes even a new version.

    See above.

    It's crucial because it is needed to protect us against fast spreading malware. Why else? Imagine if the AV updates only once a day, and you get nailed by some malware that would have been detected if they had pushed updates at a more frequent rate.

    Not sure what you mean.

    because the system can't be trusted to defend itself.

    Because it feels like I am doing something proactive defending my computer when I press those buttons to okay the prompts. :)

    Also so I can feel good and look down at all the poor noobs who still don't get it and rely on outdated Antivirus and antispyware. Everyone knows those just plain don't work.

    Learning to use HIPS is quite an education. Fastest way to go from a Noob who knows nothing about computers to a not-so noob.
     
  7. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    I understand exactly what you mean Mrk, and heck... most of my computer related problems this past year or so have in fact, been self-inflicted from trying out this utility... or that application... LOL! But then again, trying out new stuff is half the fun...

    I have to go coz I must try this new app: System Virgin Verifier... LOL! (Of course I don't need it and it could trash my system... but as I said, it's half the fun...) ;)
     
  8. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Excellent thread.

    It's easy to follow the hype.

    I admit to being one that causes my own problems by installing this and that.

    Trying hard to stop my paranoia by telling myself the scan is always clean.

    I have learnt a lot but am now asking myself if common-sense is my powerful weapon.

    Looks like Mrkvonic has at last got me trusting in the force.

    Ian
     
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Nice thread mrk. You may or may not find this hard to believe, but I supervise my mom with what she can/cannot do with the computer :D.

    I learnt most of my computer knowledge through testing out different applications, setups and methods over long periods of time and doing risky beta testing, I still remember how the beta version of XP SP2 crashed my computer badly, of course I tested the beta version out of curiosity. :eek: Of course at the end of the day I realise that I cause my own problems.

    The purpose: To pick out the best solution which fits my computer best.
    The goal: Independent self-support. NO technical support calls.

    The biggest headache is the sense of paranoia which haunts me every now and then. Blame it all on my reading too much of others' malware encounters and computer problems. At times it makes me so frustrated that I feel like telling the person to piss off and go solve the problems on their own. :oops:

    After all, I've come to believe that it's what the user does on the computer which determines the outcome.
    To me,
    Programs= tools
    Knowledge= power. solutions.
    You can have all the tools in your arsenal, but it's what you do with those tools which matters the most.

    Common sense is just part of the solution. And I believe it is just one of the many skills applied when using the computer.
     
    Last edited: Dec 2, 2006
  10. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Real port scans, where many ports are scanned in a short period of time happens maybe once a week or so. Individual port scans, I guess they fall under "internet noise" are countless.
    Not more than a handful this latest year, and most of them were when testing malware I knew would trigger my AV.
    But before I knew about noscript extension to FF, I actually had some warnings from my AV about malicious javascripts. But of course those warnings came when visiting the darker side of internet. I rarely get any attachments (that I didn't ask for) in my mail, and if I do I delete them.
    Never.
    I have had some popups from Prevx1 when it didn't recognize some software I was installing.
    Never.

    I still don't know enough about computing (and I do always run as admin for convenience reasons) so I don't dare to let go of some of the protection. I have however ditched the intrusive software that gives endless alerts on everything that happens on my computer. Such HIPS were nice while learning stuff, but got annoying and therefore unsecure in the end. Based on my experience with different HIPS and FW with HIPS functionality the last 2.5 years.
     
    Last edited: Dec 2, 2006
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Nice discussion everyone - except DA, the neverending tosser :)

    Seriously, to give my own input:

    Except for a single port scan every 3-4 days, I've never seen any malicious activity taking place, in any form.

    Combined, several years of online usage vs. what happens online prolly means you have to take special effort to hurt yourself as opposed to you have to take special effort just to stay barely ahead of the "bad guys".

    I would like people who disagree with the "liberal" approach to step in. Their view of things might also be nice to hear.

    Mrk
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Just a quick addition:

    My father is not exactly the most computer-savvy person in the world. But my brother and I have taught him a few basic concepts:

    Don't download **** - consult with us before you do.
    Any email attachment that you don't expect - delete instantly.
    He browses with Firefox (without any extension).

    He was abroad for a few months. Even during that period, he simply updated Windows, and used the basic firewall / av that we installed for him, and had not the slightest of problems. And he also plays games, including online, visits sites of all kinds. Has his own laptop and takes care of it all alone - just Windows updates here and there, a bit of anti-virus definitions, occasional Firefox update, and that's it.

    So all the hype about malware raping seems a bit bloated, I might say.

    Cheers,

    Mrk
     
  13. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    It would be good to see a sticky on how malware typically gets onto people's computers (because they download it and run it), what a hacker or bot would need to gain access (no firewall, vulnerable service listening), and the potential dangers of emails and websites and how to avoid them. Something that would explain the mechanisms involved, but pitched at a level that the relatively noob reader can understand.

    Reading posts on Wilders, I get the impression that many posters, especially recent arrivals, have little understanding of the above, and set about building up impregnable fortresses and elaborating Byzantine strategies that go far beyond what's actually needed to stay safe. That was certainly the path I went down when I first came here.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    I've already written about it in one of my earliest articles.
    Will gladly make another one, more detailed or more graphical, if needed.
    Mrk
     
  15. Crashtest Dummy

    Crashtest Dummy Registered Member

    Joined:
    Nov 30, 2006
    Posts:
    4
    Hello

    I'm all for the enthusiastic amateur who enjoys experimenting :thumb: If we leave it all to the 'experts' we must be totally at their mercy.

    Good then that we have the experts to produce the software. Better still we have the experienced enthusiasts who like to learn and help keep the experts honest :p

    One way or another, the enthusiast is driven by self-interest. If sometimes it takes a little fear to encourage the initial development of that self-interest, then OK. The more people take an interest the better for all of us. Once the fearful get somewhere like Wilders, there is the opportunity to replace the fear with a little understanding and score another run for the hometeam.

    I think most people can see the majority are here because they enjoy raising the level of their own game. It's not about trying to scare the new guy.

    A protected router/firewall, decent AV, fully patched OS with some unnecessary services disabled, together with script control on various (regularly updated) applications. This together with good practice helps keep my friends & family secure today.

    A benefit of my interest is to help ensure they are secure tomorrow. Like for instance when a vulnerability is announced but a patch not yet produced. It's nice to be able to gauge how much of a threat this is for them and how to advise them if necessary. This is easier because I enjoy and make use of all the threads. They aren't dry and technical. It is real people talking about their experience and concerns. All this keeps my interest piqued and encourages me to learn more.
     
    Last edited: Dec 2, 2006
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Mrkvonic, Crashtest Dummy et al:

    Just to stir the pot a bit I will issue 2 challenges for Mrk to put his honey on the table!

    1. Raise your how many alerts, triggers, viruses, malware ?'s as a POLL!
    2. Run one of your own PC's without ANY security at all, nothing, just the default setting on your browsers and OS, no routers, nothing then report back January 2, 2007.

    However, I'm so paranoid I don't think either of these things will happen since he could be part of the vast right wing malware conspiracy. That poll would be a very bad idea since more than 2 or 3 people might respond and the truth could emerge. Do you guys think that McAfee and Norton's secret malware hacker development groups will ever be exposed? They generate evil so as to prove the need for their products.
    The end is near! :rolleyes: Got to go now forgot to leave my front door and windows open
     
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, it's an interesting read from all, you just need to know how to read it... :)

    For the computer literate and security aware - it is important to occasionally recall back to the days when you were completely illiterate in the area. What looks to be commonsense now was completely obscure then. What is painfully obvious now was impenetrable back then. This site currently has and will always have a range of experience among members. That brush of experience paints much of what you see here. You also have a significant range of needs and levels of risk aversion among the various users here. That explains part of what you see, unfortunately I realize it may be a small part at that.

    One sentence captured it in a nutshell for me:
    I see tendencies towards this as well, and it is unfortunate since this is not real life for most of us. It does happen - example: a coworker's daughter is currently dealing with a stalking ex-boyfriend. There was an apartment break-in and one worry was installation of tracking/logging software on a PC. The police are handling this one and doing a good job on it, but this is the overwhelming exceptional case. These types of circumstances can't apply to most of what we see here.

    While it is always prudent to be self-aware of your situation, endlessly scanning logs and responding to false alerts should not be the norm for a typical home user.

    With respect to some of the questions:
    PC? None, I use a router. I also believe that achieving stealth is basically a misguided adventure.
    Rather infrequently - but this metric should be approached with caution. It is the exceptional event that users should be guarding themselves against, not a norm of continuous attacks from the ravaging hordes. I see this as a part of the education dilemma that can be addressed and a part of the reason you don't need an absolute fortress. Most users are assisted by very simple measures that are turnkey solutions in the form of well designed security applications, custom configuration, and so on.
    In the entire time I've tested/used various HIPS products - once, on my son's machine. BOClean alerted as well, KAV WKS missed it, and it was real malware. So, out of what was likely many hundreds (thousands?) of pop ups overall, one was real. I view this as a very real problem with this class of application if they are targeting mass market use.
    It's not. Users obsessing over this are focused on the wrong issues.
    This is a new one to me - I guess one person's paranoia is another person's market opportunity.
    It shouldn't.
    Never use a tool if you don't know what it does. You really don't need to understand in depth how it works, but you really do need to know what it does. Once HIPS get much more complicated than simple allow/block execution, most potential users are treading on very soft ground.
    Agreed
    Don't lose track of the fact that while malware started as simple cyber-vandalism with no monetary goals, it is now a money making enterprise. Many purveyors of malware have clear commercial goals. Security providers certainly play on that reality to push sales, but the implied statement that security providers are necessarily the primary drivers here is simply a misguided conjecture.
    While both suggestions have generally positive outcomes, they are unrealistic approaches in general and as indiscriminate as the HIPS solutions noted above. I simply don't see an operational difference between a false alert raised by, for example, a HIPS program and that mental false alert associated with an admonishment to automatically delete each and every email with an unexpected attachment. Both approaches scream of overkill.

    From an industry perspective, some of the newer approaches are offered as an alternative to signature based approaches which may run into a performance brick wall as the database of known malware continues to expand over time. A key question is where that brick wall sits - and that's really unknown. At present, it is clear that signature based offerings still have plenty of staying power, while some of the alternate approaches have clear compatibility issues with Vista in its current form.

    You're right that many users need to step back and reassert their grip on reality. While oodles of options and distinct approaches are available to users, they really shouldn't adopt them all at once. IMHO they all represent distinct approaches to the same goal. My generic base recommendation? Router + AV or suite. Want to control communication out? Add a software firewall as well. Too much impact on performance? Go with a "lighter" AV. Still too much impact? Take advantage of security policies, virtualization/sandboxing, or start down the road of execution control/application firewalling. Still too noisy or slow? Go with a straight lockdown approach or put yourself in a position of running bare and being able to manually deal with any eventuality. The different approaches, and there are many, should not be merged into a monolithic package, but really should be treated as separate implementations with their own benefits and risks.

    Any of them can work, any of them can fail. The key is understanding which are more likely to work, work well for you, and not saddle you with that vague air of paranoia every time you fire up your favorite browser.

    Blue
     
  18. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    Mrk,

    Internet won't hack you unless you provoke it

    I like it, it's a list of dos and don'ts that anyone new to security will find useful, and an entertaining rant too. What I had in mind, though, was the next step, an introduction to the underlying mechanisms. For instance,
    is a useful metaphor, but it doesn't explain what's really going on. If I accidentally shut down my firewall, should I panic? (It's a rhetorical question).

    To take another example, the section on P2P is how I run P2P, it's a good guide to staying safe. Also, I don't feel I'm taking any (security) risks with P2P, because I've read elsewhere that vulnerabilities in P2P apps are very rare. What I don't know is WHY they're rare. I'd like to find out.

    So anything that would add knowledge to the basic guidelines would help people make more informed choices about security software and procedures. It seems there's a gap to be filled, as I've only picked up that kind of information in a piecemeal way, if at all. sukarof puts it succinctly:
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Thanks all, once again for a very nice discussion.

    Escalader, I'm willing to participate, just a few clarifications:

    OS - you mean Windows, of course?
    Default browsers - am I allowed Firefox?
    Default settings on OS - does that include Windows firewall?
    System updates, am I allowed?
    Can I use non-MS software, like OpenOffice?
    The machine needs to be stand-alone, I presume, no NAT/ICS?

    What should I do? Browse? Chat? Porn?

    Mrk
     
  20. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    From past experience in starting similar threads, You are never going to get that. Pretty much Everybody is going to agree with you (or stay silent), for fear of being seen as paranoid.

    If a visitor only read such threads he would have thought that everyone here feels HIPS are a joke and totally unnecessary.

    The reality is totally different as you know.

    There are "gurus" walking around lecturing on how insecure the OS is, and how HIPS is totally necessary

    "experienced members" saying that HIPS X sucks because it fails to block test Y (despite the fact that various threads created have established that no one cares much about such tests lol).

    You see people jumping ship to a newer HIPS product A for various reasons.
    In one case the older product B, is criticized for lack of development and support, okay fair enough.

    But in another case the older product C is being developed at an impossibly rapid rate, answers to support questions are rapid, and yet I still see self described "refugees" cursing that they bought Product C instead of A.

    Why? Because Product A is getting way more hype and attention than Product C.


    LOL. I thought you wanted answers that weren't 'liberal', mine are the only ones you are likely to get.
     
  21. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I go through phases with security apps. For a while it's max amount of apps. Now ondemand just Sygate & KAV. I'm good.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    Another thing I wanted to say: We all pay lots of money to be online. We might as well enjoy it. The world is so full of grief and war. Should Internet also be turned into another evil battlezone? Lean back, relax, enjoy.

    Of course, none of this applies to people who LOVE to tweak and for whom the issue of security is fun. I meant the average people for whom the PC is the means and not the end.

    Devil, I have no problem with people jumping board from product A to C. Or loving it. Or enjoying the thrill of tweaking / hacking / ruining their own systems. I love to do it myself. But when asked by someone "outside the circle of trust", I tend to approach it from a different angle. You cannot heap the burden of your security fun on an unsuspecting casual user. It's unfair. Like a doctor telling a patient all about his troubles with medicines. Sort of like Doc Daneeka in Catch 22.

    Throw a list of 80 applications at a newbie and tell him to pray every night because nothing will save him ... instead, we could give him a few tips here and there, explain a few concepts. Give him a nice, easy comfy intro into the world of security. After all, learning through fun is the most effective way.

    That's my rant for now, cheers.

    Mrk
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    That's good advice, to anyone.

    Blue
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    We are already way past this. Prosecurity and SSM are an example of the "put every feature and option into the interface as you can think of, prompt on everything" approach brought to its limits. Pretty much ProcessGuard/Appdefend x100.


    And yet I see some self proclaimed experts using such products running around saying that his 3 year old offspring has no problems understanding what each prompt means (never mind that some of the prompts are so cryptic that even the average degree holder with computer science is baffled (if he was honest)). Or another guy saying that PS is great for people who don't know the correct answers to questions!!


    I think Prosecurity does this total control approach slightly better than SSM currently (all that load libraries stuff), which explains all the 'refugees' from SSM to another. More control = good right? Never mind if we never use it at all, and just click yes to it without thinking much.

    I think in time to come the successors to Prosecurity will be prompting you on every single CPU instruction cycle. Now that's control!

    Or more likely invoke the idea of layers and use them all!

    Firing my favorite browser doesn't saddle me with paranoia.

    Nothing saddles me with paranoia compared to after reading this forum!
     
  25. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    An excuse. People switching believe that they are more secure after switching and not just because they enjoy tweaking (though that might be a reason for the beta testers).

    I seriously doubt anyone would switch if they thought it was weaker or even provided exactly the same amount of protection. I'm talking about people who really believe that if they don't keep up with what Wilder's considers 'state of art', they are in trouble and should switch.

    I mean take PG, people say it sucks cos it hasn't had an update for a while compared to say newer products that release once a week or something. They say it is a problem also because the lack of support and answers at the forum.

    What is the lack of support they are concerned about? Well seems to me they are worried about PG failing some tests (like the Comodo leak test) or the keylogger/terminate tests of SSM and these are the questions they want answers to. Ergo, they are worried about their security...
     