Thoughts on minimal security

Discussion in 'other security issues & news' started by moriez, Oct 4, 2010.

Thread Status:
Not open for further replies.
  1. moriez

    moriez Registered Member

    Joined:
    Apr 20, 2006
    Posts:
    4
    Hi all,

    Sorry if this has been brought up before but I'd like your thoughts and/or suggestions. After installing XP again I am confronted with the question what security measures to take in the year 2010 and if at all neccessary. At the moment I have my setup @performance and run a minimal set of security:

    -XP is fully patched,
    -use the XP firewall
    -browse the net with Firefox w/adblock plus /no-script /ghostery
    -computer is behind a wireless Speedtouch 706WL which seems to have some firewall function (will have my ISP confirm this.)
    -I keep my processes/services in check through the task-manager and disabled all automatic updates from my (trusted) apps.

    I see the benefit of AV and decent FW but in recent years I have been infected with a virus or malware only once or twice. I am not worried about that. I am convinced an infection of some kind will not happen to me that easily because I know what to click and what not click although there may be some good trick once every blue moon. The thing that ''concerns'' me most is that big brother can follow my every move by IP logging. Is there other stuff out there that is worrysome these days?

    So, concluding, what do the guys -who seem heavily into securing their putors- think of (my) minimal security performance orientated set-up vs a better safe than sorry set-up. Discussion on the subject more than welcome to help form my and others opinions.

    Thanks!
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My personal opinion is that if you put forth the effort to learn, situations like you describe are very common. Moving past the need for using many different security techiniques is a process. If you understand your actions and how much risk they pose, you might be able to get rid of many of the tools you used in the past.

    You don't mention if you log in as Admin or User. You don't mention if you download and execute a lot of files, or if you do a lot of banking etc. What you have stated is only 1/2 of the picture. To allow other people to assess what they think, you should provide a little more detail. For instance, if you said you were using SuRun with LUA and SRP, I might say it sounds good. If you said you were running as admin with exactly what you have stated, then I might say have you thought about LUA or Sandboxie.

    Unless you do something that you worry about tracking, why do you worry? That is another topic that I believe for many eventually loses importance. I know it has for me. If someone were to monitor my use of my machine, they must be pretty bored indeed, unless they like all the useless tech sites. I pay a lot of attention to my banking practices though, much more than I used to.

    HTH.

    Sul.
     
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I started the first thread at Wilders claiming that what we have come to call "light virtualization"...specifically Deep Freeze and Anti-Executable..ALONE...rendered almost all of our security tools moot. It was extremely controversial and, at that time, most people had never heard of Deep Freeze (or any product like it); they would ask if "it's like what they use at libraries?" Of course that thread was 6 years ago. But, I believed it then and still believe it today. Sure there are exotic possibilities that - theoretically - could get past this setup, but it's so remote it's not even worthy of serious thought. So, I don't think you're too far off-target. Though I still believe the setup just described would make you near bullet-proof. Just add a myriad of products introduced since that first thread, it's no longer just Deep Freeze - there's Returnil, Rollback, Shadow Defender, Power Shadow and on and on.
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,220
    Another vote for Sandboxie and/or Shadow Defender (although its future is in doubt). Backing up full images of the OS would also qualify as minimal security.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    I think your minimal setup is fine if it suits your needs and experience. I prefer a minimal setup myself, but I do still use an AV. I have, at times, gone with just LUA/DEP/SEHOP and so on, no AV. Still, I usually end up returning to using an AV, just an old habit that dies hard I guess.. It's all up to the individual user though, some feel they need all the heavy security apps, and others know they don't need 'em. To each his own, as they say....
     
  6. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    OS and all apps fully patched. Firewall. Enough common sense. Not enough common sense, you might add an AV. That's good for me after years of playing with toy apps.
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Minimal? That would mean minimal 3rd-party apps right? Assuming that's the case:

    Common sense, safe browsing/downloading habits is good enough. Keep yourself updated with knowledge if you have the time to.

    Using Windows internals:

    If all you do is to use your PC for daily browsing, stick to a limited user account...you can still do your admin tasks with the admin account or add SuRun for ease of usability.

    Disable AutoRun and you're good to go.

    If you want even further restrictions, you can use Software Restriction Policies.

    How about 3rd-party apps?

    Well, if you want, add in a lightweight AV for optional user space protection.

    There are are other routes such as sandbox, light virtualization, HIPS, behavior blocker, etc. You can opt for 1 but don't go any further if you're really keen on sticking to the 'minimal' concept.

    That's just about it really.
     
  8. moriez

    moriez Registered Member

    Joined:
    Apr 20, 2006
    Posts:
    4
    Right, your replies have given me somewhat of an idea of what I want and what is possible.

    I thank you all for your time :thumb:
     
  9. ddot

    ddot Registered Member

    Joined:
    Apr 7, 2009
    Posts:
    17
    This is how I see it. Most of the points in this thread revolve around ideas like sandboxes, virtualization, preventing code from auto running, preventing coding errors from being exploited and limiting access to the internals of the OS. When used smartly, various combinations of this should prevent any code from executing without your explicit permission.

    However I assume you install new programs from time to time. I assume you trust that program or otherwise you won’t be installing it. But what if it turns out that you trusted the wrong program?

    With the types of programs/strategies listed above, your protection ends once you give it permission to execute. What if you accidentally downloaded a fake version of the program? What if the website where you downloaded it from was hacked and malware inserted into the real program? Or what if, in a moment of foolishness, you tried out a program you came across that looked ok but wasn’t?

    Once you’re past the execute stage, only things like anti-viruses, behavioural scanners, hips type applications or any other program that checks things behind the scenes are going to be useful.

    I’m not saying you need any anti-virus/behavioural/hips application. The question is just how much do you trust what you allow to execute and make sure you realize the limitations if that trust was to ever be taken advantage of.
     
  10. katio

    katio Guest

    You see it wrong. My edit should suffice as the rebuttal... ;)
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    What defines "minimal security"? Number of applications or programs? Number of processes running? Memory, resource, disk space or bandwidth usage? Amount of user interaction or setup time required?
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I should think the most 'minimal' of all you have listed. It is to me anyway. Sometimes you can't be minimal in complexity but can in resource load or user interaction (pop ups). I should think Sandboxie would be the clear winner for a one stop shop minimalist tool. One program that can just about cover every need. Maybe the real winner would be System Restore? Or disk imaging, that is minimal, and I don't think you can find a better form of protection than a known good image ;)

    Good post noone :thumb:

    Sul.
     
  13. Jav

    Jav Guest

    Offline on-demand scanner or even online scanners such as virustotal.
    Check the web site reputation.
    Check digital signature and hash, so there is noway you will end-up with rogue version of the software you wanted to get in first place.
    And basics like this...

    But I see your point. And I agree with you. One may accidently put his trust on something wrong. Evrything is based on trust and it's really hard to define who is 100% trustworthy.
    You can check digital signature and be sure it is from the company who claims it is from. But who to trust? Microsoft? Adobe? Anything ltd?
    Do you trust third party extensions installed on your browser? Your addblocker? I don't =/
    see? It can go on forevar... Who to trust?

    Yeah, probably one will still need some second opinion. Be it some on-demand scaner, online scaner or something else.
     
    Last edited by a moderator: Oct 8, 2010
  14. ddot

    ddot Registered Member

    Joined:
    Apr 7, 2009
    Posts:
    17
    Excellent points. That's why I’m running Avira on-demand in combination with a Sandboxie/LUA/SRP setup. Allows me to double check things after an install to ensure I didn't inadvertently allow something I shouldn't have. Just one more layer.
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    At the moment, my desktop has a fairly minimal approach to security. I've been through phases of installing multiple security programs on other computers. It is Win 7 64 bit, which is supposedly safer than 32 bit, although I am not sure exactly why. I have MSE & apart from a router firewall (plus Windows firewall of course) the rest of my security is at the browser end. This includes NoScript, Ghostery, JS whitelist (Chrome/Iron), WOT & adblocking. I may add programs later when I learn more about their compatibility with 64 bit, but to be honest, common sense is probably the best approach to avoiding malware. I'm sitting behind two firewalls & have a decent AV, browser protective methods, & I am careful where I surf & what I download. I feel pretty secure. :cool:
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    To me, minimal means very little system load, little disk space usage, and little if any effect on system performance. That rules out most AVs and security suites. There's nothing light or minimal with checking every file, process or activity against a ridiculously long list of undesirables. I've often suspected that this type of activity shortens hardware life.

    I use the same package on all versions of Windows from 98FE thru XP, with only the version of SSM changing. On XP, their combined memory usage is 14,420KB and uses 22MB of disk space, half of which is alternate and test configurations. On 98, the memory load is even less.

    Although the initial setup required a lot of user interaction, during normal usage now, it requires none. The apps all work silently, which takes all the risk out of letting others use the PCs. It takes away the need to patch every possible exploit ASAP because any payload that enters thru an unpatched vulnerability won't be able to execute anyway.

    For me, minimal means:
    Take the time to build, equip, and secure your system right the first time. Then relax and browse where you want, do what you want, let whoever use it, and not worry about it. Update when you feel like it or when an update offers something you actually want. I'd be willing to bet that the amount of time I spent building and securing my system is far less than most people spend trying to keep a default-permit system semi-secure.
     
  17. katio

    katio Guest

    Not any, but most. Not all vulns require execution. Default deny is not an answer to everything, you need at a minimum also privilege isolation.
    I see you are using very old operating systems which weren't being designed with security in mind from the get go (MS really started dealing with security proactievely with XP SP2, still only bolted on none the less), that translates into lots of kernel holes which again means lots of critical patches, so I don't really share your viewpoint on this one.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi katio,

    Can you elaborate on this, and point to an exploit in the wild to illustrate?

    thanks,

    rich
     
  19. katio

    katio Guest

    Anything that uses "data" files instead of "executable" files really, default deny policies don't cover these. PaX, NX, DEP, ASLR... on the other hand do for some classes of bugs and isolation can mitigate to some extent. Also default deny will stop them if the shellcode is only used to drop an executable. But strictly speaking the first stage still "executes" successfully, despite your execution prevention, even if it can't actually do anything "useful". And then there are macros, interpreted code like perl and python and batch/bash/... scripts, again not stopped by default deny unless you deny execution of the interpreter itself.

    Random examples off the top of my head:
    old but scary, it's kernel level, so even isolation could be circumvented (unless you use VMs +secure hypervisor = isolate the kernels themselves too) and of course also any default deny policy you have deployed (SYSTEM or root user can execute absolutely anything): http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

    http://www.mozilla.org/security/announce/2010/mfsa2010-08.html
    http://secunia.com/advisories/search/?search=png
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385

    That's my favourite class of bugs:
    http://securitytracker.com/alerts/2006/Aug/1016621.html
    The only defense against them is Qubes OS which not only isolates kernels but network drivers as well.
    Yeah, even OpenBSD doesn't (note the NOTE ;) how typical for them, Linus does it too I heard....)
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1365

    Anything in the wild? I really hope not... Above is all patched now, a few were in the wild and can still be used successfully against people who believe they don't have to keep their stuff updated because of their uber secure setup...
     
    Last edited by a moderator: Oct 9, 2010
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi katio,

    Thanks for your clear explanation.

    A few comments:

    Most anti-execution products do not intervene at the shellcode stage, for sure. Here is a statement from the paper by the researchers of the soon to be released BLADE product:

    BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
    http://www.blade-defender.org/BLADE-ACM-CCS-2010.pdf

    Indeed, you may remember Aurora at the beginning of this year:

    'Aurora' exploit retooled to bypass Internet Explorer's DEP security.
    http://www.darkreading.com/security/-vulnerabilities/showArticle.jhtml?articleID=222301436

    It's a cat-and-mouse game out there!

    Regarding your comment,

    Are you aware of buffer/integer/stack exploits in the wild that did not drop an executable?

    I've searched in vain, and found a few that targeted specific organizations, one attacked an Oracle database program.

    Take MS06-001 that you reference, the infamous WMF exploit.

    I happened to be online in December/05 when the first attack, the unionseek.com site, was reported at sans.edu. It attempted to drop an executable:

    [​IMG]
    [​IMG]

    Now, there was quite some hysteria over at the DSLR security forum because someone took the shellcode and showed how it could launch the calculator, proving that the shellcode could really do anything it wanted to.

    Several of us followed this exploit for some weeks and never found an example that did not drop an executable. A researcher at Sophos, I think, asked rhetorically, Why would they do otherwise? The money is made by getting a trojan onto the computer to set up C&C, etc.

    The reason I asked is that I make a distinction between a vulnerbility, and an exploit based on that vulnerability. Until I see an exploit, I don't pay too much attention to the continous barrage of vulnerabilities released daily. I realize I'm in the minority, but I make a risk assessment to determine what steps to take. Most of the time, there is nothing to do!

    To relate all of this to the topic at hand - minimal security - I will say that in my security work, which I'm doing less of these days, I work 1-on-1 with a home user.

    The first stage in setting up minimal security is to have a sound set of policies and procedures, regarding email, social engineering tricks, and the like. No one I've helped would be fooled by the rogue AV stuff, and the fake update messages, should the user get redirected to a malicious site, would be ignored because of following a sound policy about that stuff.

    A properly configured firewall prevents attacks such as the slammer worm, conficker.A, and the like.

    A properly configured browser prevents a huge percentage of drive-by attacks from even starting - the PDF exploit, for example.

    A robust default-deny product prevents unauthorized running of executables from any source, USB for example. It also prevents kids from downloading anything to the family computer not authorized by the parents.

    Other security measures to be suggested, depending on the user's computing habits. For example, a non-U3 type flash drive will not execute Autorun.inf. A good AV to monitor files downloaded on a regular basis -- very comforting for students at college. And so forth...

    While it can be safely hypothesized that a shellcode attack could do damage, nonetheless I'm not inclined to worry too much about it, unless exploits as such start to appear in the wild.

    Again, a risk assessment would determine the likelihood that a user would encounter such an exploit.

    regards,

    -rich
     
    Last edited: Oct 10, 2010
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rich, I agree completely

    Some rare situations lead to program errors, a minority of those errors lead to vulnabilities, some of these are exploitable (e.g. the context can be created to change the code sequence in a controlled predictable manner), an even greater minority makes it to the wild (because computer configuration differ massively, the controlled hack must apply on a sufficiently large crowd[1]). Media seem to suggest that every vulnability will automatically lead to infection and mass spread of some whhhhhhhooooeeee exploit (everything is called exploit also).

    Example
    Most software can't be tested against all situations it could meet. Most of the time all known variations of the 'good' are tested, it is the error handling or rare situations which are often not completely tested [2].

    Example a buffer overflow occurs with a header of a PDF greater than 500 bytes. Obviously the programmer forgot to check the format of the header before processing it. When testing software who uses a header larger than 500 letters (bytes, assuming it is a string)? This in the context that all text writers know that they have to produce headers with 5 words maximum for maximum reader attention (see BBC news as a great example). So it is not strange when testing the PDF reader against several real world situations no one notices the program error.

    Next we have a bufferoverflow vulnability (again whhhhhhhooooeeee), any idea how hard it is to exploit a bufferoverflow vulnability? Now let's assume the malware writer has a way to find the offset right, he only has taken the first hurdle: injecting code to change logic of some program running.
    Next he has to find a way to drop an executable, execute it and make it persistant on my computer (survives re-boot) and get access to Admin or System rights level to own the computer.

    The fun of it
    It seems that running external code is the end of the world. I run external code all the time (javascript, flash, PDF. XML, etc) and nothing happens. As a matter of fact when I add an emoticon on this board I might initiate some external code :argh:

    Regards Kees



    Notes
    [1] The benefits of using another OS (Apple, Linux) or Webbrowser (Opera) or other PDF reader (supposed benefit of Foxit over Adobe, above example was a Foxit vulnability when I recall correctly).

    [2] The benefits to go with the crowd, chances are low you are the one who be hit first, applications with a larger user base tend to be more solid than their smaller competitors.

    You could combine 1 and 2 to stay on XP (or like Rich on 2000), all known exploits are covered, it runs blazing fast on new hardware, why exchange proven robustness for eye-candy improvements?)
     

    Attached Files:

    Last edited: Oct 10, 2010
  22. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Speaking of WMF...

    The exploits, our buddy, StevieO, gave us, didn't do the usual download and execute kind of routine... :) /just kidding :D ...they are not in the wild exploits but just benign test POC's that merely launched calc.exe or crashed explorer.exe.

    If I could remember, the well advertised Hardware DEP didn't stop the POC's most of the time as well as other buffer overflow protections like Comodo memory firewall, while Sandboxie contained all(?) of them and classical HIPS(if configured) were prompted of any activity after the initial shellcode injection or execution stage i.e, launching of calc.exe in this case.
     
    Last edited: Oct 10, 2010
  23. katio

    katio Guest

    Rmus, thank you for the in-depth reply.
    I think, given that these kind of setup and policy is getting more common, and surely already is in sensitive environments, government, large enterprises, hospitals what have you, there is a very real risk of an targeted attack that bypasses the policy and doesn't rely on the conventional shellcode drops executable staged attack. Since it's targeted (and such targets usually prefer covering it up if they get hacked) no wonder we don't see anything nasty like that attacking random internet surfers. Therefore, very good points and I actually agree with your conclusions.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, his and some others' PoCs were very helpful in more ways than one.

    For example, it wasn't just the Windows Picture and Fax Viewer application that was vulnerable. This was a dangerous, mistaken assumption and not realized until a detailed description of the exploit appeared. This was a good one:

    How To Protect Yourself From The Windows Metafile Vulnerability
    http://www.bleepingcomputer.com/forums/topic39047.html

    securityfocus.com listed a number of vulnerable applications:

    Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution Vulnerability
    http://www.securityfocus.com/bid/16074



    Those who didn't want to use an actual exploit could use the PoC to test their own imaging program. Some programs such as Adobe Photoshop don't use that engine, nor recognize that file type, thus displaying an error message:

    wmf_photoshop.gif

    Using an actual exploit to test IrfanView, which was vulnerable, the firewall alerts to the outbound connection attempt to download the malware:

    wmf-xsplad-irfanview.gif

    Question: In a previous post, I showed the exploit running from a web site and the payload executable blocked. Why did no firewall alert appear as the exploit was triggered?

    Answer: The web-embedded exploit uses the browser to connect out, which is a trusted application. IfranView, an imaging program, is not listed as a trusted application with the firewall (or shouldn't be!) so it is not granted free access to the internet.

    Another assumption that floated around the security forums was that this was a .wmf file type exploit, and all one had to do was to blacklist that file extension. Evidently people didn't read the Microsoft Advisory carefully:

    Microsoft Security Bulletin MS06-001
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
    http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
    Interestingly, when I renamed a .wmf file to .jpg, IfranView displayed this when attempting to open the file:

    wmf-testjpg-irfanview.gif

    There are many lessons regarding security -- minimal or otherwise -- from this exploit.

    1) It was a carefully crafted exploit aimed at millions of Win XP users, where the Windows Picture and Fax viewer was installed by default, using the .wmf file extension which would trigger automatically from code embedded in a web page. (Win98 and Win2K were not vulnerable to this attack vector. Win98 didn't have SHIMGVW.DLL and my Win2K didn't have the .wmf file type registered).

    2) The average user was not likely to be aware of any of these things that were going on behind the scenes, and, unless they kept up with security matters, would probably not even know about the exploit itself until a patch was released. Does that mean they were automatically vulnerable? Maybe, maybe not...

    3) Many knowledgeable people who follow security matters jump to conclusions without verifying sensational reports with information from tried and true security research sites. While this is not always possible in the early days of an exploit, careful users will not accept at face value everything they read, and will search around/wait for verifiable descriptions.

    4) The use of another imaging program for this exploit would require user interaction, ie, clicking on a file to open in the program. How would such a file get onto the computer? Another possible attack vector suggested was email attachments (although I never heard of any in the wild). This would require the user to open such an attachment, violating a principle of sound policies about attachments:

    • ignore those from unknown users,

    • verify those from known users.

    5) An application firewall is protection against untrusted applications being used to connect to the internet. PDF exploits, for example, use the PDF Reader to connect out.

    6) This, as with most web embedded exploits, drops a binary executable payload. With protection in place against such payloads, users are protected from all such exploits, where AV is often a day or two away from getting signatures, as in this case, for both the .wmf file and for the executable payload.

    7) For people with the above security and sound policies and procedures in place (the "maybe not" from 2) above), this exploit was not an imminent threat, notwithstanding all of the media hoopla! The same can be said for today's PDF exploits.

    ----
    rich
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome, katio.

    By definition, the home user is not likely to see a targeted attack. We are happy for that!

    regards,

    -rich
     
Loading...
Thread Status:
Not open for further replies.