What are the odds?

Discussion in 'other security issues & news' started by Devil's Advocate, Mar 6, 2006.

Thread Status:
Not open for further replies.
  1. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    One thing Wilders has taught me is that handling security is a matter of
    "risk assessment and mitigation" as Bluezanttie puts it in a recent post.

    I believe risk assessment consists of 2 parts, one is the actual odds of it happening (likelihood) and another the severity of the damage if it does occur.

    I personally have no problems with the second part, though we can discuss that in another thread if you want. But the first part is kind of hard, you read about all sorts of scenarios out there that can lead to infection, but which ones are likely?

    I'm going to list a couple of common scenarios, and you experts can tell me what you think the odds are of that happening. If you think the risk of that scenario coming true is very very high, rate it 10. If you think it is impossible, or nearly so rate it 0.

    5 would correspond to it happening roughly once a year. Each point above would be twice as likely. And each point below would be twice as unlikely.

    So
    0 = Almost impossible
    1 = Once every 16 years
    2 = Once every 8 years
    3 = Once every 4 years
    4 = Once every 2 years
    5 = Once every year
    6 = Once every 6 months
    7 = Once every 3 months
    8 = Once every 45 days
    9 = Once every 23 days
    10 = Once every 11 days

    The key thing is to allow us to get a sense of what you judge is of a higher likelihood.

    Also you can answer, based on your current setup.

    E.g. I think the risk of getting infected by just visiting a site due to a zero day exploit is a 0 (almost impossible) because 1) I have javascript, java, etc. turned off 2) I keep up to date with patches and workarounds for unpatched things.

    OR

    "I think the chance is moderately high (about once in 2 years), that is why I do x,y,z"

    The questions will be in another post
     
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Browser related risks

    1. I visit a website and before I can do anything malware is loaded and run on my computer without any user interaction due to

    a) an unpatched vulnerability that is not known publicly.
    b) an unpatched vulnerability that has been announced, but no patch is available yet.
    c) an unpatched vulnerability (patch exists but you did not patch)
    d) a misconfiguration in my settings.

    2. I visit a website and I accidentally allow some malware to start and install because of a misclick

    Being hacked

    3. I'm port scanned by a hacker, and using his "hacker magic", he manages to own my computer due to exploiting

    a) an unpatched vulnerability that is not known publicly.
    b) an unpatched vulnerability that has been announced, but no patch is available yet.
    c) an unpatched vulnerability (patch exists but you did not patch)
    d) a misconfiguration in my settings.

    Being hit by malware

    4. I download some new program and install it, but it turns out to be bundled with adware (try reading EULA next time!).

    5. I download some new program and install it, but it turns out to be a malicious trojan horse with a rootkit.

    6. Same as 4 and 5, but it is not detected by my primary antivirus/antitrojan.

    7. Same as 4 and 5, but it is not detected by ANY antivirus, antitrojan etc.

    8. Same as 4 and 5, but it is not detected by ANY security software on my computer (for HIPS assume it either doesn't alert, or you dismiss the warning as being not dangerous)

    9. I download a new version of a trusted program, but unknown to me it has been subverted and replaced with a trojanised copy.

    Phishing and Pharming

    1. I get tricked by a phishing email
    2. My cookie/password is 'stolen' via XXS attacks
    3. Pharming (DNS poisoning) occurs
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can non-experts respond? :)

    Interesting survey. I assume you mean "odds are of that happening" to the respondent, and not that we project it as likely to happen to others, for we can't know others' setups and thinking.

    Browser related risks

    1. I visit a website and before I can do anything malware is loaded and run on my computer without any user interaction...

    0

    Running in some type of "virtual" environment, or with anti-execution protection such as SRP or other products prevents malware from loading/executing.
    _______________________________
    2. I visit a website and I accidentally allow some malware to start and install because of a misclick

    0

    same as above
    _____________________________
    Being hacked

    3. I'm port scanned by a hacker,

    0

    Firewall protection
    _____________________________

    Being hit by malware

    4, 5, 6, 7, 8 I download some new program and install it,...

    0

    Just based on experience and good judgment; using sites that I know to be trustworthy. Has worked for 12+ years.
    ________________________________

    9. I download a new version of a trusted program, but unknown to me it has been subverted and replaced with a trojanised copy.

    0

    Can't imagine this happening to me, for the same reason as above.
    ______________________________

    Phishing and Pharming

    1. I get tricked by a phishing email

    0

    Common sense has protected me. My email program filters 99% of these to the trash bin.
    _________________________________

    2. My cookie/password is 'stolen' via XXS attacks


    EDIT: eyes-open just clued me in that XXS refers to cross site scripting, so I'll leave this unanswered until I find out more about how this works.
    __________________________________

    3. Pharming (DNS poisoning) occurs

    0

    Using custom address groups in the firewall for my secure sites blocks this exploit

    ----
     
    Last edited: Mar 6, 2006
  4. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Rmus you are way more confident than me!

    I suppose if I meant the possibility of this happening, independent of any security aids? If this possibility is large enough it would help people decide whether to invest in anti-execution or sandboxing/virt stuff.


    But I must say your answers don't help me very much, because if everything is equally likely, I should guard against each of them equally. :) You mind telling us which ones you think are most likely?
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    So you're asking "independent of any security aids"? What, even no FW or router, or do you mean with just one or both of those? I'll answer with just a bidirectional FW then, because I think it would be most unwise to go online without one, at the very least an inbound one.

    Well if that means without any security Apps whatsoever, it's down to how we have configured our PCs and browsers, and if we have all available patches in place etc. I've already stated in another of your threads, that I feel that if I didn't test Apps and visit potentially dangerous sites, then based on all the surfing I've done and stuff I've loaded, apart from one App that was infected with something that I DL'd, I would have been 100% safe! But as nice as that is, and as light as my system would be, that does NOT guarantee in ANY way it would remain nasty free for ever, does it. No matter how vigilant I try to be, who can ever plan for unknowns?

    So far I've remained 100% safe surfing those sites and testing etc, because of the way I've configured my PC and IE, and have Apps running that have also jumped in and protected me as and when required.

    Lately I'm wondering more and more how I find all the time to devote to surfing around and testing etc, with everything else I do too, oh yeah plus sleeping now and then lol, plus I'm as safe as I know how at this present moment. So I may start to have a rethink about all this, and who knows you might see me disappear altogether! Well you wouldn't see me of course, as I wouldn't be here. Then again I'm not really anyway am I, as it's only 1's and 0's and pixels anyway.


    StevieO
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm sorry they don't help. I responded as I see the scenarios from my vantage point.

    Independent of any security, they are all theoretically 100% possible, as demonstrated by the recent WMF exploit. To rate the likelihood of occurrence under those circumstances, independent of any security aids, would be a guessing game, it seems to me, something I'm not very good at. For instance, the probability a person would go to such a site in the first place, or click on an e-card attachment with the exploit. How could you arrive at the odds of that happening?

    I would think the recent Remote Code Execution exploits are proof that investing in the stuff you mention would be wise.

    ----
     
    Last edited: Mar 6, 2006
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    1. I visit a website and before I can do anything malware is loaded and run on my computer without any user interaction due to

    a) an unpatched vulnerability that is not known publicly.

    0-1

    b) an unpatched vulnerability that has been announced, but no patch is available yet.

    0-1

    c) an unpatched vulnerability (patch exists but you did not patch)

    0

    d) a misconfiguration in my settings.

    0-1

    2. I visit a website and I accidentally allow some malware to start and install because of a misclick

    0 (if I do this, I hit myself over the head with a sledge)

    Being hacked

    3. I'm port scanned by a hacker, and using his "hacker magic", he manages to own my computer due to exploiting

    a) an unpatched vulnerability that is not known publicly.

    1

    b) an unpatched vulnerability that has been announced, but no patch is available yet.

    1

    c) an unpatched vulnerability (patch exists but you did not patch)

    0

    d) a misconfiguration in my settings.

    0-1

    Being hit by malware

    4. I download some new program and install it, but it turns out to be bundled with adware (try reading EULA next time!).

    0-1

    5. I download some new program and install it, but it turns out to be a malicious trojan horse with a rootkit.

    0-1

    6. Same as 4 and 5, but it is not detected by my primary antivirus/antitrojan.

    1

    7. Same as 4 and 5, but it is not detected by ANY antivirus, antitrojan etc.

    1

    8. Same as 4 and 5, but it is not detected by ANY security software on my computer (for HIPS assume it either doesn't alert, or you dismiss the warning as being not dangerous)

    1

    9. I download a new version of a trusted program, but unknown to me it has been subverted and replaced with a trojanised copy.

    1

    Phishing and Pharming

    1. I get tricked by a phishing email

    0

    2. My cookie/password is 'stolen' via XXS attacks

    0

    3. Pharming (DNS poisoning) occurs

    0

    This is the roughest estimate I could make.
    Now as to why?

    Without going too deeply into details:

    Browser vulnerabilities - javascript / java off, underprivileged.
    Misclicks - I do misclick sometimes - only to see the dormant little javascript would-be action in the bottom bar of my browser, but this happens once in 3-4 months. But it's a long road from misclick to misinstallation. And then, some more.
    Hacking - Inaccessible ports, software with little chance for system-wide propagation.
    Downloads - Theoretically yes, but practically no. Actively seeking and finding the super malware and wanting me to run it on my PC, plus zero detection, it can happen - once in 54 years...
    Fishing and farming - I have no friends, I don't get mails or use IM ... :)
    Mrk
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    http://www.cgisecurity.com/lib/XSS.pdf

    Cross site scripting has more to do with the security/quality of code of the sites you browse on than the security of your personal workstation (though it can be prevented locally - by turning javascript off or "filtering" it).
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    In response to your questions
    answer to all== Possible, but highly unlikely
     
  10. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Of course, I'm not an expert, but one observation I think is fairly easy to make :

    1) Infected through the browser, due to (d) A misconfiguration in my settings.

    If you are using IE, with standard security settings...and no other security...then go and visit say, 30 porn sites in a day...the chances of getting infected are pretty high....do that for a week, and it's almost guaranteed that you will get infected.

    Of course with good IE settings, or firefox with noscript etc...the chances drop dramatically.
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... are there many known unpatched exploits for IE out there? 'Cause if not, it seems to me that your estimate is way too pessimistic.
     
  12. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hmmm... trying to remember... I may be thinking back to pre SP2 (which was around the time that I started hardening my system settings anyway)... so you 'may' be right.

    ...then again, I remember running a test on one particularly nasty site (in shadowmode) that came through IE (even with security setting on high), but not Firefox. That was only about 5 months ago.

    However, the simple fact is (by reports on % of people infected... and also by how much the internet security industry has grown) the vast majority of people are still getting infected. The two major ways have always been through the browser (I know DA has broken the ways through the browser down) and through email... with the IM infection vector starting to gain ground.

    edit : Sorry DA, don't mean to hijack your thread. Hope you get more replies :)
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Maybe not really "the vast majority" are getting infected, but sure there are a lot; however, you forget one important factor: many people who get infected do not even get infected through exploits. In fact, I really doubt that the majority of people get infected because of a vulnerability (whether a patch exists or not). Many simply download files or 'execute' ActiveX from untrusted sources, and have a blind faith in their antivirus application (which, sometimes, is not even updated) as if it would be able to protect them from EVERYTHING they do.

    I saw this a lot of times: people receive an e-mail with an executable attachment, and they blindly think "hey, the antivirus didn't catch it, so it must be safe". Same for browsing: sure, there the Coolwebsearch trojans are always up front when it comes to exploiting vulnerabilities, but that's just one side of it: I'm pretty sure more people are infected through social engineering than through exploits.
     
    Last edited: Mar 9, 2006
  14. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    No problem; in fact the discussion with TNT is following the intent of my thread. It was naive of me to expect raw quantitative assessments of likelihood anyway.

    I suspect TNT is probably right in that people get nailed more through social engineering than through vulnerabilities (known or unknown), probably because there are more (stupid) ways to infect yourself than there are vulnerabilities out there.

    On the other hand, I think TNT underestimates numbers of people who are nailed by vulnerabilities (known ones). Though they tend to be one off stuff that occurs not so regularly. Besides if you are smart enough to avoid problems above, the next likely factor is this one.

    But when it comes down to unknown vulnerabilities, I think it becomes pretty much a non-factor, and even if it was pretty high risk, I doubt AVs could save your ass anyway.
     