What is the risk of stolen certificates

Discussion in 'other anti-virus software' started by Kees1958, Oct 30, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    We all have heard about stuxnet and zeus using stolen or copied digital signatures. So how does it affect users like me who have set UAC to elevate silently?

    I have a deny install for non signed drivers and deny elevate to high rights of non-signed drivers.

    Because microsoft treats invalid signatures as unsigned programs copying of digital signatures like the Zeus malware on mobile systems, does not have a chance with my (safe-admin) setup.

    Stuxnet attack which had both a signed program and driver signing stolen would have owned my system when: I had deblocked to NW explicite ACE and the 1806 ADS deny execute bit.

    So I could only be infected when I had fallen for some sort of social engineering.

    An Antivirus would not have helped when I had the bad luck of being one of the first to run into these malware samples. But after a delay most AV companies would have provided protection.

    Please don't say I should have used Sandboxie or simular. Safe-Admin would only fail due to social engineering. Sandboxie does not help you against social engineering. An Hips would have fallen also, because it was me who would have allowed the pop-up. Only blacklist solutions help you with this.

    So this mini analysis shows, I was a bit to optimistic going naked (no real time AV). On the other hand the combo of 'selective new entrants deny all' (for low to medium) and 'allow for signed only' (for medium to high) goes down only for social engineering with stolen certificates. Safe Admin would have been as strong and as weak as any virtialisation or classic HIPS against social engineering.

    So analysis is a bit disappointing, on the same time it shows it as strong as the champs in Wilders Forum community.

    What do Wilders members think:
    a) Stolen certificates are a real danger of becoming a new theatcategory?

    B) BEsides whitelisting of signed certificates, a new blacklist category will evolve, being blacklisted certificates?

    c) Will this the threat be the issue that boost cloud AV's time advantage ?

    Please enter your 2 cents of though

    Regards Kees
     
    Last edited: Oct 30, 2010
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I'd agree. But, I'd personally use something else rather than those cloud AVs. To use a cloud AV, I'd use ClearCloud DNS (which I do) or Norton DNS, and who knows AVG Identity Protection, which seems to be doing a damn great work fighting malware.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Cloud DNS (keeping away from risky area's) is something I had fully forgotten as a prevention. :thumb: good point. We are on Sunbelt Cloud DNS, would it have helped?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not, if Sunbelt team hasn't xyz domain spotted as being distributing malware, like Zeus or Stuxnet.

    But, then again, maybe either wouldn't Prevx. That's why I'd rather bet on AVG Identity Protection (the one part of AVG AV Free, which you can use as being the only component installed and active, apart from the crappy pc analyzer one.), which clearly has been greatly improved since acquired from SANA Security.

    -Edit-

    Microsoft Security Essentials also has the following:

    Source: http://www.microsoft.com/security_essentials/privacy.aspx?mkt=en-us
     
    Last edited: Oct 30, 2010
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    MS supposedly has it but no one has ever seen it in action.
     
  6. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    My 2 cents and two different opinions:

    1. Opinion 1 - compromised certificates/private keys will eventually become a significant problem, being utilised by high revenue generating malware such as Zeus. The security most companies have around their private keys is very poor - an accident waiting to happen. Just ask the HSM vendors, who have been saying this for years.

    2. Opinion 2 - On the other hand, newer malware such as the Carberp banking trojan doesn't need a certificate to do it's business, and can infect non-admin users also. So perhaps this will be the infection process of choice for newer malware rather than going to the pain and expense of stealing certificates and private keys.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As Kees1958 mentioned, SAFE-Admin would take care of that. Only with social engineering attacks one would be infected. (By the way, SAFE-Admin principle does not only apply to Administrator accounts; also applies to standard user accounts like peaches.)

    So, the same scenario would apply here: social engineering attacks.

    That's why users still need a backup security, and it could be SRP/AppLocker, third-party DNS providers, like Sunbelt or Norton, the web browser own protection mechanisms (IE = SmartScreen; Google Chrome/Chromium = Google Safebrowsing; Opera recently partnered with AVG; Firefox also has Google Safebrowsing), etc.

    There are a great deal of combinations, and most will be very light on resources.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, I don't understand why so many banks have such bad on-line banking security mechanisms. In the Netherlands we had the Postbank sending passwords through GSM which had a one time validity. Luckily the brand was killed in the Netherlands and now it is replaced by the temporary token generated PPK system. You need one PPK for entrance and one to four PPK for transaction confirmation (on which the total amount is part of the code hash-ing). So when you have a safe tunnel copying the data is useless for later theft.

    So MSE does has some fancy certificate check. Could anyone elaborate further?
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    How exactly does Safe Admin take care of the installation of valid signed drivers (based on stolen certs)? Sorry, I'm not sure I understand your statement.

    As for social engineering, even the smartest people fall for that. Anyone who believes they would never fall for it is kidding themselves. A security model that works for everything except social engineering is not a strong security model in my opinion. As you say, users still need backups and there are plenty of choices available.
     
  10. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    If you'd ever worked for a bank you'd understand! That's why Trusteer has been so successful: "Hey guys, you don't have to change anything, just hand the problem over to us (Trusteer)".
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sorry, I ended up quoting all your post. My comment was meant for the 2nd part of your post

    How exactly would I fall for a social engineering attack? There's only one way my system can become infected: browser. Everything that could be downloaded through the browser goes straight to a folder with low rights and no execution rights, etc.
    This leaves social engineering. Why would I fall for something telling, for example, I need to install Flash Player? I know I have it, and if for some reason I get such an alert, then I uninstall and reinstall Flash Player, if it happens certain contents I know to be safe don't work either.

    The same for pdf reader request, etc.

    Email? I use browser to check emails. I have a different browser profile just for it. Only access to the e-mail service domain is allowed. Everything I get in e-mail, which I do open and read, come from institutions I request information from, and therefore expecting such information. If I download some content, then it is seen a very restricted environment, and even isolated from the rest of the system.

    I watch youtube videos also in dedicated web browser profile, and only access to youtube domain is allowed.

    Most of my browsing is done in a very restricted profile, which takes care of most infection attacks, like drive-by downloads, exploits.

    SAFE-Admin is a great principle, but not the 100% solution against all. Even 1% of a bad situation, is a lot.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Fake/Stolen certs.

    I forsaw this as a potential problem several years ago, but even IT etc people said it could NOT happen :p Well it has, and i fully expect to see more of them from now on.

    It's one thing talking about the way some of us are set up, and another when it's the mass population out there who are not. In the main it's them that will be taken in by such things, and are, not us.

    The bad guys have to be always one or more steps ahead, otherwise they wouldn't be able to do what the've done, and continue to. It's not a game anymore, it's BIG business, but crooked !
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And, that is exactly the problem. Most people lack education in what comes to computer security. For them, is just a all fun world (Internet) to play with. They enjoy clicking and installing or run whatever they find amusing, like those free and portable games. End result: infected system.

    For these people, social engineering is just one more attacking vector. And, as long as they don't become aware of all the others, then how on Earth wouldn't they fall for social engineering attacks?

    Now, SAFE-Admin can do a lot for such users, and they don't need to know all the inner stuff about integrity levels, etc.; all it takes is for someone to take the lead and explain on how to use it. If many people are willing to install HIPS, etc to people know nothing about how to answer pop-ups, then for sure SAFE-Admin will be a non-intrusive security for them, and will protect them efficiently, leaving 1% aside: social engineering. Users need to know they can't just install everything a website demands, or give personal information to websites. They also need to a take a closer look at the url addresses; start having as a good practice to know what their banks IPs are and write them down, and use a simple tool to translate the current url to an IP and see if matches; in doubt, contact with the bank, if they don't match. I doubt a bank will change IPs from night to day. Also verify what DNS IPs are set by the ISP and constantly check whether or not they haven't been changed (For these users a strong firewall policy on their own, would be hard, IMO).

    There are simply details that make a heck of a difference. Unfortunately, most people do not wish to learn or don't care at all.
     
  14. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    I think you're being to harsh on yourself.
    Safe-Admin was never meant to be The one layer to rule them all, right?
    Multiple layers will always be necessary and as Safe-Admin is not meant to defeat social engineering, it cannot be judged against it imho.

    a.So far those stolen certificates seem rare, very rare. High impact but scarsely found. So, very real but not (yet) a new category.
    c.Don't think so, a large majority of users is unaware of certificates, never mind stolen ones.
     
Loading...
Thread Status:
Not open for further replies.