Discussion on:

83 Comments
7 Votes
A few thoughts:
If the originator of the software/hardware is working with an entity, such as a government (especially if the software is closed source) then we don't have any real security, only a trust with the originator of the software/hardware.
Assuming we can trust the originator and the process of delivering the software unchanged to the end user, it seems we need a better engineered OS so that we have layers of protection with the kernel being invulnerable to basic application malware. That is, application malware could get on a system but not take it over the core system.
It can be frustrating; for everything of beauty that mankind creates, mankind also creates the destruction of it.
1 Vote
Contributr
As I get older, I see more and more of what you described in your last sentence. My worry is that the Internet as we know it is on that list.
7 Votes
Well, I abandoned the corporate aviation business at the pinnacle of its golden age; it looks like the personal computer biz has reached that turning point now that the big bucks are being thrown at the dark side of the equation.

Maybe I'll give pet-sitting a try. The critters seem to like me...
2 Votes
Contributr
The classic struggle continues. And in the movies, good always prevails.
Whitelisting is all well and good for corporates (or rather, it's hard enough to make work for a corporate environment), but for private people it's a no go. It defeats the very purpose of owning a computer: exploring, sampling new things.
Behavioral blocking of course has the downside of being so complex that one has to simply blindly trust that it performs as required (whereas a whitelist is dirt simple).

In the end, the only solution to government malware is to ban the government.
11 Votes
Top Rated
ok, done...
pgit 7th Aug Top Rated
what's next? happy

"In the end, the only solution to government malware is to ban the government."
4 Votes
Contributr
You have more power than I thought.
What I'm really curious about is your solution. Dare I ask how you would approach that?
I don't think we have any other means for that than this "crowdsourcing"... but as can be seen from around the world, it can be pretty effective. Of course, putting away the government and having it stay gone is not the same. One quick exploration of that theme can be found by googling "Boulet rise of the geek" wink

Potentially, heuristics could hit either a wall, beyond which it cannot develop, turning it into a dead end, or a breakthrough, after which it will know for a fact all that a program can and will and might do. At some point it might be a constant companion in the form of a CPU-level hypervisor, looking us over the shoulder, and looking over the shoulder of all the code as well. We'll be sitting in a sandbox ourselves, then, as befits the proteges of a digital nanny.
1 Vote
Contributr
I asked about heuristics, and the big issue is false positives. There is also the constant tweaking of the algorithms to account for new and different malware, so using heuristics in a sense is reactive not proactive.
It may be that heuristics grinds to a halt, unable to keep up, so providing only a temporary reprieve.
It may also be that heuristics will have a breakthrough (potentially when all OSes are virtualized and the heuristics is being run from outside it, straight from the bare metal) so that all present forms of malware will die out.
What if heuristics is sometime able to pull info on the latest weaknesses in our software and hardware and then add all those exploits to its blacklist? What if heuristics will sometime be able to detect, say, a buffer overflow or remote code execution as it happens and kill the apps involved (automatically filing a report with relevant parties in the process)?
What if heuristics will someday be able to communicate through the cloud to the software manufacturers about its concerns? Developers will hear "There is a concern that PART X of your application is executed in an unsafe way, please consider changing it".
All sorts of things can be created.
The problem with whitelists is that unless they include hashes and checksums (which they could, even automatically updating them [but that opens a new weakness]), it's not so hard to guess what applications an organization relies on (even if one can't just ask an employee - which one usually can).
So there's no chance of whitelisting providing a breakthrough, and the possibility of whitelisting hitting a wall is just as huge as that of heuristics (conceptually).
0 Votes
Contributr
You make sense. And since I am no expert, I will let others rebut.
White-listing and heuristics.
2 Votes
Michael, great article as always. I recommend (in addition to definitions-based anti-virus) ThreatFire. It's a free behavioral analysis tool that watches what is going on with your PC. For example, if it sees the email port is in use but the email application is closed, it investigates and finds the app that is using it.

I also recommend Comodo Anti-virus as it has its own sandbox you can run new programs in to test if they are infected or not.

I've been a fan of F-Secure products since 2005 as well.
1 Vote
Contributr
I will check those apps out.
1 Vote
TNT is right!...
JCitizen Updated - 7th Aug
Although I haven't tested ThreatFire, I recommend it and the Defense+ portion of Comodo, which is constantly improving. You only need the firewall for this, but I can't attest to the full suite.

As I posted in your last article (I think), Emsisoft's Mamutu already has a reputation for foiling the German government's spyware. At least this puts it in the news. I was impressed with the ability of Mamutu to find all of my hidden DRM spies in 5 seconds, after installation!!! I was never able to find them before, so that I could tech problems with protected content under IAA rules.

Unfortunately it is a paid solution, so I recommend a combo of WinPatrol, Comodo firewall with Defense+, and ThreatFire. Even if you get into a fight with some really heavy hitters, with these solutions, and lose your computer, you will at least foil the mission of the criminals. I must say though, that the small number of clients I have, who are targets of government, or international industrial espionage, have had to give up on their PCs. The only next step for many of them is to graduate to high assurance hardware/software; and this is prohibitive in cost to many of them. One of them is luckily getting by with an old Mac using RISC (or the old Motorola) CPU architecture. Apparently they haven't been coding for that yet. There are also the solutions that operate in an infected environment, like KeyScrambler, Rapport, and LastPass. We need more thinking along these lines, if we are ever going to get a handle on this!

And there is always the LiveCD Puppy Linux solution - preferably run from an old PC with no firmware in the DVD device, and a fresh reflashed BIOS - no PCI cards. Doesn't hurt to keep this PC totally isolated inside the LAN with a KVM switch.

Bear in mind that these attackers are so sophisticated that they have no trouble using your cell phone as a skip pad to attack your LAN and PC devices. One client I knew lost his Mac (Intel based) during this kind of assault!
1 Vote
Moderator
Nope, just about as far from it as you can get, so there may already be something out there like what I'm going to describe and I just don't know it.

At a corporate level, is there something that would take a baseline of a system, and periodically compare that baseline to the current state? Then if you added an approved software, or installed an approved update, a new baseline is taken?

Of course, that wouldn't necessarily help with Flame, since it had a Microsoft certificate, it probably came through approved channels.
0 Votes
Contributr
What you describe sounds like something I have run across and written about, but right now it escapes me.
4 Votes
Moderator
I knew that sounded familiar.
GSG Updated - 7th Aug
Thanks!

Where we've gotten malware is that we have a medical system that the vendor says does not support AV of any kind. My response after about a minute of silence was, "You're joking, right?" They weren't. They said that it was a closed system and there's no way it could get any type of malware or pass one on. It's on our network, so yes, it's possible. We got a nasty infection, and it was traced back to this system, and straight back to tech support at the vendor. The tech support fellow had an infection and when he connected, he passed it on.

I told them that they infected us, and we were going to use our AV, like it or not.
0 Votes
Contributr
I am curious if you determined what piece of malware it was? It hopped over the Internet?
3 Votes
Moderator
Conficker
GSG 8th Aug
The way they connect is odd, even for healthcare. They have a client that is installed on the workstation, and they log into a client on their end and connect directly to that workstation. They don't go through the usual VPN tunnel. The tech uploaded several files from his workstation and that's how Trend Micro believes he passed the infection to us.

I much prefer the vendors who have no connectivity unless they set up a WebEx and I share my desktop to them. That allows me to see exactly what they are doing, and is also an excellent learning opportunity for me. They also don't have any admin passwords. Yes, I'm tied to my desk for the duration, but I enter the passwords and have control over what they do and see.
1 Vote
Contributr
I just realized what an attack vector that would be, trusted access and all.
Yet Linux has whitelisting for all packages almost anyone would likely want by default, with strong cryptographic protections. You can take a risk with the latest unsanctioned packages if you wish, though you'll need to do a little more than download and click.

It's not just military; it has been well known for years and years that anyone can recompile an existing virus to avoid antivirus scanners, which is what heuristics attempt to combat.

Linux/Unix has had tripwire-type systems which notify you of any baseline changes for years. Useful on more static secure systems like OpenBSD, but does nothing for changes in memory until a reboot. Linux raises the bar for memory-invading exploits by offering fast system-wide updates too.

An easy-to-look-after version of Linux may be far from infallible, but it's right to raise the security bar above **** poor.
0 Votes
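The baseline-and-compare idea raised earlier in the thread (take a baseline of a system, periodically diff the current state against it, and take a new baseline after an approved install or update) and the tripwire-type checks mentioned in the post above can be sketched as follows. This is an added example, not code from Tripwire or from any poster; the directory tree, file names and baseline store it uses are constructed for the demonstration.

```python
"""Minimal file-integrity baseline check (constructed example, not a real product).

Records a SHA-256 digest per file under a root directory, then reports what has
changed since the saved baseline. Running take_baseline() again after an approved
install or update is the "new baseline" step described in the thread.
"""
import hashlib
import json
from pathlib import Path


def hash_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map each regular file (as a POSIX path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()  # skip links so they can't redirect the hash
    }


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline as JSON.

    In practice the store must live off-box or on read-only media: an attacker
    who can rewrite it can simply re-baseline their own changes.
    """
    Path(store).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(Path(store).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return the added, removed and modified paths relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def check(root: Path, store: Path) -> dict:
    """One scheduled run: rehash the tree and diff it against the stored baseline."""
    return compare(load_baseline(store), take_baseline(root))
```

As the post above notes, a file-level baseline only sees on-disk changes; memory-resident or firmware-level tampering needs other controls.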
who are under attack and using Linux are a fail. I think the main problem is they are using a writable drive; if you could lock that drive (or use a LiveCD), then that would be a good short term solution.

Encryption can help of course, but some attackers' goal is to simply destroy your business, and they can do that despite encrypted drives.
embedding the malware in system device firmware, reload to memory after the whitelist.
Whitelist circumvented...

Electronic warfare is a school of measure and counter; you can keep adding C's and one more C always remains.
0 Votes
Contributr
All the experts said that historically the bad guys have always found a way to circumvent any roadblock.
I would like to reply to Michael Kassner's assertion that Malwarebytes is an effective program to find malware on a computer. I had Malwarebytes and Microsoft Security Essentials installed, but that DID NOT prevent a whole slew of malware and viruses from infecting my computer and creating havoc. I discovered the extent of the infection when I downloaded and installed Advanced System Care with Antivirus 2013 and ran a full scan. There were 9,798 pieces of malware on my computer! I feel this program saved my computer from the trash heap, because I was considering buying another one because mine was so messed up. I had tried to fix it numerous times, without success. I will NEVER use Malwarebytes again.
But, it wasn't my assertion.
0 Votes
I'm pretty sure CJames' post was /Sarcasm Mode: ON. wink

I was impressed by this one program. It said that 7 people were trying to hack my computer, in REAL TIME! And I wasn't even plugged into a network! *Laugh*
0 Votes
Contributr
You have good experiences with MBAM?
6 Votes
Advanced System Care?
JCitizen Updated - 7th Aug
Ahem! They (IObit) are in court for stealing source code from Malwarebytes!! You gonna trust that Chinese company with your intellectual property? Good luck!

You can't have a proper defense without a blended one - no one solution is going to save you, and against the threats featured in this article, probably none will save you. Only new or different hardware, or a very severe drive lock program like Drive Vaccine will even come close.
I advised against ASC from its inception, due to the utter lack of transparency at the company. I have no idea if they were honest and sincere in their endeavors, and that's the point. When someone is totally reshuffling the operating system I do not give them the benefit of the doubt.

That they were based in China was the factor that made me comfortable with the decision to not use ASC and to recommend against it.

I didn't know they were sued by Malwarebytes. The latter is a great bunch of folks who make an excellent, and to my eyes trustworthy, product.
Because otherwise MBAM is just an on-demand scanner.
Also, no program is going to defend you from your own behavior, nor will any program help you if it is not updated.
And of course, detecting oodles of malware is usually the mark of a fake AV scam.
1 Vote
MBAM rules...
JCitizen Updated - 8th Aug
Just having the unpaid version already installed goes a long way. One severely hobbled machine I worked on had all kinds of functions blocked by infections. Once I booted to safe mode and ran MBAM, a rootkit and all kinds of malware came out of the woodwork. SAS flushed out even more and really set off a backdoor that blocked any startup attempt. It took a further nuking of the drive from space with Avast and Kaspersky Rescue 10 to flush the rest out. Of course you really have to wipe and reinstall after such episodes, but I like learning how to fight the bugs!

After a wipe/reinstall, an Avast scan nuked what was left of the malware in the backup folder. He's been running fine since.
0 Votes
Contributr
You have added a lot of value to the discussion.
0 Votes
thin computing
Alex Gerulaitis Updated - 7th Aug
Is there a reason thin computing is not mentioned as a panacea against military-grade viruses? If your apps reside on a server (local or cloud) and your "modify" permissions only apply to data sets (but never executables), what are the chances of a contagious infection?

Sure, "pro" grade video editing and similar apps still need to be locally installed (although that is already changing) - yet what is the percentage of devices out there that need locally installed apps?
They say timing is everything. Woz went on the record recently saying the cloud is a bad idea. And, it just so happens Apple's iCloud just had a major attack:

http://blogs.computerworld.com/security/20793/woz-says-cloud-horrendous-wired-reporters-icloud-gets-hacks-hard
if you've just handed them your entire house.
0 Votes
Contributr
The ultimate con, getting the victim to help.
Seems like we are talking about different issues.

Regardless of Woz' opinions and incidental hacks, what are real world security assessments of thin computing vs. a system with locally installed apps that have admin privileges?

I think that's the real question.

If there are any (security) benefits to thin computing, then thin computing is a viable alternative to local anti-virus protection, and should be presented as such.

Sure, the cloud is not bulletproof. I never said it was. Still, do you keep your money stashed under the mattress (i.e. local admin access), or put it in the bank ($cloud)?
2 Votes
Moderator
Is you have no idea who else is using that Cloud Provider and it only needs one person who is being tracked by a Government Department to use that Cloud Service to cause it to be attacked and suffer. It would incidentally mean that everyone who uses that Cloud Provider is also being scanned.

While in theory the Cloud is more secure, as it has a single point of attack and doesn't require thousands or millions of Local AV Products with Live Protection, only the one, it also means that when it is Infected it affects the Thousands or Millions and as such is a Juicier Target for the Bad Guys to attack.

Personally I see the Cloud as a Security Problem that makes things worse not better. wink

Col
0 Votes
This is a very substantial approach, HAL 9000, and totally unbiased. happy

You may see what you want; however, only after we gather significant statistics for security breaches vs. usage, with major cloud SaaS providers and all local access, then perhaps we can talk security. Until then it's all smoke and mirrors and personal biases.

My point remains: is thin computing a possibility as a security mechanism? If so, why wasn't it mentioned or assessed in the article about security?
0 Votes
Contributr
Thin computing is something to consider, but as one with clients who used it when it was popular, I remember it having a whole different set of issues that were far worse than where we are today.
0 Votes
What's thin? The whole thing, or just the apps?
Where is the data?
Are we only concerned with local execution, or do we also have to consider the security of transmissions?

I mean, if local execution is all we're concerned about, then obviously thin computing is GREAT... but the point about the size of the target is true. There is no guarantee that the widespread deployment of thin computing won't simply shift the malicious efforts to focus on the servers instead. And then the harm caused by a single failure will be so much greater that it might even out the increased rarity of failures.
1 Vote
Contributr
To the issues I was referring to. The bad guys would prefer thin-client computing, in the same way they prefer cloud computing -- one-stop shopping.
-2 Votes
> but the point about the size of the target is true

Of course it is. Yet consolidation is always a resource-saver: consolidated targets are always easier to protect unless they are disposable. (Yet where data is concerned, nothing is disposable.)

Distributed data centers - do they consist of a gazillion easy-to-breach small sites, or of a smaller number of larger and harder-to-breach ones? Why do you think that is?

Of course personal computing is not fully ready for thin computing - I just really don't get this resistance:

"20 years ago thin computing was bullcrap"
"Woz said that security-wise, cloud computing is bullcrap"
"I personally think cloud computing is bullcrap"
"Apple iCloud just got hacked!"

Nice! Clearly a host of scientific evidence points to a pile of bullcrap... happy
1 Vote
Contributr
Well Alex, you must be a younger professional. Cloud computing is nothing new. Historically it appears that we are on yet another cycle like neck-tie size. Single point of failure was given as the reason to switch to the PC originally.
0 Votes
Large targets are always harder to defend, and easier to take out... because, if you had read the article, you'd know that there is no defense against a military onslaught; only damage control.
A cloud provider must have many entry points... that's what their business is about after all.
They also can't very well limit what apps their clients run, since that is also what their business is about.

On your local network, the machines only have the means of linking up that you provide them with... even military malware cannot create network capability where there is none. That's the final line of defense, pull the router, and with a cloud solution you don't have that.
And on a cloud solution, someone can actually take over your data without even moving it off site.
"Large targets are always harder to defend"

Oh sure, which is why the marines are asked to spread out and sleep outside the FOB rather than inside of it.