7 Votes
A few thoughts:
If the originator of the software/hardware is working with an entity, such as a government (especially if the software is closed source) then we don't have any real security, only a trust with the originator of the software/hardware.
Assuming we can trust the originator and the process of delivering the software unchanged to the end user, it seems we need a better engineered OS so that we have layers of protection with the kernel being invulnerable to basic application malware. That is, application malware could get on a system but not take it over the core system.
It can be frustrating; for everything of beauty that mankind creates, mankind also creates the destruction of it.
1 Vote
Contributr
As I get older, I see more and more of what you described in your last sentence. My worry is that the Internet as we know it is on that list.
7 Votes
Well, I abandoned the corporate aviation business at the pinnacle of its golden age; it looks like the personal computer biz has reached that turning point now that the big bucks are being thrown at the dark side of the equation.

Maybe I'll give pet-sitting a try. The critters seem to like me...
2 Votes
Contributr
The classic struggle continues. And in the movies, good always prevails.
Whitelisting is all well and good for corporates (or rather, it's hard enough to make work for a corporate environment), but for private people it's a no go. It defeats the very purpose of owning a computer: exploring, sampling new things.
Behavioral blocking of course has the downside of being so complex that one has to simply blindly trust that it performs as required (whereas a whitelist is dirt simple).

In the end, the only solution to government malware is to ban the government.
11 Votes
Top Rated
ok, done...
pgit 7th Aug Top Rated
what's next?

"In the end, the only solution to government malware is to ban the government."
4 Votes
Contributr
You have more power than I thought.
What I'm really curious about is your solution. Dare I ask how you would approach that?
I don't think we have any other means for that than this "crowdsourcing"... but as can be seen from around the world, it can be pretty effective. Of course, putting away the government and having it stay gone is not the same. One quick exploration of that theme can be found by googling "Boulet rise of the geek".

Potentially, heuristics could hit either a wall, beyond which it cannot develop, turning it into a dead end, or a breakthrough, after which it will know for a fact all that a program can and will and might do. At some point it might be a constant companion in the form of a CPU-level hypervisor, looking us over the shoulder, and looking over the shoulder of all the code as well. We'll be sitting in a sandbox ourselves, then, as befits the proteges of a digital nanny.
1 Vote
Contributr
I asked about heuristics, and the big issue is false positives. There is also the constant tweaking of the algorithms to account for new and different malware, so using heuristics in a sense is reactive not proactive.
It may be that heuristics grinds to a halt, unable to keep up, so providing only a temporary reprieve.
It may also be that heuristics will have a breakthrough (potentially when all OSes are virtualized and the heuristics is being run from outside it, straight from the bare metal) so that all present forms of malware will die out.
What if heuristics is sometime able to pull info on the latest weaknesses in our software and hardware and then add all those exploits to its blacklist? What if heuristics will sometime be able to detect, say, a buffer overflow or remote code execution as it happens and kill the apps involved (automatically filing a report with relevant parties in the process)?
What if heuristics will someday be able to communicate through the cloud to the software manufacturers about its concerns? Developers will hear "There is a concern that PART X of your application is executed in an unsafe way, please consider changing it".
All sorts of things can be created.
The problem with whitelists is that unless they include hashes and checksums (which they could, even automatically updating them [but that opens a new weakness]), it's not so hard to guess what applications an organization relies on (even if one can't just ask an employee - which one usually can).
So there's no chance of whitelisting providing a breakthrough, and the possibility of whitelisting hitting a wall is just as huge as that of heuristics (conceptually).
0 Votes
Contributr
You make sense. And since I am no expert, I will let others rebut.
White-listing and heuristics.
2 Votes
Michael, great article as always. I recommend (in addition to definitions-based anti-virus) ThreatFire. It's a free behavioral analysis tool that watches what is going on with your PC. For example, if it sees the email port is in use but the email application is closed, it investigates and finds the app that is using it.

I also recommend Comodo Anti-virus as it has its own sandbox you can run new programs in to test if they are infected or not.

I've been a fan of F-Secure products since 2005 as well.
1 Vote
Contributr
I will check those apps out.
1 Vote
TNT is right!...
JCitizen Updated - 7th Aug
Although I haven't tested Threatfire, I recommend it and the Defense+ portion of Comodo which is constantly improving. You only need the firewall for this, but I can't attest to the full suite.

As I posted in your last article (I think), Emsisoft's Mamutu already has a reputation for foiling the German government's spyware. At least this puts it in the news. I was impressed with the ability of Mamutu to find all of my hidden DRM spies in 5 seconds, after installation!!! I was never able to find them before, so that I could tech problems with protected content under IAA rules.

Unfortunately it is a paid solution, so I recommend a combo of Winpatrol, Comodo firewall with Defense+, and Threatfire. Even if you get into a fight with some really heavy hitters, with these solutions, and lose your computer, you will at least foil the mission of the criminals. I must say though, that the small number of clients I have, who are targets of government, or international industrial espionage, have had to give up on their PCs. The only next step for many of them is to graduate to high assurance hardware/software; and this is prohibitive in cost to many of them. One of them is luckily getting by with an old Mac using RISC (or the old Motorola) CPU architecture. Apparently they haven't been coding for that yet. There are also the solutions that operate in an infected environment, like Keyscrambler, Rapport, and LastPass. We need more thinking along these lines, if we are ever going to get a handle on this!

And there is always the LiveCD Puppy Linux solution - preferably run from an old PC with no firmware in the DVD device, and a freshly reflashed BIOS - no PCI cards. Doesn't hurt to keep this PC totally isolated inside the LAN with a KVM switch.

Bear in mind that these attackers are so sophisticated that they have no trouble using your cell phone as a skip pad to attack your LAN and PC devices. One client I knew lost his Mac (Intel based) during this kind of assault!
1 Vote
Moderator
Nope, just about as far from it as you can get, so there may already be something out there like what I'm going to describe and I just don't know it.

At a corporate level, is there something that would take a baseline of a system, and periodically compare that baseline to the current state? Then if you added an approved software, or installed an approved update, a new baseline is taken?

Of course, that wouldn't necessarily help with Flame, since it had a Microsoft certificate, it probably came through approved channels.
0 Votes
Contributr
What you describe sounds like something I have run across and written about, but right now it escapes me.
4 Votes
Moderator
I knew that sounded familiar
GSG Updated - 7th Aug
Thanks!

Where we've gotten malware is that we have a medical system that the vendor says does not support AV of any kind. My response after about a minute of silence was, "You're joking, right?" They weren't. They said that it was a closed system and there's no way it could get any type of malware or pass one on. It's on our network, so yes, it's possible. We got a nasty infection, and it was traced back to this system, and straight back to tech support at the vendor. The tech support fellow had an infection and when he connected, he passed it on.

I told them that they infected us, and we were going to use our AV, like it or not.
0 Votes
Contributr
I am curious if you determined what piece of malware it was? It hopped over the Internet?
3 Votes
Moderator
Conficker
GSG 8th Aug
The way they connect is odd, even for healthcare. They have a client that is installed on the workstation, and they log into a client on their end and connect directly to that workstation. They don't go through the usual VPN tunnel. The tech uploaded several files from his workstation and that's how Trend Micro believes he passed the infection to us.

I much prefer the vendors who have no connectivity unless they set up a webex and I share my desktop to them. That allows me to see exactly what they are doing, and is also an excellent learning opportunity for me. They also don't have any admin passwords. Yes, I'm tied to my desk for the duration, but I enter the passwords and have control over what they do and see.
1 Vote
Contributr
I just realized what an attack vector that would be, trusted access and all.
Yet Linux has whitelisting for all packages almost anyone would likely want by default with strong cryptographic protections. You can take a risk with the latest unsanctioned packages if you wish though but you'll need to do a little more than download and click.

It's not just military, it has been well known for years and years that anyone can recompile an existing virus to avoid Antivirus scanners which is what heuristics attempt to combat.

Linux/Unix has had tripwire type systems which notify you of any baseline changes for years. Useful on more static secure systems like OpenBSD but does nothing for changes in memory until a reboot. Linux raises the bar for memory invading exploits by offering fast system wide updates too.

An easy to look after version of Linux may be far from infallible but it's right to raise the security bar above **** poor.
0 Votes
who are under attack and using Linux are a fail. I think the main problem is they are using a writable drive; if you could lock that drive (or use a LiveCD), then that would be a good short term solution.
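The baseline-and-compare tool the Moderator asked about above, and the "tripwire type systems" the later post mentions, both come down to hashing every file, storing the snapshot, and diffing it later. The following is an added example, not code from the thread or from any product named in it; it assumes SHA-256 is an acceptable digest and that the stored baseline is kept somewhere the monitored host cannot quietly rewrite it.

```python
"""Minimal tripwire-style file baseline: snapshot, persist, compare (added example)."""
import hashlib
import json
import os
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Map every regular file under root (relative path) to hash, size and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope for this example
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission bits: a chmod is a change too
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the snapshot; store it outside the monitored tree, ideally read-only or off-host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)
```

After an approved install or update, re-run `take_baseline` and save the result as the new reference; anything reported by `compare` in between is either an approved change you forgot to re-baseline or something to investigate. Note that, as the later post points out, this only sees the disk: an in-memory compromise leaves no trace here until it writes something.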

Encryption can help of course, but some attackers' goal is to simply destroy your business, and they can do that despite encrypted drives.