[Shields Up] Computer Security Thread

Samir Duran Duran

Is WPA considered easy to crack yet or what is the goodest encryption these days?

Orca

At this point I think WPA2 is as good as it gets for consumer-grade wireless encryption.

TetraNitroCubane

DEFCON has been underway for a few days now, and a variety of interesting stories have surfaced. I'm not sure how much to stress them, though, as many are just hacker publicity for groups like Lulzsec and Anonymous.

One thing that's caught my eye, though, is an apparently brutal takedown of the Sophos antivirus suite. This was delivered as a presentation, but there's a Google Documents paper on the topic available here. The conclusion of the article is as follows:

Sophos demonstrate considerable naivety in many topics key to the efficacy of their product. Their widespread use of XOR encryption for secrecy, and their poor understanding of rudimentary exploitation concepts like return-to-libc reinforce this.

The promise of antivirus is that users will be less dependent on making good trust decisions. While certainly desirable, Sophos appear ill equipped to keep this promise with their current technology.

The pseudo-scientific terminology used by Sophos to promote their software masks elementary pattern matching techniques. While their attempt at implementing runtime exploit mitigation should be applauded, their failure to understand the subject area resulted in a substandard product far exceeded by existing published solutions.

The analysis is pretty biting, accusing Sophos of using doublespeak and obfuscating language to shield their lack of efficient protections. Even their signature based detections come under fire. The meat of the article is a bit too technical for me to digest fully, but it does seem very thorough. I'm hoping we can see additional in-depth analyses in the future, for other antivirus suites. I'd like to see them all broken down in this manner.

TetraNitroCubane

Nexus of the Internet - Clearing

You stand at the crossroads to the flow of all information. Your current position is very close to the Penny-Arcade forums, but at the edges of your perception you can sense the dark, chaotic forces of the nether-net. You feel you are being watched from the (Shroud) of darkness that encircles the area. A (Pedestal) rests in the center of the clearing. Exits are (N)orth, (S)outh, (G)ames and Technology, and (P)orn.

>Go P

You can't go that way.

>Examine Pedestal

A small, waist-high column stands before you. Atop its flattened apex, there rests a scroll and an sealed container. The scroll details that the container holds within an upgrade for Adobe's Macromedia Flash. The version contained within is 10.3.183.5 - more recent than what you currently have installed.

>Examine Shroud

Suddenly from the darkness, there spring a pair of wild, malicious programs! They attempt to attack you through a very new Flash vulnerability, grabbing you and trying to drag you toward an unknown URL. You must act quickly, or be taken to whatever destination these ruffians have in mind!

>Go G

There's no time for that now!

>Go P

There's REALLY no time for that!

>Get ye Flash

At the last possible moment, you grasp the pedestal, and acquire the upgrade for your Flash plugin. The malicious programs no longer can grasp you - their grip slips away now that the vulnerability in your Flash is closed. They grumble and snort, slinking back into the darkness to leave you alone once more. They size you up as they retreat - You know they'll return once they locate another vulnerability.

For now, you are safe. You have won the day, brave champion of the internet that you are.

>Go P

Orca

:^:

The Internet really is an Adventure, isn't it?

Aeyther

TetraNitroCubane wrote:

Nexus of the Internet - Clearing

:^:

Samir Duran Duran

Is flash just poorly designed or just completely worked over by hackers?

Mr_Rose

Why can't it be both?

(I just discovered an event ticket site that requires flash for taking payments but doesn't even use SSL. I decided I wasn't that interested in going after all…)

Dark Shroud

Samir Duran Duran wrote:

Is flash just poorly designed or just completely worked over by hackers?

The problem is that flash is just so old. People have had years and years to learn to it. So now it has to be dragged forward to meet modern security standards.

This is why I prefer silverlight.

Pellaeon

So I just put a new computer together with windows 7 home premium. On my old xp computer I had CA security suite because it came free with my cable. When I installed CA on my new box I kept having problems with the internet, webpages wouldn't always load, dns problems etc. despite having an existing router that my phone and xbox could connect to without problem, and CA suite was not being very helpful at all. After struggling for a while I turned off the CA firewall and turned on the Windows firewall and hey, suddenly I can connect to my network again and web pages load more than once every three tries.

I get the impression from the op that I would be better off with windows firewall and microsoft security essentials rather than CA. Is there any reason I should try and make CA work or should I just kick it to the curb?

Dark Shroud

With Win7 you'll be fine with MSE & windows firewall.

TetraNitroCubane

Glad to see my attempt at livening up the usual Flash update was well received, and not too terribly corny. Thanks, all!

Dark Shroud wrote:

With Win7 you'll be fine with MSE & windows firewall.

I quite agree on this point. Load yourself up with MSE and the Windows Firewall (I have mine set to 'Public'), and you should be fine. The CA security suite won't be offering you much more than what you'll be getting with those offerings.

As an additional note, however, I will say that NoScript and Flashblocking options for your browser should also be installed. As well as having MalwareBytes AntiMalware on the side.

Further tightening of security is possible, but with these tools installed you'll have a solid baseline of protection.

Jebus314

What's the forum's (read:TNC's) take on software versus hardware firewalls? I have a linksys router providing a hardware firewall, so is a software firewall a waste of time? They're both used for blocking incoming requests right (and outgoing if you're super paranoid)?

Orca

My take is that the hardware firewall will protect you against threats external to your network.

The software firewall is for threats that get brought into your network, because someone plugged in a thumb drive with something nasty on it.

Jebus314

Orca wrote:

My take is that the hardware firewall will protect you against threats external to your network.

The software firewall is for threats that get brought into your network, because someone plugged in a thumb drive with something nasty on it.

It seems like it would take a lot of work to get this to work though. From what I understand you'd have to setup blocking for outgoing requests, as well as specifying what programs can make requests on certain ports. This prevents malware from using any random port to contact home, and it stops it from using common ports like port 80, but it still won't stop it from using a common port (like port 80) if it can trick your software into thinking it's your browser; which seems like it would be very easy to do since your machine is already infected. I am not positive about this though, so I am interested to know if this is how the software firewall would be used, and how hard this would be to setup.

Orca

All of what you talked about is possible, but generally more of a pain than it's worth in my opinion (as I've said elsewhere, I know enough to hurt myself).

If you have some kind of a LAN behind the hardware firewall, then the software firewall is a fine and dandy thing for the reasons I gave. If you don't, then perhaps it is redundant--assuming you have that router setup properly and there are no holes you aren't aware of. Basically it doesn't really hurt you to just use the default windows firewall; it's there already, most applications talk to it easily, and it's easy to configure.

TetraNitroCubane

Pretty much what Orca said is my opinion as well. A hardware firewall is primarily in place to stop and filter inbound traffic to the system. The software firewall does that as well, but also has the ability to control and regulate outbound traffic. If you want to get really, really fine-grained with your control of a software firewall, you can customize it to a much higher degree than a hardware firewall (Though it's not always necessary to do that). Some people really like the power that comes with a software firewall, so as to restrict outbound traffic to their desired specifications. That can get a little complicated. The default Windows firewall, though, is pretty easy to talk to. It'll ask you about new programs, and allow you to block programs through its control panel. I've found it useful for specifically cutting off applications from the net, like for GFWL games when I want to play in offline mode.

There's something else, but I'll put down a big disclaimer that the following is just my personal opinion: If you've been infected, firewalls aren't necessarily going to do much for you. The talked-up advantage of a software firewall is that it can prevent malware from calling home once it infests your system, thus preventing data theft and eavesdropping. But if you get infected (and these days, that most likely means getting rooted) then the firewall isn't likely to know what's going on, can be bypassed, or even controlled by the infection (just as you infer above, Jebus). I don't put much stock in the idea that a firewall will keep you safe after an infection, but I do believe it is a necessary tool for preventing inbound intrusion. Software firewalls are also nice for keeping an eye on grayware that isn't out-and-out malware, but might be doing something you don't want. By that I mean programs that phone-home without your consent or knowledge can be blocked from accessing the net.

Tef

Gday gents, I'm building a PC for a mate who's absolutely technologically illiterate and I'm just chasing some input on the level of security I should set up for him. I originally thought running Securtiy Essentials, Malwarebytes and Comodo would be good enough, but I know he has terrible browsing habits and I'm wondering if it would be worthwhile going with a paid service like BitDefender.

I'm also thinking I should set him up with sandboxie but I just know that's going to be real pain in the arse explaining the implementation of it to him; is it worth the grief running it for him?

I'll also certainly be setting him up an LUA for his day to day browsing, I'm assuming that dropmyrights would be a good fit for him too? I'd like to implement some form of software restriction policy but I think that might be too much of a hassle

TetraNitroCubane

Tef wrote:

Gday gents, I'm building a PC for a mate who's absolutely technologically illiterate and I'm just chasing some input on the level of security I should set up for him. I originally thought running Securtiy Essentials, Malwarebytes and Comodo would be good enough, but I know he has terrible browsing habits and I'm wondering if it would be worthwhile going with a paid service like BitDefender.

I'm also thinking I should set him up with sandboxie but I just know that's going to be real pain in the arse explaining the implementation of it to him; is it worth the grief running it for him?

I'll also certainly be setting him up an LUA for his day to day browsing, I'm assuming that dropmyrights would be a good fit for him too? I'd like to implement some form of software restriction policy but I think that might be too much of a hassle

I'd definitely say that Microsoft Security Essentials and MalwareBytes are good starts. My personal opinion (others may have more detailed understanding than I) is that Comodo isn't going to be adding much to the mix here. Ditto with BitDefender. With MSE and Windows firewall, you've got those bases covered, and the other options are redundant, though potentially useful in a pinch. Looking toward additional, different layers of security is the best idea, as you've indicated.

A Limited User Account is a great idea. If you set one up, you won't need DropMyRights - DropMyRights is designed to allow Administrative users demote programs. If you're already running limited, you're already safe there in privilege regards.

In terms of Sandboxie and/or a Software Restriction Policy - These are the most solid defenses you could add to a system, in my opinion, because they are preventative, rather than reactive. They do come with the highest usability penalty, though. If your buddy is going to be installing a lot of software, you may be fighting an uphill battle. An SRP will keep things safe, but it will make installation of software a hassle that might be difficult for your friend if he struggles with computers. Sandboxie is very transparent if configured appropriately, in my opinion. You can designate specific locations, like a download folder, where files are to be automatically recovered. It's a bit of a security risk to do so, but it can help people who aren't necessarily good with computers. If your friend will be downloading and installing a lot of software, though, social engineering might be the bigger threat.

In the end, sadly, it's mostly dependent upon what your buddy is going to be comfortable with. I tend to be a bad judge of what people can handle, myself. I set some family members up with a Sandboxie install, and it was only a matter of a week before I was getting upset phone calls claiming that "Sandy-box is making Fox-Fire break my printer!"

Tef

Great TNC that's exactly the advice I was after, thanks. I think I might have had a fundamental misunderstanding as to how DropMyRights works. As I've never used it and only done a small amount of research on it, I had interpreted it as software that would let you run selected progams without needing to input admin passwords to boot it and perform actions within it.

I guess the real big point here is to curb his bad browsing habits and general poor PC security. He's learnt from bitter experience that no, in fact he hasn't won a brand new iPod and that a browser based malware scan he didn't initiate did not in fact locate a dangerous virus and need to be installed immediately. I think if I can explain how these kind of things infect your system and be mindful of it, we can put off sandboxie until later down the track.

TetraNitroCubane

Sounds like you're well on the right track. There are programs, by the way, to allow elevation of programs to Admin from a limited account. One in particular is called "SuRun" - But those programs are mostly for windows XP, where such a task was a pain. In Windows 7, the elevate to Admin feature built into the OS is the only way I know of to escalate privileges. I'm yet to find a way to accomplish this that doesn't involve manually entering the credentials each time. I'll look into it a bit more.

And from what you describe, some sort of sandboxing might be ideal for your friend. The nice thing about an SRP or Sandboxie is that, even in the event that he clicks on a malicious banner ad or agrees to install a malicious piece of software, it'll never infect his system - it will either get purged with the sandbox, or else be denied the ability to run. The downside is, of course, him wondering how to install software and/or wondering where his files are. Unfortunately the people most likely to benefit from a sandboxing or virtual machine solution are simultaneously those who have the hardest time using it.

Oh! Also, I'd be sure to install an Ad blocker, a Flash blocker, NoScript, and a browser capable of auto-updating itself. If you take care of the javascript and ad issues in a browser, you reduce the chances of an attack happening in the first place. Even if your friend specifically visits a nasty site, if NoScript is in place there's a chance that an attack can't launch to begin with.

Mace1370

I have a question for all you security buffs. I received two emails today from Microsoft notifying me that Xbox live points had been purchased on my account (4000 points and 1600 points). I haven't turned on my xbox for the last month or two, let alone purchased points. I called Microsoft and they have locked the account and are refunding me.

What worries me is that I assume someone got my xbox live login somehow. I have scanned my computer with Security Essentials, Housecall, and Malwarebyte. None of them found anything. Is it likely that I have a virus/malware that I have not detected? I am a little confused, since the login for my live account is different than pretty much every other account on my computer, and I haven't logged into my live account from my computer for at least 6 months.

Orca

If your password is something easily guessed, it could be that. Or if you've logged into your live account from another, infected computer.

Otherwise, yeah, I'd be worrying about an unknown, unidentified infection.

Mace1370

Orca wrote:

If your password is something easily guessed, it could be that. Or if you've logged into your live account from another, infected computer.

Otherwise, yeah, I'd be worrying about an unknown, unidentified infection.

It isn't something easily guessed. It was the exact same login as my Sony account back when that whole fiasco went down. I changed my Sony stuff, but didn't think about my xbox account. Maybe they got it from there? I dunno, if there was an infection on my PC that could get my live account I'm kind baffled why they would stop there. None of my other accounts were touched. And I haven't logged into my account from any other computer.

Orca

Ooooh yeah. You should consider your Sony info completely compromised at this point, so could well be where they pulled it from.

Dark Shroud

It's not just Sony, several companies have had their databases compromised. Groups like anonymous & lulsec seem to think releasing everyone's info some how hurts the company and not all of us.

You're best off using services like LastPass & Key Pass(sp?).

TetraNitroCubane

Sorry, I'm late to comment here, but Shroud and Orca are right. Password reuse is a big threat these days, because we as end-users are quickly learning we can't trust the companies and services that need our passwords. There have been an astonishingly high number of password/database leaks in recent months due to negligence on the other end of the secure connection. If you're confident that your machine is clean, then one of the recent leaks is likely the culprit. There were people all over Twitter during the Lulzsec storm boasting about XBLA and Paypal accounts they stole thanks to the Lulzsec leaks.

Once someone malicious has an email address and password from you (that they extracted from one of those leaks), they'll likely try the combination to break into your email account, as well as trying other services you're probable to be using (amazon, newegg, XBLA in this case). If they get into your email, they can use recovery options and your inbox history to get control of accounts with different passwords.

Using unique passwords for each site you browse/log into is important because of this. And because that's freaking hard to keep track of, Shroud's suggestion of a password manager is typically regarded as a good one.

khalathas

Hey all, I haven't been around since that TDSS discussion several pages back..but figured I'd best warn everyone about a new threat that makes TDL4 look like a puppy in comparison. It's alternately being called ZAccess, ZeroAccess, and MAX++.

It's a rootkit with INCREDIBLE regeneration capabilities, and has tripwires built in for when it's even detected at all.

Some writeups are:
http://www.eweek.com/c/a/Security/InfoSec-Cracks-Open-ZeroAccess-Rootkit-to-Find-Unique-Features-462289/
http://threatpost.com/en_us/blogs/zeroaccess-rootkit-latest-line-x64-malware-appear-052411
http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms

So far I have not yet found ANY reliable method of cleaning a system with it without damaging or outright destroying the OS. Until further notice, if you detect it, your only option is not just nuking the drive and partition table, but doing a full 0's and 1's sweep to purge even the unallocated space. This rootkit creates a hidden volume on the drive that isn't detectable by any known methods, and only a complete wipe and secure-clean pass (treat it like you're treating a drive with sensitive material before giving the drive away...32 passes with a wiper)...

As far as I can tell, the rootkit cannot easily infect vista/7 machines with windows defender intact, as we've gotten ahold of a live copy of the installer, and on a test machine, ANY attempt to run it has been stopped by windows defender. It seems the security has to be disabled by something else in order for it to slip by, or out of date. Once it's on, it does nothing destructive by itself, but acts as a remote control in order for more malware to be downloaded to the machine and installed past security, or whatever other commands the attacker wishes to issue to it.

So heads up, this one's nasty.

TetraNitroCubane

Holy cripes on toast, khalathas, that looks evil. From what you say, and the comments on the articles you linked, it seems like it's almost impossible to repair the infected system drivers without either damaging them, or some other component becoming compromised. I'm particularly intrigued by this statement from the treatpost link:

"Most interesting of all is when the downloader is run on an x64 system. This results in a dropper specially compiled for x64 systems being downloaded to the victim’s computer. This dropper does not contain a rootkit. It is usermode malware that replicates the behavior of an x32 rootkit except that its components are files and are stored in "$windir\assembly" with similar directory structures. Autorun on x64 systems is provided by the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems”.

The idea of user mode malware having this kind of capacity seems off to me. How could the dropper put anything anywhere sensitive without admin access? I'm not saying it doesn't do that, I'm just baffled. This means that it'd be possible to compromise a LUA, if the vector were launched.

Also, if I'm interpreting this correctly... it creates a hidden partition? One that masquerades as unallocated space to evade reformatting? Pure, uncut evil, right there. I'm not sure how the nasty could launch itself again after a reformat, though. Would the MBR still need to be compromised for the dormant rootkit in the hidden partition to go active?

Thanks much for these links. Very interesting to see how this stuff has evolved even beyond TDL4.

Dark Shroud

Yeah, thanks to the recent hacks I get about 30 spam messages a day now in my spam folder when it used to be 1-2 every few months. I'm just glad I don't use the same pass word on all sites. I have to go through and switch a bunch of my stuff over to LastPass now before anything bad happens.

khalathas

I have no idea what its reactivation capabilities are post-reformat/reinstall...but as long as you don't take steps to nuke that hidden partition with a full drive-wipe utility of some sort...I would not trust it. Amusingly enough, its infection capabilities seem to be fairly weak, since we got ahold of the dropper and actually could NOT get it to infect the test machine...windows defender kept saying "no" and shutting it down. We think it must rely on some other malware as a delivery agent that assists by either sneaking it past active defenses, or shutting them down. Still looking for a cure...still not finding one. Interestingly enough, tdsskiller seems to detect it, but is unable to clean it. At least its a start.

Indica1

Microsoft Security Essentials and MalwareBytes Antimalware are both coming up as corrupt files when I try to install them. Have I fallen victim to some kind of sneaky virus?

Beltaine

Had to format and reinstall a Win 7 system today that was acting crazy.

MSE was installed and possibly running, but there was no system tray icon and no service listed.

I attempted to install our corporate Panda Cloud AV and it kept hiccuping on the install with an "unknown error".

While in the Remove Programs window, uninstallations would just kick off at random for random pieces of installed software. At this point I said fuck it, made a backup of user's files and proceeded with format.

I've had lots of quirky problems with people's machines running Security Essentials lately. I don't know if it's being targeted because it's free or what.

It's making me consider some of the paid software. Maybe the paid software companies are behind it.

Mr_Rose

The biggest problem I think you'll see with MSE is the updates.
Not that they are irregular or anything; rather, some people just don't set up an update schedule, or they tell it to ask them before updating and the pop-up bugs them until they cancel the updates entirely. And the newer the exploit and the older the definitions, the greater the chance of infection...

TetraNitroCubane

Sorry for the silence on my part lately. I've been out of town and away from the internet for more than a few days.

To chime in regarding the corruption of downloaded files on installation, I'd recommend grabbing the installers for MSE and MBAM from a known-clean (or cross-platform) computer and burning them to a disk. Then try to install them on the system in question from that disk. If you're still having issues after that, then I'd recommend trying a Rescue Disk or LiveCD. There are some infections that are vicious when it comes to polymorphic infestation of executables, and they can corrupt quite a bit. Of course, it could also be a hard drive issue. It's hard to say, but I'd at least try getting the files from another source first.

And yes, I do believe that MSE is gaining more and more visibility these days. Just like any antivirus suite, they've gotten big enough that the malware authors are specifically designing their payloads to avoid MSE. This is to be expected for any solution these days, even paid ones. ESET is great, and I love using it, but it's evaded just as much as MSE is according to the reports I've seen. This is why having layers of protection beyond signature-based antivirus is so important: You need antivirus to protect you from the known threats, but it's going to do jack-squat against the new ones.

Fuu

So, I read this thread because it is relevant to my job field, and knowing what to look out for is always nice without having to actually do research on my own, also the first hand accounts help.
After reading about Zaccess, I nearly shat my pants and made sure all my home units were updated and i've been keeping an eye out for when i inevitably run in to it at work. Well... I didn't run in to it at work. I'm sitting here with my uncle's unit running some scans cause he said it was acting screwy. Sure enough, he has Zaccess.

I'm attempting a removal with the following tools, It is probably going to go horribly wrong.

Spoiler:

KAV
Panda
Webroot
Trend
Spyware Doctor
A^2
HJT
and my last resort; DBAN

Has there been any successful removal of this fucker yet? Or is it nuke it from orbit in all instances? Also, is there any way to detect the hidden partition on the drive; possibly using linux?

Fuu

of triple posts

Fuu

Holy mother

TetraNitroCubane

While using a Linux BootCD might allow you to view the hidden partition, this little piece of hell seems to have the deepest tendrils we've yet seen in a rootkit. My strong advice (for what it's worth) would be to nuke from orbit in instances where you've confirmed a ZeroAccess infection. It's going to be less of a headache all around. Be sure to zero the drive, not just reformat.

If khalathas can give you any advice on the matter, it'll be better than my own. He's been poking at it, while I've just been trying my damnedest to avoid it!

Fuu

Yeah, I'm gonna see if i can just verify the existence of the hidden partition, then DBAN the whole HDD. I'm using BART PE to transfer files to an EXT HDD before filling the HDD, if i scan the EXT before plugging it in to another machine, it should be clean right? I'm in a command line environment for the most part, so unless i :welp: and transfer the loader to the EXT I should have nothing to worry about?

I'm terrified of the chance of having to do this to more than 1 computer.