Re: cydoor/altnet & others

From: Stefan Kanthak (postmaster_at_1.0.0.127.in-addr.arpa)
Date: 08/09/05

Date: Tue, 9 Aug 2005 21:11:17 +0200

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote:
>
> "Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
> news:ukoCpNEnFHA.320@TK2MSFTNGP09.phx.gbl...
>
> I agreed with much of what you said in your follow-up to my other post.

Fortunately ;-)
 
> > [snake oil]
>
> What's snake oil to you is part of a best effort, defense in depth strategy
> to myself and others. The goal isn't to make the system 100% trustworthy,
> as that doesn't exist. The goal is to gather diagnostic information and
> hopefully make the system more trustworthy.

Right. But as you already said too: these tools might help in the hands of
the savvy user, not necessarily in the hands of the "amateur".

Nobody can make a system 100% trustworthy. But you can make a system (100%)
secure against well known attack vectors: when you don't offer services that
open ports on your internet connection these "active" remote exploits CAN'T
work any more. When you don't run with administrative rights but as restricted
user, %SystemDrive%, %SystemRoot%, %ProgramFiles% and [HKLM] can't be written.
When you activate SAFER you don't give a damn about the malware on your floppy
disks, CD-ROMs, USB- and Firewire-Drives as well as that in your browsers'
caches.
I set the 100% in parentheses because the measures I use and propose here
must not fail. I have to trust them, and I have to trust the platform they
run on. At least the Windows NT TCP/IP stack has no bad security record, the
NTFS and registry permission system too. Only SAFER is too new, but I've not
yet heard of flaws.

> > Sorry, but you can't clean a compromised system with all these "tools".
> > Will they find all backdoors? All modified registry entries and files?
> > For sure? With a rootkit in place?
> > No scanner can guarantee the ABSENCE of malware, and most of them won't
> > even detect the presence of malware.
>
> But that's true of 100% of the systems out there. All of them could have
> rootkits on them.

It depends. Your and my null hypothesis should be and is that a newly set up
system is clean, that it is set up properly and that the user does not do such
silly things as surfing with administrative rights and Active* turned on.

> So there has to be some criteria for deciding when to flatten.

Right. To mention the paper of Jesper again: "if the system is compromised".
And they also tell: "if a bad guy persuades you to run his software, then
the system ain't yours any more".

If only a user profile is compromised: flatten the user profile, there's no
need to rebuild the system, given that the user is a "restricted user".

> I wouldn't recommend the criteria of "my system has spyware on
> it," because probably over 90% of the systems out there have spyware... and
> because Ad-aware will find tons of cookies and simple registry values and
> report that you are seriously infected.

When I'm concerned about my privacy AND detect spyware: compromised!

On the other hand: a fool with a tool is just a fool.
Be it antivirus, Ad-aware or anything else: how shall the novice distinguish
between a (serious) compromise and just an attempt?
A personal firewall throwing a dialog box for every blocked(!) packet is the
best worst example of all!
Ad-aware that reports cookies as spyware ain't better: cookies are part of
HTTP, and all modern browsers can block them.
Programs that still report the empty registry entries of Alexa as "bad" are
crap!

> Also, linking the presence of
> spyware to the possible presence of rootkits is similar to assuming that if
> you have apples, you may also have oranges.

Not completely: I just draw the worst case!

> In real life, a large majority of rootkits are detectable by tools that look
> at the system state, because it's very rare that the attacker successfully
> hides every piece of evidence. It doesn't have to be either / or. Running
> such tools can be a great way, or the only affordable way, to prove that a
> person or enterprise should go through the hassle of flattening.

Correct, IFF the person running these tools is able to interpret their results
properly.

> > So the really effective and in most cases also efficient way is to
> > flatten and rebuild. The rebuild has to be done right to have the
> > holes fixed that gave the attackers the possibility to infect the
> > system.
>
> That's the problem. I think you have to recognize that at least 50% of the
> time here, the rebuild will be done with flaws, or flaws will develop over
> time in the system, or the user will be hit by an unpatched zero-day like
> download.ject, or will otherwise install or fall prey to something that
> doesn't exploit any vulnerabilities at all, like a virus email attachment or
> a WMP file license attack or a credible phishing scam etc., even though
> you've told the OP to be careful of these things. Such training rarely
> lasts a year in most people. Many users and enterprises would have to
> flatten their systems monthly because of this. You could easily bankrupt
> many companies with constant flattening. That's why almost nobody flattens
> a system just because their system has a virus or spyware on it. Most
> systems find viruses and spyware constantly.

Hmmm... in a correctly set up environment, the people are almost always the
weak link.

But let's distinguish between home (including SOHO) and corporate users:

- the first are concerned about their privacy, managing their bank account
  from their PC, but don't give a damn when getting hit by a virus or spyware?!
  Yes, I know some of those people, and I call them morons... at least when
  they ask me what to do and I tell them the right thing[TM] (which is NOT
  always flatten, but "it depends"), but they refuse to draw the consequences
  if they have REALLY been compromised.

  But who's to blame here: Bill Gates saying "information at your fingertips"
  and all the marketers saying "1..2..3..connected", selling an operating
  system that clearly violates the first rule: never run as admin when you
  don't administer?!

- the second should not have to care, because their corporate IT manages
  their systems. It's too sad that many companies let their employees work
  with administrative rights. The corporate IT MUST know better, or they
  should sign in. Oh yes, I hear the argument coming, that the superduper
  mission critical XYZ application needs administrative rights. No, it
  doesn't, it's CRAP, worst CRAP, and its vendor has to be sued for being
  unable to write NT-compliant software, and the people who decided to use
  or even buy this crap have to be fired.

Stefan
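The three conditions Stefan spells out above (no administrative token, the system
locations not writable by the account, SAFER active with a default level other than
Unrestricted, plus no services listening on the internet connection) can be checked
on a Windows box with a short PowerShell script. The script below is an added
example written for this page; it is not part of the original post and not a
Microsoft tool. The function names are my own; the registry path
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the DefaultLevel
values (0x40000 Unrestricted, 0x20000 Basic User, 0 Disallowed) are the documented
SAFER locations. It only reads and probes; nothing is changed on the system.

```powershell
# Added audit script (not from the original post). Run it under the account
# whose setup you want to verify, e.g. the "restricted user" Stefan refers to.
# Function names are my own; the SAFER registry path and DefaultLevel values
# are the documented ones.

function Test-IsAdministrator {
    # True when the current token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-PathWritable {
    param([string]$Path)
    # Probe by creating and immediately deleting a uniquely named empty file.
    $probe = Join-Path $Path ('write-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false   # access denied (or the directory does not exist)
    }
}

function Test-HklmSoftwareWritable {
    # Opening HKLM\SOFTWARE for writing throws SecurityException for a
    # restricted user; nothing is modified either way.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

function Get-SaferDefaultLevel {
    # Reads the machine-wide SAFER (Software Restriction Policies) default level.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -LiteralPath $path)) { return 'not configured' }
    $level = (Get-ItemProperty -LiteralPath $path -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $level) { return 'not configured' }
    switch ($level) {
        0x40000 { return 'Unrestricted' }
        0x20000 { return 'Basic User' }
        0       { return 'Disallowed' }
        default { return ('unknown (0x{0:X})' -f $level) }
    }
}

function Get-ListeningTcpPorts {
    # Parse netstat so this also works on Windows versions without the
    # NetTCPIP module (columns: Proto, Local Address, Foreign Address, State, PID).
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Sort-Object -Unique
}

# Summary: for the setup Stefan describes, every *Writable field and
# RunningAsAdministrator should be False, SaferDefaultLevel should be
# "Disallowed" or "Basic User", and ListeningTcpPorts should be empty
# (or contain only ports that are not reachable from the internet).
[pscustomobject]@{
    RunningAsAdministrator = Test-IsAdministrator
    SystemRootWritable     = Test-PathWritable $env:SystemRoot
    ProgramFilesWritable   = Test-PathWritable $env:ProgramFiles
    HklmSoftwareWritable   = Test-HklmSoftwareWritable
    SaferDefaultLevel      = Get-SaferDefaultLevel
    ListeningTcpPorts      = (Get-ListeningTcpPorts) -join ', '
}
```

Note that the write probes test the effective permissions of the account the
script runs as, which is exactly the point: run it as an administrator and the
Writable fields come back True, run it as a restricted user and they come back
False. The listening-port list tells you what a remote "active" exploit could
talk to at all; which of those ports are exposed on the internet connection
still has to be read off your firewall or NAT configuration.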
