|
doctorfrog posted:Is that the sort of thing where you're vulnerable because you're running a Symantec product? You'd be safer with nothing? You can replace "Symantec" with other vendor names too.
|
#
¿
Apr 29, 2016 19:44
|
|
|
|
| # ¿ May 12, 2024 08:44 |
|
|
co199 posted:Ok, I'm not saying AV makes it cheaper, my question was specifically around securing a large enterprise, without AV, for a "reasonable" price. That's probably too broad of a specification, realistically, but for the sake of conversation we'll let it stand. Please do not engage in doing any sort of IT work, let alone security. AV is far from "reasonable" regardless of how cheap it is.
|
|
#
¿
Apr 30, 2016 00:25
|
|
|
Mustache Ride posted:My company is like that too. We don't apply to any of those regulations and we're at >30,000 endpoints. You are missing the point of why AV is complete crap. Just because you see it as a layer of security does not mean the layer is effective.
|
|
#
¿
Apr 30, 2016 22:06
|
|
|
Paul MaudDib posted:How are you defining effectiveness? Tell me how in a real world situation these would actually achieve more than 40%--I am being fair here because it's really 5%. Tell me why AV cannot catch most ransomware even with up-to-date definitions.
|
|
#
¿
May 1, 2016 02:24
|
|
|
Paul MaudDib posted:Way to beg the question. In the real world, As someone who used to work for an antivirus company, you absolutely have no idea. In your own words, how does antivirus work?
|
|
#
¿
May 1, 2016 05:20
|
|
|
Paul MaudDib posted:Well, signatures look for unique bit-patterns in a file or in memory. For a trivial example, the classic "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" string. Great. What else does a signature do? Does it have to rely on a file or in-memory? quote:Heuristics work by looking for patterns of characteristics and behavior of a process that might be suspicious. For example, a process that isn't signed by a trusted key, was recently installed, is running elevated, and has been a foreground window for less than a second might be a virus. No. quote:Then there's sandboxing, where you set up what looks like a real kernel but actually is a stub run by the AV program, to see whether an executable or process tries touching a file or system resource that it shouldn't. How does the sandbox deal with non-mutable system calls? So far you're not nailing how anti-virus works. Have you ever seen a signature? Or even better, write me a YARA rule that will detect 99.9% of ransomware. I do suggest that you read this thread before you proceed any further on debating here.
|
|
#
¿
May 1, 2016 06:28
|
|
|
Paul MaudDib posted:One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request. Paul MaudDib posted:Top-tier antivirus software (Kaspersky, BitDefender, etc) consistently picks off 99.9%+ of known threats, 95%+ of unknown threats via heuristics, and 98%+ of malicious sites. That's pretty effective in my book. So what is it here? How does anti-virus catch "99.9% of known threats"? You think that multiple rules are piled upon it to come up with an answer? quote:Do you not drive with seatbelts because someone might t-bone you at 80 miles per hour and in that case you'd die anyway? Antivirus picks most of the low-hanging fruit - yeah the NSA is getting in regardless, but you don't have to make it easy for the first script-kiddie who gets a chance at you. I am not taking the NSA into account when I talk about things here; stop being obtuse. So instead of responding in a manner where you act as your ego has been maligned, how about you answer my questions? OSI bean dip posted:Great. What else does a signature do? Does it have to rely on a file or in-memory? If you're so certain about how AV works, answer these or shut up.
|
|
#
¿
May 1, 2016 06:55
|
|
|
invision posted:Infosec Internet Discussions: You forgot to add charlatans somewhere in that list.
|
|
#
¿
May 1, 2016 20:27
|
|
|
Paul MaudDib posted:Why? It's just YOSPOS having some drunken weekend anal leakage. You've got OSI Bean Dip, the Internet Antivirus Expert who once interned at Symantec or something, who just keeps asking someone to explain antivirus to him and who thinks the NSA is going after grandma's cat pictures (the explanation he gave in the thread he linked for why antivirus sucked, after I got past all the "under construction" paragraphs), and a bunch of white noise posters. So why can't you answer the questions I threw at you instead of devolving to throwing insults as if somehow I have maligned you? Surely you know must know more than me so step up here or show yourself out.
|
|
#
¿
May 1, 2016 22:56
|
|
|
Paul MaudDib posted:Top-tier antivirus software (Kaspersky, BitDefender, etc) consistently picks off 99.9%+ of known threats, 95%+ of unknown threats via heuristics, and 98%+ of malicious sites. That's pretty effective in my book. Paul MaudDib posted:One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request. Paul MaudDib posted:Again, that's why we have heuristics. Here's a post I wrote last year when dealing with a similar argument: OSI bean dip posted:Traditionally, anti-virus works through a few ways: Now please stop it with the heuristics nonsense and if you want to argue in this thread, stop calling people and actually contribute to the conversation because this is in fact not YOSPOS. Hopefully the above was too long for you to read because apparently you've had some trouble reading other things and have assumed I am talking about the NSA here.
|
|
#
¿
May 2, 2016 06:49
|
|
|
online friend posted:nobody's posting conspiracy theories? where are you getting this? A lack of reading comprehension skills tends to lead to this belief that we're concerning ourselves with the NSA backdooring anti-virus products I guess.
|
|
#
¿
May 2, 2016 06:54
|
|
|
Wiggly Wayne DDS posted:If you've not paid attention to AV vulns lately we're pointing at zero interaction pre-auth rces to system - not lpes. That or destroying any concept of cert validity. Worse than the disease. Yeah. Like just look at this list of really loving dumb vulnerabilities: Remote debugger in TrendMicro left enabled Comodo forwards to non-mutable API calls on the host Comodo disables aspects of Chrome's sandbox TrendMicro has RCE problems Kaspersky buffer overflow And these are just a random sampling of vulnerabilities from that Project Zero page. Or you can see Tavis' Sophail presentation from 2011, which covers issues like XSS in the web protection module amongst others. This presentation is really what started the rabbit hole for him to go down on how loving dumb AV is designed. And lastly we have a bug for Symantec coming our way.
|
|
#
¿
May 2, 2016 15:34
|
|
|
Daman posted:taviso's AV bugs are cool but the "RCE" is rarely actually practical or part of the actual AV itself. nobody sane is recommending you install sophos or comodo. generally enterprise AV is all worthless, other protections should be in place on the enterprise network to protect endpoints on the network/permissions layer. enterprise is a totally separate theater. The problem I have with your reply here is that what you're saying is that we should overlook these vulnerabilities because no known malware is currently exploiting any of this. You are correct that in as far as any of us know right now nothing is currently exploiting a really dumb RCE in TrendMicro or whatever AV suite to get a foothold on the system. However, what you're forgetting is that what Tavis has found so far demonstrates a complete lack of care or at least intelligence into developing these software suites. If these applications are supposed to make us more secure, then why are there really obvious RCEs? Why is debug mode left on? What soft of loving moron creates a sandbox that allows for the passing of API calls to the host OS just because they assumed that it was safe to do so because they couldn't make system changes? These are the idiot decisions that make me wonder about the actual care and attention that goes into the development of these application suites that again are supposed to make systems more secure. You also are doing a disfavour to your argument by thinking enterprise and non-enterprise AV suites are different when in reality at their core they're not other than manageability. If we look at my earlier post, my argument against the use of it with the expectation of it doing anything is not based on idiotic vulnerabilities that have no business existing but instead the fact that signatures, heuristics, behavioural and everything else being done to detect malware just simply do not work. AV's biggest problem isn't the bugs within; it's the fact that it simply cannot scale. If I can pump out 200,000 unique copies of some ransomware in a single day that signatures cannot keep up with, heuristics cannot predict without causing havoc with other applications, and suspicious behaviour will never get wind of, how can I as an AV vendor expect to be able to keep up? It's really an impossible task to expect that you'll get enough analysts in the lab to come up with answers. This is why I find the whole notion of switching AV vendors after an incident as dumb because another wave of malware will pop up eventually and you'll be back at the same conclusion like you had before. AV provides a false sense of security and the suggestion that you should rely on it should only come from AV vendors themselves, not from people who shouldn't peddle crap. Lain Iwakura fucked around with this message at 18:47 on May 2, 2016 |
|
#
¿
May 2, 2016 18:18
|
|
|
Daman posted:of course you shouldn't rely on any one thing. defense in depth is not just a meme. picking an AV that doesn't come with debug JS servers is a part of that. most _do_ stop lovely kiddy trojans. I'd question whether the knowledge of having an AV would affect what a dumb user does at all. Okay. But how do you pick an AV that doesn't have dumb programming put into it? How many users avoided Comodo because they knew that it was doing harm to Chrome? How many users knew that TrendMicro was running the debug server? How many people knew that Avast was passing API calls to its sandbox to the host OS? None of them. So if I am someone who goes into a store to buy an anti-virus suite, I am likely the type of person to not know the above problems and will likely be at harm for further issues. Daman posted:of course you should consider that these vulnerabilities existed (in the specific configurations and components they occurred in) when deciding if av_vendor is a good choice. history of security issues, vendor response to these, and recent additions/changes to the product should all be taken into consideration.. one vendor's actions don't indicate every product is going to contain ridiculous issues. One vendor's poor coding shows the level of care being put into the engine. Daman posted:To me, it seems like the argument of "if one can get through, why bother at all?" You're still going to see attackers using simple malware spread, why not protect users who don't know any better from these? AV will totally trigger on old garbage trojans people cast a huge net out with. They'll still be affected by payloads that are well-written to avoid AV, but they would've been anyways? If a user is going to be at risk at catching "old garbage trojans", they're already going to get hit by something newer that is going to bypass the anti-virus anyway. The average user who goes and gets themselves infected with something that is old is more likely to get hit with something else because their hygiene is already compromised.
|
|
#
¿
May 3, 2016 15:43
|
|
|
Here's a practical one that you can do in Metasploit with the TIFF file format: https://www.rapid7.com/db/modules/exploit/windows/fileformat/mswin_tiff_overflow quote:This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large vlaue, which ends up being 0, but it still gets pushed as a dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.
|
|
#
¿
May 3, 2016 21:48
|
|
|
Mustache Ride posted:I had an interesting meeting with Cylance. yesterday, who said they are using math models to predict the APIs and library loads commonly used by malware instead of signatures or I've had the pleasure in being stuck in a room with them and seeing the product demoed without an NDA. It does its "job" as an AV suite but I have yet to play with it beyond that. The fact that they won't let you demo it at all without an NDA is ridiculous and speaks volumes about what they think about it. One day I will write about it.
|
|
#
¿
May 5, 2016 14:48
|
|
heuristics
|
Mustache Ride posted:Yeah, in the sit down the Sales Engineer had some intersting things to say about some of the questions I had, including, and I quote "We're not on Virustotal because we would catch everything and then the big 6 would use us as a reputation source and everyone would be using our engine." When I had them pay my company a visit, they gave a full-on demo and even repacked the malware, etc to show off its abilities--which was suspiciously done mind you. When I asked what they'd do when their "magic math" is compromised, they said that they could just adjust some variables and carry on, which smelt of horseshit. Based on the demo I can say that they probably rely on signatures too but they danced around it when I asked them pointed questions about whether or not that was the case. A friend of mine at a similar-sized organization had demo'd their product and got into trouble over their NDA when they posted on a message board about it, being critical about some of its software bugs. I've been actively looking to get my hands on a copy of the product without an NDA and so far I have yet to succeed beyond the installer executable which still requires an MSI that I haven't gotten yet.  I really think that they're scam artists with a half-decent marketing team because they've gotten some "recognition" in various circles.
|
|
#
¿
May 5, 2016 15:19
|
|
|
The hype factor is seriously pumped. http://www.pcworld.com/article/3005677/business-security/new-dell-partnership-throws-doubt-on-traditional-antivirus-programs.html Dumbshit PC World article posted:A partnership announced by Dell on Tuesday shows how cybersecurity defenses are evolving, which could have wide-ranging effects on vendors like Symantec, McAfee and Trend Micro. It's really, really hard to find comparison details on them and this article that came out in November was as close as I could find at the time to talking about how "well" it "worked".
|
|
#
¿
May 5, 2016 17:49
|
|
|
Related, but how many of you are using FireEye HX at all? I don't care about the other FireEye products for this response.
|
|
#
¿
May 5, 2016 21:59
|
|
|
BangersInMyKnickers posted:A patch for that particular CVE has already been pushed via the update channel which is why they are disclosing it now. Check for version 1.1.1.4 of eng.sys/eng64.sys. The bigger issue is what the hell is going on with their coding standards where they think it is 1) acceptable to unpack malware in the kernel and 2) disable buffer security checks at compile because more eyes are going to be looking at their products for low hanging fruit after this and they won't bother disclosing it like Tavis did. I have yet to see how AV improves security but what do I know. 
|
|
#
¿
May 17, 2016 17:05
|
|
|
andrew smash posted:So I stumbled into a pretty glaring security flaw in a medical licensing board's Web portal by doing nothing more nefarious than trying to reset my password. Any idea how I should go about reporting this? Is this the US?
|
|
#
¿
May 17, 2016 20:55
|
|
|
Is it run by the state or is it private?
|
|
#
¿
May 17, 2016 21:21
|
|
|
PeppysDilz posted:I disagree. An OS firewall that blocks/alerts you when a new process attempts an outbound connection (like LittleSnitch on OSX) is very valuable. I know GlassWire works for this use case, but who knows if you should trust it, give Tavis 20 minutes with it and we might find you introduced new attack surface. So basically just stop using Windows :-P. The only time I tell people to stop using Windows is when they tell me they're too paranoid to use Bitlocker because "it's closed source".
|
|
#
¿
Jun 5, 2016 18:45
|
|
|
the real blah posted:I'm not sure of the best way to word this, but does anyone have a good tool for letting me test what ports are open through a firewall when I have no control of the firewall, but have control of both sides? http://scanme.nmap.org/ Run nmap against this.
|
|
#
¿
Jun 15, 2016 22:13
|
|
|
Just another reminder of why LastPass is garbage: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
|
|
#
¿
Jul 27, 2016 15:18
|
|
|
flosofl posted:There's this from Tavis last night: Separate vulnerability likely but yeah. LastPass is literal garbage.
|
|
#
¿
Jul 27, 2016 15:26
|
|
|
PBS posted:Seems as simple as not having autofill on. I have lastpass set so I manually fill username/password fields. So what will you do for the next vulnerability?
|
|
#
¿
Jul 28, 2016 02:00
|
|
|
PBS posted:I sent them an email asking them to stop having vulnerabilities, I'm pretty sure all potential issues will now be resolved. I don't think that you understand the problem with LastPass.
|
|
#
¿
Jul 28, 2016 02:18
|
|
|
PBS posted:Other than being a big juicy target maybe I don't. Here's the thing: LastPass cannot be audited without having to sign an NDA. You have no idea about the server-side aspect of how it runs and there have been far many problems. Nobody in here will be able to tell us how the server-side works and any suggestion that they're confident that they have made things secure is kidding themselves and are really giving charlatan-level advice. 1Password and KeePass are more than fine especially when you combine it with a cloud synchronization service like Dropbox, OneDrive, et cetera. Yes. Those services have problems in themselves, but if LastPass is breached in the right way (it's more than the cryptography we have to worry about here), all the passwords are going to be exposed. If someone gets their hand on a bunch of 1Password or KeePass databases, they're going to have to crack each individual file to get anything. KeePass and 1Password can rely on the length of time between now and long-past the heat death of the universe to protect your passwords if you don't set a lovely master password. LastPass just needs one simple breach and thousands upon thousands of users are going to be hosed. This is not the first LastPass problem nor will it be the last. Lain Iwakura fucked around with this message at 02:49 on Jul 28, 2016 |
|
#
¿
Jul 28, 2016 02:42
|
|
|
PBS posted:I appreciate the reply. Yes. Anyone who follows the same model like LastPass is likely to have the same problem. As with all cloud-based services, you have to rely on someone else to ensure that your data does not get exposed either through incompetence or by an oversight in the design--so far LastPass has yet to achieve defending itself from either. Again, you still run the risk by sharing your password databases on a cloud service, but you gain more control over mitigating the effects because you can rely on the format of the 1Password or KeePass files to ensure that the passwords stay safe--I'd still change all the passwords if my KeePass file or whatever was exposed, but it buys you a near infinite amount of time provided that the password set for the database is good enough. LastPass cannot provide you that level of security at all.
|
|
#
¿
Jul 28, 2016 03:01
|
|
|
doctorfrog posted:I say this as an outsider who doesn't know much, but it seems like you have to balance minimizing risk with butthole-tight/no compromises security with just getting on with your life. The problem with assessing risk is that it's not black and white like you think it is. If you're putting all of your financial-related account details into LastPass, who do you get to compensate you when there is an incident that is directly the fault of them? If LastPass suffers a heavy enough breach (similar in style to say Juniper's code injection) where it bankrupts LogMeIn, will your bank be of help? Can you sue LastPass if a vulnerably arises and you are directly affected by it in the same manner? These are questions that need to be answered before you even begin to assess the actualy risk you take by using something like LastPass. It's the same reason why I am waiting for the day that a bank opts to not compensate someone because they got their PC infected--London's police chief seems to think that this should be the case. 1Password and KeePass are not overly complicated nor a "no compromise" method of security. Besides, I don't put my online banking details into my password manager and it's one of three that never will end up in there.
|
|
#
¿
Jul 28, 2016 21:02
|
|
|
Boris Galerkin posted:Since everyone hates virus scanners here, what do I do about Windows Defender? Leave it on or turn it off? Just leave it on but don't waste money on another product. As for PGP/GPG, it's there for verification that what you published is your code just to prevent tampering. It's trivial to falsify who you are in Git, so signing the commit adds a level of verification.
|
|
#
¿
Aug 10, 2016 16:06
|
|
|
https://wicg.github.io/webusb/
|
|
#
¿
Aug 11, 2016 17:20
|
|
|
Windows and Linux are no different in terms of how "secure" they are but certain things are approached differently in each.
|
|
#
¿
Aug 21, 2016 05:01
|
|
|
It's as if a company wants to integrate a product they bought for billions into their own. The horror! Also if you're using your fingerprint to unlock your phone, security is taking a backseat in your mind anyway.
|
|
#
¿
Aug 25, 2016 17:35
|
|
|
Mustache Ride posted:I think he was talking about hardware fingerprints like user agents and device metadata, not your actual fingerprint. The thing about WhatsApp is that the conversations are kept private but there is no expectation that the meta data is. I am not sure why ItBurns fails to grasp the difference between the two.
|
|
#
¿
Aug 25, 2016 18:02
|
|
|
Mustache Ride posted:Back in the day the messages weren't even encrypted. They were stored in a plaintext database on the iPhone and relied solely on the iPhone's encryption to protect it (hah!). I haven't had to run a forensic case on an iPhone in a while, I wonder how much that has actually changed. Realistically the important thing here is not what is being done with the data at rest but what is being done with the data in transit. If the data is not being encrypted in transport, then there is little need to go and try and get your hands on your target's device. However, if you got your hands on the target's device, then what's to stop them from doing things like extracting the data out of memory or if the device is already unlocked? The iPhone is an example of where this is a problem, but it hasn't stopped the FBI in the past if the circumstances are right (this is not the secure enclave stuff). ItBurns posted:Don't be obtuse. It's a relevant development and a significant reversal of their position (and a few poster's own positions) with regard to sharing identifying info with FB and by proxy advertisers and law enforcement where the (now) encrypted messages can be stored until/if an attack on the encryption is found. What does it matter? You're using a third-party messaging application operated by a company that has a profit incentive. At the very least they encrypt the traffic going through their servers and there is no expectation that the meta data is obfuscated anyway.
|
|
#
¿
Aug 25, 2016 18:23
|
|
|
Wiggly Wayne DDS posted:Great so what does this have to do with infosec? Your privacy is a different subject entirely and you can go yell about it in D&D. It goes over the heads of people like ItBurns that these companies have profit incentives and aren't charities. It also doesn't help that he cannot the difference between information security and privacy. When I made the remark about pr0zac, I was talking about the encryption aspect of WhatsApp, not whether or not Facebook is going to integrate WhatsApp into its product ecosystem. But ItBurns wasn't able to elaborate much more than just taking stuff out of context because he doesn't really understand anything to begin with.
|
|
#
¿
Aug 25, 2016 18:35
|
|
|
|
| # ¿ May 12, 2024 08:44 |
|
|
Rufus Ping posted:this was the assumed threat model all along - it is precisely because you don't trust all third parties not to do this that you're using e2e in the first place Now be careful there or you'll end up with a new custom title that will be very mean. The problem with a lot of individuals is that they quickly conflate privacy and security and assume that they're one in the same. They're two complete separate topics and those who work in the field are able to recognize that. From a security perspective, WhatsApp is doing it right and is making it so you cannot snoop in on messages in transit; from a privacy perspective, WhatsApp is revealing who your contacts are and other meta data to the rest of the Facebook infrastructure, which includes potential advertisers, meaning that the messaging service is not exactly ideal. If you're concerned about WhatsApp--a privately-run service intended to somehow make money--making use of the data that exists within your account, perhaps WhatsApp was never meant for you to begin with? Like really while I recommend Signal instead (which uses the same cryptography framework as WhatsApp), the idea that you can entrust Moxie Marlinspike to always be on the side that we all would prefer is really asinine and that any concern you have over meta data leaking needs to be addressed in a completely different threat model. Like use Signal over WhatsApp but if you're looking for complete privacy over who you converse with online, that is a whole different kettle of fish and realistically you cannot completely rely on third parties to provide adequate privacy. But be aware of when you're conflating things because it makes you look dumb.
|
|
#
¿
Aug 26, 2016 02:01
|
|