Tuesday, August 07, 2007

Hack the Gibson #91

Read the reason for these posts. Read Steve Gibson's response.

This was an interview episode, so there is not much I can comment on. SpinRite appears again to save the day, again without the reminder that backups are important and that a hard drive which has already had a physical failure is very likely to fail completely in the short term and end up in a state where no software can do anything with it.

Steve again rants about how browser scripting enables your client, your browser, to run code from any site you visit. What he fails to realize (or to say) is that, in the big picture, any communication with an untrusted (and possibly malicious) remote host can be dangerous, and that scripting is not the root of the problem. Admittedly, scripting can be used to obfuscate these exploits and do other neat (from the attacker's point of view) things, like tailoring the exploit to the exact platform the user is running, but in the end many exploits (like the ANI one, for example) run just as well without scripting as with it.

One reader asked my opinion about the Blink product they talked about in the podcast. (Disclaimer: this is my personal opinion; it doesn't necessarily reflect the opinion of any of my past or current employers, blah, blah.) I didn't actually try Blink, but generally speaking, if you have an environment which is different enough from the mainstream (like running as a limited user), you will be protected against 99.99% of the generic malware out there. Of course this probably will not protect you against targeted attacks, because those can be tailored to your exact environment. However, this is only an issue if you are a company. So using something like Blink together with other good security practices will make your computer withstand 99.99% of the attacks. Additionally, it might protect you against some exploits of the automatic kind (meaning those where you don't have to do anything specific to get exploited), which is definitely a good thing. I will also have to check out its user interface to get a feel for how difficult it would be for an average user to make sense of it. In the end, however, it can't prevent the dancing bunnies problem, where the user is socially engineered into taking some action (like downloading an executable and explicitly allowing it to bypass the security measures), of which we see more and more.

In conclusion: it's probably a good product, especially given its price (free!); however, it's not a silver bullet, and caution still needs to be exercised even with this product installed.

4 comments:

  1. Anonymous, 7:26 PM

    Thanks for the answer to my e-mail question :) This is gonna be a longer comment and I understand it if you don't have the time or energy to read or reply to this. Just know that it took me over an hour to write this, so I would be pretty happy about an answer ;)

    I just re-read the interview of episode #91 where they talk about Blink, so I thought about the security of my system and what I could gain from Blink again. I would like to know if I missed some general ways a system like mine could be exploited and whether I understood the way Blink works. For this I'm gonna write a summary of my system, the ways I believe it is possible to exploit it and the possible gains from installing Blink to give you an idea about how far my understanding of computer security goes and to (pretty please :D) be corrected where I'm wrong:


    Basically I run an updated Windows XP with an antivirus program by Kaspersky and I connect to the internet through a router which doesn't allow incoming connections. My browser is Opera and I use Thunderbird for e-mail, usenet and rss-feeds.

    From my understanding I'd say this is a secure-enough setup for somebody who knows what he's doing on the net:
    1. The router blocks malicious programs trying to remotely exploit software running on my system if I did not forward the ports of that software.
    2. The browser is not widespread enough to be a target of most malicious websites. Additionally I only visit websites I trust/think to be clean (No porn/warez/mp3 websites.)
    3. The antivirus does automatic scanning and is basically meant for files from friends.

    These are the possibilities I see to exploit my own system:

    1. Exploit a program I forwarded a port for in my router (For example, a torrent client).
    2. Exploit a function in a library used by Opera or exploit a vulnerability of Opera itself through a malicious website.
    Same goes for every other software which I use to process data I got from the internet.
    3. Installing software containing a not yet detected virus/worm/trojan.

    Now, this Blink program seems to be scanning for malicious network packets or API calls through "hooking" itself into the API (Like a rootkit?), and - much like an antivirus program scans a file I want to start before it is actually started - scans all communications between programs, the internet, etc, for software exploits.
    From my understanding, this would also keep me safe in these scenarios:

    A. A program I forwarded a port for in my router has a known security hole. Blink has a signature for the exploit, scans all network packets going to this program for this exploit and removes the exploit if it is actually being sent.
    B. Opera has a known security hole and I go to a malicious website/connect to a malicious webserver which would exploit this vulnerability. Blink removes the bad content/packet before it reaches Opera if it has a signature for this exploit.
    C. There's a not yet detected exploit which is executed from a strange place in memory. Blink possibly stops this because of its exploit-like behaviour.

    Did I understand this all right? If this Blink program really does all this, wouldn't it also extremely slow down the whole PC, way more than an antivirus program? Isn't API "hooking" a bit dangerous looking at system stability? I understand antivirus programs do it, too, but Blink appears to have to hook a few more APIs if it wants to provide this functionality.

    Again, I hope I'm not asking for too much, but I would love to get an answer on this :)

    Thanks for your time,

    Andreas S.

  2. I appreciate your comment and will try to answer it, because more security = less problems for everybody :) (and also because I'm a nice guy, but that goes without saying ;)).

    You have assessed your security situation very well, and I'm confident that you are safer than 99.99% of the people using the internet (sadly, because many things you enumerated should be standard for any Internet user!). Some minor details:

    - Check if your router has remote management capabilities (most home-grade routers do), and if possible, disable it (or at least make it so that it can't be accessed from the outside) and assign a strong password to it.

    - Browsers interact with several plugins to display non-HTML content, so another possible way of attacking a machine is through something like the Flash player, the Java runtime or Quicktime. Thankfully all three of these have auto-update features built into them, but you should still check that you have a recent version (for example older versions of the Java runtime didn't have the auto-update feature).

    This said, there are still three things that come to mind which could improve your security:

    - Use the hosts file maintained by winhelp2002 (http://www.mvps.org/winhelp2002/hosts.htm). This has the nice side-effect that it also blocks many adservers (which equals less advertisement on webpages), is relatively easy to install and has minimal (negative) impact on the system.

    - The second thing would be to either run as a limited user and use solutions like RunAs or sudowin to elevate your privileges when necessary, or use a HIPS like System Safety Monitor (http://www.syssafety.com/), the free version of which is sufficient. These steps have a much bigger impact on your day-to-day computer usage and can take a little time to get used to. Also, something like SSM has a bigger impact on your system than something like running as a limited user, but also is much more visible (they will stop roughly the same amount of malicious code, but the systems built into Windows do not have an alerting system to notify you when something got blocked).

    - Finally, you could use something like Blink to stop unknown exploits, as you mentioned, however in general this would add very little to your security, not because the product is flawed in any way, but because almost all of the currently available exploits out there contain very little code, the only function of which is to drop an executable and launch it, at which step it would be caught by SSM for example.

    In the end one must accept that there is no such thing as perfect security (sadly). And that security and usability are many times opposing and everybody should strike a balance between the two which is acceptable for them. Coming back to the first idea, even if there were such a thing as perfect security, it would be completely unusable.

    PS. The academic definition of security includes three aspects of it: Confidentiality, Integrity and Availability. The posts (and also this comment) refer only to the Integrity part, as Availability is many times not as important to the end user and Confidentiality is directly related to Integrity. However this doesn't mean that one shouldn't concentrate on the other aspects, for example making sure not to get phished, which, without any malicious code, can compromise the confidentiality aspect of your security.

    Hope this helps.

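The hosts-file suggestion in the comment above relies on two properties a practitioner should be able to check: that every entry points a blocked name at the local machine (so nothing is silently redirected elsewhere), and that matching is exact, so a blocked domain does not cover its subdomains. The following is an added example, not code from this blog or from the winhelp2002 project; the hosts content it parses is constructed for the example, and the names and addresses in it (`.test` domains, a TEST-NET-3 address) are placeholders.

```python
"""Parse a hosts-file style blocklist (one "0.0.0.0 hostname" line per
blocked host, comments starting with '#') and run two defender-side checks:
  1. is_blocked: would this hostname resolve to the local sink?
  2. suspicious_redirects: does any entry send a name to a non-local address,
     the pattern seen when malware tampers with the hosts file to redirect
     legitimate sites?
The sample hosts text below is constructed for this example (assumption)."""
import ipaddress

# Addresses that only sink traffic on the local machine.
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE_HOSTS = """\
# Constructed sample; not the real winhelp2002 list
127.0.0.1 localhost
0.0.0.0 ads.example-adserver.test   # blocked ad server
0.0.0.0 tracker.example-tracker.test
# a tampered entry: a real-looking site redirected off-machine
203.0.113.45 www.example-bank.test
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) tuples.

    Comments, blank lines, lines without an address and names, and lines whose
    first field is not a valid IP address are skipped; one line may list
    several hostnames after the address, as the hosts format allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address field
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def is_blocked(entries, hostname):
    """True if hostname maps to a local sink address.

    The hosts file has no wildcards: an entry for ads.example-adserver.test
    says nothing about sub.ads.example-adserver.test, which is the main
    coverage limitation of this blocking method.
    """
    hostname = hostname.lower().rstrip(".")
    return any(ip in LOCAL_SINKS and name == hostname for ip, name in entries)


def suspicious_redirects(entries):
    """Entries whose address is not a local sink.

    A hosts file used purely for blocking should produce an empty list here
    (localhost itself maps to 127.0.0.1, which is a sink); any hit deserves
    a look, since it redirects a name to some other machine.
    """
    return [(ip, name) for ip, name in entries if ip not in LOCAL_SINKS]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("entries:", parsed)
    print("ads.example-adserver.test blocked:",
          is_blocked(parsed, "ads.example-adserver.test"))
    print("subdomain blocked:",
          is_blocked(parsed, "sub.ads.example-adserver.test"))
    print("suspicious:", suspicious_redirects(parsed))
```

Run it against a real hosts file by replacing `SAMPLE_HOSTS` with the file's contents; the `suspicious_redirects` check is the one worth scheduling, because a blocklist that suddenly contains non-local addresses is a stronger integrity signal than the list's size.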
  3. Anonymous, 4:07 PM

    Thanks a lot for the fast answer. It's nice knowing that my general understanding of security is not totally off :D

    Now about your tips:

    1. I'm not sure if I want to use a hosts.txt file to filter out bad websites. It's a cool method, especially because it's pretty logical that it doesn't break anything, but I even like the advertisements sometimes: They are also a nice way to give back something to a good site or blog by clicking on them (I suppose google doesn't like me for doing that ;), but I'm nice and read the advertising company's site a bit to ease my conscience).
    2. Thanks a lot for the pointer to the System Safety Monitor. I like this approach way better than running as a limited user. I have thought about doing so before, but as I often change hardware settings (like my network card's IP address) and other things which sometimes do not work with a sudo implementation it would be really inconvenient for me to run as a limited user. As you say it's also nice to know when there actually was something on your PC doing strange things, so I will definitely try out SSM :)
    3. I suppose I won't install Blink, especially because I don't like the idea of having API hooks everywhere. I know a few cases where they broke software I use and it's hard to find out if a specific software failed because of a normal bug or a badly programmed API hook.

    I understand the part about the 3 aspects of security. I've read about them before (They explained it pretty well in "Mastering FreeBSD and OpenBSD Security" published by O'Reilly), but for me learning about how to get integrity is the main goal. Integrity is what gives me the feeling "My personal computer is secure" when I browse the web, even though I know it's also important to keep an eye out for phishing attempts or similar stuff (like infected No-CD cracks for video games) and to do backups of important data. Also, availability is pretty much a server issue to me: If my PC doesn't work anymore I just make a copy of my broken system onto a second HD and reinstall my OS :)

    Having said everything I want to say, I'm very thankful that you answered my questions so thoroughly. It's not easy for me to learn about computer security, because it requires in-depth knowledge about how most stuff works, and this knowledge is pretty hard to gain when you are new in this job. (You basically don't know where to begin :) ). Getting answers from somebody maintaining a blog about computer security is a big help to check the confidentiality (and integrity?) of my knowledge.

  4. Thank you for your kind words. And I'm really glad that I could help you by giving (hopefully ;)) relevant advice.

    The thing you said about the hosts file is a very good example of security being a series of trade-offs and the best you can do is inform people about the consequences of choosing one over the other (my worst enemies are uninformed decisions or decisions based on mis-information - something that clearly doesn't apply to your case :)).

    Finally, do keep in mind that I'm by no means "perfect" (and it angers me whenever somebody claims to be that in the area of - computer - security). What I write down is correct to the best of my knowledge, but it doesn't mean that I won't be proven wrong. However, the best I can do is promise that if I am, I will write about it on my blog :).