With the recent spate of hacking sweeping everything from government agencies to online gaming services, security is very topical right now. Many are shaking their heads at the compromised companies and saying ‘Lol, noobs. Need moar firewallz’. Even companies whose defenses remain intact are vulnerable to Distributed Denial of Service attacks carried out by millions of ‘zombie’ computers scattered across the globe.
The root of both problems is the same: innocent users clicking things they shouldn’t. Whether you’re a CEO with admin access to your company’s network or some random Joe surfing the web, trying to view those naked pictures of Justin Bieber is going to compromise your computer and everything connected to it, unless you have the right protection in place.
I’ve done a bit (a lot) of research into this in recent times due to a ridiculous virus that took over my system, offering to clean the multitude of infections it ‘found’ if I would wire money to some smug bastard in Russia. This research has involved trawling forums and collating disparate information from individuals of a wide range of technical knowledge and experience, and distilling it into a refined depiction of the truth. In other words, exactly what you or I would go through every time we get stuck into a new RPG. However if you are not inclined to go through all this research yourself, allow me to share some things with you:
Here’s a reasonably up to date list of all manner of free security software.
Most forums are shit: Wilder’s security is a big exception, and where I obtain most of my info.
Anti-virus is shit: Anti-virus uses signature-based technology to compare processes that want to run on your computer to a database. The problem with this is that querying massive databases introduces lag to everything that you do, and that new threats require time to become incorporated to the database. Having said that, having one on hand to scan particularly suspect files can be a useful back-up. PrevX and Avast! are two examples that I’ve tried and found to be neat (the former uses cloud technology, minimizing system resources and ensuring the most up-to-date database).
Anti-virus vs anti-malware vs anti-spyware: Sometimes the distinctions between these are meaningful, but often they are pure marketing hype. Having said that, an example of non-hype is the free Malware Bytes Anti-Malware (the paid version offers real-time protection – not necessary as discussed above). MBAM also relies on signature-based detection, but the focus is apparently on finding infections missed by other anti-viruses. In other words, the infections that are actually going to make it through to most people’s computers.
Admin mode is shit, but you will probably use it anyway: In admin mode, malware can do whatever it wants to your computer. If you run as a limited user on the other hand, you will greatly limit the impact that malware can have. The problem is that if something tries to run that needs admin privileges, you will receive a vague prompt that authorizes it do all the high-privilege things that it wants to. It can be difficult to know whether you have a legitimate program or not here.
Windows 7 is more secure, but less secure: Compared to Windows XP (let’s not discuss Vista), Windows 7 has some improved security measures, such as Adress Space Layout Randomization (ASLR) which prevents buffer overflow attacks. In Windows 7 Microsoft have also beefed up protection of any attempted patching of the core Windows goodies (the kernel), with their technology known as Patch Guard. This makes it harder for malware to do nasty things, but also makes it harder for security vendors to ensure that their software has sufficient privileges to completely stop malware. So if you are running the latest and greatest operating system together with some of the security software discussed below, you may be more at risk than if you were operating under XP.
Chrome is the most secure browser: Firefox can come close if you install the ‘NoScript’ extension (and is woefully inadequate if you don’t). But it says something that at the yearly Pwn2Own hacker contest, the hackers have been unable to break Chrome (in fact, they don’t even bother trying).
Answering an endless series of questions is shit: HIPS programs (no, not that HIPS) establish a set of actions that each process is allowed to take. Can it alter the registry? Can it add itself to Windows start-up? Can it inject itself into Windows processes? Etc. This does not require an up-to-date database, nor does it need to be particularly taxing to the system. And they are extremely powerful. The problem is that the many questions can be difficult to answer for novice users, and a pain in the ass for all users.
Firewalls are good: If you are not behind a router, i.e. connected directly to the net, most experts estimate that without an inbound firewall you’ll become infected in ~10-15 minutes (!). Hackers have automated routines constantly scanning random IP addresses for vulnerabilities. Preferably get behind a router (which will reject unsolicited incoming connections for you), or get some software-based inbound protection.
The default Windows firewall offers completely fine inbound protection for this purpose. However what if our system becomes infected by a process actually initiated by us with an unwitting click? For this we need outbound protection. Most free and paid software firewall packages these days come with both this technology and with HIPS functionality as described above.
Decent free examples, bearing in mind the drawbacks of HIPS software, include Online Armor, Comodo, and Private Firewall.
Alternatives to classical HIPS - if you’re like me and don’t want to answer an endless stream of chat from your security software, there are actually not that many options available:
Policy-based HIPS: The idea here is to maintain a set of ‘Trusted’ and ‘Untrusted’ applications. Anything coming from a ‘threat gate’ – i.e. your browser, peer to peer programs, a USB stick, etc – are automatically untrusted. These processes run with reduced rights, i.e. are denied the ability to make any nasty changes to the registry, add themselves to start-up, capture the keyboard, etc. In this way we avoid answering a bunch of irritating questions. The drawback is that when we have something legitimate that does need to do these special activities to work properly, we have to remember to run it as ‘Trusted’ or it will not work properly. This is a small drawback for me given how powerful, light and unobtrusive these programs are.
The only options that I’m currently aware of with this type of functionality are DefenseWall, GesWall, and AppGuard. The latter is still in development but seems the most far along in terms of overcoming the Patch Guard protection of Windows 7 discussed above.
I’m still on Windows XP 32-bit and am happily using DefenseWall, which comes highly recommended from many independent, expert sources. It also passes every security test I’ve thrown at it with flying colours, operates very smoothly with no hitch to system resources as far as I can tell, and requires no set-up to do all this (this is good, because the UI is not user-friendly at all – it’s a good thing I never have to use it). DefenseWall is also not free, but does come with a lifetime license for ~$30 and you can evaluate it for 30 days before buying.
Sandboxing: Let programs do whatever they want to do – just run all threat sources in a virtual environment that does not get to make changes to the real system. When your session is finished, flush the sandbox and ‘poof’, any changes made by malware are gone. Of course, sometimes you’ll want to promote things from the virtual sandbox to become ‘real’ – it’s up to the user to decide when this is appropriate.
The best application to recommend here is SandboxIE. It’s free for a single sandbox (adequate for most users), but for more convenient functionality you can get the paid version and maintain multiple sandboxes.
Behaviour-blockers: These programs analyze collectively what each process is trying to do, assigning it some internal threat score. Do too many suspect actions, and you will automatically be flagged as malware. The good thing about this is that the user rarely hears from the application unless there’s a problem. The disadvantage is the slightly greater lag introduced (not as bad as for anti-viruses) and that the protection offered is theoretically not quite as high as for the above options.
If you go this route, Mamutu and ThreatFire come highly recommended.
Nothing’s 100%. What happens when I get an infection? There is only one known cure for this. You can’t rely on booting into Windows – once you’ve got malware, you have to assume that it’s the very worst kind, a rootkit. This is something that, in essence, becomes part of your Windows. The only way you can remove it is booting into a different operating system using trusted removable media. A good way to achieve this is using a BartPE disc such as UBCD4WIN, which draws from your own Windows files to create a ‘Windows lite’ that you can boot into and cleanse the little bastard out. Obviously, you need to have this disc prepared on a trusted computer.
From here you can run as many anti-virus scanners as you like until you find the culprit. (Most commonly recommended: MBAM, SAS). Alternately, you can use imaging software to restore a last known safe backup. The free version of Macrium comes highly recommended for this (as does the paid version – other recommended paid software includes Image for Windows and Drive Snapshot). These imaging suites typically allow you to create a rescue disc, which follows the same philosophy above of booting using a clean operating system. I like the sound of Macrium because it uses a BartPE environment, meaning that I can include all other manner of useful Windows security applications to run there as well, and because it comes highly recommended.
But I might not know if I have an infection. How can I tell that I don’t have some key-logger sending my banking info to Russia, without booting from a rescue CD and scanning periodically: Ok, we’re starting to get into paranoia DefCon level 5 here. But for this purpose you should look into anti-keylogger software such as Zemana or SpyShelter. Both have some decent HIPS functionality as well. DefenseWall provides good key-logger protection, but if I’ve unwittingly ‘Trusted’ some malware that logs key-strokes, I wouldn’t know about it. Zemana and SpyShelter have nice logging features that make sure you can discover things that have gotten past the net.
So, um, TLDR. Wtf are you running again? I’m running DefenseWall on Windows XP 32-bit. It comes with a firewall as well, neat. I use Chrome. That’s all.
With DefenseWall, malware can’t do anything to my system. But it could sit dormant on my system and infect somebody else if I were to email it to them. For this purpose and for any suspect files that I am considering running as ‘Trusted’, I keep MBAM on hand.
If I needed a firewall alternative I’d probably go for something like Privatefirewall. If I was to switch to Windows 7 64-bit, I would switch to SandboxIE because the developer has managed to ‘crack’ the Microsoft Patch Guard feature and so retain maximum protection. AppGuard looks to be developing in a promising manner here too.
So, that’s about it. If you take on even 10% of the above advice, you too can avoid becoming a member of the zombie bot-net horde (or, if you’ve been running with no protection, extricate yourself from the horde).
Tuesday, June 28, 2011
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment