Dr. Nikolai Bezroukov
Copyright 2012-2017, Dr. Nikolai Bezroukov. This is a copyrighted unpublished work. All rights reserved.
Windows is a very complex OS, and as a result of this complexity it is a very insecure system with almost zero integrity checking, because security was never a Microsoft development priority. It cannot be properly secured because there are multiple channels into your box, first of all Windows Update (but also multiple updaters from other applications).
And generally speaking, developers of a consumer OS usually have other priorities, as they are in the consumer market, not the Pentagon software development market (although they are now definitely the main target of some NSA efforts ;-). That consumer nature of Windows is reflected in the Windows architecture, which does not segregate well between "system" components and "application" components (although Authenticode does help a lot). Being the dominant desktop OS does not help either. The dominant market share automatically means that it is the most targeted OS in existence.
Windows historically started as a GUI on top of DOS, a single-user OS for an isolated PC. That heritage is strongly reflected in the modern Windows architecture. Moreover, it structured user expectations even after Windows was completely rewritten as Windows NT (which is a derivative of VAX/VMS, a solid multiuser OS).
Unlike Unix, which from the beginning was a multiuser system and needed to pay great attention to separating user and application activities from system activities, in Windows there is no such separation, and during its creation these aspects of VAX/VMS were bastardized in favour of continuity. Security in Windows NT was really modest: a single user who can run multiple tasks was enough. Until recently there was a single filespace for system programs (which were writable by the user) and user-installed programs, permissions were lax, and most users logged in as administrators, not as "regular" users (although in recent versions of Windows this is possible and even encouraged).
Again, as a legacy of Windows 3.0 and DOS, Windows users are typically logged in as administrators, and applications can install whatever they wish on the system with almost zero control. Many applications require administrative privileges to function properly. At the same time, modern Windows provides a reasonably comfortable environment in user mode too, and this is the standard way it is used in enterprise deployments.
The fact that Windows became the dominant consumer OS with over 80% of the market is a game changer in more than one aspect. Any "monoculture" of this magnitude attracts attackers like honey attracts flies. Moreover, Windows is now used far beyond its scope of applicability (for example in computers which control industrial processes, SCADA devices). Also, despite being a consumer OS, Windows is now widely used by governments, at least at the desktop level. And it is governments which typically drive the efforts to create a secure OS: for example, they financed the creation of Trusted Solaris and at least temporarily financed the development of OpenBSD, but with Windows there is no Trusted Windows.
Work in a large organization tends to expand uncontrollably to fill all the time available for those who are assigned to perform it and to consume all the resources assigned. This is especially typical for security departments, which are often unable to do any useful job and replace it with an imitation of activity in the form of various policies and checklists. In other words, Parkinson's law is perfectly applicable to Windows security. Parkinson provided a very relevant example: the UK ministry of colonies had the most staff and moved to a larger, more plush building after Britain lost all its colonies. This is a very relevant example security-wise, if we think about the "after Snowden" and "after CryptoLocker" situation with security.
The situation with Windows security changed dramatically around the year 2000, when governments (and first of all the USA) started to create their own cyberwar organizations, and even more so after the discovery of Flame (discovered in 2012) and Stuxnet. After that, anybody who considers using Windows on a networked PC connected to the Internet (even via proxy) for more or less security-sensitive tasks can be viewed as a complete idiot (especially at the government level). In such cases there should always be a separate "highly sensitive" network and an "unsecure" network with no electronic bridges between them. But this is easier to say than to achieve. As the recent Hillary emailgate fiasco revealed, idiots (security-wise) in high government positions are simply too abundant to make this possible. Hillary essentially created a shadow IT department in the State Department, with predictable consequences.
In 2017 the horse has clearly left the barn (as CIA exploits were downloaded to hacker sites and spread worldwide), but security departments are now better staffed and perform more useless work, creating additional load on other parts of IT and on end users, which lowers productivity without really enhancing security (aka red tape).
In other words, we need to accept that any computer connected to a network is an insecure computer, and only the degree of insecurity can vary. So all the recent fuss, for example, about a particular SSL vulnerability should be treated with the skepticism it deserves. The law of infinite numbers states that if you subtract one from an infinite number it remains an infinite number. With the level of complexity of modern OSes and the level of penetration of government intelligence agencies (and first of all the US government) into companies like Microsoft, it is reasonable to assume that zero-day exploits are always available to government hackers, and maybe not only to them.
BTW, the key decisions that affect security in a large organization are made by system architects, not by anybody else. The security group in large corporations generally serves the role of night cleaners in a supermarket. And generally they are usually equally clueless ;-) Most security activities outside architecture-related issues belong to the "imitation of activity" that Parkinson's law is talking about. And while 80% is useless, out of those 80% approximately 20% is definitely harmful. As Talleyrand used to say: first and foremost, try to avoid excessive zeal.
Recently, with the Snowden revelations, we learned about government-sponsored attempts to write information-stealing Trojans for Windows (as well as for other popular platforms such as the iPhone, Cisco routers, and Dell and HP servers), as if regular cyber criminals were not enough (see, for example, the description of Flame). And in 2017 we learned about the arsenal of hacking tools that were developed by the CIA and later got into shadow distribution channels, the so-called Vault 7 (see Vault 7 - Wikipedia).
It goes without saying that for a consumer-oriented OS, enough money and research can produce devilish exploits that will penetrate even a fully patched Windows 7 or 10 installation like a knife goes through butter. And it is naive to think that this situation can be changed. That means that Windows is now, and will be in the foreseeable future, an easy target for determined and well-funded attackers.
A good thing about determined and well-funded attackers is that they are pretty selective in their targets and probably will never try to get into the computer of a regular Joe User. They go after bigger fish. But a bad thing is that the methods used by them are now in the open and will be gradually adopted by lower-level cyber criminals, and first of all by those who specialize in stealing financial information. That means that regular consumers who access financial accounts via PC should now pay special attention to this type of activity and preferably use a special PC for it (which is just a minor inconvenience). An old laptop with a reinstalled minimal Windows installation is a good platform for operations with your Internet accounts at financial institutions. This PC should not be used for anything else. For browsing the Web, if you know Linux, you should use a Linux PC (accessible via remote desktop), as this way you cut off the lion's share of exploits.
There are several major things that you need to be aware of, based on fundamental architectural weaknesses of Windows:
A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.
On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates — Avast and Emsisoft — are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on antivirus software last year — nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.
For really dangerous data-stealing Trojans and worms, the period from infection to detection is rarely less than a couple of weeks, and typically the user becomes aware of the infection only several months later. When the gap between an infection and its detection can be months or even years (yes, years), you had better understand the risk you take. And use a second computer (or a VM) for private activities such as doing taxes and accessing financial sites. An extra computer for this purpose costs only around $300, which is an insignificant price for peace of mind. Again, no matter what AV you have, for processing your confidential and financial data you should now use a different, second "secure" computer. PCs have now become so cheap that this simple step is the most viable strategy for minimizing your risks.
This problem of "chronic Windows insecurity" became more noticeable in the last couple of years and actually drives people from Windows to Apple. If not all, then most defections of Windows users to Apple are driven by the perception that Windows has become "a can of worms". I think this information should get to Microsoft brass. There is hope that Microsoft will gradually improve Windows, but if they don't take well-publicized and effective measures, the situation for them can deteriorate despite the best efforts of Microsoft engineers. The problem is that many really effective anti-malware measures break compatibility and as such are hugely undesirable from other points of view. Others go against the nature of Windows as a consumer system (for example, signing with Authenticode all executables that can run with root privileges).
I suspect that as of 2012 malware became a strategic threat to Microsoft's dominant position and revenues in the consumer market. Windows insecurity (the inability of Microsoft to stop recurrent infections of user PCs by architectural methods) has now become the selling point of alternative OSes, and first of all Apple OS X. The most typical explanation of people who switched to Apple has nothing to do with the interface or slick design. It is "I am tired of fighting malware/viruses in Windows" and "Apple has MS Office and that is almost all I need; and it does not have viruses". The latter is not true, but even if people just believe that Apple is more secure against viruses than Windows, that will generate migrations. Apple also greatly benefits from "security by obscurity", as it currently represents just 3% of the market or so.
Gradual erosion of Windows' position is also happening due to the growing share of Android device sales, with tablets with a stylus representing a more viable alternative to the PC than before (see, for example, the Samsung Galaxy Note 10.1 with S-Pen as a typical representative of this class of tablets). Currently Android's position in the tablet market, unlike the desktop, is weak, but that might change, as version 4.2 represents a more competitive platform for tablets than previous versions of Android. Microsoft's attempt to capture part of the tablet market, while admirable, distracts its attention from security problems. Windows 8's forte is the touch interface, which gives it the opportunity to compete neck and neck with the iPad and Android tablets, not so much greater security.
This is a big and complex topic, and we will just scratch the surface here. The key idea behind writing this section is to show that you just can't secure Windows, no matter what you try. It is insecure by design. First of all, I would like to say that Microsoft is a great software development organization that brought to the world such masterpieces of software as MS Word 6 for DOS, Visual C++ 6.0, Excel 2003, FrontPage 2003, and many more, which will be used, and are used, for many, many years after those versions were discontinued by Microsoft.
Most of Microsoft's strategic goals, until recently, were not well aligned with security. Now the train, unfortunately, has left the station, as the architecture of Windows is by and large fixed, and changing it will break compatibility with products valuable to consumers and also deprive of revenue dozens of security companies, which now control Microsoft in more ways than you can think (as the Symantec lawsuit has shown). Simply put, finding security exploits in Windows and, especially, protecting users from them became quite a big and extremely profitable business. Using them to exploit PC users also became quite a profitable business, as the revenue of fake antivirus companies can attest. In such a situation, any single company, even one as big as Microsoft, will be outnumbered and outgunned and will find itself on the losing side. To a certain extent that was an unavoidable development due to the huge success of Microsoft OSes in the consumer market, where they essentially wiped out all the competition. Monocultures are always more successfully attacked.
Microsoft did demonstrate some courage under fire and managed to change the situation for the better with Windows XP SP3 after a set of network worms and, especially, in Windows 7, where signing of executables was at last (better late than never) extended to the key files. Windows 7 also attempts to mitigate, via UAC, the "universal admin mode" under which Windows is typically used. But here, like in other attempts to beef up Windows security, they forgot to test the social engineering side of the equation. One of the questionable benefits of UAC is that it has conditioned people to believe that as long as the screen background is grayed out they can trust whatever is on the screen. As the XP Antivirus Pro scareware demonstrated, this is not a reasonable assumption (Anatomy of a malware scam). The latest worms also represent a kick in the chin for Microsoft, and Windows 8 has some additional measures that help to better protect it from attacks. But it does not change the whole grim situation with Windows security, where users need to pay a "security tax" just to use their PCs.
In 2011 and 2012 Microsoft found itself under a barrage of heavy artillery with such monsters as Flame and Duqu. That completely changed the picture again and put at the forefront the architectural problems of Windows, which are many. Unfortunately, some of the security flaws of Windows are unsolvable within the current compatibility framework.
Microsoft made several decisions in Windows design that were very bad for security (should we call them blunders?). They were partially dictated by the desire to make Windows more user-friendly. Among those we can mention the following (no attempt was made to create an authoritative list here):
Shadow data streams in executables. This increases the potential of malware to hide data.
Nonexistent defense against changes of the "system" attribute. The system attribute is actually a very important and useful file attribute (and that is one of the advantages of Windows over Unix), but the way it was implemented by Microsoft made it almost useless. Anybody with permission to write to the file can change the attribute, while changing the attributes of a file should require a higher-level permission, and attributes like system should be sticky: once set, it should be impossible to remove in the normal Windows setting, like the immutable attribute in FreeBSD.
Ability to run unsigned ActiveX. In general, Microsoft was late in implementing sandboxing in Windows.
For a long time Microsoft just did not pay any attention to security at all and was primarily concerned with growth of market share (and then maintaining its dominant position) and compatibility issues. It essentially created and nourished the huge antivirus industry that now sucks a lot of money from consumers (this is the real Microsoft Tax).
But truth be told, Microsoft does not exist in a vacuum. And other software development companies are much worse. Some popular applications running under Windows, such as Adobe products, often represent a far greater threat than the Microsoft OS or any Microsoft application. Also, as for applications, I am not sure that flaws in the IE design were a less important contributor to the current explosion of Windows malware than Windows OS problems in and by themselves.
Microsoft generally can be considered the king of software complexity. It used it as a way to weed out competition and created such masterpieces as Excel, FrontPage, Word and several other "all-dancing-all-singing" software applications. The fact that they are still able to debug Excel is a testament to Microsoft's unique abilities. But at the OS level this infatuation with overcomplexity comes back and bites them. And recently it did really hard ;-)
A typical Windows XP installation has over 300 drivers in C:\WINDOWS\system32\drivers\ and more than 2000 files in C:\WINDOWS\system32. The methods for determining from where and when a particular driver or executable came are rudimentary. The methods for determining whether a particular driver or executable belongs to Windows or not are even more so, outside of signed executables.
The idea of the registry as a database specialized for configuration settings was a great one. But the implementation did not have a clear architectural blueprint and degenerated into a mess. The key here, in my opinion, is understanding that the registry should be more like a specialized virtual filesystem with timestamps for all elements and protection from unauthorized access on various levels (including using an immutable attribute). To me it is a classic example of "the road to hell is paved with good intentions".
Microsoft wanted to replace the mess that text configuration files represented and in the process created an even bigger mess. The level of architectural thinking in the registry design is so low that now it is impossible to correct it without massive problems with compatibility.
Now the Windows registry, with its innumerable ways of launching executables, is a perfect hiding place for malware. An impenetrable maze of hives where you can hide an elephant, not just a single malware executable.
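Since the registry is where launch points hide, the practical defender's move is to enumerate them and check what each one actually starts. The following PowerShell script is an added example and is not the page author's code: it walks a starting set of autostart locations (the Run/RunOnce keys and the Winlogon Shell/Userinit values; this list is an assumption and is far from complete), extracts the executable from each command line, and reports its Authenticode status, so entries that point at unsigned or missing binaries stand out.

```powershell
# Added example (not from the page's author): inventory common registry autostart
# entries and check the Authenticode signature of the program each one launches.
# Assumption: the key list is a starting point, not the full set of launch points.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-ExecutableFromCommand {
    # Pull the program path out of a command line: a quoted path, or the first token.
    # Trailing commas (as in the default Userinit value) and bare names such as
    # "explorer.exe" are resolved as well.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe.TrimEnd(','))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

$entries = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        # Winlogon carries many values; only Shell and Userinit launch programs.
        if ($key -like '*Winlogon' -and $p.Name -notin 'Shell', 'Userinit') { continue }
        $exe = Get-ExecutableFromCommand -CommandLine ([string]$p.Value)
        $status = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
        } else { 'FileMissing' }
        [pscustomobject]@{ Key = $key; Value = $p.Name; Command = $p.Value; Exe = $exe; SigStatus = $status }
    }
}

$entries | Format-Table Value, Exe, SigStatus -AutoSize
# The entries worth a closer look: unsigned, tampered, or pointing at a file that is gone.
$entries | Where-Object { $_.SigStatus -ne 'Valid' }
```

Run it under the account whose HKCU hive you want to inspect (each user has its own Run key). On Windows 7 and earlier many Microsoft binaries are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so treat that status as "check further", not as proof of malware; services, scheduled tasks, browser helper objects and shell extensions are additional launch points this starting list does not cover.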
Still, a couple of changes in the direction of making it more filesystem-like can make it more secure:
The structure of Windows system directories is also pretty chaotic. Application programs write their files God knows where. There are at least half a dozen Temp directories, which are not automatically cleaned on shutdown. That prevents designating certain directories as read-only, as is possible in Unix when mounting partitions. But that, of course, cuts the user-friendliness of Windows, as any update of the drive becomes a more complex procedure that requires a reboot into safe mode. By extension, Windows Update would also become limited to safe mode, which, as recent malware has shown, can be a good thing to do.
In view of the tremendous complexity of Windows, there should be a clear, iron distinction between "system" (Microsoft and its trusted partners providing drivers, like Intel and Nvidia) and "application" directories in the filesystem. No Symantec or McAfee junk should ever pollute system directories ;-). That "exile" should also be extended to third-party drivers and DLLs. And it goes without saying that no application program should be able to write to system directories.
Windows has one interesting attribute that can be enhanced, the so-called system attribute. For example, the system attribute could be used as a lock (maybe with a physical button on the computer case) that allows changing critical files and directories. Once set, nobody should be able to remove it in normal mode, only in safe mode. That change actually can be implemented by a binary patch to Windows and used in secure environments along with other measures. The system attribute can play the role that the "immutable" attribute plays in Unix, and it should be automatically assigned to signed executables, and in the Professional edition and higher it should be changeable only in safe mode.
A situation where any malware can install drivers, as is the case in Windows XP, is just very bad architecture. And when IE does not automatically use a "sandbox" for running unsigned ActiveX, it is also very bad architecture.
Visibility of attributes of files and folders in Windows without special tools is ridiculously low. That creates massive opportunities for abuse.
Yet another problem is the Windows update process, which each and every software producer implements independently, and that creates a large network of covert channels into your system. Each updater can be malicious and represent a hidden channel via which malware is delivered to the computer. Historically this was already the case with Microsoft Update.
Why can't Microsoft enforce a single update mechanism for all software packages? Why should Adobe, a company that I disrespect and don't trust, have its updater on my system? Why should Symantec have another one? Google, with its history of collecting excessive information about user browsing behavior, another one (and a pretty difficult one to remove ;-). Mozilla yet another one. And so on.
And how difficult is it to compromise one of the several dozen updaters installed, some of which are really just dirty hacks?
I think that the update process is the soft underbelly of Windows and as such should be especially protected. Maybe it should be performed in a special mode, distinct from the normal one. The fact that Windows Update is running as a regular process behind the user's back is an architectural weakness that was already exploited and will be exploited in the future.
One way to "castrate" this whole swarm of Windows updaters is to block the target IPs with which they communicate. The best way to do this is to use a private IP space with a proxy. Non-proxied protocols in this case will simply die out, and proxied ones can be tightly controlled. You can also block specific processes from using TCP/IP, which is a simpler
A similar situation exists with private schedulers. Almost each large software vendor has one and installs it (for the obvious reason of controlling its update process). Backup program vendors like Acronis have one. Antivirus vendors have another one. And so on.
Another negative factor is the strong, dominant tradition of using the administrator account for browsing the Internet and reading email on consumer PCs. Again, Microsoft took some steps to mitigate this "tradition" in Windows 7 (by introducing User Account Control (UAC)), but they are not very successful. This horrible "tradition" is way too strong to overcome, and it makes Windows even more vulnerable than it should be. Web browsers and their plugins run with the user's credentials, and if you are not an administrator, malware has much less "open space" to exploit. But typically only in corporate environments can you see users who do not have administrator access to the desktop. This policy is enforced centrally and makes Web browsing much more secure.
Each AV company on the market tries to cover the whole field. And fails miserably. There is no specialization among AV companies. Each of them claims that it is the latest and greatest in everything. This is not true. The reality is that many Trojans in the wild are not detected by those companies within six months of the first infection, or within a year, or never if the infection scope is local and the company mainly operates in a different territory. They now rely more and more on automatic creation of signatures, and malware authors know that and take countermeasures.
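The three complaints above (rudimentary provenance for files in system32, a system attribute that anybody can clear, and attributes that are nearly invisible without tools) can at least be measured. The PowerShell script below is an added example, not the page author's code: it inventories executables and drivers in the system directories, records each file's Authenticode status, System attribute and timestamps, and lists the files that are unsigned or signed but not marked System. It assumes the default %SystemRoot% layout and Windows 8.1 / PowerShell 4 or later, where catalog-signed Microsoft files are reported as Valid (older versions report them as NotSigned, which produces many false alarms).

```powershell
# Added example (not from the page's author): inventory system32 and its drivers
# directory, recording signature status, the System attribute and timestamps.
# Assumptions: default %SystemRoot%; Windows 8.1 / PowerShell 4+ for catalog signatures.

$dirs = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32")

$inventory = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.sys', '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SigStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                IsSystem  = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
            }
        }
}

# 1. Files whose signature does not verify, newest first: candidates for closer inspection.
$inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Path, SigStatus, Modified -AutoSize

# 2. Signed files that lack the System attribute (the page's proposal is that every
#    signed executable should carry it), written to a file for later comparison.
$inventory | Where-Object { $_.SigStatus -eq 'Valid' -and -not $_.IsSystem } |
    Select-Object -ExpandProperty Path |
    Out-File -FilePath "$env:TEMP\signed-without-system-attr.txt"

# 3. Summary counts by signature status and signer, which makes non-Microsoft signers visible.
$inventory | Group-Object SigStatus, Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A HashMismatch status means the file is signed but its content no longer matches the signature, which is a stronger signal than NotSigned. Keeping the inventory from a known-good state and diffing against it later (Compare-Object on the Path and SigStatus columns) turns this from a one-off look into the kind of integrity check the text says Windows lacks out of the box.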
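The two preceding paragraphs describe the same containment measure from two sides: stop a vendor updater from talking out, and find out which vendor schedulers are installed at all. The PowerShell below is an added example, not the page author's code. It assumes Windows 8 / Server 2012 or later (the NetSecurity and ScheduledTasks modules) and uses a placeholder updater path that must be replaced with the real binary on the machine; the firewall rule implements the "block specific processes from using TCP/IP" option, while the task listing exposes third-party schedulers.

```powershell
# Added example (not from the page's author): block a third-party updater's outbound
# traffic per-process with Windows Firewall, and list scheduled tasks that Microsoft
# did not author. Assumptions: Windows 8 / Server 2012 or later; placeholder updater path.

# Placeholder path; replace with the actual updater binary on the machine.
$updaterExe = 'C:\Program Files (x86)\ExampleVendor\Updater\ExampleUpdater.exe'
$ruleName   = 'Block outbound: ExampleVendor updater'

if (Test-Path -LiteralPath $updaterExe) {
    # Idempotent: create the rule only if it does not exist yet.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Program $updaterExe -Action Block -Profile Any -Enabled True | Out-Null
    }
} else {
    Write-Warning "Updater not found at $updaterExe; adjust the placeholder path."
}

# Scheduled tasks outside the \Microsoft\ tree or with a non-Microsoft author:
# this is where vendor schedulers and updaters usually register themselves.
$vendorTasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -or $_.Author -notlike 'Microsoft*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            Author  = $_.Author
            State   = $_.State
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
$vendorTasks | Sort-Object Task | Format-Table -AutoSize
```

A per-program block rule only covers traffic the named executable sends itself; an updater that delegates to a service or to a helper process needs its own rule, which is why the page's proxy-only egress design is the more robust option and the task listing is needed to find those helpers. Review the Command column before disabling anything, since the same task list also contains legitimate maintenance jobs.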
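Before changing habits it helps to know what the current session actually is. The script below is an added example, not the page author's code: it reports whether the running PowerShell session holds administrator rights, whether UAC is switched on (the EnableLUA value under the Policies\System key, with 1 meaning enabled), and who is in the local Administrators group. Under UAC the role check returns True only for an elevated session, which is exactly the distinction the paragraph is about.

```powershell
# Added example (not from the page's author): report admin rights of the current
# session, the UAC setting, and the local Administrators group membership.
# Assumption: EnableLUA = 1 is the normal "UAC on" setting.

function Test-IsAdminSession {
    # True only if the current token is a member of Administrators; with UAC on,
    # that is the case in an elevated session only.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacEnabled {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableLUA -eq 1)
}

[pscustomobject]@{
    User           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    AdminInSession = Test-IsAdminSession
    UACEnabled     = Test-UacEnabled
} | Format-List

# Who can elevate at all: members of the local Administrators group
# (net localgroup works on every Windows version, unlike Get-LocalGroupMember).
net localgroup Administrators
```

If the daily-use account shows up in that group, the page's advice translates to a concrete change: create a separate administrator account, remove the daily account from Administrators, and do browsing and email from the now-standard account, so that anything the browser or its plugins execute runs without the rights needed to install drivers or write to system directories.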
So when choosing an AV product it is important to understand that in a sense you are choosing from junk. It might work against more or less trivial threats. But if the Trojan that infected your PC is complex, you might not be lucky. McAfee, Symantec and Microsoft Security Essentials all list obvious Trojans as healthy files, even if customers sent them samples several months before. Here is one telling example. There are cases of infection that manifest themselves (among other possible scenarios) with four files on the Desktop:
-r-x------+ 1 nnb None 28365 Dec 9 2010 geraam.exe
-r-x------+ 1 nnb None 53121 Dec 9 2010 kiaqas.exe
-r-x------+ 1 nnb None 57217 Dec 9 2010 mssvig.exe
-r-x------+ 1 nnb None 53121 Dec 9 2010 stdlas.exe
Those files (and respectively the PC infection) have been known since September 2012 or even earlier. But if you scan those files with a bunch of commercial antivirus products, none will be able to disinfect them. A couple will warn you about the generic threat that those files represent. But that is about it. Here are the scan results for the file, done 2012-12-02:
Antivirus             Result                                     Update
Agnitum               Suspicious!SA                              20121201
AhnLab-V3             Spyware/Win32.Zbot                         20121202
AntiVir               TR/Crypt.XPACK.Gen                         20121202
Antiy-AVL             -                                          20121202
Avast                 Win32:Virtu-C                              20121202
AVG                   Win32/Heri                                 20121202
BitDefender           Gen:Variant.Symmi.6097                     20121202
ByteHero              -                                          20121130
CAT-QuickHeal         -                                          20121201
ClamAV                -                                          20121202
Commtouch             -                                          20121201
Comodo                UnclassifiedMalware                        20121202
DrWeb                 Trojan.Siggen4.22099                       20121202
Emsisoft              Virus.Win32.Suspic.AMN (A)                 20121202
eSafe                 -                                          20121202
ESET-NOD32            a variant of Win32/Kryptik.ANIX            20121202
F-Prot                -                                          20121201
F-Secure              Gen:Variant.Symmi.6097                     20121202
Fortinet              W32/Suspic                                 20121202
GData                 Gen:Variant.Symmi.6097                     20121202
Ikarus                Virus.Win32.Heri                           20121202
Jiangmin              -                                          20121202
K7AntiVirus           Riskware                                   20121130
Kaspersky             Virus.Win32.Suspic.gen                     20121202
Kingsoft              Win32.AutoInfector.a.(kcloud)              20121119
Malwarebytes          Trojan.SpyEyes                             20121202
McAfee                Generic.dx!bfzg                            20121202
McAfee-GW-Edition     Heuristic.LooksLike.Win32.SuspiciousPE.J   20121202
Microsoft             -                                          20121202
MicroWorld-eScan      Gen:Variant.Symmi.6097                     20121202
NANO-Antivirus        Trojan.Win32.Siggen4.yjqnv                 20121202
Norman                W32/Troj_Generic.EJKWZ                     20121202
nProtect              -                                          20121202
Panda                 Trj/OCJ.A                                  20121202
PCTools               -                                          20121202
Rising                -                                          20121130
Sophos                -                                          20121202
SUPERAntiSpyware      -                                          20121202
Symantec              Suspicious.MH690.A                         20121202
TheHacker             -                                          20121202
TotalDefense          -                                          20121202
TrendMicro            TROJ_SPNR.06JB12                           20121202
TrendMicro-HouseCall  TROJ_SPNR.06JB12                           20121202
VBA32                 Malware-Cryptor.General.3                  20121130
VIPRE                 Trojan.Win32.Generic!BT                    20121202
ViRobot               -                                          20121202
In reality this is a password-stealing Trojan that belongs to the Win32/Zbot family.
In other words, the insecurity of Windows feeds multiple security companies which often produce useless or harmful products or are trying to sell marginally useful services. And in the case of fake anti-virus vendors, harmful services. Here is one telling example (Reuters):
A lawsuit filed against Symantec Corp claims that the software maker seeks to persuade consumers to buy its products by scaring them with misleading information about the health of their computers.
James Gross, a resident of the state of Washington, filed the suit in District Court in San Jose, California on Tuesday, according to his attorneys.
A copy of the complaint provided to Reuters by Gross's attorneys alleges that Symantec distributes trial versions of its products that scan a consumer's system, then invariably report that harmful errors, privacy risks and other problems exist on the PC, regardless of the real condition of the machine.
A Symantec representative could not immediately comment on the lawsuit, which seeks class-action status.
The company uses that scanning software to market Norton Utilities, PC Tools Registry Mechanic and PC Tools Performance Toolkit software, according to the complaint.
Norton Utilities and PC Tools are products that Symantec says help improve the performance of PCs and keep online activities private.
"The software is falsely informing the consumer that errors are high priority and in addition it is falsely informing the consumer that their overall system health and privacy health is low," said Chandler Givens, an attorney with Edelson McGuire LLP, the firm that filed the suit on behalf of Gross.
He said that his firm tested other Symantec products, but was only able to find problems with the three mentioned in the complaint.
Symantec, the top maker of consumer anti-virus software, is the maker of Norton 360, Norton Internet Security and Norton AntiVirus software.
Sales of all Symantec's consumer products -- including PC Tools and Norton Utilities -- rose 4 percent to $2 billion in its most-recent fiscal year.
The suit describes Norton Utilities and PC Tools as forms of "scareware," a common type of malicious software that causes pop-up messages to appear on computers telling users that they are infected with a virus.
"The truth, however, is that the scareware does not actually perform any meaningful evaluation of the user's computer system, or of the supposed 'errors' detected by the software," the complaint claims. "The scareware does not, and cannot, actually perform the valuable tasks represented by Symantec through its websites, advertising, and in-software display screens."
You should never fully trust security companies' claims about the percentages of malware they detect. In reality, even with all of them installed, you can have a password- and financial-information-sniffing Trojan for many months. They are just a "necessary evil" in the current situation of malware proliferation, which is a byproduct of Windows' popularity on one hand (and the ability to extract financial gains from certain types of malware, as well as from selling Windows exploits on the black market) and the architectural weaknesses of Windows on the other.
While doing some useful and necessary work (for good money), they are always sitting between two chairs. Their revenue stream depends on your insecurity, not security. So on one hand they perform the important and difficult role of protecting us from cyber criminals. On the other hand, they are part of the ecosystem that stimulates the rise of cyber crime and sometimes serve as cyber criminals' enablers. Here is one telling episode written by Jeremy Kirk (What's the price of a new Windows 8 zero-day vulnerability?) for Computerworld on November 2, 2012:
It's not exactly the type of advertisement most people would understand.
For sale: "Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed)." It's part of a recent message on Twitter from Vupen, a French company that specializes in finding vulnerabilities in widely used software from companies such as Microsoft, Adobe, Apple and Oracle.
Vupen occupies a grayish area of computer security research, selling vulnerabilities to vetted parties in governments and companies but not sharing the details with affected software vendors. The company advocates that its information helps organizations defend themselves from hackers, and in some cases, play offense as well.
Vupen has found a problem somewhere in Microsoft's new Windows 8 operating system and its Internet Explorer 10 browser. The flaw has not been publicly disclosed or fixed by the company yet.
Vupen's finding is one of the first issues for Windows 8, released last week, and Internet Explorer 10, although vulnerabilities have since been found in other third-party software that runs on Windows 8.
Dave Forstrom, Microsoft's Trustworthy Computing director, said the company encourages researchers to participate in its Coordinated Vulnerability Disclosure program, which asks that people give it time to fix the software problem before publicly disclosing it.
"We saw the tweet, but further details have not been shared with us," Forstrom said in a statement.
Vupen's Twitter message, written on Wednesday, implies the vulnerability would allow a hacker to bypass security technologies contained within Windows 8, including high-entropy Address Space Layout Randomization (ASLR), anti-Return Oriented Programming and DEP (data execution prevention) measures. The company also indicates it is not dependent on a problem with Adobe System's Flash multimedia program.
One wrong click and your PC is unusable. Or, if your favorite site was compromised and became a malware distributor, just a visit to this site is enough. And the recent racket performed by worms designed for financial gain is far from the work of amateurs; it is quite sophisticated. If you analyze the July 2012 version of the "Data Recovery" scareware, or the version of another fake called "Security Shield" launched in the second half of 2012, as well as various versions of Win32:Sirefef, a family of malware that controls an infected computer's Internet activities by redirecting requested URLs to different ones, you will feel real anger toward Microsoft and other software vendors (Adobe recently became a favorite target of malware authors with its pathetic Acrobat and insecure Flash, as they provide ready backdoors for those who want to penetrate your computer; it looks like Adobe is patching Acrobat every week).
Microsoft is under pressure with shrinking market share, and they can't switch to total signing of executables as this would destroy the industry they created (AV vendors), which became powerful enough to control Microsoft's technical direction so that it does not hurt their profits. They tried to tighten the screws in Windows 7, but the security industry fought back (with Symantec suing them; this company is really the most greedy and nasty of all AV vendors) and won. As with the financial industry, you, the user, are a lucrative franchise that can be milked by both malware vendors and AV vendors. Squeezed from both sides.
Recently a quite prominent position was achieved by a new type of malware called scareware (which is as close to extortionware as one can get ;-). The main purpose of this scam is financial gain via some sort of implicit threat to the user. It became a real problem for Windows users, but also exists for Apple OS X.
The number of users who paid those extortionists is probably in the millions, so we can talk about hundreds of millions or even a billion dollars of criminal revenue. This is not profit at the level of narcobarons' revenue, but it is not small change either. XP Antivirus 2008 was a remarkably successful defrauding scheme that brought its authors around 100 million dollars.
On February 10, 2010 the United States District Court for the District of Maryland entered a default judgment and order for permanent injunction against Jain, Sundin and Innovative Marketing, Inc. that imposed a judgment of more than $163 million. Subsequently, on May 26, 2010, Jain, Sundin and Reno were indicted by a federal grand jury for the United States District Court, Northern District of Illinois for wire fraud, conspiracy to commit computer fraud and computer fraud. The indictment alleges that from December 2006 to October 2008, Jain and Sundin placed false advertisements on the websites of legitimate companies. Currently both Jain and Sundin are fugitives and the FBI is offering a $20,000 reward for information that leads to their arrest.
That means that against new high-volume, high-penetration-speed exploits written by professional programmers, AV software is always late. As Jesper M. Johansson noted in his 2008 whitepaper Anatomy of a malware scam, devoted to the XP Antivirus 2008 and 2012 scams:
This type of malware is very, very disturbing. One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.
This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs.
Using PCs for committing financial crimes, including the creation of armies of zombie computers that are remotely controlled by the "master" of a particular zombie network and used for spamming and other purposes, makes elimination of malware really difficult, as it is now created not by malevolent amateurs but by highly paid professionals who deeply analyze the internals of Windows. That limits the usefulness of security companies like McAfee, Kaspersky, etc., as their opponents now operate at the same or a higher level of technological sophistication than they do. Other approaches are needed. At the same time, to abandon Windows because of its insecurity is an overreaction. Linux is probably more secure as installed, but the relative absence of high-profile exploits is mainly connected to the fact that on the desktop it is a niche OS. Android might change that, and there is already a mess with Android security... Also, in a way, if you can access Facebook from a device you do not need malware. You already have it ;-)
Another type of malware is called Remote Access Trojans (RATs). Some malware belonging to this category can be part of any other type of malware, but most often it can be found together with data-stealing Trojans.
Facing this new generation of cyber criminals, even former IT security professionals like myself feel insecure and start viewing their own PC as a snooping device that is constantly on. You start feeling like the main hero of The Conversation (1974), the famous film by Frank Coppola. This is how I feel about PCs :-).
Social sites are another problem. Some of them, like Facebook, are essentially private-information-collecting agencies masquerading as social sites. Facebook and other services are collecting so much information on their users that (as a famous Onion spoof suggests) they actually outdid the three-letter agencies. In any case, you can say goodbye to privacy. It is the privacy of a crowded street with video cameras every ten yards. Not all people can close their Facebook accounts, as for many (not me) they represent essential services, a new reincarnation of AOL. Even if you don't have a Facebook account, Facebook can collect (based on your IP) the list of sites that you visited if the site has a "Like" button.
That means that there is a need to create a special architecture to make our PCs more secure. Architectural approaches to increasing security are the most promising because they fundamentally change the environment in which malware operates. And the law of evolution is that the more specialized an organism is and the more adapted it becomes to the current environment, the more disruptive even small changes in the environment are to it. This is perfectly true of malware, which is highly specialized software that makes several implicit assumptions about the way a PC operates.
While the fundamental weaknesses of Windows as a consumer system make infections inevitable, there are steps that increase the level of Windows "malware resistance" and cut the time and effort for returning the system to normal (listed in order of increasing complexity). Some useful methods of working with Windows that really increase security are difficult to acquire, and I failed and returned to my old good ways multiple times. Please remember that something like Flame can be installed on your computer any time you visit an unknown web site or open an email with attachments, and there is no way to prevent it even if you have all the AV in the world installed on your PC with the most recent signatures and other bells and whistles. That also should serve as motivation, as nobody wants to be a hapless victim. To fight invaders is a basic human instinct. And we should defend our territory and make the life of cyber criminals more difficult to the extent we can, without unduly harming our own productivity.
Currently computers are so cheap that using two to increase security is a no-brainer. One computer should be dedicated to "sensitive transactions and information" such as tax forms, access to your financial records and such. The other should be used for everything else. They can share a file system via a network-attached drive. Never use the same computer for browsing the Web and reading email and for working with confidential information such as preparation of your tax forms and access to bank and investment sites. Use "tandem computing" with one "disposable" computer used for browsing and Webmail.
That means running your applications on a "trusted computer" and the Web browser and email on a second computer (which can be either virtual, easy to implement on Windows 7 Pro, or "real") with a "disposable" image.
No matter whether you implement the "disposable computer" using a real computer or a virtual image, you should never store any confidential documents on it or access your financial and other important sites from it. The second, "sensitive information" computer should generally have only the minimal number of applications necessary for work installed and should be shut down when you are not using it. With towers you can put the "disposable" computer on your left side and your "trusted" computer on the right side and label them "Secure" and "For Web browsing". Then you need to learn the discipline of using each for particular tasks. The first step is to delete non-relevant bookmarks from each computer.
You can access the "disposable" computer from the trusted one using Windows Remote Desktop, but not vice versa. Those who know Linux well can also use a Linux machine (in this case you can use VNC), which provides a higher level of protection because Linux is much less popular than Windows and is rarely targeted by malware authors. As such it is safer for Web browsing. When you enable Remote Desktop, by default anyone who belongs to the local Administrators group on the machine can log on to it remotely using Remote Desktop Connection. The same arrangement can be used at your workplace, for example
At current prices, that sets you back $300 for an additional new desktop (a Dell Inspiron 660s is $299 with an Intel G465 CPU and 2 GB of memory: adequate for browsing and watching video). And a used one is just $150. Actually $150 is just a three-year subscription to an AV package such as McAfee or Symantec that provides only illusory protection, while the second PC provides you real protection from malware with less hassle. Again, you can connect to it using Windows Remote Desktop. One advantage of the setup with two identical laptops that I discovered is that you have an extra battery and can take it on a long trip on an airplane. For example, a Dell E6320 can last approximately 5 hours on one battery, which is not enough for flights from the USA to Europe, but two batteries accommodate a 9-hour flight just fine. And for laptops an additional battery is usually quite expensive and can cost as much as $130.
On a laptop a virtual machine can be used, and Windows 7 Pro is perfect for that. One trick that helps is to set IE security to high in the administrative account on your "fortress laptop". That generally makes browsing intolerable enough to switch to the other account to see the sites ;-).
You can "specialize" the Windows installation on your "insecure computer" by using methods of protection for public computers. In XP and Vista you can use Windows Disk Protection (requires freeing some space on the hard drive by shrinking the C partition) or some similar approach ("Install and forget" in Acronis). You can also emulate this mode on Windows 7. In this case changes made during the session will be discarded on reboot, which provides perfect protection against malware, protection unachievable with traditional AV tools.
But there is a better and simpler way to protect the "insecure" part of the tandem: just use a virtual machine on the second computer. The most dangerous malware typically detects the presence of a VM and just refuses to run, suspecting that it got into an AV lab environment. This is extremely desirable behavior, exactly the behavior we need. Here is a pretty telling note by a user with the nickname pbust, made on February 22, 2012 in Wilders Security Forums:
Approximately 1 out of every 6 malware samples we receive every day in 3rd level PandaLabs (called "critical malware" = most dangerous) is VM-aware and will either not run or run differently in a VM or sandbox environment. There are also readily available tools to runtime-pack or crypt malware with detection of VM, Norman sandbox, Anubis, CWSandbox, etc.
Windows 7 Professional and Ultimate allow running a second Windows instance (so-called Windows XP Mode), which can be used for this purpose even on a single laptop, allowing you to have a more secure environment within a single, portable computer. With a virtual image it is easy to dispose of all changes made to the Windows configuration: you just overwrite the image with a backup. Windows XP Mode is highly integrated with Windows 7, offering seamless operation (MICROSOFT VIRTUALISATION TEAM, 2009). That allows laptop users to benefit from the "dual computers" configuration and enjoy complete protection from spyware, as the browser and email are running in a separate, disposable Windows XP SP3 instance (virtual image). The installation for this additional Windows XP SP3 is free to download for Windows 7 Professional, Enterprise and Ultimate owners.
Another important advantage of Windows XP Mode is that it can be implemented on a single laptop, letting you enjoy "tandem computing" in a completely portable way. In the case of a real computer this mode can be enhanced using a separate third-party firewall (for example a custom Linux box).
See also Managing Remote Desktop and Windows Disk Protection for more information.
Take special measures so that compromise of your account on one site, for example LinkedIn or Gmail, does not cascade into compromise of your more important accounts. Break the opportunity to exploit your other accounts, especially financial accounts, by stealing your password from a social site and the like by individualizing passwords with, say, two letters that reflect the site. For example, you can use am.camry.le12 for your Amazon account and eb.camry.le12 for your eBay account. Or a.camry.le12.n and e.camry.le12.y. Don't worry too much about all this buzz about weak passwords. Passwords should be easily memorizable first, as the number of attempts to break them by brute force is very limited in most circumstances. There are also other, more sophisticated ways to implement this idea. Have a master list of all your passwords and keep it in handwritten paper format in a safe, or on an SD card inserted in one of your old, disconnected phones that has the ability to read SD cards (an old BlackBerry phone is perfect for this purpose).
Backups can be used strategically -- not just as backups but also as a powerful security technology. See Softpanorama Spyware removal strategy for a detailed explanation of the ideas behind this strategy and the steps necessary for adapting it for the purposes of malware defense.
The key idea here is that a good disk-image-creating program (ghosting program) is worth a dozen anti-spyware and anti-virus tools. That does not mean they are useless. Microsoft Security Essentials (renamed Windows Defender in Windows 8) is a good free AV tool that is well integrated with Windows and well tested for compatibility. So ignoring it is unwise.
But even for a company with huge resources like Microsoft, it is very difficult to cleanly uninstall sophisticated malware which was designed with one or several mechanisms for recreating itself if some part is preserved after the cleanup. Also, the malware that infected your computer is just one of hundreds of instances for Microsoft and is mostly processed automatically for the creation of signatures, so this approach has obvious limitations for sophisticated spyware which checks the environment in which it operates.
But by using image restoration you can defeat even the most sophisticated spyware. The only precaution is that you should have multiple (for example daily) backups, as the point of infection can be quite remote in time from the point of detection. It also makes sense to perform a full backup of drive C before installation of any new programs. Windows 7 64-bit has around 60GB on the system partition (without user data). The Windows XP system partition footprint is typically 50GB or less (if user data are stored on a different partition). It takes less than an hour to back up such a partition, which is a minuscule amount of time in comparison with the time usually spent restoring a Windows system after an infection (two or three days are common). You can do it daily or weekly, but in any case this way you always have several previous versions that might not be infected. The existence of a full C-partition backup also provides a baseline that gives you an opportunity to understand what changes an installation performed on your system. Add to this a registry snapshot (less than 200MB) and you are well equipped to resist even the most sophisticated malware. Unlike AV programs, which depend on the recency and quality of their databases, this approach will work as it does not need to understand what the malware is about. It just returns you to the "status quo".
Splitting the "system" hard drive into a smaller C (System) partition (say 80-120 GB) that contains just OS files and a larger Data partition with user data is very simple to accomplish in Windows 7. See
Adopt a "separate user data partition" setup: dual partition Windows configuration
Windows 7 can shrink the system partition on the fly, so freeing space in the typical "all hard drive is C partition" configuration is just one click away. This logical step allows shrinking the size of the "system" partition, which in turn makes restoration of your OS from backup much easier (as user data will be on a separate partition) and your personal data more secure and more easily recoverable. On desktops, instead of shrinking the system partition and creating a new one for data, it is easy to install a second hard drive. This approach is also possible on laptops with a replaceable media bay, for example Dell Latitude laptops: you can simply replace the DVD with a second hard drive and use a USB DVD when needed.
This setup also makes use of the Softpanorama Spyware removal strategy easier, as the amount of data you need to back up on the C partition is much less than in the case where all your hard drive is one huge C partition.
Cyber criminals generally are conditioned to "single account" PCs, and even if they get admin privileges by exploiting some Windows hole, they generally limit their information search activities to this compromised account (keylogging is a different matter, as it works for all accounts).
For example, you can create an account taxi to do your taxes by logging in to it and installing Intuit or TaxCut only for it. That makes your financial information more secure, especially if after submitting taxes you make an encrypted archive out of the data directory and delete the actual files. Preparation of taxes and other once-a-year reports can be neatly separated by using different accounts, which actually helps you organize your files as well.
Differentiate security of accounts by setting IE security for the Internet zone to high on those accounts that matter.
Please note that sharing applications between accounts is more difficult. For example, Cygwin has difficulties if you use it simultaneously from Administrator accounts and from a regular user account, as directories created while logged in as Administrator are not writable from a regular account.
But if you do not go to extremes, modest separation of your activities between different accounts does help. It is actually pretty quick to switch to a different account. It takes less than 10 seconds, so it is not time- or effort-prohibitive. But it requires discipline that is difficult to acquire for users who never used Unix and got used to a "single account" environment to such an extent that "single account usage" is almost synonymous with Windows. BTW, Windows 7 provides much better protection from malware for regular user accounts than for the administrator account (or any account with admin privileges).
Windows 8 takes more steps in the direction of converting Windows into a more secure "appliance for browsing the Web, emailing and shopping", so it might be better for entry-level users than Windows 7. Not so for advanced users, as it tried to hide all command-line-related Windows capabilities. And that really hurts.
Unfortunately the dominant culture of Windows usage is to use the all-powerful admin account for everything. Only some large enterprises limit their users to proper "less powerful" accounts, as they can afford to administer PCs with separate dedicated staff and they are more interested in unification and the security of corporate data than in the productivity of users. This recommendation is typically ignored by users, but it requires very little discipline, as most users do not install anything often.
Never store important data in folders belonging to the user home directory tree for the account you use to browse the Web. If confidential data are not in use, pack them with an archiver using a password for protection. Create executable self-unpacking archives, so that in case your archiver becomes incompatible with the old backup format you still have access to the data. Most modern archivers such as rar, 7zip and WinZip have the capability to encrypt archives using a user-supplied password. You do not need a complex password for this, but you need to save it in some paper form so that it is never lost. This is a simple and reasonably reliable way to protect your financial data.
Always use a different account for your tax preparation and bank access than for browsing and reading email. Encrypt your financial data with zip, 7zip or a similar archiver, so that the unencrypted stage is limited to periods when you are really working with them. There is no sense in giving up your financial data such as IRS returns, etc., that typically are stored on the same computer and the same account you use for browsing the Web. That's plain vanilla negligence. Why would you want to give all those data to the first jerk who manages to install malware on your computer?
Practice a "separation of duties" policy. When you browse unknown sites, run IE only under some regular user account that can't write to the registry (use the switch user option; it's really fast). Never do "leisure" browsing from an account with admin privileges. Create yet another account and use only it for financial transactions, never for browsing the Web. Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.
You can configure UAC in your computer to meet your preferences:
Unlike Chrome, IE does not use sandboxing, but generally IE 10 is a pretty secure browser. So malware authors attack you mainly via applications such as Adobe Reader (fake PDF files) or Flash (fake Flash files). In the ideal case the whole browser should run in a disposable VM, so that no matter what changes were attempted, they do not last from one session to another, as the previous image is discarded. In the past IE was the dominant browser and was attacked more often. Now Google Chrome holds approximately 40% share (while IE slipped to below 10%), with Firefox a distant second (around 25%). That means that Chrome and Firefox are attacked most often, especially the latter.
The problem with the typical "secure browser" recommendation is that it is actually easier said than done. For example, Chrome represents spyware in and of itself.
Anyway, there are several steps that can be implemented to make your Web browser less of a "gateway for malware":
Use a primitive browser like Links. In many cases it is adequate. Experimental/Enhanced Links (ELinks) is a fork of Links led by Petr Baudis. The latest stable version is 0.11.7, released on 2009-08-22. It has a more open development and incorporates patches from other Links versions (such as additional extension scripting in Lua) and from Internet users. You can also use it in Visual Studio 2013.
Use a special application that sandboxes your browser, such as Sandboxie (runs on your desktop/laptop) or AirGap (runs in the cloud).
Use an external "browser hosting" site like Browser Sandbox, Cross Browser Testing Tool or Spoon.net. Spoon.net is an excellent subscription service that allows users with a basic free subscription to run any of the latest browsers in a virtual machine. Sandboxing on your own desktop has problems: see Does sandbox security really protect your desktop (InfoWorld). The problem, then and now, is that the sandbox wall remains permeable, so Trojans and other forms of malware can slip through the virtual sandbox into your desktop.
Use a DNS provider that protects you from malicious sites that Google propagates to the top of some "exotic" searches (for a small amount of money ;-). For example, OpenDNS can be used as your DNS provider (this is actually helpful for any browser). This might help to prevent you from visiting sites that are systematically spreading malware, as well as sites that were just created to do so (sites less than 30 days old), as the period of existence of malware sites is pretty short before they get into blacklists and are abandoned. So by limiting your ability to browse sites that are less than, say, 30 or 90 days old you can improve the security of your browsing. Google sucks badly in this area (serving as a powerful advertising channel for spyware), as they are way too greedy.
For IE, set high security mode for the Internet zone. The key idea is simple: use IE with high security mode for the Internet zone and medium in the Trusted zone, where you should put all your regularly visited sites. A typical way malware authors get into your computer is that they buy Google AdWords and position their site high in some Web searches. You click, and if you have anything other than IE high security mode for Internet sites (which prevents running any third-party ActiveX or Java) you are hosed. At the same time the most important sites (Amazon, your webmail, etc.) that are crippled if the Internet zone is assigned high security mode can still be accessed if you put them in the Trusted zone. This probably can be done automatically (Microsoft sucks big way by not providing more granular security modes and relevant automation), but even manually this maintenance step is not a big burden. The rule is simple: each time you add a favorite you also need to add it to the Trusted zone. This probably should be done automatically.
You can use a different browser for trusted sites; I personally use Firefox for such sites. But this requires strict discipline and is not for every user (most users will follow this routine after spending six or more hours recovering from a malware infection (and losing some money in the process), but after a couple of months this experience becomes forgotten and users return to their old, bad ways).
You can check when the domain was created using a simple Perl script running from a Cygwin session which launches the browser only if the site passes this criterion. That can probably be automated further and represents the most simple and effective security measure: again, malware distribution sites usually do not last that long. Most last less than a year. 30 days is probably the half-life for the majority of them. So by avoiding visits to sites that were created less than 90 days before, you can somewhat diminish the level of your risk.
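The domain-age gate described in the last two paragraphs, as an added example (it is not the page's own Perl script); it assumes a `whois` command-line client on PATH (Cygwin packages one) and launches the browser through Python's `webbrowser` module, and the WHOIS records it ships with are constructed for the offline demo.

```python
"""Domain-age gate before launching the browser (added example; not the Perl
script the page mentions). Assumptions, labelled: a `whois` command-line client
is on PATH (Cygwin packages one) and the browser is opened via `webbrowser`.
"""
import re
import subprocess
import sys
import webbrowser
from datetime import date, datetime
from urllib.parse import urlparse

# WHOIS servers label the registration date differently; these are common
# labels. Anything that does not match counts as "unknown", which is blocked.
_CREATION_LINE = re.compile(
    r"^\s*(?:creation date|created(?: on)?|registered(?: on)?|"
    r"registration date)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d", "%Y/%m/%d")

# Constructed WHOIS outputs (not real records) so the block runs offline.
SAMPLE_OLD = ("Domain Name: EXAMPLE-SHOP.COM\n"
              "   Creation Date: 2005-03-15T10:22:00Z\n"
              "   Registry Expiry Date: 2025-03-15T10:22:00Z\n")
SAMPLE_NEW = "domain: FRESH-PRIZE-WIN.NET\nregistered on: 10-Jan-2013\n"
SAMPLE_UNKNOWN = "No match for domain.\n"
DEMO_TODAY = date(2013, 2, 1)  # fixed "today" for the demo


def parse_creation_date(whois_text):
    """Return the registration date found in WHOIS output, or None."""
    for match in _CREATION_LINE.finditer(whois_text):
        raw = match.group(1)
        for fmt in _DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                continue
    return None


def domain_age_days(whois_text, today):
    """Age of the domain in days, or None when WHOIS gave no usable date."""
    created = parse_creation_date(whois_text)
    return None if created is None else (today - created).days


def allow_visit(whois_text, today, min_age_days=90):
    """The page's rule: only domains at least `min_age_days` old get a browser.
    Unknown age is treated as too young (fail closed)."""
    age = domain_age_days(whois_text, today)
    return age is not None and age >= min_age_days


def registrable_domain(url):
    """Reduce a URL to the part a WHOIS lookup understands. Assumption: the last
    two labels; this is wrong for ccSLDs such as example.co.uk."""
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fetch_whois(domain):
    """Assumption: `whois` is installed; its stdout is returned as text."""
    return subprocess.run(["whois", domain], capture_output=True, text=True,
                          check=False).stdout


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://www.example-shop.com/"
    today = date.today()
    text = fetch_whois(registrable_domain(url))
    if allow_visit(text, today):
        webbrowser.open(url)
    else:
        age = domain_age_days(text, today)
        print(f"blocked {url}: domain age {'unknown' if age is None else age} days")
```

Point the browser's "open link" handler (or a desktop shortcut) at this script instead of the browser itself, so every new site passes the age check first.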
Use a private VPN provider which also provides some defense from malware.
Run your Web browser in a VM, which is possible with Windows 7 Professional and above by using the Windows XP compatibility box.
Use Linux bootable from DVD on a separate ("disposable") computer (an old Dell laptop or a Windows smartphone is OK) and connect to it using XRDP. That guarantees that the computer will be reimaged on each reboot. Also, this is not a standard configuration, which somewhat complicates hacking, as the amount of free space is very limited; you can also automatically kill all processes outside your standard set.
This method is often used in university labs and has proved to be quite efficient for malware protection. It is an especially effective defense from RATs (remote access Trojans), which convert your PC into a remotely controlled zombie. Despite all the security programs that you have installed, RATs can exist on your computer for months if not years. That means that if you store confidential information on your computer it is vital to reimage your computer when you start some important or confidential activity. In the modern world, doing something confidential on a "dirty" image is neither confidential nor prudent.
On most PCs the set of installed applications nowadays is quite static, and this fact makes creating a so-called "trusted image" much simpler. If you update your trusted image in parallel with the main computer, then you can restore it when you are infected or need to perform some highly secure activities like filing your annual tax return (it goes without saying that your tax return should be copied from the hard drive to USB drives and a backup CD-ROM; do not leave highly confidential data like your tax return on your primary computer). You can also use a separate computer for highly confidential activities. Many households have such computers collecting dust in the closet. Reimage it once a year (tax preparation) or each time you need to do something that needs additional security. Do not use it for Internet browsing.
You can use a "brute force" approach and restore the image using a Ghost-like program (for example Acronis True Image) or a Linux live CD and Partimage. If your laptop has an SSD this method is pretty fast, with a restore taking less than 20 min. In this case the "window of opportunity" for malware is the period between reimagings of the computer. Moreover, as the image is static, you are better equipped for dynamically scanning the registry, system and /Users folders for new executables that entered the system.
This method is OK mainly for advanced Windows users and IT professionals.
This is a typical method used in enterprise environment for protecting users but it is relatively easy to implement in home environment too. If you use a second physical computer that is running Linux for browser this is a natural thing to do and a very worthwhile enhancement. The key advantage is that all you Web transactions are logged and can be analyzed to see who is telegraphing information from your computer. You will be surprised how many vendors do that. If you have a box with a Web proxy (either real of virtual) you can point to it your Web browsers. In this case you ability to block sites by various criteria are extended by capabilities of the proxy. That permits blocking such snoopy sites as Facebook which polluted tremendous amount of sites with "like" button and copycats of this idea from Google. For home office and small firms Squid is free and very good Web proxy that I highly recommend. For larger firms appliances like Blue Coat are typically used. This method can protect you from many threats as well as excessive attention of Facebook and other information collecting monsters. It also moved the definition of "trusted sites" to the proxy level. For corporate environment it also can serve as anonimizer as all requests are coming from a single IP address. That method requires some Linux qualification and the desire to learn squid or other Web proxy configuration.
With current laptops with 4GB of memory, SSD drives and 3 GHz dual core CPUs, and even more powerful desktops, scanning the hard drive does not consume many resources, and if it is artificially slowed down it is not even noticeable. The simplest way is to run a periodic scan, say once an hour, and compare critical directories and critical parts of the registry with the baseline. This method detects critical changes of configuration within a certain amount of time after they occurred, although not "on the fly". As such it is a valuable method of protecting yourself from Data Stealing Trojans, a new and dangerous class of malware that is created with the criminal intent to defraud you of your assets. But this method requires a higher level of qualification than regular users have, so it is mostly suitable for advanced users and corporate environments. It also requires quite a bit of discipline in maintaining the baseline and in installing/upgrading applications and the OS on your reference computer (which can be the same computer in which you just swap the hard drive) first, before installing them on your "main", workhorse computer.
Installation of new applications and upgrades of the OS should first be done on a reference computer on which there is no user activity. An individual user can create such a reference computer by buying a second hard drive identical to the one installed in the desktop/laptop for the system image, and swapping it in each time one needs to install software. Without maintaining a reference image it is difficult to spot an infection of your primary computer. In addition, the existence of a reference image simplifies verifying that nobody ran anything in addition to what is installed on the computer. This is the way images are created in corporate environments. Usually this method requires support personnel who are at least part time responsible for the maintenance of the reference image. It is difficult to implement for an individual user. But this is the only method that allows you to protect yourself from a compromise introduced by an insider who has physical access to the computer, for example a corporate spy who tried to install some programs on your computer. Although on modern PCs you can also set a boot password, making booting your computer without credentials much more difficult. Some laptops also have the capability to use smart cards for boot authentication (Dell Latitude is one example).
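A minimal version of the periodic baseline comparison described above, as an added example that is not part of the original article: it hashes every executable under the directories you name, stores the baseline as JSON (a copy that belongs on the reference drive or a USB stick, not on the scanned box), and reports executables that were added, removed or modified since the baseline. The suffix list, directory names and sample files are constructed for the demo; registry keys are not covered.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these suffixes approximate "executables" on a Windows box.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx"}

def file_digest(path):
    """SHA-256 of a file, hashed in chunks so large binaries are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(roots):
    """Map every executable found under the given roots to its digest."""
    baseline = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                baseline[str(p)] = file_digest(p)
    return baseline

def compare(baseline, current):
    """Diff two scans: new executables, missing ones, and ones whose content changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario: take a baseline, then a system DLL is altered and a new EXE is dropped."""
    with tempfile.TemporaryDirectory() as d:
        sys32 = Path(d) / "System32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"original dll bytes")
        (sys32 / "readme.txt").write_bytes(b"not executable, ignored by the scan")
        # Store the baseline as JSON; in real use keep this copy off the scanned machine.
        store = Path(d) / "baseline.json"
        store.write_text(json.dumps(build_baseline([d])))
        (sys32 / "kernel32.dll").write_bytes(b"modified dll bytes")  # tampered system file
        (sys32 / "updater.exe").write_bytes(b"dropped binary")        # executable that entered the system
        report = compare(json.loads(store.read_text()), build_baseline([d]))
        return {k: [Path(p).name for p in v] for k, v in report.items()}
```

Run the scan hourly from a scheduler against the real system folders and diff against the baseline taken on the reference computer; any entry in the report is something that entered or changed since the image was built.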
This setup logs all rejected connections and as such provides "on the fly" information about components of the PC which are trying to communicate with the outside world without your permission and outside your control. Typically this setup requires a high level of qualification and is support intensive, so it is limited to large corporate environments, although I have seen it in some computer enthusiasts' home networks.
Running your own DNS root server stops many attacks cold, as after infection the malware will not be able to figure out how to communicate back to the "mothership". Still it can do damage like deleting or modifying information on the computer. Several major corporations use this approach for protecting internal networks (not just the DMZ but the whole internal network). This is a major undertaking and requires good knowledge of DNS and analysis of typical activity on the computer.
There are two general recommendations:
The steps described above can be foiled by a determined attacker, but they do increase the level of Windows "malware resistance" and decrease the time it takes to return a Windows setup to normal after an infection, without investment in expensive tools or hardware. The methods presented should not be used indiscriminately; you can select those that best suit your needs. You will be better off if you create your own "protection set", depending on the specifics of your situation. For example, for people who know Linux well, more emphasis can be put on using Linux for Web browsing and media consumption. It is also easier to implement networking components of malware defense, such as a caching DNS and a Web proxy (Squid), on Linux.
I hope that this flexible approach will be useful for those who want to follow a "semi-independent" path of securing their own Windows installation and not be completely dependent on security companies.
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: December, 09, 2017