Don't count on antivirus software alone to keep your data safe

TJX hacking mastermind Albert Gonzalez scoffed at antivirus tools. He and his cohorts wrote malware specifically designed to evade their detection. One can imagine him laughing as his team of hackers broke into corporate networks using SQL injection attacks and gained administrative access. Then he probably guffawed, Bond …

  1. fnusnu

    100% security - It's not a 'dirty little secret'

    It's a f**king huge flashing neon sign which hangs over the risk management office and illuminates the boardroom

    1. JamesTQuirk

      Re: 100% security - It's not a 'dirty little secret'

      I have 2 Networks Home & Internet Capable (Sandboxed/live DVD), only after checking & transferring VIA USB do files move from 1 to another, NO WIFi, sneakerNet can be a pain, but the last files/system I lost to a virus were on an Amiga ...

      However leaving your files on a Azurb Clod Drive sounds like "Hackers heaven" plenty of time to rip the guts out of your Data ...

      1. Anonymous Coward

        Re: 100% security - It's not a 'dirty little secret'

        For me, that would be just far too inconvenient. I need all my devices to connect to the internet, that's their main purpose (other than photo/document editing, but the results of that work do in turn need an internet connection).

        So, instead of your nuclear air-gap/read-only OS solution, I use a decent network firewall (pfsense - although most consumer routers are probably good enough), sufficiently configured, together with local AV, together with 'user' self-training (not clicking on suspect executables, not installing unknown programs from untrustworthy sources), and good (incl. offline) backups.

        1. JamesTQuirk

          Re: 100% security - It's not a 'dirty little secret'

          Well I bought a Series 1 PI, recently, was thinking of making that into a wireless Linux IpTables Firewall between systems, as it can't do a lot, but should be plenty for that, but before I could, I was getting an HP Lappy w/ win7 ready for Sale/disposal, It was online updating (768), when I noticed it going more "NUTS", it was infected by Cryptolocker from a Flash Animation on a Web Page, NOT by me doing anything but following a link in Google News. I killed it, Disassembled it, & sent it back via their "Comms channel", with several hundred extra zeros, BUT it was a TOR'd address .....

          So thinking I will keep SneakerNet as is ...

          1. Anonymous Coward

            Re: 100% security - It's not a 'dirty little secret'

            Solution. Don't install Flash.

            1. JamesTQuirk

              Re: 100% security - It's not a 'dirty little secret'

              Yep, Synaptic Package Manager can/will remove FLASH only from the restricted extras Pack in Ubuntu & Friends, but that should work for any Debian install, with Synaptic ...

              In Firefox install the "User Agent Switcher" addon, and make Firefox think it's on a Mac, so YouTube etc still work ...

              Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched ..

              http://forums.theregister.co.uk/forum/1/2015/02/05/adobesighpatches_anothersighflash_zeroday_vulnerability/

  2. RainForestGuppy

    Who's the Audience here?

    Whilst the content may be acceptable, I'm just wondering why this article appears in a "news site"? It's not exactly earth shattering revelations, it's verbatim Information Security 101.

    What next? "turning your PC off at night saves energy"

    Also whilst I agree that nothing is 100% secure and it should be difficult for an attacker, you've missed an important point: it must remain useful to the business.

    I can take a laptop, shut it down, put it in a safe and destroy the key. The laptop is now, as near as possible, 100% secure from cyber threats. Unfortunately in the process it's now lost all value to the business.

    1. Anonymous Coward

      Re: Who's the Audience here?

      Just because it's stating the 'obvious' doesn't make it less relevant. Most compromises can be avoided by following this guidance. However, many companies do not follow even these basic principles.

      1. Robert Helpmann??

        Re: Who's the Audience here?

        Yes, but it isn't exactly news and, as mentioned above, it is hardly an in-depth analysis. There are entire suites of applications, certification sets, and careers based on information security in one form or another. This, while nice as far as it went, amounts to what an IT professional might send out as an annual reminder to those who write the checks as to why we do what we do. I honestly do not understand why it has been posted to an IT news site.

        1. Ole Juul

          Re: Who's the Audience here?

          The audience is MS-Windows desktop users. That's totally fine, but this may not be the best site for that.

          1. Anonymous Blowhard

            Re: Who's the Audience here?

            "The audience is MS-Windows desktop users."

            Because no other operating system can possibly be compromised?

            http://www.zdnet.com/article/lame-mac-malware-finds-success-in-spearphishing/

            Awareness of risk is vital to an effective security policy.

        2. Anonymous Coward

          Re: Who's the Audience here?

          No-one ever claimed El Reg is a news site :)

    2. veti Silver badge

      Re: Who's the Audience here?

      Antivirus software "alone" can't do anything. In 20 years of having a home internet connection, I think AV has detected maybe 2 threats on my system. It's debatable whether it will ever pay for itself in terms of the storage, memory and CPU resources it demands; and since no financially or personally sensitive information is stored anywhere on the machine, it's unlikely to protect me from much personal loss. Really it's mostly there as a courtesy to others, who might otherwise be inconvenienced by my machine's spamming or DDoSing them.

      When I took my old XP machine offline permanently, I tried to uninstall and disable the AV. Not an easy thing to do, it turns out. For several days I found myself treating the AV itself as malware.

      What I do care much more about, though, is the firewall. Now that's something I wouldn't be without.

  3. Anonymous Coward

    Yet not a word ..

    .. about HIDS/NIDS and APT detection.

    You need to keep an eye on your network traffic and server integrity. We have a number of internal hosts that run fake services (basically following the principle of a honeypot or its predecessor, Fred Cohen's Deception Toolkit) that should never be touched by anything but a security scan - those are primary alarm signals to check what is going on. Also check for protocols you normally have no use for.

    Next up is the whole issue of Advanced Persistent Threats, which is really the "here and now" of the bigger hacks. These things were going on for months before they delivered results, yet were never spotted. I have not yet seen a decent, integrated solution for APT but I'd welcome one.
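    The decoy-host idea in the comment above (internal hosts running fake services that nothing but the security scanner should ever touch, plus watching for protocols the network has no use for) is easy to turn into a first-pass alarm over flow records. The script below is an added example, not code from the thread or from the Deception Toolkit; the decoy host list, the scanner address, the allowed-port table and the flow log lines are all constructed.

```python
"""Flag connections to decoy ("fake service") hosts and unexpected protocols.

Added example, not from the original thread. The decoy host list, the
scanner address, the allowed-protocol table and the log lines are all
constructed.
"""
from collections import namedtuple
import ipaddress

Conn = namedtuple("Conn", "ts src dst dport proto")

# Constructed: internal hosts that run fake services. Nothing legitimate
# should ever connect to them except the vulnerability scanner.
DECOY_HOSTS = {"10.0.5.20", "10.0.5.21"}
SCANNER_HOSTS = {"10.0.1.9"}

# Constructed: protocol/port pairs the environment actually uses.
ALLOWED_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}

# Constructed sample of flow records, one per line: ts src dst dport proto
SAMPLE_LOG = """\
2015-02-10T09:00:01 10.0.3.15 10.0.2.10 443 tcp
2015-02-10T09:00:05 10.0.1.9 10.0.5.20 22 tcp
2015-02-10T09:01:12 10.0.3.15 10.0.5.20 445 tcp
2015-02-10T09:02:40 10.0.3.15 10.0.2.10 53 udp
2015-02-10T09:03:03 10.0.3.16 10.0.2.11 23 tcp
2015-02-10T09:03:03 10.0.3.15 10.0.2.10 6667 tcp
"""


def parse_log(text):
    """Parse the whitespace-separated flow format above into Conn tuples."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        for addr in (src, dst):
            ipaddress.ip_address(addr)  # reject garbage records early
        conns.append(Conn(ts, src, dst, int(dport), proto.lower()))
    return conns


def find_alerts(conns, decoys=DECOY_HOSTS, scanners=SCANNER_HOSTS, allowed=ALLOWED_PORTS):
    """Return (reason, Conn) pairs; one flow can trigger both checks."""
    alerts = []
    for c in conns:
        # Any non-scanner source touching a decoy is a primary alarm signal.
        if c.dst in decoys and c.src not in scanners:
            alerts.append(("decoy-touch", c))
        # Protocols/ports the network never uses are the secondary signal.
        if (c.proto, c.dport) not in allowed:
            alerts.append(("unexpected-protocol", c))
    return alerts


def summarise(alerts):
    """Group alerts by source host so a noisy host appears once with counts."""
    by_src = {}
    for reason, c in alerts:
        counts = by_src.setdefault(c.src, {})
        counts[reason] = counts.get(reason, 0) + 1
    return by_src


if __name__ == "__main__":
    for reason, c in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{c.ts} {reason:20} {c.src} -> {c.dst}:{c.dport}/{c.proto}")
```

    On the constructed sample the scanner's own probe of the decoy is silent, while 10.0.3.15 shows up once for touching a decoy on 445/tcp and twice for protocols the allow-list does not know about, which is exactly the host a responder would look at first.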

    1. JamesTQuirk

      Re: Yet not a word ..

      I read a translation of a Chinese Blog Post, regarding using a SUBSETMASK hack to effectively "cul-de-sac" systems and entire networks, maybe even countries, into a Group/net you control, Not sure about some of it, as translation wasn't great. I think/wonder if it's an old system tool, which some have forgotten about, maybe @ their peril ....

      1. Michael Wojcik Silver badge

        Re: Yet not a word ..

        using a SUBSETMASK hack

        That's quite an acronym you have there. What does it stand for?

        Or perhaps you meant "subnet mask"? Though why changing the subnet mask on an interface would be a "hack" I do not know.

        1. JamesTQuirk

          Re: Yet not a word ..

          Sorry about Caps, Spacing, Typos ...

          I was shown this translation "printout" @ a friday arvo "IT types" Pub thing, and asked to form an opinion, I looked @ it & it was a code injection to enable using subset mask & "Something else" which is the bit I didn't understand, to Gain an Escalation of privileges in/on system/network & allow redirection of traffic through this "NEW" network with Full Admin/supervisor control ...

          It warbled on @ end, I think they may have been gimberling into a mirror, while saying it ...

          1. JamesTQuirk

            Re: Yet not a word ..

            or maybe they weren't ...

            Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs

            http://www.theregister.co.uk/2015/02/10/patch_tuesday_release_fixes_unprecedented_zeroday_design_flaw_in_windows/

  4. Anonymous Coward

    Email whitelists

    Some of the dodgy emails that get past the Demon and Norton filters for my domain are apparently from known persons or businesses. It often takes a visual inspection of the raw headers to decide that the origin is suspect.

    Don't think I've seen many almost convincing payloads that were also from the genuine source.
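    The "visual inspection of the raw headers" the comment above relies on can be partly automated: compare the domains in From, Return-Path and Reply-To, and check that the hop nearest the sender in the Received chain is where mail from that correspondent normally originates. The script below is an added example, not code from the thread or from any filter product; the expected-origin table and both sample messages are constructed, and the hostnames use reserved documentation names.

```python
"""Inspect raw e-mail headers for signs that a "known sender" is spoofed.

Added example, not from the original thread. The expected-origin table
and the two sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: for each sender domain we correspond with, the hostname we
# expect on the Received hop nearest the sender (the last Received header).
EXPECTED_ORIGIN = {
    "example-supplier.com": "mail.example-supplier.com",
}


def domain_of(addr_header):
    """Domain part of an address header, lower-cased; '' if header absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Hostnames from the 'from' clause of each Received header, outermost first."""
    hosts = []
    for rcvd in msg.get_all("Received", []):
        parts = rcvd.split()
        if len(parts) > 1 and parts[0].lower() == "from":
            hosts.append(parts[1].strip("()[]").lower())
    return hosts


def header_findings(raw):
    """Return a list of human-readable reasons the message looks suspect."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    # Envelope sender and reply target should normally match the visible From.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # The last Received header was added closest to the sender; the earlier
    # ones were added by our own relays and are the only ones we can trust.
    hops = received_hosts(msg)
    expected = EXPECTED_ORIGIN.get(from_dom)
    if expected and hops and not hops[-1].endswith(expected):
        findings.append(f"first hop {hops[-1]} is not the expected {expected}")
    return findings


# Constructed sample 1: claims to be a known supplier but was injected elsewhere.
SUSPECT = """\
Return-Path: <bounce@mailer-x.invalid>
Received: from mx.ourdomain.invalid (mx.ourdomain.invalid [192.0.2.10]) by ...
Received: from vps-3.mailer-x.invalid (198.51.100.7) by mx.ourdomain.invalid ...
From: "Accounts" <invoices@example-supplier.com>
Reply-To: <accounts-desk@mailer-x.invalid>
Subject: Invoice 4471 overdue

Please see attached.
"""

# Constructed sample 2: the genuine article, consistent all the way down.
GENUINE = """\
Return-Path: <invoices@example-supplier.com>
Received: from mx.ourdomain.invalid (mx.ourdomain.invalid [192.0.2.10]) by ...
Received: from mail.example-supplier.com (203.0.113.5) by mx.ourdomain.invalid ...
From: "Accounts" <invoices@example-supplier.com>
Subject: Invoice 4471

Please see attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, header_findings(raw) or ["no findings"])
```

    The genuine message produces no findings; the constructed lookalike is flagged three times (envelope sender, reply target and origin hop all point at a third-party mailer). Only the Received lines added by your own relays are trustworthy, which is why the check looks at the hop nearest the sender rather than at anything further down the chain.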

  5. mark jacobs

    When I read comments like, "they run the risk of being infected by rogue JavaScript running in the browser." I cringe. There is no way on planet Earth of infecting a machine by it running some JavaScript and HTML in a browser. The only thing JavaScript can write to is cookies. This, again, is idiotic scare-mongering to attract readership. Granted, if somebody clicks on a link and runs whatever it leads to by acknowledging consent, then more fool them. But, on its own, with no clicking or acknowledgement, a website cannot infect a PC that prompts for any ActiveX to run. JavaScript can't - someone give me an example, if you think otherwise.

    1. Pascal Monett Silver badge

      An example ?

      I Googled "drive-by infection" and the first two results were this and this.

      In the second article, it is clearly stated that "Just surfing to an affected website is enough to infect a computer".

      I do believe that that sentence is in direct contradiction to your belief that "on its own, with no clicking or acknowledgement, a website cannot infect a PC".

      And would you care to clarify how, on the one hand, you talk about Javascript in most of your post, yet you say "a website cannot infect a PC that prompts for any activeX to run" ? Where does ActiveX come into the discussion, and how exactly do you believe that ActiveX is, in any way, secure after all the holes that have been found in it ?

      1. JamesTQuirk

        Re: An example ? @ Pascal Monett

        I think mark jacobs may have been/is, a Java or Flash, "Programmer", they have a heart attack if they have to learn something new ...

        1. mark jacobs

          Re: An example ? @ Pascal Monett

          If you cannot cite the offending Javascript/HTML code, then don't give me tripe!

          1. JamesTQuirk

            Re: An example ? @ mark jacobs

            Heres one,

            http://www.h-online.com/security/features/CSI-Internet-Alarm-at-the-pizza-service-1019940.html

            I could have put 20 here, but surely such a knowledgeable person should be able to google ...

      2. mark jacobs

        Re: An example ?

        "With drive-by infections, it is enough to simply visit a website to infect a computer with malware. Visitors don't need to start a download or install anything - the website does this automatically!"

        My browser will not automatically download anything, without asking me where it should save it first. What kind of browser are you using that would do this? An idiotic one by the sound of it.

        "Yet If a browser has a relevant safety gap, such scripts can access a user's computer directly. This therefore enables malware to move from the server to the browser, and via the security gap to the user's computer, without any conscious action by the website visitor at all."

        Again, it's a problem with the browser, and you should change your browser.

        The reason I mentioned ActiveX is because that is the biggest hole in your browser, then comes Java (I do not allow this to run), then Flash (run with permission). That leaves JavaScript with Ajax or other call-to-the-server methodologies, which can only write to the web page, open new web pages, or write to cookies. None of those compromise a PC.

        JavaScript and HTML are not capable of infecting your PC. Buggy browsers, ActiveX, Java and Flash, however, can. The article is talking about Javascript. Now, go back to sleep!

        1. JamesTQuirk

          Re: An example ? @ mark jacobs

          ActiveX is a Windows issue, not real PCs ...

  6. Marty McFly Silver badge

    Really, Reg??

    The calendar is 2015. Antivirus-only security has been dead for about a decade now. This is not news.

    However, there are certainly ignoramuses in the IT space who believe in 'check box' level security. So there is some value to this article.

  7. Doctor_Wibble

    Not just dodgy websites

    It's not really the websites, it's the large heaps of third/fourth/etc party gubbins that appears on every flipping site (reg not as insane as many) that you just have to trust that someone somewhere has at least glanced at to ensure that their random ad-plonking and/or social-network button array hasn't had something extra included without them noticing.

    That's a lot of people and systems effectively trusted by proxy which is never a good thing - having to disable scripts gets tedious and is a bit of a kludge for a problem that should not exist.

    And on rare occasions the thing that killed your browser is actual malware.

  8. Zog_but_not_the_first

    Against stupidity...

    I've just been reading the online version of the Graunuad. Halfway down their new "tabletised" landing page is an image of a tick with the caption "Go on. Click. You know you want to".

  9. Anon5000

    Zero day exploits do not bypass antivirus protection, nor do they have anything to do with AV software as the article suggests. A 0day might be used as the initial step to get the malware on the machine but they are entirely different things.

    Crypting your malware to avoid signature based detection, splitting and scattering the malware across many memory locations, unusual hooks to existing processes and also tricks to make individual AVs think they have crashed or timed out are just a few of the things that are done to bypass AVs.

    'Legitimate work sites' should not be considered malware free. Ad server farms/sites that serve many top web sites are often compromised to serve malware and some even slip through the front door in that way. Both Google and Microsoft have had their ad servers serving up malware.

    Take a layered approach to security and make sure to include network traffic analysis.

  10. Pascal Monett Silver badge

    "These are solid, reliable tools"

    Yeah, especially when they utterly fail to stop a new version of a virus, or when they mistake a Windows system file for a virus, quarantine it and crash the system, or when they grab 99% of CPU for minutes on end and keep you from doing your job without rhyme or reason.

    The only thing that is reliable with AV software is the fact that your PC now belongs to it, not to you.

    Unfortunately, as imperfect and annoying as they are, we do indeed need them. Therefore the only thing we can do is find the anti-virus that will be as efficient as possible while bothering us the least.

    A real treasure hunt, and the treasure is our security.

  11. Michael Wojcik Silver badge

    TJX hacking mastermind Albert Gonzalez scoffed at antivirus tools. He and his cohorts wrote malware specifically designed to evade their detection.

    Ooh, scary. Would malware inadvertently designed to evade detection be scarier? I can't decide.

    One can imagine him laughing as his team of hackers broke into corporate networks using SQL injection attacks and gained administrative access.

    One can, though one hardly wishes to. And what this has to do with antivirus tools I cannot guess.

    Then he probably guffawed, Bond villain-style,

    I think this is somewhat less than probable. Yes, the blackhats tend to have poor social skills, but guffawing at your own exploits is taking megalomania a bit far. (And do Bond villains guffaw? I can't recall any doing so. Perhaps a bit of chortling.)

    as he uploaded the malware directly into server memory,

    Easier than uploading it directly to disk...

    and when the corporate networks began happily delivering customer credit card data directly to his servers chuckled all the way to the bank.

    Chuckling now? The man runs the gamut of mirthful expression. That bastard!

    And, again, the relevance of all this to antivirus software is a bit distant. I know, there's some vague point about Mr Scary Person employing attacks for which AV is not a defense. Surely this could have been expressed with less speculation about his maniacal outbursts?

  12. lucki bstard

    Other topics relevant to business security

    - Management buy-in

    Without that all you have is a collection of good intentions
