|
apseudonym posted:Operating systems have improved extremely since what you learned starting out in tech and they've long surpassed in quality the AV software that claims to protect them. Microsoft is doing gently caress-all to effectively protect the user session. Keep crap out of system or stop rootkits? Sure, but you don't need system to run a botnet client if the same user is on all the time and you're blocking system sleep. The integrity level scheme with UAC is a nice start but its not consistently used and plugins often give an easy escape path.
|
#
?
May 2, 2016 16:17
|
|
|
|
| # ? Apr 27, 2024 23:21 |
|
|
Paul MaudDib posted:Thrashing any given platform doesn't prove that it's more vulnerable than an unthrashed platform. I highly encourage you to consider the medical problem of detection rates of (eg) thyroid nodules versus actual cancerous nodules. A vulnerability is not the same thing as a virus, just the same as a benign nodule is not the same as a cancerous nodule. What vulnerabilities in any platform does AV close off? None. You're again conflating malware with vulnerabilities, and that's not correct, most malware does not exploit any vulnerability. BangersInMyKnickers posted:Microsoft is doing gently caress-all to effectively protect the user session. Keep crap out of system or stop rootkits? Sure, but you don't need system to run a botnet client if the same user is on all the time and you're blocking system sleep. The integrity level scheme with UAC is a nice start but its not consistently used and plugins often give an easy escape path. Window's model's greatest failure is the complete lack of sandboxing anything from anything. The amount of bullshit one random program can do another is just sad. apseudonym fucked around with this message at 16:45 on May 2, 2016 |
|
#
?
May 2, 2016 16:18
|
|
|
Would just like to throw out that the red text for him is fantastic.
|
|
#
?
May 2, 2016 16:27
|
|
|
apseudonym posted:What vulnerabilities in any platform does AV close off? None. This is very important. Please read this text. Vulnerabilities are how malware get installed, not how malware does its dirty work. And the network-facing software like browsers are increasingly pointless for scale attackers (vs directed) to use, because they get patched too quickly. Except Java, but plugins are dying soon too, and Java is basically unnecessary for the web today anyway. (We have some vendor finance apps at work that need browser Java, so the people who need them get VMs to run them on. The VMs are wiped and recreated after every session, even though they're network-constrained to not leave the corporate network. Java: eternally vigilant.)
|
|
#
?
May 2, 2016 17:16
|
|
|
ChubbyThePhat posted:Would just like to throw out that the red text for him is fantastic. 
|
|
#
?
May 2, 2016 17:19
|
|
|
OSI bean dip posted:Yeah. Like just look at this list of really loving dumb vulnerabilities: taviso's AV bugs are cool but the "RCE" is rarely actually practical or part of the actual AV itself. nobody sane is recommending you install sophos or comodo. generally enterprise AV is all worthless, other protections should be in place on the enterprise network to protect endpoints on the network/permissions layer. enterprise is a totally separate theater. bugs that result from scanning downloaded files (CHM, kaspersky upx bug, etc) are not practical for widespread random idiot infection. you're usually not going to be able to detect and filter for specific AV users and send AV-specific payloads(with the exception of a few awful solutions nobody normally recommends that add plugins+headers). throwing these payloads at everyone would result in your poo poo getting detected in a flash. even if you ignore this problem many bugs in this category that taviso finds are also not actually remotely exploitable on platforms with ASLR and DEP (Windows), as a separate bug to generate a good heap spray or memory exhaustion usually isn't there. all of this is _high effort_ for EK authors. bugs that result from mitm are lol who the gently caress cares, you'd get about $5 for a full chain using that on the market. not practical to use to infect random idiots. bugs in massive products like TM are funny, but who the gently caress is recommending TM to their family? generally people suggest (the user versions of) bitdefender, malwarebytes, eset, maybe kaspersky. the non-enterprise versions tend not to include misc garbage. some of taviso's best bugs in poo poo that actually matters, like his ESET emulation RCE, are /still/ useless to infect rando users. code execution on modern windows was totally defeated by mitigations. his example ran on OSX because of this. people tried to make his exploit generic and failed because of this. even good security researchers will overstate the practicality of their bugs so that people will patch them. imo y'all combine enterprise vs idiot user recommendations too much. misc_ransomeware_2000 / EK_hailsatan_666 are not really using AV vulns for RCE/LPE because they loving suck and there's easier ways. most even dip the out and stop execution if they can detect AV because it's _not worth the time_. if they don't target $CJ_AV_REC and $CJ_AV_REC stops them occasionally and saves time cleaning grandma's computer there's really no problem in having them. "lol don't use AV just update" isn't helpful when there are offerings that don't include nodejs, a loving password manager with code execution, and ASLR defeats. these will stop a variety of infections and nobody is targeting grandma for an AV RCE that requires a mitm.
|
|
#
?
May 2, 2016 17:44
|
|
|
Daman posted:taviso's AV bugs are cool but the "RCE" is rarely actually practical or part of the actual AV itself. The worst thing that Tavis has found is not a set of specific vulnerabilities. Rather, it's the iron-clad evidence of industry-wide, structural disregard for the security impact of these products on the end user.
|
|
#
?
May 2, 2016 17:59
|
|
|
Daman posted:nobody is targeting grandma for an AV RCE that requires a mitm. Jokes on you, I'm from MawMawSec - make all my money getting grandma boxes and selling their AOL account information on underground forumz.
|
|
#
?
May 2, 2016 18:05
|
|
|
Subjunctive posted:The worst thing that Tavis has found is not a set of specific vulnerabilities. Rather, it's the iron-clad evidence of industry-wide, structural disregard for the security impact of these products on the end user. I watched his video where he presented the Sophail paper (https://www.youtube.com/watch?v=h_JjNJ45PCM) and there's just the overwhelming impression that anything that wasn't developed a decade prior and just left to rot while all the real work happened in the marketing department, was just done to the barest minimum standard of being 'done' so that whoever was responsible for it could go home.
|
|
#
?
May 2, 2016 18:09
|
|
|
Daman posted:taviso's AV bugs are cool but the "RCE" is rarely actually practical or part of the actual AV itself. nobody sane is recommending you install sophos or comodo. generally enterprise AV is all worthless, other protections should be in place on the enterprise network to protect endpoints on the network/permissions layer. enterprise is a totally separate theater. The problem I have with your reply here is that what you're saying is that we should overlook these vulnerabilities because no known malware is currently exploiting any of this. You are correct that in as far as any of us know right now nothing is currently exploiting a really dumb RCE in TrendMicro or whatever AV suite to get a foothold on the system. However, what you're forgetting is that what Tavis has found so far demonstrates a complete lack of care or at least intelligence into developing these software suites. If these applications are supposed to make us more secure, then why are there really obvious RCEs? Why is debug mode left on? What soft of loving moron creates a sandbox that allows for the passing of API calls to the host OS just because they assumed that it was safe to do so because they couldn't make system changes? These are the idiot decisions that make me wonder about the actual care and attention that goes into the development of these application suites that again are supposed to make systems more secure. You also are doing a disfavour to your argument by thinking enterprise and non-enterprise AV suites are different when in reality at their core they're not other than manageability. If we look at my earlier post, my argument against the use of it with the expectation of it doing anything is not based on idiotic vulnerabilities that have no business existing but instead the fact that signatures, heuristics, behavioural and everything else being done to detect malware just simply do not work. AV's biggest problem isn't the bugs within; it's the fact that it simply cannot scale. If I can pump out 200,000 unique copies of some ransomware in a single day that signatures cannot keep up with, heuristics cannot predict without causing havoc with other applications, and suspicious behaviour will never get wind of, how can I as an AV vendor expect to be able to keep up? It's really an impossible task to expect that you'll get enough analysts in the lab to come up with answers. This is why I find the whole notion of switching AV vendors after an incident as dumb because another wave of malware will pop up eventually and you'll be back at the same conclusion like you had before. AV provides a false sense of security and the suggestion that you should rely on it should only come from AV vendors themselves, not from people who shouldn't peddle crap. Lain Iwakura fucked around with this message at 18:47 on May 2, 2016 |
|
#
?
May 2, 2016 18:18
|
|
|
someone in the tech journalism circle needs to write a good exposé on AV firms and all the bullshit Ormandy is digging up, but lol tech journalism
|
|
|
#
?
May 2, 2016 18:29
|
|
|
Subjunctive posted:This is very important. Please read this text. Vulnerabilities are how malware get installed, not how malware does its dirty work. And the network-facing software like browsers are increasingly pointless for scale attackers (vs directed) to use, because they get patched too quickly. Except Java, but plugins are dying soon too, and Java is basically unnecessary for the web today anyway. (We have some vendor finance apps at work that need browser Java, so the people who need them get VMs to run them on. The VMs are wiped and recreated after every session, even though they're network-constrained to not leave the corporate network. Java: eternally vigilant.) I'm not sure I'd go so far as to say that vulns are how malware get installed/executed. Often times it's us, the user, that executes the malware.
|
|
#
?
May 2, 2016 19:25
|
|
|
apseudonym posted:I'm not sure I'd go so far as to say that vulns are how malware get installed/executed. Often times it's us, the user, that executes the malware. lack of education/awareness is a vulnerability by definition
|
|
#
?
May 2, 2016 19:37
|
|
|
online friend posted:lack of education/awareness is a vulnerability by definition If the security of your system depends on users(or IT admins or whatever) being smart and constantly vigilant about security then it is an unfixable system.
|
|
#
?
May 2, 2016 21:07
|
|
|
apseudonym posted:If the security of your system depends on users(or IT admins or whatever) being smart and constantly vigilant about security then it is an unfixable system. i never said that, all i said was that it is a vulnerability.
|
|
#
?
May 2, 2016 21:10
|
|
|
online friend posted:i never said that, all i said was that it is a vulnerability.
|
|
#
?
May 2, 2016 21:28
|
|
|
apseudonym posted:I'm not sure I'd go so far as to say that vulns are how malware get installed/executed. Often times it's us, the user, that executes the malware. Sorry, I mean that to the extent vulnerabilities are relevant, they're an installation vector and not really part of how malware goes about operating (excepting some escalation vulns that make persistence and hiding easier).
|
|
#
?
May 2, 2016 22:42
|
|
|
Paul MaudDib posted:Probably about the time you post an actual argument that isn't "trust me" or conspiracy theories or some clickbait poo poo. What? There are plenty of articles stating that NSA is planting backdoors into encryption including the NSA themselves http://www.theguardian.com/us-news/2015/feb/23/nsa-director-defends-backdoors-into-technology-companies Mass wiretapping and opportunistic decryption? Do you know what encryption is? I feel like you are just saying words now and didn't read about the Dual EC stuff.
|
|
#
?
May 3, 2016 00:40
|
|
|
The NSA doesn't need to backdoor AV, the vendors already do that without their help by writing poo poo software.
|
|
#
?
May 3, 2016 00:48
|
|
|
You don't need a backdoor if the front door and all of the windows are open.
|
|
#
?
May 3, 2016 00:58
|
|
|
I'm graduating from college in the fall with a BS in Computer Science, any tips on getting a job in the infosec industry? I'd rather be on the blue team/admin side of things but I'm kinda worried that I'll be job hunting and end up in something akin to a basic tech support job, and I've spent way too much time and money in college to really be able to afford that. I'll have an S+ and probably a CCNA by then, if those will help. I know those are very basic, entry-level certs but it's what I can afford on my budget and I had to start somewhere.
|
|
#
?
May 3, 2016 00:59
|
|
|
Swagger Dagger posted:I'm graduating from college in the fall with a BS in Computer Science, any tips on getting a job in the infosec industry? I'd rather be on the blue team/admin side of things but I'm kinda worried that I'll be job hunting and end up in something akin to a basic tech support job, and I've spent way too much time and money in college to really be able to afford that. don't pay for your own certs, that's what employers are for. i don't know poo poo about entering the job market on your side of the world so i can only really give the incredibly generic "attend meetups around your areas of interest and get talking to people because a) connections are great b) you can find out what the hell they want from new hires" here, sorry. also i wouldn't assume your degree is going to count for anything. good luck with the job hunt
|
|
#
?
May 3, 2016 01:12
|
|
|
Swagger Dagger posted:I'm graduating from college in the fall with a BS in Computer Science, any tips on getting a job in the infosec industry? I'd rather be on the blue team/admin side of things but I'm kinda worried that I'll be job hunting and end up in something akin to a basic tech support job, and I've spent way too much time and money in college to really be able to afford that. see if you have a local convention (bsides, for example). don't just be a fly on the wall, ask questions, no matter how dumb they may sound. figure out what you want to do and ask people in the industry the best way to get into it. in my experience, people in infosec love to help people trying to break into the industry.
|
|
#
?
May 3, 2016 01:36
|
|
|
Is there anything more recent than Ormandy's 2012 stuff on Sophos being poo poo? Central IT at my workplace has a 'policy' that it has to be installed on all machines (including RHEL machines) and having it sitting there taking up 200+ Mbytes x 2000 VMs seems like a waste of resources.
|
|
#
?
May 3, 2016 01:42
|
|
|
Mr Chips posted:Is there anything more recent than Ormandy's 2012 stuff on Sophos being poo poo? Central IT at my workplace has a 'policy' that it has to be installed on all machines (including RHEL machines) and having it sitting there taking up 200+ Mbytes x 2000 VMs seems like a waste of resources. i can probably guarantee you that they won't change the policy even if you gave them evidence that sophos as poo poo
|
|
#
?
May 3, 2016 01:43
|
|
|
Mr Chips posted:Is there anything more recent than Ormandy's 2012 stuff on Sophos being poo poo? Central IT at my workplace has a 'policy' that it has to be installed on all machines (including RHEL machines) and having it sitting there taking up 200+ Mbytes x 2000 VMs seems like a waste of resources. Just use the back door to disable all of them. 
|
|
#
?
May 3, 2016 01:51
|
|
|
Subjunctive posted:The worst thing that Tavis has found is not a set of specific vulnerabilities. Rather, it's the iron-clad evidence of industry-wide, structural disregard for the security impact of these products on the end user. like right, you say this, but for most products when the bug is found it has pretty fast response time to patch. I'd say ESET is a decent company and while their SDLC may not be the best (causing these bugs), major bugs are patched in under three days of report time. that's really all you can ask from a vendor, bugs will happen. Most of the critical level bugs I find stay functional in major products for years. Is Microsoft ignoring security because they vastly improved font rendering times on older systems by rolling it into the kernel? There's still security issues with that code to this day. There's a variety of stories in the Windows kernel that are similar. OSX is no different, they have so much fluff running at a privileged level that there's a huge attack surface they've only tried to fix it by creating a walled garden with as many mitigations as possible for certain platforms running their kernel. Does this mean there's evidence of industry-wide disregard for the security impact of kernel components? Grouping every AV vendor together without considering how mature their offering is and how much auditing has been done against their products is a mistake. You're not getting remote nodejs debug servers in MBAM, and they've got MBAE which actually has a decent library of mitigations implemented using EMET as a template (MBAE being much more friendly to end-users). Obviously trying to enumerate which vendors provide a decent product by those "catches X%" statistics bullshit is a waste of time. They all do nearly the same thing, they should probably be enumerated by the number of IOCTLs their driver serves, the amount of extraneous bullshit they include (as negatives), and the number of transparent security audits that have been done in the last few versions (several have bug bounties). OSI bean dip posted:AV provides a false sense of security and the suggestion that you should rely on it should only come from AV vendors themselves, not from people who shouldn't peddle crap. of course you shouldn't rely on any one thing. defense in depth is not just a meme. picking an AV that doesn't come with debug JS servers is a part of that. most _do_ stop lovely kiddy trojans. I'd question whether the knowledge of having an AV would affect what a dumb user does at all. OSI bean dip posted:The problem I have with your reply here is that what you're saying is that we should overlook these vulnerabilities because no known malware is currently exploiting any of this. OSI bean dip posted:signatures, heuristics, behavioural and everything else being done to detect malware just simply do not work. OSI bean dip posted:If I can pump out 200,000 unique copies of some ransomware in a single day that signatures cannot keep up with, heuristics cannot predict without causing havoc with other applications, and suspicious behaviour will never get wind of, how can I as an AV vendor expect to be able to keep up? To me, it seems like the argument of "if one can get through, why bother at all?" You're still going to see attackers using simple malware spread, why not protect users who don't know any better from these? AV will totally trigger on old garbage trojans people cast a huge net out with. They'll still be affected by payloads that are well-written to avoid AV, but they would've been anyways?
|
|
#
?
May 3, 2016 02:01
|
|
|
gently caress all of you! I'm keeping eset installed! Swagger Dagger posted:I'm graduating from college in the fall with a BS in Computer Science, any tips on getting a job in the infosec industry? I'd rather be on the blue team/admin side of things but I'm kinda worried that I'll be job hunting and end up in something akin to a basic tech support job, and I've spent way too much time and money in college to really be able to afford that. Check with your school's CS IT department if you're just trying to get any experience before you graduate. Pretty easy in if you're a student in the program, and they should be looking for people for the summer and fall. A fellow classmate of mine did it and was really into it.
|
|
#
?
May 3, 2016 04:31
|
|
|
Daman posted:...but for most products when the bug is found it has pretty fast response time to patch... I will admit that this is in fact true for some vendors. The IKE buffer overflow in the Cisco ASA in February would be a good example of a super fast patch made to a number of different code trains for the same device family. (Ok, Cisco knew about the issue before the general internet did. But still.) However many many vendors are terrible about this sort of thing and take stupid amounts of time to issue patches. Even then the patches don't always actually fix the problem. You would be amazed how often a vendor will tweak something minor so that example exploit code no longer works but then someone slightly modifies the exploit code to get around the fix within a day or two because the vendor didn't actually fix the underlying issue.
|
|
#
?
May 3, 2016 04:42
|
|
|
I am the pusher robot
|
|
|
#
?
May 3, 2016 04:43
|
|
|
Do I have stairs in my house
|
|
#
?
May 3, 2016 05:04
|
|
|
Jabor posted:Do I have stairs in my house Heuristics have not detected any. *falls down the stairs*
|
|
#
?
May 3, 2016 05:10
|
|
|
Daman posted:At a chosen point of attacker effort, defense against them does not work. the point of a dumb user running an AV solution is to raise that level past "standard irc botnet." poo poo like this is detected just fine all the time. has there been any malware for sale in the last decade or so that only drops one payload? i have no idea why "well, that probably got them all. it definitely got one" would inspire confidence also "don't open random attachments from yourbank@jkhagkjakjga.ru" would get you past that level
|
|
#
?
May 3, 2016 11:46
|
|
|
I love the fact that people here seem to be suggesting not adding an extra lock on your door because burglars could go in through the open window instead. Yeah, it doesn't stop anyone but the very dumb burglars that will still try the door anyway because they can't climb through the window. However at least some portion of the burglars are exactly that. And if a sophisticated burglar could abuse the lock to get in anyway, that's the exact same result as not having put the lock on in the first place.
|
|
#
?
May 3, 2016 13:51
|
|
|
And that lock can burn your door down, or move your jewelry to the front step.
|
|
#
?
May 3, 2016 13:52
|
|
|
If we have to talk in analogies, I think the point being made is not to put a poorly made lock on your front door that throws your windows open without you realising.
|
|
#
?
May 3, 2016 13:53
|
|
|
As opposed to having everything open at all times? I'd say it's an improvement. It's like everyone in here is aiming for 100.0% effectiveness, whereas the sane people are looking for covering the 20.0% of cases they can cover with minimal effort. I mean, you can't honestly be claiming that you can cover 20.0% of cases by not doing anything.
|
|
#
?
May 3, 2016 14:06
|
|
|
if we must go with analogies, you're advocating safe sex by removing the condom and trusting the rhythm method
|
|
#
?
May 3, 2016 14:13
|
|
|
BangersInMyKnickers posted:Tavis Ormandy turned his terrible gaze towards Symantec and hit paydirt. Expect big rounds of emergency patching in the next 3 months if you're running their products. Or maybe they don't do anything and you get some 0day CVEs when he goes public. On this subject. How in the gently caress, in 2016 are we still encountering failures to patch and hold a spreadsheet with just the most cursory loving information about your critical apps and hosts. AV: Heartbleed - 107 instances of vulnerable OpenSSL in AV. This version is three years old. Java: 44 versions, not one instance of current revision - IT confirms no need for Java, so it really isn't a problem as far as they are concerned, as in "we don't use Java so we don't see this as a risk". Adobe acrobat reader: 63 versions - Including adobe acrobat reader 6. This customer has 107 staff and 3 computer janitors and an IT manager. Customer allows personal webmail, including unvetted 100+ Megabyte downloads from Tencent QQ personal webmail service. Customer allows unencrypted USB. Customer feels proud that they have a handle on Data Loss through dropbox. How? Well, only IT can access drop box and will download your files and send them to you via email (which has led to a full scale information security breach and the reason I am involved). The IT admin responsible for downloading? Yes, you guessed it. The same pokemon downloading fucktard that is in charge of patch management. The same IT admin with Java 6 and Adobe 11.0.10 on his workstation.
|
|
#
?
May 3, 2016 14:15
|
|
|
|
| # ? Apr 27, 2024 23:21 |
|
|
Red Mike posted:As opposed to having everything open at all times? I'd say it's an improvement. It's like everyone in here is aiming for 100.0% effectiveness, whereas the sane people are looking for covering the 20.0% of cases they can cover with minimal effort. I mean, you can't honestly be claiming that you can cover 20.0% of cases by not doing anything. I don't know where the 20% number comes from, but most AV has side-effects that are pretty undesirable in terms of security, performance, and user experience. Nobody is aiming for 100% effectiveness. The position of the "insane", some of whom are accomplished security professionals, is that AV is a net negative. The positive elements (ability to catch lazily-deployed virus payloads) are decreasing and the negative elements (aggressive upsells, interference with system operation, security vulnerabilities that transcend mere self-parody) are increasing.
|
|
#
?
May 3, 2016 14:21
|
|