|
Daman posted:of course you shouldn't rely on any one thing. defense in depth is not just a meme. picking an AV that doesn't come with debug JS servers is a part of that. most _do_ stop lovely kiddy trojans. I'd question whether the knowledge of having an AV would affect what a dumb user does at all.

Okay. But how do you pick an AV that doesn't have dumb programming put into it? How many users avoided Comodo because they knew that it was doing harm to Chrome? How many users knew that TrendMicro was running the debug server? How many people knew that Avast was passing API calls to its sandbox to the host OS? None of them. So if I am someone who goes into a store to buy an anti-virus suite, I am likely the type of person who does not know about the above problems and will likely be at risk of further issues.

Daman posted:of course you should consider that these vulnerabilities existed (in the specific configurations and components they occurred in) when deciding if av_vendor is a good choice. history of security issues, vendor response to these, and recent additions/changes to the product should all be taken into consideration.. one vendor's actions don't indicate every product is going to contain ridiculous issues.

One vendor's poor coding shows the level of care being put into the engine.

Daman posted:To me, it seems like the argument of "if one can get through, why bother at all?" You're still going to see attackers using simple malware spread, why not protect users who don't know any better from these? AV will totally trigger on old garbage trojans people cast a huge net out with. They'll still be affected by payloads that are well-written to avoid AV, but they would've been anyways?

If a user is going to be at risk of catching "old garbage trojans", they're already going to get hit by something newer that is going to bypass the anti-virus anyway. The average user who goes and gets themselves infected with something that is old is more likely to get hit with something else because their hygiene is already compromised.
|
# ? May 3, 2016 15:43 |
|
The last hundred or so posts in this thread have been a great read. What are the opinions on torrenting movie files and TV shows? Is there a possibility of code execution in popular video file containers? It's been a long time since I realised the idiocy of using pirated software from torrents, and as recently as a couple of years ago I was happy to get free Windows activation by using a dodgy bootloader. Times have changed and I'd like to think I'm less slapdash these days, but it's so convenient to grab a copy of that TV show you missed.
|
# ? May 3, 2016 21:20 |
|
There was an ffmpeg vuln a little while ago that allowed remote attackers to see files on a system that executed a malformed playlist file. So if you don't keep VLC up to date you could be vulnerable to that. That kind of thing could happen in video files. Software is full of bugs. I guess the point is that lazy programming or poor code testing could result in vulnerabilities in anything, so it's entirely possible.
|
# ? May 3, 2016 21:32 |
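The playlist issue mentioned above, as an added C example that is not ffmpeg's or VLC's code: a player that follows playlist entries should refuse anything that can reach the local filesystem, so the check below allow-lists plain relative segment names and http(s) URLs and rejects everything else (other schemes such as file:, concat: and subfile:, absolute paths, backslashes, and ".." components). The function names, the sample playlist and the accepted-scheme list are assumptions for the example; the real ffmpeg fix is not on the page.

```c
/* Added illustration of an allow-list check on playlist entries. This is a
 * generic hardening pattern, not ffmpeg's or VLC's actual fix; the function
 * names, the sample playlist and the accepted-scheme list are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRY 256

/* True if any '/'-separated component of the path is exactly "..". */
static int has_dotdot_component(const char *p) {
    const char *s = p;
    for (;;) {
        const char *e = strchr(s, '/');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.') return 1;
        if (e == NULL) return 0;
        s = e + 1;
    }
}

/* Accept only plain relative segment names or http(s) URLs. Anything with a
 * ':' that is not http(s) is refused, which covers file:, concat:, subfile:
 * and drive-letter paths; absolute paths, backslashes and ".." are refused. */
int playlist_entry_ok(const char *entry) {
    size_t n = strlen(entry);
    if (n == 0 || n >= MAX_ENTRY) return 0;
    if (strchr(entry, ':') != NULL) {
        return strncmp(entry, "http://", 7) == 0 ||
               strncmp(entry, "https://", 8) == 0;
    }
    if (entry[0] == '/' || strchr(entry, '\\') != NULL) return 0;
    if (has_dotdot_component(entry)) return 0;
    return 1;
}

/* Walk an M3U-style playlist: lines starting with '#' are tags, every other
 * non-empty line is an entry. Copies accepted entries into `accepted` and
 * returns how many were kept; rejected entries are dropped silently. */
int filter_playlist(const char *text, char accepted[][MAX_ENTRY], int max) {
    int count = 0;
    const char *p = text;
    while (*p != '\0' && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r') len--;   /* tolerate CRLF */
        if (len > 0 && len < MAX_ENTRY) {
            char line[MAX_ENTRY];
            memcpy(line, p, len);
            line[len] = '\0';
            if (line[0] != '#' && playlist_entry_ok(line)) {
                strcpy(accepted[count++], line);  /* len < MAX_ENTRY, so it fits */
            }
        }
        if (nl == NULL) break;
        p = nl + 1;
    }
    return count;
}

int main(void) {
    /* Constructed sample: two local segments, one CDN URL, and four entries
     * that try to point the player at local files. */
    const char *playlist =
        "#EXTM3U\n"
        "segment1.ts\n"
        "https://cdn.example/seg2.ts\n"
        "media/seg3.ts\n"
        "concat:/etc/passwd|seg.ts\n"
        "file:///etc/passwd\n"
        "../../etc/passwd\n"
        "/etc/passwd\n";
    char accepted[16][MAX_ENTRY];
    int n = filter_playlist(playlist, accepted, 16);
    for (int i = 0; i < n; i++) printf("accepted: %s\n", accepted[i]);
    printf("%d of 7 entries kept\n", n);
    return 0;
}
```

The design choice is deliberate: rather than enumerate dangerous schemes, which is exactly the list a player vendor would get wrong, the check refuses any entry containing ':' unless it is explicitly http or https, so a new protocol handler in the media library cannot be reached from a playlist without someone adding it here on purpose.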
|
Codecs (video, audio, image) are legendarily fertile territory for bugs. Stagefright, for example.
|
# ? May 3, 2016 21:34 |
|
It's theoretically possible but probably more trouble than it's worth, as most movie and TV show releases are done by groups and distributing infected files would get you blacklisted from a lot of the major torrenting sites. Those same torrenting sites, mind you, have no problem with fake download buttons that redirect you to malware and scamware. And the worst possible thing: onClick popups.
|
# ? May 3, 2016 21:36 |
|
Here's a practical one that you can do in Metasploit with the TIFF file format: https://www.rapid7.com/db/modules/exploit/windows/fileformat/mswin_tiff_overflow quote:This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large value, which ends up being 0, but it still gets pushed as a dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.
|
# ? May 3, 2016 21:48 |
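The size bug in that module description, reduced to its arithmetic as an added C illustration (this is not Microsoft's or the Metasploit module's code; the struct fields and function names are invented for the example): a 32-bit product of file-controlled values wraps to 0, HeapAlloc(0) still hands back a chunk, and a memcpy of the attacker-controlled EXIF length then overruns it. The hardened version does the multiplication in 64 bits, rejects wrap or zero, and bounds the copy to the allocation. The vulnerable path is modelled so that it reports the overrun rather than performing the out-of-bounds write.

```c
/* Added illustration of the DWORD-wrap bug in the module description above.
 * Not Microsoft's or Metasploit's code: the struct fields and function names
 * are invented for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values an attacker controls in a crafted TIFF (constructed field names). */
typedef struct {
    uint32_t count;     /* number of entries, read from the file */
    uint32_t elem_size; /* bytes per entry, read from the file */
    uint32_t exif_len;  /* length of the attacker-supplied EXIF blob */
} tiff_hdr_t;

/* Vulnerable calculation: the product is done in a 32-bit DWORD and wraps
 * modulo 2^32, so 0x40000000 * 4 = 0x100000000 becomes 0. */
uint32_t vuln_size(const tiff_hdr_t *h) {
    return h->count * h->elem_size;
}

/* Models the vulnerable path without performing the out-of-bounds write.
 * Returns 1 when memcpy would copy more bytes than HeapAlloc was asked for;
 * HeapAlloc(0) still returns a small usable chunk, which is what lets the
 * overrun reach a neighbouring function pointer in the real bug. */
int vuln_overflows(const tiff_hdr_t *h, uint32_t *alloc_out) {
    uint32_t dwBytes = vuln_size(h);  /* pushed as the HeapAlloc size */
    *alloc_out = dwBytes;
    return h->exif_len > dwBytes;
}

/* Hardened size calculation: multiply in 64 bits and refuse wrap or zero. */
int safe_size(const tiff_hdr_t *h, uint32_t *out) {
    uint64_t prod = (uint64_t)h->count * (uint64_t)h->elem_size;
    if (prod == 0 || prod > UINT32_MAX) return -1;
    *out = (uint32_t)prod;
    return 0;
}

/* Hardened copy: the allocation size is validated and the source length is
 * bounded by it. Returns NULL on any failure, otherwise a buffer the caller
 * frees. */
unsigned char *safe_copy_exif(const tiff_hdr_t *h, const unsigned char *exif) {
    uint32_t size;
    if (safe_size(h, &size) != 0) return NULL;
    if (h->exif_len > size) return NULL;  /* source must fit destination */
    unsigned char *buf = calloc(size, 1);
    if (buf == NULL) return NULL;
    memcpy(buf, exif, h->exif_len);
    return buf;
}

int main(void) {
    tiff_hdr_t evil = { 0x40000000u, 4u, 64u };  /* constructed crafted header */
    unsigned char exif[64];
    memset(exif, 0x41, sizeof exif);
    uint32_t alloc;
    int bad = vuln_overflows(&evil, &alloc);
    printf("vulnerable path: HeapAlloc(%u) then memcpy %u bytes -> overflow=%d\n",
           alloc, evil.exif_len, bad);
    unsigned char *buf = safe_copy_exif(&evil, exif);
    printf("hardened path: %s\n", buf ? "accepted" : "rejected (size wrapped)");
    free(buf);
    return 0;
}
```

The two checks are independent and both are needed: the 64-bit multiply catches the wrap, and the `exif_len > size` comparison catches the case where the size is computed correctly but the source blob is still longer than the destination, which is a separate way to reach the same memcpy overrun.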
|
https://en.wikipedia.org/wiki/Stagefright_(bug) e:fb On October 1st, 2015, Zimperium released details of further vulnerabilities, also known as Stagefright 2.0. This vulnerability affects specially crafted MP3 and MP4 files that execute their payload when played using the Android Media server. The vulnerability has been assigned identifier CVE-2015-6602 and was found in a core Android library called libutils; a component of Android that has existed since Android was first released. Android 1.5 through 5.1 are vulnerable to this new attack and it is estimated that one billion devices are affected.[25]
|
# ? May 3, 2016 22:56 |
|
Dex posted:if we must go with analogies, you're advocating safe sex by removing the condom and trusting the rhythm method My safe sex analogy was better. Trying to explain the situation with analogies is like trying to guide someone through building a combustion engine over the phone - that is, not likely to result in anything but wasted time.
|
# ? May 4, 2016 01:52 |
|
It's like putting too much air in a balloon!
|
# ? May 4, 2016 04:37 |
|
Thanks for the replies regarding media files. It seems that the best strategy is to choose your media player carefully, stick to one or two media players and keep them up to date.
|
# ? May 4, 2016 04:51 |
|
That won't really help in any meaningful way - I think you underestimate just how vulnerable media codecs are if your conclusion is "keep VLC up to date". If you think getting your box popped via an anime mkv is a realistic scenario you need to guard against, you'd be better off installing EMET or watching everything in a VM.
|
# ? May 4, 2016 05:13 |
|
Well I want to be able to watch an mkv/play an mp3 on my desktop PC the same as most people. I don't want to fire up a VM to do that. I suppose it comes down to accepting that it's not watertight security and if I'm using a torrent that's a popular TV programme then I'm not the only one that's gonna be susceptible and there's likely to be a buzz about a recent exploit on the Web.
|
# ? May 4, 2016 05:44 |
|
So if you're setting up a new 100 person office with a 100k budget for server and infrastructure related stuff, how would you go about making the users least likely to get infected or otherwise gently caress up their machines? The users are a standard cross-section of average American users, from 20 to 60, with at least 10 people too useful to fire, but too stupid to train in any meaningful fashion. They run windows software, need adobe reader, java for a lovely web app, and will revolt if flash isn't installed for their stupid cat.swf email chains that go around.

Things I've seen in this thread so far:
Some form of application white-listing via Applocker or other mechanism to cut down on garbage drivebys
Websense or some form of filtering service to blackhole the known virus sites, and to keep users out of areas of the internet significantly more likely to infect them.
An email filtering service that allows you to disable attachments of arbitrary type, gently caress you invoice.zip.exe
A robust backup system with server snapshots that users can't modify or delete, disable the ability for users to roll back folders, copy/move vss snapshot data only.
A firewall/IDS of some description.
|
# ? May 4, 2016 09:24 |
|
A KnowBe4 subscription and management buy-in on the idea of training staff being part of a solution
|
# ? May 4, 2016 09:50 |
|
Thanks Ants posted:A KnowBe4 subscription With "training" by mitnick? No thanks.
|
# ? May 4, 2016 10:03 |
|
That does sound off-putting but the fake phishing emails and reporting on who is clicking them is useful information to have.
|
# ? May 4, 2016 10:18 |
|
DeaconBlues posted:Well I want to be able to watch an mkv/play an mp3 on my desktop PC the same as most people. I don't want to fire up a VM to do that. I suppose it comes down to accepting that it's not watertight security and if I'm using a torrent that's a popular TV programme then I'm not the only one that's gonna be susceptible and there's likely to be a buzz about a recent exploit on the Web. Pay for your Movies / TV Shows then
|
# ? May 4, 2016 11:58 |
|
Stanley Pain posted:Pay for you Movies / TV Shows then I don't believe that everyone in this thread pays for all of their media, even the most security conscious. ;-)
|
# ? May 4, 2016 12:18 |
|
DeaconBlues posted:I don't believe that everyone in this thread pays for all of their media, even the most security conscious. ;-) i do.
|
# ? May 4, 2016 12:20 |
|
Dex posted:i do. You're everyone? Like a collective conscience or what
|
# ? May 4, 2016 12:27 |
|
Haquer posted:You're everyone? more of a gestalt entity, that pays for poo poo
|
# ? May 4, 2016 13:33 |
|
Dex posted:more of a gestalt entity, that pays for poo poo Hey there, paying for poo poo buddy.
|
# ? May 4, 2016 13:36 |
|
Methylethylaldehyde posted:They run windows software, need adobe reader, java for a lovely web app, and will revolt if flash isn't installed for their stupid cat.swf email chains that go around. Don't install flash. Nobody needs flash.
|
# ? May 4, 2016 14:41 |
|
DeaconBlues posted:I don't believe that everyone in this thread pays for all of their media, even the most security conscious. ;-) Some of us do I guess. I stopped pirating software because Steam made it easy to get/play games and I don't have to worry about sketchy releases, cracks, etc. I stream 100% of the music/movies/tv shows I watch/listen to. Once in a blue moon I even go to the cineplex and watch something there :shobon
|
# ? May 4, 2016 18:40 |
|
I guess it's moot whether I torrent, you torrent or anyone else in the thread torrents movies. I was interested in finding out if there was a real threat from manipulated video files. It seems that that attack vector is very much an ongoing possibility.
|
# ? May 4, 2016 20:17 |
|
Absurd Alhazred posted:If it's the company I think it is then it does in fact stay installed, constantly "suggests" that you buy the full anti-virus, and finds problems like "this web browser you never use has some kind of edge-case vulnerability if you are dumb enough to use it, but if you want us to automatically fix it you'll need to buy our full suite." To follow up here: this vendor's tool was installing itself and being obnoxious, so we have removed it from the program until they remedy that. We do not want to be recommending tools to our users that result in AV software being installed. Thanks for the report, Absurd!
|
# ? May 4, 2016 22:06 |
|
Subjunctive posted:To follow up here: this vendor's tool was installing itself and being obnoxious, so we have removed it from the program until they remedy that. We do not want to be recommending tools to our users that result in AV software being installed. Complaining is where I'm a Viking!
|
# ? May 5, 2016 02:02 |
|
It isn't, like, the top factor, but I think "not having to worry about whether that keygen will own my machine" definitely makes my top 3 reasons I'm happy to pay for things.
|
# ? May 5, 2016 09:11 |
|
I had an interesting meeting with Cylance yesterday, who said they are using math models to predict the APIs and library loads commonly used by malware instead of signatures or heuristics. OSI, have you used their engine before? They claim it doesn't need to be online to pull signatures and it has some pretty nice looking features that make us want to rip and replace our Bit9 infrastructure with it.
|
# ? May 5, 2016 12:28 |
|
math + commonly used = heuristics No?
|
# ? May 5, 2016 12:34 |
|
That's what I figured as well but they claim it's not true heuristics, but an algorithm generated using machine learning over 18 million PEs.
|
# ? May 5, 2016 12:37 |
|
It's heuristics with marketing, and they refuse to give anyone access to analyse it without signing an NDA
|
# ? May 5, 2016 12:46 |
|
Yeah I realize that. I'm giving you guys the responses I got when I said these exact same things. I just wondered if anyone here had played with it and if it was worth a POC to throw some stuff against it and see if it holds up. It certainly sounds too good to be true to me, but we have some specific cases where we need some sort of solution that doesn't require being online. I have no intention of changing anything without a full in depth POC and more details behind closed doors about how it works.
|
# ? May 5, 2016 12:50 |
|
Wiggly Wayne DDS posted:It's heuristics with marketing, and they refuse to give anyone access to analyse it without signing a NDA Any security product that you can't test/analyse without an NDA isn't something I would want to buy. NDAs always make me think of snake oil. Independent verification is crucial in the security world. Antillie fucked around with this message at 14:31 on May 5, 2016 |
# ? May 5, 2016 14:26 |
|
Mustache Ride posted:I had an interesting meeting with Cylance. yesterday, who said they are using math models to predict the APIs and library loads commonly used by malware instead of signatures or heuristics I've had the pleasure in being stuck in a room with them and seeing the product demoed without an NDA. It does its "job" as an AV suite but I have yet to play with it beyond that. The fact that they won't let you demo it at all without an NDA is ridiculous and speaks volumes about what they think about it. One day I will write about it.
|
# ? May 5, 2016 14:48 |
|
Yeah, in the sit down the Sales Engineer had some interesting things to say about some of the questions I had, including, and I quote "We're not on Virustotal because we would catch everything and then the big 6 would use us as a reputation source and everyone would be using our engine." My boss and I also kept cracking up in the meeting because the sales douches were so like those in the most recent Silicon Valley episode. The Cylance guys had not seen Silicon Valley, of course.
|
# ? May 5, 2016 15:01 |
|
Mustache Ride posted:Yeah, in the sit down the Sales Engineer had some interesting things to say about some of the questions I had, including, and I quote "We're not on Virustotal because we would catch everything and then the big 6 would use us as a reputation source and everyone would be using our engine." When I had them pay my company a visit, they gave a full-on demo and even repacked the malware, etc to show off its abilities--which was suspiciously done mind you. When I asked what they'd do when their "magic math" is compromised, they said that they could just adjust some variables and carry on, which smelt of horseshit. Based on the demo I can say that they probably rely on signatures too but they danced around it when I asked them pointed questions about whether or not that was the case. A friend of mine at a similar-sized organization had demo'd their product and got into trouble over their NDA when they posted on a message board about it, being critical about some of its software bugs. I've been actively looking to get my hands on a copy of the product without an NDA and so far I have yet to succeed beyond the installer executable which still requires an MSI that I haven't gotten yet. I really think that they're scam artists with a half-decent marketing team because they've gotten some "recognition" in various circles.
|
# ? May 5, 2016 15:19 |
|
Mustache Ride posted:Yeah, in the sit down the Sales Engineer had some interesting things to say about some of the questions I had, including, and I quote "We're not on Virustotal because we would catch everything and then the big 6 would use us as a reputation source and everyone would be using our engine." So either they are allergic to money or they don't think their product will stand up to serious scrutiny. Since they are a for profit company I find the former very doubtful. Which leaves the latter. Antillie fucked around with this message at 16:33 on May 5, 2016 |
# ? May 5, 2016 16:30 |
|
OSI bean dip posted:When I had them pay my company a visit, they gave a full-on demo and even repacked the malware, etc to show off its abilities--which was suspiciously done mind you. When I asked what they'd do when their "magic math" is compromised, they said that they could just adjust some variables and carry on, which smelt of horseshit. I'm having a hard time finding non-effusive coverage about them online (I spent a whole couple of seconds googling them!), but sounds to me like they've been founded by quantitative finance people.
|
# ? May 5, 2016 17:13 |
|
The hype factor is seriously pumped. http://www.pcworld.com/article/3005677/business-security/new-dell-partnership-throws-doubt-on-traditional-antivirus-programs.html Dumbshit PC World article posted:A partnership announced by Dell on Tuesday shows how cybersecurity defenses are evolving, which could have wide-ranging effects on vendors like Symantec, McAfee and Trend Micro. It's really, really hard to find comparison details on them and this article that came out in November was as close as I could find at the time to talking about how "well" it "worked".
|
# ? May 5, 2016 17:49 |