Symantec/Norton Antivirus Remote Heap/Pool Memory Corruption CVE-2016-2208

209 points| reubenmorais | 10 years ago |bugs.chromium.org | reply

51 comments

[+] technion|10 years ago|reply
It's high time some of these compliance groups got together and had a good hard look at themselves.

It's been years since desktop signature-based antivirus provided a significant improvement to security. Every time there's a cryptolocker outbreak, I see people scrambling to make decisions like "we need to replace McAfee with Kaspersky", as though they feel that's their answer.

When you try telling an insurance auditor "we have a whitelisting application, nothing runs unless I've approved it, products like Symantec Endpoint are unnecessary in that environment", you first get a confused look, then you hear "ok, so you DON'T meet the minimum basic security requirements, let me write that down".

It's gotten to a point that it's actively part of Intel Security's advertising, with a recent partner promotion pushing to "help your clients meet their compliancy requirements". The brochure never even mentioned actually securing anything, just how it ticked various boxes.

[+] pilif|10 years ago|reply
This is actually a real problem; we need public perception to change. If you have proper white-listing in place then AV does nothing but actually decrease the security, as these AV programs probably need to be white-listed and thus expose the machines to the kinds of issues shown here.

Unless the compliance auditors are happy with the software just being installed and don't check whether it actually runs. That would still be a colossal waste of money for the licenses but at least it would not compromise your security.

[+] Dagwoodie|10 years ago|reply
You touch on a rather huge issue in the industry. So many IT companies out there are hiring one or two (if they're lucky) "Security Professionals" that are responsible for everything from endpoint security, to managing the SIEM, to digging deep into every popcorn noise that their IDS/IPS makes. There's a lot of boxes to check and there's nothing like hiring one poor soul to check them all in the name of compliance, while their board (who reluctantly hired the poor guy or gal) is deeply shrouded inside a false sense of "Hey we are HIPAA compliant for another year!" security.
[+] nihonde|10 years ago|reply
As a lawyer who deals with contracts, one of my major pet peeves is the stupid warranty that requires a party to use "industry-standard virus detection software". I'm fairly certain that none of the lawyers who insist on that language know anything about IT security.
[+] vacri|10 years ago|reply
When I was first getting into IT, I was trying to configure a low-end 'soho' Cisco modem. It had a Java-app webpage for configuration... which only ran on Windows/IE (couldn't be forced to load elsewhere), was missing two-thirds of the device's capabilities, and was just generally awful.

I asked a netadmin friend for some advice, and he said "Oh, that thing is just there to tick boxes - no techie would ever use it. 'Does it have a GUI configurator?' -> box ticked". Meanwhile the techies just configured the modem like any other bit of Cisco equipment: via the console.

[+] Ntrails|10 years ago|reply
I don't think we have any antivirus on our work computers. It works out ok because, after all, we don't have internet either. It's amazing how hard it is to run a malicious executable when you can't get them onto your computer...

(of course I've no doubt there are plenty of people smart enough to write their own but that's not the concern)

[+] godzillabrennus|10 years ago|reply
Http://www.bromium.com is a new take on security providing full sandboxes for applications.
[+] CiPHPerCoder|10 years ago|reply
If you've been following Tavis Ormandy's work, you already know this:

    Anti-Virus software is a trash-fire.
You can't buy security, but you can learn it: http://decentsecurity.com/#/introduction/

I've long argued that the only sustainable security strategy is education.

If you're a developer/engineer/consultant/rockstar/ninja/etc. and never bothered to learn how to write secure software, start here: https://paragonie.com/blog/2015/08/gentle-introduction-appli...

[+] ghshephard|10 years ago|reply
Couldn't agree with you more. Every tool in the world won't help you defend against a user with privileges being phished into doing something inappropriate.

And, even for those of us who are somewhat savvy, having refreshers to remind you of things like: never, ever, click on a link in an email, navigate through the website instead. Be hyper cautious about opening every attachment, period. Ensure that your system firewall is set to default deny, and think twice about opening up rules when an application demands them - and consider making them temporary rules. (Little Snitch is great for that.) Make sure the OS is updated routinely....

With that said, operating systems could help us out a little by reducing the almost infinite number of threat surfaces that exist so that we can more easily audit our system. The sheer number of places that an auto-launching/malware/kernel extension can hide in OS X makes it next to impossible for me to figure out whether my system has been compromised - particularly if something is able to hide itself from Little Snitch.

And I won't even go into the insane number of network accesses that most applications want these days...

But yes, the only sustainable security strategy is education.

[+] hndl|10 years ago|reply
>> "You can't buy security, but you can learn it: http://decentsecurity.com/#/introduction/"

I think that's an incorrect standpoint to take when you factor in how technologically agnostic most folks are. I would better think of it as "security is default, but you can disable it if you really, really want it that way."

[+] lqdc13|10 years ago|reply
I don't personally use AVs but they're useful for people who cannot be taught security.

There is a good amount of intuition that goes into it. Such vulns are relatively rare compared to the things they run into multiple times a day.

[+] coredog64|10 years ago|reply
decentsecurity.com is an effort of InfoSec Taylor Swift (@SwiftOnSecurity). If you can deal with the occasional Cortana fanfic & some Linux trolling it's definitely worth a follow.
[+] epmatsw|10 years ago|reply
Oh my god mailing the report to them crashed their mail server. You can't make this stuff up.
[+] molyss|10 years ago|reply
I didn't understand that part at first, but it is hilarious.

They apparently use their own product on their email server, which unpacked the POC by guessing the password of the archive, scanned the uncompressed file and triggered the bug that was being reported. Love it!

[+] saturncoleus|10 years ago|reply
Can't help but wonder if attackers already knew this. There seem to be quite a few bugs found by taviso in antivirus code in the past few months, which has got to either attract attackers to look more closely at it or possibly break their existing exploits. Either way, it's frightening!

Increasingly, my non-computer-savvy family members ask me what kind of anti-virus they should use. I used to pick one to tell them since I know they aren't as cautious as I am, but I am not sure I have a good answer for them any more. Has AV software reached the point that a lay user is more vulnerable with it than without it?

[+] pfg|10 years ago|reply
My current recommendation when I get asked that question is not to bother with any third-party AV and just use Windows 10 with Windows Defender (unless they're on OS X anyway). When I'm asked to set things up, I switch their default browser to Chrome (or Firefox for those who "don't like Google"), add uBlock Origin and use Click-To-Play for plugins (which, surprisingly, isn't much of an inconvenience once you block ads anyway). If someone asks for extra protection, I add OpenDNS Umbrella to the setup ($20/year for 3 devices), which is a nice additional layer of defense. Chromebooks are also a great option if someone's not doing much other than email, web browsing and such.

My other recommendation is to use a tablet for things like online banking. (Yes, even an outdated Android tablet is probably less likely to catch malware that will steal your money than an average computer.)

[+] rdtsc|10 years ago|reply
> On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process.

Is this a real thing? Hands up, who runs Norton on Linux? Is it because it is used as a central back-end / service to check attachments? But then why does it run as root?

[+] mcpherrinm|10 years ago|reply
At least in the card processing space, one of the PCI requirements is "5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)."

The phrase "commonly affected" is the place to make an argument here, but I'm sure people take the easy option of just running an antivirus.

[+] ajdlinux|10 years ago|reply
Many enterprise environments mandate AV on Linux platforms including workstations.
[+] jlgaddis|10 years ago|reply
It's not uncommon to run vendor x's anti-virus on the PC/desktops and vendor y's anti-virus on the mail systems (often not running a Microsoft operating system).
[+] beernutz|10 years ago|reply
Ok, this is some dark humor:

It looks like the researcher sent a proof-of-concept zip file to Symantec which was password protected with a common password. Symantec's system then tried the common password, extracted the zip, scanned the POC code inside, which crashed their own system.

From the report:

> Project Member Comment 1 by [email protected], Yesterday (42 hours ago)
>
> I think Symantec's mail server guessed the password "infected" and crashed (this password is commonly used among antivirus vendors to exchange samples), because they asked if they had missed a report I sent.
>
> They had missed the report, so I sent it again with a randomly generated password.

[+] hwhatwhatwhat|10 years ago|reply
> This is a remote code execution vulnerability.

I understand how this vulnerability can be used to corrupt the heap, as it's writing more data than malloc was asked to reserve, so it can overwrite memory allocations from other parts of the program.

I am curious as to how one would create a reliable remote code execution exploit out of this? I guess that one may be able to find a function pointer somewhere to overwrite, and use that to control program flow to your shellcode - but as this is dynamically allocated memory, could it not be adjacent to pretty much anything?

How would an attacker approach making a remote code execution exploit, given these constraints? Is it possible in practice or more theoretical?

(I'm not challenging this classification, just would really like to know how this works!)

[+] drewg123|10 years ago|reply
"scan engine is loaded into the kernel (wtf!!!)"

That rings a bell -- I remember back in the early/mid 2000s, when the AV vendors started to port their products to Mac OS X. The Darwin (OS X) kernel/driver mailing lists seemed to get a lot of questions from AV devs, asking how to do things in the kernel that really, really, really should not be in the kernel. It was at that point I resolved to never run any AV software.

[+] yread|10 years ago|reply
Well, at least they handled it fairly quickly - it was submitted on May 6th and according to https://www.symantec.com/security_response/securityupdates/d... a patch was deployed and should be automatically downloaded. I'm running Symantec and LiveUpdate did download some stuff, but nowhere does it say whether version 20151.1.1.4 is already there or not. Ah well.
[+] JustSomeNobody|10 years ago|reply
Operating systems need to offer better protection. I am tired of buying the OS then having to go buy the equivalent of anti-lock brakes, air bags and seat belts from a third party.

This is just a stupid, lazy way of doing business.