Recurrent question

Nope.

Read again. I wrote "in a given scenario" for a reason. If the scenario changes, you have to re-evaluate your measures. However, that does in no way change the binary nature of security.

cu

59cobalt

Here's something for you. I did a Google search for your phrase "the binary nature of security" and came up with this. Kinda interesting and informative... note the last paragraph before the quotes end.. :)

"Does Security Have A Binary Nature? A primary critique of the attempt to arrive at a single scalar measure of security can be summarized as the "binary nature of security." [8, 9] The view here is that a system either has a security flaw or it doesn't. This has a long tradition: either a (security) proof is correct, or it isn't; either an algorithm is correct, or it isn't. In this view, assigning a numeric value is problematic: while an initial security review that misses a subtle flaw would give a system a high security rating, a subsequent review that discovers the flaw should cause the rating to plummet to zero.

What is missing here is that security is truly binary -- but only in an information theoretic setting. By this, I mean that the evaluators/attackers having unrestricted code inspection and unlimited computational resources. Here unrestricted code inspection is required because in live systems limits such as account lock- out when maximum login attempts are reached can limit the amount of information that is learned by the experimenter. In lieu of unrestricted code inspection, we can substitute instead the ability to revert the system to an earlier state.

Clearly, when in such an information theoretic setting where computational resources are unlimited, exhaustively testing all reachable states of a system is feasible. By doing so and seeing if any undesirable states are reachable, we can determine if the system is secure.

Of course, real computing systems do not operate in an information theoretic setting. If that were the case, not much beyond one-time pads could be used. "

Here's the link if you want to see the entire thing:

http://66.102.7.104/search?q=cache:KPPfVb3fBIkJ:

Obviously once bad code has executed it's too late, but even then PFW's can still prevent some (dumb/old?) code from calling out. It may not prevent changes to the OS but it's better than nothing, and can keep the problem local. Some people have installed a PFW which has then alerted them to trojans already running and connecting out.

I had a look at breakout-en.c. At a guess it locates the IE window, sends the url to it and whacks the return key for you. Is this roughly correct?

While downloading

AVG said: Virus detected while opening file: C:\\Documents and Settings\\#\\Desktop\\breakout-en.exe Trojan horse Clicker.XH Ah. First it's a virus then it's a trojan :) The AVG database said: Clicker - The exact description is not available. 1st catch to AVG.

I tried to run it in a sandbox and got an "access is denied" error as expected. I had to disable the resident scanner and quit AVG to get access to the file. 2nd catch to AVG. Then I ran it without explorer running and got your message, then checked the sandbox to see that no files were in it. I ran it sandboxed again with IE open but it couldn't find IE, so I ran it unsandboxed with IE running and received "The page cannot be displayed." I checked ethereal and no packets had gone out. As I use Firefox or Opera on this computer I have denied IE all access using Outpost Pro (which I've been trying for a couple of weeks now). 3rd catch to Outpost. So the IE rule was deleted. I ran it again and Outpost asked if IE could access the internet. 4th catch to Outpost. Then a rule was created to allow IE to access the internet and breakout accessed your website through IE.

So AVG caught it twice and Outpost caught it twice. If IE had been my default browser only AVG would have stopped it. I don't know how long AVG has been able to detect it but when breakout was written it probably went undetected by anti-virus programs. So this seems to me like a browser vulnerability that exploits the fact that a browser is allowed through the firewall, rather than an actual firewall exploit. More than that it is a user exploit because I forgot to use my brain and ran untrusted code. So once I ran it I was toast anyway, it could have wreaked havoc on my HD and left me with no firewall or OS.

Breakout can do me no harm from the outside, I have to download it and run it. Therefore it can't negate the fact that some PFW's are useful for external protection. It also needs to latch on to a program which is allowed through the firewall. Therefore if I had no PFW installed Breakout should be able to latch on to any program I have installed and have full remote access with programs I have currently blocked access to. With a PFW installed it can only call out through programs that already have access through the firewall.

On the subject of the XP firewall, as that blocks no outbound it is inferior in that respect to firewalls that can block some outbound and therefore not as useful. Breakout would automatically get past the XP firewall.

Outpost contained Breakout and IE until I removed all references to IE from the rules.

I'd say that more than half is old and dumb. If we stop protecting against the old stuff people can go back to using it against us.

What, svchost.exe?. ZoneAlarm calls it "Generic Host Process for Win32 Services", which it got from the file description. Get

it and look for svchost.exe. I have two instances running, the others I had previously closed. The first says: C:\\WINDOWS\\system32\\svchost -k rpcss I don't want RPC accessing the internet.

The second says: C:\\WINDOWS\\System32\\svchost.exe -k netsvcs If I right click it and select properties then click the services tab it says: Services registered in this process: AudioSrv Windows Audio CryptSvc Cryptographic Services dmserver Logical Disk Manager Netman Network Connections Themes Themes winmgmt Windows Management Instrumentation

If I click Netman it tells me it "Manages objects in the Network and Dial-up Connections folder, in which you can view both local area network and remote connections."

None of these has any need to access the internet so I can safely deny all access to svchost.exe without losing any functionality. It's a doddle :)

I did say protocols. :)

I know. But it's theirs now.

Ric

Ok, let me also ask you this.. VB is constantly recommending the Windows Firewall over any personal firewall. Now let's take the average teenage home user. He installs Kazaa cause he wants to do p2p and grab mp3's and maybe apps or p*rn, all kinds of stuff. There's no talking him out of it either, he's going to use Kazaa no matter how much you tell him not to. And God knows what comes bundled with Kazaa nowadays, right? Could be spyware, malware, who knows?

So what do you recommend to someone like this for "security" (and there are millions of them, in fact at any one time 4 million + online using Kazaa alone, so you know there are millions in this situation). Let's say he has an AV already. Ok, that's good. But what does he use for a firewall? You're going to recommend the Windows Firewall? :)

Given that his "security" is dubious at best, would it not be better to at least use *something* in the way of a personal firewall and try to at least block some of the outbound nonsense resulting from the garbage Kazaa installs?

We would all have to agree that he is not "secure", so given that, what's his best option, assuming that he insists on using p2p apps and doing unsavory things? This, by the way, is typical behavior and the situation for millions of people, and there's no stopping it.

Kerodo quoted:

That's not to say they cannot - the problem is we don't have the math to operate a general purpose computing system in an information theoretic setting.

This statement currently cannot be mathematically proved or disproved - even when given a definition of "not much".

Triffid

*sigh*

OK, please explain, how you would define "security". What do you mean with "being secure". "Some attempt is better than none"?

Yours, VB.

This is wrong BTW: for a given scenario where this matters, also the computing power of the attackers will be defined.

Beside that, I would not define security "binary", like Ansgar. But I'm requesting to distinguish between provisions which make one secure against a given scenario and provisions which do not, as I requested in

Useless I'd call provisions like "Personal Firewalls" for controlling already running malware, which lead into the situation, that it's very unlikely to gain control over a sensible attacker. If you want to, then they're building class [D].

Yours, VB.

Kerodo wrote: [Kaaza]

I'd recommend using other software. There are many much better P2P networking implementations.

Even if it's useless, so he can say "I've done at least _anything_, so it's not my fault after all"? No, thank you. This will not make him more secure, this will not make the other users in the Internet more secure at all.

Yes, and the "Personal Firewall" providers are enforcing this situation by lying: "We can stop phoning home applications!!!11!!111 Install our product and you're secure!!!11!1111"

Yours, VB.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^

This is an oxymoron.

Yes. Which has alerted it. Like "acroread.exe wants to call out!!!11!!11" - "No, I don't want this!!!11!! This bad, bad phoning home!!111!!111"

And no Adobe Reader updates any more, and the next Adobe Reader hole leads to thousands of extra 0wned boxes. And it's the fault of the "Personal Firewalls", all these thousands of extra 0wned boxes are there, because the concept of asking the user is b0rken.

Yes.

It is proof of concept code. You can download

and compile it yourself.

Your AV solution outclasses itself here, because to classify POC code as "Virus / Trojan horse" is so ridiculous, that I'm happy to see the providers of "security" software are capitulating ;-)

BTW: anti-virus software works, as I stated already.

No problem. This works with any browser. It's POC code. If you don't understand the idea of a proof-of-concept, you're testing is useless.

POC code for firefox you're getting here:

I did not write POC code for Opera, while this should be as easy as for Internet Explorer and Mozilla Firefox, because it's not the fault of the browsers what's going on here. You can try yourself.

AVG can catch it, as any AV program can - I stated this for times and times now, could you _please_ aknowledge this now?

Outpost did not.

Outpost just catched the IE, because you're not using IE as your default browser (unlike 80% of the users do), and you didn't try out the POC code for your browser:

This exactly is what I'm saying. Outpost cannot stop such "phoning home" at all.

No. It has nothing to do with a browser vulnerability. Please read the source code.

And it's the declaration of bankruptcy for AVG to detect this completely harmless binary as "Virus / Trojan". There is no code at all, which could do harm in it, maybe with the exception of doing harm to the sales figures of "Personal Firewall" software, when people are realizing, that they were fooled of such manufacturers.

*sigh* - we're _talking_ here about running untrusted code, aren't we? "What is if malware already is running" is the _topic_.

Yes. The next reasons, why "Personal Firewalls" are useless. You can fight this a little bit by not working as Administrator, so the "Personal Firewall" software has more rights than the malware code.

But with Outpost, you're likely losing here, too, because Outpost installs system services, which open Windows, and very likely Outpost itself will be the software program, which makes your computer unsecure in this scenario.

No. You can use the Windows-Firewall for example, and it is sensible to do so, as I stated.

Yes. And the default Webbrowser, what do you think, the default Webbrowser, has it access to the web or not?

It is not inferior. Windows-Firewall cannot block this communication. Outpost cannot do so. No "Personal Firewall" can block such communication.

So they're all identical in this matter.

Yes. You know what svchost.exe is. I know it.

And, please tell me: how many of the _home_ _users_ know such things? I'd guess the number to 0% of the home users, rounded to .1%.

What is "theirs"? The TCP/IP network protocol familiy? IBTD.

Yours, VB.

I guess we all could go on and on here, but there isn't much point in that unless we just enjoy hearing ourselves talk... I guess what I am trying to say is, a personal firewall can still be useful to at least alert a person to something trying to connect outbound, whereas Windows firewall will not do this. I realize this doesn't guarantee "security", but I still believe the pf can be useful to some degree, at least as an alert mechanism. This is about the only reason I would use one. It let's me know if and when something odd tries to dial out (rare but it could happen), at which point I would probably just restore my HD from an image and be done with it if there was a problem.

I personally just use a router and an AV here most of the time. My habits are good generally, and fairly safe. I have never seen any malware on my machine, and viruses are extremely rare, it's been years since I have seen one at all.

But a lot of people are not safe in their internet habits and for them, a pf might be useful, more so than just the Windows firewall. It might not be what you'd call "security", but it can still be useful.

Kerodo wrote: ["Personal Firewalls"]

To make that clear: here we can meet.

Of course, some people who are using, let's say, Sygate as analysis tool for network connections, can use it, and it's useful for them.

I have nothing against this point of view. This might be true. I personally would prefer other tools for network analysis, but why not?

My point is, that no-one managed to show me that "Personal Firewalls" are increasing the level of security of PCs for their primary users, the home users. At least they're doing this not compared with best practice (stopping TCP servers and RPC) or the Windows-Firewall.

But I have many facts here that lead to the perception that "Personal Firewalls" _decrease_ the level of security of PCs for their primary users, the home users. As a result of these facts, I'm judging, that "Personal Firewalls" at least are useless for the security of a home user's PC, and in many cases even are dangerous.

If you have other sights and views, I'm happy to hear them. Maybe sometimes in the future there will be _one_ _single_ manufacturer of a "Personal Firewall", who will implement useful and sensible things, like a Tor or AN.ON client, or an easy to use OpenPGP implementation, or at least _anything_, with which an home user can do something sensible.

Perhaps. *sigh*

Yours, VB.

I was referring to installed trojans not PDF reading software. That would be the fault of the user not the PFW. What about an alert like "donaldduck.exe wants to connect to the internet?" Are we not allowed to control donaldduck and the like because some people don't know what Adobe Reader is?

Thanks.

I suspect AVG is programmed to recognize the breakout file itself rather than evaluating the code as malicious.

I understand. It's a few minutes work, simple code to prove a point. It could be adapted to open the default browser, connect out, then visit a remote site and download and run some code (which could have been included in breakout anyway). Breakout as it stands would be useful for "the user has to be tricked into visiting a malicious website" type vulnerabilities, but can be adapted in many ways.

Yes. Do you know how long it was from release of Breakout till the AV programs had it added to their sigs?

Yes it did. I had to change my firewall rules twice before Breakout/IE got any packets out.

Agreed.

I did try breakout-mozilla-firefox.exe but nothing happens when I double-click it or run it from the command line. Nothing in the sandbox, no traffic in ethereal and cpu stays 100% idle. So I had to use breakout-en.exe and IE.

I did. Like you said the coder needs know nothing about firewalls, just send the url to the browser window. If it's not a browser vulnerability why is a different version required for each browser, yet both versions will bypass any firewall?

I'd guess that if you added a useless function and recompiled it, AVG would not recognize it. Developers don't like to be seen to be vulnerable to POC stuff.

Then who ran it if not me? If it comes in through the usual malware/spyware channels then things like AdAware and Spybot can help. Process Explorer will show you what's running and HijackThis will allow you to control what runs at startup.

Good advice. I should follow it myself one day. It seems second nature to do this with Debian, but I never get round to it with XP.

"Amongst the many things this malware does, all of which require admin rights, are:

• Creating files in the system32 directory. * Terminating various processes. * Disabling the Windows Firewall. * Downloading and writing files to the system32 directory. * Deletes registry values in HKLM.

All these fail if the user running the e-mail client is not an administrator."

That's from: "Browsing the Web and Reading E-mail Safely as an Administrator"

where the more stubborn ones can download DropMyRights.msi to help offset the problems of running as admin.

Yes, I don't like Outpost and it won't last long on this computer. It does have ok logging though.

According to

"Currently, 0 out of 3 Secunia advisories, are marked as "Unpatched" in the Secunia database."

See below.

They can. Mine did until I changed the rules. This only works with programs that already have access. What Breakout does do is pose the question, what good is application control if programs can be so easily manipulated? But it doesn't bypass packet filter rules.

I don't know. But my firewall isn't useless because some people don't know how to use theirs.

If I had said I don't use any microsoft networking protocols someone would have said "what about TCP/IP?" :)

Ric

No. This is what I'm criticizing: it is a braindead & b0rken concept to ask the only person who has no clue of what's going on with such questions: the home user.

Because of this, of course it's the fault of the "Personal Firewall" providers to implement such ridiculous and dumb concepts in software for home users.

It's not home user's fault not to know what's going on - it's her/his FSM-dammed *RIGHT* not to know, what's going on technically, but just _use_ their computer, isn't it? Especially, if she/he buys _security_ software for being _protected_.

AVG has a virus signature for breakout-en.exe. And this is ridiculous.

No.

This is not the point. The point is, that with arbitrary URLs you can send arbitrary data, you can "phone home". If you want to have a remote control software for example (sometimes called a "Trojan"), you can have a look on Alexander Bernauer's wwwsh. He used my POC code to demonstrate, that it's easy to write such a software with it. No "Personal Firewall" in our test managed to detect this communication.

Outpost did NOT, because you have used the _WRONG_ POC code for the situation on your PC. The POC code we're talking about is written for the situation having Internet Explorer as the default browser. And all what Outpost detected was, that you're using Internet Explorer now.

Please try the code for Mozilla Firefox, if this is your default browser. If it doesn't work, let us work out the correct code for your testing environment.

This is POC code, not a working malware. For a working malware, I'd hack code for any widespread browser into the program (ca. 20 lines per browser), and would use the right code for the default browser, of course.

OK. Then maybe this code is not compatible with your Firefox version. I only tested on a German version of Mozilla Firefox, and it's some days ago.

It's not a vulnerability, because the browsers are just doing what they're designed for. They're working perfectly in this case. Please read:

This is nonsense.

So we agree, that you can remove your "Personal Firewall" and enable the Windows-Firewall, and nothing will change (with the exception, that you'll not have the problems of your "Personal Firewall" any more)? ;-)

*sigh* - I will not comment this any more. If you cannot understand the idea behind "proof of concept" and why this has nothing to do with a real attack, then this discussion will not lead into something sensible.

Yes. Of course. With your _default_ _webbrowser_, because this program _does_ have access.

Yes. Exactly. You will understand at last?

It's not _necessary_ to even _obey_ application filtering, you just can _go_ _around_ this ridiculous door, because there is no wall around it!

Congratulations! You got the point!

[svchost.exe and port 53]

Please be honest. We both know, that nearly nobody of the home users have a clue of such things, don't we?

Someone knowing nothing about network protocols. The TCP/IP network protocol family is not from Microsoft. Not at all.

Yours, VB.

Uninstall Kazaa.

If he insists on using Kazaa, there's nothing you can do to help him. You can't secure an apartment if the owner insists on keeping the door wide open. Simply give up and enjoy yourself. It's not worth the effort trying.

cu

59-that was easy-cobalt

While I can sympathize with this view, there is no device or software intelligent enough to make the decision for them. Certainly not PFW's.

Do you know of any software that can achieve this? How about a free version for those that won't pay money for a solution like this?

This is more the job of anti-virus/trojan/malware.

Which proves that it can only communicate through a browser that is allowed through the firewall, but then just about every home computer has a default browser that is allowed access.

Firefox 1.5

I would have swapped one set of problems for another. :)

I've understood that for quite a while now, and I think many others in this group have as well. What people are saying is that despite their failings they still find PFW's useful.

Those that do might be a small percentage but they still amount to a high number of people. In the right hands they can be useful tools. In the wrong hands they will give you a sense of security when you have none.

Now you are being insulting and nitpicking :) I didn't say ...... never mind.

Ric

Oh yes, there is a way to decide: just keep the PC which should be protected clean from running malware, and forget the useless popup idea. It does not work.

Don't ask the user, she/he will decide wrong anyway.

Yes, I'm working with Macintosh computers from time to time ;-)

Would be nice. But all what I can see as "Desktop for Linux" or BSDs unfortunately is trying to rebuild all errors of Windows.

Yes.

This is a beta version. I did not test with pre-releases at all. But of course, it's not a big problem to create POC code for Mozilla Firefox Beta, too. Just try this at home ;-)

No, why?

Then please explain _one_ _single_ _feature_ of a "Personal Firewall", which results into more security, which cannot be achived much easier without a "Personal Firewall".

Do you remember? I'm listing here problems, b0rken concepts and security breaches of such "Personal Firewalls" now for a while:

- installing system services which open windows, for example Sygate and Outpost, which is a security breach

- opening useless popups, which usually are leading into wrong decisions from home users, and at best are abused by malware like the AutoClicker shows us

- giving a "good feeling" to home users, where they better shouldn't have one by lying to them "we defended you from an ICMP attack from 127.0.0.1!"

- adding extra code to an already complex system, and by that increasing the code base for possible exploits (as the Witty-worm showed)

- implementing counter-productive and completely incompetent concepts like "filtering out PINs" et.al., as for example Zone Alarm and Symantec Norton do

- making PCs vulnerable to extra DoS attacks like the SelfDoS attack, i.e. Outpost, Sygate, Zone Alarm and Symantec Norton do so

- making PCs slow and nearly unusable as a side effect of this bloatware, like Symantec Norton does

... (to be continued ;-)

And what can you report about good things, one gets by installing a "Personal Firewall"?

At best: "if one knows much about IT and networking, one could use them sensibly, if one does not want to use better tools".

Very convincing ;-)

This I can sign. And as a result of the fact, that they're offered for home users and the most of all the people, who are using them, are not able to use them sensible, they're useless for the most of all the people. And they're even endangering them.

Beside the question, I really don't understand why one wants to use a "Personal Firewall", if one has a deep knowledge about computers and networking, and there are so many other useful tools in the wild, which are not implementations of incompetency like many of the "Personal Firewalls" are ;-) But of course, everybody can decide themselves ;-)

Yours, VB.

Yes. But if the user has no PFW they get no pop-up and the packets get out anyway. If they get a pop-up and don't know what to do they will guess. If they guess wrong the packets get out as if they had no PFW, and they are left with a false sense of security. If they guess right the packets are blocked. At least there's a 50% chance of being right. This is assuming that something like Breakout doesn't answer the pop-up for them. :)

I don't think pop-ups should usually be enabled on a PFW anyway, unless in learning mode for configuring new programs. It seems best to delete _all_ the default rules, deny everything (log instead of alert), then make a rule for everything that needs access.

And? Do you mean OS X? :)

The windows firewall comes with it's own set of problems. If I want to use it I have to install ICS, and have ports permanently open. And I think Microsoft's security reputation speaks for itself.

They stop my keyboard from phoning home. Why should my keyboard want to phone home? It's a Microsoft Internet Pro Keyboard, and I like it apart from this strange fault/feature.

They can offer fine ICMP control. Firewall logs are always good a source of amusement. Logs may be sorted by source IP, source port, destination port etc.

Yes. A stupid thing to do.

Bad config.

And scan sites like grc telling you that because you passed their "stealth test" you are invisible to "hackers" on the internet.

Like wanting to install ICS when you enable the XP firewall.

Here's a little help. :)

"Software Firewalls versus Wormhole Tunnels This article explains how the PCAP library on Windows can be used to render software firewalls and client VPN environments ineffective, easily bypassing traditional security measures."

"Software Firewalls: Made of Straw? Part 1 of 2 This article looks at design issues with software firewalls that can render them useless in several ways." "Software Firewalls: Made of Straw? Part 2 of 2 Part two looks at Layered Service Provider based Trojans hidden in the protocol stack, providing stealthy communication through an open firewall port." Bypassing Windows Personal FW's

ACK. It takes a while to figure out which ports apps/protocols usually run on, but PFW's can help to teach people this. Admittedly a few good books might be better, but playing with PFW's can be interesting.

Unless it involves pop-ups? ;-)

OS X has it's problems as well.

's the first time an OS has made the Sans Top 20.

I used the Powerbook G4's for a couple of weeks earlier in the year. OS X looked but I had to spend most of the time with the hardware :(

Oops. I just tried it. No open port. It's been a while.

It only does it once every 2 or 3 months. If it did it more often I'd redirect it to a computer on the LAN and get a dump, and answer it with netcat. I'd like to know what its up to, or at least in which direction most of the traffic flows.

I'm trying. :)

ICMP control will secure you from enumeration. Logging is like belated security. You can check your logs and see what you might have prevented if you checked your logs more often :) The most obvious of course is restricting access to services by IP address, which I think most firewalls (XP included) are reasonably good at. Most exploits seem to be trying to get out rather than in.

The less said about Norton....

Then maybe people should be encouraged to buy a router instead of using the Windows firewall. If someone has trouble configuring a PFW then they will have trouble configuring Windows firewall _and_ windows services.

I'd say again that a router fits the bill but then I see enough posts saying "how do I configure my router?"

Yes, of course. Categories lesser than Windows, but it's not absolutely secure against anything.

These "experts" are writing here: "MacOS includes software that has critical vulnerabilities and Apple has a patch policy, described below, that do not allow us to be more specific in identifying the elements of MacOS that contain the critical vulnerabilities."

This is completely ridiculous. With every security update of Apple you're receiving a description, which component was vulnerable for what exactly. Just read them.

And even if Apple would not do this, our "experts" could have a quick look onto what was patched, couldn't they?

So those "experts" are none.

Sorry, please post something substantiated, not something about evil, which does "not allow us to be more specific".

You were unlucky with your device? Sincere condolences ;-)

No. Or: please define "enumeration".

Home users, please. They don't have a clue of technics, please remember that.

There is no difference in security by doing this. But: why not?

Home users don't need to configure the Windows-Firewall at all. It's there in the default config, and that's it.

With

there is a one-click configuration for stopping services with Windows 2000 and Windows XP before SP2. They have to do one single click. And that's it.

Only routers fit the requirements for home users, which have a sensible default configuration. Forget the rest.

Yours, VB.