Domain: diamondcs.com.au
Stories and comments across the archive that link to diamondcs.com.au.
Comments · 16
-
Re:Wow good job Red Hat.
I'm not talking about any single commercial in particular. As a general take on all of the commercials combined the message is basically thus; if you switch from Windows to Mac OS X you will never have to worry about any security issues ever. Wrong. There is no security magic bullet. Contrary to whatever that kid from Jeepers Creepers says.
As for Vista's new security, it's basically a take on ProcessGuard which I have used and loved for a long time. Every executable file you run is hashed and then compared to the database. If that executable is not in the database or has a hash different than what is listed it triggers a prompt.
In other words, just like the Windows firewall, Vista's new security feature is a watered down version of better and more popular security software. The difference is that now every clueless Joe Sixpack that buys a Vista PC will have these things included instead of having to buy it separately. That's damn good news for the internet. Fewer zombies, less identity theft. It would be nice to never get another hacker paying for auctions with a stolen paypal account, to never have your IRC server dropped by a spoiled child, no more SMTP relays pumping millions of spam emails. Oh that would be such a dream. That will probably never happen but the fewer idiots getting owned, the better for the rest of us.
-
Re:Next Step
how to disable autorun
3rd party program prompts before executing unknown code/drivers, prevents hooks, etc
If Microsoft adds this stuff by default they are being anti-competitive. If they don't then they are selling an insecure OS. Basically they are damned if they do, damned if they don't. Windows has plenty of leaks but there are plenty of ways to plug them. The days of relying on Windows to include everything for you should have ended in 2001. -
More than one solution to the problem
There are different requirements for enterprise use than for personal use. I will try to help out a bit for those in the corporate world. For example, SpyBot and Ad-Aware are only free for personal use. Because of this, IT shops are not supposed to use this without buying a license. So what should an underfunded IT department use?
Anti-Virus: Yeah, it's usually not great for catching spyware, but the latest versions of all vendors should at least slow down some of it. In our organization, we have several different versions of Norton Anti-Virus, from 7.x to 10.0. So if one PC has lots of problems with spyware, putting version 10.0 on there helps fight it automatically.
Microsoft Anti-Spyware: This is a pretty good tool for unmanaged environments. It is better than Ad-Aware or SpyBot, from my experience. I am not sure of the licensing, however, since we don't use it here.
Autoruns and Process Explorer: These are fantastic products that you can use at work for free, as long as you always download it from www.sysinternals.com when you put them on a PC. Autoruns will give way too much information about what starts up and what has hooks into the OS. To the average user, this can be overwhelming and even dangerous, so make sure you know what you're doing when you remove something. Process Explorer is a great tool for seeing what is running. It is miles better than Task Manager that ships with Windows. It shows you what hooks into what processes and will even allow you to pause a running application!
StartupList and HijackThis: These two programs will help you figure out what kind of nasty stuff you might have running. I am not aware of the licensing issues with these, as I usually use Autoruns instead.
APT, APM, and TaskMan+: These three tools are process explorer type utilities. However, with APT and APM, you can unload a certain DLL file. This is very useful if you have a dll that you can't delete and that keeps regenerating all of the other junk you just removed. Simply unload the DLL from anything it is hooked into and then you can delete everything. TaskMan+ lets you kill almost any process, including services. Best of all, these products are licensed without restriction.
I hope these help. Sorry I can't write more but I'm at work fighting off the bad stuff myself ;) -
Re:Strider ghostbuster...
UBCD4WIN now comes with RootKitty (freeware).
http://www.ubcd4win.com/forum/index.php?showtopic= 2424
As for shareware rootkit removers, it took about 30 seconds for me to find these:
http://www.diamondcs.com.au/processguard/
http://www.greatis.com/unhackme/
http://www.wenpoint.com/product/product.html (HiddenFinder) -
Re:There is a solution
-
Re:wow....
Just tested on Windows Server 2003...
.shs, .pif, .url, and .shb files exhibit this behavior. I do not have microsoft access installed, so the .mam and .mad files show up as normal.
I looked a little more into it, and there is a NeverShowExt REG_SZ entry in the registry for each file type that does this. Here it is described in detail.
I would suggest searching through the registry for NeverShowExt and deleting the occurrences you find under HKCR. Be careful editing your registry, do it only if you know what you're doing, etc. -
Re:Here's how to do it on Win2k
Dellater will delete a file the next time Windows boots, while the splash screen is displaying. I had to use it on a particularlly nasty bug that had 2 processes running. You'd kill the first and the second would restart it.. Delete the "Run" registry entry and it'd come right back. They even started in safe mode. Dellater allowed me to delete the exe's when I rebooted then go in and delete the registry keys and finish cleaning the mess.
-
Groann
Disabling this is as simple as killing the process, then using APM to unload MadCHook.dll and createprocesshook.dll from each process. An alternative is to blank dbGames.ini, save and set "Read-Only" (though in some cases, this will not work, as the file will be set as "In-Use") Curiously, for something that is supposed to be entirely local, it frequently wanted to access the internet. Whether this was for Database Update, or to act as spyware, I haven't determined yet.
-
Re:exe != wiretap
If the prosecution has no way of verifying that the files found were not tampered with, then they will lose, and the technology will be refined until they can verify that no tampering was done.
Under your 'Do the right thing' scenario, the police will not only always lose, but they will render any computer evidence completely inadmissible by installing such a program. How can you determine if a file is created by police.exe or by the user behind the mouse and keyboard? There is absolutely no way to verify if the evidence is real or planted. Further, the prosecution won't care. Prosecuting lawyers don't care about being right. They care about winning. They will do everything in their power to hide the technical details, claiming they can't turn over info on the program itself for national security reasons or some other some other steaming pile of BS.
Have a look at the ridiculous crap they're using. The simple fact that it uses rot-13 should speak volumes. Oh and look at that: "open ip:port", "put filespec". Isn't that convenient. The average cop using this thing can't even figure out how to remove the bot's email address from the registry. Now suppose just one of those cops has a brain and a grudge, or perhaps h4x0r cop has no scruples and is looking for that big promotion. Whatever the case, you are screwed and the 'good guys' won't be any wiser. Why? You said it yourself:
People accept that and trust that there are controls in place to prevent Law Enforcement from manipulating them for nefarious purpose. The same would be true in tapping of a computer.
I'm not talking about a big evil conspiracy. Remove all the checks and balances and it only takes one bad apple. Without the full text of the law I can't be certain, but from the looks of it this is really bad news for Australia. Recording keystrokes is bad enough since it catches a lot of text you never actually save or send anywhere. Not specifically baring remote access and arbitrary code execution however removes any similarity to wiretapping/bugging and makes framing anyone a piece of cake.
-
If you must run unpatched and connected...
...then carefully remove as much Microsoft software from your machine as possible.
Start with MSIE and MS Outlook, then MS-Office (replace them with FireFox, ThunderBird and OpenOffice, respectively). Really dig in and make sure every trace of them has been removed, don't stop at believing what the MS uninstaller tells you about MS Outlook.
Don't offer any shares, even to the LAN (get people to dump stuff elsewhere on the LAN and you pick it up from there), connect to the minimum number of shares (zero if possible) and for the shortest reasonable time.
Run a good firewall.
Pray a lot.
One more option: if you have a modern Linux box around, throw LogicWave at WINE on that and see how far it gets. If it doesn't work outright, maybe you can hack up an interface to the actual analyser in WINE. That'd be a lot of effort for one workstation, but if you have 20 or so it might be worthwhile. -
Re:Bah Apple did it before
NTFS has "Streams", essentially a more generic case of the HFS. You don't just have two forks, you have a nearly infinite number of forks/streams, with the unnamed stream being the "normal" file. Windows uses this forks for file descriptions and a few other things. But nearly nobody knows this feature. It seems even the virus programmers don't (ab)use it.
Google found among others this page explaining those streams a little more.
The most evil thing about streams is that you can only see the default stream using "onboard" tools like "dir" or the Explorer.
Tux2000
-
Re:Hypocrites.Sorry, but Sygate has one major problem - it does not attempt to intercept and filter traffic over the loopback interface (127.0.0.1). This means that if you are running any proxy software that uses this address (e.g. Proxomitron, WebWasher, Naviscope, MailWasher) then any and every application on your system can access the Internet using the rules you have set up for the proxy. See the loopback vulnerability thread from the Sygate forums for more detailed information.
This is also a problem for the firewall I use, Outpost since it has a default System rule of "Allow Loopback" - however this can be removed, fixing the problem. You then need (and will be prompted) to create separate rules for each application that needs access via the proxy software.
That's about as secure as you can make an average home users computer without uberexpensive corporate solutions
I'm going to disagree with you again here...running anti-virus software is still a necessity and if you download a lot from "questionable" sources (IRC, P2P, Usenet), then Anti-Trojan software is strongly recommended. The best here appear to be TDS-3 and TrojanHunter. Also, running an application firewall (one that intercepts calls between Windows applications) like System Safety Monitor can do a lot to prevent malware from getting started on your system.
-
Yes, that's exactly what I said.
immunity is exposed by infection. It isn't created out of thin air as needed
Wrong. That's exactly the way our immune systems work in some ways. The body has innate immunity against certain germs i.e. the immunity exists before the germ even infects.
Yes, that's exactly what I said. "Innate immunity" is the same as immunity "exposed by infection" in the same way that rocks are exposed as the tide goes out.
BTW, we do have pre-emptive antivirus software.
This is different to how the body deals with novel attackers; the body patterns a specialised defensive cell after the attacker (kind-of makes a negative of the attacker). Then defenders bred from that cell can then bind with and neutralise the attackers, in principle before they destroy anything valuable.
-
You *need* to get out and about more
I've never met anybody who was smart enough to write a good virus and simultaneously preferred using Microsoft Windows as his/her desktop OS.
I can introduce you to at least four. One of them writes anti-trojan software for his living.
-
Trojan Defense System is better
Australian made and amazingly comprehensive, especially under the hood.
-
Hidden A.D.S. A.P.I.?
The original Java developers were Unix programmers, Windows users, and Mac dilettantes. The I/O APIs they invented were more than a little Unix-centric in both obvious and not-so-obvious ways, and really didn't port very well. For instance, initially they assumed that the file system had a single root. This is true on Unix, but false on Windows and the Mac. Both the new and old I/O APIs still assume that the complete contents of a file can be accessed as a stream (true on Windows and Unix but false on the Mac).
I'm no Java expert, but I'm sceptical that *all* the contents of a Windows file can be accessed as a stream. What about the hidden NT Alternate Data Streams? They can't be deleted (apart from the file to which they are attached), and can even be attached to directories. This is analogous to the Macintosh Resorce Fork.