Slashdot Mirror


Check Point Introduces New CPU-Level Threat Prevention

An anonymous reader writes: After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering called SandBlast includes CPU-Level Threat Emulation that was developed in Hyperwise which is able to defeat exploits faster and more accurately than any other solution by leveraging CPU deubgging instruction set in Intel Haswell, unlike known anti-exploitation solutions like kBouncer or ROPecker which use older instruction sets and are therefore bypassable. SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.

56 of 135 comments

  1. It seems to work, too by dreamchaser · · Score: 4, Insightful

    I do a lot of Check Point engineering/consulting services and this is one of the more exciting things they've done in a while. Even though they didn't actually develop it they've done a good job integrating it into their firewall suite. It is not a panacea; nothing in security is, but it is good stuff.

    1. Re:It seems to work, too by Monoman · · Score: 1

      I would rather they buy out a company that has good tech support and services. We have been a CP customer for over a decade and their stuff is great until things go wrong. Dealing with their support/services can be a nightmare at times.

      --
      Keep the Classic Slashdot.
    2. Re:It seems to work, too by dreamchaser · · Score: 1

      Oh I agree. I rarely have to call the TAC but it can be a struggle. That's why a lot of our clients use our support services. I don't work our support desk, I do design/pre-sales/installation/consulting, but the guys who take calls are really good. They rarely have to escalate to the TAC unless it's a bug.

    3. Re:It seems to work, too by Anonymous Coward · · Score: 1

      Take all of this with a grain of salt as I'm an outsider who has never worked for them. This might not be the case with all of their offices. Buuuut....

      To source talent, Check Point uses some of the lowest quality recruiters I've had the, erm, "pleasure" of meeting. You know, the kind of agencies that hire ex-retail workers with a year of total working experience to screen serious IT folk.

      Entry level people are often paid well under $20 per hour for networking-related labour, while "free lunches" (aka never leave your desk again) are used to entice new applicants to join. Where I live, it's more profitable to get a ho-hum office job and avoid IT-related stress. The prevailing truth seems to be it's a great place to work if you're fresh out of post-secondary and utterly desperate to put your papers to use. They also insist on standardized testing for their hires -- the kind of rigorous, jump-through-the-hoops stuff that we all love to hate.

      But don't take my word for it -- cruise the intertubes, and you'll find the usual sort of up-talking about the company that goes on from freshers who lack dignity and self respect. Also: Israel HQ. Thanks, but no thanks.

      I felt compelled to post this because, as other Slashdotters have noted, their software is generally pretty junky. And I figured it might provide some perspective as to why :).

  2. Excited about what deubging Instructions are by Billly+Gates · · Score: 3, Interesting

    I never heard of deubging before and can't seem to find a Wikipedia article on it?

    However, what is to stop malware from using this to avoid detection at the CPU level where there is no footprint? It could be used to disable AV endpoint software as well.

    1. Re:Excited about what deubging Instructions are by AmiMoJo · · Score: 3, Informative

      Those instructions are privileged. If normal software tries to execute them it will simply crash (remember those privileged instruction errors when running old software on Windows 95, Mr. Gates?)

      To execute these instructions the code needs to ask the OS to run it at the highest privilege level, normally reserved for the core OS and certain drivers that need to do some tricky hardware stuff. If a virus can get to that level you are screwed anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re: Excited about what deubging Instructions are by OhSoLaMeow · · Score: 1

      Sandboxing

      That's gotta be even more boring to watch than golf.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  3. Article or press release? by Quinn_Inuit · · Score: 4, Insightful

    Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."

    --
    Stop learning! Only you can prevent esoterrorism.
    1. Re:Article or press release? by cdrudge · · Score: 2

      It doesn't seem like there's much analysis or original thought in this "story."

      I thought almost every /. post was just the first paragraph of the article. There's summaries that aren't just copy/paste jobs?

    2. Re:Article or press release? by bonfirer · · Score: 1

      It doesn't seem like there's much analysis or original thought in this "story."

      I thought almost every /. post was just the first paragraph of the article. There's summaries that aren't just copy/paste jobs?

      Right. PLUS, I haven't seen a comparison to other anti-exploitation methods in any of their PR.

    3. Re:Article or press release? by Quinn_Inuit · · Score: 1

      A fair point. I guess I'm used to it copying the first few paragraphs of an article about the topic, so there's at least some analysis involved. For instance, I thought these two articles from yesterday were much more helpful than a press release-type article like the one in the OP:
      http://tech.slashdot.org/story...
      http://developers.slashdot.org...

      --
      Stop learning! Only you can prevent esoterrorism.
    4. Re:Article or press release? by coofercat · · Score: 1

      It's very informative that they thought to put Checkpoint's trading symbol in the advert^H^H^H^H^H article though, now I know where to invest my money - that's the kind of information I come to slashdot to find.

    5. Re:Article or press release? by sociocapitalist · · Score: 1

      Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."

      I couldn't even get through the summary without choking on the Checkpoint marketing bullshit.

      This might be a good product - might not. What I'm sure of is that it won't fix the underlying problems with the layers of ancient code that they're going to stack it on top of.

      --
      blindly antisocialist = antisocial
  4. Interesting by Tough+Love · · Score: 4, Insightful

    Interesting. It should up the game for threat prevention, however it is a practical certainty that the black hats will learn from this technique in order to develop new and nastier exploits. If they have not already.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  5. White list or you're jerking off by Karmashock · · Score: 2, Interesting

    You have a white list of acceptable code and instructions and those are the only ones permitted...

    Or you're basically daring the hackers that you're smarter than they are and you have thought of and dealt with any conceivable exploit they could think of or find.

    And guess what... you are not smarter than they are... individually man for man... maybe... collectively? Not even remotely.

    And it gets better because not only are you not smarter than them but you're also not aware of every exploit they're going to use.

    Which means your blacklisting of naughty bits of code will accomplish fuck all.

    You stop this by WHITE LISTing good code and good instructions. And yes yes... the thing that makes some things good or bad is the context... but that is implicit in the concept of white listing isn't it, chum? So there you go.

    You white list.

    Now is the home user douchebag going to white list properly? of fucking course not. Fuck him. He's on his fucking own. Sell him some of your blacklist snake oil. But for the SECURE environments... I'm talking about corporate and government systems that you don't want to be a giant fucking shit show... You whitelist or go fuck yourself.

    It's that simple.

    No no... White list... or:
    https://www.youtube.com/watch?...

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:White list or you're jerking off by Anonymous Coward · · Score: 1

      Dangerous comments - you're going to invoke APK talking like that!

    2. Re:White list or you're jerking off by CODiNE · · Score: 1

      And whitelisting blocks ROP?

      --
      Cwm, fjord-bank glyphs vext quiz
    3. Re:White list or you're jerking off by Karmashock · · Score: 1

      How are you introducing the malware into the system? Specifically.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    4. Re:White list or you're jerking off by Karmashock · · Score: 1

      I made it very clear I wasn't trying to protect the home user.

      My context is a secure and managed corporate or government network or data center.

      You lower the bar to "that machine that guy over there is masturbating to" and the only way I can protect that system is to walled garden it so hard that it literally would have to have factory write-locked memory.

      That's the whole security regime on these tablets and smartphones that everyone likes. So the home users are apparently okay with a big company telling everyone what they can and can't install on the machines.

      Fine. That's your solution for the home user.

      And here you might say "what if he downloads something or something is snuck into an app"...

      In the case of downloading something... you don't permit executable code unless it went through your "market" or whatever you want to call these gatekeepers. And as to something getting whitelisted that shouldn't have been whitelisted, the whole point is that you don't do that with a white listing system. So... if you're doing something that is antithetical to the entire design philosophy... I guess that would be a problem... sure.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:White list or you're jerking off by Karmashock · · Score: 1

      Going through your video, the first thing I saw in there was "what happens if someone sends a link to bad executable code to your stupid employees through email?!" ... well, a white listing system would not allow the executable code in the link to do anything. Also the fucking link itself might not even work because depending on the security of the network I might not permit any random computer to talk to your computer.

      Why would I let an email client download and execute any random fucking code in an email? So right off the bat this video has me baffled.

      Skipping past that he's talking burying weird instructions in PDFs etc. One thing I do to avoid that in particular is that I don't use standard programs to open files like that where possible. I use third party programs and one of the fun things about such programs is that while they have exploits their exploits are DIFFERENT. Getting a PDF file to execute X or Y using Adobe Acrobat Reader is a different kettle of fish to getting one of the third party programs to do the same thing.

      It's not a perfect solution to the issue but it is marginally more secure.

      Another thing that I do is that I control the permissions of every program so that it can and cannot do certain things. I'm not giving acrobat the ability to write to the registry or really do anything that it doesn't actually need to do.

      That's really what all of this malware exploits. Overly permissive security settings.

      You lock it down so that only the programs that are supposed to run have permission to run and even then you define what permissions it has while it is running. Can it access the local network? Can it access certain segments of the file system? Can it read or write to system files or the registry?

      You just go through a long list of permissions.

      And the reality is that most programs need very little to actually operate properly.

      Take one of the more annoying applications... the web browser. It has to be able to access pretty much any address, downloads are often required which means we're letting this thing download ANYTHING to the workstation, then the fucking things have to allow HTML, Java, Javascript, cookies, flash, etc. How do you secure that?

      My first step and again... this is a corporate/government secure network context... is that I don't permit you to access just anywhere on the internet. Someone in a context like that doesn't need to get to facebook. They can use a different system for that.

      That alone reduces the threat dramatically.

      The next thing is... sure... I'll let you download something and that something could be fucking awful but you can't "RUN" anything you downloaded. Nothing. Everything comes into the system with the presumption of being full of fucking snakes.

      And if it is a document from a poorly designed file type that can include executable code in a data file... then you deal with that by limiting the permissions of the program itself so it can't really do anything.

      And the firewalls are also going to stop whatever program or malware that got into the system from phoning home.

      I really could go on and on and on. But the point I was making is that rather than trying to define bad code, the security community should be focusing on identifying GOOD code. It's much easier to know what should be allowed to run than not and only give the good code the freedom it needs rather than just give everything fucking root.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    6. Re:White list or you're jerking off by Karmashock · · Score: 1

      You didn't answer my question. How are you introducing the malicious code?

      Answer the question please.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    7. Re:White list or you're jerking off by Karmashock · · Score: 1

      Wrong.

      Rhonda does what she's told or else she gets the hose again. You people keep ignoring the point about this being a secure system.

      We're not talking about whatever jerk off network for idiots at the mustard factory you're running.

      I even cited blocking domains. In secure systems you only permit communication to domains on an explicit basis. You don't let them talk to just fucking anything.

      So for example, facebook is blocked. Why would anyone doing their job need to access facebook? I do permit an isolated wifi network to connect to anything. HOWEVER... that is a BYOD network that office systems will not connect to because not a fucking one of them has a wifi card. They're all wired. And here someone says "what if someone brings a laptop and connects it to the network!?"... then they won't even get an IP address... obviously.

      And then someone says "what if they spoof a MAC address!?" Well, Rhonda isn't doing that. That's a deliberate attempt to breach the network's security which means any pretense of "oops that was just an honest mistake" goes completely out the window. And even then... while you'd get an IP address, you would not get access to servers and any system that connects to the network without doing certain things after it turns on will get flagged even if it has a known MAC address. Which means I'll get a text message within minutes of such a system connecting and then I'll go hunting for someone to mutilate.

      And it goes without saying that you'd need to be INSIDE my network to even do that.

      As to malvertising... I'm not sure what you think the threat is here. If they can't pass executable code to my systems then at best they're going to make someone's eyes bleed with penis enlargement ads or something. I don't really care about that. Beyond that, you're unlikely to be able to serve such ads if I restrict web access to domains that you have a "reason" to check and not just give you permissive access to the entire internet for no reason.

      As to ROP, you're using good code only in part. What you're executing, the order of execution, and the object of execution are instructions you passed to the system. HOW are you introducing that code into the system? I'm having a hard time understanding the infection vector you're suggesting here. Because all the ROP infections I've seen have had very typical infection vectors. Once they were in the system they were a pain in the ass to deal with but you still had to play in the sewer drain to the infection in the first place.

      Look, I don't even give my users a full workstation. Why would I? They use thin clients that link back to a terminal server. And the terminal does not retain changes to clients between boots. Every time they boot into their workstation it is tabula rasa. If they want to save something, they save it to the file server. Point is... even if you were able to infect an endpoint... the infection would be very short lived and wouldn't accomplish anything.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:White list or you're jerking off by Karmashock · · Score: 1

      ... and this was introduced to the computer... HOW?

      did someone walk over to the machine and ejaculate it into the USB port? How did it get into the system?

      I know what ROP is... I want to understand how you're introducing the infection to the system.

      Let's say I have a clean system. Everything is from the factory. I put it together, I install from the DVD.

      Okay... how are you infecting me? Let's say I connect this machine to my organization's firewalled network. So... how are you infecting me? Where is your infected code coming from?

      If you say something about block chains again... I will strangle you with your umbilical cord. The block chains are how the infection operates but it is not how the infection was introduced to the system.

      I want to know how you're getting this in the machine in the first place. HOW are you infecting the machine.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:White list or you're jerking off by Karmashock · · Score: 1

      As to subscriptions for signed modules... I think an open source list system will work just fine.

      As to government hacks getting whitelisted... that's why it has to be open source.

      That said, I think you're overestimating the difficulty here. The trick is to control ways code can be introduced into a system, properly identify that something is or is not code, and then run that code by the white list.

      The trickiest thing is going to be some dumb hybrid file formats that contain executable code for dubious reasons. But that just means you need to control the permissions of those programs so they don't have the permissions to do anything that would be a problem to the system or themselves. And if they can't do anything harmful then the code even if it is going wild inside of excel or whatever is just going to fail to do anything harmful and then drop out of memory on program termination.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    10. Re: White list or you're jerking off by Karmashock · · Score: 1

      Yep... I keep hearing about these demon PDF files... poor Adobe. First flash and now PDF.

      Two issues with this concept.

      1. You're assuming I'm opening the PDF with adobe acrobat. It's a good assumption but it isn't necessarily valid. Lots of programs can open, edit, and write in PDF. I prefer actually to not use acrobat precisely for this reason. I avoid standard programs where convenient. No one cares about acrobat. You change excel or word and people lose their god damned minds. But change acrobat and most people don't even notice.

      2. Any code operating from within acrobat would be using acrobat's own permissions to do whatever. If I restrict those to something tight enough that it can't really do anything then what are you going to do to me? If you can't access the internet to download a proper bit of malware. If you can't modify system settings. If you can't even change your own settings. Why do I care?

      All these exploits rely on essentially shitty security. It's all "well after we sneak by the bank guard we'll just break into that cardboard box they store the money in and we'll be home free"...

      There isn't one layer of defense. There are many layers and getting acrobat or excel to act crazy shouldn't be enough to actually threaten security.

      My systems are locked down to such an extent that I can have a given endpoint entirely 100 percent infected and it still doesn't compromise the network.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    11. Re:White list or you're jerking off by Karmashock · · Score: 1

      I hold the distinction so far as I know of being the only person on this site that has gotten along well with APK... to give you some idea of how crazy you probably think I am.

      He's an interesting guy and unlike most of his detractors he's actually built something that actually works and he actually knows "something". He's abrasive, largely indifferent to the opinions of people he sees as knowing less than him, and somewhat robotic in his communication style.

      That said... I empathize with that entire personality profile since it largely mirrors my own.

      I don't believe in coddling retards. I'd prefer to piss them off and then slap the shit out of them until they learn their place. It's initially annoying but in the long run it is less work to maintain a functional social model if everyone is keenly aware of their place in the hierarchy. As to being indifferent to the opinions of ignorant people... sort of the same thing again. Dumb people have dumb opinions. As to a robotic communication style... I've been accused of that myself many times and I frankly don't see any shame in admitting it. I do have a "rules based" personality. I operate on a core logic. I don't make choices based on emotion. This baffles the humans but it is actually my nature. The reason in my own case is that I do not trust my own instincts or emotional compass to be a reliable guide for action. In my childhood it repeatedly let me down so I learned to think rationally simply as a survival strategy because my instincts are basically broken. As such when I see someone else operating under a rules based mental framework... although a perhaps repetitive one from my perspective... I have some empathy for it.

      The first time I encountered APK he tried to fight me. I kept refusing to get upset, responding rationally, being patient, and offering credit where credit was due. And he eventually started being nice to me. So, progress.

      I have a long history of working with troubled geniuses. I grew up with a few and I work with a few on a regular basis. The world is full of a lot of really smart people that were sadly traumatized by their mentality because it disturbed their early childhood by isolating them.

      A lot of them grow up to be odd people but they're frequently exceptionally productive members of society if you can put up with a little of that oddness and show them a little human compassion and understanding.

      Just my own experience with such things. To each their own.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    12. Re: White list or you're jerking off by Karmashock · · Score: 1

      You're not thinking about this systematically. You're using magical logic and I can't go through the chain of logic when everything looks like a long string of unlinked and unassociated preconceptions. It's just a bunch of givens.

      You're saying
      X=5
      Y=2
      R=94

      etc

      And there's no association or proof or causal chain in it anywhere that I can evaluate.

      You say that if the code gets into a program with limited permission on a network with limited access to specific domains on the internet that someone is going to take over the whole fucking network when the whole thing is knitted up tightly at every fucking level?

      No, motherfucker. Absolutely not.
      https://www.youtube.com/watch?...

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    13. Re:White list or you're jerking off by KGIII · · Score: 1

      Nah, you're not the only one who gets along with him. I get along with him and I don't even usually use a host file - however, I articulated my reasoning and know the consequences of my actions and make that choice based on security versus convenience. He might be a bit abrasive but I have a handy wheel on my mouse and don't actually care to silence anybody. Also, he knows some surprisingly esoteric stuff. I approached him much like you did. I enjoy poking the strange things - that's how you learn stuff. He's harmless and seems to be genuinely concerned with keeping folks protected from malware and ads.

      Then again, I enjoy your comments as well.

      --
      "So long and thanks for all the fish."
    14. Re:White list or you're jerking off by Karmashock · · Score: 1

      It's good to know I'm not alone in this respect. It's always distressing for me to see people ragging on the guy when most of the people doing it are f'ing useless fuckwits.

      If there's anything I decry in the modern era it is that the playing field has been leveled not just between the haves and have nots but also between the competent and incompetent.

      APK is a man on a mission... and he's actually built something pretty cool. To get dog piled by witless nothings is an indignity.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    15. Re:White list or you're jerking off by KGIII · · Score: 1

      Who among us is not abrasive when we know we're right? I'd not take his approach but that's probably because I'm a bit lazy and don't tend to care that much. I've noticed that his comments don't get repeated if nobody mods them down - he seems to repeat them because they are no longer visible by default.

      --
      "So long and thanks for all the fish."
  6. I'm working on something even better by JoeyRox · · Score: 4, Insightful

    Electron-level threat protection. It analyzes randomly-moving electrons to decide how best to separate people from their IT budget dollars.

  7. Re:The strange power of delusional phantasy! by Karmashock · · Score: 2

    There are many companies that offer white listing solutions...

    Here was one I found with a single google search:
    http://www.kaspersky.com/partn...

    I also liked the barrage of toothless AC peasants cackling below you attempting to tag me with rotten produce.

    The white listing system works and has worked for many years and there are many applications of it that are known to work quite well.

    They're paradoxically easier to set up than blacklisting systems because they're a great deal more simple. All you do is make it so the computer can run LESS than it was designed to run and you set LESS to EQUAL what you want it to run. The other things that COULD run on the system before... simply can't.

    I love that you think this is hard to do... think of the way a black listing anti virus system works. It looks for known bad code and then intercepts it. That's how it works.

    A white listing system does the opposite. It intercepts EVERYTHING and prevents ANYTHING whatsoever from running, assuming that anything and everything is a virus... EXCEPT things specifically defined to it as NOT a virus.

    It's the same system only instead of trying to guess every virus and malware possible... I just define whatever is currently running as GOOD and if anything is added to the system then it is ASSUMED to be bad unless otherwise stated.

    It's a very simple system and I operate white lists pervasively on many systems using several of the most popular techniques for implementing them.

    This is fundamental IT security. That you're ignorant of it is not surprising or embarrassing for you. You don't know what you're talking about. I do. I am an expert. You're an AC shit head.

    *wink*

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  8. The final straw by johannesg · · Score: 4, Funny

    The software Checkpoint makes already prevents any kind of useful work from being done on a machine. Now it takes the logical final step, and just completely stops the CPU from doing anything at all! Our IT department will love it for sure. Anything they can do to slow down actual business processes.

    Seriously. We use Checkpoint at work. On a fast machine with an SSD, compiling takes longer than on machines with a normal hard disk...

    1. Re:The final straw by Anonymous Coward · · Score: 1

      > The software Checkpoint makes already prevents any kind of useful work from being done on a machine.

      So it's taking over from McAfee Home Edition?

  9. An Advert by Stonefish · · Score: 4, Insightful

    I expect my ads to be off to the side and not the main course on slashdot. What was the price of this post?
    +2 for subtlety......... cocks

    1. Re:An Advert by nazsco · · Score: 1

      Not to mention the fake first post adds to the ad instead of cursing, as usual. Can it get more obvious?

  10. Re:BINGO by johannesg · · Score: 1

    Your solutions are not solutions at all. You are basing everything on a combination of trust, and techniques of dubious real-world value. That's fine for a few very specific domains, but in the real world things like "time to market" also matter.

    Whitelisting is bullshit. I should not have to rely on a "trusted" list of applications; I should trust that the OS has containers that stop any damage from being done in the first place. And I don't want to give an application either nothing, or the keys to the kingdom, which is essentially what UAC or sudo ask you to do. Let me choose what it gets on a case by case basis: network access, full screen access, access to specific devices and directories, etc.

    Can you write malicious software in Ada or Java? Of course, and it's trivial. Can a person with a CS degree write bad software? Don't make me laugh, I see it every day. Those are not solutions at all.

    The answer is not trust, it is containers with specific, easily understood access rights.
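
The two positions argued in this thread, Karmashock's default-deny allow list (comment 7: intercept everything, run only what is explicitly defined as good) and johannesg's per-application access rights above (network, specific devices and directories), combined into one policy engine as an added example; this is not code from the thread, from Check Point or from any product named here. The program images, hashes, hosts and paths are constructed, and the hash-keyed list with a capability grant per entry is my own modelling of the argument.

```python
"""Default-deny application allow list with per-program capability grants.
Constructed example: images, hashes, hosts and paths are made up, not from the thread."""
import hashlib
import posixpath
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Grant:
    """Capabilities an approved program may use; anything absent is denied."""
    connect_hosts: frozenset = frozenset()  # outbound destinations permitted
    read_dirs: tuple = ()                   # directory trees it may read
    write_dirs: tuple = ()                  # directory trees it may write


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _under(path: str, roots) -> bool:
    """True if the normalized path lies inside one of the root directories.
    Normalizing first means '/home/u/Documents/../../etc/x' is judged as '/etc/x'."""
    norm = posixpath.normpath(path)
    for root in roots:
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root.rstrip("/") + "/"):
            return True
    return False


class AllowList:
    """Default-deny execution policy keyed by SHA-256 of the file image."""

    def __init__(self):
        self._entries = {}  # sha256 hex -> (program name, Grant)

    def approve(self, name: str, image: bytes, grant: Grant) -> None:
        self._entries[sha256_hex(image)] = (name, grant)

    def may_execute(self, image: bytes):
        """Unknown bytes are denied, including an approved binary altered by one byte."""
        entry = self._entries.get(sha256_hex(image))
        if entry is None:
            return DENY, "hash not on allow list"
        return ALLOW, entry[0]

    def may_act(self, image: bytes, action: str, target: str):
        """Decide whether an approved program may perform one action."""
        entry = self._entries.get(sha256_hex(image))
        if entry is None:
            return DENY, "program not approved"
        name, grant = entry
        if action == "connect":
            ok = target in grant.connect_hosts
        elif action == "read":
            ok = _under(target, grant.read_dirs)
        elif action == "write":
            ok = _under(target, grant.write_dirs)
        else:
            ok = False  # an action kind the policy does not know is denied
        return (ALLOW if ok else DENY), f"{name}: {action} {target}"


# Constructed file images standing in for real executables.
PDF_VIEWER = b"\x7fELF constructed third-party pdf viewer v1.0"
TAMPERED_VIEWER = PDF_VIEWER[:-1] + b"1"  # differs in one byte
EMAIL_ATTACHMENT = b"MZ constructed attachment reached via an e-mail link"


def build_demo_policy() -> AllowList:
    """Only the viewer is approved, and it may only reach the file server
    and the user's documents; every other host and path is denied."""
    policy = AllowList()
    policy.approve("pdfviewer", PDF_VIEWER, Grant(
        connect_hosts=frozenset({"files.corp.example"}),
        read_dirs=("/home/user/Documents", "/usr/share/fonts"),
        write_dirs=("/home/user/Documents",),
    ))
    return policy


def demo_decisions(policy: AllowList) -> dict:
    """Events of the kind argued about in the thread, with the policy's verdicts."""
    def act(action, target):
        return policy.may_act(PDF_VIEWER, action, target)[0]
    return {
        "run viewer": policy.may_execute(PDF_VIEWER)[0],
        "run tampered viewer": policy.may_execute(TAMPERED_VIEWER)[0],
        "run e-mail attachment": policy.may_execute(EMAIL_ATTACHMENT)[0],
        "viewer connects to file server": act("connect", "files.corp.example"),
        "viewer connects to ad network": act("connect", "ads.example"),
        "viewer writes a document": act("write", "/home/user/Documents/report.pdf"),
        "viewer writes through '..'": act("write", "/home/user/Documents/../../../etc/passwd"),
        "viewer writes a system file": act("write", "/etc/ld.so.preload"),
        "viewer edits the registry": act("registry", "HKLM/Software"),
    }
```

Note that the policy denies by construction rather than by recognising anything as bad: the tampered viewer and the attachment fail because no rule admits them, and the path check normalizes before comparing so a `..` segment cannot turn a documents grant into a system-file write.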

  11. Re:Well by Anonymous Coward · · Score: 1

    http://l4hq.org/projects/os/
    http://ssrg.nicta.com.au/

    Please excuse me for brutally pasting this here:

      Past achievements of the SSRG team include:

            World's first formal proof of functional correctness of a complete, general-purpose operating-system kernel, plus a proof that the kernel binary is a correct translation of the C implementation;
            Formal proofs of isolation properties (integrity and confidentiality) of the seL4; together with the above this establishes a complete proof chain from high-level security properties to the kernel binary, making seL4 the first provably secure OS kernel;
            First-ever sound and complete timing analysis of a protected multi-tasking operating system kernel
            Two papers accepted to SOSP'09 (including a best-paper award). These are the first papers from Australia in the 42-year history of the top OS conference;
            Design and implementation of a high-performance capability-based secure microkernel (seL4) that integrates kernel and user resources in the same protection and management framework;
            All recent Apple iOS devices ship with a security processor controlled by a fork of our L4-embedded microkernel;
            A new approach to the design of device drivers which eliminates the majority of typical driver bugs by construction (Dingo);
            A comprehensive approach to accurate energy management via dynamic voltage and frequency scaling that does not rely on pre-characterisation or inaccurate models of the hardware (Koala);
            Highest message-passing performance ever reported on a number of architectures.
            A review of the impact of process simulation research upon software systems published at ACM Impact Project workshop.
            The Lending Industry XML Initiative (LIXI) developed and released industry-wide reference business processes, architectures and implementations for lending transactions to more than 100 Australian financial firms.
            Contributed to ISO/IEC/IEEE 42010 Systems and software engineering Architecture description standard.
            Our Empirical Software Engineering team named one of the three top research groups in the field in Communications of the ACM
            Our spinout company Open Kernel Labs has deployed OKL4, its descendant of our L4-embedded microkernel, in billions of mobile devices.

  12. Re:BINGO by aberglas · · Score: 1

    Yes, but you also demand vast amounts of useless functionality. 100% compatibility with every ill-conceived feature that has ever been added in the past. To be in lock step with the latest fads in UI. And that means huge amounts of code, and huge amounts of complexity.

    Which is why your containers will leak like a sieve.

  13. Re:Your WALL OF TEXT by Karmashock · · Score: 1

    Why would I talk to double click? I don't even talk to double click on my personal machine at home? why would I let a protected system talk to doubleclick?

    Access denied.

    I'm generally a believer in not running code that I don't need to run. That extends to javascript.

    I am currently blocking about 5~7 domains from serving javascript on this site alone... right now. And I've seen sites that were trying to push me to run 20+ javascript domains for a single page.

    It's dumb.

    I run script when it serves a purpose. And then I only run the script that I need to run to permit that purpose. And I do not permit domains I do not trust to run anything.

    I've never seen anything where I "had" to run double click. I feel bad about it sometimes because the sites likely lose ad revenue. But I'm not running the code. I will happily display the image but the code... no.

    As to embedding malware in a PNG file, my understanding is that you're not infecting anything with that file unless the image file is not merely displayed but run as an executable.

    It's less that some image files contain viruses than that you can write an executable so that it displays as an image if given the appropriate file extension. But so far as I know, the image file itself will not infect anything unless executed rather than being read as an image.

    Correct me if I'm wrong. If that works then the web browsers are more incompetent than I had imagined.

    Regardless, I don't run scripts or access domains that I don't need something from. I'm quite happy to give them nothing.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  14. Re:Well by Karmashock · · Score: 1

    As to PDFs... two things.

    1. I try to use non-standard applications for such uses where I can get away with it. Acrobat reader for example is one I generally replace with a third party alternative. Your executable code will assume acrobat and it won't get passed anywhere via that little tweak all by itself.

    2. The PDF readers etc have restricted permissions. The code in the file uses the application's own permissions to do things and it doesn't have the permissions to do anything that would threaten me. Is there a reason I need to give Excel Network or internet access? Any reason to give Excel access to system settings? What is it going to do?

    The workstations are thin clients that connect to a terminal server. And the templates refresh on each login so even if you corrupted excel some how it would be clean again on the next load.

    As to the IT industry being full of suckers... I would agree. They seem entirely incapable of grasping what it means to put on your game face... to go to war over the network. They don't take any of it seriously and frankly I think a lot of that attitude is why other aspects of business and government actually don't take IT seriously. It shows. You are serious or you're not taken seriously.

    So they pay the price over and over again. They get treated like shit and their systems get raped by the first black hat that really tries. Fuckwits.

    Is my system perfect? It's as close to perfect as I've been able to make it. It's pretty fucking secure. There have been many attempts and... I believe no breaches ever. Can I know? It's possible. It's just not very likely. I don't just have firewalls but I also have a very robust logging and reporting regime. Lots of things are logged and a penetration should show up in the logs.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  15. Re:The strange power of delusional phantasy! by drinkypoo · · Score: 1

    You're arguing with APK, right? It seems like his "No, this isn't APK, you can tell because I didn't mention hosts files in this comment" style. Don't do that. It's a waste of time. He doesn't even write funny responses. HTH, HAND.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:The strange power of delusional phantasy! by Karmashock · · Score: 1

    I get along with APK just fine. I've had a few discussions with him. I like him. :-D

    Unlike most of the people that diss him he actually knows something, has accomplished something, and has one of the few novel perspectives on stuff.

    Does he go on and on about his host file thing? Yeah. The man is advertising to a certain extent. He hears all these problems and he's like "my program solves this" and everyone is like "fuck you you're stupid!"... think about how that would make you feel.

    As I said, I get along with him just fine.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  17. Re:Your WALL OF TEXT by Karmashock · · Score: 1

    hmmm... I'm still seeing the presupposition that the program in question has the permissions. And you're still forgetting the firewalls.

    I mean... fine... you might get by ONE defense by doing something like this but to actually be effective you need to get past them all. And I don't see that happening.

    I mean, fine... you get some code into active memory... great... but what permissions does it have? It's going to inherit the permissions of the host program. So you're inheriting the permissions of what? Internet explorer/firefox/chrome/opera/whatever? Congrats. Its permissions are shit.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  18. Re: Your WALL OF TEXT by Karmashock · · Score: 1

    I do it on a very large network, dude.

    I do a lot of it with control of DNS servers. If you're talking about blocking doubleclick.. I mean... that's an easy one.

    The whitelisting isn't just for programs. It's for web domains as well. We have several different networks but for this discussion you just need to know there is an unlocked Wifi Network for people to facebook on and there is a HEAVILY locked down wired network, which is what the machines I actually give a shit about are connected to...

    Totally scalable. And in case you're curious... we have about a dozen external IPs though most of them are for specific servers. In so far as the users are concerned there are TWO IPs. The locked down wired network and the everything goes download horse porn network. And never the twain shall they meet.

    Look look look.

    Here's the thing. Security is very very serious in my context. Enough that... well there are security guys with guns... and those guns have bullets in them.

    So... Keep that in mind when you're saying something I'm saying isn't realistic. It isn't just realistic... it's every fucking day. It's just high security.

    How many of you guys operate managed air gapped networks? That's one of our layers of security for the archives amongst other things.

    Is this reasonable for everyone? No. But it's reasonable for more people than do it. A lot of these corporate and government breaches could have been stopped if they had been more serious about it. Sure, an Ed Snowden can nail you if one of your IT people goes rogue. But short of that, I don't see how you break a system like this... and even the Ed Snowden thing has a solution. The solution is drastic... but effective.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  19. Is there an echo in here? by phonewebcam · · Score: 1
    1. Re:Is there an echo in here? by bonfirer · · Score: 1

      Not even closely related let alone "same" ... read both articles again

  20. Re:Thanks Karmashock... apk by Karmashock · · Score: 1

    It doesn't matter. I only get harassed by a couple AC trolls... I recognized one of them... and I've decided to call him "bingo the clowno"... :)

    Oh and communists don't like me because whenever their failed ideology comes up I take some joy in rubbing their stupid faces in it.

    Besides that... I generally get along with everyone.

    APK, have you thought of making an application of your DNS hostfile thing ON a Raspberry pi? Like actually package it as an appliance image?

    Because the Pi has more than enough brain power and bandwidth to handle a network DNS server. The pi costs about 30 USD.

    My main issue with your program is that while it is applicable to ONE computer I'd like to try it on a wider network. Point the router DNS to the Pi and then have the Pi effectively filter the DNS results of the entire network.

    Maybe I'm being dumb and there is already a superior product for this that you'd like to suggest. I do operate a lot of DNS servers in the few networks I manage but controlling these subscription based DNS lists is not practical.

    Just an idea and all the best.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  21. Re:Wasn't me Karmashock... apk by Karmashock · · Score: 1

    On the issue of hostfiles I like the concept of security through DNS because it eliminates a huge number of threat vectors very cheaply and is very hard to bypass.

    The virus would have to have its own DNS query system which would increase the complexity, code size, and detection surface of the malware.

    I think DNS filtration should be a bigger aspect of firewall operation. Obviously a proper firewall has to expand that to IP filtration.

    I'd like to see two way filtration based on DNS name wherein if the DNS name is redirected to localhost the firewall is also made aware of the correct IP for that hostname and also blocks any attempt for that IP to be accessed at the firewall level.

    Managing all the fucking IPs I have to make available at the firewall is irritating. I passively block anything not on the allowed list on the high security network. Whereas I use more of a blacklisting system for medium security networks. The low security ones only block pornography and known blackhat IPs.

    Anyway, if you ever came along with something that made managing a really comprehensive blacklist for a large network easy... you could get yacht money. Just fyi for thee. We're currently still managing a lot of this stuff manually. There are tools that try to help but they generally are all for show and don't actually work when the barrel is against your temple and the hammer cocks back.

    And in a high security network... that is PRECISELY when the fucking thing needs to work. We both see these nutty hack demos at the hacker conventions where things are just WIDE OPEN to attack. And I'm sure it baffles you as much as it baffles me.

    I think to some extent it explains the shift to cloud services. The clouds for all their sins generally have "better" security. Good? Great?... perhaps not. But better than nothing.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  22. Re:Your WALL OF TEXT by Karmashock · · Score: 1

    ... sure you could nest a million different things in there that will serially defeat everything but I don't see it working in one shot like that.

    My experience with these things is that they contain one or two things in them to break through and then the presumption is that they'll be home free.

    If the security is layered and pervasive and customized and contains lots of brute force defenses like write locked files or protocol shifts or nasty firewalls.

    I've never even heard of a malware that worked like that.

    Even the whole stuxnet thing which was a state sponsored malware attack wasn't as sophisticated as what you're suggesting.

    And while... sure it could work, I think you'd need to have detailed insider knowledge of how my systems are set up to actually design such a thing properly. You can't just guess.

    I don't believe in being standard. Standards can be studied and war gamed against, and defeated prior to battle even being joined. If you're non-standard then no preconceived attack can reliably work without insider knowledge of the structure.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  23. Re:DNS & hosts = bread & butter... apk by Karmashock · · Score: 1

    As to electricity, I'm talking about a Pi to do it which would gobble 5 watts of juice.

    Oh well, I don't know what you do professionally but if you came up with an appliance application of your software that could be integrated into a network... It would be worth yacht money.

    As to OpenDNS... I've had some problems with their DNS lists.

    But again, the concept here that would be GOLDEN would be a recursive white/black list that associated Domain and IP address firewall rules in a manner that if you blocked a Domain, the system would do a DNS query for that domain, capture all the IP addresses associated with it and then block both the Domain AND the associated IP addresses.

    And likewise, blocking an IP address should do a DNS query to find domains associated with that IP address... and at least give the option to block the listed domain associated with the IP address as well as all other associated IP addresses linked to the domain.

    There are some programs that work with hardcoded IP addresses that they link to. Obviously knocking the DNS out makes it MUCH harder for malware to operate on your system. BUT, we have to keep in mind that we're in an arms race here and the opposition will of course resort to IP addresses if they feel that DNS is a fatal liability for their attacks. And as such obviously any proper firewall has to filter IP addresses.

    The problem I have with that is that managing all those IP addresses is a pain in the ass. Google has a zillion IP addresses. So how do I enable all the addresses for Google? Sure, they have an IP range which you can enable or disable. But they're not all contiguous which means they still need to be cited separately and they do get added to occasionally which is annoying.

    A smarter firewall rules management system with a fixation on hostname resolution to IP or IP to hostname would be interesting. Again... it would be worth yacht money.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
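
    The domain/IP cross-referencing idea in the two posts above (blocking a hostname, sinkholing it in DNS, and also blocking every address it resolves to; and the reverse, going from an address back to the names served on it) can be sketched as a small defensive tool. The block below is an added example and is not the poster's software, nor any product named in the thread. It assumes a constructed forward-DNS table (hypothetical names on RFC 5737 documentation addresses) standing in for live lookups, so it runs offline; a real version would replace `FORWARD` with resolver queries. The `follow_shared_ips` option implements the "recursive" step the post asks for and is off by default, because on shared hosting or a CDN one blocked name can pull in unrelated sites on the same address.

```python
"""Turn a domain blocklist into hosts-file sinkhole entries and IP firewall rules.

Added example (not from the original posts). FORWARD is constructed sample data
standing in for real DNS lookups; names and addresses are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Constructed forward-DNS data: hostname -> addresses it resolves to.
# 192.0.2.0/24 and 198.51.100.0/24 are reserved documentation ranges.
FORWARD = {
    "ads.example.net": ["192.0.2.10", "192.0.2.11"],
    "tracker.example.org": ["192.0.2.11", "198.51.100.7"],   # shares .11 with ads
    "cdn.example.com": ["198.51.100.20"],
    "static.example.com": ["198.51.100.21"],
}


def reverse_map(forward):
    """Invert the forward table: address -> sorted names that resolve to it.

    This is the 'IP -> domains' direction the post wants when an address is
    blocked and the operator wants to see which names would be affected."""
    rev = defaultdict(set)
    for name, ips in forward.items():
        for ip in ips:
            rev[ip].add(name)
    return {ip: sorted(names) for ip, names in rev.items()}


def expand_domains(blocked_domains, forward, follow_shared_ips=False):
    """Expand a domain blocklist into (domains, ips).

    Every address a blocked name resolves to is collected. With
    follow_shared_ips=True, other names that resolve to any of those addresses
    are added too, and their addresses in turn (the recursive step). Keep it
    off unless you accept over-blocking on shared hosting."""
    rev = reverse_map(forward)
    domains = set(blocked_domains)
    ips = set()
    frontier = list(blocked_domains)
    while frontier:
        name = frontier.pop()
        for ip in forward.get(name, []):
            ips.add(ip)
            if not follow_shared_ips:
                continue
            for other in rev.get(ip, []):
                if other not in domains:
                    domains.add(other)
                    frontier.append(other)
    return sorted(domains), sorted(ips, key=ipaddress.ip_address)


def hosts_entries(domains, sink="0.0.0.0"):
    """Hosts-file lines that sinkhole each blocked name (0.0.0.0 fails fast,
    unlike 127.0.0.1 which may hit a local listener)."""
    return [f"{sink} {d}" for d in domains]


def firewall_rules(ips):
    """Collapse adjacent addresses into the fewest CIDR blocks and emit one
    generic 'deny <cidr>' line per block; adapt the syntax to the firewall."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in ips)
    return [f"deny {net}" for net in nets]


if __name__ == "__main__":
    doms, addrs = expand_domains(["ads.example.net"], FORWARD, follow_shared_ips=True)
    print("\n".join(hosts_entries(doms)))
    print("\n".join(firewall_rules(addrs)))
```

    Run as a script it prints the hosts entries for `ads.example.net` and, because the recursive option is on, for `tracker.example.org` as well, followed by two collapsed deny rules. The CIDR collapsing is what addresses the "zillion non-contiguous addresses" complaint: adjacent /32s become one block, everything else stays a single-address rule, and the rule list is regenerated from the blocklist rather than edited by hand.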
  24. Re:Questions, Possibles, & Suggestions... apk by Karmashock · · Score: 1

    Sounds like you've earned your rest.

    It's nice to find someone else here that agrees that the solution to all this sneaky security shit is to brute force block it.

    It's always some new buffer overflow this or memory exploit that. Who can be bothered to keep up with it all? It wasn't a problem in the pre internet age and it is a problem now. So the problem is the access and the need to limit it to what it needs to be rather than anything any person anywhere could possibly want ever. Which is generally how people run their networks.

    As to email servers and filtered DNS. You don't need to only have one DNS server. :D

    Tell the work stations to use DNS server 1 which is locked down. Tell Server group A to use DNS server 2. etc.

    I am playing around with some open source firewalls. It's currently making me want to hurt small animals because the damned thing accepts the command, shows the command was accepted, and then ignores it. :-D

    That is the face of insanity.

    As an aside, with the nonsense with ICANN, I feel an increasing need to internalize DNS within the organization. DNS is just an internet phonebook really. Nothing says I have to list or not list what ICANN wants in the list.

    I'm watching the EU slowly move to suggest certain sites be stripped of their domains. It's mostly criminal sites but any authoritarian measure starts with "let's do it for the children" type arguments.

    Something that should be kickstartered or something... I'd do it if I had the balls... would be to push the cheap appliance DNS servers that are so simple any idiot could plug them in. As a political statement on top of anything else. Just make it clear to the politicians etc that actually the internet is an entirely arbitrary framework; there are no choke points for them to exploit to enforce their various whims.

    Sorry... I'm a crazy American... I burn with a certain zeal for such things. I can't help it.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  25. Re:Your WALL OF TEXT by Karmashock · · Score: 1

    When I find someone has made an error, I tell them not only that they made the error but the nature of the error and help educate them so they learn from the experience.

    Let's say I'm wrong as a given here... what did I learn or did you teach me simply by saying I was wrong? I don't understand the error you're suggesting I made here. You've given me not only no opportunity to validate your opinion as to whether YOU are right but you've also given me no opportunity to correct my own opinion.

    Can you explain my error in some detail please so I can validate its accuracy and if it is accurate correct my own thinking.

    What I tend to find in these security discussions where someone says "you're wrong karma" is that they assume one LAYER of security is ALL the security. I'm just guessing you're going to say "this thing you said wouldn't stop X"... okay but what about the security walls before that one thing and after that thing and so on? Eh?

    I do a lot of BRUTE FORCE things to secure my networks. Start with what I feel are good initial premises.

    1. I don't assume that I've thought of everything.
    2. I don't assume that my code is perfect.
    3. I don't assume that I'm smarter than my attacker.
    4. I don't assume that they're simply not going to make the effort.

    That's just some basic thoughts in my head as I deal with this situation.

    I don't try to make some perfect egg shell defense. My network is more like a motte and bailey castle. Layers.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  26. Re:Layered security/Defense in depth works by Karmashock · · Score: 1

    On the issue of DNS, so long as the exchange server doesn't use Open DNS but the rest of the network does, I think in your scenario things would have been fine, no?

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  27. Re:Sorry for late reply & no... apk by Karmashock · · Score: 1

    I'm sure you'll get issues. I'm just saying it is possible to mitigate them if you understand what is causing the problem.

    I don't have a problem with an email server having a fairly permissive internet connection. I'm more inclined to restrict the connections of workstations.

    That said... obviously the email server needs a heuristic firewall. And I've seen many email servers that are only permitted to connect to specific machines. As in... you cannot send addresses on that server unless you're on a whitelist or in a VPNed intranet. It does make sending emails to that server harder but then the only people sending or receiving emails in that system don't especially care since security is more important... and the first thing they do whenever they use their laptops to do work is login to the VPN. So they wouldn't care anyway.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  28. Re:Cause = AD dependency on DNS by Karmashock · · Score: 1

    Yeah but you're supposed to use nested DNS.

    host file > AD > Router linked DNS which can be OpenDNS.

    So you point the workstation at the server as you would normally. Then you point the server at the router or whatever your DNS server is which can have OpenDNS set as its DNS and... no worries.

    There are issues and more than what I've cited here but you can deal with it if you're determined.

    I like your host file system. I'll fuck around with some scripts to see if I can burn the feature into a server.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.