
Firewalls, What you need to know...


mouser:
awesome post.

as i was telling philKC on the irc chat, this is the first firewall leak tester that beats me, because it tries to run any non-default browsers it finds on the system, and while i have my default browser blocked, i have others which are allowed to connect through the internet.

the way to defeat this is (and now this is the first demonstration i've seen of why it's important) to have security that alerts you when one program tries to launch another, and allows you to set rules restricting that.  this might still not protect you if the app is already running, but it would save you from most situations.

checking whether your firewalls can block such launches of other programs.  agnitum has some support for this but i have it disabled - i guess its time for me to rethink this..

I also want to comment on the idea of blocking outgoing connections:

I agree 100% with PhilKC that having good outgoing blocking in your firewall is critical - you really do need a firewall with good outgoing blocking rules, but as a layer of protection defense, and as a good way of keeping track of what programs are trying to send information where.

However, it's very important to realize that no matter how good your firewall is, if you actually launch an evil program on your computer, you have lost.

No matter how good your firewall is, launching a trojan on your pc allows it to do whatever it wants and breaching your firewall may be the least of your problems.  Other registry defense and sandboxing tools may help you a little, but basically such a program can do all sorts of damage i think that are going to be hard to stop if the program is truly determined.

To quote from War Games, the only way to win is not to play.

The most important thing is just to not run programs on your pc unless you really trust them.  One exception to this so far is the use of virtual machines, which is making it easier to safely run questionable stuff, since they offer much better sandboxing than other approaches.  In addition to VMWare, there are some free virtual machine tools which may work well enough for this purpose, and it's worth your while to get a virtual machine tool if you do a lot of software testing of questionable files.  See our review here: https://www.donationcoder.com/Reviews/Archive/VirtualMachine/index.html

mouser:
i also wanted to post an extra thanks to philKC who found an amazing registry key: "SOFTWARE\\Clients\\StartMenuInternet\\" which apparently lists all installed browsers on your computer (works for me!), and will be useful to me for next version of browser tray switch.

ps. i don't know what this registry key does - one way to thwart this attack is to rename that key if it's not used for anything important.. the basic attack though could easily use other ways to locate common browser installations.
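The two defensive ideas in mouser's posts above (know which browsers are registered on the box so your outbound rules cover all of them, and get alerted when one program launches a browser) can be put together in a short PowerShell script. This is an added example, not code from the thread or from any product mentioned in it. It assumes the `SOFTWARE\Clients\StartMenuInternet` key PhilKC found plus the 64-bit `WOW6432Node` and per-user `HKCU` variants of it, assumes each browser subkey carries a `shell\open\command` value, and assumes an elevated session so the WMI process-start trace can be registered.

```powershell
# Added example: list browsers registered under StartMenuInternet, then watch
# process starts and report when one of those browsers is launched by a parent
# other than explorer.exe (i.e. not started from the shell by the user).
# Run in an elevated PowerShell; Win32_ProcessStartTrace needs admin rights.

# Registry roots to inspect. HKLM\SOFTWARE\Clients\StartMenuInternet is the key
# from the thread; the WOW6432Node and HKCU locations are assumptions.
$roots = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet',
    'HKCU:\SOFTWARE\Clients\StartMenuInternet'
)

function Get-RegisteredBrowser {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            # Each browser subkey is expected to hold shell\open\command (assumption)
            $cmdKey = "Registry::$($k.Name)\shell\open\command"
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # Reduce the launch command to the executable path: quoted path first,
            # otherwise the first whitespace-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else                          { $exe = ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Name = $k.PSChildName
                Exe  = $exe
                Key  = $k.Name
            }
        }
    }
}

# 1. Inventory: every browser listed here should have an explicit outbound rule
#    in the firewall, not just the default browser.
$browsers = Get-RegisteredBrowser
$browsers | Format-Table Name, Exe -AutoSize

# Image names to watch for, lower-cased for comparison against ProcessName.
$watched = $browsers | ForEach-Object { [IO.Path]::GetFileName($_.Exe).ToLower() } | Sort-Object -Unique

# 2. Launch monitoring: report any watched browser whose parent is not explorer.
Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier BrowserLaunch `
    -MessageData $watched -Action {
    $e = $Event.SourceEventArgs.NewEvent
    if ($Event.MessageData -contains $e.ProcessName.ToLower()) {
        $parent = Get-Process -Id $e.ParentProcessID -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.ProcessName } else { "pid $($e.ParentProcessID)" }
        if ($parentName -ne 'explorer') {
            Write-Host ("{0}  {1} (pid {2}) was started by {3}" -f (Get-Date -Format 'HH:mm:ss'),
                $e.ProcessName, $e.ProcessID, $parentName)
        }
    }
}

# Leave the session open while testing; stop watching with:
#   Unregister-Event -SourceIdentifier BrowserLaunch
```

The inventory step answers the problem mouser describes with non-default browsers: if a browser shows up in the table but has no outbound rule, the leak test can use it. The monitoring step only reports launches; a process-control tool such as the ones discussed later in the thread is what actually blocks them. Note that the parent process may already have exited by the time the event fires, in which case only its PID is shown.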

PhilKC:
However, it's very important to realize that no matter how good your firewall is, if you actually launch an evil program on your computer, you have lost.
-mouser (December 02, 2005, 04:32 AM)
--- End quote ---

And with the increase in IM programs being used to transmit Virii through a trusted source (your friend), it's becoming very difficult to know what's evil...

one way to thwart this attack is to rename that key if its not used for anything important.. the basic attack though could easily use other ways to locate common browser installations.

--- End quote ---

As you said, "this" attack... If the source was closed, and this was in compacted c++, there would be no way to know the key... We (computer users) need a solution, and, in my eyes, it's the firewall makers who are lagging behind

PhilKC

Carol Haynes:
As you said, "this" attack... If the source was closed, and this was in compacted c++, there would be no way to know the key... We (computer users) need a solution, and, in my eyes, it's the firewall makers who are lagging behind
--- End quote ---

They may be lagging behind - but the real issue is really at Microsoft's door - if WindowsXP had some semblance of security built in most of the third party security providers would be unnecessary. I guess MS are being philanthropic!

One solution to this problem is to run something like DiamondCS Process Guard all the time, and don't allow programmes (and I suppose especially browsers) to run automatically (just click OK each time it is an intentional launch). It wouldn't stop the problem if browser windows are already open but it would stop any browser being launched by another program without permission.

The biggest problem I can see is that we have to trust so many programs - many usefully check for updates, use webpages to provide help and support from within the application, use the Internet Explorer engine to display their pages (eg. how many people are running Weather Watcher? that is basically Internet Explorer running all the time it is loaded).

nudone:
great post PhilKC.

can't wait to read the next installment.
