Is the traditional way of work of many security solutions literally "dead" ?

Hello,

I know that this subject can possibly has been discussed in some place on this forum, but I have inumerous doubts regarding this (and have not found any topic with something similar to what I would like to discuss), and would like to know your opinions.

Speaking for myself, I current have installed in all my machines Comodo Firewall Pro V3, BOClean and Avira AntiVir Personal Editon Classic (only until the new CAVS be released). I also use good practices while browsing the web, and don’t worry about it the majority of the time, because I have a good knowkedgement regarding this subject. I am not a expert, but I am not a newbie, too.

I also know that the new CPF V3 has a HIPS System integrated, and that the future version of CAVS will integrates with BOClean, among other powerful features.

So, my doubt is: is the traditional way of work of many security solutions based on signature files “dead”? Is the pro-active systems (like the one inserted on CFP and like the new “ThreatFire” by PCTools) the future of security, leaving the traditional and old method on the past, and make it use unnecessary?

Can we expect that one day we will only have pro-active systems on our machines, based on the “community learning” or not?

Can we expect that only using a tool like CFP 3, together with good practices while browsing the web is enough to protect us from any malware?

I was thinking on it due to the crescent increase, day by day, of new types of malwares, that growing much more faster than the capacity of the security companies in detects them, and so update his solutions.

Is the HIPS systems, the behaviour analysis, the use of very good alternatives like Defense+, CleanPC mode (on CFP 3) and, sometimes, “sandboxies”, more reliable and secure than the tradition model of signature based solutions? Can we assume that this way of work is enough for the present days?

Even the heuristic system is not enough, in my opinion, because I have already experienced very bad experiences with it, with constants false-positives, etc. And “heuristic” is not the same thing that HIPS and/or pro-active defense systems, in my opinion.

I have tried in the last days the tools SandBoxie and SafeSpace, but I am not sure if the slowing that it causes to the computer is acceptable (except for the cases when we want to “try” some software without cause any damage/modification to our systems) when all we want is “security” and “speed”. Of course, alternatives like that really provides a secure enviroment, but what is the cost?

So, due to the above, what do you think about? Can we expect for a day when only an unique solution “non signature based” will be enough for our security?

What your opinion?

Regards

Signature based detections alone will not suffice in the future, but some hacker technologies are looking like they may die a short death:

Rootkits (Windows vista will not allow kernel mode access, so rootkits will be able to be removed with a lot more certainty)

Some types of Buffer Overflow exploits (Windows vista loads critical system processes into different locations in memory on every reboot).

Increased process isolation (Windows Vista: I THINK a process can no longer inject a DLL into another process within memory)

TPM modules, (Most modern day processors, partially implemented in Windows Vista and will increase with future versions of windows) Can’t infect a program file if it is encrypted on disk and isolated in memory.

etc.

Information security is changing, one type of attack disappears and another one emerges.

One thing is for sure, the resources (Mainly intellect) needed to create exploits is going to increase.

Potentally off topic:

How TPM works(Very Rough, going of stuff I read a fair few months ago so it may not be 100% accurate):

TPM is a DRM technology which in my opinion is going to be a key tool in anti-competitive behavior which the laws in each respective country will have “deal with” eventually. The TPM chip is the hardware component of what supports the “Bit locker” functionality in Windows Vista, basically it works on public key encryption. So lets say I buy program “A”, in the purchase process I give the company my public key, they encrypt the body of the program with that key. Then they send the program to me, I can then run the program because the “header” stub retrieves the key from the TPM chip on my computer and decrypts the “body” of the program with that key. They have a way to make sure that only the appropriate program can retrieve the appropriate key, not sure on the details with that. Since I am the only one with that private key/public key combination I am the only one that can run the program on that one computer, in effect program “A” is locked into the computer.

A group of companies are implementing this (A google search should reveal who). Since this “Group” of companies control who they allow to have a key in the TPM chip, they control who’s software can be protected by the TPM chip…

…and i will no longer be able to install my licensed AV software on a new computer… and will be forced to use cracks 'cos i don’t want to pay another time for the thing i already bought.

as for the security methods… Signature-based methods may become the least effective part of security, but i don’t believe it’ll ever die. Yes, behavior analysis is much more effective in terms of malware detection, but it also gives plenty of “false positives”… maybe an “intellectual” behaviour analysis can save the day - giving less false positives but again, leaving a chance to avoid it since the “dumb” method check EVERY action, and the “clever” one alerts only when it thinks the action is suspicious, and by now it’s the power user who knows WHAT is suspicious in every particular case. Combined with a safelist - it could lead to more secure environment. BUT. Signature-based detection is by far the one and only method that 100% guarantees the user that when the alert is shown - there IS something malicious. Average users don’t know what is a “suspicious” action, they know only “good programs” and “viruses”. If the AV doesn’t detect it - they believe the software is safe no matter what alerts it generates. When a tiny game asks for internet connection, modifies system files and tries to install kernel driver- it is probably an unknown malware, but they will never know that. No AV alerts - no viruses. They think AV is 100% secure. And that’s why signature based detection will never die. 'Cos if it dies - it will lead to even more insecurity.

Umm…

If I remember correctly, I’ve read way some time ago (must be a year or so at least???), that TPM “technology”, combined with a new line of “unique ID” processor technology, are the future of MS hardware-based “spy” technology.

Can anyone confirm this? Anyone read about this too?

If Vista already implements this technique, well, then, I ask: Can VISTA, by any means, be more “secure” than former OS’s?

It rather seems to me, that paradigms have change.
Software access to the hardware kernel only allowed for allied software companies (Paid or none)

And, in the end…
Doesn’t that mean there is now a new dimension of “hardware spyware” and “homephoning” technology implanted into the whole thingie?

If yes (I hope I’m wrong here?) there’s no doubt that Linux would be the only reasonable alternative.

Melih, can you please let us know your precious opinion on this?

Cheers

Vulnerability in Vista announced this morning that allows for privelege escalation - hello rootkit!

And, Rotty?

DRM technology means elevated security now?

I sincerely doubt that. Remember the SONY rookie?

In Sony’s understanding, this was part of D.igital R.ights M.anagement, too, yay?
So the thought behind it was good, but in effect it created new open doors.

What’s the difference between SW rootkit teq and HW ID teq?
Only difference maybe the amount of user’s trust in something. Right?

What the hell…

Panic: Nothing is impossible (-:, Vista means better security not perfect security…

Sony had a half-baked DRM measure, poorly planned and poorly implemented.

TPM and driver signing make up the copy protection scheme along with locking down the OS in general (Process isolation) etc. The drive signing system seems to be complicated but I am not sure on the pricing, this would be as cheap or expensive as Microsoft wants… I cannot find any information about the pricing of the TPM key’s either. I am not sure whether the TPM chip is fully implemented yet.

The security that is to be implemented is a two edged sword ;D, on one side Microsoft and co (Those involved in implementing the TPM chip/Support) to my understanding fully control who’s software is protected by the TPM module. This COULD go as far as killing any chance linux has, charging at such a high price that new software producers starting up, don’t have a chance on earth of being able to afford the copy protection. Hence the smaller software companies release software that is much easier to ■■■■■ (Because they can’t afford otherwise), and they are forced off the market while the companies that can pay a large amount per year don’t have their software pirated (In theory). I did search but I can’t find details as to how much Microsoft is charging for copy protection with the TPM chip?

The second edge is that for the DRM to be successful, Microsoft and co have to lock down the channel from the hardware to ring 3 (User mode) the ENTIRE channel needs to be protected. Kernel and/or hardware hacks mean game over. The side-effect of this is that processes are more isolated, the kernel is locked-down (A lot less kernel mode rootkits) along with a swag of other protections that symantec papers cover fairly well.

A third issue is that a company will not longer be able to reverse engineer a competitors product for the purpose of interoperability, since I am no lawyer I won’t comment on the legal aspects. But technically, this means that programs such as open office may no longer be able to support Microsoft Word document formats.

My issue with this is that Microsoft and co have too much power, this in theory could lead to anti-competitive behavior and higher consumer prices because of decreased competition (Even though piracy might be lower, less competition will most likely destroy any price benefit to do with decreased piracy).

I would fully support an independent party to give out access to the TPM DRM protection capabilities instead of Microsoft and co.

http://www.symantec.com/avcenter/reference/Security_Implications_of_Windows_Vista.pdf

Getting back on topic, the above are the factors that WILL have to be taken into account to develop the next generation of malware.

ANY protection can be cracked as long as you have the binary in your hands. So no, piracy wouldn’t be gone :))))

What if the body of the binary is encrypted, the TPM chip as I understand it, holds a private key, in the full implementation of the TPM module you give the person/company you are buying the product of your public key. They then encrypt the body with your public key, when you run the program the “Header” retrieves the private key from the TPM chip and decrypts the program. Thus, the binary is encrypted on the hard drive, and when run is isolated and protected from the hardware to the OS, to Usermode.

Vista does checks very often to check that someone is not using hardware reversing techniques.

If Microsoft and co go to far, the courts in each respective country may decide that the TPM module is no longer used for the primary purpose of DRM but for anti-competitive behavior. And within a week shops will spring up with a hardware and software hack.

This may hinder file-infecter viruses.

then what about installing software on “different” (upgraded) computers? my brother changes the hardware often and now he is no longer able to activate Windows Vista via internet, he has to call Microsoft…

I was a tad incorrect on exactly how TPM works:

I imagine that your friend would have to call the company to “Activate” the product/transfer to a new computer assuming your licensed to do so (I am not 100% sure on this).

I really can’t see Microsoft and Co NOT getting so greedy as to take full advantage and start using the technology in anti-competitive ways. We will have to wait and see. Linux also seems to have the ability to take advantage of the TPM chip. But since the Linux groups don’t own the technology I can’t see Microsoft and Co letting this last long…

Things I look forward to with TPM and Vista:

Cheating is stopped in online games
A more hardened OS against malware (By no means perfect).
Run as limited user by default

Bad things:

Possibly less interoperability (I don’t know for sure so don’t quote me, and I am NOT a lawyer but I THINK that interoperability is protected so there might be a chance that defeating the DRM in certain countries MIGHT be legal for the purpose of interoperability) Seek legal advice on this topic.

Less control over media we have licensed, this in most markets is not an issue as there is fair competition. The problem I have is that markets that have one or two competitors now have FULL control over pricing, as people can no longer pirate stuff. While I don’t support piracy, I support keeping them honest.

Moving software from one computer to another is most likely going to be very painful.

At the end of the day, it will be totally defeated. Which means the criminals get the stuff for free without all the hassles and the majority of people that do the right thing, have to put up with the DRM and the hassles associated with that. And no doubt, hackers will find a new swag of tricks to use.

I imagine that your friend would have to call the company to "Activate" the product/transfer to a new computer assuming your licensed to do so (I am not 100% sure on this).

this must mean there must an “if/else” somewhere (to apply a new activation code), and therefore it is crackable…
I always say that any protection can be cracked. If not cracked - it can be bypassed. If not bypassed - it can be cracked.
Maybe it will be more complicated, but nevertheless - StarForce and various dongle protections are being cracked.

That depends on what activation involves.

activation involves something server-side and something software-side. Since software is located on YOUR machine, not the remote server - therefore it could be cracked or maybe fooled using sort of “activation emulator” (saw this once, a small exe runs, you change hosts file and redirect activation server address to localhost…). Activation means a software recieves something from the server - therefore, you could fake it. And if not - there is an if/else that checks server reply. So it could also be fooled.

While searching through the net i once found an article that described a particular vulnerability in some encryption software that crypted exes. The vulnerability in implementation of encryption algorithm allowed to extract exe file without the right password by modifying the if/else cycle that checked the password. Of course it’s different as the exe data was stored unencrypted inside the file but nevertheless this shows that anything can be fooled.

I was using the term “Activation” loosely, it would involve getting a newly encrypted .exe. I don’t know exactly what each company will do. But I can only guess that is what will happen.

Exactly.

It’s not that hard actually to break such TPM. Key: Virtualization.

A criminal buy a legal software, install it inside a Virtual Machine. Wham! He got a running code.

From there, he backtrack, and find all necessary keys.

Then, he unlock the software, name it “Gold Version”, and share it through the Internet.

TPM is a self-defeating approach. It alienates and punishes honest individuals, while imposing no hardships whatsoever to pirates.

And then, there will be the problem of big Enterprises; they don’t want to be saddled with such hardships. They will DEMAND and even SUE TPM implementers, forcing them to produce software without TPM ■■■■.

Case in point: Windows XP Corporate Edition, which was released after an uproar by businesses not wanting to open up their firewalled network for activation. Microsoft was forced to produce this Edition which does not need activation.

Really, the attacks of the future is that upon people. Social engineering, and phishing, thats where things are leading to. Granted spyware is currently at large, but why go after things that can be patched? When you can go after an ignorant human?