HookSafe Rootkit Protection

November 11, 2009 – 9:07 AM

Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance.

The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that’s tightly locked down. The researchers, from Microsoft and the computer science department at North Carolina State University, plan to present their findings Thursday at the 16th ACM Conference on Computer and Communications Security.

The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6-percent reduction in performance benchmarks, making HookSafe “the first system that is proposed to enable large-scale hook protection with low performance overhead,” the researchers said.

Rootkits that rely on a technique known as kernel object hooking work by overwriting kernel data hooks, the function pointers held in kernel data structures, so that the kernel calls the rootkit’s code instead of its own. Because those hooks are scattered throughout kernel memory, and often co-mingled with other kernel data that changes legitimately, they are hard to protect. The researchers call this the “protection granularity gap”: effective protection requires byte-level granularity, while commodity hardware offers protection only at the much coarser page level.

The researchers worked around this limitation by relocating almost 5,900 kernel hooks scattered across 41 physical pages to a page-aligned central location. They then used a “thin hook indirection layer to regulate accesses to them with hardware-based page-level protection.”

They tested the protected system against nine rootkits written for the Linux 2.6 kernel. Seven of them failed to install at all thanks to the memory protection, while the remaining two failed to hide themselves because of the hook indirection.
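The following is an added example, not HookSafe’s own code, that sketches the relocation-plus-indirection idea in user space. A hypothetical fake_file_ops struct, with a refcount sitting next to a read hook, stands in for a hook co-mingled with mutable kernel data; the hooks are moved to an mmap()’d page that is locked with mprotect() in place of the hypervisor’s page protection; callers reach a hook through an index rather than a raw pointer; and updates are accepted only through one checked path, where a static allowlist stands in for HookSafe’s hypervisor-side update policy. All names and the allowlist are assumptions made for the example.

```c
/* Added example, not HookSafe's code: user-space model of relocating kernel
 * hooks to a locked page and reaching them through an indirection layer.
 * Every name below is a hypothetical stand-in. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*read_fn)(int);

/* Kernel object as it sits in memory today: the hook (a function pointer) is
 * co-mingled with ordinary mutable data.  Write-protecting this page would
 * break every refcount update: the "protection granularity gap". */
struct fake_file_ops {
    unsigned long refcount;   /* legitimately updated all the time */
    read_fn read;             /* the hook a KOH rootkit overwrites */
};

static int read_legit(int n)   { return n * 2; }
static int read_rootkit(int n) { return -n; }   /* stand-in for a hiding routine */

/* In the original layout one write hijacks the hook; nothing distinguishes it
 * from the kernel's own writes to the same page. */
int inplace_hijack_and_call(int n) {
    struct fake_file_ops ops = { .refcount = 1, .read = read_legit };
    ops.read = read_rootkit;            /* kernel object hooking */
    return ops.read(n);
}

/* Relocated layout: hooks live in their own page-aligned table. */
enum { HOOK_READ = 0, HOOK_COUNT = 1 };
static read_fn *hook_table;   /* read-only except inside hook_update() */
static size_t   page_size;

/* The object keeps an index, not a pointer: the thin indirection layer. */
struct relocated_file_ops {
    unsigned long refcount;
    int read_idx;
};

int hooks_init(void) {
    page_size  = (size_t)sysconf(_SC_PAGESIZE);
    hook_table = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);   /* page-aligned by construction */
    if (hook_table == MAP_FAILED) return -1;
    hook_table[HOOK_READ] = read_legit;
    /* Lock the page.  HookSafe's hypervisor does this; mprotect() stands in here. */
    return mprotect(hook_table, page_size, PROT_READ);
}

int hook_table_is_page_aligned(void) {
    return hook_table != NULL && ((uintptr_t)hook_table % page_size) == 0;
}

/* Every hook invocation goes through the indirection layer. */
int call_read(const struct relocated_file_ops *ops, int n) {
    return hook_table[ops->read_idx](n);
}

/* The refcount next to the (former) hook stays freely writable, while the hook
 * itself sits on the locked page: no granularity conflict. */
int demo_read(int n) {
    struct relocated_file_ops ops = { .refcount = 0, .read_idx = HOOK_READ };
    ops.refcount++;
    return call_read(&ops, n);
}

/* Regulated update path: only this function may change a hook, and it checks
 * the new target first.  A static allowlist is a simplification of the
 * hypervisor-side policy HookSafe applies to trapped hook writes. */
int hook_update(int idx, read_fn target) {
    const read_fn allowed[] = { read_legit };
    int ok = 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == target) ok = 1;
    if (!ok || idx < 0 || idx >= HOOK_COUNT) return -1;   /* rootkit target rejected */
    if (mprotect(hook_table, page_size, PROT_READ | PROT_WRITE) != 0) return -1;
    hook_table[idx] = target;
    return mprotect(hook_table, page_size, PROT_READ);
}

int main(void) {
    if (hooks_init() != 0) return 1;
    printf("in-place hook after hijack: read(21) = %d\n", inplace_hijack_and_call(21));
    printf("relocated hook, rootkit target: %s\n",
           hook_update(HOOK_READ, read_rootkit) == 0 ? "accepted" : "rejected");
    printf("relocated hook: read(21) = %d\n", demo_read(21));
    return 0;
}
```

Any write to hook_table that bypasses hook_update() faults on the read-only page, which is the analogue of the seven rootkits that failed to install; a rootkit that instead redirected the index would be caught by the indirection layer’s bounds check, the analogue of the two that installed but could not hide.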

Source:
http://www.theregister.co.uk/2009/11/11/hooksafe_rootkit_protection/

Is Antivirus Dead?

November 10, 2009 – 6:12 AM

Security is never black and white. If someone asks, “for best security, should I do A or B?” the answer almost invariably is both. But security is always a trade-off. Often it’s impossible to do both A and B — there’s no time to do both, it’s too expensive to do both, or whatever — and you have to choose. In that case, you look at A and B and you make your best choice. But it’s almost always more secure to do both.

Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won’t protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea.

On the other hand, an antivirus program with up-to-date signatures will protect you from a lot of threats. It’ll protect you against viruses, against spyware, against Trojans — against all sorts of malware. It’ll run in the background, automatically, and you won’t notice any performance degradation at all. And — here’s the best part — it can be free. AVG won’t cost you a penny. To me, this is an easy trade-off, certainly for the average computer user who clicks on attachments he probably shouldn’t click on, downloads things he probably shouldn’t download, and doesn’t understand the finer workings of Windows Personal Firewall.

Certainly security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection — and I personally recommend Malwarebytes’ Anti-Malware — but a lot of users are going to have trouble with this. The average user will probably just swat away the “you’re trying to run a program not on your whitelist” warning message or — even worse — wonder why his computer is broken when he tries to run a new piece of software. The average corporate IT department doesn’t have a good idea of what software is running on all the computers within the corporation, and doesn’t want the administrative overhead of managing all the change requests. And whitelists aren’t a panacea, either: they don’t defend against malware that attaches itself to data files (think Word macro viruses), for example.

Full Story:
http://www.schneier.com/blog/archives/2009/11/is_antivirus_de.html

Drowning in Passwords: Tips to Stay Safe and Sane

November 9, 2009 – 4:15 PM

If you spend much time online, you probably have the same problem I do: how to remember your ever-growing list of online usernames and passwords, and stay secure at the same time.

You’re savvy enough to know that identity theft and illegal access to personal and financial data are real-world problems that you want to avoid. But what are you doing about it? Odds are, not much, says Andrew Jaquith, a computer security analyst at Forrester Research. “There are two classes of people: those who seem to care about the security of their accounts, and those who act as if they don’t.” Most people, he says, fall into the latter category.

If you’re one of the majority, your security strategy may be nothing more than using a single password for every site you need to access. On the one hand, the chances of it being stolen aren’t terribly high and you probably won’t forget it. But if it is stolen, the malefactor will have access to your entire online life, including bank accounts and maybe medical records. Not a pretty thought.

It turns out that there are a number of strategies that will help you avoid that ugly scenario. Most of them are simple, free or quite inexpensive, and much more secure than what you’re doing now. But some are just halfway measures that could let you down in a pinch.

Source:
http://www.computerworld.com/s/article/9140585/Drowning_in_Passwords_Tips_to_Stay_Safe_and_Sane?source=rss_security

Critical Flaw Found in Linux Kernel

November 5, 2009 – 7:17 AM

There is a NULL pointer dereference flaw in the Linux kernel that can be exploited by attackers to gain root access to a vulnerable machine.

The vulnerability is in version 2.6.21 of the Linux kernel and some Linux vendors already have taken steps to fix the vulnerability. Red Hat has released a fix for the flaw in several versions of its Linux distributions. Red Hat also has released advisories on the issue, explaining the vulnerability and its effect on vulnerable machines.

A NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe’s reader and writer counters. This could lead to a local denial of service or privilege escalation.

Debian also has posted instructions for addressing the flaw in its Linux distributions, which are vulnerable to this problem by default. A NULL pointer dereference in the kernel is exploitable for privilege escalation only if the attacker can arrange for memory to be mapped at address zero, which the kernel’s mmap_min_addr restriction is meant to prevent, so such bugs are often harder to exploit than they first appear. This particular problem was identified in mid-October, and so far no public exploit for the flaw has been released.
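An added user-space model, not the kernel’s code, of the open/release race described in the advisory text above. Struct and function names are hypothetical stand-ins for the kernel’s inode, pipe_inode_info and i_mutex; a C11 spinlock replaces the mutex so the file links without libpthread; and the losing interleaving is replayed deterministically rather than with real threads. The vulnerable shape dereferences i_pipe without holding the lock and without checking it, so a release that runs in between leaves a NULL pointer to dereference; the fixed shape checks the pointer under the lock and fails the open with -ENOENT once the pipe has been released.

```c
/* Added example, not kernel code: user-space model of a NULL dereference race
 * between opening a FIFO and releasing its pipe object.  All names below are
 * hypothetical stand-ins for the kernel structures mentioned in the text. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's i_mutex. */
typedef struct { atomic_flag held; } kmutex_t;
static void kmutex_lock(kmutex_t *m)   { while (atomic_flag_test_and_set(&m->held)) { } }
static void kmutex_unlock(kmutex_t *m) { atomic_flag_clear(&m->held); }

struct pipe_info { int readers; int writers; };   /* stand-in for pipe_inode_info */

struct inode {
    kmutex_t         i_mutex;
    struct pipe_info *i_pipe;   /* NULL once the last user has released the pipe */
};

struct inode *fifo_inode_new(void)
{
    struct inode *inode = calloc(1, sizeof *inode);
    atomic_flag_clear(&inode->i_mutex.held);
    inode->i_pipe = calloc(1, sizeof *inode->i_pipe);
    return inode;
}

/* Release from a reader: when no readers or writers remain, the pipe object is
 * freed and detached from the inode.  This is the "other process" that can
 * release i_pipe underneath an open that is still in flight. */
void pipe_release(struct inode *inode)
{
    kmutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->readers--;
        if (inode->i_pipe->readers == 0 && inode->i_pipe->writers == 0) {
            free(inode->i_pipe);
            inode->i_pipe = NULL;
        }
    }
    kmutex_unlock(&inode->i_mutex);
}

/* Vulnerable shape: the pointer is read and used with no lock and no NULL
 * check.  If pipe_release() wins the race in the window between the two
 * lines, this dereferences NULL (or freed memory).  Not called by main(). */
int pipe_read_open_vuln(struct inode *inode)
{
    struct pipe_info *pipe = inode->i_pipe;   /* may be cleared right after this */
    pipe->readers++;                          /* crash, or worse, after a release */
    return 0;
}

/* Fixed shape: take the lock, verify the pipe is still attached to the inode,
 * and only then update its counters; a released pipe fails the open cleanly. */
int pipe_read_open_fixed(struct inode *inode)
{
    int ret = -ENOENT;
    kmutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->readers++;
        ret = 0;
    }
    kmutex_unlock(&inode->i_mutex);
    return ret;
}

/* Replays the losing interleaving deterministically: open, release (last user
 * gone, pipe freed), then a second open racing against that release.
 * Returns the second open's result. */
int replay_race_fixed(void)
{
    struct inode *inode = fifo_inode_new();
    pipe_read_open_fixed(inode);               /* readers = 1 */
    pipe_release(inode);                       /* readers = 0, writers = 0: freed, i_pipe = NULL */
    int ret = pipe_read_open_fixed(inode);     /* -ENOENT instead of a NULL dereference */
    free(inode);
    return ret;
}

int main(void)
{
    int ret = replay_race_fixed();
    printf("second open after release: %s\n", ret == -ENOENT ? "-ENOENT (safe)" : "unexpected");
    return ret == -ENOENT ? 0 : 1;
}
```

Substituting pipe_read_open_vuln() for the second open in replay_race_fixed() crashes the process on the NULL dereference; in the kernel that same dereference is the local denial of service, and it becomes privilege escalation only when an attacker can control what is mapped at address zero.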

Source:
http://threatpost.com/en_us/blogs/critical-flaw-found-linux-kernel-110509

Scramble on to fix flaw in SSL security protocol

November 5, 2009 – 7:03 AM

Software makers around the world are scrambling to fix a serious bug in the technology used to transfer information securely on the Internet.

The flaw lies in the SSL protocol, best known as the technology used for secure browsing on Web sites beginning with HTTPS, and lets an attacker positioned between two computers tamper with a protected SSL (Secure Sockets Layer) session using what’s known as a man-in-the-middle attack. Strictly, the attacker does not get to read the victim’s encrypted traffic; the weakness is in how the protocol renegotiates an existing session, which lets the man in the middle splice plaintext of his own choosing in front of the victim’s data so that the server treats both as coming from the victim’s authenticated connection.

Although the flaw can only be exploited under certain circumstances, it could be used to hack into servers in shared hosting environments, mail servers, databases, and many other secure applications, according to Chris Paget, a security researcher who has studied the issue.

“It’s a protocol-level flaw.” said Paget, the chief technology officer with a security consultancy called H4rdw4re. “There’s a whole lot of stuff that’s going to have to get fixed on this one: Web browsers, Web servers, Web load balancers, Web accelerators, mail servers, SQL Servers, ODBC drivers, peer-to-peer protocols.”

Although an attacker would first need to hack into the victim’s network to launch the man-in-the-middle attack, the results would then be devastating — especially if used in a targeted attack to gain access to a database or a mail server, Paget said.

Source:
http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SSL_security_protocol?source=rss_security