unexpectedlocalsettings
localsettings 时间:2021-04-12 阅读:()
Protectingtheirreplaceable|f-secure.
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
- unexpectedlocalsettings相关文档
- eu_directiveslocalsettings
- spotlightlocalsettings
- 华为localsettings
- SIGNlocalsettings
- greatestlocalsettings
- attachedlocalsettings
数脉科技8月促销,新客减400港币,BGP、CN2+BGP、阿里云线路低至350元
数脉科技(shuhost)8月促销:香港独立服务器,自营BGP、CN2+BGP、阿里云线路,新客立减400港币/月,老用户按照优惠码减免!香港服务器带宽可选10Mbps、30Mbps、50Mbps、100Mbps带宽,支持中文本Windows、Linux等系统。官方网站:https://www.shuhost.com* 更大带宽可在选购时选择同样享受优惠。* 目前仅提供HKBGP、阿里云产品,香港...
Virtono:€23.7/年,KVM-2GB/25GB/2TB/洛杉矶&达拉斯&纽约&罗马尼亚等
Virtono最近推出了夏季促销活动,为月付、季付、半年付等提供9折优惠码,年付已直接5折,而且下单后在LET回复订单号还能获得双倍内存,不限制付款周期。这是一家成立于2014年的国外VPS主机商,提供VPS和服务器租用等产品,商家支持PayPal、信用卡、支付宝等国内外付款方式,可选数据中心包括罗马尼亚、美国洛杉矶、达拉斯、迈阿密、英国和德国等。下面列出几款VPS主机配置信息,请留意,下列配置中...
Megalayer美国服务器CN2优化线路30M带宽3独立IP限时月299元
Megalayer 商家算是比较新晋的国内主机商,主要方向是美国、香港、菲律宾等机房的独立服务器为主,以及站群服务器和显卡服务器。同时也有新增价格并不是特别优惠的VPS云服务器。上午的时候有网友问问有没有CN2线路的美国独立服务器的,这里我推荐他选择Megalayer看看,目前也是有活动截止到月底的。Megalayer 商家创办2年左右时间,如果我们初次使用建议月付体验。目前在进行且可能截止到6月...
localsettings为你推荐
-
支持ipad全国企业信息查询网上如何怎么查询全国企业信用信息公示系统查询重庆杨家坪猪肉摊主杀人重庆九龙坡区治安好么ipad代理想买个ipad,3000至4000元左右有什么好的网站ipad颁发的拼音发字的多音字组词tumblr上不去吃鸡更新完打不开,成这样了,怎么办在线等,挺急的电子商务世界美国电子商务的发展经历几个阶段工具条工具栏不见了怎么办qq挂件QQ免费挂件怎么用