Data Transmission in Internet Security Products
Speakers:
Philipp Kratzer
Peter Stelzhammer
www.av-comparatives.org November 2014
Page 2
What we do:
Independent Tests of
IT Security Software
Our goal
- independent, detailed, high-quality test results
- free of charge for the end user
http://www.av-comparatives.org
• About Us
– Founded 1999
– Independent Testing Organization
– Leader in Security Software Testing
• People
12 in Innsbruck, Austria
3 in Chennai, India; 2 in Beijing, China
More than 30 volunteers worldwide
• Equipment
More than 600 Servers - more than 500 TB of data,
located in our datacenters in Innsbruck and Munich
More than 120 malware and spam honey pots
worldwide, also in Japan and in China
Malware
We stopped counting at 250 Million samples
Independent Tests of
Anti-Virus Software
• Academic Partner
University of Innsbruck – Faculty of
Computer Science and Quality Engineering
Partner of Laura Bassi Centre of Expertise
University of Hongkong
Brandeis University
Polytech Montreal
• Miscellaneous
Frequent Speaker at Security Conferences
Alliances: AMTSO, AVAR, EICAR, IEEE
Malware evolves – so does Anti-Malware
Page 6
Changing
From file-based
distribution to
distribution via
Internet
New Vectors
Websites
Spam
but still files
New Devices
Smartphones
Tablets
Hybrids
Evolution of Anti-Malware Technologies
Page 7
Signature detection + Heuristic/Emulation + Behaviour/HIPS... + Cloud/Reputation
Malware Protection Moving to The Cloud
Example: F-Secure File Reputation Service
Page 8
Real-time Protection Network (behind a DNS load balancer)
Client-side flow (signature-based detection plus DeepGuard):
1. Malware attempts to enter the host; the signature-based scan reports it as Unknown.
2. Check the cache for a predefined action: if the file has been executed once earlier, the result is cached (cache entries have a lifetime).
3. If Unknown, get the status from the Real-time Protection Network:
   • Block Known Bad
   • Allow Known Good
   • Unknown: continue
4. If Unknown, request the user's approval for program execution and permission for sample submission.
5. DeepGuard behaviour analysis:
   • Block Bad Behaviour
   • Allow Good Behaviour
   • Unknown: continue
Server side: report the user's action and submit the sample (if permitted) back to the Real-time Protection Network. If Unknown, automatic binary analysis runs and all data centers are updated; if automation cannot decide, the sample is submitted to a Malware Analyst.
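The decision chain above, modelled as an added Python example (not F-Secure's code): the signature database, the Real-time Protection Network and DeepGuard are stand-in dictionaries, the cache enforces an entry lifetime, and a sample is reported back only when the user permitted submission.

```python
import time
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow known good"
    BLOCK = "block known bad"
    UNKNOWN = "unknown, continue"


class VerdictCache:
    """Verdicts for files executed earlier; every entry has a lifetime."""
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.entries = {}            # digest -> (verdict, stored_at)

    def lookup(self, digest, now):
        hit = self.entries.get(digest)
        if hit is None or now - hit[1] > self.ttl:
            self.entries.pop(digest, None)   # missing or expired entry
            return Verdict.UNKNOWN
        return hit[0]

    def store(self, digest, verdict, now):
        self.entries[digest] = (verdict, now)


class Scanner:
    """signatures, cloud and behaviour are hypothetical dicts digest -> Verdict
    standing in for the signature DB, the reputation network and DeepGuard."""
    def __init__(self, signatures, cloud, behaviour, cache_ttl=3600):
        self.signatures, self.cloud, self.behaviour = signatures, cloud, behaviour
        self.cache = VerdictCache(cache_ttl)
        self.submitted = []          # samples reported back to the network

    def scan(self, digest, submit_permitted, now=None):
        """Return (verdict, stage that decided), walking the slide's stages in
        order and stopping at the first one that is not UNKNOWN."""
        now = time.time() if now is None else now
        stages = [
            ("signature", lambda: self.signatures.get(digest, Verdict.UNKNOWN)),
            ("cache",     lambda: self.cache.lookup(digest, now)),
            ("cloud",     lambda: self.cloud.get(digest, Verdict.UNKNOWN)),
            ("behaviour", lambda: self.behaviour.get(digest, Verdict.UNKNOWN)),
        ]
        for stage, query in stages:
            if stage == "behaviour" and submit_permitted:
                self.submitted.append(digest)   # unknown to the network: report it
            verdict = query()
            if verdict is not Verdict.UNKNOWN:
                if stage in ("cloud", "behaviour"):
                    self.cache.store(digest, verdict, now)  # remembered with a lifetime
                return verdict, stage
        return Verdict.UNKNOWN, "behaviour"
```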
No Connection – No Protection
Page 9
Cloud Services
Better Protection with Data Sending
- Whitelisting
- Blacklisting
- Reputation Service
Local Protection
- Heuristics
- Behaviour
- Signatures
Best Practice
Combination of Cloud and Local Protection
Transmit only as little data as needed
Page 10
What can be done?
Tracking
- Browsing Behaviour – they know where you go – and when!
- Data Transmission of Files and Hashes
(not only PE, also documents like Excel, Word; your personal or business data could be inside)
Cross-Device Tracking by User-ID
- Like Google Analytics, but on the user side
Misuse by Government
- Combination of AV-Vendor, Provider and Government
- Dragnet Investigation
Qihoo 360: 496 million users for its Internet Security products,
641 million users for its Mobile Antivirus products as of June 2014
Now some details by Philipp Kratzer
Page 11
Data Transmission Test
21 products have been tested with the following methods:
1. Analysing network traffic while performing different actions
- On-Demand Scan
- On-Access Scan
- Scan of unknown binary
- Detection
- Updates
- Browsing the Internet
2. Review of End User License Agreement (EULA)
3. Questionnaire for each Manufacturer
Page 12
Product Information and License
                                   Czech  USA  USA  South Korea  USA  India
License Information & Version      yes    yes  yes  yes          yes  yes
Unique Identifier                  yes    yes  yes  yes          no   no
Statistics for product usage       no     yes  yes  no           no   no
Sample of transmitted data
Page 13
serial=100XXXXXXX
licType=Reg
licExpDays=439
licFeature=64c042de-XXXX-XXXX-XXXX-XXXXXXXXXXXX
licIssuedDate=1390548864
licExpirationDate=1453620864
version=10.0.2208
part.program=2208,2208,0,0
part.setup=2208,2208,0,0
part.vps=336662784,336662784,1,1
part.jrog2=3048,3048,1,1
guid=7e89bf6c-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Page 14
Example of EULA
“Other details about Your Device, which may include, without
limitation, Your Device's operating system, type and carrier (for
mobile devices), Your usage of the Vendor Solution (e.g., features
used and session length), program files or file extracts (used for
malware research and analysis), username of logged-in operating
system user, registry keys, language, Software report log(s), running
processes, temporary Internet files, Internet search history,
applications using ports, and other data pertaining to the contents of
Your default folder custom folders, and/or downloaded program files
directory.”
Page 15
Machine Information
                                            Czech  USA  USA  South Korea  USA  India
OS Version                                  yes    yes  yes  yes          yes  no
Computer name                               yes    yes  yes  no           no   no
Information about third-party applications  yes    yes  yes  no           no   no
Information about hardware                  yes    yes  ND   no           no   no
Information about running processes         no     no   yes  no           no   no
Local IP address                            yes    yes  yes  no           no   no
Event or error logs of the OS               yes    yes  yes  no           no   no
Display resolution                          yes    yes  ND   no           no   no
Sample Data transmitted
Page 16
lan_addr=User-PC
lan_ip=10.1.1.124
dotNet2=2.0.50727.4927,2
dotNet3=3.0.30729.4926,2
dotNet3.5=3.5.30729.4926,1
dotNet4=4.5.51641,0
Silverlight=5.1.20513.0
os=win,6,3,2,9600,0,AMD64
mid=C87AEC9D3400XXXXXXXXXXXXXXXXXXXX
cpu_name=Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz,4
cpu=I9,4;ntel,306e4
ram_mb=4095
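As an added example (not part of the original slides or any vendor's code), the two key=value samples shown above can be parsed and the fields sorted into the categories of the test tables; the category patterns are an assumption made here, and the input excerpts are copied from the slides with the masking the page already applies.

```python
import ipaddress
import re

# Excerpts of the two samples on the slides, used as offline input; the X
# characters are the masking already present on the page.
PRODUCT_INFO = """serial=100XXXXXXX
licType=Reg
licExpDays=439
version=10.0.2208
guid=7e89bf6c-XXXX-XXXX-XXXX-XXXXXXXXXXXX"""

MACHINE_INFO = """lan_addr=User-PC
lan_ip=10.1.1.124
os=win,6,3,2,9600,0,AMD64
mid=C87AEC9D3400XXXXXXXXXXXXXXXXXXXX
cpu_name=Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz,4
ram_mb=4095"""

# Field-name patterns mapped to the categories used in the test tables. The
# mapping is an assumption made for this example, not a vendor schema.
CATEGORIES = {
    "unique identifier": re.compile(r"^(guid|mid|serial)$", re.I),
    "computer name": re.compile(r"^(lan_addr|computername|hostname)$", re.I),
    "local ip address": re.compile(r"(^|_)ip$", re.I),
    "os version": re.compile(r"^os$", re.I),
    "hardware": re.compile(r"^(cpu|ram)", re.I),
}


def parse_kv(blob):
    """Parse key=value lines into a dict; lines without '=' are ignored."""
    fields = {}
    for line in blob.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(fields):
    """Map each matching field name to its category: {category: [keys]}."""
    found = {}
    for key in fields:
        for category, pattern in CATEGORIES.items():
            if pattern.search(key):
                found.setdefault(category, []).append(key)
    return found


def is_internal_ip(value):
    """True when a transmitted address is an RFC 1918 address, i.e. the
    vendor learns the layout of the user's private network."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False
```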
Page 17
Example of EULA
“In order to better understand the usage of updating infrastructure,
the software also collects information about all updates to the
Vendor software (including automatic updates), including certain
information about your computer hardware and software
configuration and/or network connection, as well as certain
information about the installation and operation of the Vendor
software and errors or problems that are encountered.”
Page 18
Personal Information
                                                         Czech  USA  USA  South Korea  USA  India
Visited URLs (malicious and non-malicious)               yes    yes  yes  no           yes  yes
Referer (previous page with link to malicious website)   yes    yes  yes  no           no   no
Country / Region of the OS                               yes    yes  yes  no           no   no
Language of the OS                                       yes    yes  yes  no           no   no
Windows Username                                         no     yes  yes  no           no   no
Sample Data transmitted (Malware)
Page 19
"content-length": "68",
"content-type": "application/octet-stream",
"gmid": "1957ade46a35XXXXXXXXXXXXXXXXXXX",
"method": "GET",
"ppath": "c:\\\\program files (x86)\\\\internet explorer\\\\iexplore.exe",
"referer": "http://www.eicar.org/85-0-Download.html",
"status-code": "200",
"url": "http://www.eicar.org/download/eicar.com"
Sample Data transmitted (Clean)
Page 20
"JSVersion": "J1",
"fipr": "33HM4iMLMmK…aqk3C07xGhHMbsCHBXpnMb3",
"prod": "XXXX v1.0.0",
"ql": "XXXX",
"sh": "false",
"url": "http://www.av-comparatives.org/corporate-reviews/",
"vers": "2.13.6.18195",
"zoom": "2"
Sample part of EULA of Product
Page 21
From time to time, the Software and Services may collect certain
information from the device on which it is installed, which may
include:
…
URLs of websites visited as well as search keywords and search
results only if the browser toolbar feature is enabled. This
information is collected by Vendor for the purpose of evaluating
and advising You regarding potential threats and risks that may
be associated with a particular Web site before You view it. This
information will not be correlated with any personally identifiable
information.
Page 22
File related information (clean & malicious)
                                             Czech  USA  USA  South Korea  USA  India
Hashes of files or hashes of parts of files  yes    yes  yes  yes          no   yes
Detection name                               yes    yes  yes  no           yes  no
Name and path of files                       yes    yes  yes  no           no   no
Suspicious: executable files transmitted     yes    yes  yes  no           yes  yes
Suspicious: non-executable files transmitted yes    ND   ND   no           yes  no
User can opt out of sending files            yes    yes  no   N/A          yes  yes
Sample Data transmitted
Page 23
threatid="2147519003" sigseq="00000555dc2dddb0"
originalsha1="3395856ce81f2b7382dee72602f798b642f14140" iscloudsignature="0" filename="eicar.com"
filesystem="NTFS" filedevicetype="7"
filedevicecharacteristics="393248" size="68"
md5="44d88612fea8a8f36de82e1278abb02f"
sha1="3395856ce81f2b7382dee72602f798b642f14140"
sha256="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
ctph="3:a+JraNvsgzsVqSwHq9:tJuOgzsko"
creationtime="130601911677365297"
lastaccessedtime="130601911677365297"
lastmodifiedtime="130580097081340570"
Sample of EULA of Product
Page 24
“The Non-Personally Identifiable Information Vendor may collect …
data concerning potential malware threats to your device and the
target of those threats, including file names, cryptographic hash,
vendor, size, date stamps, information about your devices
checkpoints, which may include path, file and application names,
copies of applications that are deemed malicious or infected
including information on behavior of such applications, their settings
and configurations, such as associated registry keys …”
Summary
AV Software transmits personal and environmental data
Users have to trust the vendor. But what about the
government?
Users accept transmission by accepting EULA
Give up privacy for more protection?
Page 25
Wishlist
Page 26
In an ideal world…
• Users should be asked each time before a file is sent to the
vendor
• Users should be informed where the collected information is being
sent and how long it will be stored.
• A single, clear privacy statement should be easy to find on the
vendor’s website and within the product itself.
• We would like to see vendors providing users with a short, clear
explanation of which data is collected.
• It should be possible to opt out of data sending without losing or
compromising protection or usability.
• Security products should not include third-party toolbars or other
add-ons that collect data separately from the AV vendor. We
would find such add-ins especially inappropriate in paid-for
products.
• Vendors claim that any data which could personally identify the
user is anonymised after collection; we feel that it would be better
to anonymise the data before sending.
Discussion
www.av-comparatives.org