Author Topic: ARA Security Considerations  (Read 40055 times)

Indoctor

  • Guest
ARA Security Considerations
« on: February 24, 2012, 03:31:21 PM »
Hello Avast community. I've been using the Avast 6 version for a while. Now it updated to version 7. Great great, until I noticed that there's a new "Feature" called Remote Assistance.  >:(

The problem with this "feature" is that ANYONE who can open the avast interface can allow ANYONE to completely control the computer. It also proudly says it "bypasses firewalls" and "routes through avast servers".   :-[

Say a library has avast installed, they nicely put in admin passwords etc, but forgot AVAST PASSWORD! Then a user clicks on REMOTE ASSISTANCE code, calls his criminal friends, and BAM!! Post-exploitation phase. Or if an employee with industrial secrets with all his files encrypted has AVAST, but in all his troubles didn't password protect it, a criminal could activate REMOTE ASSISTANCE, install a bootkit/rootkit, and VOILA! :'(

Avast, a company protecting "150 000 000" users, must be VERY proud how it uses malware techniques for the "convenience" of its users. ???

How many of those "150 000 000" users have a password for avast, hm? Even if they all would have a 7 word diceware phrase, this "feature" is another added complexity which can be exploited.

SO, Avast, if you actually CARE about the security of your users, and not how GOOD you LOOK for CONVENIENCE, REMOVE this "Feature" from avast. If you want, you can make it available as a separate package for users who, despite the above, want this "Feature".


THANKS!

Indoctor

EDIT: Finally, after 5 pages of senseless arguing, avast developers show some transparency.

http://forum.avast.com/index.php?topic=93989.msg749530#msg749530

Topic subject edited.
« Last Edit: February 25, 2012, 03:18:08 PM by Indoctor »

Offline RSD

  • Jr. Member
  • **
  • Posts: 22
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #1 on: February 24, 2012, 03:42:02 PM »
I think you miss that the real problem is that someone you don't trust is using the PC physically.
There's nothing a remote user can do that couldn't be done by a local intruder.

AdrianH

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #2 on: February 24, 2012, 03:46:05 PM »
If you thought for 5 seconds prior to posting it just might have occurred to you that this "Remote Access" feature is a CHOICE just like all the other features available in avast!

Don't want it ? Then simply don't install it, end of problem!  ::)


Indoctor

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #3 on: February 24, 2012, 03:50:45 PM »
I did some further testing, and as it seems, the remote assist code is NOT PROTECTED.

Even LUA accounts could easily intercept it by making a screenshot. I tried it w/ paint as a limited user, and guess what! Plainly visible. So malware could easily use it for privilege escalation.

Quote
I think you miss that the real problem is that someone you don't trust is using the PC physically.
There's nothing a remote user can do that couldn't be done by a local intruder.

Oh really? So if you go 20 seconds from otherwise well locked down, strongly passworded, LUA etc. computer, a criminal can install a bootkit? Without you noticing ANYTHING? Every malware under limited accounts etc. can install bootkits you think? I think YOU miss the point here.

Quote
Don't want it ? Then simply don't install it, end of problem
Plus, I could not see the option to NOT install this "Feature". It automatically installed with my update. Read before you " ::)" How many of the "150 000 000" users have "auto-update" on avast?
« Last Edit: February 24, 2012, 03:55:20 PM by Indoctor »

Paul Rodgers

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #4 on: February 24, 2012, 03:59:26 PM »
I don't see an issue here. As it is you need two people working together to do this. If a person has physical access to a machine there are more effective and efficient ways to cause a problem.

Avast will still be protecting from malicious code attempting to run on the local machine.

Like you said the avast program can be password protected.

Also a library or business should be using the Business Protection/ Business Protection Plus software for ease of management and security purposes.

AdrianH

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #5 on: February 24, 2012, 04:00:56 PM »
Look at the installer for avast.............. as always the feature set is selectable via a custom install.  All users can change the features they have loaded at any time.

Let's face it you haven't thought this through, you are complaining about security here and yet you tell us that you blindly allow an auto install?    You have not read the Help Files and found out that you can select which features you wish to use?  This is hardly new, avast has given you the choice in all the versions I have seen.


>>> https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1139
 

Quote
9. Besides 'Typical' and 'Minimum' installation with predefined Configuration, you can also select 'Custom' on the next screen, where it is possible to add or remove individual program components and features in a checkbox tree. Then click 'Next' to continue.
« Last Edit: February 24, 2012, 04:17:09 PM by AdrianH »

Offline Charyb-0

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2508
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #6 on: February 24, 2012, 04:03:04 PM »
For years, there has been a remote assistance feature installed with every copy of Windows that I have seen. And there are many more Windows users than there are Avast users. Are you going to protest Windows too?  Just turn it off/uninstall it if you don't like it.

A bad guy would have to physically be sitting at the computer to enter the code. Why would he need a remote assistance connection if he is already physically at the computer?

I will tell you what. You use the remote assistance feature in avast! to hack into my computer. I would like to see how far you get. According to you, it's easy to do, right?
« Last Edit: February 24, 2012, 04:21:08 PM by Charyb »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #7 on: February 24, 2012, 04:25:04 PM »
Quote
Even LUA accounts could easily intercept it by making a screenshot. I tried it w/ paint as a limited user, and guess what! Plainly visible. So malware could easily use it for privilege escalation.

Where exactly is the privilege escalation?
The remotely connected user can only do the same as the local user can - the remote assistance is not running under any privileged account.

Quote
I think you miss that the real problem is that someone you don't trust is using the PC physically.
There's nothing a remote user can do that couldn't be done by a local intruder.

Oh really? So if you go 20 seconds from otherwise well locked down, strongly passworded, LUA etc. computer, a criminal can install a bootkit?

How can he install a bootkit? He's running under the very same account as the user that invoked the remote assistance - so if this powerful criminal can do that, it means that the original user can do it as well, so your machine is obviously not that strongly protected after all.
I mean, you are making overcomplicated scenarios with remote control where the same can be achieved locally (and if it can't, then it can't be achieved remotely either).

Offline EmoHobo

  • Sr. Member
  • ****
  • Posts: 339
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #8 on: February 24, 2012, 04:42:12 PM »
At first when I saw the remote thing I panicked also, I thought for sure it could be exploited but then I figured, Avast knows what they are doing, there was probably a lot of work that went into making sure this feature was safe, it may sound naive to have this kind of blind faith, but security is kind of their thing.

Alievitan

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #9 on: February 24, 2012, 05:00:38 PM »
hxxp://www.pcmag.com/article2/0,2817,2400609,00.asp

Don't know much about the remote security, but any word from Avast about how to prevent a similar scenario like the ongoing fiasco of Symantec pcAnywhere, which is also a remote tool?  Hope it is me being oversensitive, I was hoping to use it to remote into my family's computers b/c sooner or later they will be upgraded to Avast 7.

Indoctor

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #10 on: February 24, 2012, 05:12:15 PM »
Quote
as always the feature set is selectable via a custom install.  All users can change the features they have loaded at any time.

Nonsense. Only ADMINs can change the install, all users can only install program updates (which include the full package).

Quote
you are complaining about security here and yet you tell us that you blindly allow an auto install?

Barely. I used the "update" button in the interface, as most users I would think do. There is no "custom" install on the update.

Quote
Where exactly is the privilege escalation?
The remotely connected user can only do the same as the local user can - the remote assistance is not running under any privileged account.

We'll see how long that will remain so ... after an exploit's been found  ;)

Quote
Don't know much about the remote security, but any word from Avast about how to prevent a similar scenario like the ongoing fiasco of Symantec pcAnywhere, which is also a remote tool?  Hope it is me being oversensitive, I was hoping to use it to remote into my family's computers b/c sooner or later they will be upgraded to Avast 7.

A good point.
« Last Edit: February 24, 2012, 05:30:29 PM by Indoctor »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #11 on: February 24, 2012, 05:29:13 PM »
Quote
hxxp://www.pcmag.com/article2/0,2817,2400609,00.asp

Don't know much about the remote security, but any word from Avast about how to prevent a similar scenario like the ongoing fiasco of Symantec pcAnywhere, which is also a remote tool?  Hope it is me being oversensitive, I was hoping to use it to remote into my family's computers b/c sooner or later they will be upgraded to Avast 7.

I'm not familiar with pcAnywhere and I don't know what exact vulnerabilities there were in the Symantec code, so I'm just speculating.
If the software (when installed) is listening for network connections, and if the handling of those network connections is vulnerable (so it's possible to bypass the authentication somehow), then anybody with the knowledge of the exploit can connect to your machine and control it (unless blocked by a firewall somewhere on the way, of course).

avast! is not listening for any connections, the communication is outbound - and it starts only when you click the "Allow remote control" button. So, no one can connect to your machine without you allowing that first (before you click the big button, avast! behaves just like it did when there was no remote assistance).

Paul Rodgers

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #12 on: February 24, 2012, 05:37:49 PM »
Quote
hxxp://www.pcmag.com/article2/0,2817,2400609,00.asp

Don't know much about the remote security, but any word from Avast about how to prevent a similar scenario like the ongoing fiasco of Symantec pcAnywhere, which is also a remote tool?  Hope it is me being oversensitive, I was hoping to use it to remote into my family's computers b/c sooner or later they will be upgraded to Avast 7.

I'm not familiar with pcAnywhere and I don't know what exact vulnerabilities there were in the Symantec code, so I'm just speculating.
If the software (when installed) is listening for network connections, and if the handling of those network connections is vulnerable (so it's possible to bypass the authentication somehow), then anybody with the knowledge of the exploit can connect to your machine and control it (unless blocked by a firewall somewhere on the way, of course).

avast! is not listening for any connections, the communication is outbound - and it starts only when you click the "Allow remote control" button. So, no one can connect to your machine without you allowing that first (before you click the big button, avast! behaves just like it did when there was no remote assistance).

Symantec had a network breach and had their source code stolen. If this happened to avast I would jump ship because by that point they couldn't be trusted with security.

This system seems like any remote assistance programs available except it is integrated into the antivirus program itself. In my opinion this is a good idea.

To the op - no system is 100% secure. A system on the internet can be compromised and a system that is not connected to the internet can be compromised. Your best bet for 100% computer security is to not buy the computer in the first place. With that said you can't ensure protection of information not stored in electronic form either.

Offline RSD

  • Jr. Member
  • **
  • Posts: 22
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #13 on: February 24, 2012, 05:39:23 PM »
I've been testing the Remote Assistance and I find it pretty safe.
There's an always-on-top window at the bottom right corner telling you the computer is being controlled remotely. That window can't be closed or moved.
The controlling computer can not send files to the controlled computer, and it can not use its keyboard (you can still use an on-screen keyboard).

So it can't be used as a hidden spy and it can't be used to send a virus to the controlled computer.

If you try to stop Avast shields, the warning window asking you for permission only appears on the local computer.
However, you can disable the advanced settings without any warning. That could be improved, although it can also be done by a local intruder anyway.
« Last Edit: February 24, 2012, 05:46:45 PM by RSD »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #14 on: February 24, 2012, 06:08:10 PM »
There is not a security breach and the poll is evidently biased.
The remote access has the same rights and privileges as the local user.

But I would like to have another way to exchange the password besides phone, email and chat.
I think this could be improved like it is on TeamViewer (unattended session that requires registration of the computer being controlled remotely and also can manage UAC-like messages).
« Last Edit: February 24, 2012, 06:10:02 PM by Tech »
The best things in life are free.