Author Topic: ARA Security Considerations  (Read 40050 times)


Hermite15

  • Guest
Re: ARA Security Considerations
« Reply #90 on: February 25, 2012, 07:14:34 PM »
I think the Microsoft/Windows parallel to Avast Remote Assistance would be Windows Remote Assistance (not Remote Desktop per se).

True ;) ... I made a mistake, hesitated a second about that before posting. God knows why I thought for a second that remote assistance was MS related and it's not, it's P2P help between computer users.

UserA789

  • Guest
Re: ARA Security Considerations
« Reply #91 on: February 25, 2012, 07:22:54 PM »
"This exploit is straight outta James Bond scenarios and most devs thought there was no way to do something like this.  Proof that we as developers don't always 'know-it-all'."

By now, we should all know that for every security measure that's implemented, there are 100s of hackers busy at work finding a way to break the protection.

There is no solid guarantee that today's most secure product will not turn into tomorrow's least secure application.
It's a fact of the times.
My main point with the statement goes along with what you've said; unfortunately, more developers are too hard-headed to hear anything other than what they believe.  I'm more old school than that.  If I have a script, or piece of code, I develop, I do my best to stay open to every possibility of its uses and/or misuses.  Although there is a rule, more like guidelines (to steal a quote from a favorite Disney flick).

Kinda like how most devs will swear by *nux builds but last year there were more serious exploits of *nux based systems (Sony, the US federal government minus the USMC - they use their own CLOSED/PRIVATE SOURCE code, etc.) than Windows servers.  To that, we can attribute the fact that criminal organizations are NOT as stupid as we tend to believe and with how much of our lives exist in our machines, why wouldn't they be involved in all sorts of 'open-source' projects to ensure their own criminal survivability?  We would be more stupid than we attribute them to be if we thought anything else.  I used to be a dedicated open-source user.  From FF to Filezilla to Linux itself.  The past year, I've had my *nux builds crash more than my Windows, or show stray transmission(s).

Either way, this went a bit off topic and for that I apologize, but at the same time remains on topic to suggest when users like InDoctor bring things like this to attention, we should explore EVERY possibility of it being true instead of the only possibilities of it not being true.  And if it does run on a P2P basis, this is a mistake. P2P is very easily interceptible (even with SSL; as reason described above) for MiM attacks.  We must believe that illicit users are already reverse engineering Avast, as it's one of the best... if not the best.  End of story.

Dch48

  • Guest
Re: ARA Security Considerations
« Reply #92 on: February 25, 2012, 08:54:30 PM »
I just have one question and it's about this part of Zdenek's explanation.
Quote
Here it is the user's responsibility to deliver the ticket securely to the other side. Avast! cannot take any responsibility if the ticket is stolen during the transfer. We recommend using a cellular phone, or encrypted e-mail (PGP for example), or a Skype message or call (Skype uses strong encryption to protect session communication) to do this.
What if you're like me and you don't have any of those options? I do not and have never had a cell phone, and I have never used Skype. I also have no idea what PGP for email is.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: ARA Security Considerations
« Reply #93 on: February 25, 2012, 08:57:15 PM »
What if you're like me and you don't have any of those options? I do not and have never had a cell phone, and I have never used Skype.

You can use any phone, not just a cell phone..!! ;)
Guess you have one at home, don't you..?
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Dch48

  • Guest
Re: ARA Security Considerations
« Reply #94 on: February 25, 2012, 09:02:14 PM »
What if you're like me and you don't have any of those options? I do not and have never had a cell phone, and I have never used Skype.

You can use any phone, not just a cell phone..!! ;)
Guess you have one at home, don't you..?
Okay, well he didn't say that. Of course I have a phone but I only use it less than once a week. I hate talking on the phone. Oh and just to stave off the inevitable comments, no, the phone does not have a dial or a crank but it does have those little buttons that make a sound when you push them.  :P

Offline Asyn

Re: ARA Security Considerations
« Reply #95 on: February 25, 2012, 09:04:27 PM »
Oh and just to stave off the inevitable comments, no, the phone does not have a dial or a crank but it does have those little buttons that make a sound when you push them.  :P

Great. ;D

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: ARA Security Considerations
« Reply #96 on: February 25, 2012, 09:24:29 PM »
What if you're like me and you don't have any of those options? I do not and have never had a cell phone, and I have never used Skype.

You can use any phone, not just a cell phone..!! ;)
Guess you have one at home, don't you..?
Okay, well he didn't say that. Of course I have a phone but I only use it less than once a week. I hate talking on the phone. Oh and just to stave off the inevitable comments, no, the phone does not have a dial or a crank but it does have those little buttons that make a sound when you push them.  :P

Remove the option, you don't need it. ;D
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

FlyingRobot

  • Guest
Re: ARA Security Considerations
« Reply #97 on: February 25, 2012, 09:31:15 PM »
On a somewhat related note, if the design is such that everything that is necessary to establish a remote assistance session is in the ticket, then secure transmission of that ticket information to the provider becomes a critical issue.  As I touched upon in an earlier post today, there would seem to be a perfectly viable option to utilize a separate, privately communicated only piece of information such as a pass phrase.  It has been ages since I've helped someone via Windows Remote Assistance (everyone I now help is very local), but IIRC I either used a pre-shared passphrase (exchanged beforehand, can be very strong) or created one on the spot by referencing something we both knew without actually saying it (example: make the pass phrase the name of your first dog, assuming said name was significantly obscure and unique of course).  I think by exploiting such tactics the ticket/setup info exchange via private communications channel can become a less critical issue.
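
The pre-shared passphrase idea from the post above, sketched as an added example (not part of the thread, and not Avast's or Microsoft's code): presenting the ticket only earns a challenge, and the session is authorised only if the helper also proves knowledge of the passphrase. All names, the sample ticket and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; this is NOT how ARA itself works.
ROUNDS = 200_000  # assumed PBKDF2 work factor


def derive_key(passphrase: str, ticket: str) -> bytes:
    # Stretch the privately agreed passphrase; the ticket serves as the salt.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), ticket.encode(), ROUNDS)


class Requester:
    """Side asking for help: it issued the ticket and knows the passphrase."""

    def __init__(self, ticket: str, passphrase: str):
        self.ticket = ticket
        self._key = derive_key(passphrase, ticket)
        self._nonce = None

    def challenge(self, presented_ticket: str):
        # A matching ticket is necessary but no longer sufficient.
        if not hmac.compare_digest(presented_ticket.encode(), self.ticket.encode()):
            return None
        self._nonce = secrets.token_bytes(32)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # single use, so a recorded response cannot be replayed
        return hmac.compare_digest(expected, response)


def helper_response(ticket: str, passphrase: str, nonce: bytes) -> bytes:
    # Helper side: prove knowledge of the passphrase without transmitting it.
    return hmac.new(derive_key(passphrase, ticket), nonce, hashlib.sha256).digest()


def attempt(requester: Requester, ticket: str, passphrase: str) -> bool:
    nonce = requester.challenge(ticket)
    if nonce is None:
        return False
    return requester.verify(helper_response(ticket, passphrase, nonce))
```

Someone who records both the nonce and the response can still test passphrase guesses offline, which is why the passphrase has to be strong, as the post says; a password-authenticated key exchange would close that gap.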

Offline bob3160

Re: ARA Security Considerations
« Reply #98 on: February 25, 2012, 09:40:47 PM »
IMHO,
None of this is a critical issue, it's just being turned into one.

Dch48

  • Guest
Re: ARA Security Considerations
« Reply #99 on: February 25, 2012, 09:47:21 PM »
What if you're like me and you don't have any of those options? I do not and have never had a cell phone, and I have never used Skype.

You can use any phone, not just a cell phone..!! ;)
Guess you have one at home, don't you..?
Okay, well he didn't say that. Of course I have a phone but I only use it less than once a week. I hate talking on the phone. Oh and just to stave off the inevitable comments, no, the phone does not have a dial or a crank but it does have those little buttons that make a sound when you push them.  :P

Remove the option, you don't need it. ;D
I'm not removing it but I'm 99.9999999% sure that it will never be used.  :D

Offline Asyn

Re: ARA Security Considerations
« Reply #100 on: February 25, 2012, 09:47:33 PM »
IMHO,
None of this is a critical issue, it's just being turned into one.

Big +1

FlyingRobot

  • Guest
Re: Unite against REMOTE AVAST SECURITY BREACH
« Reply #101 on: February 25, 2012, 10:26:14 PM »
Presumably some can comprehend this part:

Here it is the user's responsibility to deliver the ticket securely to the other side. Avast! cannot take any responsibility if the ticket is stolen during the transfer. We recommend using a cellular phone, or encrypted e-mail (PGP for example), or a Skype message or call (Skype uses strong encryption to protect session communication) to do this. Using ICQ or a normal e-mail message, for example, is not recommended, because any e-mail can be sniffed by an attacker on any part of the e-mail path.

The ARA component is as secure as the Assistance ticket is! Choose the communication channel which you really TRUST!

Take issue with the word "critical" if you like, but please do not dismiss something that is clearly technically important and worthy of discussion. 

Offline bob3160

Re: ARA Security Considerations
« Reply #102 on: February 25, 2012, 10:57:45 PM »
Sorry if this sounds rude but to me this whole discussion has been unimportant.
The only good part was the explanation of exactly how this works.  :)

itsjustme2

  • Guest
Re: ARA Security Considerations
« Reply #103 on: February 25, 2012, 11:01:50 PM »
for the guy who created this thread:
first of all, before you start throwing words in the air.. remote assistance won't put the computer in any risk, as long as you're not retarded, and if you are, then avast isn't for you.
furthermore, you have the opportunity to choose not to install it, by selecting "custom" at the start of the installation.

how the hell did this thread gain 7 pages?! holy mother of avast.

Indoctor

  • Guest
Re: ARA Security Considerations
« Reply #104 on: February 26, 2012, 12:40:17 AM »
Sorry if this sounds rude but to me this whole discussion has been unimportant.
The only good part was the explanation of exactly how this works.  :)

What's really "rude" is that you and your friends abuse this thread for your entertainment, trying to ridicule it in a ridiculous manner.

FlyingRobot and UserA789 make some important critiques which are worth answering. I suggest we wait for the expert, being Zdenek, to speak out. He said he would be available for questions so let him, and don't fill the thread with junk.
« Last Edit: February 26, 2012, 01:26:02 AM by Indoctor »