Fun concept.
If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me a “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.
Author of cyber scarecrow here. Thank you for your feedback, and you are 100% right. We also dont have a code signing certificate yet either, they are expensive for windows. Smartscreen also triggers when you install it. Id be weary of installing it myself as well, especially considering it runs as admin, to be able to create the fake indicators.
I have just added a bit of info about us on the website. I'm not sure what else we can do really. Its a trust thing, same with any software and AV vendors.
When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.
There's a reason it costs money and it's because the CAs have to undergo costly audits. Microsoft publishes a list of trusted CAs:
https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...
This looks like a random website and not a Microsoft website. How could I trust such list?
Because it came from this site: https://learn.microsoft.com/en-us/security/trusted-root/part...
I used Google to search for "list of microsoft trusted CA".
Besides paying money you also go through a (pretty simplistic) audit. It’s about the only way we have to know who published some code, which is important. If you can come up with a better way you should implement it and we’ll all follow.
As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.
Can you have someone else go through the process of getting it, like a Craigslist rando to whom you pay cash?
If said Craigslist rando likes getting police visits and potentially being criminally liable for helping you commit a felony ...
All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.
In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo
There’s an audit to go through where you (sort of) prove who you are. The system isn’t great, but if you can come up with something better there’s a lot of space to make software more secure for people.
Is it possible to fake being from Russia. I heard some malware won't install on computers from Russia or with the Russian language as primary language
Great idea. Looking at installing an additional keyboard or language with out it being anoying to the user is next on the feature list.
This might be not a good idea. There are some reports of malware (npm packages, iirc) specifically targeting russian computers since the invasion
Russia has serious penalties for hacking their citizens.
Not for hacking non citizens
This can have the opposite effect too: https://arstechnica.com/information-technology/2022/03/sabot...
And be targeted by cyberwarfare from the first-world side.
Or has the Russian keyboard installed, even if not used IIRC.
It's a neat concept, although I imagine this'll be a cat and mouse endeavor that escalates very quickly. So, a suggestion - apply to the Open Technology Fund's Rapid Response Fund. I'd probably request the following in your position:
* code signing certificate funding
* consulting/assessment to harden the application or concept itself as well as to make it more robust (they'll probably route through Cure53)
* consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.
If you wanted to fund this in some way without necessarily doing the typical founder slog, might make sense to 501c3 in the US and then get funded by or license this to security tooling manufacturers so that it can be embedded into security tools, or to research the model with funding from across the security industry so that the allergic reaction by malware groups to security tooling can be exploited more systemically.
I imagine the final state of this effort might be that security companies could be willing to license decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key.
I kinda think this functionality could be subverted into a kill switch for legit-licensed installs simply by altering the key.
I mean, the existing licensing mechanisms can be similarly abused.
This would be a boon for security folk who analyze/reverse malware: they can add/simulate this tool in their VMs to ensure the malware being analyzed doesn't deactivate itself!
It ceases to be a trust thing once you open source the code
In a world where everybody builds from source or downloads from a trusted build service
... and trusts their entire toolchain hasn't been compromised.
I’m sure it’s closed source for the eventual plans to monetize it, but what’s the real difference to something like https://github.com/NavyTitanium/Fake-Sandbox-Artifacts and why can’t you at least name yourselves?
Not many software promises to fend off attackers, asks for an email address before download, and creates a bunch of processes using a closed source dll the existence of which can easily be checked.
Then again, not many malware targeting consumers at random check for security software. You are more likely to see a malware stop working if you fake the amount of ram and cpu and your network driver vendor than if you have CrowdStrike, etc. running.
There are things that you can do that make you seem trustworthy, and you've done none of them.
Concerning code signing: Azure has a somewhat new offering that allows you to sign code for Windows (SmartScreen compatible) without having an EV cert. It is called "Trusted Signing" [1], non-marketing docs [2]. The major gotcha is that currently you need to have a company or similar entity 3 years or older to get public trust. I tried it with a company younger than 3 years and was denied. You might have a company that fits that criteria or you might get lucky.
The major upside is the pricing: currently "free" [3] during testing, later about 10 USD/month. As there doesn't seem to be a revocation mechanism based on some docs I read, signed binaries might be valid even after a canceled subscription.
[1] https://azure.microsoft.com/en-us/products/trusted-signing
[2] https://learn.microsoft.com/en-us/azure/trusted-signing/quic...
[3] You need a CC and they will likely charge you at some point. Also I had to use some kind of business Azure/MS 365 account which costs about 5 USD/month. Not sure about the exact lingo, not an Azure/MS expert. The docs in [2] was enough for me to get through the process.
Obviously this should be an open source tool that people can build for themselves. If you want to sell premium services or upgrades for it later, you need to have an open/free tier as well.
Also are you aware of the (very awesome) EDR evasion toolkit called scarecrow? Naming stuff is hard, I get that, but this collision is a bit much IMO.
https://github.com/Tylous/ScareCrow
One more thing you could do is put the real name of any human being with any track record of professionalism, anywhere on the website. Currently you're:
- commenting under a pseudonymous profile
- asking for emails by saying "please email me. contact at cyberscarecrow.com"
- describing yourself in your FAQ entry for "Who are you?" by writing "We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."
I frequently use pseudonymous profiles for various things but they are NOT a good way to establish trust.
You're collecting personal info and claiming to be in the UK: identifying the data controller would be a start, both for building trust and complying with GDPR.
Not very convincing tbh. Theres's no source code and no real name or company on the website...
Something that would have built trust with me that I didn't find on the site was any mention of success rate. Surely CyberScarecrow has been tested against known malware to see if the process successfully thwarts an attack.
Where is that additional info? It just says you're a group of security researchers, but there are no names, no verifiable credentials, nothing. You haven't really added any info that would contribute to any real trust.
github link? if it's not open source it's dead on arrival
It is a cat and mouse game. And security by obscurity practice. Not saying it won't work, but if it is open sourced, how long before the malware will catch on?
Here is one on github:
https://github.com/NavyTitanium/Fake-Sandbox-Artifacts
I'd be willing to bet good money that 99% of malware authors won't adapt, since 99% (more like 99.999%) of the billions of worldwide windows users will not have this installed.
For the cat to care about the mouse it needs to at least be a good appetizer.
I think this is a same thing as betting on your own failure: "not enough people will use this for it to be an important consideration for hackers".
I've worked in companies with horrendous security, where someone with just a bit of SQL injection experience could have easily carried out the data. Yet, since this was a custom in-house application and your off-the-shelve-scanners did not work, this never happened; the only times the servers were hacked was when the company decided to host an (obviously never updated) grandfathered Joomla instance for a customer.
But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password. It's mostly really not about being a hard target, not being the easiest one is likely quite sufficient :)
Given how easy and free tools like Wireguard are to setup now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw away side projects.
If I were to run a Windows computer, I wouldn't care what 99.999% of other people didn't do to make their computer safe. If it were something that I could do, then that's good enough for me. However, the best thing one can do to protect themselves from Windows malware is to not use Windows. This is the path I've chosen for myself
The really fun part is when malware authors add detections for "fake sandbox" and then real sandbox authors get to add those indicators.
Look into Windows NT source code that was leaked. The if-else/switch statements in there is just another level of string matching hell. Seems like software development just become "let's jerry rig it to just make it work and forget about it." Pretty sure management (without tech clue) have something to do behaviours like this.
Always the same bullshit with you people here. Could never possibly someone built a sub-optimal system -- it HAD to be management fucking with our good intentions!
Author of scarecrow here. Our thinking is that if malware starts to adapt and check if scarecrow is installed, we are doing something right. We can then look to update the app to make it more difficult to spot - but its then a cat and mouse game.
You had an answer canned for one part of the query. Why are you trying to release security software completely anonymously? This is insane - you want an incredible amount of trust from users but can’t even identify a company.
Simply, if users are as intelligent as you think, they’re too intelligent to use your product.
If you think that is what will make it a cat and mouse game instead of understanding it has been a cat and mouse game since the beginning of time, then you're not compelling me into thinking you're very experienced in this space.
Some malware will catch on, some will not. It's a cost vs profit problem. Statistically, this will always decrease the number of possible malware samples that can be installed on the machine, but by what margin? Impossible to say.
It's not a cat an mouse game; it's a diver and shark game. In SCUBA training we joked that you had the "buddy system" where you always dive in pairs, because that way if you encounter a shark you don't have to outswim the shark, you only have to outswim your buddy.
A low-effort activity that makes you not be the low-hanging fruit can often be worth it. For example, back in the '90s I moved my SSH port from 22 to ... not telling you! It's pretty easy to scan for SSH servers on alternate ports, but basically none of the worms do that.
If windows would have this built in, then it would make malware authors job much more difficult. I like that.
Not just that - it only works on smart malware.
There is plenty of dumb malware.
Security folks seem to get overly focused at times on the most sophisticated attackers and forget about the unwashed hordes.
No different from MacAffee, Trend Micro, Symantec. Oh, but those are brand names you can trust, like Coca-Cola and Kellog's Corn Flakes.
Besides the obvious points made by others, those are odd choices. I don't trust any of those brands.
well... yes, that's what trust means
You can't spot the super subtle difference between a name with a rep to protect and a no-name?
Unfortunately (at least outside of HN) "people who understand what this tool does" probably isn't a subset of "people who would run that "exe"."
A lot of security stuff is a bit ironic like that. "Give this antivirus software super-root access to your machine".. it depends on that software being trustworthy.