There was another issue[1] that also began with the phrase, "When you install Comodo Internet Security...", which was also reported/discovered by Tavis (also had an HN discussion[2]). This phrase now sounds much more ominous to me.
Tavis also recently discovered this issue with another AV/security software vendor[3]
(Related HN discussion [4])
Is it bad that when I see one of these, I'm no longer surprised?
At this point "When you install Comodo Internet Security..." is the first half of computer security punchline in which the joke is on the buyer of this product.
"This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn't prevent the attack they claim it solved."
I love that it's not just a generated SHA1 using known parameters, but just the first 8 characters, thereby reducing the search space considerably even if you cannot compute the hash.
RealVNC (authoritative) is currently 255 characters. Older legacy implementations may still be 8.
RFB protocol itself is agnostic[0]:
VNC authentication is to be used and protocol data is to be sent unencrypted.
The server sends a random 16-byte challenge:
No. of bytes   Type   [Value]   Description
16             U8               challenge
The client encrypts the challenge with DES, using a password supplied by the user as the key, and sends the resulting 16-byte response:
No. of bytes   Type   [Value]   Description
16             U8               response
The protocol continues with the SecurityResult message.
Having had to implement VNC authentication a while back, I can assure you that it is not agnostic, and you have inadvertently revealed the reason for that in your own post.
Since the user password is used as the DES key, and DES key size is limited to 56 bits (plus 8 parity bits), your key can only be up to 7 8-bit characters long. However, since ASCII only uses 7 bits, you give an 8 ASCII character key instead, and the unused 8th bit of every byte is simply discarded. If the password is shorter than 8 characters, it's just padded with zeroes.
Many VNC clients and sometimes even servers allow you to enter a longer password, but as long as they're connecting to the standard auth implementation, they'll actually truncate your password to 8 characters during operation. Yes, even RealVNC's client does that when only the standard auth is possible. It will warn you that the connection is not encrypted, but it won't let you know that your password just got slashed.
Defining alternate authentication schemes is possible, but requires VNC clients to add support for those. RealVNC has simply defined one of those. So everyone should just implement that, right? I think you'll find out the reason why the standard auth is still so prevalent if you spend some time trying to find any implementation documentation for it.
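The truncation and discarded-high-bit behaviour described in the two comments above, shown as an added example (not code from the thread or from any VNC project) using Go's standard-library DES. It assumes the key-handling quirk of the widely used reference implementation, where each password byte is bit-reversed before being used as the DES key; the RFB spec quoted above does not state this, so treat it as an assumption about typical implementations.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// vncKey builds the 8-byte DES key from a password the way the common
// "VNC Authentication" implementations do: the password is truncated or
// zero-padded to exactly 8 bytes, then each byte is bit-reversed (assumed
// reference-implementation quirk). DES ignores the lowest bit of every key
// byte as parity, so after reversal the password's high bit is simply lost.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copies at most 8 bytes: this is the truncation
	for i, b := range key {
		var r byte
		for j := 0; j < 8; j++ {
			r = r<<1 | (b>>uint(j))&1
		}
		key[i] = r
	}
	return key
}

// vncResponse encrypts the 16-byte server challenge as two DES-ECB blocks,
// which is the 16-byte response the client sends back.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// sameResponse reports whether two passwords produce the same response to
// the same challenge, i.e. whether the server can tell them apart at all.
func sameResponse(p1, p2 string, challenge []byte) bool {
	a, err1 := vncResponse(p1, challenge)
	b, err2 := vncResponse(p2, challenge)
	return err1 == nil && err2 == nil && bytes.Equal(a, b)
}

func main() {
	challenge := []byte("0123456789abcdef") // constructed; a real server sends 16 random bytes
	fmt.Println(sameResponse("correct horse battery", "correct ", challenge)) // true: truncated to 8
	fmt.Println(sameResponse("password", "p\xe1ssword", challenge))            // true: high bit ignored
}
```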
Comodo has a series of really awful security problems in their security products. For example, they were the first major SSL certificate vendor to publicly confess they were hacked issuing rogue certificates. Many of their failures are more than just honest mistakes and suggest some very poor decision making at the top. https://en.wikipedia.org/wiki/Comodo_Group#Controversies
I don't quite understand how they are still in business.
> I don't know anything about the supposed vulnerability that was described and then resolved but I feel safer searching the web with Comodo's browsers.
The people making decisions about what security products to buy can be very, very far removed from people who understand security. Windows defender, bless it, has changed it to a security built on ignorance.
Can you expand on your Windows Defender statement? I've heard nothing but good things from techs about it. I know it's not useful against zero days because it is signature based, but uses less system resources as a result.
I count myself as reasonably informed about security threats, I've been recommending Defender / Security Essentials to people instead of AVG/Avast/Comodo/Symantec for home users.
Dismissive, brief statements like yours don't really help - they don't give me enough information to go research whether I should be recommending something else (including offering financial support to pay for subscriptions)
I know that Defender doesn't have the world's best detection rate, but isn't it better than an expired copy of McAfee?
Should I be recommending EMET? Virtual Machines? Qubes OS?
This backdooring by "security" vendors has got to stop. This needs to be heavily publicized. Reach out to your press contacts. Comodo needs to feel serious pain for this.
It's a good time to publicize this, because Apple is in the US national news for refusing to crack Apple phones for the FBI.
It's really a shame to see how many holes there are in this product. It's actually a nice (looking) product! It claims to handle everything for you: firewall, antivirus, spyware. It even has an option to let you run an app in (what it calls) a "sandbox" if you suspect the app might be harmful.
I had it installed on my Win 7 laptop for the past five years. It was a program that did a lot to make you feel like it was protecting you, such as displaying a pop-up whenever:
- An app tried to connect to the internet
- An app tried to execute or communicate with another app
- An app tried to modify the registry
- An app tried to read keyboard/mouse input
Part of it could be rather annoying (particularly when some applications like Crashplan would try to auto-update and fail during the night because I wasn't at my keyboard to approve the connection attempt that Comodo blocked), but it did feel secure. After the last Comodo gaffe[0], however, I finally said enough and uninstalled Comodo Internet Security and went with GlassWire instead for my firewall.
This kind of popup is exactly the psychological manipulation that vendors use to make you feel good about using their products. Same for "cleanup" apps which show a satisfying progress bar of how your device is "cleaned of all bad things".
To be honest, I really like the approach of network blocking. If you strip everything bad from that product and leave just the interactive firewall - it's great! Mainly because it's a whitelist rather than blacklist - so you need to spend time configuring it, but then it really does the right thing.
Or at least tries to... does windows security expose the actual network connection hooks to personal firewalls, or do they have to fight for dll hooks in the same way as malware?
Because it (assuming you are using Windows) lacks features and fine grained controls? IE also comes with OS, but that doesn't mean one should not look for alternatives.
Windows really doesn't have a firewall with features comparable to other operating systems?
I suppose Microsoft's point of view could be that they don't want users to accidentally screw themselves while trying to open a port for BitTorrent, for example. I wonder what percentage of Windows users end up installing 3rd party spyware garbage to get a "real" firewall?
I have comodo ssl certificates just because they are cheap but when I see how bad they fuck up anything that has to do with security (like their chromodo browser), I wonder if I shouldn't have bought shorter dated certificates. At this pace it is bound that they lose their root certificate sooner or later.
I doubt these CA can write insurance contracts themselves without being a regulated insurance company so they must legally have an external insurance. I would be curious to know how much they are paying on this contract.
The insurance bit is forced selling of an unwanted product. I am sure that 99% of certificate buyers do not need more insurance from their certificate provider than they need it from their hosting company, or the developers of Apache and OpenSSL.
Thanks to the ridiculousness that is the CA system, Comodo losing their root cert private key is a nuclear meltdown regardless of whether you are their customer or not. Browsers trust Comodo; if an attacker MITMs a client connecting to your site and presents a cert signed by Comodo, that will be accepted (unless the client previously visited your site and your site uses HPKP, but I think that's discouraged/broken for some reason, since I'm not seeing it on popular sites?).
I think cm2187 was referring to the CA death penalty with the "lose their cert" reference. ie, Browsers decide to reject Comodo CAs from their trust store.
One would hope that losing control of HSM-stored crypto material is improbable, regardless of other questionable security practices.
I believe cheap Comodo SSL certs are domain based and subject to DNS hijack aren't they? If so they shouldn't be considered all that secure for websites that have customers and need to be secure.
The CA system, for better or worse, doesn't work that way. Even if your cert is not from a domain-validating CA, that doesn't prevent the attacker from getting a cert from them. And I'd bet that pretty much all root CAs are domain-validating these days.
If by "DNS hijacking" you mean seizing control over the account with the registrar to change the delegation, or the legitimate DNS servers, I don't think there's a strong reason to worry about that more than someone seizing control of your account with your SSL provider, or your webserver, respectively. (It's possible to secure the former two at least as strongly as the latter two.) If by "DNS hijacking" you mean attacks on the unauthenticated DNS protocol, CAs are sort of supposed to query DNS from multiple locations to defeat that, although I don't think there's a strong rule about this. I'm not sure what Comodo's and Let's Encrypt's specific practices are.
Years ago Comodo made a decent app. With updates I've noticed the software become scummier and less effective. I totally removed and CCleaned it away a few years ago.
VNC is not malware. It simply should not be installed as part of a security package, or at least users should be warned of the risks and told the default option is to not install.
>Regarding the vulnerability below, we have issued a hotfix on 10th of February.
>GB 4.25.380415.167 has the required fix and 90+% of existing users are updated as of now.
Since the issue was fixed and rolled out, it was reasonable to reveal it instead of waiting.
So which anti virus and firewall SHOULD I use on windows? I am hardly on Windows anymore, just for the occasional game, but I still want to have some protection.
Windows Firewall isn't particularly good though, and it could be assumed that MS logging and telemetry (like the Windows 10 kind) will bypass it like they do the hosts file.
1. https://code.google.com/p/google-security-research/issues/de...
2. https://news.ycombinator.com/item?id=11021633
3. https://code.google.com/p/google-security-research/issues/de...
4. https://news.ycombinator.com/item?id=10882563