Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

haute secure – how it works

June 26th 2007 in Uncategorized

Ok, so I’ve had the chance to chat to the developers behind Haute Secure, and I have a little more information about the hows and whys of the product.  I’ll leave it to them to introduce themselves, and provide their Curriculum Vitae, in future days/weeks.

My regular readers will know that I had a few questions about Haute Secure:

“There is a lot still to be learned about Haute Secure – for example, exactly how does it work and how often is the database updated – is information transmitted encrypted – is it a fully dynamic service or is information stored locally – what classes as malware – does the site have to actually attempt to install software to be blocked, or is a known download site for fraudware (such as sites used by the Winfixer family of fraudware) also blocked – how will it handle malicious banner advertisements or pop-ups – will it go down the “all adverts are bad” route taken by the popular protective HOSTS files, or will it try to differentiate between good ads and bad ads (which is going to be a real technical challenge).”

I won’t go into too much depth now – the product is still in alpha, and the developers are very open to feedback, therefore the entire situation is still very malleable – it is more appropriate to consider the following as current thinking rather than set-in-stone “this is how it is going to work” type information.  Please be gentle on the guys... they’re talking to the best people in the business (including me, forgive the arrogance) so things could, and likely will, change as they go forward.

Data and syncing

There is a locally cached copy of the master database. The data store itself is locked very early in the boot process and the application has the only interface to it.  The client regularly syncs a copy of the database with Haute’s web service.  The data that comes down to the client is hashed and signed.  The resync interval is still being tweaked, but it’s very regular, certainly comparable with IE7’s phishing filter.

Haute Secure’s client application and web service relationship

The client provides both ‘passive’ and ‘active’ protection. Passive protection is the block list, which will pop up the block/warn dialog on the client if the user navigates to a site that has previously been identified as having bad content.  Active protection is a behavioral analysis that watches for and then protects against sites exhibiting malicious behavior. This way, if a user hits a malicious site that Haute Secure has never encountered before, it can protect them even though the site isn’t on the block list. The client protects the user by blocking the malicious behavior AND reporting the malicious site to Haute’s web service.  This report is then validated and propagated out to all other clients via the web service.

The service

The backend is proactively going out and scanning for malicious sites, and is the primary way that the block list is populated.  The service also validates sites that the client behavioral analysis believes are malicious and then passes them through to the web service.

The current thinking is that Haute Secure will not block all ads BUT they are already picking up malicious ads in their backend scanning. Since they have behavioral analysis and protection on all the clients, they hope to pick up and block malicious ads that get served that have not previously been encountered (and, of course, once one client picks an ad up, it goes back to the web service and then gets propagated out to all the other clients).

They don’t tackle fraudware – yet.

As Haute explains it, fraudware is a very hard problem to solve in an automated way (and heaven knows I, and every advertising network out there, will agree with them). Watch this space for possible developments on that point.

I admit to being very excited about the potential for good in this product.  Malware served via banner advertisements, hacked web sites and malicious blog comments is a growth industry.  I’ve had discussions with antivirus companies that I have connections with about the need to actively honeypot the various advertising networks because of the reality of hostile creatives, but the reality is that they can’t help out in a way that can make a real difference.

I hope, I hope, I hope, I hope, I hope that going forward services such as Haute Secure can make a real difference in the fight against malware and betrayware, and the attempts by the bad guys to get on to our system via Web 2.0 … fingers crossed…

More to come later as the product develops.
