Jump to content

oblivionisinevitable

Members
  • Posts

    1
  • Joined

  • Last visited

Reputation

0 Neutral
  1. So, this may be entirely unreasonable in a productivity sense, but I have been thinking about a ransom software firewall that would essentially remove almost all ability for even unknown ransomware threats to truly be feasible in large scale attacks. The unreasonable part I will start with in that, this is an entirely different approach to security than normal. Generally, almost all IT software that must be maintained on systems approach security as well as others interests with the idea that productivity first and foremost are the most important aspect of IT. There was also a time in history when productivity was more important than employee safety, and as time went on this has mostly changed. I believe too, with IT security, there is a change coming from where instead of approaching security with productivity being the leading factor forcing an allow all ideology unless otherwise known to be malicious in nature to the opposite, where security concerns and breaches will outweigh the gains in productivity to approach security in this manner, and at this time, like productivity and worker safety, they will invert, and security will become more important than productivity which will spur a new way of thinking of security instead of an allow all unless otherwise known to be malicious, it will be the block all unless otherwise known to be good. We have already reached this point with firewalls and so on, which was not always the case before. With this thinking, it makes me wander if creating a true ransomware soft firewall would be in line with this notion. In ransomware, there is primarily one major flaw that can be exploited to be used against itself in my opinion which ties almost all ransomware together in this one flaw. Encryption requires a key, there are only two true ways of creating an encryption key, there are PSK's, pre-shared keys, which are not suggested to be used unless necessary and in large deployments they are essentially their own undoing because there are more "victim" machines to manipulate to garnish this PSK from and that is the flaw in the PSK method, rendering it a less secure way of creating encryption keys and as such, easier to "break" the encryption key or acquire it by other means such as decompilation of malware, and so on. The only other method for creating encryption keys, which all Ransomware and encryption requires, is to use the RNG(Random number generator) chips and functions to create a truly unique string to be used as a key. In this method, because each key is random and unique, and usually the formulas are not reversible, you cannot find, acquire, or break the decryption key, with a single victim machine using this key. As such, I believe creating software with signatures to block all calls to RNG's chips/functions first and foremost, and have a whitelist function to allow bypassing of this check or block, would be one way of stopping almost all credible Ransomware threats known and unknown, while PSK ransomware will be it's own undoing in the long run. Mostly, while others do for one reason or another, RNG calls are used in encryption and gaming. As such, whitelist could be pre-filled with known good software for encryption and games, etc, while blocking anything else from creating uniquely random strings. I do not have the experience to write the signatures myself, so I am not sure if this is a reasonably effective way of blocking ransomware. Does it seem this might be worth pursuing or researching from other more experienced security engineers?
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.