Man, I miss those days too. Some of the most creative UX experiments came out of the Windows team back then. Too bad they couldn't get any of it to build worth a damn.
>On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.
Its Symantec, they run AV on thousands of computers across the globe. All the events generated from these computers get sent to them. Removal/cleaning procedures would be one of those events, probably for this very reason (i.e creator gets sloppy, installs and then uninstalls on their own machine).
It's nice that Symantec has shared this info but their attempt at neutrality is frustrating.
Based on their data they could easily state that Longhorn is a CIA group. They also didn't provide any links to WikiLeaks for people to learn more about what Vault 7 is.
Would they want to know for absolute certain the source of it, or if they did know, would they want to acknowledge that? Suppose it is from the CIA, they acknowledge it, and then add removal of it to their tools. They (NASDAQ-listed public company) would have then just knowingly acknowledged interfering with the activities of the intelligence agency in the country in which they operate.
I think it's smart for Symantec to remain completely neutral and unassuming.
How is this even neutrality at this point? And what is there even to attempt? It is ridiculous and serves no purpose that they do not write "CIA" once.
My wife has a PhD and ran up to date Firefox with noscript, Flash disabled, and ad-blockers, uses webmail, and doesn't install software or download executables in general. She still got hacked, due to a bug in Firefox that was exploited despite having noscript and Flash disabled.
It's hard to be "invulnerable" these days. I guess you could avoid the majority of infections by using some "weird" software configuration: such as linux with some nightly built of chromium. I heard that Macs are also quite resistant (still). But these things are very dynamic and change fast. What was good yesterday ("educate" users), may not be relevant any more today.
Real question: what kind of website she visited to get such infection? It's quite uncommon (even though theoretically an existing risk pretty much everywhere, and probably even not that hard to do if you control a website)
I'm guessing you don't have teens who have to have the latest mod for every game they play. Giving up a very real download for the slight chance of a virus is a risk they are very willing to make.
Seriously, it's not just teens either, it's many college students too. In general, anyone who didn't have to buy their own stuff has a bit less respect for it, and while that doesn't describe all teens or college students, it describes a huge number of them; a rich target pool.
I remember in the early days of exploitative XDCC botting, practically all of the most exploited ip ranges were scholastic; new devices each semester, often given to teens as a present.
While I think that consumer antivirus is pretty terrible, I think it is hard to say that antivirus companies don't add any value.
I'd highly recommend reading up on Stuxnet and the work done by security firms (many of whom would qualify as antivirus corporations) to identify the source, spread, impact, and intent behind one of the most advanced technical attacks ever identified.
UAC is arguably better than nothing but: it was designed to run at max level (the only available one in Vista, where it was introduced). Because the UX hindrance was too high MS added intermediate levels, but without evolving the whole design from a security model point of view. The result is so weak that MS simultaneously started to declare that UAC is not a security boundary, so they don't have to include comprehensive fixes in each security patch, only partial ones in system upgrades, when they feel like it.
https://github.com/hfiref0x/UACME currently references 8 unfixed bypasses. That's so high that I don't think this is reserved for targeted infection; it might very well happen in common malware.
UAC is merely a prompt that desensitizes users to more prompts. Whenever UAC shows up, for most people, the default reflex is just make the annoying prompt go away. Yes it to death.
Users simply should not log in as Administrators for day-to-day use. Anything requiring Administrator permissions should force a full log out, and change of identity. UAC doesn't educate users. Users should either be locked out of dangerous operations, or not locked out.
Administrators should take action only when there's the awareness that their decisions could result in the need to perform a full re-install of the system, without internet access.
This is the "nuke from orbit" gambit. It's the only way to be sure.
I recall at least one instance where my mom stopped at a UAC prompt wondering what it meant. Her calling me to verify what it was doing saved her from installing some malware. So anecdotally those prompts are not completely useless. She is not a tech literate person either, not much beyond referring to the browser as "the internet."
Well, I think this picture sums up a lot of thoughts on this subject: https://xkcd.com/1200/
In a nutshell, your user account has all your data, all your session cookies, all your logins and passwords, all your documents.... Everything.
And what can root/Administrator do? That's right, play with device drivers and systems stuffs. Once you have the primary user's account, unless it's a multiuser system, it's game over.
Just with user creds, I can start encrypting files to #evil_private_key , emailing browser data, keylogging, screencapping, data injection, and being a general nuisance.
The only good defense I've seen to this is what Qubes incorporates: Zones. It's virtual machines, with unique unspoofable borders, that you can configure to only allow the minimum amount of permission the container needs. Bank Zone only needs to talk to bank and financial websites. It doesn't need sound, or direct graphics access. Tor Zone allows talking through TCP on specified ports to and from, to allow Tor across system.
In that case, yes a specific system could be compromised, but using containers like that keeps damage limited.
Yes, exactly, I also have sudo no password on my linux boxes. If you're on my account you can keylog me or dump my keepass DB from memory. You may as well go ahead and have root too.
UAC is particularly bad in that it also produces problems with older applications and causes other applications to pop up UAC dialogs frequently. It's a huge annoyance with little security impact.
At worst it may make malware harder to remove if I do get infected - but in my experience, 99% of the malware you find kicking around on the internet isn't rootkit loaded 0 days - it's script kiddies crapping out iStealer to dump browser passwords or darkcomet to run DDoS botnets.
Lack of root makes being stealthy and covering tracks more difficult. Log clearing almost always requires elevation. If getting owned is a given (and it is) then the most important thing is detection after the fact.
That's because UAC in windows is worthless, it's a broken version of sudo that fails to do the one thing necessary, force a re-authentication of credentials. There's little point in popping up a warning than people can simply click right past without requiring admin credentials.
Yes, but then you aren't doing things in your own account with temporarily elevated privadledges which is the intent of UAC, it's supposed to be like sudo.
sudo as root is unnecessary, sudo only makes sense for non root accounts; and sudo prompts the user for his own password ensuring that even someone that walks up to your computer can't perform root actions just because you're logged in and ensuring the user can't simply click without thinking which is what everyone does on windows which is why UAC is so often disabled.
I wonder if qihoo 360 or other Chinese security companies would post such blog entries on Chinese intelligence malware and operations in a similar vain. Same for Russia.
Symantec: Why require Javascript? Why not make it optional?
For users who do not use Javascript to read news: https://www.symantec.com/connect/tr/blogs/longhorn-tools-use...