[janwillemb]

> [Longhorn] has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets.

I genuinely don't see the added value of antivirus corporations in this or anywhere else. Better tactics are:

- patch

- educate wife and children

[munin]

My wife has a PhD and ran up to date Firefox with noscript, Flash disabled, and ad-blockers, uses webmail, and doesn't install software or download executables in general. She still got hacked, due to a bug in Firefox that was exploited despite having noscript and Flash disabled.

How, exactly, would you have educated her?

[haddr]

It's hard to be "invulnerable" these days. I guess you could avoid the majority of infections by using some "weird" software configuration: such as linux with some nightly built of chromium. I heard that Macs are also quite resistant (still). But these things are very dynamic and change fast. What was good yesterday ("educate" users), may not be relevant any more today.

[xorblurb]

Real question: what kind of website she visited to get such infection? It's quite uncommon (even though theoretically an existing risk pretty much everywhere, and probably even not that hard to do if you control a website)

[munin]

reddit, imgur, news sites. It was via an ad delivered over an ad network, so who knows really.

[janwillemb]

How come the adblocker didn't block the ad network?

[munin]

I blame the ad blocker / ad network arms race.

[williamscales]

Sounds like the kind of thing that could get anybody, even a reasonably paranoid person.

[jsmthrowaway]

By telling her to wait for the man to come home and fix the computer, if I'm reading that comment correctly. (I hope I'm not.)

[DougN7]

> educate wife and children

I'm guessing you don't have teens who have to have the latest mod for every game they play. Giving up a very real download for the slight chance of a virus is a risk they are very willing to make.

[M_Grey]

Seriously, it's not just teens either, it's many college students too. In general, anyone who didn't have to buy their own stuff has a bit less respect for it, and while that doesn't describe all teens or college students, it describes a huge number of them; a rich target pool.

I remember in the early days of exploitative XDCC botting, practically all of the most exploited ip ranges were scholastic; new devices each semester, often given to teens as a present.

[ryanmarsh]

This is why abstinence education results in teen pregnancies. Teenagers require birth control and supervision.

[andrewguenther]

While I think that consumer antivirus is pretty terrible, I think it is hard to say that antivirus companies don't add any value.

I'd highly recommend reading up on Stuxnet and the work done by security firms (many of whom would qualify as antivirus corporations) to identify the source, spread, impact, and intent behind one of the most advanced technical attacks ever identified.

Fun Wired article on the topic: https://www.wired.com/2011/07/how-digital-detectives-deciphe...

Also a book: http://a.co/0WGJm1H

[janwillemb]

Thank you, that was a nice read.

[sp332]

Most attacks do not involve 0-days. Being protected against many known kinds of attacks is valuable.

[kjs3]

- Don't run day to day with local admin

[chrisper]

Many people say that the first thing they do is disable UAC. One person even told me that people who know what they are doing disable UAC.

Not sure what to think of these people

[xorblurb]

UAC is arguably better than nothing but: it was designed to run at max level (the only available one in Vista, where it was introduced). Because the UX hindrance was too high MS added intermediate levels, but without evolving the whole design from a security model point of view. The result is so weak that MS simultaneously started to declare that UAC is not a security boundary, so they don't have to include comprehensive fixes in each security patch, only partial ones in system upgrades, when they feel like it.

https://github.com/hfiref0x/UACME currently references 8 unfixed bypasses. That's so high that I don't think this is reserved for targeted infection; it might very well happen in common malware.

[pavement]

UAC is merely a prompt that desensitizes users to more prompts. Whenever UAC shows up, for most people, the default reflex is just make the annoying prompt go away. Yes it to death.

Users simply should not log in as Administrators for day-to-day use. Anything requiring Administrator permissions should force a full log out, and change of identity. UAC doesn't educate users. Users should either be locked out of dangerous operations, or not locked out.

Administrators should take action only when there's the awareness that their decisions could result in the need to perform a full re-install of the system, without internet access.

This is the "nuke from orbit" gambit. It's the only way to be sure.

[funkymike]

I recall at least one instance where my mom stopped at a UAC prompt wondering what it meant. Her calling me to verify what it was doing saved her from installing some malware. So anecdotally those prompts are not completely useless. She is not a tech literate person either, not much beyond referring to the browser as "the internet."

[pavement]

But, did she have Administrator permissions?

[kefka]

Well, I think this picture sums up a lot of thoughts on this subject: https://xkcd.com/1200/

In a nutshell, your user account has all your data, all your session cookies, all your logins and passwords, all your documents.... Everything.

And what can root/Administrator do? That's right, play with device drivers and systems stuffs. Once you have the primary user's account, unless it's a multiuser system, it's game over.

Just with user creds, I can start encrypting files to #evil_private_key , emailing browser data, keylogging, screencapping, data injection, and being a general nuisance.

The only good defense I've seen to this is what Qubes incorporates: Zones. It's virtual machines, with unique unspoofable borders, that you can configure to only allow the minimum amount of permission the container needs. Bank Zone only needs to talk to bank and financial websites. It doesn't need sound, or direct graphics access. Tor Zone allows talking through TCP on specified ports to and from, to allow Tor across system.

In that case, yes a specific system could be compromised, but using containers like that keeps damage limited.

[problems]

Yes, exactly, I also have sudo no password on my linux boxes. If you're on my account you can keylog me or dump my keepass DB from memory. You may as well go ahead and have root too.

UAC is particularly bad in that it also produces problems with older applications and causes other applications to pop up UAC dialogs frequently. It's a huge annoyance with little security impact.

At worst it may make malware harder to remove if I do get infected - but in my experience, 99% of the malware you find kicking around on the internet isn't rootkit loaded 0 days - it's script kiddies crapping out iStealer to dump browser passwords or darkcomet to run DDoS botnets.

[Godel_unicode]

Lack of root makes being stealthy and covering tracks more difficult. Log clearing almost always requires elevation. If getting owned is a given (and it is) then the most important thing is detection after the fact.

[jsmthrowaway]

Depending on what magnitude of "after" you mean, of course.

[moogly]

https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=...

I'm in the "meh" camp here.

[gnaritas]

That's because UAC in windows is worthless, it's a broken version of sudo that fails to do the one thing necessary, force a re-authentication of credentials. There's little point in popping up a warning than people can simply click right past without requiring admin credentials.

[Terr_]

It works if you have a separate admin account. Then at least you have to enter its credentials, if not your own.

[gnaritas]

Yes, but then you aren't doing things in your own account with temporarily elevated privadledges which is the intent of UAC, it's supposed to be like sudo.

[ryanlol]

sudo as root usually doesn't ask for password either.

[gnaritas]

sudo as root is unnecessary, sudo only makes sense for non root accounts; and sudo prompts the user for his own password ensuring that even someone that walks up to your computer can't perform root actions just because you're logged in and ensuring the user can't simply click without thinking which is what everyone does on windows which is why UAC is so often disabled.