[randomf1fan]

How does one realistically protect against these new attack vectors? It's all become so quick - the malware infects your machine, and seconds later your repos are cloned.

Most computers are always connected to the internet when they're on, even if they don't necessarily need to be. Airgapping isn't really used outside of very sensitive networks, but I'm starting to think we need to head towards a model of connecting machines only when really needed.

Of course the cloud based world doesn't allow for that, and perhaps I'm a luddite, but I increasingly find myself disabling the network connection when I'm working on my PC. Kind of like the dial-up days.

[shubb]

Have a fun laptop, a work laptop, and maybe banking tablet?

As a good corporate drone, this arrangement is kind of forced on me, but a lot of small company / startup folks totally mix the two. Might be a good thing to not do.

Sure it doesn't protect you from e.g. a tool you need for work being compromised, but it reduces the attack surface - this guy probably wouldn't have installed handbrake on his work machine.

Another thing we do specifically because medical data is, a lot of the time I'm forced to work inside a non internet connected network that I vpn and then remote desktop to. Firewall rules mean the only thing getting in from my laptop is vnc. Some systems also require plugging into a specific physical network. Overkill for most uses but it makes losing laptops fat less scary if you can keep a lot of your stuff on a more secure remote system.

[waz0wski]

> Have a fun laptop, a work laptop, and a banking tablet?

Try out Qubes: http://qubes-os.org

[shubb]

This is a really good thing, and thank you for showing it to me.

Something like this could be good if you wanted to rapidly switch between different compartments on a single device. It would be great for e.g. keeping a 'sensitive data' compartment seperate from a 'emails and paperwork' compartment on a work laptop.

Doing something like this is certainly better than using a single device with no seperation or just user accounts.

Psychologically, I still think that training people to use different devices for different things is more likely to stick than (account seperation on steroids). This extends to physical security - not leaving a work laptop in your backpack in a nightclub cloakroom like you might a personal device. But in the end with that reason, at a small comapany where you can avoid hiring idiots, it's up to each person to decide what psychological tricks they need to get themselves to do things.

I wouldn't trust something like this to keep high security information seperate. When some exploit that escapes Xen or (for a corp) accesses windows systems otherwise securely configured, there is nothing like isolated networks to keep your blood pressure low. For most software a service dev type people you already have this - your data lives in a data center on carefully configured production servers. But for data science type users, you see a lot of people (especially in accademida) doing work with potentially scary datasets on local laptops they probably also watch pirate TV on at home, which is a bit concerning. I guess at least if they were using qubes it would be a bit better though.

[greedo]

Training users has been tried for over two decades and has largely failed to hinder black hats in any significant way.

[coldtea]

Failed on the users who took well to the training, or to those who ignored it/failed it?

Because we can always not care about those others in the context of what we should do.

[greedo]

Failed to improve computer security overall. Users (generally speaking, not HN readers) don't have the skills/inclination/time to be proficient at managing their systems. Efforts to educate them in malware avoidance, system upkeep etc etc are failures by and large.

Technology can only do so much to "protect" users from themselves, and from miscreants. Couple this with an indifference to privacy on most of the connected population, and you've got a recipe for a world where nothing is safe.

http://panelsyndicate.com/comics/tpeye

[joshstrange]

> Have a fun laptop, a work laptop, and maybe banking tablet?

I would both prefer and hate this setup. I use my personal laptop for work and having all my apps, data, settings, etc available in one place is amazing. I could get past using different computers but the sad reality is my provided work computer is underpowered compared to my 3.5 year old macbook. I can run circles around my coworker's machines on the simple fact I have an SSD. IDEA opens in seconds for me while they go get a cup of coffee. Our desktops haven't been updated in probably 4+ years and I strongly believe they'd be more productive on macOS than on whatever flavor of linux they are using (Most use Linux because they'd rather die than use Windows and they can eek a little more performance out). A number of them have older macbooks they use for meetings but they aren't powerful enough to actually develop on.

[ungzd]

"Work" usually requires more software to be installed than "fun". This "Handbrake" app may be used for creating videos for web, for example.

[st3fan]

* How does one realistically protect against these new attack vectors?*

Do not install unsigned software is a good start. Does that dialog need a secondary 'Are you really really sure?' absolutely .. but the basic defence in this specific case was in place.

[libeclipse]

Yeah, Linux especially I've never downloaded and installed something manually from the internet. I get all of my packages directly from:

  pacman -S foo

Or sometimes maybe:

  yaourt -S foo

tl;dr Use your operating-system's package manager.

[Macha]

The AUR (Since you mention yaourt) or PPAs are the linux equivalent of downloading random crap off developer homepages though. They have benefits in terms of updates etc. but they're no more secure (And you may want to look at the next PKGBUILD you install and see how many of them are literally just grabbing stuff off third party servers anyway)

See for example:

* Kivy: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=pytho...

* Chrome: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=googl...

* Vivaldi: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=vival...

* Plymouth (over HTTP too!): https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=plymo...

* Oracle JDK (also plaintext HTTP!): https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=jdk

[floatboth]

That's how pretty much all packages in any distribution are built.

Note the included hashes — if the file on the server gets replaced, the building process will complain. (Sure the package maintainer will probably just replace the hash :D But if the file changed but the version number didn't change, or there was no release announcement, that's suspicious…)

[kingosticks]

But arch pulls these files and rebuilds every time, right? Compared to most other distros where only the (more) savvy maintainer does these steps. Don't arch end users just assume there's a new version out and the package hasn't been updated, ignore the error and install anyway? Or are they better trained to take notice of this suspicious stuff?

[floatboth]

> ignore the error and install anyway

I don't remember how Arch does it, but in FreeBSD Ports you need to actively replace the hash in the text file, there's no easy ignore option. (FreeBSD also mirrors the files on the project's servers, which is pretty cool)

[egypturnash]

MacOS's package manager is the App Store. Which Handbrake isn't on.

It isn't on the Windows store either as far as I can tell.

Why, I don't know - maybe nobody involved wants to pay the fees to become an Authorized Developer, maybe there's a Free Software religious argument going on, maybe Apple doesn't want a program whose original function was "ripping DVDs" to be on there because of the many deals they have with the entertainment industry.

tl;dr: the program in question ain't in the operating system's package manager.

[derimagia]

App store has a lot of issues as is, I actively try to avoid the app store. I'm sure it's more secure, but security isn't everything. The issue doesn't have to do with the app store, it's being careful what you are downloading no matter what it's from.

[libeclipse]

Maybe use operating systems that have proper package managers then.

cough Arch cough

[badosu]

AUR (Arch User Repository) is a great way to provide user and vendor provided installers IMO: you can check the build script, comment on it, flag outdated ones define and change maintainers while providing a web interface as well.

[jackewiehose]

I'm using linux for some time and I installed tons of software without my package manager (thats unavoidable because not every package archive has every software).

In the end its all about trust. If you trust some web domain you can also trust their software. If that software is compromised you're out of luck. No package manager or walled apple garden can help you with that.

[clarry]

But there is more to trust than just domains (web servers): signatures. If only people used these.

[AnimalMuppet]

We had a system that was used to generate television graphics. Our installer for new software was capable of bringing up a system with a new hard drive, so one of the options it had was to format the hard drive. The installer asked three times if you were sure, with increasingly severe warnings about losing all your data. Sure enough, a customer with an existing hard drive ran through all three warnings, formatted their hard drive, and then called customer service to complain about losing all their data.

The solution, of course, was to add a fourth question...

[mark-r]

A fourth question obviously isn't going to help. Make them enter "erase my drive" into a text box, that might get them to pause for a moment.

[strictfp]

Well, the probability approaches zero asymptotically as the number of questions approaches infinity...

[coldtea]

>How does one realistically protect against these new attack vectors? It's all become so quick - the malware infects your machine, and seconds later your repos are cloned.

1) Don't install random crap off of the internet: only use the Mac App Store, with sandboxed apps and "System integrity protection" turned on.

2) If you absolutely need to have some non-MAS app, check the checksum, download the DMG, but let it rest, and only install it a month or so later, if no news of breach, malware etc has been announced.

3) Don't give a third party program root privileges -- don't give your credentials when a random program you've downloaded asks for them.

4) Have any sensitive data (e.g. work stuff, etc) on an encrypted .DMG volume or similar, that you only decrypt when you need to check something. Even if your mac is infected, they'll either get just an encrypted image of those, or wont be able to read it at all.

5) Install an application firewall, like Little Snitch.

6) Keep backups.

[Kenji]

Use a packet manager like apt to download and install your software. I think there are also packet managers for Mac OS and Windows.

[pfg]

I definitely agree with this advice in general, but as it so happens, users who installed HandBrake via homebrew (a package manager for macOS) were affected by this too because the hash for the latest version of HandBrake was changed to the infected version[1]. Still, package managers definitely make it harder for the attacker in most cases.

[1]: https://github.com/caskroom/homebrew-cask/pull/33354

[dlandis]

Wow, that's a strangely aggressive reply from one of the contributors on that thread. And then he said:

> 99% of the time these hash changes are innocent

That's actually not very good at all and proves they shouldn't just trust hash changes! Very odd

[bm98]

In cases where I need to download and install unsigned software that's not available via package manager, I run hashes (MD5, SHA1, SHA256, etc.) on the downloaded file and the run Google searches on those hashes. As long as the software has been released for more than a day or two and it has a decent sized user base, the hashes will show up in various places such as fossies.org and will be cached by google. That would have protected against this particular attack.

EDIT: But in this case, the software in question is signed, so the (fallback) technique described above is not necessary. The download page [0] contains a GPG signature along with a link to the author's GPG public key. Checking the signature would have prevented the attack.

[0] https://handbrake.fr/rotation.php?file=HandBrake-1.0.7.dmg

[waz0wski]

IF you really want to be pedantic about it, utilize an egress firewall policy, whether on your machine, or your router. For MacOS, LittleSnitch or RadioSilence. For Linux/BSD, setup your firewall of choice to do some filtering.

Yes, it will take alot of effort to setup, and some effort to maintain, but it helps.

[gangstead]

Would a passphrase on the SSH key help in this case? Attacker would have the SSH key but need the passphrase to be able to use it. That's how I have my SSH keys.

[cillian64]

I believe this malware included a keylogger. Retrieving the correct passphrase would be another step for the attacker but wouldn't stop them if they're determined.