Zacinlo adware affecting Windows 10 Users (bleepingcomputer.com)
50 points by vezycash on June 18, 2018 | hide | past | favorite | 54 comments



"The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark),"...

Err. Can we blame Windows if a user installs software?!


True, users actually installing software on their computers is extremely rare and well outside the scope of intended use for Windows. It’s surprising even that Microsoft made it possible at all to do such a power-user task on a regular computer.


If you invited a stranger into your home, is it any surprise that they might steal and burgle?

The user has to have some level of technical knowledge and personal responsibility in keeping their machines clean. Downloading random VPN software that is free seems like such a dangerous thing to do. If the user doesn't understand this, they haven't really learnt how to computer properly.


When large populations can't figure out really basic UI navigation do you expect everyone to understand security? Our operating systems should protect us more from this kind of stuff.


At least warn the user explicitly


When's the last time you used a computer? Windows since at least Vista explicitly pops up "This program from the internet could very well damage your computer, are you sure?" dialogs, as well as a dialog for permission escalation if required and another dialog for some internet connections (via Windows Firewall). That's not even getting into things like smartscreen in newer versions of Windows.

Meanwhile Mac will go so far as to completely deny you the right to run code it can't identify the developer of, until you go into the settings and temporarily grant yourself the permission to do so.

It is fundamentally impossible to prevent a user from doing bad things to their systems unless you are willing to 100% prevent the running of code that you can't identify with 100% certainty.


Developers curl | bash all the time to install stuff without first checking that what they download is what they want. Why should we demand more care from less technical users?


Demand it from both.


curl | bash can't install something that persists across reinstalls (unless I've sudo'd recently, which I admit is possible).

The problem with the desktop security model is the controls are ridiculously coarse-grained.
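A safer pattern than piping a download straight into a shell, as an added example that is not from the thread: save the installer to a file, compare its SHA-256 with the digest the publisher lists separately, and only execute it on a match. The installer script and both "published" hashes are constructed inline here so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): fetch-to-file, verify, then run.
# In real use the file would come from `curl -fsSLo "$file" URL`, and
# the expected digest from the publisher's release page or signed notes.

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only when its SHA-256 matches EXPECTED_SHA256.
# Returns 1 without running anything on a mismatch.
verify_and_run() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed stand-in for a downloaded installer script.
demo_installer=$(mktemp)
printf '#!/bin/sh\necho "installer ran"\n' > "$demo_installer"

# The digest the publisher would list for this exact file.
good_hash=$(sha256sum "$demo_installer" | cut -d' ' -f1)
# A deliberately wrong digest, simulating a tampered or swapped download.
bad_hash=0000000000000000000000000000000000000000000000000000000000000000

# Genuine download: digest matches, installer executes (exit 0).
demo_good() { verify_and_run "$demo_installer" "$good_hash"; }
# Tampered download: digest differs, nothing executes (exit 1).
demo_tampered() { verify_and_run "$demo_installer" "$bad_hash"; }
```

Pairing the file download with a digest check also gives you a chance to read the script before running it, which the pipe form never does.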


Even if the script doesn't just contain a sudo (which they often do), you're still just one local exploit away from installing a rootkit. I don't think they're that hard to come by.


> desktop security model is the controls are ridiculously coarse-grained.

It'd be really nice if it was more efficient to run an OS like https://www.qubes-os.org/. I think the only true security model that works is the sandbox isolation model of virtual machines.


Akin to setting a fire in your trash can to burn paper within your home, but being upset it burned your home down when you left it to make dinner.


I don't see why users can't be content with Windows downloading programs without telling or asking them, the way it was intended to work.


How’s this any different on Linux/Mac where you need root to install programs? Also, on a home PC, the user is typically also the admin/root.


On Mac, you don't need administrative access to install programs. You download a .dmg, you drag the app to /Applications, you're done.


On Mac you need to explicitly enable the feature that allows one to install unsigned programs, which I think is a really healthy feature for the average user.

It will also warn you that you are installing unsigned software in scary language.


I can't tell if this is sarcasm. This is sarcasm, right?


Is it "blaming" if the article factually reports that there's now malware that manages to resist newer security features?


To be fair, they're security features that were guaranteed to be bypassable given that they weren't implemented in hardware, nothing really surprising here. Commercial game cheat developers have been bypassing PatchGuard since it was introduced just to beat anticheat systems in an easier way than emulating them fully.


If installing a rootkit looks the same as installing normal everyday software, I'd say there is at least some blame to be put on the OS.


We really need to educate people if they think installing an untrusted exe from a sketchy "free" VPN service is acceptable behavior.


It's a useless thing to want.

Most users can be safely assumed to operate on the same intelligence level as a chipmunk the moment they are handed a keyboard. I've met people who had difficulty handling the instruction "open Excel" because Excel wasn't in the familiar spot on the desktop, and confused "save and exit Word" with "hold power button for 5 seconds" without a malicious thought.

People still install sketchy apps and "Make your computer clean", they respond to emails from the Nigerian prince about his money and pills to make body parts larger, and they will continue to remain ignorant of the dangers lurking in the internet.

Instead of educating them we should protect them. Users will do dumb things and we need to make sure that when a user wants to do a dumb thing they know it's a dumb thing. Sysadmins may install a rootkit on purpose or may install a self-signed driver.

The average user should under no circumstances be given the power to install a self-signed anything.

Give the sysadmins power and prevent the user from abusing it.


"Give the sysadmins power and prevent the user from abusing it."

Yes, but don't treat me as an idiot when I am admin. And Windows does that increasingly, to a point where I simply hate it. (Even though I only use Windows if I have to.)


I wish there would be real, large-scale consequences for getting your computer compromised.

At the moment, unless you’re a celebrity or other high-profile individual, there isn’t really anything that can happen. The main financial risk, credit card fraud, will be refunded by the bank.

Should banks stop taking liability for idiots’ stupidity, all it would take is a few published cases of people getting their life savings emptied because of malware, and idiots will wisen up or refrain from using the internet (which is fine too).


As much as I'd like computer security to become a solved problem, this outlook is ignoring the banks' role in the transaction. In my opinion banks don't go far enough to verify identity or to verify a transaction is legitimate. The fact that someone who has never met me can walk into a bank with some pieces of information they got on the Internet and open a new bank account or credit card is scary. That's why it's so easy to refund this fraud, because banks don't want people to realize that their security is just a bunch of meaningless paperwork.

I also don't think people losing their life savings will change anything. Ponzi schemes are still a big thing, MLM is still a big thing, Nigerian princes are still a big thing, and people lose it all through those scams constantly. The state of bank security is so bad that every time I write a check, I'm giving the recipient my bank's name, my account number, my home address, and my signature. That's a lot of sensitive information that a phisher could do some real damage with.

Ultimately, if a fraudulent transaction clears the bank, it is the bank's fault. It's their job to verify transactions and verify identity before clearing the transaction. In a perfect world, financial malware would cease to exist because bank security was locked down so tight that fraudulent transactions would never clear.


I agree. Kinda baffled why banks don't push for a hardened hardware platform. I've always wanted a hardware token type widget that would display any pending transactions on my credit card. If I push the approve button the transaction would be signed with my public key and sent to the vendor.

Seems insane that my credit card number is displayed in plain text to anyone I deal with in the physical world and is enough for anyone else on the planet to charge my account.


I'd be against that. The damage a single computer can do is minuscule compared to, say, a car accident. So any penalties that amount to more than peanuts for anybody in a first world country would be unfair. How about we first try to get companies liable for selling insecure IoT devices, or for not providing security updates for cell phones that work just fine?


> all it would take is a few published cases of people getting their life savings emptied because of malware and idiots will wisen up or refrain from using the internet (which is fine too).

There's always sob stories* about how little old granny lost her savings because of some scam website.

Yet people still fall for them, especially the ones that promise to get rich quick. From Nigerian princes to bitcoin investing.

This one has been advertised with fake newspaper reports about how it was on "Dragons' Den" (I believe it's Shark Tank in the U.S.): https://bitcoin-trader.biz/

When people fall for "What kind of results can I expect? Bitcoin Trader members typically profit a minimum of $13,000 daily.", there's simply no helping them.

* (Usually from the kids/grandkids who wanted the money instead)


That's all well and good until you get taken by a card skimmer or a compromised credit card terminal.


Or a 3rd party malware ad from a site you trusted. Or your identity stolen from the Equifax breach. Or the countless other times customer data was stolen. Or foreign state massive router hacks.

But yeah, let's put that on idiot grandmas.


Such a mean attitude.


Always blame Microsoft.

The funny thing is that win10 already treats the user as an idiot. Much to public dismay, but apparently people ARE idiots.


IMO yes. iOS doesn't have this problem. I believe Android finally doesn't have this problem. Windows, Linux, and macOS all have this problem because they don't run sandboxes by default.

OSes should be redesigned to make it nearly impossible to install a rootkit. Sure, there will be bugs in the OS, but those bugs will be fixed. The goal should be that apps can't own your entire computer anytime you install one, and asking for admin should have big giant warnings and be shunned and shamed from any software that asks for it.


There is Windows 10 in "S-mode" for this. A user can't screw up this type of Windows installation, just like iOS/Android.

The problem is that most people seem to not like the limitations. Although you can now install iTunes from the Windows store, there is still no Chrome which most users really want.


> asking for admin should have big giant warnings and be shunned and shamed from any software that asks for it.

This is the solution, but it has a rather important second part. It requires granular privileges, and must make it easy for developers to not need the more severe privileges. Without this, developers will continue to request full admin privileges, and users will be trained to accept giving them.


I want a computer, not a walled garden.


You don't necessarily need a walled garden. A walled garden is the centralized "store" where you _have_ to download apps from.

But you can still have proper security features without centralization. Android's permission system, or even some form of isolated per-process virtualization/sandboxing, can go a long way. If properly architected, it can be possible to prevent a good bunch of malware.


I agree deeply, but I honestly think that approach of Android is the best here. Sandboxed to an app store by default, possible to enable 3rd party installations by jumping through a few hoops and big warning boxes, much more difficult to gain real root access, but still possible on many devices via manufacturer-approved methods.

Prevents malicious apps like this from really mining their way into your devices but allows power users to have real control still.


And how does running apps in a container differ from this?


The whole model for modern mobile OSes is based on running apps in containers, so they're one and the same, essentially. Windows lacks such containerization for most desktop apps; they're trying to improve that model now with UWP, but with limited success, I'd say. The Windows world is largely stuck on desktop apps that have general access to everything, just due to the history of it.


If desiring containers is what the OP's assertion is about ("Windows, Linux, and MacOS all have this problem because they don't run sandboxes by default. OSes should be redesigned to make it nearly impossible to install a rootkit"), it isn't an OS problem, and requires no redesign (well, no idea about Windows); it's just a choice of how to run their machine.

Perhaps if OP believes that all apps should be containerised, but this doesn't need an OS to be redesigned, it just means a new skin. I could easily see a "Dockbuntu" which, instead of distributing programs like Firefox and Spotify, distributes links to docker containers running those programs, where the user can choose which directories to mount into the application's container (and whether they should be readonly, readwrite, etc.)


You and I may want that, but I'm thinking lately that like 98% of computer users don't want it and shouldn't have it.

Even for myself, I may want that for some of my actual computers. For phones and TVs and such, I'd rather it be 100% reliable and idiot proof than be able to install custom OSes or whatever.


Sure, but that's why my mother-in-law and grandmother have Chromebooks, which from a cursory glance looked like enough to do everything they need and keep them safe.

Certainly better than the "this free fart sound app requires access to your camera, microphone, gps location, background running, contact list, ability to send sms, etc" popups that people like my mother-in-law will just press "Yes" on.


It's not an either/or situation.


It is. It is called the 'dancing pig problem'.


That's not exactly what I meant. I work in information security and I can't name a single colleague who would argue that a normal user should have full admin access to any machine right out of the box, but people like you and me who are responsible and educated enough not to make uninformed decisions should be able to have admin access. There are tons of ways that both can be accomplished at the same time.

Linux, for example, does it out of the box. Most Linux systems don't give you root access, and some even disable logins to the root account altogether. You have to specifically escalate your privileges. If the user account isn't in the sudoers group, tough luck.

Windows has UAC for this, too. I find it very lacking, but it's better than nothing. macOS has a similar permissions system.

Application whitelisting is another great option. Let users install trusted and signed programs, while admins have the ability to install anything they want.

And also look at iOS versus Android. Almost no one using iOS is able to install random applications from the Internet, and it still has huge market share because most people don't care. Android is an option for those who do care.

It's not either/or. Options exist for both use cases. What responsible tech people need to do is use the option they're most comfortable with, while steering normal end users towards the safest option possible. It's even as simple as installing Windows, giving the user a normal (unprivileged) account, and just not giving them the admin password.

The dancing pig problem has been solved.


Sure, but most people who shouldn't have admin access do not have it already (if the machine they use is managed). Even with Windows, if you are not in the Administrators group and you try something that requires UAC, tough luck, just like with sudo.

That leaves us with private machines: should the user have admin access if it is his private machine? He is the owner after all. If "not yet", who will grant it, and when, as the need arises / the user educates himself / etc.? Also, how will the user who is willing to educate himself be able to do so, when he is not allowed to try and fail?

iOS turned this into a big brother scenario: there is someone else, who has to approve any program that you can run on the device. However, Apple might have objectives and responsibilities that may be different than yours, and they may deny you running an app, that is otherwise perfectly fine (and not just for technical reasons: imagine living in Crimea today, for example). Even on Android, there are things that you may legitimately want to do, but out of the box the system won't let you - you may either need the same signing key that the platform is signed with, or full blown root (backing up the device, for example). Both of these platforms take away possibilities in the name of what the mainstream user supposedly wants, and nobody is going to ask you, whether you are competent to use these features or not. Once you lose these possibilities, they are not going back.


"... persistence across OS reinstalls [...] even effective against Windows 10 installations..."

Since Windows 8 I have always enabled Secure Boot in the UEFI settings before installing the OS. Machines with pre-installed Windows usually come with this setting enabled by default. I would expect this type of malware would not run on machines with Secure Boot, or would cause a BSOD on the next startup.

The article doesn't say anything about this. Does it require an unlocked bootloader, does it silently fall back when it detects Secure Boot, or does it have a bypass?


I really found this part of the article lacking. How deep does the rootkit go to persist across OS reinstalls?

Does it simply hijack Windows' restore functionality? Or does it write itself to firmware to essentially become baked into the hardware?


This seems to be the source for the article: https://labs.bitdefender.com/2018/06/six-years-and-counting-... (there is a PDF linked), no mention of surviving a format or clean reinstall.


UEFI Secure Boot usually works fine with laptops, but it can be a can of worms on desktops.

For example, in the past I've seen a board where the combination of booting from NVMe drive, setting up Intel RAID on SATA HDDs and Secure Boot simply didn't work together. You had to give up one of these to continue.


I am not sure why they didn't point out what this "free VPN" software that came loaded with the rootkit was. Let's assume I did download a free VPN in the past (full disclosure: I DIDN'T). How would I know if I am affected?

EDIT: They did. Never mind the above, I totally missed it. I need to upgrade my glasses. Thanks for pointing it out!


Erm, they did?

>"The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark)," Bitdefender experts wrote in a 104-page report detailing Zacinlo's modus operandi and all of its modules released today.


Thank you, I totally missed it!
